Wordfence Intelligence Weekly WordPress Vulnerability Report (January 12, 2026 to January 18, 2026)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 170 vulnerabilities disclosed in 123 WordPress Plugins and 37 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 32,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• • • LA-Studio Element Kit for Elementor <= 1.5.6.3 – Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter
    • Modular Connector (Modular DS) <= 2.5.1 – Missing Authentication to Privilege Escalation
    • Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 – Unauthenticated Privilege Escalation via Account Takeover
    • WAF-RULE-890 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Tran Nguyen Bao Khanh	36
0x34rth	11
João Pedro S Alcântara (Kinorth)	9
Md. Moniruzzaman Prodhan (NomanProdhan)	8
Athiwat Tiprasaharn (Jitlada)	6
Legion Hunter	5
shark3y	5
Skalucy	5
Itthidej Aramsri (Boeing777)	4
0xd4rk5id3	4
Denver Jackson	4
Muhammad Yudha – DJ	3
dayea song	3
Teerachai Somprasong	3
Os	3
Rafie Muhammad	3
Phap Nguyen Anh	3
daroo	2
andrea bocchetti	2
mikemyers	2
Kazuma Matsumoto	2
zer0gh0st	2
Deadbee	2
Peerapat Samatathanyakorn	2
Abdulsamad Yusuf (0xVenus)	2
Drew Webber (mcdruid)	2
ChamlaVic	2
Ivan Cese	2
afnaan	2
Khaled Alenazi (Nxploited)	1
shrikant bhosale	1
Ahmed Rayen Ayari	1
omer yeshayahu	1
Bao – BlueRock	1
y0shicat	1
Muhammad Nur Ibnu Hubab (Ibnu)	1
Jonas Benjamin Friedli	1
Teemu Saarentaus	1
kr0d	1
theviper17y	1
Jochem Boender	1
Powpy	1
Waris Damkham	1
Varakorn Chanthasri (iCreaM)	1
Sopon Tangpathum (SoNaJaa)	1
NAWardRox	1
Nguyen Truong (Roll)	1
Sarawut Poolkhet (MisterHelloz)	1
vpetr	1
Supakiad S. (m3ez)	1
guardimo	1
NumeX	1
Dave Jong	1
Bonds	1
Benachi	1
Benachi	1
bosz	1
jsonc	1
Ryan Novotny	1
Jarno Vos (jarnovos)	1
Abu Hurayra (HurayraIIT)	1
Dmitrii Ignatyev	1
Peter Thaleikis	1
theviper17	1
LionTree	1
zaim	1
NosleeP++	1
ZAST.AI	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Energia <= 1.1.2 – Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-50002

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Energia – Renewable Energy WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Event Tickets with Ticket Scanner <= 2.7.10 – Unauthenticated Remote Code Execution

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-68015

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Event Tickets with Ticket Scanner

Researcher

daroo

More Details >

g-FFL Checkout <= 2.1.0 – Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-68001

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
g-FFL Checkout

Researcher

Denver Jackson

More Details >

Integration Opvius AI for WooCommerce <= 1.3.0 – Unauthenticated Arbitrary File Deletion/Read via Path Traversal

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-14301

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Integration Opvius AI for WooCommerce

Researcher

Muhammad Yudha – DJ

More Details >

Modular DS 2.5.2 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2026-23800

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Modular DS: Monitor, update, and backup multiple websites

Researcher

Dave Jong

More Details >

Modular DS <= 2.5.1 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2026-23550

Patch Status
Patched

Published
Jan 14, 2026

Affected Software
Modular DS: Monitor, update, and backup multiple websites

Researcher

Teemu Saarentaus

More Details >

News and Blog Designer Bundle <= 1.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-14502

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
News and Blog Designer Bundle

Researcher

Itthidej Aramsri (Boeing777)

More Details >

Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 – Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-10484

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Registration & Login with Mobile Phone Number for WooCommerce

Researcher

vpetr

More Details >

RegistrationMagic <= 6.0.7.1 – Privilege Escalation via admin_order

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-15403

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Researcher

Os

More Details >

Workreap Core <= 3.4.0 – Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-69101

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Workreap Core

Researcher

NAWardRox

More Details >

Anona <= 8.0 – Unauthenticated Arbitrary File Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2025-68901

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Anona – Pest Control WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

HDForms <= 1.6.1 – Unauthenticated Arbitrary File Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2025-68912

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
HDForms | Contact Form Builder

Researcher

theviper17

More Details >

Hostme v2 <= 7.0 – Unauthenticated Arbitrary File Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2025-68907

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Hostme v2 – Responsive WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

WPLMS <= 1.9.9.5.4 – Unauthenticated Arbitrary File Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2025-69097

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
WPLMS Plugin

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

All-in-One Video Gallery <= 4.5.7 – Authenticated (Author+) Arbitrary File Upload via VTT Upload Bypass

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-12957

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
All-in-One Video Gallery

Researcher

mikemyers

More Details >

Blogistic <= 1.0.5 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-68909

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Blogistic

Researcher

Denver Jackson

More Details >

Blogzee <= 1.0.5 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-68910

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Blogzee

Researcher

Denver Jackson

More Details >

Miion <= 1.2.7 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-68986

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Miion | Multi-Purpose WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Restaurt <= 1.0.4 – Authenticated (subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2026-22327

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Restaurt

Researcher

Tran Nguyen Bao Khanh

More Details >

Supreme Modules Lite <= 2.5.62 – Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-13062

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder

Researcher

mikemyers

More Details >

xSmart <= 1.2.9.4 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-50007

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
xSmart – App Landing Page WordPress Theme in Tech Presentation, Promo Marketing & Advertising Agency

Researcher

Tran Nguyen Bao Khanh

More Details >

Membership Plugin – Restrict Content <= 3.2.16 – Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure

8.2

CVSS Rating
High (8.2)

CVE-ID
CVE-2025-14844

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Membership Plugin – Restrict Content

Researcher

andrea bocchetti

More Details >

AutoParts <= 1.5.8 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2026-22331

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
AutoParts – Car Parts Store WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Bajaar – Highly Customizable WooCommerce WordPress <= 2.1.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-69004

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
bajaar

Researcher

Tran Nguyen Bao Khanh

More Details >

Barberry <= 2.9.9.87 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-68908

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Barberry – Modern WooCommerce Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Biagiotti < 3.5.2 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67938

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Biagiotti

Researcher

Tran Nguyen Bao Khanh

More Details >

Consult Aid <= 1.4.3 – Unauthenticated PHP Object Injection

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67617

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Consult Aid: Business Consulting And Finance PSD

Researcher

Tran Nguyen Bao Khanh

More Details >

Melania <= 2.5.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2026-22324

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Melania | Blog about Handmade & Crafts WordPress Theme + Shop

Researcher

Tran Nguyen Bao Khanh

More Details >

Mella <= 1.2.29 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67616

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Mella – Minimalist Ajax eCommerce PSD Template

Researcher

Tran Nguyen Bao Khanh

More Details >

Myour <= 1.5.1 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67615

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Myour – Personal Portfolio Resume WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

North <= 5.7.5 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-69100

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
North – One Page Parallax WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Powerlift < 3.2.1 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67940

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Powerlift – Fitness and Gym WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Promo <= 1.3.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2026-22325

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Promo

Researcher

Tran Nguyen Bao Khanh

More Details >

Reprizo <= 1.0.8 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2026-22326

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Reprizo – Jewelry & Watch Store Shopify Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Right Way <= 4.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2026-22330

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Right Way | Election Campaign and Political Candidate WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Search & Go <= 2.8 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-69005

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Search & Go – Directory WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

The Aisle < 2.9.1 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67941

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
The Aisle – Elegant Wedding WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Anona <= 8.0 – Authenticated (Subscriber+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68903

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Anona – Pest Control WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Anona <= 8.0 – Unauthenticated Arbitrary File Download

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68902

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Anona – Pest Control WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Antideo Email Validator <= 1.0.10 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68017

Patch Status
Unpatched

Published
Jan 16, 2026

Affected Software
Antideo Email Validator

Researcher

Jarno Vos (jarnovos)

More Details >

CleverReach® WP <= 1.5.22 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68034

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
CleverReach® WP

Researcher

0xd4rk5id3

More Details >

Demo Importer Plus <= 2.0.9 – Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-14478

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Demo Importer Plus

Researcher

bosz

More Details >

JNews – Pay Writer <= 11.0.0 – Authenticated (Subscriber+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68905

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
JNews – Pay Writer

Researcher

Rafie Muhammad

More Details >

JupiterX Core <= 4.10.1 – Authenticated (Contributor+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-50004

Patch Status
Patched

Published
Jan 12, 2026

Affected Software
Jupiter X Core

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Kids Heaven <= 3.2 – Authenticated (Subscriber+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67619

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Kids Heaven – Children Education WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Miion <= 1.2.7 – Authenticated (Subscriber+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68913

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Miion | Multi-Purpose WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

North <= 5.7.5 – Authenticated (Contributor+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-69099

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
North – One Page Parallax WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

OneLife <= 3.9 – Authenticated (Subscriber+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-69002

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
OneLife – Medical WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Shipping Rate By Cities <= 2.0.0 – Unauthenticated SQL Injection via ‘city’ Parameter

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-14770

Patch Status
Patched

Published
Jan 13, 2026

Affected Software
Shipping Rate By Cities

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Simply Schedule Appointments <= 1.6.9.9 – Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-12166

Patch Status
Patched

Published
Jan 14, 2026

Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Researcher

shark3y

More Details >

Tutor LMS Pro <= 3.8.3 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-22332

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Tutor LMS Pro

Researcher

0xd4rk5id3

More Details >

Vivagh <= 2.4 – Authenticated (Subscriber+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68899

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Wedding Photographer WordPress Theme – Vivagh

Researcher

Tran Nguyen Bao Khanh

More Details >

AJS Footnotes <= 1.0 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-15378

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
AJS Footnotes

Researcher

0x34rth

More Details >

GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.1.7 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-15266

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation

Researcher

zer0gh0st

More Details >

GetContentFromURL <= 1.0 – Authenticated (Contributor+) Server-Side Request Forgery via ‘url’ Shortcode Attribute

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-14613

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
GetContentFromURL

Researcher

Ivan Cese

More Details >

Infility Global <= 2.14.49 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-68864

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Infility Global

Researcher

Drew Webber (mcdruid)

More Details >

Name Directory <= 1.30.3 – Unauthenticated Stored Cross-Site Scripting via Multiple Parameters

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-15283

Patch Status
Patched

Published
Jan 13, 2026

Affected Software
Name Directory

Researcher

zer0gh0st

More Details >

Omnichannel for WooCommerce <= 1.3.65 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-68041

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto

Researcher

guardimo

More Details >

Synergy Project Manager <= 1.5 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-68898

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Synergy Project Manager

Researcher

Drew Webber (mcdruid)

More Details >

DASHBOARD BUILDER <= 1.5.7 – Cross-Site Request Forgery to SQL Injection

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2025-14615

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
DASHBOARD BUILDER – WordPress plugin for Charts and Graphs

Researcher

omer yeshayahu

More Details >

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.3.6 – Missing Authorization to Unauthenticated Role Demotion

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-12641

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Awesome Support – WordPress HelpDesk & Support Plugin

Researcher

shark3y

More Details >

DZS Video Gallery <= 12.37 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-49049

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
DZS Video Gallery

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Event Espresso 4 Decaf <= 5.0.37.decaf – Missing Authorization to Unauthenticated Settings Change

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-68007

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Event Espresso – Event Registration & Ticketing Sales

Researcher

Legion Hunter

More Details >

Gotham Block Extra Light <= 1.5.0 – Authenticated (Contributor+) Arbitrary File Read via ‘ghostban’ Shortcode

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-15020

Patch Status
Patched

Published
Jan 13, 2026

Affected Software
Gotham Block Extra Light

Researcher

0x34rth

More Details >

Gutenberg Thim Blocks <= 1.0.1 – Authenticated (Contributor+) Arbitrary File Read via ‘iconSVG’ Parameter

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-13725

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Thim Blocks

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Lead Capturing Pages <= 2.5 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-49050

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
WP Lead Capturing Pages

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Wallet System for WooCommerce <= 2.7.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-14450

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Woocommerce Book Price <= 1.3 – Authenticated (Subscriber++) Arbitrary File Download

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2026-22334

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Woocommerce Book Price

Researcher

0xd4rk5id3

More Details >

WooCommerce Frontend Manager – Ultimate < 6.7.6 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2026-22335

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
WooCommerce Frontend Manager – Ultimate

Researcher

0xd4rk5id3

More Details >

AffiliateX 1.0.0 – 1.3.9.3 – Authenticated (Subscriber+) Missing Authorization to Stored Cross-Site Scripting via save_customization_settings

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13859

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
AffiliateX – Amazon Affiliate Plugin

Researcher

kr0d

More Details >

CubeWP <= 1.1.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-8615

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
CubeWP Framework

Researcher

zaim

More Details >

Related Posts by Taxonomy <= 2.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘related_posts_by_tax’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0916

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Related Posts by Taxonomy

Researcher

Muhammad Yudha – DJ

More Details >

SearchWiz <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0694

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
SearchWiz

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Powpy

Waris Damkham

Varakorn Chanthasri (iCreaM)

Peerapat Samatathanyakorn

Sopon Tangpathum (SoNaJaa)

More Details >

SpiceForms Form Builder <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12178

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
SpiceForms Form Builder

Researcher

Peter Thaleikis

More Details >

Team Section Block <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0833

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Team Section Block – Showcase Team Members with Layout Options

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

UiChemy <= 4.4.2 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69362

Patch Status
Patched

Published
Jan 12, 2026

Affected Software
UiChemy — Figma Converter for Elementor, Gutenberg and Bricks

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

User Submitted Posts <= 20260110 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘usp_access’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0913

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
User Submitted Posts – Enable Users to Submit Posts from the Front End

Researcher

Muhammad Yudha – DJ

More Details >

Accordion Slider PRO <= 1.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49066

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Accordion Slider PRO

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Anon <= 2.2.10 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67620

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Anon – Multipurpose Elementor WooCommerce Themes

Researcher

Tran Nguyen Bao Khanh

More Details >

Auto Repair <= 22.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2026-22328

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Auto Repair

Researcher

Tran Nguyen Bao Khanh

More Details >

bidorbuy Store Integrator <= 2.12.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68883

Patch Status
Unpatched

Published
Jan 16, 2026

Affected Software
bidorbuy Store Integrator

Researcher

Skalucy

More Details >

Brookside <= 1.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67618

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Brookside

Researcher

Tran Nguyen Bao Khanh

More Details >

Dooodl <= 2.3.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68871

Patch Status
Unpatched

Published
Jan 16, 2026

Affected Software
Dooodl

Researcher

Skalucy

More Details >

Drone <= 1.40 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49249

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
Drone Media | Aerial Photography & Videography Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Eli’s WordCents adSense Widget with Analytics <= 1.3.03.27 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68872

Patch Status
Unpatched

Published
Jan 16, 2026

Affected Software
Eli’s WordCents adSense Widget with Analytics

Researcher

Skalucy

More Details >

Hide My WP <= 6.2.12 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-69098

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Hide My WP – Amazing Security Plugin for WordPress!

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

JNews – Frontend Submit <= 11.0.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68904

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
JNews – Frontend Submit

Researcher

Rafie Muhammad

More Details >

JNews – Video <= 11.0.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68906

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
JNews – Video

Researcher

Rafie Muhammad

More Details >

KenthaRadio <= 2.2.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-69003

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
KenthaRadio – Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality

Researcher

Tran Nguyen Bao Khanh

More Details >

List Site Contributors <= 1.1.8 – Reflected Cross-Site Scripting via alpha

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2026-0594

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
List Site Contributors

Researcher

0x34rth

More Details >

Mail <= 1.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68008

Patch Status
Unpatched

Published
Jan 16, 2026

Affected Software
WP Mail

Researcher

Skalucy

More Details >

Quote Master <= 7.1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68849

Patch Status
Unpatched

Published
Jan 16, 2026

Affected Software
Quote Master

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 – Reflected Cross-Site Scripting via className

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14375

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Researcher

Deadbee

More Details >

Simple Redirect <= 1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68884

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
WP Simple Redirect

Researcher

Skalucy

More Details >

Skillate <= 1.2.10 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2026-22329

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Skillate

Researcher

Tran Nguyen Bao Khanh

More Details >

Syntax Highlighter Compress <= 3.0.83.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68859

Patch Status
Unpatched

Published
Jan 16, 2026

Affected Software
Syntax Highlighter Compress

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Test Email <= 1.1.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-69102

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
WP Test Email

Researcher

Ryan Novotny

More Details >

TheNa <= 1.5.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67614

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
TheNa – Photography & Portfolio WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

xPromoter <= 1.3.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49046

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
xPromoter

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

xSmart <= 1.2.9.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-50006

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
xSmart – App Landing Page WordPress Theme in Tech Presentation, Promo Marketing & Advertising Agency

Researcher

Tran Nguyen Bao Khanh

More Details >

Feeds for YouTube Pro <= 2.6.0 – Unauthenticated Arbitrary File Read via Path Traversal

5.9

CVSS Rating
Medium (5.9)

CVE-ID
CVE-2025-12002

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
YouTube Feed Pro

Researcher

LionTree

More Details >

Quick Contact Form <= 8.2.6 – Unauthenticated Open Mail Relay

5.8

CVSS Rating
Medium (5.8)

CVE-ID
CVE-2025-12718

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Quick Contact Form

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

WP Duplicate Page <= 1.8 – Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14001

Patch Status
Patched

Published
Jan 12, 2026

Affected Software
WP Duplicate Page

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

WP-CRM System – Manage Clients and Projects <= 3.4.5 – Missing Authorization to Authenticated (Subscriber+) CRM Data Exposure and Task Modification

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14854

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
WP-CRM System – Manage Clients and Projects

Researcher

Teerachai Somprasong

More Details >

WP-Members Membership Plugin <= 3.5.4.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14448

Patch Status
Patched

Published
Jan 14, 2026

Affected Software
WP-Members Membership Plugin

Researcher

shark3y

More Details >

Aplazo Payment Gateway <= 1.4.2 – Missing Authorization to Unauthenticated Order Status Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-15512

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Aplazo Payment Gateway

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Breeze <= 2.2.21 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69364

Patch Status
Patched

Published
Jan 13, 2026

Affected Software
Breeze Cache

Researcher

Bao – BlueRock

More Details >

Community Events <= 1.5.6 – Missing Authorization to Unauthenticated Arbitrary Event Approval via ‘eventlist’ Parameter

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14029

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Community Events

Researcher

Itthidej Aramsri (Boeing777)

More Details >

Cost Calculator Builder <= 3.6.9 – Missing Authorization to Unauthenticated Payment Status Bypass

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14757

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Cost Calculator Builder

Researcher

andrea bocchetti

More Details >

CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12129

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
CubeWP Framework

Researcher

Jonas Benjamin Friedli

More Details >

Essential Addons for Elementor <= 6.5.5 – Missing Authorization to Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-1004

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Essential Addons for Elementor – Popular Elementor Templates & Widgets

Researcher

shrikant bhosale

More Details >

EventPrime – Events Calendar, Bookings and Tickets <= 4.2.7.0 – Unauthenticated Sensitive Information Exposure via REST API

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14507

Patch Status
Patched

Published
Jan 12, 2026

Affected Software
EventPrime – Events Calendar, Bookings and Tickets

Researcher

Deadbee

More Details >

Float Payment Gateway <= 1.1.9 – Improper Authorization to Unauthenticated Order Status Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-15513

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Float Payment Gateway

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Kalium <= 3.29 – Missing Authorization to Unauthenticated Mail Relay via kalium_vc_contact_form_request

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12895

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Kalium 3 | Creative WordPress & WooCommerce Theme

Researcher

Ahmed Rayen Ayari

More Details >

LottieFiles – Lottie block for Gutenberg <= 3.0.0 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0717

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
LottieFiles – Lottie block for Gutenberg

Researcher

y0shicat

More Details >

Netcash WooCommerce Payment Gateway <= 4.1.3 – Missing Authorization to Unauthenticated Order Status Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14880

Patch Status
Patched

Published
Jan 13, 2026

Affected Software
Netcash WooCommerce Payment Gateway

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

onepay Payment Gateway For WooCommerce <= 1.1.2 – Missing Authorization to Unauthenticated Order Status Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68016

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
onepay Payment Gateway For WooCommerce

Researcher

NumeX

More Details >

PAYGENT for WooCommerce <= 2.4.6 – Missing Authorization to Unauthenticated Payment Callback Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14078

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
PAYGENT for WooCommerce

Researchers

Benachi

Benachi

More Details >

PayHere Payment Gateway Plugin for WooCommerce <= 2.3.9 – Missing Authorization to Unauthenticated Order Status Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-15475

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
PayHere Payment Gateway

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Payment Button for PayPal <= 1.2.3.41 – Missing Authorization to Unauthenticated Arbitrary Order Creation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14463

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Payment Button for PayPal

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

PDF Resume Parser <= 1.0 – Unauthenticated Sensitive Information Disclosure in SMTP Credentials

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14464

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
PDF Resume Parser

Researcher

Ivan Cese

More Details >

Peach Payments Gateway <= 3.3.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67942

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Peach Payments Gateway

Researcher

Legion Hunter

More Details >

Perfit WooCommerce <= 1.0.1 – Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14173

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Perfit WooCommerce

Researcher

Legion Hunter

More Details >

Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.2 – Unauthenticated Order Status Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0939

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit

Researcher

Os

More Details >

Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.3 – Missing Authorization to Unauthenticated Rede Order Logs Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0942

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit

Researcher

Os

More Details >

RepairBuddy <= 4.1116 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0820

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress

Researcher

Teerachai Somprasong

More Details >

Reservation <= 1.7 – Missing Authorization to Unauthenticated Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69095

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Reservation Plugin

Researcher

Bonds

More Details >

Shown Connector <= 1.2.10 – Missing Authorization to Unauthenticated Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68003

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
Shown Connector

Researcher

Legion Hunter

More Details >

Spin Wheel <= 2.1.0 – Unauthenticated Client-Side Prize Manipulation via ‘prize_index’ Parameter

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0808

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Spin Wheel – Interactive spinning wheel that offers coupons

Researcher

jsonc

More Details >

User Registration Using Contact Form 7 <= 2.5 – Authenticated (Subscriber+) Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12825

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
User Registration Using Contact Form 7

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

WDV One Page Docs <= 1.2.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68896

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
WDV One Page Docs – Documentation Plugin for WordPress

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

WP Hotel Booking <= 2.2.7 – Unauthenticated Sensitive Information Exposure via ’email’ Parameter

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14075

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
WP Hotel Booking

Researcher

Itthidej Aramsri (Boeing777)

More Details >

DK PDF – WordPress PDF Generator <= 2.3.0 – Authenticated (Author+) Server-Side Request Forgery

5.0

CVSS Rating
Medium (5.0)

CVE-ID
CVE-2025-14793

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
DK PDF – WordPress PDF Generator

Researchers

Athiwat Tiprasaharn (Jitlada)

Peerapat Samatathanyakorn

More Details >

Advanced Ads – Ad Manager & AdSense <= 2.0.15 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-12984

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Advanced Ads – Ad Manager & AdSense

Researcher

Supakiad S. (m3ez)

More Details >

Shipping Rates by City for WooCommerce <= 1.0.3 – Authenticated (Shop Manager+) SQL Injection via ‘cities’ Parameter

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2026-0678

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Shipping Rates by City for WooCommerce

Researcher

Nguyen Truong (Roll)

More Details >

CM E-Mail Blacklist <= 1.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘black_email’ Parameter

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-0691

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
CM E-Mail Blacklist – Simple email filtering for safer registration

Researcher

Phap Nguyen Anh

More Details >

Electric Studio Download Counter <= 2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-0741

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Electric Studio Download Counter

Researcher

0x34rth

More Details >

Filr – Secure document library <= 1.2.11 – Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14632

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Filr – Secure document library

Researcher

Phap Nguyen Anh

More Details >

Gotham Block Extra Light <= 1.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-15021

Patch Status
Patched

Published
Jan 13, 2026

Affected Software
Gotham Block Extra Light

Researcher

0x34rth

More Details >

Integrate Dynamics 365 CRM <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-0725

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Integrate Dynamics 365 CRM

Researcher

Teerachai Somprasong

More Details >

Internal Link Builder <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin’s Settings

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14725

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Internal Link Builder

Researcher

0x34rth

More Details >

Kunze Law <= 2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-15486

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Kunze Law

Researcher

ZAST.AI

More Details >

LinkedIn SC <= 1.1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Page

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-0812

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
LinkedIn SC

Researcher

0x34rth

More Details >

Makesweat <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘makesweat_clubid’ Setting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-13627

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Makesweat

Researcher

ChamlaVic

More Details >

Real Post Slider Lite <= 2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via Settings

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-0680

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Real Post Slider Lite

Researcher

0x34rth

More Details >

Short Link <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Administration Settings Page

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-0813

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Short Link

Researcher

0x34rth

More Details >

Testimonials Creator 1.6 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14379

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Testimonials Creator

Researcher

Jochem Boender

More Details >

WMF Mobile Redirector <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-0739

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
WMF Mobile Redirector

Researcher

0x34rth

More Details >

WP Allowed Hosts <= 1.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘allowed-hosts’ Parameter

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-0734

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
WP Allowed Hosts

Researcher

0x34rth

More Details >

All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 – Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14384

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Researcher

NosleeP++

More Details >

Booking Calendar <= 10.14.11 – Missing Authorization to Sensitive Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14982

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Booking Calendar

Researcher

shark3y

More Details >

CP Image Store with Slideshow <= 1.1.9 – Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-0684

Patch Status
Patched

Published
Jan 12, 2026

Affected Software
CP Image Store with Slideshow

Researcher

Kazuma Matsumoto

More Details >

Crush.pics Image Optimizer <= 1.8.7 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14482

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Crush.pics Image Optimizer – Image Compression and Optimization

Researcher

ChamlaVic

More Details >

Dreamer Blog <= 1.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-10915

Patch Status
Unpatched

Published
Jan 14, 2026

Affected Software
Dreamer Blog

Researcher

Khaled Alenazi (Nxploited)

More Details >

Electron <= 1.8.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-5805

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
electron

Researcher

Tran Nguyen Bao Khanh

More Details >

GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.0 – Missing Authorization to Authenticated (Author+) Arbitrary Post Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-1003

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools

Researcher

theviper17y

More Details >

LEAV Last Email Address Validator <= 1.7.1 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14853

Patch Status
Unpatched

Published
Jan 15, 2026

Affected Software
LEAV Last Email Address Validator

Researcher

afnaan

More Details >

Phrase TMS Integration for WordPress <= 4.7.5 – Missing Authorization to Authenticated (Subscriber+) Log Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12168

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Phrase TMS Integration for WordPress

Researcher

Legion Hunter

More Details >

Responsive Accordion Slider <= 1.2.2 – Missing Authorization to Authenticated (Contributor+) Slider Update via ‘resp_accordion_silder_save_images’

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-0635

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Responsive Accordion Slider

Researcher

Kazuma Matsumoto

More Details >

Responsive Addons for Elementor <= 2.0.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69363

Patch Status
Patched

Published
Jan 12, 2026

Affected Software
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates

Researcher

Abu Hurayra (HurayraIIT)

More Details >

Shield Security <= 21.0.9 – Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-15370

Patch Status
Patched

Published
Jan 15, 2026

Affected Software
Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

Researcher

Dmitrii Ignatyev

More Details >

SocialChamp with WordPress <= 1.3.3 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14846

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
SocialChamp with WordPress

Researcher

afnaan

More Details >

Solace <= 2.1.16 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68911

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Solace

Researcher

Denver Jackson

More Details >

Sosh Share Buttons <= 1.1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-15377

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Sosh Share Buttons

Researcher

dayea song

More Details >

Stopwords for comments <= 1.1 – Missing Authorization to Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-15376

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
Stopwords for comments

Researcher

dayea song

More Details >

Tickera <= 3.5.6.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67939

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Tickera – Sell Tickets & Manage Events

Researcher

daroo

More Details >

WPBlogSyn <= 1.0 – Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14389

Patch Status
Unpatched

Published
Jan 13, 2026

Affected Software
WPBlogSyn

Researcher

dayea song

More Details >

xSmart <= 1.2.9.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-54002

Patch Status
Unpatched

Published
Jan 12, 2026

Affected Software
xSmart – App Landing Page WordPress Theme in Tech Presentation, Promo Marketing & Advertising Agency

Researcher

Tran Nguyen Bao Khanh

More Details >

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 – Missing Authorization to Unauthenticated File Deletion

3.7

CVSS Rating
Low (3.7)

CVE-ID
CVE-2025-14457

Patch Status
Patched

Published
Jan 14, 2026

Affected Software
Drag and Drop Multiple File Upload for Contact Form 7

Researcher

shark3y

More Details >

Church Admin <= 5.0.28 – Authenticated (Administrator+) Blind Server-Side Request Forgery via ‘audio_url’ Parameter

2.2

CVSS Rating
Low (2.2)

CVE-ID
CVE-2026-0682

Patch Status
Patched

Published
Jan 16, 2026

Affected Software
Church Admin

Researcher

Phap Nguyen Anh

More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 12, 2026 to January 18, 2026) appeared first on Wordfence.