CVE Database

WordPress CVEs.
All of them.

Every known security vulnerability in WordPress plugins and themes, indexed, searchable, and scored. Updated continuously from the Wordfence Intelligence feed.

142

Critical

891

High

3,204

Medium

1,102

Low

12,000+

CVEs indexed

60,000+

Plugins monitored

11,000+

Themes monitored

Continuous

Updates

Severity:

Live Database

34,482 vulnerabilities indexed

wp-cve-database — live query

CVE ID	Title	Plugin/Theme	Severity	CVSS	Patched	Date
CVE-2026-2233	User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter Missing Authorization	wp-user-frontend	medium	5.3	4.2.9	Mar 14, 2026
CVE-2026-1947	NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id Authorization Bypass Through User-Controlled Key	nex-forms-express-wp-form-builder	high	7.5	9.1.10	Mar 14, 2026
CVE-2026-1883	Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion Authorization Bypass Through User-Controlled Key	wicked-folders	medium	4.3	4.1.1	Mar 14, 2026
CVE-2026-1870	Thim Kit for Elementor <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure Missing Authorization	thim-elementor-kit	medium	5.3	1.3.8	Mar 14, 2026
CVE-2026-1948	NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license Missing Authorization	nex-forms-express-wp-form-builder	medium	4.3	9.1.10	Mar 13, 2026
CVE-2026-4063	Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation Missing Authorization	social-icons-widget-by-wpzoom	medium	4.3	4.5.9	Mar 12, 2026
CVE-2026-3986	Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	calculated-fields-form	medium	6.4	5.4.5.1	Mar 12, 2026
CVE-2026-2257	GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API Authorization Bypass Through User-Controlled Key	getgenie	medium	6.4	4.3.3	Mar 12, 2026
CVE-2026-2879	GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion Authorization Bypass Through User-Controlled Key	getgenie	medium	5.4	4.3.3	Mar 12, 2026
CVE-2026-2888	Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter Authorization Bypass Through User-Controlled Key	formidable	medium	5.3	6.29	Mar 12, 2026
CVE-2026-2890	Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse Missing Authorization	formidable	high	7.5	6.29	Mar 12, 2026
CVE-2026-3045	Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint Missing Authorization	simply-schedule-appointments	high	7.5	1.6.10.0	Mar 12, 2026
CVE-2026-1704	Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure Authorization Bypass Through User-Controlled Key	simply-schedule-appointments	medium	4.3	1.6.10.0	Mar 12, 2026
CVE-2026-3891	Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload Unrestricted Upload of File with Dangerous Type	payment-gateway-pix-for-woocommerce	critical	9.8	1.6.0	Mar 12, 2026
CVE-2026-2987	Simple Ajax Chat <= 20260217 - Unauthenticated Stored Cross-Site Scripting via 'c' Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	simple-ajax-chat	medium	6.1	20260301	Mar 12, 2026
CVE-2026-2466	DukaPress <= 3.2.4 - Unauthenticated Stored Cross-Site Scripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	dukapress	high	7.2	Unpatched	Mar 12, 2026
CVE-2026-3657	My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	mystickymenu	high	7.5	2.8.7	Mar 11, 2026
CVE-2026-3226	LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering Missing Authorization	learnpress	medium	4.3	4.3.3	Mar 11, 2026
CVE-2026-3231	Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	woo-checkout-field-editor-pro	high	7.2	2.1.8	Mar 10, 2026
CVE-2026-3492	Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	gravityforms	medium	6.4	2.9.29	Mar 10, 2026

WordPress CVEs.All of them.

WordPress CVEs.
All of them.