Recent Vulnerabilities.
WordPress plugin and theme CVEs published in the last 30 days, sorted by severity. Updated continuously from the Wordfence Intelligence feed.
100 vulnerabilities found
Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler
WordPress · CVSS 9.8 · May 20, 2026
WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons <= 1.0.8 - Authenticated (Editor+) Stored Cross-Site Scripting via 'Icon CSS Class' Category Field
WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons · CVSS 4.9 · May 20, 2026
Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta
Broadstreet · CVSS 4.3 · May 20, 2026
Slider Revolution <= 7.0.9 - Unauthenticated Sensitive Information Exposure via 'sliders/stream'
WordPress · CVSS 5.3 · May 19, 2026
AcyMailing <= 10.8.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via 'acymailing_router'
AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress · CVSS 8.8 · May 19, 2026
Anomify AI <= 0.3.6 - Cross-Site Request Forgery
Anomify AI – Anomaly Detection and Alerting · CVSS 4.3 · May 19, 2026
AI Chatbot & Workflow Automation by AIWU <= 1.4.14 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For' Header
AI Chatbot & Workflow Automation by AIWU · CVSS 6.4 · May 19, 2026
Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery · CVSS 4.3 · May 19, 2026
Advanced Database Cleaner – Premium <= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion via 'template'
WordPress · CVSS 8.8 · May 19, 2026
Cost of Goods by PixelYourSite <= 1.2.12 - Unauthenticated Stored Cross-Site Scripting via Cost of Goods Import
WordPress · CVSS 7.2 · May 19, 2026
All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic · CVSS 4.3 · May 19, 2026
Boost <= 2.0.3 - Unauthenticated Blind SQL Injection via Multiple Parameters
WordPress · CVSS 7.5 · May 19, 2026
Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie
WordPress · CVSS 9.8 · May 19, 2026
Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 - Missing Authorization to Unauthenticated Xpro Template Creation
Xpro Addons — 140+ Widgets for Elementor · CVSS 5.3 · May 19, 2026
Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register
Easy Elements for Elementor – Addons & Website Templates · CVSS 9.8 · May 19, 2026
Creative Mail – Easier WordPress & WooCommerce Email Marketing <= 1.6.9 - Unauthenticated SQL Injection via 'checkout_uuid' Parameter
Creative Mail – Easier WordPress & WooCommerce Email Marketing · CVSS 7.5 · May 19, 2026
TypeSquare Webfonts for ConoHa <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via 'fontThemeUseType' Parameter
TypeSquare Webfonts for ConoHa · CVSS 4.3 · May 19, 2026
Read More & Accordion <= 3.5.7 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter
Read More & Accordion · CVSS 4.9 · May 19, 2026
Read More & Accordion <= 3.5.7 - Privilege Escalation via importData
Read More & Accordion · CVSS 8.8 · May 19, 2026
Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
Logo Manager For Enamad · CVSS 6.4 · May 19, 2026
Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter
WordPress · CVSS 6.1 · May 19, 2026
SponsorMe <= 0.5.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter
SponsorMe · CVSS 6.1 · May 19, 2026
LJ comments import: reloaded <= 0.97.1 - Reflected Cross-Site Scripting via PHP_SELF Parameter
LJ comments import: reloaded · CVSS 6.1 · May 19, 2026
Infility Global <= 2.15.16 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter
Infility Global · CVSS 6.5 · May 19, 2026
Remove Yellow BGBOX <= 1.0 - Cross-Site Request Forgery
Remove Yellow BGBOX · CVSS 4.3 · May 19, 2026
JaviBola Custom Theme Test <= 2.0.5 - Cross-Site Request Forgery
JaviBola Custom Theme Test · CVSS 4.3 · May 19, 2026
BLOGCHAT Chat System <= 1.3.6.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update
BLOGCHAT Chat System · CVSS 6.1 · May 19, 2026
Amazon Scraper <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update
Amazon Scraper · CVSS 4.3 · May 19, 2026
Games Catalog <= 1.2.0 - Cross-Site Request Forgery to Arbitrary Game/Post Deletion
Games Catalog · CVSS 4.3 · May 19, 2026
VatanSMS WP SMS <= 1.01 - Reflected Cross-Site Scripting via 'page' Parameter
VatanSMS WP SMS · CVSS 6.1 · May 19, 2026
Account Switcher <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation
Account Switcher · CVSS 8.8 · May 19, 2026
Bigfishgames Syndicate <= 1.2 - Cross-Site Request Forgery to Settings Reset and Update
Bigfishgames Syndicate · CVSS 4.3 · May 19, 2026
Anomify AI <= 0.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'anomify_api_key' Parameter
Anomify AI – Anomaly Detection and Alerting · CVSS 4.4 · May 19, 2026
Bottom Bar <= 0.1.7 - Cross-Site Request Forgery to Settings Update
Bottom Bar · CVSS 4.3 · May 19, 2026
Child Height Predictor by Ostheimer <= 1.3 - Cross-Site Request Forgery to Settings Update via Plugin Settings Form
Child Height Predictor by Ostheimer · CVSS 4.3 · May 19, 2026
General Options <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ad_contact_number' Parameter
General Options · CVSS 4.4 · May 19, 2026
Sticky <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoretext' Shortcode Attribute
Sticky · CVSS 6.4 · May 19, 2026
Word 2 Cash <= 0.9.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page
Word 2 Cash · CVSS 6.1 · May 19, 2026
Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE · CVSS 5.4 · May 19, 2026
Sentence To SEO (keywords, description and tags) <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page Parameters
Sentence To SEO (keywords, description and tags) · CVSS 6.1 · May 19, 2026
ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files'
ProSolution WP Client · CVSS 9.8 · May 19, 2026
Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute
Faces of Users · CVSS 6.4 · May 19, 2026
Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header
Oliver POS – A WooCommerce Point of Sale (POS) · CVSS 6.5 · May 19, 2026
診断ジェネレータ作成プラグイン <= 1.4.16 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'js' Parameter
診断ジェネレータ作成プラグイン · CVSS 6.4 · May 19, 2026
Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP
Kirki Customizer Framework · CVSS 7.5 · May 19, 2026
Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action
Kirki Customizer Framework · CVSS 6.5 · May 19, 2026
The Ultimate Video Player For WordPress – by Presto Player <= 4.1.3 - Missing Authorization
The Ultimate Video Player For WordPress – by Presto Player · CVSS 5.3 · May 19, 2026
Piotnet Addons for Elementor Pro <= 7.1.70 - Unauthenticated Arbitrary File Upload via Form File Upload
WordPress · CVSS 9.8 · May 18, 2026
Piotnet Forms <= 2.1.40 - Unauthenticated Arbitrary File Upload via Form File Upload
WordPress · CVSS 9.8 · May 18, 2026
Contest Gallery <= 28.1.6 - Unauthenticated SQL Injection
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe · CVSS 7.5 · May 18, 2026
Contest Gallery Pro <= 29.0.1 - Unauthenticated Privilege Escalation
WordPress · CVSS 9.8 · May 17, 2026
Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.3.8 - Authenticated (Subscriber+) Arbitrary File Download
Classified Listing – AI-Powered Classified ads & Business Directory Plugin · CVSS 4.3 · May 17, 2026
AI Engine 3.4.9 - Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token
AI Engine – The Chatbot, AI Framework & MCP for WordPress · CVSS 8.8 · May 16, 2026
GiveWP – Donation Plugin and Fundraising Platform <= 4.14.5 - Unauthenticated Stored Cross-Site Scripting
GiveWP – Donation Plugin and Fundraising Platform · CVSS 7.2 · May 16, 2026
Essential Chat Support <= 1.0.1 - Missing Authorization to Unauthenticated Settings Reset via 'ecs_reset_settings' Parameter
Essential Chat Support · CVSS 5.3 · May 15, 2026
Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred <= 3.0.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred · CVSS 6.4 · May 15, 2026
WP Document Revisions <= 3.8.1 - Missing Authorization
WP Document Revisions · CVSS 5.3 · May 15, 2026
Hydra Booking — Appointment Scheduling & Booking Calendar <= 1.1.41 - Missing Authorization
Hydra Booking — Appointment Scheduling & Booking Calendar · CVSS 5.3 · May 15, 2026
Smart Coupons For WooCommerce Coupons < 2.3.0 - Missing Authorization
Smart Coupons For WooCommerce Coupons · CVSS 5.3 · May 15, 2026
Multicollab: Content Team Collaboration and Editorial Workflow <= 5.2 - Missing Authorization to Authenticated (Subscriber+) Collaboration Comment
Team Collaboration & Content Workflow Plugin for WordPress Editorial Teams – Multicollab · CVSS 4.3 · May 15, 2026
Classified Listing <= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions
Classified Listing – AI-Powered Classified ads & Business Directory Plugin · CVSS 4.3 · May 14, 2026
Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Privilege Escalation via Edit User Form
Frontend Admin by DynamiApps · CVSS 8.8 · May 14, 2026
Quick Playground <= 1.3.3 - Unauthenticated Path Traversal to Arbitrary File Read via 'stylesheet' Parameter
Quick Playground · CVSS 7.5 · May 14, 2026
Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 - Unauthenticated Authentication Bypass via LINE OAuth Callback
Receive Notifications After Form Submitting – Form Notify for Any Forms · CVSS 9.8 · May 14, 2026
Notify Odoo <= 1.0.1 - Cross-Site Request Forgery to Settings Update
Notify Odoo · CVSS 4.3 · May 14, 2026
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.12 - Authenticated (Administrator+) SQL Injection via 'table' Parameter
NEX-Forms – Ultimate Forms Plugin for WordPress · CVSS 4.9 · May 14, 2026
FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion
FOX – Currency Switcher Professional for WooCommerce · CVSS 8.1 · May 14, 2026
WP Directory Kit <= 1.5.1 - Unauthenticated SQL Injection
WP Directory Kit · CVSS 7.5 · May 14, 2026
Smartcat Translator for WPML <= 3.1.77 - Missing Authorization to Unauthenticated Plugin Settings Update
Smartcat Translator for WPML · CVSS 6.5 · May 14, 2026
Advanced Custom Fields: Font Awesome Field <= 5.0.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via JSON Field
Advanced Custom Fields: Font Awesome Field · CVSS 6.4 · May 14, 2026
The7 <= 14.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 'link' Parameter
WordPress · CVSS 6.4 · May 14, 2026
Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 - Unauthenticated Information Exposure
Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity · CVSS 5.3 · May 14, 2026
Advanced Access Manager – Access Governance for WordPress <= 7.1.0 - Missing Authorization
Advanced Access Manager – Access Governance for WordPress · CVSS 5.3 · May 14, 2026
Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter
Royal Addons for Elementor – Addons and Templates Kit for Elementor · CVSS 6.4 · May 13, 2026
User Registration & Membership <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder · CVSS 5.3 · May 13, 2026
InfusedWoo Pro <= 5.1.2 - Unauthenticated Arbitrary File Read via 'url' Parameter
WordPress · CVSS 7.5 · May 13, 2026
MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
MW WP Form · CVSS 5.3 · May 13, 2026
CC Child Pages <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'more' Parameter
CC Child Pages · CVSS 6.4 · May 13, 2026
InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters
WordPress · CVSS 9.1 · May 13, 2026
Taskbuilder – Project Management & Task Management Tool With Kanban Board <= 5.0.6 - Authenticated (Subscriber+) Time-Based Blind SQL Injection via 'project_search' Parameter
Taskbuilder – Project Management & Task Management Tool With Kanban Board · CVSS 6.5 · May 13, 2026
Bold Page Builder <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode
Bold Page Builder · CVSS 6.4 · May 13, 2026
Meta Field Block <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute
Meta Field Block · CVSS 6.4 · May 13, 2026
Media Sync <= 1.4.9 - Authenticated (Author+) Path Traversal via 'sub_dir' and 'media_items' Parameters
Media Sync · CVSS 6.5 · May 13, 2026
InfusedWoo Pro <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update
WordPress · CVSS 8.8 · May 13, 2026
InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe'
WordPress · CVSS 9.8 · May 13, 2026
Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder · CVSS 8.2 · May 13, 2026
Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.13 - Authenticated (Author+) Limited Privilege Escalation via register_user
Essential Addons for Elementor – Popular Elementor Templates & Widgets · CVSS 6.5 · May 13, 2026
ManageWP Worker <= 4.9.31 - Unauthenticated Stored Cross-Site Scripting via 'MWP-Key-Name' Header
ManageWP Worker · CVSS 7.2 · May 13, 2026
Career Section <= 1.7 - Unauthenticated Arbitrary File Upload
Career Section · CVSS 9.8 · May 13, 2026
Motors – Car Dealer, Classifieds & Listing <= 1.4.107 - Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter
Motors – Car Dealership & Classified Listings Plugin · CVSS 8.1 · May 13, 2026
LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route
LatePoint – Calendar Booking Plugin for Appointments and Events · CVSS 4.3 · May 13, 2026
GLS Shipping for WooCommerce <= 1.4.0 - Reflected Cross-Site Scripting via 'failed_orders'
GLS Shipping for WooCommerce · CVSS 6.1 · May 13, 2026
MapGeo - Interactive Geo Maps <= 1.6.27 - Reflected Cross-Site Scripting via 'map' Parameter
MapGeo – Interactive Geo Maps · CVSS 6.1 · May 13, 2026
WP Encryption - One Click SSL & Force HTTPS <= 7.8.5.10 - Missing Authorization to Authenticated (Subscriber+) SSL Setup Tampering
WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan · CVSS 5.4 · May 13, 2026
Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder · CVSS 8.2 · May 13, 2026
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) · CVSS 9.8 · May 13, 2026
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.5 - Authenticated (Subscriber+) Payment Bypass to Free Course Enrollment via 'quantity' Parameter
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses · CVSS 4.3 · May 13, 2026
Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More · CVSS 6.4 · May 13, 2026
Unlimited Elements For Elementor <= 2.0.7 - Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter
Unlimited Elements For Elementor · CVSS 6.5 · May 13, 2026
Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Arbitrary File Read and Deletion
Database Backup for WordPress · CVSS 8.1 · May 13, 2026