Running a website means that a single unpatched vulnerability can take it offline, damage your reputation, or leave you with an expensive cleanup. Most compromises begin with automated attacks that exploit known software flaws, usually ones that were publicly disclosed and patched well before the attack reached your site.
To help keep you protected from these threats, we’ve compiled this month’s key security updates and vulnerability patches for the WordPress ecosystem.
If you’re already using the Sucuri Firewall, these vulnerabilities are virtually patched for all clients. If not, consider putting a web application firewall in front of your site to block exploit attempts before they reach your environment. Virtual patching buys you time; it does not replace updating the affected plugin, so apply the patched versions listed below as soon as you can.
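Checking a site against a list like the one below comes down to comparing each installed plugin version with the affected range and patched version. The following Python script is an added example for this roundup, not Sucuri’s code and not any plugin author’s code. The five advisory entries it carries are copied from this page; the plugin slugs are an assumption (they are assumed to be the wordpress.org directory slugs), and the sample inventory is constructed to mimic the shape of `wp plugin list --format=json` output rather than taken from a real site. It handles the three range forms used on this page (`≤ X`, `< X`, `X - Y`) and treats `7.4` and `7.4.0` as the same version.

```python
"""Check an installed-plugin inventory against WordPress advisory entries.

Added example for this roundup; not Sucuri's code and not any plugin
author's code. The advisory entries are copied from the page.
ASSUMPTIONS: the slugs are assumed to be the wordpress.org directory slugs,
and SAMPLE_INVENTORY is constructed to mimic the shape of
`wp plugin list --format=json` output; it is not data from a real site.
"""
import json
import re
import sys

# (slug, affected range as written in the roundup, patched version, CVE)
ADVISORIES = [
    ("elementor", "≤ 4.1.0", "4.1.1", "CVE-2026-49782"),
    ("updraftplus", "≤ 1.26.4", "1.26.5", "CVE-2026-10795"),
    ("the-events-calendar", "6.15.12 - 6.16.2", "6.16.3", "CVE-2026-49772"),
    ("post-duplicator", "< 3.0.15", "3.0.15", "CVE-2026-10749"),
    ("wpdatatables", "≤ 7.4", "7.4.1", "CVE-2026-54825"),
]

# Constructed sample; the field names follow `wp plugin list --format=json` (assumption).
SAMPLE_INVENTORY = json.loads("""[
  {"name": "elementor",           "status": "active",   "update": "available", "version": "4.1.0"},
  {"name": "updraftplus",         "status": "active",   "update": "none",      "version": "1.26.5"},
  {"name": "the-events-calendar", "status": "inactive", "update": "available", "version": "6.16.0"},
  {"name": "post-duplicator",     "status": "active",   "update": "none",      "version": "3.0.15"},
  {"name": "wpdatatables",        "status": "active",   "update": "available", "version": "7.4"}
]""")


def parse_version(v: str) -> tuple:
    """'1.8.41' -> (1, 8, 41). Non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like strcmp; '7.4' and '7.4.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str, affected: str) -> bool:
    """Evaluate the three range forms used on the page: '≤ X', '< X', 'X - Y'."""
    spec = affected.replace("≤", "<=").replace("–", "-").strip()
    m = re.fullmatch(r"(<=|<)\s*([\d.]+)", spec)
    if m:
        op, bound = m.groups()
        c = compare(installed, bound)
        return c <= 0 if op == "<=" else c < 0
    m = re.fullmatch(r"([\d.]+)\s*-\s*([\d.]+)", spec)
    if m:
        low, high = m.groups()
        return compare(installed, low) >= 0 and compare(installed, high) <= 0
    raise ValueError(f"unrecognised range syntax: {affected!r}")


def audit(inventory: list) -> list:
    """Return one finding per installed plugin whose version is in an affected range.

    Inactive plugins are reported too: their code is still on disk and they
    can be reactivated, so they should be updated or removed as well.
    """
    by_slug = {p["name"]: p for p in inventory}
    findings = []
    for slug, rng, patched, cve in ADVISORIES:
        plugin = by_slug.get(slug)
        if plugin and is_affected(plugin["version"], rng):
            findings.append({
                "plugin": slug, "installed": plugin["version"],
                "status": plugin["status"], "patched": patched, "cve": cve,
            })
    return findings


if __name__ == "__main__":
    # Usage: wp plugin list --format=json > plugins.json; python3 check.py plugins.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            inventory = json.load(fh)
    else:
        inventory = SAMPLE_INVENTORY
    results = audit(inventory)
    for f in results:
        print(f"{f['plugin']} {f['installed']} ({f['status']}): {f['cve']}, update to {f['patched']}")
    sys.exit(1 if results else 0)
```

Run against the sample, it flags Elementor 4.1.0, The Events Calendar 6.16.0 (inactive, but still on disk) and wpDataTables 7.4, and stays quiet for UpdraftPlus 1.26.5 and Post Duplicator 3.0.15, which are already at their patched versions. The non-zero exit status makes it usable as a gate in a deployment pipeline; extend ADVISORIES with the rest of the entries below to cover the full month.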
Plugins
Elementor Website Builder – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-49782 Number of Installations: 10,000,000+ Affected Software: Elementor Website Builder ≤ 4.1.0 Patched Versions: 4.1.1
Mitigation steps: Update to Elementor Website Builder version 4.1.1 or greater.
WPForms – Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint
Security Risk: Medium Vulnerability: Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint CVE: CVE-2026-7792 Number of Installations: 6,000,000+ Affected Software: WPForms ≤ 1.10.0.4 Patched Versions: 1.10.0.5
Mitigation steps: Update to WPForms version 1.10.0.5 or greater.
Rank Math SEO – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-34892 Number of Installations: 4,000,000+ Affected Software: Rank Math SEO ≤ 1.0.271 Patched Versions: 1.0.271.1
Mitigation steps: Update to Rank Math SEO version 1.0.271.1 or greater.
UpdraftPlus – Unauthenticated Authentication Bypass via UpdraftCentral udrpc
Security Risk: Critical Vulnerability: Unauthenticated Authentication Bypass via UpdraftCentral udrpc CVE: CVE-2026-10795 Number of Installations: 3,000,000+ Affected Software: UpdraftPlus ≤ 1.26.4 Patched Versions: 1.26.5
Mitigation steps: Update to UpdraftPlus version 1.26.5 or greater.
Really Simple Security (formerly Really Simple SSL) – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-48970 Number of Installations: 3,000,000+ Affected Software: Really Simple Security (formerly Really Simple SSL) ≤ 9.5.10 Patched Versions: 9.5.10.1
Mitigation steps: Update to Really Simple Security (formerly Really Simple SSL) version 9.5.10.1 or greater.
Really Simple Security (formerly Really Simple SSL) – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-48969 Number of Installations: 3,000,000+ Affected Software: Really Simple Security (formerly Really Simple SSL) ≤ 9.5.9 Patched Versions: 9.5.10
Mitigation steps: Update to Really Simple Security (formerly Really Simple SSL) version 9.5.10 or greater.
Essential Addons for Elementor – Missing Authorization to Unauthenticated Information Exposure via ‘load_more’ AJAX Handler
Security Risk: High Vulnerability: Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler CVE: CVE-2026-7665 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor ≤ 6.6.4 Patched Versions: 6.6.5
Mitigation steps: Update to Essential Addons for Elementor version 6.6.5 or greater.
All-In-One Security (AIOS) – Unauthenticated Stored Cross-Site Scripting via REST API Request Path
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting via REST API Request Path CVE: CVE-2026-8438 Number of Installations: 1,000,000+ Affected Software: All-In-One Security (AIOS) ≤ 5.4.7 Patched Versions: 5.4.8
Mitigation steps: Update to All-In-One Security (AIOS) version 5.4.8 or greater.
WPvivid – Authenticated (Admin+) Arbitrary Directory Deletion
Security Risk: Low Vulnerability: Authenticated (Admin+) Arbitrary Directory Deletion CVE: CVE-2025-12656 Number of Installations: 900,000+ Affected Software: WPvivid ≤ 0.9.128 Patched Versions: 0.9.129
Mitigation steps: Update to WPvivid version 0.9.129 or greater.
Smart Slider 3 – Authenticated (Administrator+) Path Traversal to Arbitrary File Read via ‘src’/’srcset’ Attribute in HTML Export
Security Risk: Low Vulnerability: Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'src'/'srcset' Attribute in HTML Export CVE: CVE-2026-9197 Number of Installations: 800,000+ Affected Software: Smart Slider 3 ≤ 3.5.1.36 Patched Versions: 3.5.1.37
Mitigation steps: Update to Smart Slider 3 version 3.5.1.37 or greater.
The Events Calendar – Unauthenticated SQL Injection
Security Risk: Critical Vulnerability: Unauthenticated SQL Injection CVE: CVE-2026-49772 Number of Installations: 700,000+ Affected Software: The Events Calendar 6.15.12 - 6.16.2 Patched Versions: 6.16.3
Mitigation steps: Update to The Events Calendar version 6.16.3 or greater.
WooCommerce Stripe Payment Gateway – Missing Authorization to Unauthenticated Order Status Manipulation via ‘order’ Parameter
Security Risk: Medium Vulnerability: Missing Authorization to Unauthenticated Order Status Manipulation via 'order' Parameter CVE: CVE-2026-2381 Number of Installations: 700,000+ Affected Software: WooCommerce Stripe Payment Gateway ≤ 10.7.0 Patched Versions: 10.8.0
Mitigation steps: Update to WooCommerce Stripe Payment Gateway version 10.8.0 or greater.
Click to Chat – HoliThemes – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘num’ Shortcode Parameter
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter CVE: CVE-2026-7795 Number of Installations: 700,000+ Affected Software: Click to Chat – HoliThemes ≤ 4.39 Patched Versions: 4.40
Mitigation steps: Update to Click to Chat – HoliThemes version 4.40 or greater.
MainWP Child – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-27366 Number of Installations: 700,000+ Affected Software: MainWP Child ≤ 6.1.1 Patched Versions: 6.1.2
Mitigation steps: Update to MainWP Child version 6.1.2 or greater.
Forminator Forms – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-56071 Number of Installations: 600,000+ Affected Software: Forminator Forms ≤ 1.53.1 Patched Versions: 1.53.2
Mitigation steps: Update to Forminator Forms version 1.53.2 or greater.
WP Statistics – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-48839 Number of Installations: 600,000+ Affected Software: WP Statistics ≤ 14.16.6 Patched Versions: 14.16.7
Mitigation steps: Update to WP Statistics version 14.16.7 or greater.
Royal Addons for Elementor – Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source CVE: CVE-2026-8118 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor 1.7.1058 - 1.7.1059 Patched Versions: 1.7.1060
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1060 or greater.
Enable Media Replace – Authenticated (Author+) Stored Cross-Site Scripting via ‘location_dir’ Parameter
Security Risk: Medium Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via 'location_dir' Parameter CVE: CVE-2026-5714 Number of Installations: 600,000+ Affected Software: Enable Media Replace ≤ 4.1.8 Patched Versions: 4.1.9
Mitigation steps: Update to Enable Media Replace version 4.1.9 or greater.
TablePress – Reflected Cross-Site Scripting
Security Risk: Low Vulnerability: Reflected Cross-Site Scripting CVE: CVE-2026-56051 Number of Installations: 600,000+ Affected Software: TablePress ≤ 3.3.1 Patched Versions: 3.3.2
Mitigation steps: Update to TablePress version 3.3.2 or greater.
Kadence Blocks – Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization CVE: CVE-2026-11357 Number of Installations: 600,000+ Affected Software: Kadence Blocks ≤ 3.7.5 Patched Versions: 3.7.6
Mitigation steps: Update to Kadence Blocks version 3.7.6 or greater.
Kirki – Unauthenticated Privilege Escalation via ‘handle_forgot_password’
Security Risk: Critical Vulnerability: Unauthenticated Privilege Escalation via 'handle_forgot_password' CVE: CVE-2026-8206 Number of Installations: 500,000+ Affected Software: Kirki 6.0.0 - 6.0.6 Patched Versions: 6.0.7
Mitigation steps: Update to Kirki version 6.0.7 or greater.
Page Builder by SiteOrigin – Authenticated (Contributor+) Stored Cross-Site Scripting via panels_data Parameter
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via panels_data Parameter CVE: CVE-2026-13295 Number of Installations: 400,000+ Affected Software: Page Builder by SiteOrigin ≤ 2.34.3 Patched Versions: 2.34.4
Mitigation steps: Update to Page Builder by SiteOrigin version 2.34.4 or greater.
Page Builder: Pagelayer – Authenticated (Contributor+) Stored Cross-Site Scripting via Anchor Block
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Anchor Block CVE: CVE-2026-3297 Number of Installations: 400,000+ Affected Software: Page Builder: Pagelayer ≤ 2.0.9 Patched Versions: 2.1.0
Mitigation steps: Update to Page Builder: Pagelayer version 2.1.0 or greater.
Page Builder: Pagelayer – Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via ‘contacts’
Security Risk: Medium Vulnerability: Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via 'contacts' CVE: CVE-2026-2470 Number of Installations: 400,000+ Affected Software: Page Builder: Pagelayer ≤ 2.0.9 Patched Versions: 2.1.0
Mitigation steps: Update to Page Builder: Pagelayer version 2.1.0 or greater.
WP Activity Log – Unauthenticated PHP Object Injection
Security Risk: High Vulnerability: Unauthenticated PHP Object Injection CVE: CVE-2026-54806 Number of Installations: 300,000+ Affected Software: WP Activity Log ≤ 5.6.3.1 Patched Versions: 5.6.4
Mitigation steps: Update to WP Activity Log version 5.6.4 or greater.
WP Activity Log – Authenticated (Subscriber+) Stored Cross-Site Scripting
Security Risk: Medium Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting CVE: CVE-2026-56005 Number of Installations: 300,000+ Affected Software: WP Activity Log ≤ 5.6.3.1 Patched Versions: 5.6.4
Mitigation steps: Update to WP Activity Log version 5.6.4 or greater.
Ad Inserter – Reflected Cross-Site Scripting via URL Parameters in iframe Mode
Security Risk: Medium Vulnerability: Reflected Cross-Site Scripting via URL Parameters in iframe Mode CVE: CVE-2026-9280 Number of Installations: 300,000+ Affected Software: Ad Inserter ≤ 2.8.15 Patched Versions: 2.8.16
Mitigation steps: Update to Ad Inserter version 2.8.16 or greater.
WP Go Maps – Unauthenticated Arbitrary Record Creation
Security Risk: Medium Vulnerability: Unauthenticated Arbitrary Record Creation CVE: CVE-2026-12238 Number of Installations: 300,000+ Affected Software: WP Go Maps ≤ 10.1.01 Patched Versions: 10.1.02
Mitigation steps: Update to WP Go Maps version 10.1.02 or greater.
WP Go Maps – Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback
Security Risk: Medium Vulnerability: Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback CVE: CVE-2026-8385 Number of Installations: 300,000+ Affected Software: WP Go Maps ≤ 10.0.09 Patched Versions: 10.0.10
Mitigation steps: Update to WP Go Maps version 10.0.10 or greater.
Blocksy Companion – Authenticated (Editor+) Stored Cross-Site Scripting via ‘product_description’ Parameter
Security Risk: Medium Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter CVE: CVE-2026-12430 Number of Installations: 300,000+ Affected Software: Blocksy Companion ≤ 2.1.45 Patched Versions: 2.1.46
Mitigation steps: Update to Blocksy Companion version 2.1.46 or greater.
Ultimate Member – Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure
Security Risk: High Vulnerability: Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure CVE: CVE-2026-7761 Number of Installations: 200,000+ Affected Software: Ultimate Member ≤ 2.11.4 Patched Versions: 2.12.0
Mitigation steps: Update to Ultimate Member version 2.12.0 or greater.
Advanced Google reCAPTCHA – Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link
Security Risk: High Vulnerability: Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link CVE: CVE-2026-5415 Number of Installations: 200,000+ Affected Software: Advanced Google reCAPTCHA ≤ 5.38 Patched Versions: 5.39
Mitigation steps: Update to Advanced Google reCAPTCHA version 5.39 or greater.
Advanced Google reCAPTCHA – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Security Risk: High Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload CVE: CVE-2026-5411 Number of Installations: 200,000+ Affected Software: Advanced Google reCAPTCHA ≤ 5.38 Patched Versions: 5.39
Mitigation steps: Update to Advanced Google reCAPTCHA version 5.39 or greater.
Post Duplicator – Authenticated (Contributor+) PHP Object Injection
Security Risk: Medium Vulnerability: Authenticated (Contributor+) PHP Object Injection CVE: CVE-2026-10749 Number of Installations: 200,000+ Affected Software: Post Duplicator < 3.0.15 Patched Versions: 3.0.15
Mitigation steps: Update to Post Duplicator version 3.0.15 or greater.
CleanTalk Anti-Spam – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-8071 Number of Installations: 200,000+ Affected Software: CleanTalk Anti-Spam < 6.79 Patched Versions: 6.79
Mitigation steps: Update to CleanTalk Anti-Spam version 6.79 or greater.
Gutenberg Essential Blocks – Authenticated (Author+) Server-Side Request Forgery
Security Risk: Low Vulnerability: Authenticated (Author+) Server-Side Request Forgery CVE: CVE-2026-10586 Number of Installations: 200,000+ Affected Software: Gutenberg Essential Blocks ≤ 6.1.3 Patched Versions: 6.1.4
Mitigation steps: Update to Gutenberg Essential Blocks version 6.1.4 or greater.
MW WP Form – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-48871 Number of Installations: 200,000+ Affected Software: MW WP Form ≤ 5.1.3 Patched Versions: 5.1.4
Mitigation steps: Update to MW WP Form version 5.1.4 or greater.
Photo Gallery by 10Web – Authenticated (Contributor+) SQL Injection via ‘compact_album_order_by’ Shortcode Parameter
Security Risk: Medium Vulnerability: Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter CVE: CVE-2026-9829 Number of Installations: 200,000+ Affected Software: Photo Gallery by 10Web ≤ 1.8.41 Patched Versions: 1.8.42
Mitigation steps: Update to Photo Gallery by 10Web version 1.8.42 or greater.
Photo Gallery by 10Web – Authenticated (Contributor+) SQL Injection
Security Risk: Medium Vulnerability: Authenticated (Contributor+) SQL Injection CVE: CVE-2026-49771 Number of Installations: 200,000+ Affected Software: Photo Gallery by 10Web ≤ 1.8.41 Patched Versions: 1.8.42
Mitigation steps: Update to Photo Gallery by 10Web version 1.8.42 or greater.
Gutenberg Essential Blocks – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘configurablePrefix’ Block Attribute
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'configurablePrefix' Block Attribute CVE: CVE-2026-10833 Number of Installations: 200,000+ Affected Software: Gutenberg Essential Blocks ≤ 6.1.4 Patched Versions: 6.2.0
Mitigation steps: Update to Gutenberg Essential Blocks version 6.2.0 or greater.
MW WP Form – Authenticated (Editor+) Stored Cross-Site Scripting via ‘memo’ Parameter
Security Risk: Medium Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter CVE: CVE-2026-8853 Number of Installations: 200,000+ Affected Software: MW WP Form ≤ 5.1.3 Patched Versions: 5.1.4
Mitigation steps: Update to MW WP Form version 5.1.4 or greater.
Optimole – Cross-Site Request Forgery via ‘optml_replace_file’ AJAX Action
Security Risk: Low Vulnerability: Cross-Site Request Forgery via 'optml_replace_file' AJAX Action CVE: CVE-2026-11784 Number of Installations: 200,000+ Affected Software: Optimole ≤ 4.2.6 Patched Versions: 4.2.7
Mitigation steps: Update to Optimole version 4.2.7 or greater.
WP Migrate Lite – Cross-Site Request Forgery
Security Risk: Low Vulnerability: Cross-Site Request Forgery CVE: CVE-2026-49043 Number of Installations: 200,000+ Affected Software: WP Migrate Lite ≤ 2.7.8 Patched Versions: 2.7.9
Mitigation steps: Update to WP Migrate Lite version 2.7.9 or greater.
Widget Options – Authenticated (Contributor+) Remote Code Execution
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Remote Code Execution CVE: CVE-2026-54823 Number of Installations: 100,000+ Affected Software: Widget Options ≤ 4.2.3 Patched Versions: 4.2.4
Mitigation steps: Update to Widget Options version 4.2.4 or greater.
Admin Columns – Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value
Security Risk: High Vulnerability: Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value CVE: CVE-2026-7654 Number of Installations: 100,000+ Affected Software: Admin Columns ≤ 7.0.18 Patched Versions: 7.0.19
Mitigation steps: Update to Admin Columns version 7.0.19 or greater.
LatePoint – Authenticated (Contributor+) Privilege Escalation
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Privilege Escalation CVE: CVE-2026-49083 Number of Installations: 100,000+ Affected Software: LatePoint ≤ 5.5.1 Patched Versions: 5.5.2
Mitigation steps: Update to LatePoint version 5.5.2 or greater.
Advanced Ads – Authenticated (Contributor+) Remote Code Execution
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Remote Code Execution CVE: CVE-2026-54816 Number of Installations: 100,000+ Affected Software: Advanced Ads ≤ 2.0.21 Patched Versions: 2.0.22
Mitigation steps: Update to Advanced Ads version 2.0.22 or greater.
LatePoint – Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset
Security Risk: High Vulnerability: Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset CVE: CVE-2026-8176 Number of Installations: 100,000+ Affected Software: LatePoint ≤ 5.5.1 Patched Versions: 5.5.2
Mitigation steps: Update to LatePoint version 5.5.2 or greater.
Responsive Lightbox & Gallery – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-56041 Number of Installations: 100,000+ Affected Software: Responsive Lightbox & Gallery ≤ 2.7.6 Patched Versions: 2.7.7
Mitigation steps: Update to Responsive Lightbox & Gallery version 2.7.7 or greater.
Pods – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-54191 Number of Installations: 100,000+ Affected Software: Pods ≤ 3.3.8 Patched Versions: 3.3.9
Mitigation steps: Update to Pods version 3.3.9 or greater.
Email Address Encoder – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-5305 Number of Installations: 100,000+ Affected Software: Email Address Encoder < 1.0.25 Patched Versions: 1.0.25
Mitigation steps: Update to Email Address Encoder version 1.0.25 or greater.
Advanced Order Export For WooCommerce – Authenticated (Customer+) Stored Cross-Site Scripting
Security Risk: High Vulnerability: Authenticated (Customer+) Stored Cross-Site Scripting CVE: CVE-2026-56042 Number of Installations: 100,000+ Affected Software: Advanced Order Export For WooCommerce ≤ 4.0.9 Patched Versions: 4.0.10
Mitigation steps: Update to Advanced Order Export For WooCommerce version 4.0.10 or greater.
Permalink Manager Lite – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title CVE: CVE-2026-8494 Number of Installations: 100,000+ Affected Software: Permalink Manager Lite ≤ 2.5.3.3 Patched Versions: 2.5.3.4
Mitigation steps: Update to Permalink Manager Lite version 2.5.3.4 or greater.
Photo Gallery by FooGallery – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘custom_attribute_key’ Shortcode Parameter
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_attribute_key' Shortcode Parameter CVE: CVE-2026-9134 Number of Installations: 100,000+ Affected Software: Photo Gallery by FooGallery ≤ 3.1.31 Patched Versions: 3.1.32
Mitigation steps: Update to Photo Gallery by FooGallery version 3.1.32 or greater.
Presto Player – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘link_url’ Shortcode Attribute
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute CVE: CVE-2026-9125 Number of Installations: 100,000+ Affected Software: Presto Player ≤ 4.2.0 Patched Versions: 4.2.1
Mitigation steps: Update to Presto Player version 4.2.1 or greater.
EmbedPress – Authenticated (Contributor+) Stored Cross-Site Scripting via Block ‘url’ Attribute
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Block 'url' Attribute CVE: CVE-2026-7796 Number of Installations: 100,000+ Affected Software: EmbedPress ≤ 4.5.3 Patched Versions: 4.5.4
Mitigation steps: Update to EmbedPress version 4.5.4 or greater.
Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) – Authenticated (Author+) Stored Cross-Site Scripting via Image Attribute
Security Risk: Medium Vulnerability: Authenticated (Author+) Stored Cross-Site Scripting via Image Attribute CVE: CVE-2026-3722 Number of Installations: 100,000+ Affected Software: Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) ≤ 4.9 Patched Versions: 4.9.1
Mitigation steps: Update to Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) version 4.9.1 or greater.
Envira Gallery – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-54190 Number of Installations: 100,000+ Affected Software: Envira Gallery ≤ 1.12.5 Patched Versions: 1.12.6
Mitigation steps: Update to Envira Gallery version 1.12.6 or greater.
Schema & Structured Data for WP & AMP – Unauthenticated Arbitrary Media Upload
Security Risk: High Vulnerability: Unauthenticated Arbitrary Media Upload CVE: CVE-2026-9067 Number of Installations: 100,000+ Affected Software: Schema & Structured Data for WP & AMP < 1.60 Patched Versions: 1.60
Mitigation steps: Update to Schema & Structured Data for WP & AMP version 1.60 or greater.
EmbedPress – Unauthenticated Information Exposure
Security Risk: High Vulnerability: Unauthenticated Information Exposure CVE: CVE-2026-48872 Number of Installations: 100,000+ Affected Software: EmbedPress ≤ 4.5.2 Patched Versions: 4.5.3
Mitigation steps: Update to EmbedPress version 4.5.3 or greater.
WP All Import – Authenticated (Administrator+) SQL Injection
Security Risk: Low Vulnerability: Authenticated (Administrator+) SQL Injection CVE: CVE-2026-57628 Number of Installations: 100,000+ Affected Software: WP All Import ≤ 4.0.1 Patched Versions: 4.1.0
Mitigation steps: Update to WP All Import version 4.1.0 or greater.
Tutor LMS – Authenticated (Administrator+) SQL Injection via ‘data’ Parameter
Security Risk: Low Vulnerability: Authenticated (Administrator+) SQL Injection via 'data' Parameter CVE: CVE-2026-10736 Number of Installations: 100,000+ Affected Software: Tutor LMS ≤ 3.9.11 Patched Versions: 3.9.12
Mitigation steps: Update to Tutor LMS version 3.9.12 or greater.
Advanced Order Export For WooCommerce – Authenticated (Shop Manager+) SQL Injection via ‘sort_direction’ Parameter
Security Risk: Medium Vulnerability: Authenticated (Shop Manager+) SQL Injection via 'sort_direction' Parameter CVE: CVE-2026-11360 Number of Installations: 100,000+ Affected Software: Advanced Order Export For WooCommerce ≤ 4.0.10 Patched Versions: 4.1.0
Mitigation steps: Update to Advanced Order Export For WooCommerce version 4.1.0 or greater.
Ivory Search – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘menu_title’ and ‘menu_magnifier_color’ Settings
Security Risk: Low Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings CVE: CVE-2026-11356 Number of Installations: 100,000+ Affected Software: Ivory Search ≤ 5.5.15 Patched Versions: 5.5.16
Mitigation steps: Update to Ivory Search version 5.5.16 or greater.
Orbit Fox – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘menu-item-icon’ Parameter
Security Risk: Low Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter CVE: CVE-2026-11358 Number of Installations: 100,000+ Affected Software: Orbit Fox ≤ 3.0.6 Patched Versions: 3.0.7
Mitigation steps: Update to Orbit Fox version 3.0.7 or greater.
Feeds for YouTube (YouTube video, channel, and gallery plugin) – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-1631 Number of Installations: 100,000+ Affected Software: Feeds for YouTube (YouTube video, channel, and gallery plugin) < 2.6.4 Patched Versions: 2.6.4
Mitigation steps: Update to Feeds for YouTube (YouTube video, channel, and gallery plugin) version 2.6.4 or greater.
LatePoint – Cross-Site Request Forgery via invoices__change_status Action
Security Risk: Low Vulnerability: Cross-Site Request Forgery via invoices__change_status Action CVE: CVE-2026-9719 Number of Installations: 100,000+ Affected Software: LatePoint ≤ 5.6.0 Patched Versions: 5.6.1
Mitigation steps: Update to LatePoint version 5.6.1 or greater.
JetFormBuilder – Authenticated (Subscriber+) Privilege Escalation
Security Risk: High Vulnerability: Authenticated (Subscriber+) Privilege Escalation CVE: CVE-2026-54196 Number of Installations: 90,000+ Affected Software: JetFormBuilder ≤ 3.6.1 Patched Versions: 3.6.1.1
Mitigation steps: Update to JetFormBuilder version 3.6.1.1 or greater.
Amelia – Authenticated (Subscriber+) Privilege Escalation
Security Risk: Low Vulnerability: Authenticated (Subscriber+) Privilege Escalation CVE: CVE-2026-48889 Number of Installations: 90,000+ Affected Software: Amelia ≤ 2.3 Patched Versions: 2.4
Mitigation steps: Update to Amelia version 2.4 or greater.
OttoKit – Unauthenticated PHP Object Injection
Security Risk: High Vulnerability: Unauthenticated PHP Object Injection CVE: CVE-2026-49781 Number of Installations: 90,000+ Affected Software: OttoKit ≤ 1.1.27 Patched Versions: 1.1.28
Mitigation steps: Update to OttoKit version 1.1.28 or greater.
JetFormBuilder – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-54195 Number of Installations: 90,000+ Affected Software: JetFormBuilder ≤ 3.6.0.1 Patched Versions: 3.6.1
Mitigation steps: Update to JetFormBuilder version 3.6.1 or greater.
Email Encoder – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-5776 Number of Installations: 90,000+ Affected Software: Email Encoder < 2.4.7 Patched Versions: 2.4.7
Mitigation steps: Update to Email Encoder version 2.4.7 or greater.
SureCart – Authenticated (Subscriber+) Stored Cross-Site Scripting
Security Risk: Medium Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting CVE: CVE-2026-57313 Number of Installations: 90,000+ Affected Software: SureCart ≤ 4.2.2 Patched Versions: 4.2.3
Mitigation steps: Update to SureCart version 4.2.3 or greater.
Advanced Import – Authenticated (Author+) Server-Side Request Forgery via ‘demo_file’ Parameter
Security Risk: Low Vulnerability: Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter CVE: CVE-2026-4328 Number of Installations: 90,000+ Affected Software: Advanced Import ≤ 1.4.6 Patched Versions: 2.0.0
Mitigation steps: Update to Advanced Import version 2.0.0 or greater.
SureCart – Reflected Cross-Site Scripting
Security Risk: TBC Vulnerability: Reflected Cross-Site Scripting CVE: CVE-2026-57314 Number of Installations: 90,000+ Affected Software: SureCart ≤ 4.3.2 Patched Versions: 4.3.3
Mitigation steps: Update to SureCart version 4.3.3 or greater.
Everest Forms – Reflected Cross-Site Scripting
Security Risk: TBC Vulnerability: Reflected Cross-Site Scripting CVE: CVE-2026-57312 Number of Installations: 90,000+ Affected Software: Everest Forms ≤ 3.4.8 Patched Versions: 3.5.0
Mitigation steps: Update to Everest Forms version 3.5.0 or greater.
SlimStat Analytics – Unauthenticated PHP Object Injection
Security Risk: High Vulnerability: Unauthenticated PHP Object Injection CVE: CVE-2026-27410 Number of Installations: 80,000+ Affected Software: SlimStat Analytics < 5.4.0 Patched Versions: 5.4.0
Mitigation steps: Update to SlimStat Analytics version 5.4.0 or greater.
Customer Reviews for WooCommerce – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-56043 Number of Installations: 80,000+ Affected Software: Customer Reviews for WooCommerce ≤ 5.110.1 Patched Versions: 5.111.0
Mitigation steps: Update to Customer Reviews for WooCommerce version 5.111.0 or greater.
GetGenie – Unauthenticated Information Exposure
Security Risk: TBC Vulnerability: Unauthenticated Information Exposure CVE: CVE-2026-54197 Number of Installations: 80,000+ Affected Software: GetGenie ≤ 4.4.1 Patched Versions: 4.4.2
Mitigation steps: Update to GetGenie version 4.4.2 or greater.
wpDataTables – Unauthenticated SQL Injection
Security Risk: Critical Vulnerability: Unauthenticated SQL Injection CVE: CVE-2026-54825 Number of Installations: 70,000+ Affected Software: wpDataTables ≤ 7.4 Patched Versions: 7.4.1
Mitigation steps: Update to wpDataTables version 7.4.1 or greater.
wpDataTables – Unauthenticated SQL Injection
Security Risk: Critical Vulnerability: Unauthenticated SQL Injection CVE: CVE-2026-49080 Number of Installations: 70,000+ Affected Software: wpDataTables ≤ 7.3.6 Patched Versions: 7.4
Mitigation steps: Update to wpDataTables version 7.4 or greater.
Bookly – Unauthenticated Stored Cross-Site Scripting via ‘bookly-customer-full-name’ Cookie
Security Risk: Medium Vulnerability: Unauthenticated Stored Cross-Site Scripting via 'bookly-customer-full-name' Cookie CVE: CVE-2026-5513 Number of Installations: 70,000+ Affected Software: Bookly ≤ 27.2 Patched Versions: 27.3
Mitigation steps: Update to Bookly version 27.3 or greater.
Media Library Assistant – Authenticated (Contributor+) SQL Injection
Security Risk: Medium Vulnerability: Authenticated (Contributor+) SQL Injection CVE: CVE-2026-56012 Number of Installations: 70,000+ Affected Software: Media Library Assistant ≤ 3.35 Patched Versions: 3.36
Mitigation steps: Update to Media Library Assistant version 3.36 or greater.
SlimStat Analytics – Authenticated (Subscriber+) SQL Injection
Security Risk: Medium Vulnerability: Authenticated (Subscriber+) SQL Injection CVE: CVE-2026-54818 Number of Installations: 70,000+ Affected Software: SlimStat Analytics ≤ 5.4.11 Patched Versions: 5.4.12
Mitigation steps: Update to SlimStat Analytics version 5.4.12 or greater.
StatCounter – Authenticated (Contributor+) Stored Cross-Site Scripting
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting CVE: CVE-2026-57629 Number of Installations: 70,000+ Affected Software: StatCounter ≤ 2.1.1 Patched Versions: 2.1.2
Mitigation steps: Update to StatCounter version 2.1.2 or greater.
MaxButtons – Reflected Cross-Site Scripting via ‘view’ Parameter
Security Risk: Medium Vulnerability: Reflected Cross-Site Scripting via 'view' Parameter CVE: CVE-2026-13245 Number of Installations: 70,000+ Affected Software: MaxButtons ≤ 9.8.5 Patched Versions: 9.8.6
Mitigation steps: Update to MaxButtons version 9.8.6 or greater.
Media Library Assistant – Reflected Cross-Site Scripting
Security Risk: TBC Vulnerability: Reflected Cross-Site Scripting CVE: CVE-2026-54198 Number of Installations: 70,000+ Affected Software: Media Library Assistant ≤ 3.35 Patched Versions: 3.36
Mitigation steps: Update to Media Library Assistant version 3.36 or greater.
LearnPress – Reflected Cross-Site Scripting
Security Risk: Medium Vulnerability: Reflected Cross-Site Scripting CVE: CVE-2026-48865 Number of Installations: 70,000+ Affected Software: LearnPress ≤ 4.3.6 Patched Versions: 4.3.7
Mitigation steps: Update to LearnPress version 4.3.7 or greater.
LearnPress – Unauthenticated Sensitive Information Exposure via ‘c_status’ and ‘return_type’ Parameters
Security Risk: High Vulnerability: Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters CVE: CVE-2026-8502 Number of Installations: 70,000+ Affected Software: LearnPress ≤ 4.3.6 Patched Versions: 4.3.7
Mitigation steps: Update to LearnPress version 4.3.7 or greater.
Database for Contact Form 7, WPforms, Elementor forms – Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value
Security Risk: High Vulnerability: Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value CVE: CVE-2026-9843 Number of Installations: 60,000+ Affected Software: Database for Contact Form 7, WPforms, Elementor forms ≤ 1.5.1 Patched Versions: 1.5.2
Mitigation steps: Update to Database for Contact Form 7, WPforms, Elementor forms version 1.5.2 or greater.
WP Maps – Authenticated (Subscriber+) Local File Inclusion
Security Risk: High Vulnerability: Authenticated (Subscriber+) Local File Inclusion CVE: CVE-2026-6381 Number of Installations: 60,000+ Affected Software: WP Maps < 4.9.3 Patched Versions: 4.9.3
Mitigation steps: Update to WP Maps version 4.9.3 or greater.
Appointment Booking Calendar – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-57317 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar ≤ 1.6.12.2 Patched Versions: 1.6.12.4
Mitigation steps: Update to Appointment Booking Calendar version 1.6.12.4 or greater.
Master Slider – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-56014 Number of Installations: 60,000+ Affected Software: Master Slider ≤ 3.11.2 Patched Versions: N/A
Mitigation steps: No patched version is listed for this issue. Until the developer releases a fix, deactivate and remove Master Slider, or keep it behind a web application firewall that virtually patches this vulnerability, and check the plugin's changelog for a fixed release.
Drag and Drop Multiple File Upload for Contact Form 7 – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-49055 Number of Installations: 60,000+ Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 ≤ 1.3.9.7 Patched Versions: 1.3.9.8
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.8 or greater.
User Registration & Membership – Missing Authorization to Unauthenticated Payment Bypass
Security Risk: High Vulnerability: Missing Authorization to Unauthenticated Payment Bypass CVE: CVE-2026-1869 Number of Installations: 60,000+ Affected Software: User Registration & Membership ≤ 5.2.0 Patched Versions: 5.2.1
Mitigation steps: Update to User Registration & Membership version 5.2.1 or greater.
WP Maps – Authenticated (Admin+) Stored Cross-Site Scripting via ‘location_messages’ Parameter
Security Risk: Low Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter CVE: CVE-2026-9594 Number of Installations: 60,000+ Affected Software: WP Maps ≤ 4.9.4 Patched Versions: 4.9.5
Mitigation steps: Update to WP Maps version 4.9.5 or greater.
Drag and Drop Multiple File Upload for Contact Form 7 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘drag_n_drop_text’ and ‘drag_n_drop_browse_text’ Settings
Security Risk: Low Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings CVE: CVE-2026-8991 Number of Installations: 60,000+ Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 ≤ 1.3.9.7 Patched Versions: 1.3.9.8
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.8 or greater.
Slim SEO – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-57429 Number of Installations: 60,000+ Affected Software: Slim SEO ≤ 4.6.2 Patched Versions: 4.7.0
Mitigation steps: Update to Slim SEO version 4.7.0 or greater.
FOX – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-57319 Number of Installations: 50,000+ Affected Software: FOX ≤ 1.4.8 Patched Versions: 1.4.9
Mitigation steps: Update to FOX version 1.4.9 or greater.
Blog2Social – Unauthenticated Stored Cross-Site Scripting
Security Risk: High Vulnerability: Unauthenticated Stored Cross-Site Scripting CVE: CVE-2026-56044 Number of Installations: 50,000+ Affected Software: Blog2Social ≤ 8.9.2 Patched Versions: 8.9.3
Mitigation steps: Update to Blog2Social version 8.9.3 or greater.
RTMKit – Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via ‘entries_id’ Parameter
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter CVE: CVE-2026-5149 Number of Installations: 50,000+ Affected Software: RTMKit ≤ 2.0.7 Patched Versions: 2.0.8
Mitigation steps: Update to RTMKit version 2.0.8 or greater.
Exclusive Addons for Elementor – Authenticated (Contributor+) Stored Cross-Site Scripting
Security Risk: Medium Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting CVE: CVE-2026-57620 Number of Installations: 50,000+ Affected Software: Exclusive Addons for Elementor ≤ 2.7.9.8 Patched Versions: 2.7.9.9
Mitigation steps: Update to Exclusive Addons for Elementor version 2.7.9.9 or greater.
Popup Box – Reflected Cross-Site Scripting
Security Risk: TBC Vulnerability: Reflected Cross-Site Scripting CVE: CVE-2026-54192 Number of Installations: 50,000+ Affected Software: Popup Box ≤ 6.2.9 Patched Versions: 6.3.0
Mitigation steps: Update to Popup Box version 6.3.0 or greater.
User Registration & Membership – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-52701 Number of Installations: 50,000+ Affected Software: User Registration & Membership ≤ 5.2.2 Patched Versions: 5.2.3
Mitigation steps: Update to User Registration & Membership version 5.2.3 or greater.
WebToffee – Unauthenticated Information Exposure
Security Risk: TBC Vulnerability: Unauthenticated Information Exposure CVE: CVE-2026-49056 Number of Installations: 50,000+ Affected Software: WebToffee ≤ 4.9.4 Patched Versions: 4.9.5
Mitigation steps: Update to WebToffee version 4.9.5 or greater.
Popup Box – Authenticated (Administrator+) SQL Injection
Security Risk: Low Vulnerability: Authenticated (Administrator+) SQL Injection CVE: CVE-2026-57631 Number of Installations: 50,000+ Affected Software: Popup Box ≤ 6.0.1 Patched Versions: 6.0.2
Mitigation steps: Update to Popup Box version 6.0.2 or greater.
Email Marketing for WooCommerce by Omnisend – Missing Authorization
Security Risk: Medium Vulnerability: Missing Authorization CVE: CVE-2026-57632 Number of Installations: 50,000+ Affected Software: Email Marketing for WooCommerce by Omnisend ≤ 1.19.0 Patched Versions: 1.19.1
Mitigation steps: Update to Email Marketing for WooCommerce by Omnisend version 1.19.1 or greater.
Themes
Blocksy – Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via ‘blocksy_meta’ REST API Field
Security Risk: High Vulnerability: Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field CVE: CVE-2026-8365 Number of Installations: 300,000+ Affected Software: Blocksy ≤ 2.1.41 Patched Versions: 2.1.42
Mitigation steps: Update to Blocksy version 2.1.42 or greater.
Keep WordPress core, plugins and themes updated; applying the fixed versions above is the most direct way to close off the automated attacks these flaws attract. If you cannot update immediately, or no fixed release exists yet (as with Master Slider above), put a web application firewall in front of the site to virtually patch the known vulnerabilities until you can.
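To turn a roundup like this into an actionable check, compare each installed plugin's version against the affected range and the patched version. The script below is an added example, not code from Sucuri or any plugin vendor. The advisory rows are copied from the entries above; the installed-plugin sample is constructed here in the assumed shape of `wp plugin list --format=json` output, and matching on the plugin's display title is an assumption (a real deployment would map by plugin slug). It handles the two range forms the roundup uses (`<` and `≤`), treats `7.4` and `7.4.0` as equal, flags entries with no fixed release, and separately reports versions that fall between the stated affected bound and the patched release.

```python
"""Added example: check installed WordPress plugin versions against this roundup.
Advisory data is copied from the page; the plugin list is a constructed sample
in the assumed shape of `wp plugin list --format=json` output."""
import json
import re

# (title, CVE, operator, affected bound, patched version), taken from the entries above.
# A patched version of None means the page lists no fixed release.
ADVISORIES = [
    ("SlimStat Analytics", "CVE-2026-27410", "<", "5.4.0", "5.4.0"),
    ("SlimStat Analytics", "CVE-2026-54818", "<=", "5.4.11", "5.4.12"),
    ("wpDataTables", "CVE-2026-54825", "<=", "7.4", "7.4.1"),
    ("wpDataTables", "CVE-2026-49080", "<=", "7.3.6", "7.4"),
    ("Master Slider", "CVE-2026-56014", "<=", "3.11.2", None),
    ("Appointment Booking Calendar", "CVE-2026-57317", "<=", "1.6.12.2", "1.6.12.4"),
    ("Bookly", "CVE-2026-5513", "<=", "27.2", "27.3"),
]

# Constructed sample (not captured from a real site); field names are an assumption.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wp-slimstat", "title": "SlimStat Analytics", "status": "active", "version": "5.4.5"},
    {"name": "wpdatatables", "title": "wpDataTables", "status": "active", "version": "7.4"},
    {"name": "master-slider", "title": "Master Slider", "status": "active", "version": "3.11.2"},
    {"name": "appointment-booking-calendar", "title": "Appointment Booking Calendar",
     "status": "inactive", "version": "1.6.12.3"},
    {"name": "bookly-responsive-appointment-booking-tool", "title": "Bookly",
     "status": "active", "version": "27.3"},
])


def parse_version(version):
    """Turn '1.6.12.2' into (1, 6, 12, 2). Non-numeric suffixes such as
    '-beta' are ignored; trailing zeros are dropped so '7.4' == '7.4.0'."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1, padding the shorter tuple with zeros before comparing."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def in_affected_range(installed, operator, bound):
    """'<' and '<=' are the only two forms the roundup uses."""
    result = compare_versions(installed, bound)
    return result < 0 if operator == "<" else result <= 0


def check_site(plugin_list_json):
    """Return one finding per (installed plugin, advisory) pair that needs action."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        for title, cve, operator, bound, patched in ADVISORIES:
            if plugin["title"] != title:
                continue
            affected = in_affected_range(plugin["version"], operator, bound)
            below_patch = patched is not None and compare_versions(plugin["version"], patched) < 0
            if not affected and not below_patch:
                continue
            if patched is None:
                action = "no fixed release listed: deactivate or remove, or virtually patch behind a WAF"
            elif affected:
                action = f"update to {patched}"
            else:
                # Between the stated affected bound and the fix: treat as unverified, update anyway.
                action = f"not in the stated affected range, but below the fix; update to {patched}"
            findings.append({
                "plugin": plugin["name"],
                "installed": plugin["version"],
                "status": plugin["status"],
                "cve": cve,
                "affected": affected,
                "action": action,
            })
    return findings


if __name__ == "__main__":
    for finding in check_site(SAMPLE_WP_PLUGIN_LIST):
        print(f'{finding["plugin"]} {finding["installed"]} ({finding["status"]}): '
              f'{finding["cve"]} -> {finding["action"]}')
```

Note that an inactive plugin is still reported: its files remain on disk, and several of the issues above are reachable without authentication, so deactivation alone is not a mitigation. On a real site, feed it the output of `wp plugin list --fields=name,title,status,version --format=json` and extend `ADVISORIES` with the remaining entries from this page.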