Last week, there were 87 vulnerabilities disclosed in 198 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 60 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone in the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, Wordfence gives site owners the assurance that we have their back.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 35,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-909 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-910 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 84 |
| Unpatched | 3 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 50 |
| High Severity | 34 |
| Critical Severity | 3 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 30 |
| Missing Authorization | 19 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 10 |
| Exposure of Sensitive Information to an Unauthorized Actor | 6 |
| Server-Side Request Forgery (SSRF) | 3 |
| Authentication Bypass Using an Alternate Path or Channel | 2 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Cross-Site Request Forgery (CSRF) | 2 |
| Deserialization of Untrusted Data | 2 |
| Improper Authorization | 2 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Improper Privilege Management | 2 |
| External Control of Assumed-Immutable Web Parameter | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Insufficient Verification of Data Authenticity | 1 |
| Insufficiently Protected Credentials | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| | 5 |
| | 5 |
| | 4 |
| | 4 |
| | 4 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Advanced Classifieds & Directory Pro | advanced-classifieds-and-directory-pro |
| Advanced Scrollbar – Custom Scrollbar Styling and Behavior | advanced-scrollbar |
| AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | add-expires-headers |
| AFI – The Easiest Integration Plugin | advanced-form-integration |
| AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o | aibuddy-openai-chatgpt |
| AI Puffer – Chat. Create. Automate. (formerly AI Power) | gpt3-ai-content-generator |
| AidWP – Donation & Payment Forms (Stripe Powered) | wp-stripe-donation |
| Announcement & Notification Banner – Bulletin | bulletin-announcements |
| Anti-Spam Protection – No API Key, GDPR Friendly | fullworks-anti-spam |
| App Builder – Create Native Android & iOS Apps On The Flight | app-builder |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments |
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| Auto-Install Free SSL – Generate & Install Free SSL Certificates | auto-install-free-ssl |
| Automatic Internal Links for SEO by Pagup | automatic-internal-links-for-seo |
| Automatic YouTube Gallery | automatic-youtube-gallery |
| AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress | automatorwp |
| AWCA – The Great Analytics Insights for Your eStore | advance-wc-analytics |
| bBlocks – Essential Gutenberg Blocks & Patterns Collection | b-blocks |
| Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages | bp-better-messages |
| BlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block Editor | blockspare |
| Blog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, News | blog-designer-pack |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking |
| Booking Package | booking-package |
| Brizy – Page Builder | brizy |
| Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) | bulk-image-alt-text-with-yoast |
| Bulk Edit Posts and Products in Spreadsheet | wp-sheet-editor-bulk-spreadsheet-editor-for-posts-and-pages |
| Call for Price for WooCommerce | woocommerce-call-for-price |
| Carousel, Recent Post Slider and Banner Slider | spice-post-slider |
| Check & Log Email – Easy Email Testing & Mail logging | check-email |
| Checkout with Cash App on WooCommerce | wc-cashapp |
| Classified Listing – AI-Powered Classified ads & Business Directory Plugin | classified-listing |
| Code Manager | code-manager |
| Complianz – GDPR/CCPA Cookie Consent | complianz-gdpr |
| Contact Form 7 Multi-Step Forms | contact-form-7-multi-step-module |
| Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | contest-gallery |
| Coupon Affiliates – Affiliate Plugin for WooCommerce | woo-coupon-usage |
| Custom PHP Settings | custom-php-settings |
| Custom WooCommerce Checkout Fields Editor | add-fields-to-checkout-page-woocommerce |
| Delete Posts automatically | delete-old-posts-programmatically |
| Disable Payment Methods based on cart conditions for WooCommerce | woo-conditional-payment-gateways |
| Display Eventbrite Events | widget-for-eventbrite-api |
| Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy | dokan-lite |
| Dracula Dark Mode – Accessibility, Reading Mode & Dark Mode for WordPress | dracula-dark-mode |
| Dynamic Copyright Year | dynamic-copyright-year |
| Easy Age Verify | easy-age-verify |
| Easy Appointment Booking & Scheduling System – Webba Booking Calendar | webba-booking-lite |
| Easy Social Feed – Social Photos Gallery and Post Feed for WordPress | easy-facebook-likebox |
| EazyDocs – AI Powered Knowledge Base, Wiki, Documentation & FAQ Builder | eazydocs |
| Elementor Website Builder – more than just a page builder | elementor |
| EleSpare – News, Magazine and Blog Addons for Elementor | elespare |
| Embedder for Google Reviews | embedder-for-google-reviews |
| Event Tickets and Registration | event-tickets |
| Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | wp-event-solution |
| Events Addon for Elementor | events-addon-for-elementor |
| Favicon Rotator | favicon-rotator |
| Featured Images in RSS for Mailchimp & More | featured-images-for-rss-feeds |
| File Manager for Google Drive – Integrate Google Drive | integrate-google-drive |
| Five Star Restaurant Reservations – WordPress Booking Plugin | restaurant-reservations |
| Five-Star Ratings Shortcode | five-star-ratings-shortcode |
| Forumax – AI Powered Advanced Community Forum Plugin | bbp-core |
| Full Screen Background | fullscreen-background |
| FundPress – WordPress Donation Plugin | fundpress |
| FunnelKit – Funnel Builder for WooCommerce Checkout | funnel-builder |
| GA4WP – Analytics Dashboard for the Website | ga-for-wp |
| Gallery by FooGallery | foogallery |
| GD Rating System | gd-rating-system |
| Geo Mashup | geo-mashup |
| Glossary | glossary-by-codeat |
| Go Fetch Jobs (for WP Job Manager) | go-fetch-jobs-wp-job-manager |
| Goal Tracker – Custom Event Tracking for GA4 | goal-tracker-ga |
| Gravity Forms | gravityforms |
| Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns | essential-blocks |
| HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player | html5-audio-player |
| Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AI | alt-manager |
| Import and export users and customers | import-users-from-csv-with-meta |
| Inavii Social Feed | inavii-social-feed-for-elementor |
| Independent Analytics | independent-analytics |
| Internal Link Juicer: SEO Auto Linker for WordPress | internal-links |
| Ivory Search – WordPress Search Plugin | add-search-to-menu |
| Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress | jeg-elementor-kit |
| JetEngine | jet-engine |
| Joli Table Of Contents | joli-table-of-contents |
| JoomSport – for Sports: Team & League, Football, Hockey & more | joomsport-sports-league-results-management |
| Justified Gallery | justified-gallery |
| Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce | map-location-picker-at-checkout-for-woocommerce |
| Knowledge Base documentation & wiki plugin – BasePress Docs | basepress |
| LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint |
| Lightbox & Modal Popup WordPress Plugin – FooBox | foobox-image-lightbox |
| Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid | logo-showcase-with-slick-slider |
| MapGeo – Interactive Geo Maps | interactive-geo-maps |
| Mapster WP Maps | mapster-wp-maps |
| Marijuana Age Verify | easy-marijuana-age-verify |
| Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits | master-addons |
| MaxiBlocks Builder \| 17,000+ Design Assets, Patterns, Icons & Starter Sites | maxi-blocks |
| Menu Image, Icons made easy | menu-image |
| Message Filter for Contact Form 7 | cf7-message-filter |
| Meta Field Block – Display custom fields in the Block Editor without coding | display-a-meta-field-as-block |
| Mixed Media Gallery Blocks | simply-gallery-block |
| Music Player for Elementor – Audio Player & Podcast Player | music-player-for-elementor |
| My Social Feeds – Social Feeds Embedder Plugin for WP | my-social-feeds |
| NEX-Forms – Ultimate Forms Plugin for WordPress | nex-forms-express-wp-form-builder |
| NextMove Lite – Thank You Page for WooCommerce | woo-thank-you-page-nextmove-lite |
| Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar | foobar-notifications-lite |
| Ocean Extra | ocean-extra |
| Open User Map | open-user-map |
| Order Delivery Date for WooCommerce | order-delivery-date-for-woocommerce |
| Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | otter-blocks |
| Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
| Pay For Post with WooCommerce | woocommerce-pay-per-post |
| Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management | wp-payment-form |
| Payment Gateway for ACBA BANK | wc-hkdigital-acba-gateway |
| PDF Poster – Display PDF Files with Custom Viewer | pdf-poster |
| PixelYourSite Pro – Your smart PIXEL (TAG) Manager | pixelyoursite-pro |
| Place Order Without Payment for WooCommerce | wc-place-order-without-payment |
| Post List Designer – Category Post, Recent Post, Post List | post-list-designer |
| Post Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post Slider | post-slider-and-carousel |
| Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | post-smtp |
| Post to Google My Business (Google Business Profile) | post-to-google-my-business |
| PowerPack Pro for Elementor | powerpack-elements |
| Premium Addons for Elementor – Powerful Elementor Templates & Widgets | premium-addons-for-elementor |
| Premmerce Permalink Manager for WooCommerce | woo-permalink-manager |
| Premmerce Product Filter for WooCommerce | premmerce-woocommerce-product-filter |
| Primary Addon for Elementor | primary-addon-for-elementor |
| Product Layouts for WooCommerce | product-layouts |
| Profile Builder Pro | profile-builder-pro |
| Quiz Maker by AYS | quiz-maker |
| Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player | radio-player |
| Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | radio-station |
| Remove Add to Cart WooCommerce | remove-add-to-cart-woocommerce |
| Restaurant & Cafe Addon for Elementor | restaurant-cafe-addon-for-elementor |
| Restrict – membership, site, content and user access restrictions for WordPress | restricted-content |
| RevivePress – Keep your Old Content Evergreen | wp-auto-republish |
| Role Based Pricing for Woo by Meow Crew | role-and-customer-based-pricing-for-woocommerce |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons |
| Salon Booking System – Free Version | salon-booking-system |
| Secure Gateway for Authorize.net and WooCommerce by Pledged Plugins | woo-authorize-net-gateway-aim |
| Security Ninja – WordPress Security & Firewall | security-ninja |
| Send Users Email – Email Subscribers, Email Marketing Newsletter | send-users-email |
| Share This Image | share-this-image |
| Simple Link Directory | simple-link-directory |
| Smart phone field for Gravity Forms | smart-phone-field-for-gravity-forms |
| Social Post Embed | social-post-embed |
| Solid Testimonials – Testimonial Slider, Video Testimonials & Customer Reviews | gs-testimonial |
| Spotlight Social Feeds – Block, Shortcode, and Widget | spotlight-social-photo-feeds |
| StoreCustomizer – A plugin to Customize all WooCommerce Pages | woocustomizer |
| StreamWeasels Twitch Integration | streamweasels-twitch-integration |
| SureForms Pro | sureforms-pro |
| TablePress – Tables in WordPress made easy | tablepress |
| Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | tablesome |
| Team Members Showcase | wps-team |
| Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More | gs-team-members |
| Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! | templately |
| Temporary Login | temporary-login |
| Text To Speech TTS Accessibility | text-to-audio |
| Thank You Page for WooCommerce | wc-thanks-redirect |
| TheGem Theme Elements | thegem-elements-elementor |
| Timeline Blocks for Gutenberg | timeline-blocks |
| TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | wp-top-news |
| Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid | boldgrid-backup |
| TreePress – Easy Family Trees & Ancestor Profiles | treepress |
| Ultimate Dashboard – Custom WordPress Dashboard | ultimate-dashboard |
| Ultimeter | ultimeter |
| Unlimited Elements For Elementor | unlimited-elements-for-elementor |
| URL Shortify – Simple and Easy URL Shortener | url-shortify |
| User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | wp-user-frontend |
| User Registration Advanced Fields | user-registration-advanced-fields |
| User Verification by PickPlugins | user-verification |
| Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments | wallet-system-for-woocommerce |
| WCFM – Frontend Manager for WooCommerce | wc-frontend-manager |
| Widget Options – Extended | extended-widget-options |
| Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | widget-options |
| Widgets for Social Photo Feed | social-photo-feed-widget |
| Widgets on Pages | widgets-on-pages |
| WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | tripetto |
| WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms | cf7-styler |
| WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes | wp-books-gallery |
| WP Coupons and Deals – Coupon Plugin For Affiliate Marketers | wp-coupons-and-deals |
| WP Customer Area | customer-area |
| WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | wp-data-access |
| WP Editor | wp-editor |
| WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan | wp-letsencrypt-ssl |
| WP fail2ban – Advanced Security | wp-fail2ban |
| WP Mail Gateway | wp-mail-gateway |
| WP Meta and Date Remover | wp-meta-and-date-remover |
| WP Meteor Website Speed Optimization Addon | wp-meteor |
| WP Mobile Menu – The Mobile-Friendly Responsive Menu | mobile-menu |
| WP Notification Bell | wp-notification-bell |
| WP Page Templates | custom-page-templates-by-vegacorp |
| WP Post Author – Author Box, Multiple Authors, Guest Authors & Custom Avatars | wp-post-author |
| WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
| WPBITS Addons For Elementor Page Builder | wpbits-addons-for-elementor |
| WPC Smart Messages for WooCommerce | wpc-smart-messages |
| WPIDE – File Manager & Code Editor | wpide |
| WPPizza – A Restaurant Plugin | wppizza |
| XT Floating Cart for WooCommerce | woo-floating-cart-lite |
| XT Quick View for WooCommerce | xt-woo-quick-view-lite |
| XT Variation Swatches for WooCommerce | xt-woo-variation-swatches |
| YASR – Yet Another Star Rating Plugin for WordPress | yet-another-stars-rating |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AI Lab – Machine Learning WordPress Theme | ailab |
| Flipmart – MegaOne Multipurpose WordPress Theme | flipmart |
| Ona | ona |
| Total | total |
| Woostify | woostify |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information and add additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026) appeared first on Wordfence.