Last week, there were 102 vulnerabilities disclosed in 90 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 35,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 78 |
| Unpatched | 24 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 62 |
| High Severity | 36 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 13 |
| Exposure of Sensitive Information to an Unauthorized Actor | 12 |
| Cross-Site Request Forgery (CSRF) | 8 |
| Missing Authorization | 8 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 5 |
| Deserialization of Untrusted Data | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 3 |
| Incorrect Privilege Assignment | 3 |
| Improper Privilege Management | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Access of Resource Using Incompatible Type (‘Type Confusion’) | 1 |
| Improper Verification of Cryptographic Signature | 1 |
| Incorrect Authorization | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 6 | |
| 5 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 6Storage Rentals | 6storage-rentals |
| ABC Crypto Checkout | payerurl-crypto-currency-payment-gateway-for-woocommerce |
| Accordions | accordions |
| Advanced 301 and 302 Redirect | advanced-301-and-302-redirect |
| Affiliates Manager | affiliates-manager |
| Ajax Load More – Infinite Scroll, Load More, & Lazy Load | ajax-load-more |
| AJAX Report Comments | report-comments |
| Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates | animation-addons-for-elementor |
| aThemes Addons for Elementor | athemes-addons-for-elementor-lite |
| Booking (Reservation & Appointment) | directorist-booking |
| BookPro – Appointment Booking WordPress Plugin | ovabookpro |
| Canvas | canvas |
| CleanTalk Anti-Spam. Spam Firewall & Bot protection | cleantalk-spam-protect |
| Conekta Payment Gateway | conekta-payment-gateway |
| Coupon Affiliates – Affiliate Plugin for WooCommerce | woo-coupon-usage |
| Custom Block Builder – Lazy Blocks | lazy-blocks |
| Customer Support Ticket System & Helpdesk | wp-ticket |
| Decent Comments | decent-comments |
| Digital Signature Add-on for WooCommerce | woocommerce-digital-signature |
| Doctreat Core | doctreat_core |
| Easy Image Collage | easy-image-collage |
| eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
| Enable Media Replace | enable-media-replace |
| Events Calendar for GeoDirectory | events-for-geodirectory |
| Extra Settings for RocketChat | extra-settings-for-rocketchat |
| FastDup – Fastest WordPress Migration & Duplicator | fastdup |
| FastPicker, an order picker and order management system (oms) for WooCommerce on steroids | fastpicker |
| Faust.js | faustwp |
| Fediverse Embeds | fediverse-embeds |
| Feeds for YouTube (YouTube video, channel, and gallery plugin) | feeds-for-youtube |
| Fortis for WooCommerce | fortis-for-woocommerce |
| FV Flowplayer Video Player | fv-wordpress-flowplayer |
| Global Body Mass Index Calculator | global-body-mass-index-calculator |
| GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites | gptranslate |
| Hash Elements | hash-elements |
| Helpfulcrowd Product Reviews | helpfulcrowd-product-reviews |
| Hippoo Mobile App for WooCommerce | hippoo |
| JetBlog | jet-blog |
| JetEngine | jet-engine |
| jQuery Hover Footnotes | jquery-hover-footnotes |
| kk blog card | kk-blog-card |
| Knit Pay – Cashfree, Instamojo, Razorpay, PayPal and more | knit-pay |
| Listdom: AI-powered Business Directory with Classifieds Ads Listings | listdom |
| LoginPress Pro | loginpress-pro |
| LWS Optimize – All-in-One Speed Booster & Cache Tools | lws-optimize |
| MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | mailerpress |
| Masteriyo LMS – LMS Course Builder, Quizzes & Certificates | learning-management-system |
| Meow Gallery | meow-gallery |
| MW WP Form | mw-wp-form |
| Newsletters | newsletters-lite |
| Online Scheduling and Appointment Booking System – Bookly | bookly-responsive-appointment-booking-tool |
| Open User Map PRO | open-user-map-pro |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
| Payment forms, Buy now buttons, and Invoicing System | GetPaid | invoicing |
| Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel | foogallery |
| Plugin Name: ePaperFlip Publisher | epaperflip-publisher |
| Presto Player | presto-player |
| Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages | unlimited-elementor-inner-sections-by-boomdevs |
| Product Filter Widget for Elementor | product-filter-widget-for-elementor |
| PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | pushengage |
| Recover Exit For WooCommerce | recoverexit-for-woocommerce |
| RomanCart Ecommerce | romancart-ecommerce |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
| SEO Redirection Plugin – 301 Redirect Manager | seo-redirection |
| Slider Revolution | revslider |
| Store Locator WordPress | agile-store-locator |
| Taskbuilder – Project Management & Task Management Tool With Kanban Board | taskbuilder |
| The Events Calendar | the-events-calendar |
| TinyMCE shortcode Addon | 360crest-themeone-tinymce-shortcodes |
| UpdraftPlus Premium | updraftplus |
| UpdraftPlus: WP Backup & Migration Plugin | updraftplus |
| User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | wp-user-frontend |
| VikRentCar Car Rental Management System | vikrentcar |
| WCMultiShipping — Mondial Relay, Inpost & Chronopost for WooCommerce | wc-multishipping |
| WooCommerce Anti-Fraud | woocommerce-anti-fraud |
| WooCommerce Dropshipping Premium | woocommerce-dropshipping |
| WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite. | wp_scraper |
| WP ApplicantStack Jobs Display | wp-applicantstack-jobs-display |
| WP Emoticon Rating | wp-emoticon-rating |
| WP GDPR Cookie Consent | wp-gdpr-cookie-consent |
| WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters | wp-google-map-plugin |
| WP Meta Sort Posts | wp-meta-sort-posts |
| WP Migrate Lite – Migration Made Easy | wp-migrate-db |
| WP Photo Album Plus | wp-photo-album-plus |
| WP-Ultimate-Map | wp-ultimate-map |
| WPC Product Options for WooCommerce | wpc-product-options |
| wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | wpdatatables |
| WpMobi | wp-mobi |
| WPZOOM Portfolio Lite – Filterable Portfolio Plugin | wpzoom-portfolio |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Blocksy | blocksy |
| EventPress | eventpress |
| Kastell – WordPress Theme for Single Properties and Apartments | kastell |
| nifty | nifty |
| XStore | xstore |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Affected Software
Doctreat Core [doctreat_core]
Researcher
Affected Software
Researcher
Affected Software
LoginPress Pro [loginpress-pro]
Researcher
Affected Software
Researcher
Affected Software
Blocksy [blocksy]
Researcher
Affected Software
Events Calendar for GeoDirectory [events-for-geodirectory]
Researcher
Affected Software
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates [learning-management-system]
Researcher
Affected Software
Researcher
Recover Exit For WooCommerce <= 1.0.3 – Unauthenticated Local File Inclusion via ‘tpf’ Parameter
8.1
Affected Software
Recover Exit For WooCommerce [recoverexit-for-woocommerce]
Researcher
Affected Software
UpdraftPlus: WP Backup & Migration Plugin [updraftplus]
UpdraftPlus Premium [updraftplus]
Researcher
Affected Software
6Storage Rentals [6storage-rentals]
Researcher
Affected Software
Advanced 301 and 302 Redirect [advanced-301-and-302-redirect]
Researcher
Affected Software
BookPro – Appointment Booking WordPress Plugin [ovabookpro]
Researcher
Affected Software
Decent Comments [decent-comments]
Researcher
Affected Software
eCommerce Product Catalog Plugin for WordPress [ecommerce-product-catalog]
Researcher
Affected Software
Newsletters [newsletters-lite]
Researcher
Affected Software
The Events Calendar [the-events-calendar]
Researcher
Affected Software
Researcher
Affected Software
WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters [wp-google-map-plugin]
Researcher
Affected Software
WP Photo Album Plus [wp-photo-album-plus]
Researcher
Affected Software
Customer Support Ticket System & Helpdesk [wp-ticket]
Researcher
Affected Software
WPC Product Options for WooCommerce [wpc-product-options]
Researcher
Affected Software
Researcher
Affected Software
XStore [xstore]
Researcher
Affected Software
Ajax Load More – Infinite Scroll, Load More, & Lazy Load [ajax-load-more]
Researcher
Affected Software
CleanTalk Anti-Spam. Spam Firewall & Bot protection [cleantalk-spam-protect]
Researcher
Affected Software
Email Encoder – Protect Email Addresses and Phone Numbers [email-encoder-bundle]
Researcher
Affected Software
Fediverse Embeds [fediverse-embeds]
Researcher
Affected Software
Fediverse Embeds [fediverse-embeds]
Researcher
Affected Software
FV Flowplayer Video Player [fv-wordpress-flowplayer]
Researchers
GPTranslate <= 2.31 – Unauthenticated Stored Cross-Site Scripting via REST API Translation Storage
7.2
Affected Software
Affected Software
Online Scheduling and Appointment Booking System – Bookly [bookly-responsive-appointment-booking-tool]
Researcher
SEO Redirection Plugin – 301 Redirect Manager <= 9.17 – Unauthenticated Stored Cross-Site Scripting
7.2
Affected Software
SEO Redirection Plugin – 301 Redirect Manager [seo-redirection]
Researcher
Affected Software
WPZOOM Portfolio Lite – Filterable Portfolio Plugin [wpzoom-portfolio]
Researcher
Affected Software
Booking (Reservation & Appointment) [directorist-booking]
Researcher
Affected Software
Slider Revolution [revslider]
Researcher
Affected Software
Researcher
Affected Software
WCMultiShipping — Mondial Relay, Inpost & Chronopost for WooCommerce [wc-multishipping]
Researcher
Accordions <= 2.3.23 – Authenticated (Custom+) Stored Cross-Site Scripting via Accordion Body Field
6.4
Affected Software
Accordions [accordions]
Researcher
Affected Software
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]
Researcher
Affected Software
aThemes Addons for Elementor [athemes-addons-for-elementor-lite]
Researcher
Canvas <= 2.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘tag’ Block Attribute
6.4
Affected Software
Canvas [canvas]
Researcher
Affected Software
Easy Image Collage [easy-image-collage]
Researcher
Affected Software
Enable Media Replace [enable-media-replace]
Researcher
Affected Software
Plugin Name: ePaperFlip Publisher [epaperflip-publisher]
Researcher
Affected Software
Extra Settings for RocketChat [extra-settings-for-rocketchat]
Researcher
Affected Software
Global Body Mass Index Calculator [global-body-mass-index-calculator]
Researcher
Affected Software
jQuery Hover Footnotes [jquery-hover-footnotes]
Researcher
Affected Software
kk blog card [kk-blog-card]
Researcher
Affected Software
Researcher
Affected Software
Affected Software
Researcher
Affected Software
Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages [unlimited-elementor-inner-sections-by-boomdevs]
Researcher
Affected Software
RomanCart Ecommerce [romancart-ecommerce]
Researcher
Affected Software
Presto Player [presto-player]
Researcher
Affected Software
TinyMCE shortcode Addon [360crest-themeone-tinymce-shortcodes]
Researcher
Affected Software
WP ApplicantStack Jobs Display [wp-applicantstack-jobs-display]
Researcher
Affected Software
WP GDPR Cookie Consent [wp-gdpr-cookie-consent]
Researchers
Affected Software
Product Filter Widget for Elementor [product-filter-widget-for-elementor]
Researcher
Affected Software
WP Emoticon Rating [wp-emoticon-rating]
Researcher
Affected Software
WP-Ultimate-Map [wp-ultimate-map]
Researcher
Affected Software
ABC Crypto Checkout [payerurl-crypto-currency-payment-gateway-for-woocommerce]
Researcher
Affected Software
Affiliates Manager [affiliates-manager]
Researcher
Affected Software
Conekta Payment Gateway [conekta-payment-gateway]
Researcher
Affected Software
Digital Signature Add-on for WooCommerce [woocommerce-digital-signature]
Researcher
Affected Software
Researcher
Affected Software
Helpfulcrowd Product Reviews [helpfulcrowd-product-reviews]
Researcher
Affected Software
Hippoo Mobile App for WooCommerce [hippoo]
Researcher
Affected Software
JetBlog [jet-blog]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Schema & Structured Data for WP & AMP [schema-and-structured-data-for-wp]
Researcher
VikRentCar Car Rental Management System <= 1.4.5 – Unauthenticated Insecure Direct Object Reference
5.3
Affected Software
VikRentCar Car Rental Management System [vikrentcar]
Researcher
Affected Software
WooCommerce Anti-Fraud [woocommerce-anti-fraud]
Researcher
Affected Software
WooCommerce Dropshipping Premium [woocommerce-dropshipping]
Researcher
Affected Software
LWS Optimize – All-in-One Speed Booster & Cache Tools [lws-optimize]
Researcher
Affected Software
Open User Map PRO [open-user-map-pro]
Researcher
Affected Software
Custom Block Builder – Lazy Blocks [lazy-blocks]
Researcher
Affected Software
MW WP Form [mw-wp-form]
Researcher
Affected Software
Store Locator WordPress [agile-store-locator]
Researcher
Affected Software
AJAX Report Comments [report-comments]
Researcher
Affected Software
Coupon Affiliates – Affiliate Plugin for WooCommerce [woo-coupon-usage]
Researcher
Affected Software
Researcher
Affected Software
Faust.js [faustwp]
Researcher
Affected Software
Feeds for YouTube (YouTube video, channel, and gallery plugin) [feeds-for-youtube]
Researcher
Affected Software
Hash Elements [hash-elements]
Researcher
Affected Software
jQuery Hover Footnotes [jquery-hover-footnotes]
Researcher
Affected Software
Meow Gallery [meow-gallery]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
WP Meta Sort Posts [wp-meta-sort-posts]
Researcher
Affected Software
WP Migrate Lite – Migration Made Easy [wp-migrate-db]
Researcher
Affected Software
WpMobi [wp-mobi]
Researcher
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 8, 2026 to June 14, 2026) appeared first on Wordfence.