Last week, there were 157 vulnerabilities disclosed in 122 WordPress Plugins and 27 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 69 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 35,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
-
-
- WAF-RULE-908 – Data redacted while we work with the vendor on a patch.
-
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 115 |
| Unpatched | 42 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 104 |
| High Severity | 47 |
| Critical Severity | 6 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 47 |
| Missing Authorization | 34 |
| Deserialization of Untrusted Data | 23 |
| Cross-Site Request Forgery (CSRF) | 12 |
| Unrestricted Upload of File with Dangerous Type | 9 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 8 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 6 |
| Exposure of Sensitive Information to an Unauthorized Actor | 5 |
| Authorization Bypass Through User-Controlled Key | 4 |
| Improper Control of Generation of Code (‘Code Injection’) | 3 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2 |
| External Control of File Name or Path | 1 |
| Improper Input Validation | 1 |
| Improper Neutralization of CRLF Sequences (‘CRLF Injection’) | 1 |
| Improper Privilege Management | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 17 | |
| 12 | |
| 9 | |
| 9 | |
| 6 | |
| 5 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| ACF Galerie 4 | acf-galerie-4 |
| Advanced Product Fields (Product Addons) for WooCommerce | advanced-product-fields-for-woocommerce |
| Anti-Malware Security and Brute-Force Firewall | gotmls |
| AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress | automatorwp |
| BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor | betterdocs |
| Blocksy Companion Pro | blocksy-companion-pro |
| Bookify – Appointment Booking & Scheduling for WordPress | bookify |
| Booking Calendar Contact Form | booking-calendar-contact-form |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking |
| Booking Package | booking-package |
| Bookit — Booking & Appointment Calendar | bookit |
| Bread & Butter: AI-Powered Lead Intelligence | bread-butter |
| Breaking News WP | breaking-news-wp |
| Breeze Cache | breeze |
| Buzz Comments | buzz-comments |
| CalJ Shabbat Times | calj |
| Call To Action Plugin | call-to-action-plugin |
Chatbot for WordPress by Collect.chat  |
collectchat |
| CI HUB Connector | ci-hub-connector |
| Contact Form Extender for Divi – Submissions DB & Extra Fields | contact-form-extender-for-divi-builder |
| Contact Form to Any API | contact-form-to-any-api |
| Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | contest-gallery |
| Coupon Affiliates – Affiliate Plugin for WooCommerce | woo-coupon-usage |
| Create DB Tables | create-db-tables |
| Download Monitor | download-monitor |
| Drag and Drop File Upload for Contact Form 7 | drag-and-drop-file-upload-for-contact-form-7 |
| DX Unanswered Comments | dx-unanswered-comments |
| E-cab Taxi Booking Manager for Woocommerce | ecab-taxi-booking-manager |
| Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | easy-digital-downloads |
| Easy Social Photos Gallery – MIF | my-instagram-feed |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
| Emailchef | emailchef |
| ER Swiffy Insert | er-swiffy-insert |
| Essential Addons for Elementor – Popular Elementor Templates & Widgets | essential-addons-for-elementor-lite |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
| Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | everest-forms |
| ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | google-analytics-dashboard-for-wp |
| Fast & Fancy Filter – 3F | fast-fancy-filter-3f |
| Feed KuantoKusta for WooCommerce – Free | feed-kuantokusta-for-woocommerce |
| FunnelFormsPro | Funnelforms-pro |
| FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | wp-marketing-automations |
| Gallagher Website Design | gallagher-website-design |
| GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | geeky-bot |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| Google PageRank Display | google-pagerank-display |
| Groundhogg — CRM, Newsletters, and Marketing Automation | groundhogg |
| Gutentools | gutentools |
| Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor | gutentor |
| Highland Software Custom Role Manager | highland-software-custom-role-manager |
| HT Mega Addons for Elementor – Elementor Widgets & Template Builder | ht-mega-for-elementor |
| HTTP Headers | http-headers |
| HubSpot All-In-One Marketing – Forms, Popups, Live Chat | leadin |
| Image Source Control Lite – Show Image Credits and Captions | image-source-control-isc |
| InPost Gallery | inpost-gallery |
| Inquiry cart | inquiry-cart |
| ITERAS | iteras |
| Jupiter X Core | jupiterx-core |
| Kcaptcha | kcaptcha |
| KiviCare – Clinic & Patient Management System (EHR) | kivicare-clinic-management-system |
| Liaison Site Prober | liaison-site-prober |
| Link Library | link-library |
| ListingPro Plugin | listingpro-plugin |
| MasterStudy LMS Pro | masterstudy-lms-learning-management-system-pro |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
| MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites | maxi-blocks |
| mCatFilter | mcatfilter |
| Min Max Step Quantity Limits Manager for WooCommerce | product-quantity-for-woocommerce |
| Modula Image Gallery – Photo Grid & Video Gallery | modula-best-grid-gallery |
| Motors – Car Dealership & Classified Listings Plugin | motors-car-dealership-classified-listings |
| Ni WooCommerce Order Export | ni-woocommerce-order-export |
| Notification for Telegram | notification-for-telegram |
| Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar |
| Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
| PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
| Plugin: CMS für Motorrad Werkstätten | cms-fuer-motorrad-werkstaetten |
| Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred | mycred |
| Posts map | posts-map |
| Private WP suite | private-wp-suite |
| Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker | quiz-master-next |
| Quran Live Multilanguage | quran-live |
| Real Estate Pro | re-pro |
| reCaptcha by WebDesignBy | webdesignby-recaptcha |
| RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress | computer-repair-shop |
| Rescue Shortcodes | rescue-shortcodes |
| Responsive Blocks – Page Builder for Blocks & Patterns | responsive-block-editor-addons |
| ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | reviewx |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons |
| Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini | royal-mcp |
| rtMedia for WordPress, BuddyPress and bbPress | buddypress-media |
| Salon Booking System – Free Version | salon-booking-system |
| Sendmachine for WordPress | sendmachine |
| Sentence To SEO (keywords, description and tags) | sentence-to-seo |
| Short Comment Filter | short-comment-filter |
| ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | shortpixel-image-optimiser |
| Simple Random Posts Shortcode | simple-random-posts-shortcode |
| Slider Bootstrap Carousel | slider-bootstrap-carousel |
| Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | ml-slider |
| SlideShowPro SC | slideshowpro-shortcode |
| Social Rocket – Social Sharing Plugin | social-rocket |
| Switch CTA Box | switch-cta-box |
| Table Manager | table-manager |
| Taqnix | taqnix |
| Text Snippets | text-snippet |
| TextP2P Texting Widget | textp2p-texting-widget |
| TP Restore Categories And Taxonomies | tp-restore-categories-and-taxonomies |
| Tutor LMS – eLearning and online course solution | tutor |
| Twittee Text Tweet | twittee-text-tweet |
| Website LLMs.txt | website-llms-txt |
| WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes | wp-books-gallery |
| WP Responsive Popup + Optin | wp-popup-optin |
| WP Sessions Time Monitoring Full Automatic | activitytime |
| WP Store Locator | wp-store-locator |
| WP Time Slots Booking Form | wp-time-slots-booking-form |
| WPAdverts – Classifieds Plugin | wpadverts |
| WPBot – AI ChatBot for Live Support, Lead Generation, AI Services | chatbot |
| wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | wpdatatables |
| wpForo Forum | wpforo |
| WPGraphQL | wp-graphql |
| WPMK Block | wpmk-block |
| WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce | wp-sms |
| YayMail – WooCommerce Email Customizer | yaymail |
| Zypento Blocks | zypento-blocks |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Alukas – Luxury Jewelry Store WooCommerce WordPress Theme | alukas |
| Ashtanga – Yoga Studio WordPress Theme | ashtanga |
| Atomlab – Startup Landing Page WordPress Theme | atomlab |
| Avada | Website Builder For WordPress & WooCommerce | Avada |
| behold | behold |
| Bricks | bricks |
| Charity Zone | charity-zone |
| Château – Winery and Wine Shop WordPress Theme | chateau |
| EasyMeals – Food Blog WordPress Theme | easymeals |
| Ecommerce Zone | ecommerce-zone |
| Elementra – 100% Elementor WordPress Theme | elementra |
| EmallShop – Responsive WooCommerce WordPress Theme | emallshop |
| Esmée – Fashion Store WordPress Theme | esme |
| Kapee – Modern Multipurpose WooCommerce Theme | kapee |
| Kids Gift Shop | kids-gift-shop |
| Kids Online Store | kids-online-store |
| Learnify – Online Courses Education WordPress Theme | learnify |
| Léonie – Nail and Beauty Salon WordPress Theme | lonie |
| Manufaktur Solutions – Industry and Factory WordPress Theme | manufaktursolutions |
| Metro Magazine | metro-magazine |
| PressMart – Modern Elementor WooCommerce WordPress Theme | presssmart |
| Restaurant Zone | restaurant-zone |
| Roisin – Flower Shop and Florist WordPress Theme | roisin |
| TechLink – Technology and IT Solutions WordPress Theme | techlink |
| Valeska – Fashion eCommerce WordPress Theme | valeska |
| Webenvo | webenvo |
| Zoya – Minimal Blog Elementor Template Kit | zoya |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Affected Software
Breeze Cache [breeze]
Researcher
Affected Software
Charity Zone [charity-zone]
Researcher
Affected Software
Restaurant Zone [restaurant-zone]
Researcher
Affected Software
Sendmachine for WordPress [sendmachine]
Researcher
Affected Software
Contact Form Extender for Divi – Submissions DB & Extra Fields [contact-form-extender-for-divi-builder]
Researcher
Affected Software
Create DB Tables [create-db-tables]
Researcher
Affected Software
Ecommerce Zone [ecommerce-zone]
Researcher
Affected Software
FunnelFormsPro [Funnelforms-pro]
Researcher
Affected Software
Researcher
Highland Software Custom Role Manager <= 1.0.0 – Authenticated (Subscriber+) Privilege Escalation
8.8
Affected Software
Highland Software Custom Role Manager [highland-software-custom-role-manager]
Researcher
Affected Software
Kids Gift Shop [kids-gift-shop]
Researcher
Affected Software
Kids Online Store [kids-online-store]
Researcher
Affected Software
Webenvo [webenvo]
Researcher
Affected Software
Researcher
Affected Software
Ashtanga – Yoga Studio WordPress Theme [ashtanga]
Researcher
Affected Software
Researcher
Affected Software
behold [behold]
Researcher
Affected Software
Researcher
Affected Software
Drag and Drop File Upload for Contact Form 7 [drag-and-drop-file-upload-for-contact-form-7]
Researcher
Affected Software
EasyMeals – Food Blog WordPress Theme [easymeals]
Researcher
Affected Software
Elementra – 100% Elementor WordPress Theme [elementra]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Learnify – Online Courses Education WordPress Theme <= 1.15.0 – Unauthenticated Local File Inclusion
8.1
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Link Library [link-library]
Researcher
Affected Software
Manufaktur Solutions – Industry and Factory WordPress Theme [manufaktursolutions]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
wpForo Forum [wpforo]
Researchers
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe [contest-gallery]
Researcher
Affected Software
Feed KuantoKusta for WooCommerce – Free [feed-kuantokusta-for-woocommerce]
Researcher
Affected Software
InPost Gallery [inpost-gallery]
Researcher
Affected Software
ListingPro Plugin [listingpro-plugin]
Researcher
Affected Software
Modula Image Gallery – Photo Grid & Video Gallery [modula-best-grid-gallery]
Researcher
Affected Software
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser]
Researcher
Affected Software
Chatbot for WordPress by Collect.chat [collectchat]
[collectchat]
Researcher
Affected Software
Contact Form to Any API [contact-form-to-any-api]
Researcher
Affected Software
Coupon Affiliates – Affiliate Plugin for WooCommerce [woo-coupon-usage]
Researcher
Affected Software
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) [google-analytics-dashboard-for-wp]
Researcher
Affected Software
HTTP Headers [http-headers]
Researcher
Affected Software
Researcher
Affected Software
Notification for Telegram [notification-for-telegram]
Researcher
Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker [quiz-master-next]
Researcher
Affected Software
Researcher
Affected Software
WP Time Slots Booking Form [wp-time-slots-booking-form]
Researcher
Affected Software
Advanced Product Fields (Product Addons) for WooCommerce [advanced-product-fields-for-woocommerce]
Researcher
Affected Software
PDF Invoices & Packing Slips for WooCommerce [woocommerce-pdf-invoices-packing-slips]
Researcher
Affected Software
Researcher
YayMail – WooCommerce Email Customizer <= 4.3.3 – Authenticated (Shop manager+) PHP Object Injection
6.6
Affected Software
YayMail – WooCommerce Email Customizer [yaymail]
Researcher
Affected Software
Breaking News WP [breaking-news-wp]
Researcher
Affected Software
MasterStudy LMS WordPress Plugin – for Online Courses and Education [masterstudy-lms-learning-management-system]
Researcher
Affected Software
Plugin: CMS für Motorrad Werkstätten [cms-fuer-motorrad-werkstaetten]
Researcher
Affected Software
WP Sessions Time Monitoring Full Automatic [activitytime]
Researcher
Affected Software
Bread & Butter: AI-Powered Lead Intelligence [bread-butter]
Researcher
Affected Software
CI HUB Connector [ci-hub-connector]
Researcher
Affected Software
E-cab Taxi Booking Manager for Woocommerce [ecab-taxi-booking-manager]
Researcher
Affected Software
Easy Social Photos Gallery – MIF [my-instagram-feed]
Researcher
Affected Software
ER Swiffy Insert [er-swiffy-insert]
Researcher
Affected Software
Gallagher Website Design [gallagher-website-design]
Researcher
Affected Software
Gutentools [gutentools]
Affected Software
Image Source Control Lite – Show Image Credits and Captions [image-source-control-isc]
ITERAS <= 1.8.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
Affected Software
ITERAS [iteras]
Researcher
Affected Software
Researcher
Affected Software
Quran Live Multilanguage [quran-live]
Researcher
Affected Software
Rescue Shortcodes [rescue-shortcodes]
Researcher
Affected Software
Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons]
Researcher
Affected Software
Simple Random Posts Shortcode [simple-random-posts-shortcode]
Researcher
Affected Software
Slider Bootstrap Carousel [slider-bootstrap-carousel]
Researcher
Affected Software
SlideShowPro SC [slideshowpro-shortcode]
Researcher
Affected Software
Social Rocket – Social Sharing Plugin [social-rocket]
Researcher
Affected Software
Switch CTA Box [switch-cta-box]
Researcher
Affected Software
Text Snippets [text-snippet]
Researcher
Affected Software
Twittee Text Tweet [twittee-text-tweet]
Researcher
Affected Software
WP Store Locator [wp-store-locator]
Researcher
Affected Software
WPMK Block [wpmk-block]
Researcher
Affected Software
Zypento Blocks [zypento-blocks]
Researcher
Affected Software
Researcher
Affected Software
Inquiry cart [inquiry-cart]
Researcher
Affected Software
Min Max Step Quantity Limits Manager for WooCommerce [product-quantity-for-woocommerce]
Researcher
Affected Software
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction [paid-member-subscriptions]
Researcher
Affected Software
Website LLMs.txt [website-llms-txt]
Researcher
Affected Software
WP Responsive Popup + Optin [wp-popup-optin]
Researcher
Affected Software
HTTP Headers [http-headers]
Researcher
Affected Software
Real Estate Pro [re-pro]
Researcher
Affected Software
Researcher
Affected Software
Booking Calendar Contact Form [booking-calendar-contact-form]
Researcher
Booking for Appointments and Events Calendar – Amelia <= 2.2 – Unauthenticated Information Exposure
5.3
Affected Software
Booking for Appointments and Events Calendar – Amelia [ameliabooking]
Researcher
Affected Software
Booking Package [booking-package]
Researcher
Affected Software
Researcher
Affected Software
CalJ Shabbat Times [calj]
Researcher
Affected Software
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy [easy-digital-downloads]
Researcher
Affected Software
Essential Addons for Elementor – Popular Elementor Templates & Widgets [essential-addons-for-elementor-lite]
Researcher
Affected Software
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) [google-analytics-dashboard-for-wp]
Researcher
Affected Software
HT Mega Addons for Elementor – Elementor Widgets & Template Builder [ht-mega-for-elementor]
Researcher
Affected Software
Jupiter X Core [jupiterx-core]
Researcher
Affected Software
Liaison Site Prober [liaison-site-prober]
Researcher
Affected Software
MasterStudy LMS Pro [masterstudy-lms-learning-management-system-pro]
Researcher
Affected Software
Researcher
Affected Software
Metro Magazine [metro-magazine]
Researcher
Affected Software
Responsive Blocks – Page Builder for Blocks & Patterns [responsive-block-editor-addons]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Salon Booking System – Free Version <= 10.30.24 – Unauthenticated Insecure Direct Object Reference
5.3
Affected Software
Salon Booking System – Free Version [salon-booking-system]
Researcher
Affected Software
Researcher
Affected Software
WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes [wp-books-gallery]
Researcher
Affected Software
WPAdverts – Classifieds Plugin [wpadverts]
Researcher
Affected Software
wpForo Forum [wpforo]
Researcher
Affected Software
Researcher
Affected Software
Buzz Comments [buzz-comments]
Researcher
Affected Software
Email Encoder – Protect Email Addresses and Phone Numbers [email-encoder-bundle]
Researcher
Affected Software
HTTP Headers [http-headers]
Researcher
Affected Software
Private WP suite [private-wp-suite]
Researcher
Affected Software
reCaptcha by WebDesignBy [webdesignby-recaptcha]
Researcher
Affected Software
Sentence To SEO (keywords, description and tags) [sentence-to-seo]
Researcher
Affected Software
Short Comment Filter [short-comment-filter]
Researcher
Affected Software
Website LLMs.txt [website-llms-txt]
Researcher
Affected Software
ACF Galerie 4 [acf-galerie-4]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
Blocksy Companion Pro [blocksy-companion-pro]
Researcher
Affected Software
Researcher
Affected Software
Call To Action Plugin [call-to-action-plugin]
Researcher
Affected Software
Download Monitor [download-monitor]
Researcher
Affected Software
DX Unanswered Comments [dx-unanswered-comments]
Researcher
Affected Software
Emailchef [emailchef]
Researcher
Affected Software
EventPrime – Events Calendar, Bookings and Tickets [eventprime-event-calendar-management]
Researcher
Affected Software
Fast & Fancy Filter – 3F [fast-fancy-filter-3f]
Researcher
Affected Software
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce [wp-marketing-automations]
Researcher
Google PageRank Display <= 1.4 – Cross-Site Request Forgery to Settings Update via Settings Page
4.3
Affected Software
Google PageRank Display [google-pagerank-display]
Researcher
Affected Software
Researcher
Affected Software
Researcher
Affected Software
KiviCare – Clinic & Patient Management System (EHR) [kivicare-clinic-management-system]
Researcher
Affected Software
mCatFilter [mcatfilter]
Researcher
Affected Software
Motors – Car Dealership & Classified Listings Plugin [motors-car-dealership-classified-listings]
Researcher
Affected Software
Ni WooCommerce Order Export [ni-woocommerce-order-export]
Researcher
Affected Software
Researcher
Affected Software
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress [computer-repair-shop]
Researcher
Affected Software
Responsive Blocks – Page Builder for Blocks & Patterns [responsive-block-editor-addons]
Researcher
Affected Software
rtMedia for WordPress, BuddyPress and bbPress [buddypress-media]
Researcher
Affected Software
Table Manager [table-manager]
Researcher
Affected Software
Taqnix [taqnix]
Researcher
Affected Software
TextP2P Texting Widget [textp2p-texting-widget]
Researcher
Affected Software
TP Restore Categories And Taxonomies [tp-restore-categories-and-taxonomies]
Researcher
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services <= 7.9.7 – Missing Authorization
4.3
Affected Software
Researcher
Affected Software
Researcher
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026) appeared first on Wordfence.