Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last week, there were 263 vulnerabilities disclosed in 214 WordPress Plugins and 30 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 78 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back. Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 32,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. New Firewall Rules Deployed Last Week The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WAF-RULE-885 – Data redacted while we work with the vendor on a patch. WAF-RULE-886 – Data redacted while we work with the vendor on a patch. Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay. Total Unpatched & Patched Vulnerabilities Last Week Patch Status Number of Vulnerabilities Patched 131 Unpatched 132 Total Vulnerabilities by CVSS Severity Last Week Severity Rating Number of Vulnerabilities Low Severity 1 Medium Severity 210 High Severity 47 Critical Severity 5 Total Vulnerabilities by CWE Type Last Week Vulnerability Type by CWE Number of Vulnerabilities Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 97 Missing Authorization 70 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 24 Cross-Site Request Forgery (CSRF) 15 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 12 Authorization Bypass Through User-Controlled Key 8 Exposure of Sensitive Information to an Unauthorized Actor 8 Incorrect Authorization 5 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 4 Server-Side Request Forgery (SSRF) 4 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 3 Unrestricted Upload of File with Dangerous Type 3 Improper Authorization 2 Improper Control of Generation of Code ('Code Injection') 2 External Control of File Name or Path 1 Files or Directories Accessible to External Parties 1 Improper Privilege Management 1 Missing Support for Integrity Check 1 Use of Insufficiently Random Values 1 Use of Less Trusted Source 1 Researchers That Contributed to WordPress Security Last Week Researcher Name Number of Vulnerabilities João Pedro S Alcântara (Kinorth) 24 Tran Nguyen Bao Khanh 20 Nabil Irawan 13 Legion Hunter 12 Athiwat Tiprasaharn (Jitlada) 11 Gilang - DJ 9 Muhammad Yudha - DJ 9 Abdulsamad Yusuf (0xVenus) 9 Itthidej Aramsri (Boeing777) 9 zakaria 8 Supakiad S. (m3ez) 7 Dmitrii Ignatyev 7 andrea bocchetti 6 Md. Moniruzzaman Prodhan (NomanProdhan) 6 Rafie Muhammad 6 Bonds 6 theviper17y 6 0x34rth 5 Powpy 5 daroo 5 afnaan 4 Drew Webber (mcdruid) 4 shark3y 4 Sopon Tangpathum (SoNaJaa) 4 Waris Damkham 4 type5afe 3 Phat RiO - BlueRock 3 dayea song 3 NumeX 3 Muhammad Nur Ibnu Hubab (Ibnu) 3 ChamlaVic 2 Abu Hurayra (HurayraIIT) 2 thinnawarth mathuros 2 Paolo Tresso 2 zaim 2 MD ISMAIL 2 Rahul Sreenivasan (Tr0j4n) 2 Sarawut Poolkhet (MisterHelloz) 2 Webbernaut 2 Skalucy 2 DityaRA 2 Ivan Cese 1 Ryan Novotny 1 Bao - BlueRock 1 0N0ise 1 Filippo Decortes 1 tmrswrr 1 Mrreee 1 Kai Aizen 1 Peerapat Samatathanyakorn 1 ifoundbug 1 Krissaphat Jankaew 1 Jack Taylor 1 Kannika Khongpan 1 Teerachai Somprasong 1 Nguyen C 1 omer yeshayahu 1 bxdman 1 Deniz Mert (dennywise) 1 Arif Shaikh 1 theviper17 1 Lucas Montes (NiRoX) 1 Muhamad Visat 1 kr0d 1 Tharadol Suksamran 1 Kishan Vyas 1 mahdi salhi (CaptinSharky01) 1 0xd4rk5id3 1 fallenofalbaz 1 SangNQ29 1 Brizzle 1 greenhats 1 Edisc1 1 Sergej Ljubojevic 1 Bhayanak Atma 1 Marcin Dudek (dudekmar) 1 Abdualrhman Muzamil 1 ZAST.AI 1 Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report. WordPress Plugins with Reported Vulnerabilities Last Week Software Name Software Slug 1180px Shortcodes 1180px-shortcodes AA Block country aa-block-country aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder ablocks Absolute Addons For Elementor absolute-addons Accordions – Responsive Accordion & FAQ Plugin for WordPress accordions-wp ACF to REST API acf-to-rest-api AD Sliding FAQ ad-sliding-faq AffiliateX – Amazon Affiliate Plugin affiliatex AH Shortcodes ah-shortcodes AI BotKit – AI Chatbot & Live Chat for WordPress (No-Code) ai-botkit-for-lead-generation AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages Appointment Booking Calendar – WP Timetics Booking Plugin timetics Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin simply-schedule-appointments AS Password Field In Default Registration Form as-password-field-in-default-registration-form Autogen Headers Menu autogen-headers-menu Automotive Listings automotive Awesome Hotel Booking awesome-hotel-booking BD Courier Order Ratio Checker bd-courier-order-ratio-checker Better Business Reviews – Trustpilot WordPress Plugin better-business-reviews BetterDocs – Knowledge Base Documentation & FAQ Solution for Elementor & Block Editor betterdocs Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder bit-form Block Slider – Responsive Image Slider, Video Slider & Post Slider block-slider Blockons – Gutenberg blocks for WordPress and WooCommerce websites blockons Blog2Social: Social Media Auto Post & Scheduler blog2social Booking Calendar booking Booking for Appointments and Events Calendar – Amelia ameliabooking Breadcrumbs for Elementor – Crumber crumber-elementor Brevo for WooCommerce woocommerce-sendinblue-newsletter-subscription BuddyPress Xprofile Custom Field Types bp-xprofile-custom-field-types Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) bulk-image-alt-text-with-yoast Bulk Page Generator – LPagery lpagery BulletProof Security bulletproof-security Campaign Monitor for WordPress forms-for-campaign-monitor CBX Bookmark & Favorite cbxwpbookmark Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer clearfy Client Testimonial Slider wp-client-testimonial Contact Form vCard Generator contact-form-vcard-generator Contact Us Simple Form contact-us-simple-form ConvertForce Popup Builder convertforce-popup-builder Cookies and Content Security Policy cookies-and-content-security-policy Cool YT Player cool-yt-player Countdown Timer – Widget Countdown widget-countdown CountDown With Image or Video Background countdown-with-background Creator LMS – The LMS for Creators, Coaches, and Trainers creatorlms Curved Text curved-text Customer Reviews for WooCommerce customer-reviews-woocommerce Dashboard Welcome for Beaver Builder dashboard-welcome-for-beaver-builder Debt.com Business in a Box debtcom-business-in-a-box Demo Importer Plus demo-importer-plus Depicter — Popup & Slider Builder depicter Docket Cache – Object Cache Accelerator docket-cache Download Manager download-manager Drag and Drop Multiple File Upload for Contact Form 7 drag-and-drop-multiple-file-upload-contact-form-7 Easy Form Builder by WhiteStudio — Drag & Drop Form Builder easy-form-builder Easy GitHub Gist Shortcodes easy-github-gist-shortcodes Easy Media Download easy-media-download EDD Download Info edd-download-info eHive Search ehive-search Email Customizer for WooCommerce | Drag and Drop Email Templates Builder email-customizer-for-woocommerce EmailKit – Email Customizer for WooCommerce & WP emailkit Entry Views entry-views Essential Addons for Elementor – Popular Elementor Templates & Widgets essential-addons-for-elementor-lite Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) wp-event-solution Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery FastDup – Fastest WordPress Migration & Duplicator fastdup Featured Image from URL (FIFU) featured-image-from-url Felan Framework felan-framework FireStorm Professional Real Estate Plugin fs-real-estate-plugin Flashcard Plugin for WordPress flashcard Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder fluentform Fluent Support – Helpdesk & Customer Support Ticket System fluent-support Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager folders Form Vibes – Database Manager for Forms form-vibes Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator ForumWP – Forum & Discussion Board forumwp Frontend Admin by DynamiApps acf-frontend-form-element FS Registration Password registration-password GA4WP – Analytics Dashboard for the Website ga-for-wp GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress gamipress GiveWP – Donation Plugin and Fundraising Platform give Guest posting / Frontend Posting / Front Editor – WP Front User Submit front-editor Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor gutenverse-form Handmade Framework handmade-framework HBLPAY Payment Gateway for WooCommerce hblpay-payment-gateway-for-woocommerce Header and Footer Scripts header-and-footer-scripts HelpDesk Contact Form helpdesk-contact-form HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside HTML5 Video Player WordPress Plugin lbg-vp2-html5-bottom Icegram Engage – Popups, Optins, CTAs & lot more… icegram ilGhera Support System for WooCommerce wc-support-system Image Slider Slideshow image-slider-slideshow Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider IMGspider – 图片采集抓取插件 imgspider IndieWeb indieweb iPaymu Payment Gateway for WooCommerce ipaymu-for-woocommerce Japanized for WooCommerce woocommerce-for-japan Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress jeg-elementor-kit JetEngine jet-engine Key Figures key-figures Latest Registered Users latest-registered-users Latest Tabs kento-latest-tabs LearnPress – WordPress LMS Plugin learnpress Lesson Plan Book lesson-plan-book Link Whisper Free link-whisper Listeo-Core - Directory Plugin by Purethemes listeo-core ListingHub listinghub Magic Responsive Slider and Carousel magic_slider Magic Responsive Slider and Carousel WordPress magic_carousel Mamurjor Employee Info mamurjor-employee-info MasterStudy LMS WordPress Plugin – for Online Courses and Education masterstudy-lms-learning-management-system MediaPress mediapress Menu Card menu-card MG AdvancedOptions mg-advancedoptions miniOrange OTP Verification and SMS Notification for WooCommerce miniorange-sms-order-notification-otp-verification Money Space money-space Moosend Landing Pages moosend-landing-pages Mstoic Shortcodes mstoic-shortcodes MTCaptcha WordPress Plugin mtcaptcha Multi-column Tag Map multi-column-tag-map My Album Gallery my-album-gallery Nearby Now Reviews nearby-now-reviews Newsletter Email Subscribe newsletter-email-subscribe NextGEN Download Gallery nextgen-download-gallery Niche Hero | Beautifully-designed blocks in seconds niche-hero Ninja Tables – Easy Data Table Builder ninja-tables nK Themes Helper nk-themes-helper NS Ie Compatibility Fixer ns-ie-compatibility-fixer Optional Email optional-email Page Expire Popup/Redirection for WordPress page-expire-popup Page Keys page-keys PhotoFade photofade Piraeus Bank WooCommerce Payment Gateway woo-payment-gateway-for-piraeus-bank Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers popup-builder-block Post and Page Builder by BoldGrid – Visual Drag and Drop Editor post-and-page-builder Post Like Dislike post-like-dislike Premmerce WooCommerce Customers Manager woo-customers-manager Proxy & VPN Blocker proxy-vpn-blocker PullQuote pullquote QR Code for WooCommerce order emails, PDF invoices, packing slips qr-code-tag-for-wc-from-goaskle-com Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker quiz-master-next Quote Comments quote-comments Rankology SEO and Analytics Tool rankology-seo-and-analytics-tool Re Gallery – Responsive Image & Photo Gallery regallery Real Estate Pro - WordPress Plugin real-estate-pro Recras recras reHub Framework rehub-framework Responsive Pricing Table dk-pricr-responsive-pricing-table Reviewify — Review Discounts & Photo/Video Reviews for WooCommerce review-for-discount RSS Feed Widget rss-feed-widget Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories post-expirator Shabat Keeper shabat-keeper ShareThis Dashboard for Google Analytics googleanalytics ShopMagic – email automation shopmagic-for-woocommerce Shortcodes and extra features for Phlox theme auxin-elements Simcast simcast Simple User Meta Editor simple-user-meta-editor SlimStat Analytics wp-slimstat Smart App Banners smart-app-banners Snillrik Restaurant snillrik-restaurant-menu Speed Kit baqend Spiffy Calendar spiffy-calendar Starred Review starred-review Sticky Action Buttons sticky-action-buttons STM Gallery 1.9 stm-gallery Stumble! for WordPress stumble-for-wordpress Stylish Order Form Builder stylish-order-form-builder Super Interactive Maps super-interactive-maps SVG Map Plugin svg-map-by-saedi Table Field Add-on for ACF and SCF advanced-custom-fields-table-field Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI simple-tags Taskbuilder – WordPress Project Management & Task Management taskbuilder teachPress teachpress Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! templately Testimonial Master testimonial-master The Events Calendar the-events-calendar The Events Calendar Countdown Addon countdown-for-the-events-calendar The Tooltip the-tooltip TheGem Theme Elements thegem-elements-elementor TheGem Theme Elements (for WPBakery) thegem-elements Tickera – Sell Tickets & Manage Events tickera-event-ticketing-system Top Position Google Finance top-position-google-finance Travel Bucket List – Wish To Go wish-to-go Tutor LMS – eLearning and online course solution tutor twinklesmtp – Email Service Provider For WordPress twinklesmtp Unify unify Uper – Back to Top Button for Elementor uper-elementor URL Image Importer url-image-importer User Activity Log user-activity-log User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin user-registration Viitor Button Shortcodes viitor-shortcodes weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot wedocs Woffice Core woffice-core WooCommerce Orders & Customers Exporter woocommerce-orders-ei WooCommerce Square woocommerce-square Woodpecker for WordPress woodpecker Workreap workreap WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem WP Enable WebP wp-enable-webp WP Google Street View (with 360° virtual tour) & Google maps + Local SEO wp-google-street-view WP Js List Pages Shortcodes wp-js-list-pages-shortcodes WP Lead Capturing Pages wp-lead-capture WP Page Permalink Extension change-wp-page-permalinks WP Photo Album Plus wp-photo-album-plus WP Popup Magic wppopupmagic WP Recipe Manager wp-recipe-manager WP Status Notifier wp-change-status-notifier WP Table Builder – Drag & Drop Table Builder wp-table-builder WP Virtual Assistant VirtualAssistant WP Widget Changer wp-widget-changer WP-Members Membership Plugin wp-members X Addons for Elementor x-addons-elementor Xagio SEO – AI Powered SEO xagio-seo xShare xshare Yoco Payments yoco-payment-gateway WordPress Themes with Reported Vulnerabilities Last Week Software Name Software Slug AeroLand - App Landing Software Website WordPress Theme aeroland Amuli | Property & Real Estate Marketplace WordPress Theme amuli Anarkali - Fashion Shop WooCommerce Elementor Theme anarkali atlas atlas Brook - Agency Business Creative WordPress Theme brook Corpkit - Business Consulting WordPress Theme corpkit Curly - A Stylish WordPress Theme for Hairdressers and Hair Salons curly DeepDigital – Web Design Agency WordPress Theme deepdigital Depot - eCommerce WordPress Theme depot Grand Restaurant WordPress grandrestaurant Hendon - Single Property WordPress Theme hendon Jobify - Job Board WordPress Theme jobify Lobo - WordPress Portfolio for Freelancers & Agencies lobo Mitech - Technology IT Solutions & Services WordPress Theme mitech Navian - Multi-Purpose Responsive WordPress Theme navian Neo Ocular - Optician and Optical Store WordPress Theme neoocular OchaHouse - Organic Tea Store WooCommerce WordPress Theme ochahouse Optimize - SEO & Social Media WordPress Theme optimizewp Oshin oshin Phlox phlox photography photography Racquet – Tennis, Badminton & Squash WordPress Theme racquet Rozy - Flower Shop WooCommerce WordPress Theme (4+ Indexes + Mobile Layouts Ready) rozy tm-moody tm-moody Travel Booking WordPress Theme traveler Typify - Newspaper & Magazine WordPress Theme typify VideoPro - Video WordPress Theme videopro WellSpring | Aqua Filters & Drinking Water Delivery WordPress Theme wellspring Woffice CRM woffice zorka zorka Vulnerability Details Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize. AS Password Field In Default Registration Form <= 2.0.0 - Unauthenticated Privilege Escalation via Account Takeover 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-14996 Patch Status Unpatched Published Jan 5, 2026 Affected Software AS Password Field In Default Registration Form Researcher Drew Webber (mcdruid) More Details > Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-14736 Patch Status Patched Published Jan 8, 2026 Affected Software Frontend Admin by DynamiApps Researcher andrea bocchetti More Details > FS Registration Password <= 1.0.1 - Unauthenticated Privilege Escalation via Account Takeover 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-15001 Patch Status Patched Published Jan 5, 2026 Affected Software FS Registration Password Researcher Drew Webber (mcdruid) More Details > Optional Email <= 1.3.11 - Unauthenticated Privilege Escalation to Account Takeover 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-15018 Patch Status Unpatched Published Jan 6, 2026 Affected Software Optional Email Researcher Drew Webber (mcdruid) More Details > Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element 9.1 CVSS Rating Critical (9.1) CVE-ID CVE-2025-14741 Patch Status Patched Published Jan 8, 2026 Affected Software Frontend Admin by DynamiApps Researcher andrea bocchetti More Details > Corpkit <= 2.0 - Authenticated (Subscriber+) Arbitrary File Upload 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-67924 Patch Status Patched Published Jan 5, 2026 Affected Software Corpkit - Business Consulting WordPress Theme Researcher Bonds More Details > WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-15158 Patch Status Unpatched Published Jan 6, 2026 Affected Software WP Enable WebP Researcher ZAST.AI More Details > Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure 8.6 CVSS Rating High (8.6) CVE-ID CVE-2025-13371 Patch Status Patched Published Jan 6, 2026 Affected Software Money Space Researcher Kannika Khongpan More Details > iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure 8.2 CVSS Rating High (8.2) CVE-ID CVE-2026-0656 Patch Status Patched Published Jan 6, 2026 Affected Software iPaymu Payment Gateway for WooCommerce Researcher Teerachai Somprasong More Details > AeroLand <= 1.6.6 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-14429 Patch Status Unpatched Published Jan 7, 2026 Affected Software AeroLand - App Landing Software Website WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Amuli <= 2.3.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-50003 Patch Status Unpatched Published Jan 8, 2026 Affected Software Amuli | Property & Real Estate Marketplace WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Anarkali <= 1.0.9 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-47474 Patch Status Unpatched Published Jan 8, 2026 Affected Software Anarkali - Fashion Shop WooCommerce Elementor Theme Researcher Tran Nguyen Bao Khanh More Details > Atlas <= 2.1.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-22509 Patch Status Unpatched Published Jan 7, 2026 Affected Software atlas Researcher Tran Nguyen Bao Khanh More Details > Brook <= 2.9.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-14430 Patch Status Unpatched Published Jan 7, 2026 Affected Software Brook - Agency Business Creative WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Curly < 3.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67936 Patch Status Patched Published Jan 6, 2026 Affected Software Curly - A Stylish WordPress Theme for Hairdressers and Hair Salons Researcher Tran Nguyen Bao Khanh More Details > Depot <= 1.16 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-54003 Patch Status Unpatched Published Jan 8, 2026 Affected Software Depot - eCommerce WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Hendon < 1.7 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67937 Patch Status Patched Published Jan 6, 2026 Affected Software Hendon - Single Property WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Mitech <= 2.3.4 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-22708 Patch Status Unpatched Published Jan 7, 2026 Affected Software Mitech - Technology IT Solutions & Services WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Moody <= 2.7.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-22707 Patch Status Unpatched Published Jan 7, 2026 Affected Software tm-moody Researcher Tran Nguyen Bao Khanh More Details > Navian <= 1.5.4 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-14431 Patch Status Unpatched Published Jan 7, 2026 Affected Software Navian - Multi-Purpose Responsive WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Neo Ocular < 1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67920 Patch Status Patched Published Jan 5, 2026 Affected Software Neo Ocular - Optician and Optical Store WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > OchaHouse <= 2.2.8 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-12550 Patch Status Unpatched Published Jan 7, 2026 Affected Software OchaHouse - Organic Tea Store WooCommerce WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Optimize < 2.4 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67935 Patch Status Patched Published Jan 6, 2026 Affected Software Optimize - SEO & Social Media WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Oshine <= 7.2.7 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-14359 Patch Status Unpatched Published Jan 7, 2026 Affected Software Oshin Researcher Rafie Muhammad More Details > Photography < 7.7.5 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-68510 Patch Status Patched Published Jan 5, 2026 Affected Software photography Researcher Rafie Muhammad More Details > Racquet <= 1.12.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-69369 Patch Status Unpatched Published Jan 7, 2026 Affected Software Racquet – Tennis, Badminton & Squash WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Rozy - Flower Shop <= 1.2.25 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-12549 Patch Status Unpatched Published Jan 7, 2026 Affected Software Rozy - Flower Shop WooCommerce WordPress Theme (4+ Indexes + Mobile Layouts Ready) Researcher Tran Nguyen Bao Khanh More Details > Typify <= 3.0.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-22712 Patch Status Unpatched Published Jan 7, 2026 Affected Software Typify - Newspaper & Magazine WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > VideoPro <= 2.3.8.1 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-58913 Patch Status Unpatched Published Jan 8, 2026 Affected Software VideoPro - Video WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Wellspring < 2.8 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67934 Patch Status Patched Published Jan 6, 2026 Affected Software WellSpring | Aqua Filters & Drinking Water Delivery WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Automotive Listings <= 18.6 - Unauthenticated SQL Injection 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67928 Patch Status Patched Published Jan 5, 2026 Affected Software Automotive Listings Researcher João Pedro S Alcântara (Kinorth) More Details > Corpkit <= 2.0 - Authenticated (Subscriber+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67925 Patch Status Patched Published Jan 5, 2026 Affected Software Corpkit - Business Consulting WordPress Theme Researcher Bonds More Details > Felan Framework <= 1.1.3 - Unauthenticated SQL Injection 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-23993 Patch Status Unpatched Published Jan 8, 2026 Affected Software Felan Framework Researcher 0xd4rk5id3 More Details > Handmade Framework <= 3.9 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2026-22521 Patch Status Unpatched Published Jan 7, 2026 Affected Software Handmade Framework Researcher João Pedro S Alcântara (Kinorth) More Details > Latest Registered Users <= 1.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via User Data Export 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-13493 Patch Status Unpatched Published Jan 6, 2026 Affected Software Latest Registered Users Researcher Legion Hunter More Details > Lead Capturing Pages <= 2.5 - Unauthenticated SQL Injection 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-49055 Patch Status Unpatched Published Jan 8, 2026 Affected Software WP Lead Capturing Pages Researcher João Pedro S Alcântara (Kinorth) More Details > Reviewify <= 1.0.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary WooCommerce Coupon Creation 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-14070 Patch Status Patched Published Jan 6, 2026 Affected Software Reviewify — Review Discounts & Photo/Video Reviews for WooCommerce Researcher Itthidej Aramsri (Boeing777) More Details > TheGem Theme Elements (for Elementor) <= 5.11.0 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-69356 Patch Status Patched Published Jan 10, 2026 Affected Software TheGem Theme Elements Researcher João Pedro S Alcântara (Kinorth) More Details > User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-11877 Patch Status Unpatched Published Jan 6, 2026 Affected Software User Activity Log Researcher shark3y More Details > WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-13457 Patch Status Patched Published Jan 9, 2026 Affected Software WooCommerce Square Researcher DityaRA More Details > Yoco Payments <= 3.9.0 - Unauthenticated Arbitrary File Read 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-13801 Patch Status Patched Published Jan 6, 2026 Affected Software Yoco Payments Researcher NumeX More Details > Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword 7.3 CVSS Rating High (7.3) CVE-ID CVE-2025-15364 Patch Status Patched Published Jan 5, 2026 Affected Software Download Manager Researcher Drew Webber (mcdruid) More Details > Brevo for WooCommerce <= 4.0.49 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-14436 Patch Status Patched Published Jan 8, 2026 Affected Software Brevo for WooCommerce Researcher shark3y More Details > BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-14997 Patch Status Patched Published Jan 5, 2026 Affected Software BuddyPress Xprofile Custom Field Types Researcher Sarawut Poolkhet (MisterHelloz) More Details > Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings' 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-14657 Patch Status Patched Published Jan 8, 2026 Affected Software Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) Researcher Sarawut Poolkhet (MisterHelloz) More Details > Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field' 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-14937 Patch Status Patched Published Jan 8, 2026 Affected Software Frontend Admin by DynamiApps Researcher Paolo Tresso More Details > JetEngine <= 3.7.7 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-67923 Patch Status Patched Published Jan 5, 2026 Affected Software JetEngine Researcher Bonds More Details > ListingHub 1.2.6 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-12551 Patch Status Unpatched Published Jan 7, 2026 Affected Software ListingHub Researcher João Pedro S Alcântara (Kinorth) More Details > SlimStat Analytics <= 5.3.3 - Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-15057 Patch Status Patched Published Jan 8, 2026 Affected Software SlimStat Analytics Researcher Supakiad S. (m3ez) More Details > SlimStat Analytics <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-15055 Patch Status Patched Published Jan 8, 2026 Affected Software SlimStat Analytics Researcher Supakiad S. (m3ez) More Details > Virtual Assistant <= 3.0 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-22725 Patch Status Unpatched Published Jan 8, 2026 Affected Software WP Virtual Assistant Researcher João Pedro S Alcântara (Kinorth) More Details > WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting 7.1 CVSS Rating High (7.1) CVE-ID CVE-2025-14835 Patch Status Patched Published Jan 6, 2026 Affected Software WP Photo Album Plus Researcher Muhammad Yudha - DJ More Details > Appointment Booking and Scheduling Calendar Plugin – WP Timetics <= 1.0.36 - Missing Authorization to Unauthenticated Booking Details View And Modification 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-5919 Patch Status Patched Published Jan 5, 2026 Affected Software Appointment Booking Calendar – WP Timetics Booking Plugin Researcher greenhats More Details > Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-11723 Patch Status Patched Published Jan 5, 2026 Affected Software Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin Researcher Lucas Montes (NiRoX) More Details > BetterDocs <= 4.3.3 - Authenticated (Contributor+) Sensitive Information Exposure 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14980 Patch Status Patched Published Jan 8, 2026 Affected Software BetterDocs – Knowledge Base Documentation & FAQ Solution for Elementor & Block Editor Researcher Dmitrii Ignatyev More Details > Bit Form – Contact Form Plugin <= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14901 Patch Status Patched Published Jan 6, 2026 Affected Software Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder Researcher andrea bocchetti More Details > CBX Bookmark & Favorite <= 2.0.4 - Authenticated (Subscriber+) SQL Injection via `orderby` Parameter 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-13652 Patch Status Patched Published Jan 5, 2026 Affected Software CBX Bookmark & Favorite Researcher Muhamad Visat More Details > DeepDigital <= 1.0.2 - Unauthenticated Arbitrary Shortcode Execution 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2026-22469 Patch Status Unpatched Published Jan 5, 2026 Affected Software DeepDigital – Web Design Agency WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > EmailKit <= 1.6.1 - Authenticated (Author+) Arbitrary File Read via Path Traversal 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14059 Patch Status Patched Published Jan 6, 2026 Affected Software EmailKit – Email Customizer for WooCommerce & WP Researcher Dmitrii Ignatyev More Details > FastDup <= 2.7 - Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2026-0604 Patch Status Patched Published Jan 5, 2026 Affected Software FastDup – Fastest WordPress Migration & Duplicator Researcher Athiwat Tiprasaharn (Jitlada) More Details > Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14867 Patch Status Unpatched Published Jan 6, 2026 Affected Software Flashcard Plugin for WordPress Researcher 0x34rth More Details > GiveWP <= 4.13.1 - Unauthenticated Arbitrary Shortcode Execution 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-66533 Patch Status Patched Published Jan 8, 2026 Affected Software GiveWP – Donation Plugin and Fundraising Platform Researcher Kishan Vyas More Details > Lobo < 2.8.6 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-67921 Patch Status Patched Published Jan 5, 2026 Affected Software Lobo - WordPress Portfolio for Freelancers & Agencies Researcher Tran Nguyen Bao Khanh More Details > Ninja Tables <= 5.2.4 - Authenticated (Contributor+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-69351 Patch Status Patched Published Jan 7, 2026 Affected Software Ninja Tables – Easy Data Table Builder Researcher daroo More Details > Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14153 Patch Status Patched Published Jan 5, 2026 Affected Software Page Expire Popup/Redirection for WordPress Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris Damkham More Details > Quiz and Survey Master (QSM) <= 10.3.1 - Authenticated (Subscriber+) SQL Injection via `is_linking` Query Parameter 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-9318 Patch Status Patched Published Jan 5, 2026 Affected Software Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker Researcher Rahul Sreenivasan (Tr0j4n) More Details > Quiz and Survey Master (QSM) <= 10.3.1 - Missing Authorization to Unpublished, Private And Password-Protected Quiz Information Disclosure And Image Response Uploads 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-9637 Patch Status Patched Published Jan 5, 2026 Affected Software Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker Researcher Rahul Sreenivasan (Tr0j4n) More Details > Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-13679 Patch Status Patched Published Jan 7, 2026 Affected Software Tutor LMS – eLearning and online course solution Researcher Supakiad S. (m3ez) More Details > WooCommerce Orders & Customers Exporter <= 5.4 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-22713 Patch Status Unpatched Published Jan 8, 2026 Affected Software WooCommerce Orders & Customers Exporter Researcher João Pedro S Alcântara (Kinorth) More Details > Workreap (theme's plugin) <= 3.3.6 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-22728 Patch Status Unpatched Published Jan 8, 2026 Affected Software Workreap Researcher Bonds More Details > WP Page Permalink Extension <= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14172 Patch Status Unpatched Published Jan 8, 2026 Affected Software WP Page Permalink Extension Researcher Legion Hunter More Details > 1180px Shortcodes <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14114 Patch Status Unpatched Published Jan 6, 2026 Affected Software 1180px Shortcodes Researcher zakaria More Details > AD Sliding FAQ <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14122 Patch Status Unpatched Published Jan 6, 2026 Affected Software AD Sliding FAQ Researcher Muhammad Yudha - DJ More Details > AH Shortcodes <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'column' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14109 Patch Status Unpatched Published Jan 6, 2026 Affected Software AH Shortcodes Researcher zakaria More Details > AI BotKit <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13887 Patch Status Patched Published Jan 6, 2026 Affected Software AI BotKit – AI Chatbot & Live Chat for WordPress (No-Code) Researcher theviper17y More Details > AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-0627 Patch Status Patched Published Jan 8, 2026 Affected Software AMP for WP – Accelerated Mobile Pages Researcher andrea bocchetti More Details > Autogen Headers Menu <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'head_class' Shortcode Parameter 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13704 Patch Status Unpatched Published Jan 8, 2026 Affected Software Autogen Headers Menu Researcher theviper17y More Details > BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-15019 Patch Status Patched Published Jan 8, 2026 Affected Software Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) Researcher Muhammad Yudha - DJ More Details > Client Testimonial Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aft_testimonial_meta_name' Metabox Field 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13897 Patch Status Unpatched Published Jan 8, 2026 Affected Software Client Testimonial Slider Researcher Muhammad Yudha - DJ More Details > ConvertForce Popup Builder <= 0.0.7 - Stored Cross-Site Scripting via entrance_animation 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14506 Patch Status Patched Published Jan 9, 2026 Affected Software ConvertForce Popup Builder Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris Damkham More Details > Cool YT Player <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13849 Patch Status Unpatched Published Jan 6, 2026 Affected Software Cool YT Player Researcher Gilang - DJ More Details > Countdown Timer - Widget Countdown <= 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14555 Patch Status Patched Published Jan 9, 2026 Affected Software Countdown Timer – Widget Countdown Researcher Muhammad Yudha - DJ More Details > Curved Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13854 Patch Status Unpatched Published Jan 8, 2026 Affected Software Curved Text Researcher Gilang - DJ More Details > Customer Reviews for WooCommerce <= 5.93.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via displayName Parameter 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14891 Patch Status Patched Published Jan 6, 2026 Affected Software Customer Reviews for WooCommerce Researcher shark3y More Details > Debt.com Business in a Box <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13852 Patch Status Unpatched Published Jan 8, 2026 Affected Software Debt.com Business in a Box Researcher theviper17y More Details > Easy GitHub Gist Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14147 Patch Status Unpatched Published Jan 6, 2026 Affected Software Easy GitHub Gist Shortcodes Researcher zakaria More Details > Easy Media Download <= 1.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69169 Patch Status Patched Published Jan 8, 2026 Affected Software Easy Media Download Researcher Krissaphat Jankaew More Details > EDD Download Info <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14121 Patch Status Unpatched Published Jan 6, 2026 Affected Software EDD Download Info Researcher Muhammad Yudha - DJ More Details > Entry Views <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13729 Patch Status Unpatched Published Jan 8, 2026 Affected Software Entry Views Researcher Muhammad Yudha - DJ More Details > Essential Addons for Elementor <= 6.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69092 Patch Status Patched Published Jan 6, 2026 Affected Software Essential Addons for Elementor – Popular Elementor Templates & Widgets Researcher Bonds More Details > ForumWP – Forum & Discussion Board <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13746 Patch Status Patched Published Jan 5, 2026 Affected Software ForumWP – Forum & Discussion Board Researcher Sergej Ljubojevic More Details > Gutenverse Form <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14984 Patch Status Patched Published Jan 7, 2026 Affected Software Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor Researcher andrea bocchetti More Details > Header and Footer Scripts <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11453 Patch Status Unpatched Published Jan 8, 2026 Affected Software Header and Footer Scripts Researcher Powpy More Details > IMGspider <= 2.3.12 - Authenticated (Contributor+) Server-Side Request Forgery 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-22482 Patch Status Unpatched Published Jan 6, 2026 Affected Software IMGspider – 图片采集抓取插件 Researcher Nabil Irawan More Details > IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14893 Patch Status Patched Published Jan 8, 2026 Affected Software IndieWeb Researcher Tharadol Suksamran More Details > Jeg Elementor Kit <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14275 Patch Status Patched Published Jan 7, 2026 Affected Software Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress Researcher Webbernaut More Details > MediaPress <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14552 Patch Status Patched Published Jan 5, 2026 Affected Software MediaPress Researcher zaim More Details > MediaPress <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-22519 Patch Status Patched Published Jan 7, 2026 Affected Software MediaPress Researcher zaim More Details > Menu Card <= 0.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13862 Patch Status Unpatched Published Jan 8, 2026 Affected Software Menu Card Researcher theviper17y More Details > Mstoic Shortcodes <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14144 Patch Status Unpatched Published Jan 6, 2026 Affected Software Mstoic Shortcodes Researcher zakaria More Details > My Album Gallery <= 1.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14796 Patch Status Unpatched Published Jan 6, 2026 Affected Software My Album Gallery Researcher Itthidej Aramsri (Boeing777) More Details > My Album Gallery <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'style_css' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14453 Patch Status Unpatched Published Jan 6, 2026 Affected Software My Album Gallery Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris Damkham More Details > Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13853 Patch Status Unpatched Published Jan 8, 2026 Affected Software Nearby Now Reviews Researcher Gilang - DJ More Details > Niche Hero | Beautifully-designed blocks in seconds <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'spacing' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14145 Patch Status Unpatched Published Jan 6, 2026 Affected Software Niche Hero | Beautifully-designed blocks in seconds Researcher zakaria More Details > nK Themes Helper <= 1.7.9 - Authenticated (Subscriber+) Server-Side Request Forgery 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-22726 Patch Status Unpatched Published Jan 8, 2026 Affected Software nK Themes Helper Researcher Bonds More Details > Phlox <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-4776 Patch Status Patched Published Jan 5, 2026 Affected Software Phlox Researcher Webbernaut More Details > PhotoFade <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13847 Patch Status Unpatched Published Jan 6, 2026 Affected Software PhotoFade Researcher Gilang - DJ More Details > PullQuote <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13903 Patch Status Unpatched Published Jan 8, 2026 Affected Software PullQuote Researcher Gilang - DJ More Details > QR Code for WooCommerce order emails, PDF invoices, packing slips <= 1.9.42 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14626 Patch Status Unpatched Published Jan 6, 2026 Affected Software QR Code for WooCommerce order emails, PDF invoices, packing slips Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris DamkhamPeerapat Samatathanyakorn More Details > Recras WordPress plugin <= 6.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'recrasname' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13497 Patch Status Patched Published Jan 6, 2026 Affected Software Recras Researcher Sopon Tangpathum (SoNaJaa) More Details > Responsive Pricing Table <= 5.1.12 - Authenticated (Author+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13418 Patch Status Patched Published Jan 6, 2026 Affected Software Responsive Pricing Table Researcher Itthidej Aramsri (Boeing777) More Details > Responsive Pricing Table <= 5.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency' 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-15058 Patch Status Patched Published Jan 6, 2026 Affected Software Responsive Pricing Table Researcher Muhammad Yudha - DJ More Details > Shortcodes and extra features for Phlox theme <= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12379 Patch Status Patched Published Jan 9, 2026 Affected Software Shortcodes and extra features for Phlox theme Researcher Abu Hurayra (HurayraIIT) More Details > Smart App Banners <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'size' and 'verticalalign' Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13841 Patch Status Unpatched Published Jan 6, 2026 Affected Software Smart App Banners Researcher Gilang - DJ More Details > Snillrik Restaurant <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'menu_style' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14112 Patch Status Unpatched Published Jan 6, 2026 Affected Software Snillrik Restaurant Researcher zakaria More Details > STM Gallery 1.9 <= 0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13848 Patch Status Unpatched Published Jan 6, 2026 Affected Software STM Gallery 1.9 Researcher Gilang - DJ More Details > Stylish Order Form Builder <= 1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'product_name' Parameter 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13531 Patch Status Unpatched Published Jan 6, 2026 Affected Software Stylish Order Form Builder Researcher Sopon Tangpathum (SoNaJaa) More Details > Table Field Add-on for ACF and SCF <= 1.3.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table Cell Content 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12067 Patch Status Patched Published Jan 5, 2026 Affected Software Table Field Add-on for ACF and SCF Researcher shark3y More Details > The Tooltip <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13908 Patch Status Unpatched Published Jan 8, 2026 Affected Software The Tooltip Researcher Gilang - DJ More Details > TheGem Theme Elements (for Elementor) <= 5.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69357 Patch Status Patched Published Jan 10, 2026 Affected Software TheGem Theme Elements Researcher João Pedro S Alcântara (Kinorth) More Details > TheGem Theme Elements (for WPBakery) <= 5.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69360 Patch Status Patched Published Jan 10, 2026 Affected Software TheGem Theme Elements (for WPBakery) Researcher João Pedro S Alcântara (Kinorth) More Details > Travel Bucket List <= 0.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14053 Patch Status Unpatched Published Jan 6, 2026 Affected Software Travel Bucket List – Wish To Go Researcher ChamlaVic More Details > URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14120 Patch Status Patched Published Jan 5, 2026 Affected Software URL Image Importer Researcher bxdman More Details > Viitor Button Shortcodes <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14113 Patch Status Unpatched Published Jan 6, 2026 Affected Software Viitor Button Shortcodes Researcher zakaria More Details > Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13967 Patch Status Unpatched Published Jan 8, 2026 Affected Software Woodpecker for WordPress Researcher Gilang - DJ More Details > WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpgsv_map' Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-0563 Patch Status Patched Published Jan 8, 2026 Affected Software WP Google Street View (with 360° virtual tour) & Google maps + Local SEO Researcher Paolo Tresso More Details > WP Js List Pages Shortcodes <= 1.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14110 Patch Status Unpatched Published Jan 6, 2026 Affected Software WP Js List Pages Shortcodes Researcher zakaria More Details > WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13900 Patch Status Unpatched Published Jan 8, 2026 Affected Software WP Popup Magic Researcher Muhammad Yudha - DJ More Details > WP Recipe Manager <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Skill Level' Input Field 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13667 Patch Status Unpatched Published Jan 6, 2026 Affected Software WP Recipe Manager Researcher ChamlaVic More Details > X Addons for Elementor <= 1.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-22518 Patch Status Unpatched Published Jan 7, 2026 Affected Software X Addons for Elementor Researcher Abu Hurayra (HurayraIIT) More Details > Xagio SEO <= 7.1.0.30 - Authenticated (Subscriber+) Server-Side Request Forgery 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14438 Patch Status Patched Published Jan 5, 2026 Affected Software Xagio SEO – AI Powered SEO Researcher Jack Taylor More Details > CountDown With Image or Video Background <= 1.5 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-27002 Patch Status Unpatched Published Jan 8, 2026 Affected Software CountDown With Image or Video Background Researcher João Pedro S Alcântara (Kinorth) More Details > Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14842 Patch Status Patched Published Jan 6, 2026 Affected Software Drag and Drop Multiple File Upload for Contact Form 7 Researcher andrea bocchetti More Details > eHive Search <= 2.5.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-67930 Patch Status Patched Published Jan 6, 2026 Affected Software eHive Search Researcher Skalucy More Details > Famous - Responsive Image And Video Grid Gallery WordPress <= 1.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-27004 Patch Status Unpatched Published Jan 8, 2026 Affected Software Famous - Responsive Image And Video Grid Gallery WordPress Plugin Researcher João Pedro S Alcântara (Kinorth) More Details > Grand Restaurant < 7.0.9 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-67922 Patch Status Patched Published Jan 5, 2026 Affected Software Grand Restaurant WordPress Researcher João Pedro S Alcântara (Kinorth) More Details > HBLPAY Payment Gateway for WooCommerce <= 5.0.0 - Reflected Cross-Site Scripting via 'cusdata' Parameter 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14875 Patch Status Unpatched Published Jan 6, 2026 Affected Software HBLPAY Payment Gateway for WooCommerce Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > HTML5 Video Player <= 5.3.5 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-27005 Patch Status Unpatched Published Jan 8, 2026 Affected Software HTML5 Video Player WordPress Plugin Researcher João Pedro S Alcântara (Kinorth) More Details > HTML5 Video Player with Playlist & Multiple Skins <= 5.3.5 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-32123 Patch Status Unpatched Published Jan 8, 2026 Affected Software HTML5 Video Player with Playlist & Multiple Skins Researcher João Pedro S Alcântara (Kinorth) More Details > Image&Video FullScreen Background <= 1.6.7 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-47666 Patch Status Unpatched Published Jan 8, 2026 Affected Software Image&Video FullScreen Background Researcher João Pedro S Alcântara (Kinorth) More Details > Jobify <= 4.3.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-67916 Patch Status Patched Published Jan 5, 2026 Affected Software Jobify - Job Board WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Lesson Plan Book <= 1.3 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13893 Patch Status Unpatched Published Jan 8, 2026 Affected Software Lesson Plan Book Researcher Abdulsamad Yusuf (0xVenus) More Details > Link Whisper Free <= 0.8.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-67927 Patch Status Patched Published Jan 5, 2026 Affected Software Link Whisper Free Researcher Ryan Novotny More Details > Listeo Core < 2.0.19 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-67932 Patch Status Patched Published Jan 6, 2026 Affected Software Listeo-Core - Directory Plugin by Purethemes Researcher João Pedro S Alcântara (Kinorth) More Details > Magic Responsive Slider and Carousel WordPress <= 1.6 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-49043 Patch Status Unpatched Published Jan 8, 2026 Affected Software Magic Responsive Slider and Carousel WordPress Researcher João Pedro S Alcântara (Kinorth) More Details > Magic Slider <= 2.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-48094 Patch Status Unpatched Published Jan 8, 2026 Affected Software Magic Responsive Slider and Carousel Researcher João Pedro S Alcântara (Kinorth) More Details > MG AdvancedOptions <= 1.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13892 Patch Status Unpatched Published Jan 8, 2026 Affected Software MG AdvancedOptions Researcher Abdulsamad Yusuf (0xVenus) More Details > Post Like Dislike <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14130 Patch Status Unpatched Published Jan 6, 2026 Affected Software Post Like Dislike Researcher Abdulsamad Yusuf (0xVenus) More Details > Premmerce WooCommerce Customers Manager <= 1.1.14 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13369 Patch Status Unpatched Published Jan 6, 2026 Affected Software Premmerce WooCommerce Customers Manager Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777) More Details > Real Estate Pro <= 2.1.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13504 Patch Status Unpatched Published Jan 7, 2026 Affected Software Real Estate Pro - WordPress Plugin Researcher João Pedro S Alcântara (Kinorth) More Details > Shabat Keeper <= 0.4.4 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13701 Patch Status Unpatched Published Jan 8, 2026 Affected Software Shabat Keeper Researcher Abdulsamad Yusuf (0xVenus) More Details > Starred Review <= 1.4.2 - Reflected Cross-Site Scripting via PHP_SELF Variable 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14118 Patch Status Unpatched Published Jan 6, 2026 Affected Software Starred Review Researcher Abdulsamad Yusuf (0xVenus) More Details > Stumble! for WordPress <= 1.1.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14128 Patch Status Unpatched Published Jan 6, 2026 Affected Software Stumble! for WordPress Researcher Abdulsamad Yusuf (0xVenus) More Details > Super Interactive Maps <= 2.3 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-49045 Patch Status Unpatched Published Jan 8, 2026 Affected Software Super Interactive Maps Researcher João Pedro S Alcântara (Kinorth) More Details > SVG Map Plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13519 Patch Status Unpatched Published Jan 6, 2026 Affected Software SVG Map Plugin Researcher dayea song More Details > Taskbuilder <= 4.0.9 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-67933 Patch Status Patched Published Jan 6, 2026 Affected Software Taskbuilder – WordPress Project Management & Task Management Researcher Skalucy More Details > Testimonial Master <= 0.2.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14127 Patch Status Unpatched Published Jan 6, 2026 Affected Software Testimonial Master Researcher Abdulsamad Yusuf (0xVenus) More Details > Top Position Google Finance <= 0.1.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13895 Patch Status Unpatched Published Jan 8, 2026 Affected Software Top Position Google Finance Researcher Abdulsamad Yusuf (0xVenus) More Details > Woffice <= 5.4.30 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-67918 Patch Status Patched Published Jan 5, 2026 Affected Software Woffice CRM Researcher Rafie Muhammad More Details > WP Widget Changer <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14131 Patch Status Unpatched Published Jan 6, 2026 Affected Software WP Widget Changer Researcher Abdulsamad Yusuf (0xVenus) More Details > aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-12449 Patch Status Unpatched Published Jan 6, 2026 Affected Software aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder Researcher mahdi salhi (CaptinSharky01) More Details > LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-14802 Patch Status Patched Published Jan 6, 2026 Affected Software LearnPress – WordPress LMS Plugin Researcher Deniz Mert (dennywise) More Details > MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-13766 Patch Status Patched Published Jan 5, 2026 Affected Software MasterStudy LMS WordPress Plugin – for Online Courses and Education Researcher thinnawarth mathuros More Details > Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.3 - Missing Authorization to Authenticated (Contributor+) Workflow Manipulation 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-14718 Patch Status Patched Published Jan 8, 2026 Affected Software Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Researcher Athiwat Tiprasaharn (Jitlada) More Details > User Registration & Membership <= 4.4.8 - Cross-Site Request Forgery to Arbitrary Post Deletion 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-14976 Patch Status Patched Published Jan 9, 2026 Affected Software User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin Researcher theviper17y More Details > AA Block country <= 1.0.1 - Unauthenticated IP Address Spoofing via X-Forwarded-For Header 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13694 Patch Status Unpatched Published Jan 6, 2026 Affected Software AA Block country Researcher Ivan Cese More Details > Attractive Donations System - Easy Stripe & Paypal donations <= 1.25 - Missing Authorization to Unauthenticated Arbitrary Content Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-22715 Patch Status Unpatched Published Jan 8, 2026 Affected Software WP Attractive Donations System - Easy Stripe & Paypal donations Researcher João Pedro S Alcântara (Kinorth) More Details > Awesome Hotel Booking <= 1.0.3 - Incorrect Authorization to Unauthenticated Arbitrary Booking Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14352 Patch Status Patched Published Jan 6, 2026 Affected Software Awesome Hotel Booking Researcher Itthidej Aramsri (Boeing777) More Details > Blockons <= 1.2.15 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14360 Patch Status Unpatched Published Jan 8, 2026 Affected Software Blockons – Gutenberg blocks for WordPress and WooCommerce websites Researcher MD ISMAIL More Details > Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14146 Patch Status Patched Published Jan 8, 2026 Affected Software Booking Calendar Researcher Filippo Decortes More Details > Booking for Appointments and Events Calendar – Amelia <= 1.2.38 - Missing Authorization to Unauthenticated Multiple AJAX Actions 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14720 Patch Status Patched Published Jan 8, 2026 Affected Software Booking for Appointments and Events Calendar – Amelia Researcher type5afe More Details > BulletProof Security <= 6.9 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67931 Patch Status Patched Published Jan 6, 2026 Affected Software BulletProof Security Researcher Nabil Irawan More Details > Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13717 Patch Status Unpatched Published Jan 8, 2026 Affected Software Contact Form vCard Generator Researcher Sopon Tangpathum (SoNaJaa) More Details > Cookies and Content Security Policy <= 2.34 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-63019 Patch Status Unpatched Published Jan 5, 2026 Affected Software Cookies and Content Security Policy Researcher MD ISMAIL More Details > Creator LMS <= 1.1.12 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-69359 Patch Status Patched Published Jan 10, 2026 Affected Software Creator LMS – The LMS for Creators, Coaches, and Trainers Researcher NumeX More Details > Dashboard Welcome for Beaver Builder <= 1.0.8 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-22488 Patch Status Unpatched Published Jan 7, 2026 Affected Software Dashboard Welcome for Beaver Builder Researcher Nabil Irawan More Details > Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-11370 Patch Status Patched Published Jan 5, 2026 Affected Software Depicter — Popup & Slider Builder Researcher Brizzle More Details > Depicter Slider <= 4.0.4 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68558 Patch Status Patched Published Jan 5, 2026 Affected Software Depicter — Popup & Slider Builder Researcher Edisc1 More Details > Fluent Forms <= 6.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Creation via AI Builder 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13722 Patch Status Patched Published Jan 6, 2026 Affected Software Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder Researcher Marcin Dudek (dudekmar) More Details > Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14782 Patch Status Patched Published Jan 8, 2026 Affected Software Forminator Forms – Contact Form, Payment Form & Custom Form Builder Researcher type5afe More Details > Guest posting / Frontend Posting / Front Editor – WP Front User Submit <= 5.0.0 - Missing Authorization to Unauthenticated Media Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13419 Patch Status Patched Published Jan 6, 2026 Affected Software Guest posting / Frontend Posting / Front Editor – WP Front User Submit Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Icegram <= 3.1.35 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68507 Patch Status Patched Published Jan 5, 2026 Affected Software Icegram Engage – Popups, Optins, CTAs & lot more… Researcher Legion Hunter More Details > ilGhera Support System for WooCommerce <= 1.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14034 Patch Status Patched Published Jan 5, 2026 Affected Software ilGhera Support System for WooCommerce Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Japanized for WooCommerce <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14886 Patch Status Patched Published Jan 8, 2026 Affected Software Japanized for WooCommerce Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > LearnPress – WordPress LMS Plugin <= 4.3.2 - Missing Authentication to Unauthenticated Course Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13964 Patch Status Patched Published Jan 5, 2026 Affected Software LearnPress – WordPress LMS Plugin Researcher Supakiad S. (m3ez) More Details > miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14948 Patch Status Patched Published Jan 9, 2026 Affected Software miniOrange OTP Verification and SMS Notification for WooCommerce Researcher Abdualrhman Muzamil More Details > Moosend Landing Pages <= 1.1.6 - Missing Authorization to Authenticated (Subscriber+) Option Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13496 Patch Status Unpatched Published Jan 6, 2026 Affected Software Moosend Landing Pages Researcher Legion Hunter More Details > NextGEN Download Gallery <= 1.6.2 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-0675 Patch Status Unpatched Published Jan 8, 2026 Affected Software NextGEN Download Gallery Researcher Nabil Irawan More Details > Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14460 Patch Status Unpatched Published Jan 6, 2026 Affected Software Piraeus Bank WooCommerce Payment Gateway Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14441 Patch Status Patched Published Jan 5, 2026 Affected Software Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Researcher Athiwat Tiprasaharn (Jitlada) More Details > Quote Comments <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14370 Patch Status Unpatched Published Jan 6, 2026 Affected Software Quote Comments Researcher Legion Hunter More Details > Re Gallery – Responsive Photo Gallery <= 1.17.19 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-22486 Patch Status Unpatched Published Jan 7, 2026 Affected Software Re Gallery – Responsive Image & Photo Gallery Researcher Athiwat Tiprasaharn (Jitlada) More Details > REHub Framework <= 19.9.5 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14358 Patch Status Unpatched Published Jan 7, 2026 Affected Software reHub Framework Researcher Rafie Muhammad More Details > ShopMagic <= 4.7.2 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-69093 Patch Status Patched Published Jan 7, 2026 Affected Software ShopMagic – email automation Researcher Arif Shaikh More Details > Shortcodes and extra features for Phlox theme <= 2.17.13 - Unauthenticated Draft Posts Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13215 Patch Status Patched Published Jan 5, 2026 Affected Software Shortcodes and extra features for Phlox theme Researcher Nguyen C More Details > Templately <= 3.4.8 - Unauthenticated Limited Arbitrary JSON File Write 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-0831 Patch Status Patched Published Jan 9, 2026 Affected Software Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! Researcher type5afe More Details > Timetics <= 1.0.46 - Incorrect Authorization to Authenticated (Timetics Customer+) User Creation 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67915 Patch Status Patched Published Jan 5, 2026 Affected Software Appointment Booking Calendar – WP Timetics Booking Plugin Researcher daroo More Details > Traveler <= 3.2.6 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67917 Patch Status Patched Published Jan 5, 2026 Affected Software Travel Booking WordPress Theme Researcher Rafie Muhammad More Details > Unify <= 3.4.9 - Missing Authorization to Unauthenticated Option Deletion via 'unify_plugin_downgrade' Parameter 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13529 Patch Status Unpatched Published Jan 6, 2026 Affected Software Unify Researcher Legion Hunter More Details > weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.1.15 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14574 Patch Status Patched Published Jan 8, 2026 Affected Software weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot Researcher DityaRA More Details > Woffice Core <= 5.4.30 - Unauthenticated Insecure Direct Object Reference 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67919 Patch Status Patched Published Jan 5, 2026 Affected Software Woffice Core Researcher Rafie Muhammad More Details > WP-Members Membership Plugin <= 3.5.4.4 - Unauthenticated Information Exposure via Unprotected Files 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12648 Patch Status Patched Published Jan 6, 2026 Affected Software WP-Members Membership Plugin Researcher thinnawarth mathuros More Details > Zorka <= 1.5.7 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-0676 Patch Status Unpatched Published Jan 8, 2026 Affected Software zorka Researcher João Pedro S Alcântara (Kinorth) More Details > FireStorm Professional Real Estate <= 2.7.11 - Authenticated (Administrator+) SQL Injection 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2026-22470 Patch Status Unpatched Published Jan 6, 2026 Affected Software FireStorm Professional Real Estate Plugin Researcher Mrreee More Details > Form Vibes – Database Manager for Forms <= 1.4.13 - Authenticated (Admin+) SQL Injection 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-13409 Patch Status Patched Published Jan 5, 2026 Affected Software Form Vibes – Database Manager for Forms Researcher tmrswrr More Details > ShareThis Dashboard for Google Analytics <= 3.2.4 - Unauthenticated Google Analytics Data Exposure 4.7 CVSS Rating Medium (4.7) CVE-ID CVE-2025-12540 Patch Status Unpatched Published Jan 6, 2026 Affected Software ShareThis Dashboard for Google Analytics Researcher ifoundbug More Details > Accordion <= 3.0.3 - Authenticated (Editor+) Stored Cross-Site Scripting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-69350 Patch Status Patched Published Jan 7, 2026 Affected Software Accordions – Responsive Accordion & FAQ Plugin for WordPress Researcher NumeX More Details > Contact Us Simple Form <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14028 Patch Status Unpatched Published Jan 6, 2026 Affected Software Contact Us Simple Form Researcher 0x34rth More Details > Email Customizer for WooCommerce | Drag and Drop Email Templates Builder <= 2.6.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-13974 Patch Status Unpatched Published Jan 6, 2026 Affected Software Email Customizer for WooCommerce | Drag and Drop Email Templates Builder Researcher fallenofalbaz More Details > Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14792 Patch Status Unpatched Published Jan 6, 2026 Affected Software Key Figures Researcher afnaan More Details > Multi-column Tag Map <= 17.0.39 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'mctm_css_conditional' Parameter 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14057 Patch Status Unpatched Published Jan 6, 2026 Affected Software Multi-column Tag Map Researcher Bhayanak Atma More Details > Page Keys <= 1.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'page_key' Parameter 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-15000 Patch Status Patched Published Jan 6, 2026 Affected Software Page Keys Researcher 0x34rth More Details > Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14888 Patch Status Unpatched Published Jan 6, 2026 Affected Software Simple User Meta Editor Researcher 0x34rth More Details > twinklesmtp – Email Service Provider For WordPress <= 1.03 - Authenticated (Administrator+) Stored Cross-Site Scripting via Sender Settings 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14887 Patch Status Unpatched Published Jan 6, 2026 Affected Software twinklesmtp – Email Service Provider For WordPress Researcher 0x34rth More Details > Absolute Addons For Elementor <= 1.0.14 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22468 Patch Status Unpatched Published Jan 5, 2026 Affected Software Absolute Addons For Elementor Researcher Legion Hunter More Details > ACF to REST API <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12030 Patch Status Unpatched Published Jan 6, 2026 Affected Software ACF to REST API Researcher Kai Aizen More Details > AffiliateX <= 1.3.9.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69346 Patch Status Patched Published Jan 6, 2026 Affected Software AffiliateX – Amazon Affiliate Plugin Researcher Legion Hunter More Details > AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment Submission 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14468 Patch Status Patched Published Jan 6, 2026 Affected Software AMP for WP – Accelerated Mobile Pages Researcher 0N0ise More Details > BD Courier Order Ratio Checker <= 2.0.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22481 Patch Status Unpatched Published Jan 6, 2026 Affected Software BD Courier Order Ratio Checker Researcher Nabil Irawan More Details > Better Business Reviews <= 0.1.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69354 Patch Status Patched Published Jan 9, 2026 Affected Software Better Business Reviews – Trustpilot WordPress Plugin Researcher Nabil Irawan More Details > Block Slider <= 2.2.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22522 Patch Status Unpatched Published Jan 7, 2026 Affected Software Block Slider – Responsive Image Slider, Video Slider & Post Slider Researcher theviper17 More Details > Blog2Social: Social Media Auto Post & Scheduler <= 8.7.2 - Incorrect Authorization to Authenticated (Subscriber+) Sensitive Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14943 Patch Status Patched Published Jan 9, 2026 Affected Software Blog2Social: Social Media Auto Post & Scheduler Researcher theviper17y More Details > Bulk Landing Page Creator for WordPress LPagery <= 2.4.9 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22490 Patch Status Patched Published Jan 7, 2026 Affected Software Bulk Page Generator – LPagery Researcher Nabil Irawan More Details > Campaign Monitor for WordPress <= 2.9.0 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-0674 Patch Status Unpatched Published Jan 8, 2026 Affected Software Campaign Monitor for WordPress Researcher Nabil Irawan More Details > Clearfy <= 2.4.0 - Cross-Site Request Forgery to Update Notification Tampering 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13749 Patch Status Patched Published Jan 8, 2026 Affected Software Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer Researcher Dmitrii Ignatyev More Details > Crumber <= 1.0.10 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66143 Patch Status Unpatched Published Jan 10, 2026 Affected Software Breadcrumbs for Elementor – Crumber Researcher Phat RiO - BlueRock More Details > Demo Importer Plus <= 2.0.8 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69091 Patch Status Patched Published Jan 5, 2026 Affected Software Demo Importer Plus Researcher Athiwat Tiprasaharn (Jitlada) More Details > Docket Cache <= 24.07.04 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22492 Patch Status Patched Published Jan 7, 2026 Affected Software Docket Cache – Object Cache Accelerator Researcher Legion Hunter More Details > Easy Form Builder <= 3.9.6 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22472 Patch Status Unpatched Published Jan 6, 2026 Affected Software Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Researcher Athiwat Tiprasaharn (Jitlada) More Details > Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url' 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13393 Patch Status Patched Published Jan 9, 2026 Affected Software Featured Image from URL (FIFU) Researcher Dmitrii Ignatyev More Details > Fluent Support <= 1.10.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67926 Patch Status Patched Published Jan 5, 2026 Affected Software Fluent Support – Helpdesk & Customer Support Ticket System Researcher daroo More Details > Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager <= 3.1.5 - Missing Authorization to Authenticated (Author+) Media Replacement 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12640 Patch Status Patched Published Jan 7, 2026 Affected Software Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > GA4WP: Google Analytics for WordPress <= 2.10.0 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22517 Patch Status Unpatched Published Jan 7, 2026 Affected Software GA4WP – Analytics Dashboard for the Website Researcher Legion Hunter More Details > GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.6.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13812 Patch Status Patched Published Jan 5, 2026 Affected Software GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress Researcher kr0d More Details > HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_query_args 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13657 Patch Status Unpatched Published Jan 6, 2026 Affected Software HelpDesk Contact Form Researcher Sopon Tangpathum (SoNaJaa) More Details > Image Slider Slideshow <= 1.8 - Authenticated (Contributor+) Insecure Direct Object Reference 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22489 Patch Status Unpatched Published Jan 7, 2026 Affected Software Image Slider Slideshow Researcher Nabil Irawan More Details > Latest Tabs <= 1.5 - Cross-Site Request Forgery to Plugin's Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14999 Patch Status Unpatched Published Jan 6, 2026 Affected Software Latest Tabs Researcher omer yeshayahu More Details > Mamurjor Employee Info <= 1.0.0 - Cross-Site Request Forgery to Arbitrary Employee and Related Data Manipulation 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13990 Patch Status Unpatched Published Jan 6, 2026 Affected Software Mamurjor Employee Info Researcher dayea song More Details > MTCaptcha WordPress Plugin <= 2.7.2 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13520 Patch Status Unpatched Published Jan 6, 2026 Affected Software MTCaptcha WordPress Plugin Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Newsletter Email Subscribe <= 2.4 - Cross-Site Request Forgery to Plugin Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14904 Patch Status Unpatched Published Jan 6, 2026 Affected Software Newsletter Email Subscribe Researcher afnaan More Details > NS IE Compatibility Fixer <= 2.1.5 - Cross-Site Request Forgery to Plugin Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14845 Patch Status Unpatched Published Jan 6, 2026 Affected Software NS Ie Compatibility Fixer Researcher afnaan More Details > Post and Page Builder by BoldGrid <= 1.27.9 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69345 Patch Status Patched Published Jan 5, 2026 Affected Software Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Researcher daroo More Details > Post Expirator <= 4.9.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69361 Patch Status Patched Published Jan 11, 2026 Affected Software Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Researcher Bao - BlueRock More Details > Proxy & VPN Blocker <= 3.5.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69353 Patch Status Patched Published Jan 9, 2026 Affected Software Proxy & VPN Blocker Researcher Legion Hunter More Details > Quiz And Survey Master <= 10.3.1 - Missing Authorization to Authenticated (Subscriber+) Quiz Results Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-9294 Patch Status Patched Published Jan 5, 2026 Affected Software Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker Researcher Dmitrii Ignatyev More Details > RSS Feed Widget <= 3.0.2 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69349 Patch Status Patched Published Jan 7, 2026 Affected Software RSS Feed Widget Researcher Nabil Irawan More Details > Simcast <= 1.0.0 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14077 Patch Status Unpatched Published Jan 6, 2026 Affected Software Simcast Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Speed Kit <= 2.0.2 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22487 Patch Status Unpatched Published Jan 7, 2026 Affected Software Speed Kit Researcher Nabil Irawan More Details > Spiffy Calendar <= 5.0.7 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68523 Patch Status Patched Published Jan 5, 2026 Affected Software Spiffy Calendar Researcher daroo More Details > Sticky Action Buttons <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14465 Patch Status Unpatched Published Jan 6, 2026 Affected Software Sticky Action Buttons Researcher afnaan More Details > TaxoPress <= 3.41.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Tag Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14371 Patch Status Patched Published Jan 5, 2026 Affected Software Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI Researcher Dmitrii Ignatyev More Details > teachPress <= 9.0.12 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-22483 Patch Status Unpatched Published Jan 6, 2026 Affected Software teachPress Researcher Nabil Irawan More Details > The Events Calendar <= 6.15.12.2 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69352 Patch Status Patched Published Jan 9, 2026 Affected Software The Events Calendar Researcher Phat RiO - BlueRock More Details > The Events Calendar Countdown Addon <= 1.4.15 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69348 Patch Status Patched Published Jan 6, 2026 Affected Software The Events Calendar Countdown Addon Researcher Legion Hunter More Details > Tickera <= 3.5.6.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69355 Patch Status Patched Published Jan 9, 2026 Affected Software Tickera – Sell Tickets & Manage Events Researcher Nabil Irawan More Details > Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13628 Patch Status Patched Published Jan 8, 2026 Affected Software Tutor LMS – eLearning and online course solution Researcher Supakiad S. (m3ez) More Details > Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13935 Patch Status Patched Published Jan 8, 2026 Affected Software Tutor LMS – eLearning and online course solution Researcher Supakiad S. (m3ez) More Details > Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13934 Patch Status Patched Published Jan 8, 2026 Affected Software Tutor LMS – eLearning and online course solution Researcher Supakiad S. (m3ez) More Details > Uper for Elementor <= 1.0.5 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66140 Patch Status Unpatched Published Jan 10, 2026 Affected Software Uper – Back to Top Button for Elementor Researcher Phat RiO - BlueRock More Details > WP Status Notifier <= 1.0 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13521 Patch Status Unpatched Published Jan 6, 2026 Affected Software WP Status Notifier Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > WP Table Builder <= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13753 Patch Status Patched Published Jan 8, 2026 Affected Software WP Table Builder – Drag & Drop Table Builder Researcher Dmitrii Ignatyev More Details > xShare <= 1.0.1 - Cross-Site Request Forgery to 'rs_plugin_reset' Parameter 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13527 Patch Status Unpatched Published Jan 6, 2026 Affected Software xShare Researcher dayea song More Details > Rankology SEO and Analytics Tool <= 2.0 - Incorrect Authorization to Authenticated (Editor+) Header & Footer Code Creation 2.7 CVSS Rating Low (2.7) CVE-ID CVE-2025-12958 Patch Status Unpatched Published Jan 6, 2026 Affected Software Rankology SEO and Analytics Tool Researcher SangNQ29 More Details > As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 5, 2026 to January 11, 2026) appeared first on Wordfence.