Critical RCE Vulnerability in WordPress Plugin "Event Tickets with Ticket Scanner"
Author: Chloe Chamberland
⚠️ CVE references:
Summary
A critical security vulnerability in the WordPress plugin "Event Tickets with Ticket Scanner" allows attackers to execute arbitrary code. All versions up to and including 2.7.10 are affected. A patch is not yet available.
Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
Last week, there were 170 vulnerabilities disclosed in 123 WordPress Plugins and 37 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can use that data to implement layered security, aligning with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use both personally and commercially, and why we are running this weekly vulnerability report. As Wordfence is the world's leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 32,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
LA-Studio Element Kit for Elementor <= 1.5.6.3 – Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter
Modular Connector (Modular DS) <= 2.5.1 – Missing Authentication to Privilege Escalation
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 – Unauthenticated Privilege Escalation via Account Takeover
WAF-RULE-890 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities
Patched | 62
Unpatched | 108
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities
Low Severity | 2
Medium Severity | 108
High Severity | 46
Critical Severity | 14
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 50
Missing Authorization | 37
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 17
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 10
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 9
Unrestricted Upload of File with Dangerous Type | 9
Deserialization of Untrusted Data | 7
Cross-Site Request Forgery (CSRF) | 6
Exposure of Sensitive Information to an Unauthorized Actor | 5
Improper Privilege Management | 3
Server-Side Request Forgery (SSRF) | 3
Authentication Bypass Using an Alternate Path or Channel | 2
Authorization Bypass Through User-Controlled Key | 2
Incorrect Authorization | 2
Client-Side Enforcement of Server-Side Security | 1
Improper Control of Generation of Code ('Code Injection') | 1
Improper Input Validation | 1
Improper Restriction of XML External Entity Reference | 1
Incorrect Privilege Assignment | 1
Insufficient Verification of Data Authenticity | 1
Missing Authentication for Critical Function | 1
Relative Path Traversal | 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities
Tran Nguyen Bao Khanh | 36
0x34rth | 11
João Pedro S Alcântara (Kinorth) | 9
Md. Moniruzzaman Prodhan (NomanProdhan) | 8
Athiwat Tiprasaharn (Jitlada) | 6
Legion Hunter | 5
shark3y | 5
Skalucy | 5
Itthidej Aramsri (Boeing777) | 4
0xd4rk5id3 | 4
Denver Jackson | 4
Muhammad Yudha - DJ | 3
dayea song | 3
Teerachai Somprasong | 3
Os | 3
Rafie Muhammad | 3
Phap Nguyen Anh | 3
daroo | 2
andrea bocchetti | 2
mikemyers | 2
Kazuma Matsumoto | 2
zer0gh0st | 2
Deadbee | 2
Peerapat Samatathanyakorn | 2
Abdulsamad Yusuf (0xVenus) | 2
Drew Webber (mcdruid) | 2
ChamlaVic | 2
Ivan Cese | 2
afnaan | 2
Khaled Alenazi (Nxploited) | 1
shrikant bhosale | 1
Ahmed Rayen Ayari | 1
omer yeshayahu | 1
Bao - BlueRock | 1
y0shicat | 1
Muhammad Nur Ibnu Hubab (Ibnu) | 1
Jonas Benjamin Friedli | 1
Teemu Saarentaus | 1
kr0d | 1
theviper17y | 1
Jochem Boender | 1
Powpy | 1
Waris Damkham | 1
Varakorn Chanthasri (iCreaM) | 1
Sopon Tangpathum (SoNaJaa) | 1
NAWardRox | 1
Nguyen Truong (Roll) | 1
Sarawut Poolkhet (MisterHelloz) | 1
vpetr | 1
Supakiad S. (m3ez) | 1
guardimo | 1
NumeX | 1
Dave Jong | 1
Bonds | 1
Benachi | 1
Benachi | 1
bosz | 1
jsonc | 1
Ryan Novotny | 1
Jarno Vos (jarnovos) | 1
Abu Hurayra (HurayraIIT) | 1
Dmitrii Ignatyev | 1
Peter Thaleikis | 1
theviper17 | 1
LionTree | 1
zaim | 1
NosleeP++ | 1
ZAST.AI | 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name (Software Slug)
Accordion Slider PRO (accordion_slider_pro)
Advanced Ads – Ad Manager & AdSense (advanced-ads)
AffiliateX – Amazon Affiliate Plugin (affiliatex)
AJS Footnotes (ajs-footnotes)
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic (all-in-one-seo-pack)
All-in-One Video Gallery (all-in-one-video-gallery)
Antideo Email Validator (antideo-email-validator)
Aplazo Payment Gateway (aplazo-payment-gateway)
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (simply-schedule-appointments)
Awesome Support – WordPress HelpDesk & Support Plugin (awesome-support)
bidorbuy Store Integrator (bidorbuystoreintegrator)
Booking Calendar (booking)
Breeze Cache (breeze)
Church Admin (church-admin)
CleverReach® WP (cleverreach-wp)
CM E-Mail Blacklist – Simple email filtering for safer registration (cm-email-blacklist)
Community Events (community-events)
Cost Calculator Builder (cost-calculator-builder)
CP Image Store with Slideshow (cp-image-store)
Crush.pics Image Optimizer – Image Compression and Optimization (crush-pics)
CubeWP Framework (cubewp-framework)
DASHBOARD BUILDER – WordPress plugin for Charts and Graphs (dashboard-builder)
Demo Importer Plus (demo-importer-plus)
DK PDF – WordPress PDF Generator (dk-pdf)
Dooodl (dooodl)
Drag and Drop Multiple File Upload for Contact Form 7 (drag-and-drop-multiple-file-upload-contact-form-7)
DZS Video Gallery (dzs-videogallery)
Electric Studio Download Counter (electric-studio-download-counter)
Eli's WordCents adSense Widget with Analytics (wordcents)
Essential Addons for Elementor – Popular Elementor Templates & Widgets (essential-addons-for-elementor-lite)
Event Espresso – Event Registration & Ticketing Sales (event-espresso-decaf)
Event Tickets with Ticket Scanner (event-tickets-with-ticket-scanner)
EventPrime – Events Calendar, Bookings and Tickets (eventprime-event-calendar-management)
Filr – Secure document library (filr-protection)
Float Payment Gateway (float-gateway)
g-FFL Checkout (g-ffl-checkout)
GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation (geeky-bot)
GetContentFromURL (getcontentfromurl)
GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools (getgenie)
Gotham Block Extra Light (gotham-block-extra-light)
HDForms | Contact Form Builder (hdforms)
Hide My WP - Amazing Security Plugin for WordPress! (hide_my_wp)
Infility Global (infility-global)
Integrate Dynamics 365 CRM (integrate-dynamics-365-crm)
Integration Opvius AI for WooCommerce (woosa-ai-for-woocommerce)
Internal Link Builder (internal-link-builder)
JNews - Frontend Submit (jnews-frontend-submit)
JNews - Pay Writer (jnews-pay-writer)
JNews - Video (jnews-video)
Jupiter X Core (jupiterx-core)
Kunze Law (kunze-law)
LEAV Last Email Address Validator (last-email-address-validator)
LinkedIn SC (linkedin-sc)
List Site Contributors (list-site-contributors)
LottieFiles – Lottie block for Gutenberg (lottiefiles)
Makesweat (makesweat)
Membership Plugin – Restrict Content (restrict-content)
Modular DS: Monitor, update, and backup multiple websites (modular-connector)
Name Directory (name-directory)
Netcash WooCommerce Payment Gateway (netcash-pay-now-payment-gateway-for-woocommerce)
News and Blog Designer Bundle (news-and-blog-designer-bundle)
Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto (codistoconnect)
onepay Payment Gateway For WooCommerce (onepay-payment-gateway-for-woocommerce)
PAYGENT for WooCommerce (woocommerce-for-paygent-payment-main)
PayHere Payment Gateway Plugin for WooCommerce (payhere-payment-gateway)
Payment Button for PayPal (wp-paypal)
PDF Resume Parser (pdf-resume-parser)
Peach Payments Gateway (wc-peach-payments-gateway)
Perfit WooCommerce (perfit-woocommerce)
Phrase TMS Integration for WordPress (memsource-connector)
Quick Contact Form (quick-contact-form)
Quote Master (quote-master)
Real Post Slider Lite (real-post-slider-lite)
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit (woo-rede)
Registration & Login with Mobile Phone Number for WooCommerce (registration-login-with-mobile-phone-number)
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (custom-registration-form-builder-with-submission-manager)
Related Posts by Taxonomy (related-posts-by-taxonomy)
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress (computer-repair-shop)
Reservation Plugin (dt-reservation-plugin)
Responsive Accordion Slider (responsive-accordion-slider)
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates (responsive-addons-for-elementor)
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging (wp-rss-aggregator)
SearchWiz (searchwiz)
Shield: Blocks Bots, Protects Users, and Prevents Security Breaches (wp-simple-firewall)
Shipping Rate By Cities (shipping-rate-by-cities)
Shipping Rates by City for WooCommerce (flat-shipping-rate-by-city-for-woocommerce)
Short Link (short-link)
Shown Connector (shown-connector)
SocialChamp with WordPress (auto-post-to-social-media-wp-to-social-champ)
Sosh Share Buttons (sosh-share-buttons)
SpiceForms Form Builder (spiceforms-form-builder)
Spin Wheel – Interactive spinning wheel that offers coupons (spin-wheel)
Stopwords for comments (stopwords-for-comments)
Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder (supreme-modules-for-divi)
Synergy Project Manager (synergy-project-manager)
Syntax Highlighter Compress (syntax-highlighter-compress)
Team Section Block – Showcase Team Members with Layout Options (team-section)
Testimonials Creator (testimonials-creator)
Thim Blocks (thim-blocks)
Tickera – Sell Tickets & Manage Events (tickera-event-ticketing-system)
Tutor LMS Pro (tutor-pro)
UiChemy — Figma Converter for Elementor, Gutenberg and Bricks (uichemy)
User Registration Using Contact Form 7 (user-registration-using-contact-form-7)
User Submitted Posts – Enable Users to Submit Posts from the Front End (user-submitted-posts)
Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments (wallet-system-for-woocommerce)
WDV One Page Docs – Documentation Plugin for WordPress (wdv-one-page-docs)
WMF Mobile Redirector (wmf-mobile-redirector)
Woocommerce Book Price (woo-book-price)
WooCommerce Frontend Manager – Ultimate (wc-frontend-manager-ultimate)
Workreap Core (workreap_core)
WP Allowed Hosts (wp-allow-hosts)
WP Duplicate Page (wp-duplicate-page)
WP Hotel Booking (wp-hotel-booking)
WP Lead Capturing Pages (wp-lead-capture)
WP Mail (wp-mail)
WP Simple Redirect (wp-simple-redirect)
WP Test Email (wp-test-email)
WP-CRM System – Manage Clients and Projects (wp-crm-system)
WP-Members Membership Plugin (wp-members)
WPBlogSyn (wpblogsync)
WPLMS Plugin (wplms_plugin)
xPromoter (top_bar_promoter)
YouTube Feed Pro (youtube-feed-pro)
WordPress Themes with Reported Vulnerabilities Last Week
Software Name (Software Slug)
Anon - Multipurpose Elementor WooCommerce Themes (anon2x)
Anona - Pest Control WordPress Theme (anona)
Auto Repair (auto-repair)
AutoParts - Car Parts Store WordPress Theme (autoparts)
bajaar (bajaar)
Barberry - Modern WooCommerce Theme (barberry)
Biagiotti (biagiotti)
Blogistic (blogistic)
Blogzee (blogzee)
Brookside (brookside)
Consult Aid: Business Consulting And Finance PSD (consultaid)
Dreamer Blog (dreamer-blog)
Drone Media | Aerial Photography & Videography Theme (drone)
electron (electron)
Energia - Renewable Energy WordPress Theme (energia)
Hostme v2 - Responsive WordPress Theme (hostmev2)
Kalium 3 | Creative WordPress & WooCommerce Theme (kalium)
KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality (qt-kentharadio)
Kids Heaven - Children Education WordPress Theme (kids-world)
Melania | Blog about Handmade & Crafts WordPress Theme + Shop (melania)
Mella - Minimalist Ajax eCommerce PSD Template (mella)
Miion | Multi-Purpose WordPress Theme (miion)
Myour - Personal Portfolio Resume WordPress Theme (myour)
North - One Page Parallax WordPress Theme (north-wp)
OneLife - Medical WordPress Theme (onelife)
Powerlift - Fitness and Gym WordPress Theme (powerlift)
Promo (promo)
Reprizo - Jewelry & Watch Store Shopify Theme (reprizo)
Restaurt (restaurt)
Right Way | Election Campaign and Political Candidate WordPress Theme (rightway)
Search & Go - Directory WordPress Theme (search-and-go)
Skillate (skillate)
Solace (solace)
The Aisle - Elegant Wedding WordPress Theme (theaisle)
TheNa - Photography & Portfolio WordPress Theme (thena)
Wedding Photographer WordPress Theme - Vivagh (vivagh)
xSmart - App Landing Page WordPress Theme in Tech Presentation, Promo Marketing & Advertising Agency (xsmart)
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Energia <= 1.1.2 - Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-50002
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Energia - Renewable Energy WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Event Tickets with Ticket Scanner <= 2.7.10 - Unauthenticated Remote Code Execution
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-68015
Patch Status: Unpatched
Published: Jan 15, 2026
Affected Software: Event Tickets with Ticket Scanner
Researcher: daroo
g-FFL Checkout <= 2.1.0 - Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-68001
Patch Status: Patched
Published: Jan 15, 2026
Affected Software: g-FFL Checkout
Researcher: Denver Jackson
Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-14301
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Integration Opvius AI for WooCommerce
Researcher: Muhammad Yudha - DJ
Modular DS 2.5.2 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2026-23800
Patch Status: Patched
Published: Jan 16, 2026
Affected Software: Modular DS: Monitor, update, and backup multiple websites
Researcher: Dave Jong
Modular DS <= 2.5.1 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2026-23550
Patch Status: Patched
Published: Jan 14, 2026
Affected Software: Modular DS: Monitor, update, and backup multiple websites
Researcher: Teemu Saarentaus
News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-14502
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: News and Blog Designer Bundle
Researcher: Itthidej Aramsri (Boeing777)
Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-10484
Patch Status: Patched
Published: Jan 16, 2026
Affected Software: Registration & Login with Mobile Phone Number for WooCommerce
Researcher: vpetr
RegistrationMagic <= 6.0.7.1 - Privilege Escalation via admin_order
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-15403
Patch Status: Patched
Published: Jan 16, 2026
Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Researcher: Os
Workreap Core <= 3.4.0 - Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-69101
Patch Status: Unpatched
Published: Jan 15, 2026
Affected Software: Workreap Core
Researcher: NAWardRox
Anona <= 8.0 - Unauthenticated Arbitrary File Deletion
CVSS Rating: Critical (9.1)
CVE-ID: CVE-2025-68901
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Anona - Pest Control WordPress Theme
Researcher: Tran Nguyen Bao Khanh
HDForms <= 1.6.1 - Unauthenticated Arbitrary File Deletion
CVSS Rating: Critical (9.1)
CVE-ID: CVE-2025-68912
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: HDForms | Contact Form Builder
Researcher: theviper17
Hostme v2 <= 7.0 - Unauthenticated Arbitrary File Deletion
CVSS Rating: Critical (9.1)
CVE-ID: CVE-2025-68907
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Hostme v2 - Responsive WordPress Theme
Researcher: Tran Nguyen Bao Khanh
WPLMS <= 1.9.9.5.4 - Unauthenticated Arbitrary File Deletion
CVSS Rating: Critical (9.1)
CVE-ID: CVE-2025-69097
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: WPLMS Plugin
Researcher: João Pedro S Alcântara (Kinorth)
All-in-One Video Gallery <= 4.5.7 - Authenticated (Author+) Arbitrary File Upload via VTT Upload Bypass
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-12957
Patch Status: Patched
Published: Jan 15, 2026
Affected Software: All-in-One Video Gallery
Researcher: mikemyers
Blogistic <= 1.0.5 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-68909
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Blogistic
Researcher: Denver Jackson
Blogzee <= 1.0.5 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-68910
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Blogzee
Researcher: Denver Jackson
Miion <= 1.2.7 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-68986
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Miion | Multi-Purpose WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Restaurt <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2026-22327
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Restaurt
Researcher: Tran Nguyen Bao Khanh
Supreme Modules Lite <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-13062
Patch Status: Patched
Published: Jan 15, 2026
Affected Software: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
Researcher: mikemyers
xSmart <= 1.2.9.4 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-50007
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: xSmart - App Landing Page WordPress Theme in Tech Presentation, Promo Marketing & Advertising Agency
Researcher: Tran Nguyen Bao Khanh
Membership Plugin – Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure
CVSS Rating: High (8.2)
CVE-ID: CVE-2025-14844
Patch Status: Patched
Published: Jan 15, 2026
Affected Software: Membership Plugin – Restrict Content
Researcher: andrea bocchetti
AutoParts <= 1.5.8 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-22331
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: AutoParts - Car Parts Store WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Bajaar - Highly Customizable WooCommerce WordPress <= 2.1.0 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69004
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: bajaar
Researcher: Tran Nguyen Bao Khanh
Barberry <= 2.9.9.87 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-68908
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Barberry - Modern WooCommerce Theme
Researcher: Tran Nguyen Bao Khanh
Biagiotti < 3.5.2 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67938
Patch Status: Patched
Published: Jan 15, 2026
Affected Software: Biagiotti
Researcher: Tran Nguyen Bao Khanh
Consult Aid <= 1.4.3 - Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67617
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Consult Aid: Business Consulting And Finance PSD
Researcher: Tran Nguyen Bao Khanh
Melania <= 2.5.0 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-22324
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Melania | Blog about Handmade & Crafts WordPress Theme + Shop
Researcher: Tran Nguyen Bao Khanh
Mella <= 1.2.29 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67616
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Mella - Minimalist Ajax eCommerce PSD Template
Researcher: Tran Nguyen Bao Khanh
Myour <= 1.5.1 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67615
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Myour - Personal Portfolio Resume WordPress Theme
Researcher: Tran Nguyen Bao Khanh
North <= 5.7.5 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69100
Patch Status: Unpatched
Published: Jan 15, 2026
Affected Software: North - One Page Parallax WordPress Theme
Researcher: João Pedro S Alcântara (Kinorth)
Powerlift < 3.2.1 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67940
Patch Status: Patched
Published: Jan 16, 2026
Affected Software: Powerlift - Fitness and Gym WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Promo <= 1.3.0 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-22325
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Promo
Researcher: Tran Nguyen Bao Khanh
Reprizo <= 1.0.8 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-22326
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Reprizo - Jewelry & Watch Store Shopify Theme
Researcher: Tran Nguyen Bao Khanh
Right Way <= 4.0 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-22330
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Right Way | Election Campaign and Political Candidate WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Search & Go <= 2.8 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69005
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: Search & Go - Directory WordPress Theme
Researcher: Tran Nguyen Bao Khanh
The Aisle < 2.9.1 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67941
Patch Status: Patched
Published: Jan 16, 2026
Affected Software: The Aisle - Elegant Wedding WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Anona <= 8.0 - Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68903
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Anona - Pest Control WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Anona <= 8.0 - Unauthenticated Arbitrary File Download
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68902
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Anona - Pest Control WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Antideo Email Validator <= 1.0.10 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68017
Patch Status: Unpatched
Published: Jan 16, 2026
Affected Software: Antideo Email Validator
Researcher: Jarno Vos (jarnovos)
CleverReach® WP <= 1.5.22 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68034
Patch Status: Unpatched
Published: Jan 15, 2026
Affected Software: CleverReach® WP
Researcher: 0xd4rk5id3
Demo Importer Plus <= 2.0.9 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-14478
Patch Status: Patched
Published: Jan 16, 2026
Affected Software: Demo Importer Plus
Researcher: bosz
JNews - Pay Writer <= 11.0.0 - Authenticated (Subscriber+) Local File Inclusion
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68905
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: JNews - Pay Writer
Researcher: Rafie Muhammad
JupiterX Core <= 4.10.1 - Authenticated (Contributor+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-50004
Patch Status: Patched
Published: Jan 12, 2026
Affected Software: Jupiter X Core
Researcher: João Pedro S Alcântara (Kinorth)
Kids Heaven <= 3.2 - Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-67619
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Kids Heaven - Children Education WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Miion <= 1.2.7 - Authenticated (Subscriber+) Local File Inclusion
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68913
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Miion | Multi-Purpose WordPress Theme
Researcher: Tran Nguyen Bao Khanh
North <= 5.7.5 - Authenticated (Contributor+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-69099
Patch Status: Unpatched
Published: Jan 15, 2026
Affected Software: North - One Page Parallax WordPress Theme
Researcher: João Pedro S Alcântara (Kinorth)
OneLife <= 3.9 - Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-69002
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: OneLife - Medical WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Shipping Rate By Cities <= 2.0.0 - Unauthenticated SQL Injection via 'city' Parameter
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-14770
Patch Status: Patched
Published: Jan 13, 2026
Affected Software: Shipping Rate By Cities
Researcher: Athiwat Tiprasaharn (Jitlada)
Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-12166
Patch Status: Patched
Published: Jan 14, 2026
Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Researcher: shark3y
Tutor LMS Pro <= 3.8.3 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-22332
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Tutor LMS Pro
Researcher: 0xd4rk5id3
Vivagh <= 2.4 - Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68899
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Wedding Photographer WordPress Theme - Vivagh
Researcher: Tran Nguyen Bao Khanh
AJS Footnotes <= 1.0 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-15378
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: AJS Footnotes
Researcher: 0x34rth
GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.1.7 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-15266
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation
Researcher: zer0gh0st
GetContentFromURL <= 1.0 - Authenticated (Contributor+) Server-Side Request Forgery via 'url' Shortcode Attribute
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-14613
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: GetContentFromURL
Researcher: Ivan Cese
Infility Global <= 2.14.49 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-68864
Patch Status: Unpatched
Published: Jan 15, 2026
Affected Software: Infility Global
Researcher: Drew Webber (mcdruid)
Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-15283
Patch Status: Patched
Published: Jan 13, 2026
Affected Software: Name Directory
Researcher: zer0gh0st
Omnichannel for WooCommerce <= 1.3.65 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-68041
Patch Status: Unpatched
Published: Jan 15, 2026
Affected Software: Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto
Researcher: guardimo
Synergy Project Manager <= 1.5 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-68898
Patch Status: Unpatched
Published: Jan 15, 2026
Affected Software: Synergy Project Manager
Researcher: Drew Webber (mcdruid)
DASHBOARD BUILDER <= 1.5.7 - Cross-Site Request Forgery to SQL Injection
7.1
CVSS Rating
High (7.1)
CVE-ID
CVE-2025-14615
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
DASHBOARD BUILDER – WordPress plugin for Charts and Graphs
Researcher
omer yeshayahu
More Details >
Awesome Support – WordPress HelpDesk & Support Plugin <= 6.3.6 - Missing Authorization to Unauthenticated Role Demotion
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-12641
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
Awesome Support – WordPress HelpDesk & Support Plugin
Researcher
shark3y
More Details >
DZS Video Gallery <= 12.37 - Authenticated (Subscriber+) SQL Injection
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-49049
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
DZS Video Gallery
Researcher
João Pedro S Alcântara (Kinorth)
More Details >
Event Espresso 4 Decaf <= 5.0.37.decaf - Missing Authorization to Unauthenticated Settings Change
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-68007
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
Event Espresso – Event Registration & Ticketing Sales
Researcher
Legion Hunter
More Details >
Gotham Block Extra Light <= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-15020
Patch Status
Patched
Published
Jan 13, 2026
Affected Software
Gotham Block Extra Light
Researcher
0x34rth
More Details >
Gutenberg Thim Blocks <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-13725
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Thim Blocks
Researcher
Athiwat Tiprasaharn (Jitlada)
More Details >
Lead Capturing Pages <= 2.5 - Authenticated (Subscriber+) SQL Injection
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-49050
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
WP Lead Capturing Pages
Researcher
João Pedro S Alcântara (Kinorth)
More Details >
Wallet System for WooCommerce <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-14450
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
Woocommerce Book Price <= 1.3 - Authenticated (Subscriber++) Arbitrary File Download
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2026-22334
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
Woocommerce Book Price
Researcher
0xd4rk5id3
More Details >
WooCommerce Frontend Manager – Ultimate < 6.7.6 - Authenticated (Subscriber+) SQL Injection
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2026-22335
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
WooCommerce Frontend Manager – Ultimate
Researcher
0xd4rk5id3
More Details >
AffiliateX 1.0.0 - 1.3.9.3 - Authenticated (Subscriber+) Missing Authorization to Stored Cross-Site Scripting via save_customization_settings
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-13859
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
AffiliateX – Amazon Affiliate Plugin
Researcher
kr0d
More Details >
CubeWP <= 1.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8615
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
CubeWP Framework
Researcher
zaim
More Details >
Related Posts by Taxonomy <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'related_posts_by_tax' Shortcode
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-0916
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
Related Posts by Taxonomy
Researcher
Muhammad Yudha - DJ
More Details >
SearchWiz <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-0694
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
SearchWiz
Researchers
Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris DamkhamVarakorn Chanthasri (iCreaM)Peerapat SamatathanyakornSopon Tangpathum (SoNaJaa)
More Details >
SpiceForms Form Builder <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12178
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
SpiceForms Form Builder
Researcher
Peter Thaleikis
More Details >
Team Section Block <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-0833
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Team Section Block – Showcase Team Members with Layout Options
Researcher
Athiwat Tiprasaharn (Jitlada)
More Details >
UiChemy <= 4.4.2 - Authenticated (Author+) Stored Cross-Site Scripting
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-69362
Patch Status
Patched
Published
Jan 12, 2026
Affected Software
UiChemy — Figma Converter for Elementor, Gutenberg and Bricks
Researcher
Athiwat Tiprasaharn (Jitlada)
More Details >
User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-0913
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
User Submitted Posts – Enable Users to Submit Posts from the Front End
Researcher
Muhammad Yudha - DJ
More Details >
Accordion Slider PRO <= 1.2 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49066
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
Accordion Slider PRO
Researcher
João Pedro S Alcântara (Kinorth)
More Details >
Anon <= 2.2.10 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-67620
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Anon - Multipurpose Elementor WooCommerce Themes
Researcher
Tran Nguyen Bao Khanh
More Details >
Auto Repair <= 22.6 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2026-22328
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Auto Repair
Researcher
Tran Nguyen Bao Khanh
More Details >
bidorbuy Store Integrator <= 2.12.0 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68883
Patch Status
Unpatched
Published
Jan 16, 2026
Affected Software
bidorbuy Store Integrator
Researcher
Skalucy
More Details >
Brookside <= 1.4 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-67618
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Brookside
Researcher
Tran Nguyen Bao Khanh
More Details >
Dooodl <= 2.3.0 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68871
Patch Status
Unpatched
Published
Jan 16, 2026
Affected Software
Dooodl
Researcher
Skalucy
More Details >
Drone <= 1.40 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49249
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
Drone Media | Aerial Photography & Videography Theme
Researcher
Tran Nguyen Bao Khanh
More Details >
Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68872
Patch Status
Unpatched
Published
Jan 16, 2026
Affected Software
Eli's WordCents adSense Widget with Analytics
Researcher
Skalucy
More Details >
Hide My WP <= 6.2.12 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-69098
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Hide My WP - Amazing Security Plugin for WordPress!
Researcher
João Pedro S Alcântara (Kinorth)
More Details >
JNews - Frontend Submit <= 11.0.0 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68904
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
JNews - Frontend Submit
Researcher
Rafie Muhammad
More Details >
JNews - Video <= 11.0.2 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68906
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
JNews - Video
Researcher
Rafie Muhammad
More Details >
KenthaRadio <= 2.2.0 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-69003
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
KenthaRadio - Addon for Kentha Music WordPress Theme To Add Radio Station and Schedule Functionality
Researcher
Tran Nguyen Bao Khanh
More Details >
List Site Contributors <= 1.1.8 - Reflected Cross-Site Scripting via alpha
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2026-0594
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
List Site Contributors
Researcher
0x34rth
More Details >
Mail <= 1.3 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68008
Patch Status
Unpatched
Published
Jan 16, 2026
Affected Software
WP Mail
Researcher
Skalucy
More Details >
Quote Master <= 7.1.1 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68849
Patch Status
Unpatched
Published
Jan 16, 2026
Affected Software
Quote Master
Researcher
Abdulsamad Yusuf (0xVenus)
More Details >
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Reflected Cross-Site Scripting via className
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-14375
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Researcher
Deadbee
More Details >
Simple Redirect <= 1.1 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68884
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
WP Simple Redirect
Researcher
Skalucy
More Details >
Skillate <= 1.2.10 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2026-22329
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Skillate
Researcher
Tran Nguyen Bao Khanh
More Details >
Syntax Highlighter Compress <= 3.0.83.3 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68859
Patch Status
Unpatched
Published
Jan 16, 2026
Affected Software
Syntax Highlighter Compress
Researcher
Abdulsamad Yusuf (0xVenus)
More Details >
Test Email <= 1.1.7 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-69102
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
WP Test Email
Researcher
Ryan Novotny
More Details >
TheNa <= 1.5.5 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-67614
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
TheNa - Photography & Portfolio WordPress Theme
Researcher
Tran Nguyen Bao Khanh
More Details >
xPromoter <= 1.3.4 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49046
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
xPromoter
Researcher
João Pedro S Alcântara (Kinorth)
More Details >
xSmart <= 1.2.9.4 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-50006
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
xSmart - App Landing Page WordPress Theme in Tech Presentation, Promo Marketing & Advertising Agency
Researcher
Tran Nguyen Bao Khanh
More Details >
Feeds for YouTube Pro <= 2.6.0 - Unauthenticated Arbitrary File Read via Path Traversal
5.9
CVSS Rating
Medium (5.9)
CVE-ID
CVE-2025-12002
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
YouTube Feed Pro
Researcher
LionTree
More Details >
Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay
5.8
CVSS Rating
Medium (5.8)
CVE-ID
CVE-2025-12718
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Quick Contact Form
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
WP Duplicate Page <= 1.8 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-14001
Patch Status
Patched
Published
Jan 12, 2026
Affected Software
WP Duplicate Page
Researcher
Sarawut Poolkhet (MisterHelloz)
More Details >
WP-CRM System – Manage Clients and Projects <= 3.4.5 - Missing Authorization to Authenticated (Subscriber+) CRM Data Exposure and Task Modification
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-14854
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
WP-CRM System – Manage Clients and Projects
Researcher
Teerachai Somprasong
More Details >
WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-14448
Patch Status
Patched
Published
Jan 14, 2026
Affected Software
WP-Members Membership Plugin
Researcher
shark3y
More Details >
Aplazo Payment Gateway <= 1.4.2 - Missing Authorization to Unauthenticated Order Status Manipulation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-15512
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Aplazo Payment Gateway
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
Breeze <= 2.2.21 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69364
Patch Status
Patched
Published
Jan 13, 2026
Affected Software
Breeze Cache
Researcher
Bao - BlueRock
More Details >
Community Events <= 1.5.6 - Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14029
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Community Events
Researcher
Itthidej Aramsri (Boeing777)
More Details >
Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14757
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
Cost Calculator Builder
Researcher
andrea bocchetti
More Details >
CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12129
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
CubeWP Framework
Researcher
Jonas Benjamin Friedli
More Details >
Essential Addons for Elementor <= 6.5.5 - Missing Authorization to Unauthenticated Sensitive Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1004
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
Essential Addons for Elementor – Popular Elementor Templates & Widgets
Researcher
shrikant bhosale
More Details >
EventPrime - Events Calendar, Bookings and Tickets <= 4.2.7.0 - Unauthenticated Sensitive Information Exposure via REST API
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14507
Patch Status
Patched
Published
Jan 12, 2026
Affected Software
EventPrime – Events Calendar, Bookings and Tickets
Researcher
Deadbee
More Details >
Float Payment Gateway <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-15513
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Float Payment Gateway
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
Kalium <= 3.29 - Missing Authorization to Unauthenticated Mail Relay via kalium_vc_contact_form_request
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12895
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
Kalium 3 | Creative WordPress & WooCommerce Theme
Researcher
Ahmed Rayen Ayari
More Details >
LottieFiles – Lottie block for Gutenberg <= 3.0.0 - Unauthenticated Sensitive Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-0717
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
LottieFiles – Lottie block for Gutenberg
Researcher
y0shicat
More Details >
Netcash WooCommerce Payment Gateway <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14880
Patch Status
Patched
Published
Jan 13, 2026
Affected Software
Netcash WooCommerce Payment Gateway
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
onepay Payment Gateway For WooCommerce <= 1.1.2 - Missing Authorization to Unauthenticated Order Status Modification
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68016
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
onepay Payment Gateway For WooCommerce
Researcher
NumeX
More Details >
PAYGENT for WooCommerce <= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14078
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
PAYGENT for WooCommerce
Researchers
BenachiBenachi
More Details >
PayHere Payment Gateway Plugin for WooCommerce <= 2.3.9 - Missing Authorization to Unauthenticated Order Status Modification
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-15475
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
PayHere Payment Gateway Plugin for WooCommerce
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
Payment Button for PayPal <= 1.2.3.41 - Missing Authorization to Unauthenticated Arbitrary Order Creation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14463
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Payment Button for PayPal
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
PDF Resume Parser <= 1.0 - Unauthenticated Sensitive Information Disclosure in SMTP Credentials
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14464
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
PDF Resume Parser
Researcher
Ivan Cese
More Details >
Peach Payments Gateway <= 3.3.6 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67942
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Peach Payments Gateway
Researcher
Legion Hunter
More Details >
Perfit WooCommerce <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14173
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Perfit WooCommerce
Researcher
Legion Hunter
More Details >
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.2 - Unauthenticated Order Status Manipulation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-0939
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit
Researcher
Os
More Details >
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.3 - Missing Authorization to Unauthenticated Rede Order Logs Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-0942
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit
Researcher
Os
More Details >
RepairBuddy <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-0820
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
Researcher
Teerachai Somprasong
More Details >
Reservation <= 1.7 - Missing Authorization to Unauthenticated Settings Update
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69095
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Reservation Plugin
Researcher
Bonds
More Details >
Shown Connector <= 1.2.10 - Missing Authorization to Unauthenticated Settings Update
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68003
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
Shown Connector
Researcher
Legion Hunter
More Details >
Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-0808
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Spin Wheel – Interactive spinning wheel that offers coupons
Researcher
jsonc
More Details >
User Registration Using Contact Form 7 <= 2.5 - Authenticated (Subscriber+) Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12825
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
User Registration Using Contact Form 7
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
WDV One Page Docs <= 1.2.4 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68896
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
WDV One Page Docs – Documentation Plugin for WordPress
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
WP Hotel Booking <= 2.2.7 - Unauthenticated Sensitive Information Exposure via 'email' Parameter
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14075
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
WP Hotel Booking
Researcher
Itthidej Aramsri (Boeing777)
More Details >
DK PDF – WordPress PDF Generator <= 2.3.0 - Authenticated (Author+) Server-Side Request Forgery
5.0
CVSS Rating
Medium (5.0)
CVE-ID
CVE-2025-14793
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
DK PDF – WordPress PDF Generator
Researchers
Athiwat Tiprasaharn (Jitlada)Peerapat Samatathanyakorn
More Details >
Advanced Ads – Ad Manager & AdSense <= 2.0.15 - Authenticated (Admin+) SQL Injection
4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-12984
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Advanced Ads – Ad Manager & AdSense
Researcher
Supakiad S. (m3ez)
More Details >
Shipping Rates by City for WooCommerce <= 1.0.3 - Authenticated (Shop Manager+) SQL Injection via 'cities' Parameter
4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2026-0678
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Shipping Rates by City for WooCommerce
Researcher
Nguyen Truong (Roll)
More Details >
CM E-Mail Blacklist <= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-0691
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
CM E-Mail Blacklist – Simple email filtering for safer registration
Researcher
Phap Nguyen Anh
More Details >
Electric Studio Download Counter <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-0741
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Electric Studio Download Counter
Researcher
0x34rth
More Details >
Filr – Secure document library <= 1.2.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-14632
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Filr – Secure document library
Researcher
Phap Nguyen Anh
More Details >
Gotham Block Extra Light <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-15021
Patch Status
Patched
Published
Jan 13, 2026
Affected Software
Gotham Block Extra Light
Researcher
0x34rth
More Details >
Integrate Dynamics 365 CRM <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-0725
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Integrate Dynamics 365 CRM
Researcher
Teerachai Somprasong
More Details >
Internal Link Builder <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin's Settings
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-14725
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Internal Link Builder
Researcher
0x34rth
More Details >
Kunze Law <= 2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-15486
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Kunze Law
Researcher
ZAST.AI
More Details >
LinkedIn SC <= 1.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Page
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-0812
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
LinkedIn SC
Researcher
0x34rth
More Details >
Makesweat <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-13627
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Makesweat
Researcher
ChamlaVic
More Details >
Real Post Slider Lite <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-0680
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Real Post Slider Lite
Researcher
0x34rth
More Details >
Short Link <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Administration Settings Page
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-0813
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Short Link
Researcher
0x34rth
More Details >
Testimonials Creator 1.6 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-14379
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Testimonials Creator
Researcher
Jochem Boender
More Details >
WMF Mobile Redirector <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-0739
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
WMF Mobile Redirector
Researcher
0x34rth
More Details >
WP Allowed Hosts <= 1.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'allowed-hosts' Parameter
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-0734
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
WP Allowed Hosts
Researcher
0x34rth
More Details >
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14384
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Researcher
NosleeP++
More Details >
Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14982
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
Booking Calendar
Researcher
shark3y
More Details >
CP Image Store with Slideshow <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-0684
Patch Status
Patched
Published
Jan 12, 2026
Affected Software
CP Image Store with Slideshow
Researcher
Kazuma Matsumoto
More Details >
Crush.pics Image Optimizer <= 1.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14482
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Crush.pics Image Optimizer – Image Compression and Optimization
Researcher
ChamlaVic
More Details >
Dreamer Blog <= 1.2 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10915
Patch Status
Unpatched
Published
Jan 14, 2026
Affected Software
Dreamer Blog
Researcher
Khaled Alenazi (Nxploited)
More Details >
Electron <= 1.8.2 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-5805
Patch Status
Unpatched
Published
Jan 12, 2026
Affected Software
electron
Researcher
Tran Nguyen Bao Khanh
More Details >
GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.0 - Missing Authorization to Authenticated (Author+) Arbitrary Post Deletion
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1003
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools
Researcher
theviper17y
More Details >
LEAV Last Email Address Validator <= 1.7.1 - Cross-Site Request Forgery to Plugin Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14853
Patch Status
Unpatched
Published
Jan 15, 2026
Affected Software
LEAV Last Email Address Validator
Researcher
afnaan
More Details >
Phrase TMS Integration for WordPress <= 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Log Deletion
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12168
Patch Status
Patched
Published
Jan 16, 2026
Affected Software
Phrase TMS Integration for WordPress
Researcher
Legion Hunter
More Details >
Responsive Accordion Slider <= 1.2.2 - Missing Authorization to Authenticated (Contributor+) Slider Update via 'resp_accordion_silder_save_images'
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-0635
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Responsive Accordion Slider
Researcher
Kazuma Matsumoto
More Details >
Responsive Addons for Elementor <= 2.0.8 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-69363
Patch Status
Patched
Published
Jan 12, 2026
Affected Software
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
Researcher
Abu Hurayra (HurayraIIT)
More Details >
Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-15370
Patch Status
Patched
Published
Jan 15, 2026
Affected Software
Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Researcher
Dmitrii Ignatyev
More Details >
SocialChamp with WordPress <= 1.3.3 - Cross-Site Request Forgery to Plugin Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14846
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
SocialChamp with WordPress
Researcher
afnaan
More Details >
Solace <= 2.1.16 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68911
Patch Status
Unpatched
Published
Jan 13, 2026
Affected Software
Solace
Researcher
Denver Jackson
More Details >
Sosh Share Buttons <= 1.1.0 - Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-15377
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Sosh Share Buttons
Researcher: dayea song

Stopwords for comments <= 1.1 - Missing Authorization to Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-15376
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: Stopwords for comments
Researcher: dayea song

Tickera <= 3.5.6.2 - Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-67939
Patch Status: Patched
Published: Jan 16, 2026
Affected Software: Tickera – Sell Tickets & Manage Events
Researcher: daroo

WPBlogSyn <= 1.0 - Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-14389
Patch Status: Unpatched
Published: Jan 13, 2026
Affected Software: WPBlogSyn
Researcher: dayea song

xSmart <= 1.2.9.4 - Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-54002
Patch Status: Unpatched
Published: Jan 12, 2026
Affected Software: xSmart - App Landing Page WordPress Theme in Tech Presentation, Promo Marketing & Advertising Agency
Researcher: Tran Nguyen Bao Khanh

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion
CVSS Rating: Low (3.7)
CVE-ID: CVE-2025-14457
Patch Status: Patched
Published: Jan 14, 2026
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7
Researcher: shark3y

Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter
CVSS Rating: Low (2.2)
CVE-ID: CVE-2026-0682
Patch Status: Patched
Published: Jan 16, 2026
Affected Software: Church Admin
Researcher: Phap Nguyen Anh

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 12, 2026 to January 18, 2026) appeared first on Wordfence.
Source: www.wordfence.com