Critical Vulnerability in WordPress Plugin "Booked" Allows Authentication Bypass
Author: Chloe Chamberland
CVE references:
CVE-2026-24524, CVE-2026-0832, CVE-2026-1391, CVE-2026-24529, CVE-2025-67974, CVE-2025-69366, CVE-2025-68845, CVE-2025-12709, CVE-2026-1295, CVE-2026-24528,
CVE-2025-14063, CVE-2026-24526, CVE-2026-1053, CVE-2025-68050, CVE-2025-68837, CVE-2026-1400, CVE-2026-24368, CVE-2025-68005, CVE-2025-67972, CVE-2025-67970,
CVE-2025-69367, CVE-2025-69323, CVE-2025-68069, CVE-2025-14039, CVE-2025-69368, CVE-2025-67547, CVE-2025-67973, CVE-2026-22341, CVE-2026-0825, CVE-2025-68564,
CVE-2026-24377, CVE-2025-68031, CVE-2026-1298, CVE-2026-24383, CVE-2025-69306, CVE-2025-14795, CVE-2026-0683, CVE-2026-1399, CVE-2025-68843, CVE-2026-24530,
CVE-2025-14973, CVE-2025-15511, CVE-2025-14865, CVE-2025-67975, CVE-2025-68847, CVE-2026-24521, CVE-2026-22339, CVE-2025-14283, CVE-2026-1389, CVE-2026-24380,
CVE-2025-69302, CVE-2025-68854, CVE-2025-69303, CVE-2025-67987, CVE-2025-68880, CVE-2026-25015, CVE-2025-68531, CVE-2025-69365, CVE-2026-24522, CVE-2025-67971,
CVE-2026-1431, CVE-2025-15510, CVE-2025-69371, CVE-2026-1377, CVE-2025-69296, CVE-2026-24357, CVE-2026-0746, CVE-2025-68856, CVE-2025-68842, CVE-2026-0844,
CVE-2026-24525, CVE-2026-1060, CVE-2026-25016, CVE-2025-14610, CVE-2025-68051, CVE-2026-1165, CVE-2025-69308, CVE-2025-68042, CVE-2026-1310, CVE-2026-1083,
CVE-2025-69305, CVE-2025-14971, CVE-2026-22340, CVE-2025-69299, CVE-2025-14316, CVE-2025-69307, CVE-2025-68844, CVE-2026-1380, CVE-2025-14554, CVE-2025-14386,
CVE-2025-69301, CVE-2026-1280, CVE-2026-0702, CVE-2026-24523, CVE-2025-69304, CVE-2025-68846, CVE-2026-1381, CVE-2025-69310, CVE-2025-8072, CVE-2025-69297,
CVE-2026-25014, CVE-2026-24389, CVE-2025-67978, CVE-2025-69309, CVE-2025-68895, CVE-2025-9082, CVE-2025-69370, CVE-2025-67977, CVE-2026-1398, CVE-2026-23978,
CVE-2025-68048, CVE-2025-15525, CVE-2025-69298, CVE-2025-14616, CVE-2025-68855, CVE-2026-1056, CVE-2026-1054, CVE-2026-1244, CVE-2025-68021
Summary
The most severe issue in this week's report is a critical (CVSS 9.8) authentication bypass, CVE-2026-22341, in the "Booked - Appointment Booking for WordPress" plugin, affecting all versions up to and including 3.0.0. At the time of publication the vulnerability was listed as unpatched, so updating is not yet an option: site owners running Booked should treat the plugin as exposed and consider deactivating and removing it until the vendor releases a fixed version, then confirm the installed version on the Plugins screen before re-enabling it. The second critical issue, CVE-2026-1056 in Snow Monkey Forms <= 12.0.3 (unauthenticated arbitrary file deletion via path traversal), has been patched and should be updated immediately.
Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
Last week, there were 120 vulnerabilities disclosed in 107 WordPress Plugins and 10 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 55 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. Site owners can rest assured that Wordfence, the world's leading quality vulnerability database provider for WordPress, has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
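Whether the scan runs through Wordfence CLI or against a dump of the database, the check it performs per installed plugin or theme is the same: does the installed version fall inside the affected range listed for a vulnerability? The Python below is an added example, not Wordfence or Wordfence CLI code. It handles the three range forms this report uses ("<= x", "< x", and "a - b"), compares versions numerically rather than as strings, and flags a match against an unpatched entry as needing removal rather than an update. The feed entries and inventory are constructed from four entries in this report; the feed's dictionary shape is an assumption for the example, not the schema of the Wordfence Intelligence API.

```python
"""Affected-version matching for a WordPress plugin/theme vulnerability scan.

Added example, not Wordfence or Wordfence CLI code.  The feed entries and the
installed inventory below are constructed from four entries in this report;
the feed's dictionary shape is an assumption for the example, not the schema
of the Wordfence Intelligence API.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '10.14.13' into (10, 14, 13) so versions compare numerically.

    A string comparison would rank '10.9' above '10.14'.  A pre-release
    suffix such as '-beta1' is dropped and trailing zeros are stripped so
    that '3.0' equals '3.0.0' (assumption: adequate for wordpress.org
    release numbering, which is plain dotted integers).
    """
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class AffectedRange:
    low: Optional[Version]   # inclusive lower bound; None means unbounded
    high: Version            # upper bound
    high_inclusive: bool     # True for '<=' and 'a - b', False for '<'


def parse_range(text: str) -> AffectedRange:
    """Parse the three range forms this report uses: '<= x', '< x', 'a - b'."""
    text = text.strip()
    m = re.fullmatch(r"(<=|<)\s*([\w.]+)", text)
    if m:
        return AffectedRange(None, parse_version(m.group(2)), m.group(1) == "<=")
    m = re.fullmatch(r"([\w.]+)\s*-\s*([\w.]+)", text)
    if m:
        return AffectedRange(parse_version(m.group(1)), parse_version(m.group(2)), True)
    raise ValueError(f"unsupported affected-version range: {text!r}")


def is_affected(installed: str, rng: AffectedRange) -> bool:
    """True when the installed version lies inside the affected range."""
    v = parse_version(installed)
    if rng.low is not None and v < rng.low:
        return False
    return v <= rng.high if rng.high_inclusive else v < rng.high


# Constructed feed, slug -> [(title, CVE, affected range, patch status)],
# copied from four entries in this report.
SAMPLE_FEED: Dict[str, List[Tuple[str, str, str, str]]] = {
    "booked": [("Authentication Bypass", "CVE-2026-22341", "<= 3.0.0", "Unpatched")],
    "modeltheme-addons-for-wpbakery": [("Authenticated (Contributor+) PHP Object Injection",
                                        "CVE-2025-68531", "< 1.5.6", "Patched")],
    "metasync": [("Missing Authorization to Authenticated (Subscriber+) "
                  "Authentication Bypass via Account Takeover",
                  "CVE-2025-14386", "2.4.4 - 2.5.12", "Unpatched")],
    "snow-monkey-forms": [("Unauthenticated Arbitrary File Deletion via Path Traversal",
                           "CVE-2026-1056", "<= 12.0.3", "Patched")],
}

# Constructed inventory, slug -> installed version, as a scanner would read it
# from each plugin's header comment or the site's database.
SAMPLE_INVENTORY: Dict[str, str] = {
    "booked": "3.0",                            # same release as 3.0.0: affected
    "modeltheme-addons-for-wpbakery": "1.5.6",  # first fixed release: clean
    "metasync": "2.5.12",                       # top of the range, inclusive
    "snow-monkey-forms": "12.0.4",              # one past the patched bound: clean
}


def find_affected(inventory: Dict[str, str], feed=SAMPLE_FEED) -> List[dict]:
    """One finding per matching (slug, CVE), sorted by slug then CVE."""
    findings = []
    for slug, installed in inventory.items():
        for title, cve, rng_text, status in feed.get(slug, []):
            if is_affected(installed, parse_range(rng_text)):
                findings.append({
                    "slug": slug, "installed": installed, "cve": cve, "title": title,
                    # No fixed release exists for an unpatched entry, so telling
                    # the owner to "update" would be wrong; the site needs containment.
                    "action": "update" if status == "Patched"
                              else "remove or isolate until a fix ships",
                })
    return sorted(findings, key=lambda f: (f["slug"], f["cve"]))


if __name__ == "__main__":
    for f in find_affected(SAMPLE_INVENTORY):
        print(f"{f['slug']} {f['installed']}: {f['cve']} {f['title']} -> {f['action']}")
```

Running the module reports two findings, booked and metasync, both marked for removal rather than update because their entries are unpatched. The modeltheme entry is clean because 1.5.6 is the first fixed release and the "< 1.5.6" bound is exclusive; a scanner that treats "<" like "<=" would raise a false positive there, and one that compares version strings lexicographically would miss Booking Calendar-style versions such as 10.14.13.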
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
WAF-RULE-892 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities
Patched | 56
Unpatched | 64
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities
Medium Severity | 86
High Severity | 32
Critical Severity | 2
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 40
Missing Authorization | 37
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 14
Cross-Site Request Forgery (CSRF) | 9
Deserialization of Untrusted Data | 4
Exposure of Sensitive Information to an Unauthorized Actor | 4
Server-Side Request Forgery (SSRF) | 3
Authentication Bypass Using an Alternate Path or Channel | 2
Authorization Bypass Through User-Controlled Key | 2
Improper Access Control | 1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1
Incorrect Authorization | 1
Unrestricted Upload of File with Dangerous Type | 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities
Phat RiO | 16
João Pedro S Alcântara (Kinorth) | 9
Skalucy | 9
Nabil Irawan | 9
Athiwat Tiprasaharn (Jitlada) | 6
daroo | 5
NumeX | 5
Md. Moniruzzaman Prodhan (NomanProdhan) | 4
Legion Hunter | 4
type5afe | 3
Itthidej Aramsri (Boeing777) | 3
johska | 3
Peerapat Samatathanyakorn | 3
Tran Nguyen Bao Khanh | 2
0xd4rk5id3 | 2
Sarawut Poolkhet (MisterHelloz) | 2
Abdulsamad Yusuf (0xVenus) | 2
Muhammad Nur Ibnu Hubab (Ibnu) | 2
theviper17 | 2
benzdeus | 2
Deadbee | 2
hhhai | 1
afnaan | 1
Drew Webber (mcdruid) | 1
Peter Thaleikis | 1
Tristan Jay Neale | 1
Rapid0nion | 1
zaim | 1
whizzu | 1
Teerachai Somprasong | 1
Doan Dinh Van (DinhVan52) | 1
Muhammad Yudha - DJ | 1
w41bu1 | 1
JoanClarke2 | 1
Purachai Phonwisut | 1
kr0d | 1
Bao - BlueRock | 1
ibrahimsql | 1
theviper17y | 1
zer0gh0st | 1
ALockWooD | 1
Supakiad S. (m3ez) | 1
Kai Aizen | 1
JongHwan Shin (zzzsleep) | 1
shark3y | 1
Yevgen Goncharuk | 1
Webbernaut | 1
Ty5ona | 1
omer yeshayahu | 1
Myungju Kim | 1
Powpy | 1
Waris Damkham | 1
Varakorn Chanthasri (iCreaM) | 1
Sopon Tangpathum (SoNaJaa) | 1
Abdualrhman Muzamil | 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name (Software Slug)
Aardvark (aardvark-plugin)
aDirectory – WP Business Directory Plugin and Classified Ads Listings Directory (adirectory)
AhaChat Messenger Marketing (ahachat-messenger-marketing)
AI Engine – The Chatbot and AI Framework for WordPress (ai-engine)
Ajax Load More – Infinite Scroll, Load More, & Lazy Load (ajax-load-more)
Allmart (allmart-core)
Appointment Hour Booking – Booking Calendar (appointment-hour-booking)
Asynchronous Javascript (asynchronous-javascript)
Bitcoin Donate Button (bitcoin-donate-button)
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library (blockart-blocks)
Booked - Appointment Booking for WordPress (booked)
Booking Calendar (booking)
bSlider – Create Responsive Image, Post, Product, and Video Sliders (b-slider)
Buy Now Plus — Payments with Stripe (buy-now-plus)
Change WP URL (change-wp-url)
CLP Varnish Cache (clp-varnish-cache)
Crete Core (crete-core)
Database for Contact Form 7, WPforms, Elementor forms (contact-form-entries)
DesignThemes Core Features (designthemes-core-features)
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings (directorist)
Document Embedder – Embed PDFs, Word, Excel, and Other Files (document-emberdder)
Easy Hotel Booking – Powerful Hotel Booking (easy-hotel)
Easy Replace Image (easy-replace-image)
eDS Responsive Menu (eds-responsive-menu)
Educare – Students & Result Management System (educare)
Electio Core (electio-core)
ELEX WordPress HelpDesk & Customer Ticketing System (elex-helpdesk-customer-support-ticket-system)
Email Inquiry & Cart Options for WooCommerce (woocommerce-email-inquiry-cart-options)
Emerce - Multipurpose WooCommerce WordPress Theme (emerce-core)
Enter Addons – Ultimate Template Builder for Elementor (enteraddons)
EventPrime – Events Calendar, Bookings and Tickets (eventprime-event-calendar-management)
FeedWordPress Advanced Filters (faf)
FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler (fluent-cart)
Forms Bridge – Infinite integrations (forms-bridge)
Frontend File Manager Plugin (nmedia-user-file-uploader)
Gallery PhotoBlocks (photoblocks-grid-gallery)
Gyan Elements (gyan-elements)
HAPPY – Helpdesk Support Ticket System (happy-helpdesk-support-ticket-system)
ID Arrays (id-arrays)
imwptip (imwptip)
Interactions – Create Interactive Experiences in the Block Editor (interactions)
iSape (isape)
Ivory Search – WordPress Search Plugin (add-search-to-menu)
JobBoard Job listing plugin (job-board-light)
Kama Thumbnail (kama-thumbnail)
Leadpages (leadpages)
Link Invoice Payment for WooCommerce (invoice-payment-for-woocommerce)
Medinik Core (medinik-core)
Membee Login (membees-member-login-widget)
ModelTheme Addons for WPBakery and Elementor (modeltheme-addons-for-wpbakery)
ModelTheme Framework (modeltheme-framework)
Mopinion Feedback Form (mopinion-feedback-form)
Nelio Popups (nelio-popups)
Nestbyte Core (nestbyte-core)
New User Approve (new-user-approve)
NEX-Forms – Ultimate Forms Plugin for WordPress (nex-forms-express-wp-form-builder)
Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates (the-plus-addons-for-block-editor)
NextMove Lite – Thank You Page for WooCommerce (woo-thank-you-page-nextmove-lite)
Nova Blocks by Pixelgrade (nova-blocks)
Order Minimum/Maximum Amount Limits for WooCommerce (order-minimum-amount-for-woocommerce)
Passster – Password Protect Pages and Content (content-protector)
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups (ays-popup-box)
Prague (prague-plugins)
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages (wplegalpages)
Quick Restaurant Reservations (quick-restaurant-reservations)
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker (quiz-master-next)
Recipe Card Blocks Lite (recipe-card-blocks-by-wpzoom)
Recooty – Job Widget (Old Dashboard) (recooty)
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (custom-registration-form-builder-with-submission-manager)
Rupantorpay (rupantorpay)
Saasplate Core (saasplate-core)
Schedula – Smart Appointment Booking (schedula-smart-appointment-booking)
Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization (metasync)
Sell BTC – Cryptocurrency Selling Calculator (sell-btc-by-hayyatapps)
Sendy (sendy)
SEO Links Interlinking (seo-links-interlinking)
Shiprocket (shiprocket)
Simple Archive Generator (simple-archive-generator)
Simple calendar for Elementor (simple-calendar-for-elementor)
Simple Folio (simple-folio)
Simple User Registration (wp-registration)
SlimStat Analytics (wp-slimstat)
Snow Monkey Forms (snow-monkey-forms)
Stop Spammers Classic (stop-spammer-registrations-plugin)
Sunshine Photo Cart: Free Client Photo Galleries for Photographers (sunshine-photo-cart)
SupportCandy – Helpdesk & Customer Support Ticket System (supportcandy)
TableMaster for Elementor – Advanced Responsive Tables for Elementor (tablemaster-for-elementor)
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent (tablesome)
Target Video Easy Publish (brid-video-easy-publish)
TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot (telsender)
The Grid (the-grid)
Translate WordPress Websites Globally with ConveyThis Translate (conveythis-translate)
Travelpayouts (travelpayouts)
Uroan Core (uroan-core)
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP (userswp)
VidShop – Shoppable Videos for WooCommerce (vidshop-for-woocommerce)
Vzaar Media Management (vzaar-media-management)
WebP Conversion (webp-conversion)
Widget Logic Visual (widget-logic-visual)
Woodly Core (woodly-core)
WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer (adminify)
WP FullCalendar (wp-fullcalendar)
WP Google Ad Manager Plugin (wp-google-ad-manager-plugin)
WP Recipe Maker (wp-recipe-maker)
WP Subscribe (wp-subscribe)
WPBITS Addons For Elementor Page Builder (wpbits-addons-for-elementor)
افزونه پیامک حرفه ای فراز اس ام اس (farazsms)
WordPress Themes with Reported Vulnerabilities Last Week
Software Name (Software Slug)
Aardvark - Community, Membership, BuddyPress Theme (aardvark)
Capella | Restaurant WordPress (capella)
Gauge: Multi-Purpose Review Theme (gauge)
Jobster (wpjobster)
KindlyCare - Senior Care & Medical WordPress Theme (kindlycare)
Konte - Minimal & Modern WooCommerce Theme (konte)
Oxygen (oxygen)
Oyster - Photography WordPress Theme (oyster)
PhotoMe | Photography Portfolio WordPress (photome)
SOHO - Photography WordPress Theme (soho)
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Booked <= 3.0.0 - Authentication Bypass
  CVSS: Critical (9.8); CVE-ID: CVE-2026-22341; Patch status: Unpatched; Published: Jan 29, 2026
  Affected software: Booked - Appointment Booking for WordPress; Researcher: Phat RiO
Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal
  CVSS: Critical (9.8); CVE-ID: CVE-2026-1056; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Snow Monkey Forms; Researcher: Sarawut Poolkhet (MisterHelloz)
Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.4 - 2.5.12 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover
  CVSS: High (8.8); CVE-ID: CVE-2025-14386; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization; Researcher: kr0d
Simple User Registration <= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save_field
  CVSS: High (8.8); CVE-ID: CVE-2026-0844; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Simple User Registration; Researcher: johska
Capella <= 2.5.5 - Unauthenticated PHP Object Injection
  CVSS: High (8.1); CVE-ID: CVE-2025-69370; Patch status: Unpatched; Published: Jan 29, 2026
  Affected software: Capella | Restaurant WordPress; Researcher: Tran Nguyen Bao Khanh
KindlyCare <= 1.6.1 - Unauthenticated PHP Object Injection
  CVSS: High (8.1); CVE-ID: CVE-2025-69371; Patch status: Unpatched; Published: Jan 29, 2026
  Affected software: KindlyCare - Senior Care & Medical WordPress Theme; Researcher: Tran Nguyen Bao Khanh
PhotoMe <= 5.6.11 - Unauthenticated PHP Object Injection
  CVSS: High (8.1); CVE-ID: CVE-2025-69301; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: PhotoMe | Photography Portfolio WordPress; Researcher: João Pedro S Alcântara (Kinorth)
Allmart <= 1.1 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69304; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Allmart; Researcher: Phat RiO
Crete Core <= 1.4.3 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69305; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Crete Core; Researcher: Phat RiO
Electio Core <= 1.4 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69306; Patch status: Unpatched; Published: Jan 28, 2026
  Affected software: Electio Core; Researcher: Phat RiO
Emerce Core <= 1.8 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69366; Patch status: Unpatched; Published: Jan 28, 2026
  Affected software: Emerce - Multipurpose WooCommerce WordPress Theme; Researcher: Phat RiO
Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter
  CVSS: High (7.5); CVE-ID: CVE-2026-1280; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Frontend File Manager Plugin; Researcher: Md. Moniruzzaman Prodhan (NomanProdhan)
Gyan Elements <= 2.2.1 - Authenticated (Contributor+) Local File Inclusion
  CVSS: High (7.5); CVE-ID: CVE-2026-23978; Patch status: Patched; Published: Feb 1, 2026
  Affected software: Gyan Elements; Researcher: João Pedro S Alcântara (Kinorth)
Medinik Core <= 1.3.6 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69307; Patch status: Unpatched; Published: Jan 28, 2026
  Affected software: Medinik Core; Researcher: Phat RiO
ModelTheme Addons for WPBakery and Elementor < 1.5.6 - Authenticated (Contributor+) PHP Object Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-68531; Patch status: Patched; Published: Jan 27, 2026
  Affected software: ModelTheme Addons for WPBakery and Elementor; Researcher: Phat RiO
Nestbyte Core <= 1.2 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69308; Patch status: Unpatched; Published: Jan 28, 2026
  Affected software: Nestbyte Core; Researcher: Phat RiO
Saasplate Core <= 1.2.8 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69309; Patch status: Unpatched; Published: Jan 28, 2026
  Affected software: Saasplate Core; Researcher: Phat RiO
Uroan Core <= 1.4.4 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69365; Patch status: Unpatched; Published: Jan 28, 2026
  Affected software: Uroan Core; Researcher: Phat RiO
VidShop – Shoppable Videos for WooCommerce <= 1.1.4 - Unauthenticated Time-Based SQL Injection via 'fields'
  CVSS: High (7.5); CVE-ID: CVE-2026-0702; Patch status: Patched; Published: Jan 27, 2026
  Affected software: VidShop – Shoppable Videos for WooCommerce; Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Peerapat Samatathanyakorn
Woodly Core <= 1.4 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2025-69310; Patch status: Unpatched; Published: Jan 28, 2026
  Affected software: Woodly Core; Researcher: Phat RiO
WPJobster <= 6.3.5 - Unauthenticated SQL Injection
  CVSS: High (7.5); CVE-ID: CVE-2026-22340; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Jobster; Researcher: 0xd4rk5id3
New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure
  CVSS: High (7.3); CVE-ID: CVE-2026-0832; Patch status: Patched; Published: Jan 27, 2026
  Affected software: New User Approve; Researcher: Deadbee
AhaChat Messenger Marketing <= 1.1 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2); CVE-ID: CVE-2025-14316; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: AhaChat Messenger Marketing; Researcher: Yevgen Goncharuk
AI Engine <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via 'filename' Parameter in update_media_metadata Endpoint
  CVSS: High (7.2); CVE-ID: CVE-2026-1400; Patch status: Patched; Published: Jan 27, 2026
  Affected software: AI Engine – The Chatbot and AI Framework for WordPress; Researcher: type5afe
Educare <= 1.6.1 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2); CVE-ID: CVE-2025-67978; Patch status: Patched; Published: Jan 28, 2026
  Affected software: Educare – Students & Result Management System; Researcher: hhhai
FluentCart < 1.3.0 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2); CVE-ID: CVE-2025-67971; Patch status: Patched; Published: Jan 27, 2026
  Affected software: FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler; Researcher: benzdeus
Membee Login <= 2.3.6 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2); CVE-ID: CVE-2025-68844; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Membee Login; Researcher: Skalucy
Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery
  CVSS: High (7.2); CVE-ID: CVE-2025-69299; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Oxygen; Researcher: João Pedro S Alcântara (Kinorth)
Oyster - Photography WordPress <= 4.4.3 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2); CVE-ID: CVE-2025-69367; Patch status: Unpatched; Published: Jan 28, 2026
  Affected software: Oyster - Photography WordPress Theme; Researcher: João Pedro S Alcântara (Kinorth)
Prague <= 2.2.8 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2); CVE-ID: CVE-2025-67972; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Prague; Researcher: João Pedro S Alcântara (Kinorth)
Sell BTC - Cryptocurrency Selling Calculator <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action
  CVSS: High (7.2); CVE-ID: CVE-2025-14554; Patch status: Patched; Published: Jan 30, 2026
  Affected software: Sell BTC – Cryptocurrency Selling Calculator; Researcher: Sarawut Poolkhet (MisterHelloz)
SOHO - Photography WordPress <= 3.0.3 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2); CVE-ID: CVE-2025-69368; Patch status: Unpatched; Published: Jan 29, 2026
  Affected software: SOHO - Photography WordPress Theme; Researcher: João Pedro S Alcântara (Kinorth)
TableMaster for Elementor <= 1.3.6 - Authenticated (Author+) Server-Side Request Forgery via 'csv_url' Parameter
  CVSS: High (7.2); CVE-ID: CVE-2025-14610; Patch status: Patched; Published: Jan 27, 2026
  Affected software: TableMaster for Elementor – Advanced Responsive Tables for Elementor; Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Powpy, Waris Damkham, Varakorn Chanthasri (iCreaM), Peerapat Samatathanyakorn, Sopon Tangpathum (SoNaJaa)
TelSender <= 1.14.14 - Unauthenticated Stored Cross-Site Scripting via Telegram Chat Title
  CVSS: High (7.2); CVE-ID: Unknown; Patch status: Patched; Published: Jan 27, 2026
  Affected software: TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot; Researcher: Kai Aizen
Quiz And Survey Master <= 10.3.1 - Authenticated (Subscriber+) SQL Injection
  CVSS: Medium (6.5); CVE-ID: CVE-2025-67987; Patch status: Patched; Published: Jan 28, 2026
  Affected software: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker; Researcher: Doan Dinh Van (DinhVan52)
Recipe Card Blocks for Gutenberg & Elementor < 3.4.13 - Authenticated (Contributor+) SQL Injection
  CVSS: Medium (6.5); CVE-ID: CVE-2025-14973; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Recipe Card Blocks Lite; Researcher: Purachai Phonwisut
SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter
  CVSS: Medium (6.5); CVE-ID: CVE-2026-0683; Patch status: Patched; Published: Jan 30, 2026
  Affected software: SupportCandy – Helpdesk & Customer Support Ticket System; Researcher: Supakiad S. (m3ez)
AI Engine <= 3.3.2 - Authenticated (Subscriber+) Server-Side Request Forgery
  CVSS: Medium (6.4); CVE-ID: CVE-2026-0746; Patch status: Patched; Published: Jan 27, 2026
  Affected software: AI Engine – The Chatbot and AI Framework for WordPress; Researcher: type5afe
B Slider <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4); CVE-ID: CVE-2026-24383; Patch status: Patched; Published: Jan 29, 2026
  Affected software: bSlider – Create Responsive Image, Post, Product, and Video Sliders; Researcher: Athiwat Tiprasaharn (Jitlada)
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4); CVE-ID: CVE-2025-14283; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library; Researcher: Webbernaut
Buy Now Plus <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
  CVSS: Medium (6.4); CVE-ID: CVE-2026-1295; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Buy Now Plus — Payments with Stripe; Researcher: theviper17y
Email Inquiry & Cart Options for WooCommerce <= 3.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4); CVE-ID: CVE-2026-24526; Patch status: Unpatched; Published: Jan 26, 2026
  Affected software: Email Inquiry & Cart Options for WooCommerce; Researcher: theviper17
Forms Bridge <= 4.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
  CVSS: Medium (6.4); CVE-ID: CVE-2026-1244; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Forms Bridge – Infinite integrations; Researcher: zaim
Gallery PhotoBlocks <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4); CVE-ID: CVE-2026-24389; Patch status: Patched; Published: Jan 26, 2026
  Affected software: Gallery PhotoBlocks; Researcher: johska
Interactions – Create Interactive Experiences in the Block Editor <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4); CVE-ID: CVE-2025-12709; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Interactions – Create Interactive Experiences in the Block Editor; Researchers: Athiwat Tiprasaharn (Jitlada), Peerapat Samatathanyakorn
Nova Blocks <= 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4); CVE-ID: CVE-2026-24528; Patch status: Unpatched; Published: Jan 26, 2026
  Affected software: Nova Blocks by Pixelgrade; Researcher: theviper17
Passster – Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  CVSS: Medium (6.4); CVE-ID: CVE-2025-14865; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Passster – Password Protect Pages and Content; Researcher: Muhammad Yudha - DJ
Simple Folio <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Client name' and 'Link' Meta Fields
  CVSS: Medium (6.4); CVE-ID: CVE-2025-14039; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Simple Folio; Researcher: Athiwat Tiprasaharn (Jitlada)
Target Video Easy Publish <= 3.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder_img Parameter
  CVSS: Medium (6.4); CVE-ID: CVE-2025-8072; Patch status: Patched; Published: Jan 27, 2026
  Affected software: Target Video Easy Publish; Researcher: Peter Thaleikis
WPBITS Addons For Elementor <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4); CVE-ID: CVE-2025-9082; Patch status: Patched; Published: Jan 27, 2026
  Affected software: WPBITS Addons For Elementor Page Builder; Researcher: zer0gh0st
Aardvark <= 4.6.3 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-69296; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Aardvark - Community, Membership, BuddyPress Theme; Researcher: João Pedro S Alcântara (Kinorth)
Asynchronous Javascript <= 1.3.5 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68846; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Asynchronous Javascript; Researcher: Skalucy
DesignThemes Core Features <= 2.3 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-69302; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: DesignThemes Core Features; Researcher: Phat RiO
eDS Responsive Menu <= 1.2 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68845; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: eDS Responsive Menu; Researcher: Skalucy
FeedWordPress Advanced Filters <= 0.6.2 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68843; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: FeedWordPress Advanced Filters; Researcher: Skalucy
ID Arrays <= 2.1.2 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68854; Patch status: Unpatched; Published: Jan 29, 2026
  Affected software: ID Arrays; Researcher: Skalucy
iSape <= 0.72 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68847; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: iSape; Researcher: Skalucy
Mopinion Feedback Form <= 1.1.1 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68856; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Mopinion Feedback Form; Researcher: Skalucy
SEO Links Interlinking <= 1.7.5 - Reflected Cross-Site Scripting via 'google_error' Parameter
  CVSS: Medium (6.1); CVE-ID: CVE-2025-14063; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: SEO Links Interlinking; Researcher: johska
Simple Archive Generator <= 5.2 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68880; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Simple Archive Generator; Researcher: Abdulsamad Yusuf (0xVenus)
Slimstat Analytics <= 5.3.2 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-69323; Patch status: Patched; Published: Jan 27, 2026
  Affected software: SlimStat Analytics; Researcher: Drew Webber (mcdruid)
Widget Logic Visual <= 1.52 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68842; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Widget Logic Visual; Researcher: Skalucy
WPJobster <= 6.3.5 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2026-22339; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: Jobster; Researcher: 0xd4rk5id3
افزونه پیامک حرفه ای فراز اس ام اس <= 2.7.3 - Reflected Cross-Site Scripting
  CVSS: Medium (6.1); CVE-ID: CVE-2025-68031; Patch status: Unpatched; Published: Jan 27, 2026
  Affected software: افزونه پیامک حرفه ای فراز اس ام اس (farazsms); Researcher: Skalucy
Aardvark <= 2.19 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69297
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Aardvark
Researcher
João Pedro S Alcântara (Kinorth)
More Details >
AhaChat Messenger Marketing <= 1.1 - Authentication Bypass
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68895
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
AhaChat Messenger Marketing
Researcher
Rapid0nion
More Details >
Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-15525
Patch Status
Patched
Published
Jan 30, 2026
Affected Software
Ajax Load More – Infinite Scroll, Load More, & Lazy Load
Researcher
shark3y
More Details >
Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1431
Patch Status
Patched
Published
Jan 30, 2026
Affected Software
Booking Calendar
Researcher
type5afe
More Details >
CLP Varnish Cache <= 1.0.2 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24525
Patch Status
Unpatched
Published
Jan 26, 2026
Affected Software
CLP Varnish Cache
Researcher
Nabil Irawan
More Details >
ConveyThis <= 269.1 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68021
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Translate WordPress Websites Globally with ConveyThis Translate
Researcher
NumeX
More Details >
Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-0825
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Database for Contact Form 7, WPforms, Elementor forms
Researcher
Teerachai Somprasong
More Details >
Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1389
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Document Embedder – Embed PDFs, Word, Excel, and Other Files
Researcher
Itthidej Aramsri (Boeing777)
More Details >
Easy Replace Image <= 3.5.2 - Missing Authorization to Authenticated (Contributor+) Arbitrary Attachment Replacement
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1298
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Easy Replace Image
Researcher
Nabil Irawan
More Details >
EventPrime <= 4.2.8.0 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24380
Patch Status
Patched
Published
Jan 28, 2026
Affected Software
EventPrime – Events Calendar, Bookings and Tickets
Researcher
Bao - BlueRock
More Details >
FullCalendar <= 1.6 - Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24523
Patch Status
Unpatched
Published
Jan 26, 2026
Affected Software
WP FullCalendar
Researcher
Nabil Irawan
More Details >
Gauge <= 6.56.4 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69298
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Gauge: Multi-Purpose Review Theme
Researcher
João Pedro S Alcântara (Kinorth)
More Details >
HAPPY <= 1.0.8 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67977
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
HAPPY – Helpdesk Support Ticket System
Researcher
Phat RiO
More Details >
JobBoard Job listing <= 1.2.8 - Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68855
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
JobBoard Job listing plugin
Researcher
Myungju Kim
More Details >
Konte <= 2.4.6 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67547
Patch Status
Patched
Published
Jan 29, 2026
Affected Software
Konte - Minimal & Modern WooCommerce Theme
Researcher
Phat RiO
More Details >
Leadpages <= 1.1.3 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68050
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Leadpages
Researcher
NumeX
More Details >
Link Invoice Payment for WooCommerce <= 2.8.0 - Missing Authorization to Unauthenticated Arbitrary Partial Payment Creation/Cancellation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14971
Patch Status
Patched
Published
Jan 26, 2026
Affected Software
Link Invoice Payment for WooCommerce
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
ModelTheme Framework <= 1.9.2 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69303
Patch Status
Unpatched
Published
Jan 28, 2026
Affected Software
ModelTheme Framework
Researcher
Phat RiO
More Details >
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-15510
Patch Status
Patched
Published
Jan 30, 2026
Affected Software
NEX-Forms – Ultimate Forms Plugin for WordPress
Researcher
Deadbee
More Details >
NextMove Lite <= 2.23.0 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68048
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
NextMove Lite – Thank You Page for WooCommerce
Researcher
NumeX
More Details >
Quick Restaurant Reservations <= 1.6.7 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24529
Patch Status
Unpatched
Published
Jan 26, 2026
Affected Software
Quick Restaurant Reservations
Researcher
Legion Hunter
More Details >
RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1054
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-15511
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Rupantorpay
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
More Details >
Schedula <= 1.0 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67970
Patch Status
Patched
Published
Jan 26, 2026
Affected Software
Schedula – Smart Appointment Booking
Researcher
Ty5ona
More Details >
Sendy <= 3.4.1 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68564
Patch Status
Unpatched
Published
Jan 28, 2026
Affected Software
Sendy
Researcher
Legion Hunter
More Details >
Simple calendar for Elementor <= 1.6.6 - Missing Authorization to Unauthenticated Arbitrary Calendar Entry Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1310
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Simple calendar for Elementor
Researcher
Nabil Irawan
More Details >
Sunshine Photo Cart <= 3.5.6.2 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67973
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Researcher
Legion Hunter
More Details >
The Grid < 2.8.0 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24368
Patch Status
Patched
Published
Jan 29, 2026
Affected Software
The Grid
Researcher
Phat RiO
More Details >
Vzaar Media Management <= 1.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1391
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Vzaar Media Management
Researcher
Abdulsamad Yusuf (0xVenus)
More Details >
WebP Conversion <= 2.1 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24530
Patch Status
Unpatched
Published
Jan 26, 2026
Affected Software
WebP Conversion
Researcher
Legion Hunter
More Details >
WP Adminify <= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1060
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer
Researcher
ibrahimsql
More Details >
WPLegalPages <= 3.5.4 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67974
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Researcher
NumeX
More Details >
Appointment Hour Booking – Booking Calendar <= 1.5.60 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1083
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Appointment Hour Booking – Booking Calendar
Researcher
ALockWooD
More Details >
Ivory Search <= 5.5.13 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_gcse' and 'nothing_found_text' Parameters
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1053
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Ivory Search – WordPress Search Plugin
Researcher
JongHwan Shin (zzzsleep)
More Details >
Order Minimum/Maximum Amount Limits for WooCommerce <= 4.6.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1381
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Order Minimum/Maximum Amount Limits for WooCommerce
Researcher
whizzu
More Details >
WP Google Ad Manager Plugin <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1399
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
WP Google Ad Manager Plugin
Researcher
Abdualrhman Muzamil
More Details >
aDirectory <= 3.0.3 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-67975
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
aDirectory – WP Business Directory Plugin and Classified Ads Listings Directory
Researcher
daroo
More Details >
Bitcoin Donate Button <= 1.0 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1380
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Bitcoin Donate Button
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
Change WP URL <= 1.0 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1398
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Change WP URL
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
Directorist <= 8.5.8 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68069
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Researcher
daroo
More Details >
Easy Hotel Booking <= 1.8.4 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68005
Patch Status
Unpatched
Published
Jan 29, 2026
Affected Software
Easy Hotel Booking – Powerful Hotel Booking
Researcher
daroo
More Details >
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68837
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
benzdeus
More Details >
Enter Addons <= 2.3.2 - Cross-Site Request Forgery
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-25014
Patch Status
Patched
Published
Jan 28, 2026
Affected Software
Enter Addons – Ultimate Template Builder for Elementor
Researcher
Nabil Irawan
More Details >
imwptip <= 1.1 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1377
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
imwptip
Researcher
afnaan
More Details >
Kama Thumbnail <= 3.5.1 - Cross-Site Request Forgery
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24521
Patch Status
Unpatched
Published
Jan 26, 2026
Affected Software
Kama Thumbnail
Researcher
Nabil Irawan
More Details >
Nelio Popups <= 1.3.5 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-25016
Patch Status
Patched
Published
Jan 29, 2026
Affected Software
Nelio Popups
Researcher
Athiwat Tiprasaharn (Jitlada)
More Details >
Nexter Blocks <= 4.6.3 - Authenticated (Subscriber+) Information Exposure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24377
Patch Status
Patched
Published
Jan 26, 2026
Affected Software
Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates
Researcher
Nabil Irawan
More Details >
Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1165
Patch Status
Patched
Published
Jan 30, 2026
Affected Software
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Researcher
w41bu1
More Details >
Recipe Maker <= 10.2.4 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24357
Patch Status
Patched
Published
Jan 28, 2026
Affected Software
WP Recipe Maker
Researcher
daroo
More Details >
Recooty <= 1.0.6 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14616
Patch Status
Unpatched
Published
Jan 27, 2026
Affected Software
Recooty – Job Widget (Old Dashboard)
Researcher
omer yeshayahu
More Details >
Shiprocket <= 2.0.8 - Authenticated (Subscriber+) Insecure Direct Object Reference
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68051
Patch Status
Unpatched
Published
Jan 29, 2026
Affected Software
Shiprocket
Researcher
NumeX
More Details >
Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14795
Patch Status
Patched
Published
Jan 27, 2026
Affected Software
Stop Spammers Classic
Researcher
JoanClarke2
More Details >
Subscribe <= 1.2.16 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24522
Patch Status
Unpatched
Published
Jan 26, 2026
Affected Software
WP Subscribe
Researcher
Nabil Irawan
More Details >
Tablesome <= 1.2.2 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24524
Patch Status
Unpatched
Published
Jan 26, 2026
Affected Software
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Researcher
Nabil Irawan
More Details >
Travelpayouts <= 1.2.1 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68042
Patch Status
Unpatched
Published
Jan 29, 2026
Affected Software
Travelpayouts
Researcher
daroo
More Details >
UsersWP <= 1.2.53 - Cross-Site Request Forgery
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-25015
Patch Status
Patched
Published
Jan 28, 2026
Affected Software
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Researcher
Tristan Jay Neale
More Details >
As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
The database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions from external researchers via our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 26, 2026 to February 1, 2026) appeared first on Wordfence.
Quelle: www.wordfence.com