Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last week, there were 121 vulnerabilities disclosed in 100 WordPress Plugins and 10 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 52 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back. Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. New Firewall Rules Deployed Last Week The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WAF-RULE-893 – Data redacted while we work with the vendor on a patch. Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay. Total Unpatched & Patched Vulnerabilities Last Week Patch Status Number of Vulnerabilities Patched 74 Unpatched 47 Total Vulnerabilities by CVSS Severity Last Week Severity Rating Number of Vulnerabilities Medium Severity 86 High Severity 31 Critical Severity 4 Total Vulnerabilities by CWE Type Last Week Vulnerability Type by CWE Number of Vulnerabilities Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 43 Missing Authorization 29 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 11 Authorization Bypass Through User-Controlled Key 5 Cross-Site Request Forgery (CSRF) 5 Exposure of Sensitive Information to an Unauthorized Actor 5 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 5 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 5 Unrestricted Upload of File with Dangerous Type 3 Deserialization of Untrusted Data 2 Improper Privilege Management 2 Server-Side Request Forgery (SSRF) 2 Improper Control of Generation of Code ('Code Injection') 1 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 1 Incorrect Privilege Assignment 1 Initialization of a Resource with an Insecure Default 1 Researchers That Contributed to WordPress Security Last Week Researcher Name Number of Vulnerabilities Athiwat Tiprasaharn (Jitlada) 11 João Pedro S Alcântara (Kinorth) 11 Legion Hunter 10 Skalucy 9 Phat RiO 5 0x34rth 5 Muhammad Yudha - DJ 4 NumeX 4 Itthidej Aramsri (Boeing777) 4 zaim 3 Abdulsamad Yusuf (0xVenus) 3 Md. Moniruzzaman Prodhan (NomanProdhan) 3 andrea bocchetti 3 zakaria 3 Supakiad S. (m3ez) 3 Ivan Cese 3 johska 2 w41bu1 2 Tharadol Suksamran (d3kc4rt_1) 2 benzdeus 2 Teerachai Somprasong 2 knani alaaeddine (iwd) 2 Williwollo (CybrX) 2 0N0ise 1 Gilang - DJ 1 Vincent Theriault-Laine 1 Hector Flores 1 lucsob 1 Trương Hữu Phúc (truonghuuphuc) 1 theviper17y 1 blue0x1 1 Denver Jackson 1 Nguyen Ba Khanh 1 zer0gh0st 1 type5afe 1 Tarcísio Luchesi De Almeida Silva (Poystick) 1 Jarno Vos (jarnovos) 1 ISMAILSHADOW 1 Varakorn Chanthasri (iCreaM) 1 Sopon Tangpathum (SoNaJaa) 1 dragonzenai 1 Jonas Benjamin Friedli 1 Muhammad Nur Ibnu Hubab (Ibnu) 1 afnaan 1 PPzzAArr 1 YC_Infosec 1 Pouria Shahba (p0or1ya) 1 Kazuma Matsumoto 1 Muhammad Rohan Khan 1 Tran Nguyen Bao Khanh 1 whizzu 1 Sarawut Poolkhet (MisterHelloz) 1 Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report. WordPress Plugins with Reported Vulnerabilities Last Week Software Name Software Slug Addonify Floating Cart For WooCommerce addonify-floating-cart Addonify – Compare Products For WooCommerce addonify-compare-products Addonify – WooCommerce Wishlist addonify-wishlist Advanced Country Blocker advanced-country-blocker All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink image-viewer All push notification for WP all-push-notification Authorsy – Author Box, Multiple Authors, Guest Authors & Post Rating authorsy AWCA – The Great Analytics Insights for Your eStore advance-wc-analytics Bold Page Builder bold-page-builder Chapa Payment Gateway Plugin for WooCommerce chapa-payment-gateway-for-woocommerce Checkout Gateway for IRIS checkout-gateway-iris Code Explorer code-explorer Code Snippets code-snippets Connector Wizard (formerly LC Wizard) ghl-wizard Contact Manager contact-manager Court Reservation – Manage Your Court Bookings Online court-reservation Docus – YouTube Video Playlist docus Dynamic Widget Content dynamic-widget-content Eleblog – Elementor Blog And Magazine Addons ele-blog ElementInvader Addons for Elementor elementinvader-addons-for-elementor ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system Employee Directory – Staff Directory and Listing employee-staff-directory Essential Widgets essential-widgets Events Listing Widget events-listing-widget Export Media URLs export-media-urls Extended Random Number Generator extended-random-number-generator Fluent Forms Pro Add On Pack fluentformpro Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker Fortis for WooCommerce fortis-for-woocommerce GA4WP – Analytics Dashboard for the Website ga-for-wp GMap Targeting – Simple Targeting Inside Google Maps gmap-targeting Greenshift – animation and page builder blocks greenshift-animation-and-page-builder-blocks GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) gsheetconnector-wpforms Happy Addons for Elementor happy-elementor-addons iContact for Gravity Forms gravity-forms-icontact Infility Global infility-global JAY Login & Register jay-login-register LatePoint – Calendar Booking Plugin for Appointments and Events latepoint Library Viewer library-viewer LottieFiles lottiefiles Magic Import Document Extractor magic-import-document-extractor Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more mail-mint Menu Icons by ThemeIsle menu-icons Modula Image Gallery – Photo Grid & Video Gallery modula-best-grid-gallery MP-Ukagaka mp-ukagaka myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. mycred MyRewards – Loyalty Points and Rewards for WooCommerce – Reward orders, referrals, product reviews and more woorewards NEX-Forms – Ultimate Forms Plugin for WordPress nex-forms-express-wp-form-builder NPS computy nps-computy OAuth Single Sign On – SSO (OAuth Client) miniorange-login-with-eve-online-google-facebook Okay Toolkit okay-toolkit OMIGO omigo Optimize More! – Images optimize-more-images Orange Comfort+ accessibility toolbar for WordPress orange-confort-plus OS DataHub Maps os-datahub-maps Peter’s Date Countdown peters-date-countdown Plugin BlueX for WooCommerce bluex-for-woocommerce Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers popup-builder-block Portfolio Builder - Elementor Portfolio Addon swp-portfolio Premmerce premmerce Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes Product Filter for WooCommerce prdctfltr ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities Reflector reflector-plugins Robin Image Optimizer – Unlimited Image Optimization & WebP Converter robin-image-optimizer Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker SEO Flow by LupsOnline lupsonline-link-netwerk ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF shortpixel-image-optimiser SIBS woocommerce payment gateway sibs-woocommerce Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD sigmize Simple Bible Verse via Shortcode simple-bible-verse-via-shortcode Smart Appointment & Booking smart-appointment-booking Spectra Gutenberg Blocks – Website Builder for the Block Editor ultimate-addons-for-gutenberg SportsPress – Sports Club & League Manager sportspress Subitem AL Slider subitem-al-slider Subscribe2 – Form, Email Subscribers & Newsletters subscribe2 Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet The Bucketlister the-bucketlister The Events Calendar Shortcode & Block the-events-calendar-shortcode ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin thirstyaffiliates Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) timeline-block-block TITLE ANIMATOR title-animator TopperPack – Complete Elementor Addons, Theme & CPT Builder topper-pack Tune Library tune-library Tutor LMS – eLearning and online course solution tutor Unlimited Elements For Elementor unlimited-elements-for-elementor Video Onclick video-onclick WaveSurfer-WP wavesurfer-wp WebPurify Profanity Filter webpurifytextreplace Wikiloops Track Player wikiloops-track-player Wonka Slide wonka-slide Woo File Dropzone woo-file-dropzone WordPress User Extra Fields wp-user-extra-fields WP Content Permission wp-content-permission WP Duplicate – WordPress Migration Plugin local-sync WP FOFT Loader wp-foft-loader WP Job Portal – AI-Powered Recruitment System for Company or Job Board website wp-job-portal WP ULike – Like & Dislike Buttons for Engagement and Feedback wp-ulike Xendit Payment woo-xendit-virtual-accounts Yoast SEO – Advanced SEO with real-time guidance and built-in AI wordpress-seo WordPress Themes with Reported Vulnerabilities Last Week Software Name Software Slug Besa - Elementor Marketplace WooCommerce Theme besa CozyStay - Hotel Booking WordPress Theme cozystay Golo - City Travel Guide WordPress Theme golo Grand Conference | Event WordPress grandconference Hara - Beauty and Cosmetics Shop WooCommerce Theme hara PhotoMe | Photography Portfolio WordPress photome SevenHills - Hiking Summer Camp Children PSD Template sevenhills unicamp unicamp Urna - All-in-one WooCommerce WordPress Theme urna VidoRev - Video WordPress Theme vidorev Vulnerability Details Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize. JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-15027 Patch Status Patched Published Feb 7, 2026 Affected Software JAY Login & Register Researcher andrea bocchetti More Details > LottieFiles <= 3.0.0 - Missing Authorization 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-68043 Patch Status Patched Published Feb 5, 2026 Affected Software LottieFiles Researcher NumeX More Details > User Extra Fields <= 17.0 - Unauthenticated Arbitrary File Deletion 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-69376 Patch Status Unpatched Published Feb 5, 2026 Affected Software WordPress User Extra Fields Researcher Phat RiO More Details > WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2026-1499 Patch Status Patched Published Feb 5, 2026 Affected Software WP Duplicate – WordPress Migration Plugin Researcher Athiwat Tiprasaharn (Jitlada) More Details > JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajax_update_profile 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-15100 Patch Status Patched Published Feb 7, 2026 Affected Software JAY Login & Register Researcher Sarawut Poolkhet (MisterHelloz) More Details > OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload 8.8 CVSS Rating High (8.8) CVE-ID CVE-2026-1730 Patch Status Patched Published Feb 2, 2026 Affected Software OS DataHub Maps Researcher Williwollo (CybrX) More Details > SportsPress <= 2.7.26 - Authenticated (Contributor+) Local File Inclusion via Shortcode 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-15368 Patch Status Patched Published Feb 3, 2026 Affected Software SportsPress – Sports Club & League Manager Researcher Muhammad Yudha - DJ More Details > WP FOFT Loader <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload 8.8 CVSS Rating High (8.8) CVE-ID CVE-2026-1756 Patch Status Patched Published Feb 3, 2026 Affected Software WP FOFT Loader Researcher Williwollo (CybrX) More Details > WPForms Google Sheet Connector <= 4.0.1 - Authenticated (Subscriber+) Remote Code Execution 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-67979 Patch Status Patched Published Feb 4, 2026 Affected Software GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) Researcher Denver Jackson More Details > Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints 8.2 CVSS Rating High (8.2) CVE-ID CVE-2025-13192 Patch Status Patched Published Feb 4, 2026 Affected Software Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Researcher YC_Infosec More Details > Besa <= 2.3.15 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67981 Patch Status Patched Published Feb 4, 2026 Affected Software Besa - Elementor Marketplace WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Contact Manager <= 9.1 - Unauthenticated PHP Object Injection 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-68853 Patch Status Unpatched Published Feb 4, 2026 Affected Software Contact Manager Researcher Skalucy More Details > CozyStay < 1.9.1 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67988 Patch Status Patched Published Feb 5, 2026 Affected Software CozyStay - Hotel Booking WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Eleblog – Elementor Blog And Magazine Addons <= 2.0.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-69374 Patch Status Unpatched Published Feb 5, 2026 Affected Software Eleblog – Elementor Blog And Magazine Addons Researcher Phat RiO More Details > Hara <= 1.2.17 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67980 Patch Status Patched Published Feb 4, 2026 Affected Software Hara - Beauty and Cosmetics Shop WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Portfolio Builder <= 1.2.5 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-69375 Patch Status Unpatched Published Feb 5, 2026 Affected Software Portfolio Builder - Elementor Portfolio Addon Researcher Phat RiO More Details > SevenHills <= 1.6.2 - Unauthenticated PHP Object Injection 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-69372 Patch Status Unpatched Published Feb 3, 2026 Affected Software SevenHills - Hiking Summer Camp Children PSD Template Researcher Tran Nguyen Bao Khanh More Details > TopperPack – Complete Elementor Addons, Theme & CPT Builder <= 1.2.1 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-68841 Patch Status Unpatched Published Feb 4, 2026 Affected Software TopperPack – Complete Elementor Addons, Theme & CPT Builder Researcher Skalucy More Details > Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2026-1375 Patch Status Patched Published Feb 2, 2026 Affected Software Tutor LMS – eLearning and online course solution Researchers Athiwat Tiprasaharn (Jitlada)Tharadol Suksamran (d3kc4rt_1) More Details > Urna <= 2.5.12 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-67982 Patch Status Patched Published Feb 4, 2026 Affected Software Urna - All-in-one WooCommerce WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > User Extra Fields <= 17.0 - Authenticated (Subscriber+) Arbitrary File Deletion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-69377 Patch Status Unpatched Published Feb 5, 2026 Affected Software WordPress User Extra Fields Researcher Phat RiO More Details > VidoRev <= 2.9.9.9.9.9.7 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-69373 Patch Status Unpatched Published Feb 4, 2026 Affected Software VidoRev - Video WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Golo < 1.7.5 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2026-23975 Patch Status Patched Published Feb 5, 2026 Affected Software Golo - City Travel Guide WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Infility Global <= 2.14.46 - Unauthenticated SQL Injection via Predictable API Key and IP Whitelist Bypass 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-15268 Patch Status Unpatched Published Feb 3, 2026 Affected Software Infility Global Researcher andrea bocchetti More Details > SEO Flow by LupsOnline <= 2.2.1 - Unauthenticated Arbitrary Post/Category Modification 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-15285 Patch Status Unpatched Published Feb 3, 2026 Affected Software SEO Flow by LupsOnline Researcher Tarcísio Luchesi De Almeida Silva (Poystick) More Details > Unicamp <= 2.7.1 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2026-25027 Patch Status Patched Published Feb 4, 2026 Affected Software unicamp Researcher João Pedro S Alcântara (Kinorth) More Details > All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint 7.2 CVSS Rating High (7.2) CVE-ID CVE-2026-1294 Patch Status Patched Published Feb 4, 2026 Affected Software All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)Varakorn Chanthasri (iCreaM)Sopon Tangpathum (SoNaJaa) More Details > Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file 7.2 CVSS Rating High (7.2) CVE-ID CVE-2026-1065 Patch Status Patched Published Feb 2, 2026 Affected Software Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Researcher Supakiad S. (m3ez) More Details > GMap Targeting <= 1.1.7 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-67990 Patch Status Patched Published Feb 5, 2026 Affected Software GMap Targeting – Simple Targeting Inside Google Maps Researcher Skalucy More Details > LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2026-0617 Patch Status Patched Published Feb 2, 2026 Affected Software LatePoint – Calendar Booking Plugin for Appointments and Events Researcher w41bu1 More Details > NEX-Forms <= 9.1.7 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-69324 Patch Status Patched Published Feb 4, 2026 Affected Software NEX-Forms – Ultimate Forms Plugin for WordPress Researcher Jarno Vos (jarnovos) More Details > NPS computy <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-67984 Patch Status Patched Published Feb 4, 2026 Affected Software NPS computy Researcher Skalucy More Details > PhotoMe <= 5.7.1 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2026-24949 Patch Status Patched Published Feb 3, 2026 Affected Software PhotoMe | Photography Portfolio WordPress Researcher João Pedro S Alcântara (Kinorth) More Details > Product Filter for WooCommerce <= 9.1.2 - Authenticated (Shop Manager+) Privilege Escalation 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-69378 Patch Status Unpatched Published Feb 5, 2026 Affected Software Product Filter for WooCommerce Researcher Phat RiO More Details > Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field 7.1 CVSS Rating High (7.1) CVE-ID CVE-2026-1058 Patch Status Patched Published Feb 2, 2026 Affected Software Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Researcher Supakiad S. (m3ez) More Details > MyRewards – Loyalty Points and Rewards for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Loyalty Rule Modification 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-15260 Patch Status Unpatched Published Feb 3, 2026 Affected Software MyRewards – Loyalty Points and Rewards for WooCommerce – Reward orders, referrals, product reviews and more Researcher Tharadol Suksamran (d3kc4rt_1) More Details > The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-15477 Patch Status Unpatched Published Feb 6, 2026 Affected Software The Bucketlister Researcher Ivan Cese More Details > WebPurify Profanity Filter <= 4.0.2 - Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2026-0572 Patch Status Unpatched Published Feb 3, 2026 Affected Software WebPurify Profanity Filter Researcher 0x34rth More Details > Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12803 Patch Status Unpatched Published Feb 6, 2026 Affected Software Bold Page Builder Researcher Muhammad Yudha - DJ More Details > Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12159 Patch Status Unpatched Published Feb 6, 2026 Affected Software Bold Page Builder Researcher Athiwat Tiprasaharn (Jitlada) More Details > Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post Grid 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13463 Patch Status Unpatched Published Feb 6, 2026 Affected Software Bold Page Builder Researcher Athiwat Tiprasaharn (Jitlada) More Details > Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-15267 Patch Status Unpatched Published Feb 6, 2026 Affected Software Bold Page Builder Researcher theviper17y More Details > Docus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1888 Patch Status Patched Published Feb 5, 2026 Affected Software Docus – YouTube Video Playlist Researcher Gilang - DJ More Details > Dynamic Widget Content <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1268 Patch Status Patched Published Feb 4, 2026 Affected Software Dynamic Widget Content Researcher Athiwat Tiprasaharn (Jitlada) More Details > Employee Directory <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_title' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1279 Patch Status Patched Published Feb 5, 2026 Affected Software Employee Directory – Staff Directory and Listing Researcher zaim More Details > Essential Widgets <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-0867 Patch Status Patched Published Feb 4, 2026 Affected Software Essential Widgets Researcher Muhammad Yudha - DJ More Details > Events Listing Widget <= 1.3.4 - Authenticated (Author+) Stored Cross-Site Scripting via Event URL Field 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1252 Patch Status Patched Published Feb 5, 2026 Affected Software Events Listing Widget Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777) More Details > Happy Addons for Elementor <= 3.20.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_elementor_data' Meta Field 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1210 Patch Status Patched Published Feb 2, 2026 Affected Software Happy Addons for Elementor Researcher knani alaaeddine (iwd) More Details > Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1755 Patch Status Patched Published Feb 3, 2026 Affected Software Menu Icons by ThemeIsle Researcher lucsob More Details > Modula Image Gallery <= 2.13.4 - Authenticated (Author+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-23976 Patch Status Patched Published Feb 4, 2026 Affected Software Modula Image Gallery – Photo Grid & Video Gallery Researcher johska More Details > OMIGO <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1573 Patch Status Unpatched Published Feb 6, 2026 Affected Software OMIGO Researcher zaim More Details > Orange Confort+ accessibility toolbar for WordPress <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1808 Patch Status Patched Published Feb 5, 2026 Affected Software Orange Comfort+ accessibility toolbar for WordPress Researcher Muhammad Yudha - DJ More Details > Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard_actions' AJAX Endpoint 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-0555 Patch Status Unpatched Published Feb 6, 2026 Affected Software Premmerce Researcher Athiwat Tiprasaharn (Jitlada) More Details > Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1319 Patch Status Patched Published Feb 4, 2026 Affected Software Robin Image Optimizer – Unlimited Image Optimization & WebP Converter Researcher Vincent Theriault-Laine More Details > Simple Bible Verse via Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1570 Patch Status Unpatched Published Feb 6, 2026 Affected Software Simple Bible Verse via Shortcode Researcher zaim More Details > Smart Appointment & Booking <= 1.0.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via saab_save_form_data AJAX Action 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-0742 Patch Status Patched Published Feb 3, 2026 Affected Software Smart Appointment & Booking Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777) More Details > The Events Calendar Shortcode & Block <= 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-24988 Patch Status Patched Published Feb 4, 2026 Affected Software The Events Calendar Shortcode & Block Researcher PPzzAArr More Details > Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1401 Patch Status Patched Published Feb 5, 2026 Affected Software Tune Library Researcher Athiwat Tiprasaharn (Jitlada) More Details > Video Onclick <= 0.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1608 Patch Status Unpatched Published Feb 6, 2026 Affected Software Video Onclick Researcher zakaria More Details > WaveSurfer-WP <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1909 Patch Status Patched Published Feb 5, 2026 Affected Software WaveSurfer-WP Researcher Ivan Cese More Details > Wikiloops Track Player <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1611 Patch Status Unpatched Published Feb 6, 2026 Affected Software Wikiloops Track Player Researcher zakaria More Details > Wonka Slide <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1613 Patch Status Unpatched Published Feb 6, 2026 Affected Software Wonka Slide Researcher zakaria More Details > Yoast SEO <= 26.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'yoast-schema' Block Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2026-1293 Patch Status Patched Published Feb 5, 2026 Affected Software Yoast SEO – Advanced SEO with real-time guidance and built-in AI Researcher dragonzenai More Details > Court Reservation <= 1.10.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-68852 Patch Status Unpatched Published Feb 5, 2026 Affected Software Court Reservation – Manage Your Court Bookings Online Researcher Skalucy More Details > Export Media URLs <= 2.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-68037 Patch Status Patched Published Feb 4, 2026 Affected Software Export Media URLs Researcher Skalucy More Details > Grand Conference <= 5.3.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2026-24943 Patch Status Patched Published Feb 3, 2026 Affected Software Grand Conference | Event WordPress Researcher João Pedro S Alcântara (Kinorth) More Details > iContact for Gravity Forms <= 1.3.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-68863 Patch Status Unpatched Published Feb 5, 2026 Affected Software iContact for Gravity Forms Researcher Skalucy More Details > Library Viewer < 3.2.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-15396 Patch Status Patched Published Feb 6, 2026 Affected Software Library Viewer Researcher Muhammad Rohan Khan More Details > MP-Ukagaka <= 1.5.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2026-1643 Patch Status Unpatched Published Feb 6, 2026 Affected Software MP-Ukagaka Researcher Abdulsamad Yusuf (0xVenus) More Details > Okay Toolkit <= 2.3 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-68851 Patch Status Unpatched Published Feb 5, 2026 Affected Software Okay Toolkit Researcher Skalucy More Details > Peter's Date Countdown <= 2.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2026-1654 Patch Status Patched Published Feb 4, 2026 Affected Software Peter’s Date Countdown Researcher Abdulsamad Yusuf (0xVenus) More Details > Reflector <= 1.2.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2026-24948 Patch Status Patched Published Feb 3, 2026 Affected Software Reflector Researcher João Pedro S Alcântara (Kinorth) More Details > Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2026-1634 Patch Status Unpatched Published Feb 6, 2026 Affected Software Subitem AL Slider Researcher Abdulsamad Yusuf (0xVenus) More Details > Fluent Forms Pro Add On Pack <= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource' 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2026-0632 Patch Status Patched Published Feb 8, 2026 Affected Software Fluent Forms Pro Add On Pack Researcher andrea bocchetti More Details > Mail Mint <= 1.19.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2026-1447 Patch Status Patched Published Feb 2, 2026 Affected Software Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more Researcher w41bu1 More Details > Unlimited Elements for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-14274 Patch Status Patched Published Feb 2, 2026 Affected Software Unlimited Elements For Elementor Researcher zer0gh0st More Details > Addonify – Compare Products For WooCommerce <= 1.1.17 - Missing Authorization to Unauthenticated Settings Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68023 Patch Status Unpatched Published Feb 4, 2026 Affected Software Addonify – Compare Products For WooCommerce Researcher Legion Hunter More Details > Addonify – WooCommerce Wishlist <= 2.0.15 - Missing Authorization to Unauthenticated Settings Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68024 Patch Status Unpatched Published Feb 4, 2026 Affected Software Addonify – WooCommerce Wishlist Researcher Legion Hunter More Details > Addonify Floating Cart For WooCommerce <= 1.2.17 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68025 Patch Status Unpatched Published Feb 5, 2026 Affected Software Addonify Floating Cart For WooCommerce Researcher Legion Hunter More Details > Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-1675 Patch Status Patched Published Feb 6, 2026 Affected Software Advanced Country Blocker Researcher Hector Flores More Details > Authorsy <= 1.0.6 - Unauthenticated Insecure Direct Object Reference 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-24950 Patch Status Patched Published Feb 3, 2026 Affected Software Authorsy – Author Box, Multiple Authors, Guest Authors & Post Rating Researcher NumeX More Details > Chapa Payment Gateway Plugin for WooCommerce <= 1.0.3 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-15482 Patch Status Unpatched Published Feb 3, 2026 Affected Software Chapa Payment Gateway Plugin for WooCommerce Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Checkout Gateway for IRIS <= 1.3 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68542 Patch Status Patched Published Feb 5, 2026 Affected Software Checkout Gateway for IRIS Researcher Legion Hunter More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14079 Patch Status Patched Published Feb 4, 2026 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Itthidej Aramsri (Boeing777) More Details > Fortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-0679 Patch Status Unpatched Published Feb 3, 2026 Affected Software Fortis for WooCommerce Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > GA4WP: Google Analytics for WordPress <= 2.10.0 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68028 Patch Status Unpatched Published Feb 5, 2026 Affected Software GA4WP – Analytics Dashboard for the Website Researcher Legion Hunter More Details > Golo < 1.7.5 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-23974 Patch Status Patched Published Feb 5, 2026 Affected Software Golo - City Travel Guide WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > LC Wizard <= 2.1.1 - Missing Authorization to Unauthenticated Settings Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68026 Patch Status Patched Published Feb 5, 2026 Affected Software Connector Wizard (formerly LC Wizard) Researcher Legion Hunter More Details > Magic Import Document Extractor <= 1.0.5 - Missing Authorization to Unauthenticated Plugin License Status Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-15507 Patch Status Patched Published Feb 3, 2026 Affected Software Magic Import Document Extractor Researcher Teerachai Somprasong More Details > Magic Import Document Extractor <= 1.0.6 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-15508 Patch Status Patched Published Feb 3, 2026 Affected Software Magic Import Document Extractor Researcher Teerachai Somprasong More Details > OAuth Single Sign On – SSO (OAuth Client) <= 6.26.14 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-10753 Patch Status Patched Published Feb 5, 2026 Affected Software OAuth Single Sign On – SSO (OAuth Client) Researcher Jonas Benjamin Friedli More Details > Optimize More! – Images <= 1.1.3 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67624 Patch Status Unpatched Published Feb 3, 2026 Affected Software Optimize More! – Images Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Plugin BlueX for WooCommerce <= 3.1.4 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68022 Patch Status Unpatched Published Feb 4, 2026 Affected Software Plugin BlueX for WooCommerce Researcher NumeX More Details > Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-24946 Patch Status Patched Published Feb 3, 2026 Affected Software Print Invoice & Delivery Notes for WooCommerce Researcher Legion Hunter More Details > ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-1271 Patch Status Patched Published Feb 4, 2026 Affected Software ProfileGrid – User Profiles, Groups and Communities Researcher knani alaaeddine (iwd) More Details > Run Contests, Raffles, and Giveaways with ContestsWP <= 2.0.7 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-25023 Patch Status Patched Published Feb 2, 2026 Affected Software Run Contests, Raffles, and Giveaways with ContestsWP Researcher Legion Hunter More Details > Spectra Gutenberg Blocks <= 2.19.17 - Unauthenticated Information Disclosure in Sensitive Data 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-0950 Patch Status Patched Published Feb 2, 2026 Affected Software Spectra Gutenberg Blocks – Website Builder for the Block Editor Researcher johska More Details > Subscribe2 <= 10.44 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-24944 Patch Status Patched Published Feb 3, 2026 Affected Software Subscribe2 – Form, Email Subscribers & Newsletters Researcher blue0x1 More Details > Sync Master Sheet – Product Sync with Google Sheet for WooCommerce <= 1.1.3 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68834 Patch Status Patched Published Feb 4, 2026 Affected Software Sync Master Sheet – Product Sync with Google Sheet for WooCommerce Researcher NumeX More Details > Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-1371 Patch Status Patched Published Feb 2, 2026 Affected Software Tutor LMS – eLearning and online course solution Researcher Supakiad S. (m3ez) More Details > WP Job Portal <= 2.4.4 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-24941 Patch Status Patched Published Feb 3, 2026 Affected Software WP Job Portal – AI-Powered Recruitment System for Company or Job Board website Researcher benzdeus More Details > WP ULike <= 4.8.3.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2026-0909 Patch Status Patched Published Feb 2, 2026 Affected Software WP ULike – Like & Dislike Buttons for Engagement and Feedback Researcher Pouria Shahba (p0or1ya) More Details > Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14461 Patch Status Unpatched Published Feb 3, 2026 Affected Software Xendit Payment Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > All push notification for WP <= 1.5.3 - Authenticated (Administrator+) SQL Injection via 'delete_id' Parameter 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2026-0816 Patch Status Unpatched Published Feb 3, 2026 Affected Software All push notification for WP Researcher 0x34rth More Details > Code Explorer <= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via 'file' Parameter 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-15487 Patch Status Unpatched Published Feb 3, 2026 Affected Software Code Explorer Researcher 0x34rth More Details > ShortPixel Image Optimizer <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2026-1246 Patch Status Patched Published Feb 4, 2026 Affected Software ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF Researcher 0N0ise More Details > SIBS - WooCommerce <= 2.2.0 - Authenticated (Admin+) SQL Injection via 'referencedId' Parameter 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2026-1370 Patch Status Unpatched Published Feb 3, 2026 Affected Software SIBS woocommerce payment gateway Researcher whizzu More Details > Extended Random Number Generator <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2026-0681 Patch Status Unpatched Published Feb 3, 2026 Affected Software Extended Random Number Generator Researcher 0x34rth More Details > WP Content Permission <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ohmem-message' Parameter 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2026-0743 Patch Status Unpatched Published Feb 3, 2026 Affected Software WP Content Permission Researcher 0x34rth More Details > Advanced WC Analytics <= 3.19.0 - Missing Authorization to Unauthenticated Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68032 Patch Status Unpatched Published Feb 5, 2026 Affected Software AWCA – The Great Analytics Insights for Your eStore Researcher Legion Hunter More Details > Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-1785 Patch Status Patched Published Feb 5, 2026 Affected Software Code Snippets Researcher type5afe More Details > ElementInvader Addons for Elementor <= 1.4.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-25028 Patch Status Patched Published Feb 5, 2026 Affected Software ElementInvader Addons for Elementor Researcher Legion Hunter More Details > GreenShift - Animation and Page Builder Blocks <= 12.5.7 - Authenticated (Subscriber+) Information Disclosure of AI API Keys 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-1927 Patch Status Patched Published Feb 5, 2026 Affected Software Greenshift – animation and page builder blocks Researcher ISMAILSHADOW More Details > myCred <= 2.9.7.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-24951 Patch Status Patched Published Feb 6, 2026 Affected Software myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. Researcher benzdeus More Details > ProfileGrid – User Profiles, Groups and Communities <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13416 Patch Status Patched Published Feb 4, 2026 Affected Software ProfileGrid – User Profiles, Groups and Communities Researcher Athiwat Tiprasaharn (Jitlada) More Details > Sigmize <= 0.0.9 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-24962 Patch Status Patched Published Feb 7, 2026 Affected Software Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD Researcher Nguyen Ba Khanh More Details > The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-15476 Patch Status Unpatched Published Feb 6, 2026 Affected Software The Bucketlister Researcher Ivan Cese More Details > ThirstyAffiliates <= 3.11.9 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-25024 Patch Status Patched Published Feb 2, 2026 Affected Software ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Researcher Trương Hữu Phúc (truonghuuphuc) More Details > Timeline Block <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-1228 Patch Status Patched Published Feb 5, 2026 Affected Software Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) Researcher Kazuma Matsumoto More Details > TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2026-1082 Patch Status Unpatched Published Feb 6, 2026 Affected Software TITLE ANIMATOR Researcher afnaan More Details > Woo File Dropzone <= 1.1.7 - Authenticated (Subscriber+) Arbitrary File Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68862 Patch Status Unpatched Published Feb 5, 2026 Affected Software Woo File Dropzone Researcher Skalucy More Details > As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 2, 2026 to February 8, 2026) appeared first on Wordfence.