Critical RCE Vulnerability in WordPress Plugin "Lazy Blocks"
Author: Chloe Chamberland
⚠️ CVE references:
Summary
Security researchers discovered a critical vulnerability (CVE-2026-1560) in the WordPress plugin "Lazy Blocks" that allows attackers to execute arbitrary code. All versions up to and including 4.2.0 are affected. Users should update the plugin to the current version immediately.
Triple Threat Bug Bounty Challenge
Hunt High Threat vulnerabilities and earn triple the incentives!
Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our ‘High Threat Vulnerabilities’ list:
2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
+30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
$300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)
Use the Bounty Estimator to see what rewards are possible through the promotion. Submit through our Bug Bounty Program today to maximize your impact and your payout.
Last week, there were 174 vulnerabilities disclosed in 139 WordPress Plugins and 28 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 64 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone in the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission of securing WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report. As the world's leading provider of quality vulnerability data for WordPress, Wordfence has site owners' backs.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
WAF-RULE-894 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities
Patched | 85
Unpatched | 89
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities
Medium Severity | 108
High Severity | 60
Critical Severity | 6
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 62
Missing Authorization | 36
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 22
Deserialization of Untrusted Data | 12
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 6
Authorization Bypass Through User-Controlled Key | 5
Cross-Site Request Forgery (CSRF) | 5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 5
Improper Privilege Management | 4
Exposure of Sensitive Information to an Unauthorized Actor | 3
Server-Side Request Forgery (SSRF) | 3
Unrestricted Upload of File with Dangerous Type | 3
Improper Control of Generation of Code ('Code Injection') | 2
Missing Authentication for Critical Function | 2
Improper Input Validation | 1
Incorrect Authorization | 1
Insufficient Verification of Data Authenticity | 1
Reliance on Reverse DNS Resolution for a Security-Critical Action | 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities
Muhammad Yudha - DJ | 15
Tran Nguyen Bao Khanh | 15
Phat RiO | 12
Itthidej Aramsri (Boeing777) | 10
João Pedro S Alcântara (Kinorth) | 10
Athiwat Tiprasaharn (Jitlada) | 8
Skalucy | 8
Gilang - DJ | 8
0x34rth | 6
Legion Hunter | 5
Osvaldo Noe Gonzalez Del Rio (Os) | 4
Abdulsamad Yusuf (0xVenus) | 4
johska | 4
Bonds | 4
Denver Jackson | 3
Waris Damkham | 3
MD. TAREQ AHAMED JONY (itztrq) | 3
zakaria | 3
afnaan | 3
Nabil Irawan | 3
Lucas Montes (NiRoX) | 2
Kazuma Matsumoto | 2
daroo | 2
Nguyen Ngoc Duc (duc193) | 2
Phat RiO - BlueRock | 2
Webbernaut | 2
Md. Moniruzzaman Prodhan (NomanProdhan) | 2
Chiao-Lin Yu (Steven Meow) | 2
type5afe | 2
ZAST.AI | 2
Deadbee | 2
Jonas Benjamin Friedli | 1
s00me00ne | 1
Muqsith Barru | 1
Moose Love | 1
kr0d | 1
Stefan | 1
duy.thai | 1
lucsob | 1
NumeX | 1
Trương Hữu Phúc (truonghuuphuc) | 1
ifoundbug | 1
Teerachai Somprasong | 1
Teerachai S. | 1
Marcin Dudek (dudekmar) | 1
zaim | 1
Doan Dinh Van (DinhVan52) | 1
andrea bocchetti | 1
0xd4rk5id3 | 1
shark3y | 1
Nguyen Truong (Roll) | 1
Alyudin Nafiie | 1
Youssef Elouaer | 1
Dmitrii Ignatyev | 1
Jing Xuan Sun | 1
shivanandsnaidu | 1
Gibran Abdillah | 1
Powpy | 1
Peerapat Samatathanyakorn | 1
knani alaaeddine (iwd) | 1
benzdeus | 1
Paolo Tresso | 1
Unk9vvN | 1
theviper17y | 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard and mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug
Accordion and Accordion Slider | accordion-and-accordion-slider
Activity Log for WordPress | winterlock
Address Bar Ads | address-bar-ads
Allow HTML in Category Descriptions | allow-html-in-category-descriptions
AMP Enhancer – Compatibility Layer for Official AMP Plugin | amp-enhancer
Appointment Booking Calendar Plugin – Bookr | bookr
Beaver Builder Page Builder – Drag and Drop Website Builder | beaver-builder-lite-version
BFG Tools – Extension Zipper | bfg-tools-extension-zipper
BlueSnap Payment Gateway for WooCommerce | bluesnap-payment-gateway-for-woocommerce
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment | booking-and-rental-manager-for-woocommerce
Bravis Addons | bravis-addons
BuddyHolis ListSearch | listsearch
Business Template Blocks for WPBakery (Visual Composer) Page Builder | templates-and-addons-for-wpbakery-page-builder
CallbackKiller service widget | callbackkiller-service-widget
Category Image | category-image
Chatbot for WordPress by Collect.chat | collectchat
Citations tools | citations-tools
Cliengo – Chatbot | cliengo
Cnvrse | cnvrse
Converter for Media – Optimize images | Convert WebP & AVIF | webp-converter-for-media
Custom Block Builder – Lazy Blocks | lazy-blocks
Customer Reviews for WooCommerce | customer-reviews-woocommerce
Download Manager Addons for Elementor | wpdm-elementor
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder | easy-form-builder
Easy Voice Mail | easy-voice-mail
Ecwid by Lightspeed Ecommerce Shopping Cart | ecwid-shopping-cart
Element Pack Addons for Elementor | bdthemes-element-pack-lite
Essential Addons for Elementor – Popular Elementor Templates & Widgets | essential-addons-for-elementor-lite
FastDup – Fastest WordPress Migration & Duplicator | fastdup
Flexi Product Slider and Grid for WooCommerce | flexi-product-slider-grid
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform
Gallery by FooGallery | foogallery
Geo Widget | geowidget
HTML Shortcodes | html-shortcodes
IDE Micro code-editor | flask-micro
Image Gallery | new-image-gallery
iMoney | imoney
Invoct – PDF Invoices & Billing for WooCommerce | kirilkirkov-pdf-invoice-manager
iONE360 configurator | ione360-configurator
JetEngine | jet-engine
JS Help Desk – AI-Powered Support & Ticketing System | js-support-ticket
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | kadence-blocks
LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint
Link Hopper | link-hopper
Lucky Wheel Giveaway | wp-lucky-wheel
Magic Login Mail or QR Code | magic-login-mail
Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more | mail-mint
MailChimp Campaigns | olalaweb-mailchimp-campaign-manager
MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system
MDirector Newsletter WordPress Plugin | mdirector-newsletter
Media Library Folders | media-library-plus
Microtango | microtango
midi-Synth | midi-synth
Migration, Backup, Staging – WPvivid Backup & Migration | wpvivid-backuprestore
Miraculous Elementor | miraculous-el
MMA Call Tracking | mma-call-tracking
Modal Popup Box: A Flexible Pop Up Box Builder | modal-popup-box
Modula Image Gallery – Photo Grid & Video Gallery | modula-best-grid-gallery
Mollie Payments for WooCommerce | mollie-payments-for-woocommerce
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | mp3-music-player-by-sonaar
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. | mycred
Name Directory | name-directory
New User Approve | new-user-approve
NEX-Forms – Ultimate Forms Plugin for WordPress | nex-forms-express-wp-form-builder
Ninja Forms – The Contact Form Builder That Grows With You | ninja-forms
One to one user Chat by WPGuppy | wpguppy-lite
OpenPix for WooCommerce | openpix-for-woocommerce
OpenPOS Lite – Point of Sale for WooCommerce | wpos-lite-version
Orbisius Random Name Generator | orbisius-random-name-generator
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions
Passster – Password Protect Pages and Content | content-protector
Payment Page | Payment Form for Stripe | payment-page
PDF for Elementor Forms + Drag And Drop Template Builder | pdf-for-elementor-forms
PDF for WPForms + Drag and Drop Template Builder | pdf-for-wpforms
Percent to Infograph | percent-to-infograph
personal-authors-category | personal-authors-category
PhotoStack Gallery | photostack-gallery
PixelYourSite Pro – Your smart PIXEL (TAG) Manager | pixelyoursite-pro
PixelYourSite – Your smart PIXEL (TAG) & API Manager | pixelyoursite
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | popup-builder-block
Press3D | press3d
Primer MyData for Woocommerce | primer-mydata
Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) | uni-woo-custom-product-options-premium
QuestionPro Surveys | questionpro-surveys
Ravelry Designs Widget | ravelry-designs-widget
Responsive Slideshow | slider-responsive-slideshow
RVCFDI para Woocommerce | rvcfdi-para-woocommerce
Scheduler Widget | scheduler-widget
SEATT: Simple Event Attendance | simple-event-attendance
Secure Copy Content Protection and Content Locking | secure-copy-content-protection
Simple File List | simple-file-list
Simple Plyr | simple-plyr
Simple Retail Menus | simple-retail-menus
Simple Wp colorfull Accordion | simple-wp-colorfull-accordion
Slideshow Wp | slideshow-wp
SlimStat Analytics | wp-slimstat
Smart Forms – when you need more than just a contact form | smart-forms
Spam protection, Honeypot, Anti-Spam by CleanTalk | cleantalk-spam-protect
Sphere Manager | sphere-manager
Starfish Review Generation & Marketing for WordPress | starfish-reviews
StickEasy Protected Contact Form | stickeasy-protected-contact-form
StyleBidet | stylebidet
Sudoku Shortcode | sudoku-shortcode
Super Page Cache | wp-cloudflare-page-cache
Super Simple Contact Form | super-simple-contact-form
SureForms – Contact Form, Payment Form & Other Custom Form Builder | sureforms
The Events Calendar Shortcode & Block | the-events-calendar-shortcode
Themesflat Elementor | themesflat-elementor
Timeline Event History | timeline-event-history
Truelysell Core | truelysell-core
Twitter posts to Blog | twitter-posts-to-blog
UpMenu – Online ordering for restaurants | upmenu
User Language Switch | user-language-switch
Videospirecore Theme Plugin | videospirecore
Visitor Maps Extended Referer Field | visitor-maps-extended-referer-field
Visual Feedback, Review & AI Collaboration Tool For WordPress – Atarim | atarim-visual-collaboration
WaMate Confirm – Order Confirmation | wamate-confirm
WCFM Marketplace – Multivendor Marketplace for WooCommerce | wc-multivendor-marketplace
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | wc-multivendor-membership
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible | wc-frontend-manager
WDES Responsive Popup | wdes-responsive-popup
Whizz Plugins | whizz-plugins
WooCommerce Bulk Product Editor | woocommerce-quick-product-editor
WooCommerce Coming Soon Product with Countdown | woo-coming-soon-product
WooODT Lite – Delivery & pickup date time location for WooCommerce | byconsole-woo-order-delivery-time
WordPress Upload Files Anywhere | wp-upload-files-anywhere
WordPress User Extra Fields | wp-user-extra-fields
WP Data Access – No-Code App Builder with Tables, Forms, Charts & Maps | wp-data-access
WP FullCalendar | wp-fullcalendar
WP Last Modified Info | wp-last-modified-info
WP Quick Contact Us | wp-quick-contact-us
wpForo Forum | wpforo
WPlyr Media Block | wplyr-media-block
WPshop 2 – E-Commerce | wpshop
WPZOOM Addons for Elementor – Starter Templates & Widgets | wpzoom-elementor-addons
YayCurrency – WooCommerce Multi-Currency Switcher | yaycurrency
Yoast Duplicate Post | duplicate-post
ZoomifyWP Free | tz-zoomifywp-free
افزونه پیامک ووکامرس Persian WooCommerce SMS | persian-woocommerce-sms
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug
AdForest | adforest
Belletrist - Blog Theme for WordPress Theme | belletrist
Cartify - WooCommerce Gutenberg WordPress | cartify
Cobble | cobble
Dating | DA10
Diamond | diamond
Diza - Pharmacy Store Elementor WooCommerce Theme | diza
Electronics eCommerce WordPress Woocommerce Theme - Exzo | exzo
Extreme Store | extremestore
Fana - Fashion Shop WordPress Theme | fana
FiveStar - Hotel Booking WordPress Theme | fivestar
FreightCo – Free Transportation & Logistics WordPress Theme | freightco
Gable - Structure & Building Franework WordPress Theme | gable
HealthFirst - Nutrition and Recipes WordPress Theme | healthfirst
Lorem Ipsum | lorem-ipsum-books-media-store
Nestin | nestin
Nika - Medical Elementor WooCommerce Theme | nika
PatioTime - Restaurant WordPress Theme | patiotime
PJ | Life & Business Coaching Site Template | pj
Plank - Carpenter, Flooring & Woodworker WordPress Theme | plank
Prestige | prestige
R&F - Roof & Floor Carpenter WordPress Theme | rf
Splendour | splendour
Struktur - Creative Agency WordPress Theme | struktur
Tint - Renovation, Painting & Wallpapering WordPress Theme | tint
Travelicious - Tour Operator WordPress Theme | travelicious
Yokoo | yokoo
Zota - Elementor Multi-Purpose WooCommerce Theme | zota
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you would like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
AdForest <= 6.0.12 - Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2026-1729
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: AdForest
Researcher: Phat RiO - BlueRock
midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2026-1306
Patch Status: Unpatched
Published: Feb 13, 2026
Affected Software: midi-Synth
Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Powpy, Waris Damkham, Peerapat Samatathanyakorn
Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2026-1357
Patch Status: Patched
Published: Feb 10, 2026
Affected Software: Migration, Backup, Staging – WPvivid Backup & Migration
Researcher: Lucas Montes (NiRoX)
Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2026-1490
Patch Status: Patched
Published: Feb 14, 2026
Affected Software: Spam protection, Honeypot, Anti-Spam by CleanTalk
Researcher: Nguyen Ngoc Duc (duc193)
Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-8572
Patch Status: Patched
Published: Feb 13, 2026
Affected Software: Truelysell Core
Researcher: Alyudin Nafiie
Upload Files Anywhere <= 2.8 - Unauthenticated Arbitrary File Deletion
CVSS Rating: Critical (9.1)
CVE-ID: CVE-2025-69379
Patch Status: Unpatched
Published: Feb 9, 2026
Affected Software: WordPress Upload Files Anywhere
Researcher: Phat RiO
Bravis Addons <= 1.1.9 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-69403
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Bravis Addons
Researcher: Phat RiO
Custom Block Builder – Lazy Blocks <= 4.2.0 - Authenticated (Contributor+) Remote Code Execution
CVSS Rating: High (8.8)
CVE-ID: CVE-2026-1560
Patch Status: Patched
Published: Feb 10, 2026
Affected Software: Custom Block Builder – Lazy Blocks
Researcher: Youssef Elouaer
Ecwid by Lightspeed Ecommerce Shopping Cart <= 7.0.7 - Authenticated (Subscriber+) Privilege Escalation via ec_store_admin_access
CVSS Rating: High (8.8)
CVE-ID: CVE-2026-1750
Patch Status: Patched
Published: Feb 14, 2026
Affected Software: Ecwid by Lightspeed Ecommerce Shopping Cart
Researcher: Nguyen Ngoc Duc (duc193)
FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download
CVSS Rating: High (8.8)
CVE-ID: CVE-2026-1104
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: FastDup – Fastest WordPress Migration & Duplicator
Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Waris Damkham
Miraculous Elementor <= 2.0.7 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-67998
Patch Status: Patched
Published: Feb 10, 2026
Affected Software: Miraculous Elementor
Researcher: Phat RiO
Starfish Review Generation & Marketing for WordPress <= 3.1.19 - Authenticated (Subscriber+) Arbitrary Options Update via srm_restore_options_defaults
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-15157
Patch Status: Unpatched
Published: Feb 13, 2026
Affected Software: Starfish Review Generation & Marketing for WordPress
Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)
Videospirecore Theme Plugin <= 1.0.6 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-15096
Patch Status: Unpatched
Published: Feb 10, 2026
Affected Software: Videospirecore Theme Plugin
Researcher: Phat RiO - BlueRock
wpForo Forum <= 2.4.13 - Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2026-0910
Patch Status: Patched
Published: Feb 10, 2026
Affected Software: wpForo Forum
Researcher: Webbernaut
Belletrist <= 1.2 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69410
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Belletrist - Blog Theme for WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Cobble <= 1.7 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69399
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Cobble
Researcher: Tran Nguyen Bao Khanh
Diza <= 1.3.15 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-68543
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: Diza - Pharmacy Store Elementor WooCommerce Theme
Researcher: João Pedro S Alcântara (Kinorth)
Extreme Store <= 1.5.7 - Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69404
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Extreme Store
Researcher: Tran Nguyen Bao Khanh
Fana <= 1.1.35 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-68539
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: Fana - Fashion Shop WordPress Theme
Researcher: João Pedro S Alcântara (Kinorth)
FiveStar <= 1.7 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-22344
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: FiveStar - Hotel Booking WordPress Theme
Researcher: Tran Nguyen Bao Khanh
FreightCo <= 1.1.7 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69406
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: FreightCo – Free Transportation & Logistics WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Gable <= 1.5 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69395
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Gable - Structure & Building Franework WordPress Theme
Researcher: Tran Nguyen Bao Khanh
HealthFirst <= 1.0.1 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69408
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: HealthFirst - Nutrition and Recipes WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Lorem Ipsum | Books & Media Store <= 1.2.6 - Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69405
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Lorem Ipsum
Researcher: Tran Nguyen Bao Khanh
Magic Login Mail or QR Code <= 2.05 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-2144
Patch Status: Patched
Published: Feb 13, 2026
Affected Software: Magic Login Mail or QR Code
Researcher: ifoundbug
Nestin < 1.2.6 - Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67996
Patch Status: Patched
Published: Feb 9, 2026
Affected Software: Nestin
Researcher: João Pedro S Alcântara (Kinorth)
Nika <= 1.2.14 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-68545
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: Nika - Medical Elementor WooCommerce Theme
Researcher: João Pedro S Alcântara (Kinorth)
PatioTime < 2.1 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67992
Patch Status: Patched
Published: Feb 9, 2026
Affected Software: PatioTime - Restaurant WordPress Theme
Researcher: João Pedro S Alcântara (Kinorth)
PatioTime < 2.1 - Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67995
Patch Status: Patched
Published: Feb 9, 2026
Affected Software: PatioTime - Restaurant WordPress Theme
Researcher: João Pedro S Alcântara (Kinorth)
PJ | Life & Business Coaching <= 3.0.0 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69409
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: PJ | Life & Business Coaching Site Template
Researcher: Tran Nguyen Bao Khanh
Plank <= 1.7 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69398
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Plank - Carpenter, Flooring & Woodworker WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Prestige < 1.4.1 - Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69329
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: Prestige
Researcher: Phat RiO
R&F <= 1.5 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69402
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: R&F - Roof & Floor Carpenter WordPress Theme
Researcher: Tran Nguyen Bao Khanh
shop <= 2.6.1 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69383
Patch Status: Unpatched
Published: Feb 9, 2026
Affected Software: WPshop 2 – E-Commerce
Researcher: Skalucy
Simple Retail Menus <= 4.2.1 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69387
Patch Status: Unpatched
Published: Feb 9, 2026
Affected Software: Simple Retail Menus
Researcher: Skalucy
Splendour <= 1.23 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69396
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Splendour
Researcher: Tran Nguyen Bao Khanh
Struktur <= 2.5.1 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69407
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Struktur - Creative Agency WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Themesflat Elementor <= 1.0.1 - Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69382
Patch Status: Unpatched
Published: Feb 9, 2026
Affected Software: Themesflat Elementor
Researcher: Phat RiO
Tint <= 1.7 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69397
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Tint - Renovation, Painting & Wallpapering WordPress Theme
Researcher: Tran Nguyen Bao Khanh
Travelicious < 1.6.7 - Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67997
Patch Status: Patched
Published: Feb 9, 2026
Affected Software: Travelicious - Tour Operator WordPress Theme
Researcher: João Pedro S Alcântara (Kinorth)
Yokoo <= 1.1.11 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69400
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Yokoo
Researcher: Tran Nguyen Bao Khanh
Zota <= 1.3.14 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-68536
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: Zota - Elementor Multi-Purpose WooCommerce Theme
Researcher: João Pedro S Alcântara (Kinorth)
BlueSnap Payment Gateway for WooCommerce <= 3.3.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-0692
Patch Status: Unpatched
Published: Feb 13, 2026
Affected Software: BlueSnap Payment Gateway for WooCommerce
Researcher: Md. Moniruzzaman Prodhan (NomanProdhan)
Booking and Rental Manager <= 2.5.9 - Authenticated (Contributor+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-69328
Patch Status: Patched
Published: Feb 9, 2026
Affected Software: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Researcher: Phat RiO
Download Manager Addons for Elementor <= 1.3.0 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-24956
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: Download Manager Addons for Elementor
Researcher: NumeX
Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-1988
Patch Status: Unpatched
Published: Feb 13, 2026
Affected Software: Flexi Product Slider and Grid for WooCommerce
Researcher: Muhammad Yudha - DJ
Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery <= 1.6.0 - Authenticated (Contributor+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-22345
Patch Status: Unpatched
Published: Feb 11, 2026
Affected Software: Image Gallery
Researcher: Muhammad Yudha - DJ
Modal Popup Box <= 1.6.1 - Authenticated (Contributor+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68526
Patch Status: Patched
Published: Feb 11, 2026
Affected Software: Modal Popup Box: A Flexible Pop Up Box Builder
Researcher: Muhammad Yudha - DJ
Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-2268
Patch Status: Patched
Published: Feb 9, 2026
Affected Software: Ninja Forms – The Contact Form Builder That Grows With You
Researcher: johska
PhotoStack Gallery <= 0.4.1 - Unauthenticated SQL Injection via 'postid' Parameter
7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2026-2024
Patch Status
Unpatched
Published
Feb 13, 2026
Affected Software
PhotoStack Gallery
Researcher
Muhammad Yudha - DJ
More Details >
Slider Responsive Slideshow – Image slider, Gallery slideshow <= 1.5.4 - Authenticated (Contributor+) PHP Object Injection
7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2026-22346
Patch Status
Unpatched
Published
Feb 11, 2026
Affected Software
Responsive Slideshow
Researcher
Muhammad Yudha - DJ
More Details >
SureForms – Drag and Drop Form Builder for WordPress <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation
7.5
CVSS Rating
High (7.5)
CVE-ID
Unknown
Patch Status
Patched
Published
Feb 13, 2026
Affected Software
SureForms – Contact Form, Payment Form & Other Custom Form Builder
Researcher
andrea bocchetti
More Details >
Upload Files Anywhere <= 2.8 - Unauthenticated Arbitrary File Download
7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-69380
Patch Status
Unpatched
Published
Feb 9, 2026
Affected Software
WordPress Upload Files Anywhere
Researcher
Phat RiO
More Details >
WooCommerce Coming Soon Product with Countdown <= 5.0 - Authenticated (Subscriber+) Local File Inclusion
7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-68552
Patch Status
Patched
Published
Feb 10, 2026
Affected Software
WooCommerce Coming Soon Product with Countdown
Researcher
Phat RiO
More Details >
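Four of the 7.5-rated entries above (Booking and Rental Manager, Image Gallery, Modal Popup Box, Slider Responsive Slideshow) are Authenticated (Contributor+) PHP Object Injection. The shape of that bug class is always the same: a string a low-privileged user controls reaches unserialize(), and PHP instantiates whatever class the string names. The block below is an added example, not code from any plugin listed on this page; the function names, the meta key and the data layout are assumptions made for illustration. Exploitability on a given site still depends on a usable gadget chain being present in the installed plugins or themes, but the unserialize() call on untrusted data is the defect regardless.

```php
<?php
// Added example, not taken from any plugin listed on this page. The function
// names, meta key and data layout are assumptions made for illustration.

// Vulnerable pattern: a Contributor stores a base64-encoded serialized string
// through a post meta box or shortcode attribute, and the plugin hands it to
// unserialize(). PHP instantiates whatever class the string names and runs
// its __wakeup()/__destruct(), so any class with a usable gadget chain in the
// site's installed code becomes reachable from a Contributor account.
function demo_load_layout_vulnerable( $post_id ) {
    $raw = get_post_meta( $post_id, '_demo_layout', true );
    return unserialize( base64_decode( $raw ) );
}

// Hardened, option 1: store and load plain data as JSON. json_decode() never
// instantiates classes, so there is nothing for a gadget chain to attach to.
// Validate the shape you expect instead of trusting stored data blindly.
function demo_load_layout_hardened( $post_id ) {
    $raw  = get_post_meta( $post_id, '_demo_layout', true );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        return array();
    }
    return array(
        'columns' => isset( $data['columns'] ) ? absint( $data['columns'] ) : 1,
        'theme'   => isset( $data['theme'] ) ? sanitize_key( $data['theme'] ) : 'default',
    );
}

// Hardened, option 2 (when the serialized format cannot be changed): refuse to
// instantiate any class. Class names in the payload come back as
// __PHP_Incomplete_Class, whose magic methods are never invoked.
function demo_load_layout_no_classes( $post_id ) {
    $raw  = get_post_meta( $post_id, '_demo_layout', true );
    $data = unserialize( base64_decode( $raw ), array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}
```

Option 1 is the preferable fix because it also removes the serialized-string format from the plugin's storage entirely; option 2 is the minimal change for code that must keep reading legacy values.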
Customer Reviews for WooCommerce <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-1316 · Patch Status: Patched · Published: Feb 12, 2026 · Affected Software: Customer Reviews for WooCommerce · Researcher: type5afe

iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters
CVSS Rating: High (7.2) · CVE-ID: CVE-2025-15440 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: iONE360 configurator · Researcher: 0x34rth

Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter
CVSS Rating: High (7.2) · CVE-ID: CVE-2025-14541 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: Lucky Wheel Giveaway · Researcher: Nguyen Truong (Roll)

Name Directory <= 1.32.0 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-1866 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: Name Directory · Researcher: duy.thai

PixelYourSite <= 11.2.0 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-1841 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: PixelYourSite – Your smart PIXEL (TAG) & API Manager · Researcher: Osvaldo Noe Gonzalez Del Rio (Os)

PixelYourSite PRO <= 12.4.0.2 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-1844 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: PixelYourSite Pro – Your smart PIXEL (TAG) Manager · Researcher: Osvaldo Noe Gonzalez Del Rio (Os)

Secure Copy Content Protection and Content Locking <= 4.9.8 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-1320 · Patch Status: Patched · Published: Feb 12, 2026 · Affected Software: Secure Copy Content Protection and Content Locking · Researcher: Deadbee

Super Page Cache <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting via Activity Log
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-1843 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: Super Page Cache · Researcher: shark3y

Super Simple Contact Form <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-0753 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Super Simple Contact Form · Researcher: 0x34rth

User Extra Fields <= 16.8 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) · CVE-ID: CVE-2025-67991 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: WordPress User Extra Fields · Researcher: Phat RiO

User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-0745 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: User Language Switch · Researcher: 0x34rth

WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update
CVSS Rating: High (7.2) · CVE-ID: CVE-2026-0845 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible · Researcher: Osvaldo Noe Gonzalez Del Rio (Os)
Activity Log for WordPress <= 1.2.8 - Missing Authorization to Sensitive Information Exposure via Log File
CVSS Rating: Medium (6.5) · CVE-ID: CVE-2026-1671 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: Activity Log for WordPress · Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)

Element Pack Addons for Elementor <= 8.3.17 - Authenticated (Contributor+) Arbitrary File Read
CVSS Rating: Medium (6.5) · CVE-ID: CVE-2026-1793 · Patch Status: Patched · Published: Feb 14, 2026 · Affected Software: Element Pack Addons for Elementor · Researcher: Chiao-Lin Yu (Steven Meow)

JS Help Desk <= 3.0.1 - Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5) · CVE-ID: CVE-2026-24959 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: JS Help Desk – AI-Powered Support & Ticketing System · Researcher: Bonds

Simple File List <= 6.1.15 - Authenticated (Subscriber+) Arbitrary File Download
CVSS Rating: Medium (6.5) · CVE-ID: CVE-2026-24953 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: Simple File List · Researcher: daroo

SlimStat Analytics <= 5.3.1 - Authenticated (Subscriber+) SQL Injection via `args` Parameter
CVSS Rating: Medium (6.5) · CVE-ID: CVE-2025-13431 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: SlimStat Analytics · Researcher: Marcin Dudek (dudekmar)

Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update
CVSS Rating: Medium (6.5) · CVE-ID: CVE-2026-1786 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: Twitter posts to Blog · Researcher: Nabil Irawan
Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1231 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: Beaver Builder Page Builder – Drag and Drop Website Builder · Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Waris Damkham

BuddyHolis ListSearch <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'placeholder' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1853 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: BuddyHolis ListSearch · Researcher: zakaria

Chatbot for WordPress by Collect.chat <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Field
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-0736 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: Chatbot for WordPress by Collect.chat · Researcher: Deadbee

Citations tools <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1912 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Citations tools · Researcher: Gilang - DJ

Essential Addons for Elementor <= 6.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Info Box Widget
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1512 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: Essential Addons for Elementor – Popular Elementor Templates & Widgets · Researcher: knani alaaeddine (iwd)

Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-0996 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder · Researcher: Osvaldo Noe Gonzalez Del Rio (Os)

HTML Shortcodes <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1809 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: HTML Shortcodes · Researcher: zakaria

IDE Micro code-editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1827 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: IDE Micro code-editor · Researcher: zakaria

MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'stm_lms_courses_grid_display' Shortcode
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-0559 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education · Researcher: Muhammad Yudha - DJ

Microtango <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1821 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: Microtango · Researcher: Muhammad Yudha - DJ

myCred <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-0550 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. · Researcher: Muhammad Yudha - DJ

OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1826 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: OpenPOS Lite – Point of Sale for WooCommerce · Researcher: Muhammad Yudha - DJ

Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1893 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: Orbisius Random Name Generator · Researcher: zaim

Payment Page | Payment Form for Stripe <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-0751 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Payment Page | Payment Form for Stripe · Researcher: Athiwat Tiprasaharn (Jitlada)

Percent to Infograph <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1939 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Percent to Infograph · Researcher: Gilang - DJ

Press3D <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1985 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Press3D · Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)

QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1901 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: QuestionPro Surveys · Researcher: Gilang - DJ

Ravelry Designs Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sb_ravelry_designs' Shortcode 'layout' Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1903 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Ravelry Designs Widget · Researcher: Muhammad Yudha - DJ

Simple Plyr <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'poster' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1915 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Simple Plyr · Researcher: Gilang - DJ

Simple Wp colorfull Accordion <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1904 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Simple Wp colorfull Accordion · Researcher: Gilang - DJ

Slideshow Wp <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1885 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: Slideshow Wp · Researcher: Muhammad Yudha - DJ

Sphere Manager <= 1.0.2 - Authenticated (Contributor+) Cross-Site Scripting via 'width' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1905 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Sphere Manager · Researcher: Gilang - DJ

Sudoku Shortcode <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'background' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: Unknown · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: Sudoku Shortcode · Researcher: Gilang - DJ

Sudoku Shortcode <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) · CVE-ID: Unknown · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: Sudoku Shortcode · Researcher: Gilang - DJ

The Events Calendar Shortcode & Block <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1922 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: The Events Calendar Shortcode & Block · Researcher: Muhammad Yudha - DJ

UpMenu <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1910 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: UpMenu – Online ordering for restaurants · Researcher: Muhammad Yudha - DJ

WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1804 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: WDES Responsive Popup · Researcher: Muhammad Yudha - DJ

WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-0557 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: WP Data Access – No-Code App Builder with Tables, Forms, Charts & Maps · Researcher: Muhammad Yudha - DJ

ZoomifyWP Free <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'filename' Shortcode Attribute
CVSS Rating: Medium (6.4) · CVE-ID: CVE-2026-1187 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: ZoomifyWP Free · Researcher: theviper17y
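Most of the 6.4-rated entries above share one pattern: Authenticated (Contributor+) Stored Cross-Site Scripting via a shortcode attribute. Contributors cannot publish and lack the unfiltered_html capability, so KSES strips script tags and event handlers from the post content they save; but a shortcode handler runs at render time, after that filtering, and whatever it builds from its attributes goes straight into the page. If the handler does not escape each attribute for the context it lands in, a Contributor's draft carries a payload that fires for every viewer, including the Editor or Administrator who previews it. The block below is an added example, not code from any plugin listed on this page: a hypothetical [demo_box] shortcode shown in its vulnerable form and a hardened form. The shortcode name, function names and attribute names are assumptions.

```php
<?php
// Added example, not taken from any plugin listed on this page. The shortcode,
// function and attribute names are assumptions made for illustration.

// Vulnerable: attribute values are concatenated into HTML without escaping.
// A Contributor can save a post containing
//   [demo_box title='x" onmouseover="alert(1)' url='javascript:alert(1)' width='1;background:url(x)']
// and the payload is stored with the post and rendered to anyone who views it.
function demo_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'url' => '', 'width' => '100%' ),
        $atts,
        'demo_box'
    );
    return '<div class="demo-box" style="width:' . $atts['width'] . '">'
         . '<a href="' . $atts['url'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a></div>';
}

// Hardened: escape every value for the context it lands in, and allow-list
// values that feed CSS rather than trying to escape free-form text into a
// style attribute.
function demo_box_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'url' => '', 'width' => '100%' ),
        $atts,
        'demo_box'
    );

    // Only a plain length such as 240px or 50% is accepted; anything else
    // falls back to the default instead of reaching the style attribute.
    $width = preg_match( '/^\d{1,4}(px|%)$/', $atts['width'] ) ? $atts['width'] : '100%';

    return '<div class="demo-box" style="width:' . esc_attr( $width ) . '">'
         . '<a href="' . esc_url( $atts['url'] ) . '" title="' . esc_attr( $atts['title'] ) . '">'
         . esc_html( $atts['title'] ) . '</a></div>';
}

add_shortcode( 'demo_box', 'demo_box_shortcode_hardened' );
```

Three different escaping functions appear in the hardened handler on purpose: esc_attr() for text inside a double-quoted HTML attribute, esc_html() for text between tags, and esc_url() for the href, which also drops schemes such as javascript: that the other two would leave intact. Reviewing a shortcode handler means checking that each output position has the matching one.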
Address Bar Ads <= 1.0.0 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2026-1795 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Address Bar Ads · Researcher: Abdulsamad Yusuf (0xVenus)

Business Template Blocks for WPBakery (Visual Composer) Page Builder <= 1.3.2 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-69390 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: Business Template Blocks for WPBakery (Visual Composer) Page Builder · Researcher: Skalucy

Diamond <= 2.4.8 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-69391 · Patch Status: Unpatched · Published: Feb 11, 2026 · Affected Software: Diamond · Researcher: João Pedro S Alcântara (Kinorth)

Easy Voice Mail <= 1.2.5 - Unauthenticated Stored Cross-Site Scripting via 'message'
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2026-1164 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Easy Voice Mail · Researcher: Kazuma Matsumoto

Geo Widet <= 1.0 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2026-1792 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Geo Widget · Researcher: Abdulsamad Yusuf (0xVenus)

iMoney <= 0.36 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-69392 · Patch Status: Unpatched · Published: Feb 11, 2026 · Affected Software: iMoney · Researcher: Skalucy

JetEngine <= 3.8.0 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-68495 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: JetEngine · Researcher: Bonds

Mollie Payments for WooCommerce <= 8.1.1 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-68501 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: Mollie Payments for WooCommerce · Researcher: Bonds

NEX-Forms <= 9.1.7 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-69326 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: NEX-Forms – Ultimate Forms Plugin for WordPress · Researcher: Skalucy

Persian Woocommerce SMS <= 7.1.1 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2026-22352 · Patch Status: Unpatched · Published: Feb 11, 2026 · Affected Software: افزونه پیامک ووکامرس Persian WooCommerce SMS · Researcher: Bonds

personal-authors-category <= 0.3 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2026-1754 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: personal-authors-category · Researcher: Abdulsamad Yusuf (0xVenus)

Prestige < 1.4.1 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-69330 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: Prestige · Researcher: Phat RiO

RVCFDI para Woocommerce <= 8.1.8 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-69386 · Patch Status: Unpatched · Published: Feb 9, 2026 · Affected Software: RVCFDI para Woocommerce · Researcher: Skalucy

StyleBidet <= 1.0.0 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2026-1796 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: StyleBidet · Researcher: Abdulsamad Yusuf (0xVenus)

Timeline Event History <= 3.2 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-69384 · Patch Status: Unpatched · Published: Feb 9, 2026 · Affected Software: Timeline Event History · Researcher: Trương Hữu Phúc (truonghuuphuc)

Visitor Maps Extended Referer Field <= 1.2.6 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2025-69389 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: Visitor Maps Extended Referer Field · Researcher: Skalucy

Whizz Plugins <= 1.9 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) · CVE-ID: CVE-2026-24955 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: Whizz Plugins · Researcher: João Pedro S Alcântara (Kinorth)
Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) <= 4.9.60 - Missing Authorization to Unauthenticated Arbitrary Attachment and Dropbox File Deletion
CVSS Rating: Medium (5.8) · CVE-ID: CVE-2025-13391 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) · Researcher: Stefan
Accordion and Accordion Slider <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification
CVSS Rating: Medium (5.4) · CVE-ID: CVE-2026-0727 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: Accordion and Accordion Slider · Researcher: Kazuma Matsumoto

PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion
CVSS Rating: Medium (5.4) · CVE-ID: CVE-2025-14895 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers · Researcher: Dmitrii Ignatyev

Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification
CVSS Rating: Medium (5.4) · CVE-ID: CVE-2026-1987 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Scheduler Widget · Researcher: MD. TAREQ AHAMED JONY (itztrq)
Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-1932 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Appointment Booking Calendar Plugin – Bookr · Researcher: MD. TAREQ AHAMED JONY (itztrq)

Atarim <= 4.2.1 - Missing Authorization
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-67993 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: Visual Feedback, Review & AI Collaboration Tool For WordPress – Atarim · Researcher: Legion Hunter

CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-1944 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: CallbackKiller service widget · Researcher: Legion Hunter

Cnvrse <= 026.02.10.20 - Unauthenticated Insecure Direct Object Reference
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-69394 · Patch Status: Unpatched · Published: Feb 11, 2026 · Affected Software: Cnvrse · Researcher: Athiwat Tiprasaharn (Jitlada)

Dating <= 11.2.0 - Missing Authorization
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-22343 · Patch Status: Unpatched · Published: Feb 9, 2026 · Affected Software: Dating · Researcher: 0xd4rk5id3

Easy Form Builder <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-14067 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: Easy Form Builder by WhiteStudio — Drag & Drop Form Builder · Researcher: Itthidej Aramsri (Boeing777)

Exzo <= 1.2.4 - Missing Authorization
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-69393 · Patch Status: Unpatched · Published: Feb 11, 2026 · Affected Software: Electronics eCommerce WordPress Woocommerce Theme - Exzo · Researcher: Phat RiO

FullCalendar <= 1.6 - Missing Authorization
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-22351 · Patch Status: Unpatched · Published: Feb 11, 2026 · Affected Software: WP FullCalendar · Researcher: Doan Dinh Van (DinhVan52)

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-1537 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events · Researcher: Chiao-Lin Yu (Steven Meow)

MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-1303 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: MailChimp Campaigns · Researcher: Nabil Irawan

New User Approve <= 3.2.0 - Missing Authorization
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-69063 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: New User Approve · Researcher: Denver Jackson

One to one user Chat by WPGuppy <= 1.1.4 - Unauthenticated Information Disclosure via Chat Message Interception
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-6792 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: One to one user Chat by WPGuppy · Researcher: Jonas Benjamin Friedli

Primer MyData for Woocommerce <= 4.2.8 - Unauthenticated Path Traversal
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-69325 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: Primer MyData for Woocommerce · Researcher: Skalucy

StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-13973 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: StickEasy Protected Contact Form · Researcher: Itthidej Aramsri (Boeing777)

WaMate Confirm <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-1833 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: WaMate Confirm – Order Confirmation · Researcher: Legion Hunter

WCFM Marketplace <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-1722 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: WCFM Marketplace – Multivendor Marketplace for WooCommerce · Researcher: Gibran Abdillah

WooODT Lite <= 2.5.2 - Unauthenticated Payment Bypass
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-69401 · Patch Status: Unpatched · Published: Feb 11, 2026 · Affected Software: WooODT Lite – Delivery & pickup date time location for WooCommerce · Researcher: benzdeus

WP Last Modified Info <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-14608 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: WP Last Modified Info · Researcher: Itthidej Aramsri (Boeing777)

WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2026-2295 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: WPZOOM Addons for Elementor – Starter Templates & Widgets · Researcher: Webbernaut

YayCurrency <= 3.3 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
CVSS Rating: Medium (5.3) · CVE-ID: CVE-2025-67994 · Patch Status: Patched · Published: Feb 9, 2026 · Affected Software: YayCurrency – WooCommerce Multi-Currency Switcher · Researcher: Denver Jackson
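The 5.3-rated group above is dominated by two closely related classes: Missing Authorization (a state-changing handler reachable without a capability check, often for unauthenticated visitors via wp_ajax_nopriv_) and Insecure Direct Object Reference (the caller is checked, but not whether the object ID they submit is theirs to act on). The block below is an added example and is not code from any plugin listed here; it shows a hypothetical AJAX handler that changes a booking's status, first in the form that produces both bugs and then hardened. The action name, post type, meta key, capability and status values are assumptions for illustration.

```php
<?php
// Added example, not taken from any plugin listed on this page. Action name,
// post type, meta key, capability and status values are assumptions.

// Vulnerable: registered for logged-out users as well, and the callback checks
// neither a nonce, nor a capability, nor who owns the booking it modifies.
// Any visitor can POST booking_id=<n>&status=confirmed for every n.
add_action( 'wp_ajax_demo_set_status',        'demo_set_status_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_set_status', 'demo_set_status_vulnerable' );

function demo_set_status_vulnerable() {
    $id     = intval( $_POST['booking_id'] );
    $status = sanitize_text_field( $_POST['status'] );
    update_post_meta( $id, '_demo_status', $status );
    wp_send_json_success();
}

// Hardened: logged-in only (no nopriv hook), CSRF nonce, allow-listed values,
// a type check on the target, and an explicit decision about who may change
// which booking. The nonce is issued with wp_create_nonce( 'demo_set_status' )
// and passed to the front end via wp_localize_script().
add_action( 'wp_ajax_demo_set_status', 'demo_set_status_hardened' );

function demo_set_status_hardened() {
    check_ajax_referer( 'demo_set_status', 'nonce' );   // terminates with -1/403 on failure

    $id     = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    $allowed = array( 'pending', 'confirmed', 'cancelled' );
    if ( ! $id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    $booking = get_post( $id );
    if ( ! $booking || 'demo_booking' !== $booking->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Authorization, not just authentication: staff may set any status on any
    // booking; a customer may only cancel a booking they created.
    $is_staff = current_user_can( 'manage_options' );
    $is_owner = (int) $booking->post_author === get_current_user_id();
    if ( ! $is_staff && ! ( $is_owner && 'cancelled' === $status ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    update_post_meta( $id, '_demo_status', $status );
    wp_send_json_success( array( 'id' => $id, 'status' => $status ) );
}
```

The ownership comparison is the part that separates a fixed Missing Authorization from a remaining IDOR: a handler that adds check_ajax_referer() and is_user_logged_in() but still trusts the submitted booking_id lets any Subscriber modify any booking, which is exactly the Subscriber+ and Author+ IDOR entries listed above.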
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 - 5.10 - Authenticated (Author+) Server-Side Request Forgery
CVSS Rating: Medium (5.0) · CVE-ID: CVE-2026-1249 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar · Researcher: kr0d
BFG Tools – Extension Zipper <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter
CVSS Rating: Medium (4.9) · CVE-ID: CVE-2025-13681 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: BFG Tools – Extension Zipper · Researcher: Itthidej Aramsri (Boeing777)

Mail Mint <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints
CVSS Rating: Medium (4.9) · CVE-ID: CVE-2026-1258 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more · Researcher: Paolo Tresso
Converter for Media – Optimize images | Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src
CVSS Rating: Medium (4.8) · CVE-ID: CVE-2026-1356 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: Converter for Media – Optimize images | Convert WebP & AVIF · Researcher: Lucas Montes (NiRoX)
Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions
CVSS Rating: Medium (4.4) · CVE-ID: CVE-2026-0693 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Allow HTML in Category Descriptions · Researcher: ZAST.AI

AMP Enhancer <= 1.0.49 - Authenticated (Administrator+) Stored Cross-Site Scripting via AMP Custom CSS Setting
CVSS Rating: Medium (4.4) · CVE-ID: CVE-2026-2027 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: AMP Enhancer – Compatibility Layer for Official AMP Plugin · Researcher: Muqsith Barru

Category Image <= 2.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'tag-image' Parameter
CVSS Rating: Medium (4.4) · CVE-ID: CVE-2026-0815 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: Category Image · Researcher: 0x34rth

Duplicate Post <= 3.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4) · CVE-ID: CVE-2019-25314 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: Yoast Duplicate Post · Researcher: Unk9vvN

Link Hopper <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter
CVSS Rating: Medium (4.4) · CVE-ID: CVE-2025-15483 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: Link Hopper · Researcher: ZAST.AI

User Language Switch <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter
CVSS Rating: Medium (4.4) · CVE-ID: CVE-2026-0735 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: User Language Switch · Researcher: 0x34rth

WPlyr Media Block <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via '_wplyr_accent_color' Parameter
CVSS Rating: Medium (4.4) · CVE-ID: CVE-2026-0724 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: WPlyr Media Block · Researcher: 0x34rth
Cartify - WooCommerce Gutenberg WordPress <= 1.3 - Authenticated (Subscriber+) Arbitrary Post Deletion
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2025-69385 · Patch Status: Unpatched · Published: Feb 9, 2026 · Affected Software: Cartify - WooCommerce Gutenberg WordPress · Researcher: Denver Jackson

Cliengo – Chatbot <= 3.0.4 - Missing Authorization
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2025-69388 · Patch Status: Unpatched · Published: Feb 9, 2026 · Affected Software: Cliengo – Chatbot · Researcher: Nabil Irawan

Gallery by FooGallery <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2025-15524 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: Gallery by FooGallery · Researcher: s00me00ne

Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2026-2608 · Patch Status: Patched · Published: Feb 11, 2026 · Affected Software: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor · Researcher: johska

Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication
CVSS Rating: Medium (4.3) · CVE-ID: Unknown · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor · Researcher: johska

Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2026-1748 · Patch Status: Patched · Published: Feb 10, 2026 · Affected Software: Invoct – PDF Invoices & Billing for WooCommerce · Researchers: Teerachai Somprasong, Teerachai S.

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2025-14873 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events · Researcher: Moose Love

MDirector Newsletter <= 4.5.8 - Cross-Site Request Forgery to Plugin Settings Update
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2025-14852 · Patch Status: Unpatched · Published: Feb 13, 2026 · Affected Software: MDirector Newsletter WordPress Plugin · Researcher: afnaan

Media Library Folders <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2026-2312 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: Media Library Folders · Researcher: shivanandsnaidu

MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2026-1215 · Patch Status: Unpatched · Published: Feb 10, 2026 · Affected Software: MMA Call Tracking · Researcher: afnaan

Modula Image Gallery – Photo Grid & Video Gallery <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2026-1254 · Patch Status: Patched · Published: Feb 13, 2026 · Affected Software: Modula Image Gallery – Photo Grid & Video Gallery · Researcher: type5afe

OpenPix <= 2.13.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update
CVSS Rating: Medium (4.3) · CVE-ID: CVE-2025-15400 · Patch Status: Unpatched · Published: Feb 11, 2026 · Affected Software: OpenPix for WooCommerce · Researcher: Md. Moniruzzaman Prodhan (NomanProdhan)
Paid Member Subscriptions <= 2.16.8 - Authenticated (Subscriber+) Insecure Direct Object Reference
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68514
Patch Status
Patched
Published
Feb 11, 2026
Affected Software
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Researcher
daroo
More Details >
Passster <= 4.2.25 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-25036
Patch Status
Patched
Published
Feb 12, 2026
Affected Software
Passster – Password Protect Pages and Content
Researcher
johska
More Details >
PDF for Elementor Forms + Drag And Drop Template Builder <= 6.3.1 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-22350
Patch Status
Patched
Published
Feb 11, 2026
Affected Software
PDF for Elementor Forms + Drag And Drop Template Builder
Researcher
Legion Hunter
More Details >
PDF for WPForms <= 6.3.0 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68534
Patch Status
Patched
Published
Feb 11, 2026
Affected Software
PDF for WPForms + Drag and Drop Template Builder
Researcher
Legion Hunter
More Details >
SEATT: Simple Event Attendance <= 1.5.0 - Cross-Site Request Forgery to Arbitrary Event Deletion
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1983
Patch Status
Unpatched
Published
Feb 13, 2026
Affected Software
SEATT: Simple Event Attendance
Researcher
MD. TAREQ AHAMED JONY (itztrq)
More Details >
Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-2022
Patch Status
Unpatched
Published
Feb 13, 2026
Affected Software
Smart Forms – when you need more than just a contact form
Researcher
lucsob
More Details >
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-15147
Patch Status
Patched
Published
Feb 9, 2026
Affected Software
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Researcher
Jing Xuan Sun
More Details >
WooCommerce Bulk Product Editor <= 3.0 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-69381
Patch Status
Unpatched
Published
Feb 9, 2026
Affected Software
WooCommerce Bulk Product Editor
Researcher
Phat RiO
More Details >
WP Quick Contact Us <= 1.0 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1394
Patch Status
Unpatched
Published
Feb 13, 2026
Affected Software
WP Quick Contact Us
Researcher
afnaan
More Details >
As a reminder, Wordfence maintains an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
The database is continuously updated and maintained by Wordfence's vulnerability researchers through in-house research, submissions from researchers to our Bug Bounty Program, and monitoring of other sources, so that all publicly available WordPress vulnerability information is captured, with additional context added where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 9, 2026 to February 15, 2026) appeared first on Wordfence.
Source: www.wordfence.com