Critical Vulnerabilities in WordPress Plugins and Themes

⚠️ CVE references: CVE-2026-32457 CVE-2026-3222 CVE-2026-3891 CVE-2026-3228 CVE-2026-1919 CVE-2026-1947 CVE-2026-32454 CVE-2026-3045 CVE-2026-27051 CVE-2026-22510 CVE-2026-2631 CVE-2026-2324 CVE-2026-27079 CVE-2026-24969 CVE-2026-3534 CVE-2026-1704 CVE-2026-3986 CVE-2026-24964 CVE-2026-32459 CVE-2025-12473 CVE-2026-1870 CVE-2025-50001 CVE-2026-32460 CVE-2026-32453 CVE-2026-2358 CVE-2026-3492 CVE-2026-27070 CVE-2026-24968 CVE-2026-32452 CVE-2026-22524 CVE-2026-1867 CVE-2026-3226 CVE-2026-1781 CVE-2026-27082 CVE-2026-27065 CVE-2026-3231 CVE-2026-27088 CVE-2026-1993 CVE-2026-2879 CVE-2026-27067 CVE-2026-1708 CVE-2026-27083 CVE-2026-2233 CVE-2026-3903 CVE-2026-2918 CVE-2026-32461 CVE-2026-32450 CVE-2026-2707 CVE-2026-27091 CVE-2026-2890 CVE-2026-2626 CVE-2026-0953 CVE-2026-27080 CVE-2026-3496 CVE-2026-3589 CVE-2026-0677 CVE-2026-1753 CVE-2026-2987 CVE-2026-3178 CVE-2026-32451 CVE-2026-22507 CVE-2026-32455 CVE-2026-2687 CVE-2026-27076 CVE-2026-24971 CVE-2025-15520 CVE-2026-1261 CVE-2026-27075 CVE-2025-69358 CVE-2026-2917 CVE-2026-3906 CVE-2026-22520 CVE-2026-22448 CVE-2026-2466 CVE-2026-22523 CVE-2026-2888 CVE-2026-1992 CVE-2026-32458 CVE-2026-2413 CVE-2026-3453 CVE-2026-27068 CVE-2026-32456 CVE-2026-1948 CVE-2026-24364 CVE-2025-13067 CVE-2026-1454 CVE-2026-24373 CVE-2026-27081 CVE-2026-23806 CVE-2026-27073 CVE-2026-27054 CVE-2026-24382 CVE-2026-24611 CVE-2026-1920 CVE-2026-32543 CVE-2026-27071 CVE-2025-69096 CVE-2026-27087 CVE-2026-27084 CVE-2026-3585 CVE-2026-3657 CVE-2026-24970 CVE-2026-4063 CVE-2026-2724 CVE-2026-2257 CVE-2026-27078 CVE-2026-24372 CVE-2026-2569 CVE-2026-27077 CVE-2025-15473 CVE-2026-1883

Summary

Over 100 critical security vulnerabilities have been discovered in popular WordPress plugins and themes. The issues include, among others, data leaks, privilege escalation and remote code execution. Users should urgently install patches or switch to alternatives to protect their systems against attacks.

Triple Threat Bug Bounty Challenge

Hunt High Threat vulnerabilities and earn triple the incentives! Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our 'High Threat Vulnerabilities' list:

- 2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
- +30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
- $300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)

Use the Bounty Estimator to see what rewards are possible through the promotion. Submit through our Bug Bounty Program today to maximize your impact and your payout.

Last week, there were 116 vulnerabilities disclosed in 78 WordPress Plugins and 19 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 66 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. Wordfence is the world’s leading quality vulnerability database provider for WordPress, so site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free. Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

- WAF-RULE-904 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-905 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week

  Count  Patch Status
     86  Patched
     30  Unpatched

Total Vulnerabilities by CVSS Severity Last Week

  Count  Severity Rating
     71  Medium Severity
     39  High Severity
      6  Critical Severity

Total Vulnerabilities by CWE Type Last Week

  Count  Vulnerability Type by CWE
     32  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
     27  Missing Authorization
     10  Authorization Bypass Through User-Controlled Key
      8  Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
      7  Deserialization of Untrusted Data
      7  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
      4  Cross-Site Request Forgery (CSRF)
      4  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
      3  Improper Privilege Management
      3  Unrestricted Upload of File with Dangerous Type
      2  Exposure of Sensitive Information to an Unauthorized Actor
      2  Improper Authentication
      2  Incorrect Privilege Assignment
      2  Missing Authentication for Critical Function
      2  Server-Side Request Forgery (SSRF)
      1  Improper Restriction of XML External Entity Reference

Researchers That Contributed to WordPress Security Last Week

  Count  Researcher Name
     13  Tran Nguyen Bao Khanh
      8  João Pedro S Alcântara (Kinorth)
      5  Dmitrii Ignatyev
      5  Phat RiO
      5  Youssef Elouaer
      4  Bonds
      4  Kazuma Matsumoto
      3  Nguyen Ba Khanh
      3  daroo
      2  Drew Webber (mcdruid)
      2  Quốc Huy (jtwings)
      2  timomangcut
      2  Ali Sünbül
      2  hoshino
      2  zaim
      2  sibwtf
      2  Khaled Alenazi (Nxploited)
      2  Muhammad Sharief
      2  Itthidej Aramsri (Boeing777)
      2  NumeX
      1  Vuln Seeker Cyber Security Team
      1  Dimas Maulana
      1  Sarawut Poolkhet (MisterHelloz)
      1  lilmingwa13
      1  Krugov Artyom
      1  Krissaphat Jankaew
      1  Alexis Lafontaine
      1  Legion Hunter
      1  PPzzAArr
      1  Marc-André Beaulieu (h3dg3h0g)
      1  Vitaly Simonovich
      1  mikemyers
      1  Kishan Vyas
      1  Jack Pas (Dark.)
      1  benzdeus
      1  Or Benit
      1  Athiwat Tiprasaharn (Jitlada)
      1  Tharadol Suksamran (d3kc4rt_1)
      1  darkmode
      1  ibrahimsql
      1  d.v4n_s3c
      1  Asaf Mozes
      1  kai63001
      1  Saif (Team 51)
      1  hhhai
      1  Muhammad Yudha - DJ
      1  Phat RiO - BlueRock
      1  Silver Asu
      1  Jarno Vos (jarnovos)
      1  kaminuma
      1  w41bu1
      1  Youssef Achtatal
      1  at1as
      1  Mike Gozdiskowski
      1  lucsob
      1  johska
      1  Michael Iden (Mickhat)
      1  0xd4rk5id3
      1  Hunter Jensen (skid)
      1  Maktoum (bRpsd)
      1  oolongeya
      1  Supakiad S. (m3ez)
      1  andrea bocchetti
      1  Andrés Cruciani
      1  LionTree
      1  John P

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name [Software Slug]

  Active Products Tables for WooCommerce. Use constructor to create tables [profit-products-tables-for-woocommerce]
  Addi – Cuotas que se adaptan a ti [buy-now-pay-later-addi]
  Admin Menu Editor [admin-menu-editor]
  Advanced Product Fields (Product Addons) for WooCommerce [advanced-product-fields-for-woocommerce]
  Ally – Web Accessibility & Usability [pojo-accessibility]
  Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
  Avada (Fusion) Builder [fusion-builder]
  Avada Core [fusion-core]
  Booktics – Booking Calendar for Appointments and Service Businesses [booktics]
  BuilderPress - WordPress Theme for Construction, A [builderpress]
  Calculated Fields Form [calculated-fields-form]
  Checkout Field Editor (Checkout Manager) for WooCommerce [woo-checkout-field-editor-pro]
  Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe [contest-gallery]
  Darna Framework [darna-framework]
  Datalogics Ecommerce Delivery – Datalogics [datalogics]
  Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer [3d-flipbook-dflip-lite]
  divi-booster [divi-booster]
  DukaPress [dukapress]
  EventPrime – Events Calendar, Bookings and Tickets [eventprime-event-calendar-management]
  Everest Forms Pro [everest-forms-pro]
  ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) [google-analytics-dashboard-for-wp]
  Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder [formidable]
  GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools [getgenie]
  Gravity Forms [gravityforms]
  Guest posting / Frontend Posting / Front Editor – WP Front User Submit [front-editor]
  Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder [gutena-forms]
  Handmade Framework [handmade-framework]
  Happy Addons for Elementor [happy-elementor-addons]
  JetBooking [jet-booking]
  Job Postings [job-postings]
  LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]
  Lead Form Builder & Contact Form [lead-form-builder]
  LearnPress – WordPress LMS Plugin for Create and Sell Online Courses [learnpress]
  Legacy Admin [legacy-admin]
  MC4WP: Mailchimp for WordPress [mailchimp-for-wp]
  MDTF – Meta Data and Taxonomies Filter [wp-meta-data-filter-and-taxonomy-filter]
  MetForm Pro [metform-pro]
  Mobile App Editor – WordPress to Android App Builder [mobile-app-editor]
  Modular DS: Monitor, update, and backup multiple websites [modular-connector]
  My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) [mystickymenu]
  Name Directory [name-directory]
  NEX-Forms – Ultimate Forms Plugin for WordPress [nex-forms-express-wp-form-builder]
  NextScripts: Social Networks Auto-Poster [social-networks-auto-poster-facebook-twitter-g]
  Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress [wp-user-avatar]
  Penci Soledad Data Migrator [penci-data-migrator]
  Photo Contest | Competition | Video Contest [totalcontest-lite]
  PitchPrint [pitchprint]
  Pix for WooCommerce [payment-gateway-pix-for-woocommerce]
  Reading progressbar [reading-progress-bar]
  Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) [really-simple-ssl]
  RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login [custom-registration-form-builder-with-submission-manager]
  Responsive Blocks – Page Builder for Blocks & Patterns [responsive-block-editor-addons]
  Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons]
  RTMKit [rometheme-for-elementor]
  Simple Ajax Chat – Add a Fast, Secure Chat Box [simple-ajax-chat]
  Social Icons Widget & Block – Social Media Icons & Share Buttons [social-icons-widget-by-wpzoom]
  Subscriptions for WooCommerce [subscriptions-for-woocommerce]
  tagDiv Composer [td-composer]
  The Events Calendar [the-events-calendar]
  Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor [thim-elementor-kit]
  Timetics – Appointment Booking Calendar & Scheduling System [timetics]
  Tutor LMS Pro [tutor-pro]
  UiPress lite | Effortless custom dashboards, admin themes and pages [uipress-lite]
  Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7]
  Ultra Admin [ultra-admin]
  Unlimited Elements For Elementor [unlimited-elements-for-elementor]
  UpsellWP – WooCommerce Upsell and Related Products Offers [checkout-upsell-and-order-bumps]
  User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend]
  Website LLMs.txt [website-llms-txt]
  weForms – Easy Drag & Drop Contact Form Builder For WordPress [weforms]
  Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types [wicked-folders]
  WOLF – WordPress Posts Bulk Editor and Manager Professional [bulk-editor]
  Wolverine Framework [wolverine-framework]
  WooCommerce [woocommerce]
  WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters [wp-google-map-plugin]
  WP ULike – Like & Dislike Buttons for Engagement and Feedback [wp-ulike]
  WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution [wp-cafe]
  Xagio SEO – AI Powered SEO [xagio-seo]

WordPress Themes with Reported Vulnerabilities Last Week

Software Name [Software Slug]

  Amfissa - Organic Olive Shop WordPress Theme [amfissa]
  Astra [astra]
  Beelove | Honey Production and Sweets Online Store WordPress Theme [beelove]
  Belfort - Single Property and Apartment WordPress Theme [belfort]
  Buisson - Gardening WordPress Theme [buisson]
  Deston - Corporate Business WordPress Theme [deston]
  Emaurri - Architecture and Interior Design WordPress Theme [emaurri]
  Energox | EV Charging Station WordPress Theme [energox]
  Golo - City Travel Guide WordPress Theme [golo]
  Instant VA - Virtual Assistant Elementor Template Kit [instantva]
  Love Story | Wedding and Event Planner WordPress Theme [lovestory]
  LuxeDrive - Limousine and Car Rental WordPress Theme [luxedrive]
  Melody - Arts Courses & Music School WordPress Theme [melodyschool]
  MultiOffice - Coworking Space WordPress Theme [multioffice]
  News Magazine X [news-magazine-x]
  Rosebud - Flower Shop and Florist WordPress Theme [rosebud]
  Search & Go - Directory WordPress Theme [searchgo]
  Work & Travel Company - Youth Programs Theme [work-travel-company]
  zorka [zorka]

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Datalogics Ecommerce Delivery – Datalogics < 2.6.60 - Unauthenticated Privilege Escalation
  CVSS Rating: 9.8 (Critical)
  CVE-ID: CVE-2026-2631
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: Datalogics Ecommerce Delivery – Datalogics [datalogics]
  Researcher: Khaled Alenazi (Nxploited)

Golo - City Travel Guide WordPress Theme <= 1.7.0 - Unauthenticated Privilege Escalation
  CVSS Rating: 9.8 (Critical)
  CVE-ID: CVE-2026-27051
  Patch Status: Unpatched
  Published: Mar 12, 2026
  Affected Software: Golo - City Travel Guide WordPress Theme [golo]
  Researcher: Tran Nguyen Bao Khanh

Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload
  CVSS Rating: 9.8 (Critical)
  CVE-ID: CVE-2026-3891
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: Pix for WooCommerce [payment-gateway-pix-for-woocommerce]
  Researcher: Alexis Lafontaine

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authentication Bypass
  CVSS Rating: 9.8 (Critical)
  CVE-ID: CVE-2026-24373
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login [custom-registration-form-builder-with-submission-manager]
  Researcher: 0xd4rk5id3

Tutor LMS Pro <= 3.9.5 - Authentication Bypass via Social Login
  CVSS Rating: 9.8 (Critical)
  CVE-ID: CVE-2026-0953
  Patch Status: Patched
  Published: Mar 9, 2026
  Affected Software: Tutor LMS Pro [tutor-pro]
  Researcher: Phat RiO - BlueRock

PitchPrint <= 11.1.2 - Unauthenticated Arbitrary File Deletion
  CVSS Rating: 9.1 (Critical)
  CVE-ID: CVE-2026-22448
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: PitchPrint [pitchprint]
  Researcher: NumeX

ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update
  CVSS Rating: 8.8 (High)
  CVE-ID: CVE-2026-1993
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) [google-analytics-dashboard-for-wp]
  Researcher: Ali Sünbül

ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation
  CVSS Rating: 8.8 (High)
  CVE-ID: CVE-2026-1992
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) [google-analytics-dashboard-for-wp]
  Researcher: Ali Sünbül

Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass
  CVSS Rating: 8.8 (High)
  CVE-ID: CVE-2025-13067
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons]
  Researcher: mikemyers

Search & Go <= 2.8 - Authenticated (Subscriber+) Privilege Escalation
  CVSS Rating: 8.8 (High)
  CVE-ID: CVE-2026-24971
  Patch Status: Patched
  Published: Mar 13, 2026
  Affected Software: Search & Go - Directory WordPress Theme [searchgo]
  Researcher: Phat RiO

Amfissa <= 1.1 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27079
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Amfissa - Organic Olive Shop WordPress Theme [amfissa]
  Researcher: Tran Nguyen Bao Khanh

Beelove | Honey Production and Sweets Online Store WordPress Theme <= 1.2.6 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-22507
  Patch Status: Unpatched
  Published: Mar 9, 2026
  Affected Software: Beelove | Honey Production and Sweets Online Store WordPress Theme [beelove]
  Researcher: Tran Nguyen Bao Khanh

Belfort <= 1.0 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27075
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Belfort - Single Property and Apartment WordPress Theme [belfort]
  Researcher: Tran Nguyen Bao Khanh

BuilderPress <= 2.0.1 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27065
  Patch Status: Unpatched
  Published: Mar 12, 2026
  Affected Software: BuilderPress - WordPress Theme for Construction, A [builderpress]
  Researcher: Phat RiO

Buisson <= 1.1.11 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27084
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Buisson - Gardening WordPress Theme [buisson]
  Researcher: Tran Nguyen Bao Khanh

Deston <= 1.0 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27080
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Deston - Corporate Business WordPress Theme [deston]
  Researcher: Tran Nguyen Bao Khanh

Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-2626
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: divi-booster [divi-booster]
  Researcher: Saif (Team 51)

Emaurri <= 1.0.1 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27078
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Emaurri - Architecture and Interior Design WordPress Theme [emaurri]
  Researcher: Tran Nguyen Bao Khanh

Energox <= 1.2 - Authenticated (Subscriber+) Arbitrary File Deletion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-24970
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: Energox | EV Charging Station WordPress Theme [energox]
  Researcher: Phat RiO

Instant VA <= 1.0.1 - Authenticated (Subscriber+) Arbitrary File Deletion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-24969
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: Instant VA - Virtual Assistant Elementor Template Kit [instantva]
  Researcher: Phat RiO

Love Story <= 1.3.12 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27082
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Love Story | Wedding and Event Planner WordPress Theme [lovestory]
  Researcher: Tran Nguyen Bao Khanh

LuxeDrive <= 1.0 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27076
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: LuxeDrive - Limousine and Car Rental WordPress Theme [luxedrive]
  Researcher: Tran Nguyen Bao Khanh

Melody <= 1.6.3 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-22510
  Patch Status: Unpatched
  Published: Mar 9, 2026
  Affected Software: Melody - Arts Courses & Music School WordPress Theme [melodyschool]
  Researcher: Tran Nguyen Bao Khanh

MultiOffice <= 1.2 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27077
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: MultiOffice - Coworking Space WordPress Theme [multioffice]
  Researcher: Tran Nguyen Bao Khanh

ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-3453
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress [wp-user-avatar]
  Researcher: kai63001

Rosebud - Flower Shop and Florist WordPress Theme <= 1.4 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27081
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Rosebud - Flower Shop and Florist WordPress Theme [rosebud]
  Researcher: Tran Nguyen Bao Khanh

Work & Travel Company <= 1.2 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High)
  CVE-ID: CVE-2026-27083
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Work & Travel Company - Youth Programs Theme [work-travel-company]
  Researcher: Tran Nguyen Bao Khanh

Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-2413
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Ally – Web Accessibility & Usability [pojo-accessibility]
  Researcher: Drew Webber (mcdruid)

Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-1708
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
  Researcher: d.v4n_s3c

Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-3045
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
  Researcher: Muhammad Sharief

Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-2890
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder [formidable]
  Researcher: Andrés Cruciani

JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-3496
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: JetBooking [jet-booking]
  Researcher: hoshino

My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-3657
  Patch Status: Patched
  Published: Mar 11, 2026
  Affected Software: My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) [mystickymenu]
  Researcher: Dimas Maulana

NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-1947
  Patch Status: Patched
  Published: Mar 14, 2026
  Affected Software: NEX-Forms – Ultimate Forms Plugin for WordPress [nex-forms-express-wp-form-builder]
  Researcher: Youssef Elouaer

Photo Contest | Competition | Video Contest <= 2.9.1 - Authenticated (Author+) PHP Object Injection
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-0677
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Photo Contest | Competition | Video Contest [totalcontest-lite]
  Researcher: hhhai

The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-3585
  Patch Status: Patched
  Published: Mar 9, 2026
  Affected Software: The Events Calendar [the-events-calendar]
  Researcher: Dmitrii Ignatyev

WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter
  CVSS Rating: 7.5 (High)
  CVE-ID: CVE-2026-3222
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters [wp-google-map-plugin]
  Researcher: johska

Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field
  CVSS Rating: 7.2 (High)
  CVE-ID: CVE-2026-3231
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Checkout Field Editor (Checkout Manager) for WooCommerce [woo-checkout-field-editor-pro]
  Researcher: Dmitrii Ignatyev

DukaPress <= 3.2.4 - Unauthenticated Stored Cross-Site Scripting
  CVSS Rating: 7.2 (High)
  CVE-ID: CVE-2026-2466
  Patch Status: Unpatched
  Published: Mar 12, 2026
  Affected Software: DukaPress [dukapress]
  Researcher: Vuln Seeker Cyber Security Team

Everest Forms Pro <= 1.9.10 - Unauthenticated Stored Cross-Site Scripting
  CVSS Rating: 7.2 (High)
  CVE-ID: CVE-2026-27070
  Patch Status: Unpatched
  Published: Mar 12, 2026
  Affected Software: Everest Forms Pro [everest-forms-pro]
  Researcher: Kishan Vyas

MetForm Pro <= 3.9.6 - Unauthenticated Stored Cross-Site Scripting
  CVSS Rating: 7.2 (High)
  CVE-ID: CVE-2026-1261
  Patch Status: Patched
  Published: Mar 9, 2026
  Affected Software: MetForm Pro [metform-pro]
  Researcher: andrea bocchetti

Mobile App Editor – WordPress to Android App Builder <= 1.3.1 - Authenticated (Editor+) Arbitrary File Upload
  CVSS Rating: 7.2 (High)
  CVE-ID: CVE-2026-27067
  Patch Status: Unpatched
  Published: Mar 12, 2026
  Affected Software: Mobile App Editor – WordPress to Android App Builder [mobile-app-editor]
  Researcher: NumeX

Name Directory <= 1.32.1 - Unauthenticated Stored Cross-Site Scripting via 'name_directory_name'
  CVSS Rating: 7.2 (High)
  CVE-ID: CVE-2026-3178
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Name Directory [name-directory]
  Researcher: Youssef Elouaer

Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting
  CVSS Rating: 7.2 (High)
  CVE-ID: CVE-2026-1454
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Lead Form Builder & Contact Form [lead-form-builder]
  Researcher: Youssef Elouaer

Unlimited Elements For Elementor <= 2.0.5 - Unauthenticated Stored Cross-Site Scripting via Form Entry Fields
  CVSS Rating: 7.2 (High)
  CVE-ID: CVE-2026-2724
  Patch Status: Patched
  Published: Mar 9, 2026
  Affected Software: Unlimited Elements For Elementor [unlimited-elements-for-elementor]
  Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Tharadol Suksamran (d3kc4rt_1)

MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion
  CVSS Rating: 6.5 (Medium)
  CVE-ID: CVE-2026-1781
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: MC4WP: Mailchimp for WordPress [mailchimp-for-wp]
  Researcher: Sarawut Poolkhet (MisterHelloz)

WordPress <= 6.9.1 - Authenticated (Author+) XML External Entity Injection via getID3 Library Media Upload
  CVSS Rating: 6.5 (Medium)
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: WordPress [wordpress]
  Researcher: Youssef Achtatal

Active Products Tables for WooCommerce. Use constructor to create tables <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-32450
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Active Products Tables for WooCommerce. Use constructor to create tables [profit-products-tables-for-woocommerce]
  Researcher: zaim

Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-3534
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Astra [astra]
  Researcher: at1as

Avada Core < 5.15.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-32454
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Avada Core [fusion-core]
  Researcher: Bonds

Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-3986
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: Calculated Fields Form [calculated-fields-form]
  Researcher: Hunter Jensen (skid)

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-24964
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe [contest-gallery]
  Researcher: lilmingwa13

Dear Flipbook <= 2.4.20 - Authenticated (Author+) Stored Cross-Site Scripting via PDF Page Labels
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-2569
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer [3d-flipbook-dflip-lite]
  Researcher: Drew Webber (mcdruid)

GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-2257
  Patch Status: Patched
  Published: Mar 12, 2026
  Affected Software: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools [getgenie]
  Researcher: Quốc Huy (jtwings)

Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-3492
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Gravity Forms [gravityforms]
  Researcher: hoshino

Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-2918
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: Happy Addons for Elementor [happy-elementor-addons]
  Researcher: Dmitrii Ignatyev

MDTF – Meta Data and Taxonomies Filter <= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-32455
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: MDTF – Meta Data and Taxonomies Filter [wp-meta-data-filter-and-taxonomy-filter]
  Researcher: zaim

NextScripts: Social Networks Auto-Poster <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'nxs_fbembed' Shortcode
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-3228
  Patch Status: Patched
  Published: Mar 9, 2026
  Affected Software: NextScripts: Social Networks Auto-Poster [social-networks-auto-poster-facebook-twitter-g]
  Researcher: Muhammad Yudha - DJ

Ultra Addons for Contact Form 7 <= 3.5.36 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-32460
  Patch Status: Patched
  Published: Mar 14, 2026
  Affected Software: Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7]
  Researcher: Marc-André Beaulieu (h3dg3h0g)

weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-2707
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: weForms – Easy Drag & Drop Contact Form Builder For WordPress [weforms]
  Researcher: Muhammad Sharief

WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute
  CVSS Rating: 6.4 (Medium)
  CVE-ID: CVE-2026-2358
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: WP ULike – Like & Dislike Buttons for Engagement and Feedback [wp-ulike]
  Researcher: Quốc Huy (jtwings)

Darna Framework <= 2.9 - Reflected Cross-Site Scripting
  CVSS Rating: 6.1 (Medium)
  CVE-ID: CVE-2026-27088
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Darna Framework [darna-framework]
  Researcher: João Pedro S Alcântara (Kinorth)

Handmade Framework <= 3.9 - Reflected Cross-Site Scripting
  CVSS Rating: 6.1 (Medium)
  CVE-ID: CVE-2026-22520
  Patch Status: Unpatched
  Published: Mar 9, 2026
  Affected Software: Handmade Framework [handmade-framework]
  Researcher: João Pedro S Alcântara (Kinorth)

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting
  CVSS Rating: 6.1 (Medium)
  CVE-ID: CVE-2026-2324
  Patch Status: Patched
  Published: Mar 10, 2026
  Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]
  Researcher: lucsob

Legacy Admin <= 9.5 - Reflected Cross-Site Scripting
  CVSS Rating: 6.1 (Medium)
  CVE-ID: CVE-2026-22524
  Patch Status: Unpatched
  Published: Mar 10, 2026
  Affected Software: Legacy Admin [legacy-admin]
  Researcher: João Pedro S Alcântara (Kinorth)

Penci Soledad Data Migrator <= 1.3.1 - Reflected Cross-Site Scripting
  CVSS Rating: 6.1 (Medium)
  CVE-ID: CVE-2026-27054
  Patch Status: Unpatched
  Published: Mar 12, 2026
  Affected Software: Penci Soledad Data Migrator [penci-data-migrator]
  Researcher: João Pedro S Alcântara (Kinorth)

RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter
  CVSS Rating: 6.1 (Medium)
  CVE-ID: CVE-2025-12473
  Patch Status:
Patched Published Mar 10, 2026 Affected Software RTMKit [rometheme-for-elementor] Researcher LionTree More Details > Simple Ajax Chat <= 20260217 - Unauthenticated Stored Cross-Site Scripting via 'c' 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-2987 Patch Status Patched Published Mar 12, 2026 Affected Software Simple Ajax Chat – Add a Fast, Secure Chat Box [simple-ajax-chat] Researcher Kazuma Matsumoto More Details > tagDiv Composer <= 5.4.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2025-50001 Patch Status Patched Published Mar 10, 2026 Affected Software tagDiv Composer [td-composer] Researcher João Pedro S Alcântara (Kinorth) More Details > Ultra WordPress Admin <= 11.7 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-22523 Patch Status Unpatched Published Mar 10, 2026 Affected Software Ultra Admin [ultra-admin] Researcher João Pedro S Alcântara (Kinorth) More Details > Website LLMs.txt <= 8.2.6 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27068 Patch Status Patched Published Mar 12, 2026 Affected Software Website LLMs.txt [website-llms-txt] Researcher benzdeus More Details > Wolverine Framework <= 1.9 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27087 Patch Status Unpatched Published Mar 10, 2026 Affected Software Wolverine Framework [wolverine-framework] Researcher João Pedro S Alcântara (Kinorth) More Details > Zorka – Wonderful Fashion WooCommerce Theme <= 1.5.7 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2025-69096 Patch Status Unpatched Published Mar 10, 2026 Affected Software zorka [zorka] Researcher João Pedro S Alcântara (Kinorth) More Details > WordPress <= 6.9.1 - Unauthenticated Blind Server-Side Request Forgery via XML-RPC Pingback Discovery 5.8 CVSS Rating 5.8 (Medium) Patch Status Patched Published Mar 10, 2026 Affected Software WordPress [wordpress] Researcher sibwtf More Details > GetGenie <= 
4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-2879 Patch Status Patched Published Mar 12, 2026 Affected Software GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools [getgenie] Researcher Kazuma Matsumoto More Details > Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-2917 Patch Status Patched Published Mar 10, 2026 Affected Software Happy Addons for Elementor [happy-elementor-addons] Researcher Dmitrii Ignatyev More Details > Addi – Cuotas que se adaptan a ti <= 2.0.4 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-27073 Patch Status Unpatched Published Mar 10, 2026 Affected Software Addi – Cuotas que se adaptan a ti [buy-now-pay-later-addi] Researcher Jarno Vos (jarnovos) More Details > Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.18 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-32457 Patch Status Patched Published Mar 11, 2026 Affected Software Advanced Product Fields (Product Addons) for WooCommerce [advanced-product-fields-for-woocommerce] Researcher timomangcut More Details > Avada (Fusion) Builder < 3.15.0 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-32452 Patch Status Patched Published Mar 10, 2026 Affected Software Avada (Fusion) Builder [fusion-builder] Researcher Bonds More Details > Avada Core < 5.15.0 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-32453 Patch Status Patched Published Mar 10, 2026 Affected Software Avada Core [fusion-core] Researcher Bonds More Details > Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-1920 Patch Status Patched Published Mar 9, 2026 Affected Software Booktics – Booking Calendar for 
Appointments and Service Businesses [booktics] Researcher Kazuma Matsumoto More Details > Booktics <= 1.0.16 - Missing Authorization to Get Items via REST API endpoints 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-1919 Patch Status Patched Published Mar 9, 2026 Affected Software Booktics – Booking Calendar for Appointments and Service Businesses [booktics] Researcher Kazuma Matsumoto More Details > EventPrime – Events Calendar, Bookings and Tickets <= 4.2.6.0 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2025-69358 Patch Status Patched Published Mar 10, 2026 Affected Software EventPrime – Events Calendar, Bookings and Tickets [eventprime-event-calendar-management] Researcher Nguyen Ba Khanh More Details > Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-2888 Patch Status Patched Published Mar 12, 2026 Affected Software Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder [formidable] Researcher Michael Iden (Mickhat) More Details > Guest posting / Frontend Posting / Front Editor – WP Front User Submit < 5.0.6 - Unauthenticated Information Exposure 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-1867 Patch Status Patched Published Mar 12, 2026 Affected Software Guest posting / Frontend Posting / Front Editor – WP Front User Submit [front-editor] Researcher Mike Gozdiskowski More Details > Job Postings <= 2.8 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-23806 Patch Status Patched Published Mar 10, 2026 Affected Software Job Postings [job-postings] Researcher Krissaphat Jankaew More Details > MetForm Pro <= 3.9.1 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-24611 Patch Status Unpatched Published Mar 12, 2026 Affected Software MetForm Pro [metform-pro] Researcher Phat RiO More Details > News Magazine X <= 1.2.50 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) 
CVE-ID CVE-2026-24382 Patch Status Patched Published Mar 10, 2026 Affected Software News Magazine X [news-magazine-x] Researcher John P More Details > RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authenticated (Subscriber+) Information Exposure 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2025-15520 Patch Status Patched Published Mar 12, 2026 Affected Software RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login [custom-registration-form-builder-with-submission-manager] Researcher Maktoum (bRpsd) More Details > Responsive Blocks – Page Builder for Blocks & Patterns <= 2.2.0 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-32543 Patch Status Patched Published Mar 11, 2026 Affected Software Responsive Blocks – Page Builder for Blocks & Patterns [responsive-block-editor-addons] Researcher Silver Asu More Details > Subscriptions for WooCommerce <= 1.8.10 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-24372 Patch Status Patched Published Mar 13, 2026 Affected Software Subscriptions for WooCommerce [subscriptions-for-woocommerce] Researcher PPzzAArr More Details > Thim Kit for Elementor <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-1870 Patch Status Patched Published Mar 14, 2026 Affected Software Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor [thim-elementor-kit] Researcher Youssef Elouaer More Details > Timetics – Appointment Booking Calendar & Scheduling System < 1.0.52 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2025-15473 Patch Status Patched Published Mar 12, 2026 Affected Software Timetics – Appointment Booking Calendar & Scheduling System [timetics] Researcher Khaled Alenazi (Nxploited) More Details > User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - 
Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-2233 Patch Status Patched Published Mar 14, 2026 Affected Software User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend] Researcher Supakiad S. (m3ez) More Details > WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution <= 3.0.7 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-27071 Patch Status Unpatched Published Mar 12, 2026 Affected Software WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution [wp-cafe] Researcher daroo More Details > Xagio SEO – AI Powered SEO <= 7.1.0.30 - Unauthenticated Privilege Escalation 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-24968 Patch Status Patched Published Mar 12, 2026 Affected Software Xagio SEO – AI Powered SEO [xagio-seo] Researcher daroo More Details > UpsellWP – WooCommerce Upsell and Related Products Offers <= 2.2.4 - Authenticated (Shop manager+) SQL Injection 4.9 CVSS Rating 4.9 (Medium) CVE-ID CVE-2026-32459 Patch Status Patched Published Mar 14, 2026 Affected Software UpsellWP – WooCommerce Upsell and Related Products Offers [checkout-upsell-and-order-bumps] Researcher Nguyen Ba Khanh More Details > WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.7 - Authenticated (Editor+) SQL Injection 4.9 CVSS Rating 4.9 (Medium) CVE-ID CVE-2026-32458 Patch Status Patched Published Mar 12, 2026 Affected Software WOLF – WordPress Posts Bulk Editor and Manager Professional [bulk-editor] Researcher Nguyen Ba Khanh More Details > Reading progressbar < 1.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating 4.4 (Medium) CVE-ID CVE-2026-2687 Patch Status Patched Published Mar 12, 2026 Affected Software Reading progressbar [reading-progress-bar] Researcher Krugov Artyom More Details > WordPress <= 6.9.1 - Authenticated 
(Administrator+) Stored Cross-Site Scripting via Navigation Menu Items 4.4 CVSS Rating 4.4 (Medium) Patch Status Patched Published Mar 10, 2026 Affected Software WordPress [wordpress] Researcher sibwtf More Details > WordPress <= 6.9.1 - Cross-Site Scripting via Client-Side Template Override in Admin Area 4.4 CVSS Rating 4.4 (Medium) Patch Status Patched Published Mar 10, 2026 Affected Software WordPress [wordpress] Researcher Asaf Mozes More Details > Admin Menu Editor <= 1.14.1 - Cross-Site Request Forgery 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-32456 Patch Status Patched Published Mar 10, 2026 Affected Software Admin Menu Editor [admin-menu-editor] Researcher timomangcut More Details > Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-1704 Patch Status Patched Published Mar 12, 2026 Affected Software Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments] Researcher Itthidej Aramsri (Boeing777) More Details > Avada (Fusion) Builder < 3.15.0 - Missing Authorization 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-32451 Patch Status Patched Published Mar 10, 2026 Affected Software Avada (Fusion) Builder [fusion-builder] Researcher Bonds More Details > Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder < 1.6.1 - Missing Authorization to Authenticated (Contributor+) Settings Update 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-1753 Patch Status Patched Published Mar 12, 2026 Affected Software Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder [gutena-forms] Researcher ibrahimsql More Details > LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-3226 Patch Status Patched Published Mar 11, 2026 
Affected Software LearnPress – WordPress LMS Plugin for Create and Sell Online Courses [learnpress] Researcher Jack Pas (Dark.) More Details > Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-3903 Patch Status Patched Published Mar 10, 2026 Affected Software Modular DS: Monitor, update, and backup multiple websites [modular-connector] Researcher Dmitrii Ignatyev More Details > NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-1948 Patch Status Patched Published Mar 13, 2026 Affected Software NEX-Forms – Ultimate Forms Plugin for WordPress [nex-forms-express-wp-form-builder] Researcher Legion Hunter More Details > Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.7 - Missing Authorization 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-32461 Patch Status Patched Published Mar 15, 2026 Affected Software Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) [really-simple-ssl] Researcher Or Benit More Details > Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-4063 Patch Status Patched Published Mar 12, 2026 Affected Software Social Icons Widget & Block – Social Media Icons & Share Buttons [social-icons-widget-by-wpzoom] Researcher darkmode More Details > UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-27091 Patch Status Unpatched Published Mar 10, 2026 Affected Software UiPress lite | Effortless custom dashboards, admin themes and pages [uipress-lite] Researcher w41bu1 More Details > User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & 
User Registration <= 4.2.5 - Missing Authorization 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-24364 Patch Status Patched Published Mar 10, 2026 Affected Software User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend] Researcher daroo More Details > Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-1883 Patch Status Patched Published Mar 14, 2026 Affected Software Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types [wicked-folders] Researcher Youssef Elouaer More Details > WooCommerce < 10.5.3 - Cross-Site Request Forgery 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-3589 Patch Status Patched Published Mar 10, 2026 Affected Software WooCommerce [woocommerce] Researcher oolongeya More Details > WordPress <= 6.9.1 - Missing Authorization to Authenticated (Author+) Sensitive Information Disclosure via query-attachments AJAX Endpoint 4.3 CVSS Rating 4.3 (Medium) Patch Status Patched Published Mar 10, 2026 Affected Software WordPress [wordpress] Researcher Vitaly Simonovich More Details > WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-3906 Patch Status Patched Published Mar 10, 2026 Affected Software WordPress [wordpress] Researcher kaminuma More Details > As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. 
This database is continuously updated, maintained, and populated by Wordfence's vulnerability researchers through in-house research, submissions to the Wordfence Bug Bounty Program, and monitoring of public sources for WordPress vulnerability information, with additional context added where possible. Wordfence also offers a mailing list that delivers these weekly vulnerability reports and other WordPress security reports on publication.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 9, 2026 to March 15, 2026) appeared first on Wordfence.
Source: www.wordfence.com
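The practical question raised by a list like the one above is whether a given site runs an affected version, and the affected-version column mixes three notations ("<= 4.12.3", "< 5.15.0", "6.9 - 6.9.1") with version strings of unequal length and leading zeros ("5.4.5.0", "3.5.09", "20260217"). The script below is an added example for this page, not Wordfence's code and not part of any plugin: it evaluates those constraints against an inventory with numeric, segment-wise version comparison, so that 5.4.5 matches "<= 5.4.5.0" and 3.5.9 matches "<= 3.5.09", and it flags entries the table marks Unpatched, where updating is not an option. The ADVISORIES entries are copied from the table; INSTALLED_JSON and INSTALLED_CORE are constructed stand-ins for the output of `wp plugin list --fields=name,version --format=json` and `wp core version`, and the script assumes the `name` field equals the bracketed slug in the table (an assumption, not something the report states).

```python
"""Match installed WordPress component versions against the advisory table.

Added example for this report; not Wordfence's code and not part of any plugin.
ADVISORIES is a subset of the table above (slug, constraint as printed, CVE or ""
when none is listed, patched?). INSTALLED_JSON / INSTALLED_CORE are constructed
stand-ins for `wp plugin list --fields=name,version --format=json` and
`wp core version`; the version numbers in them are invented for the demo.
"""
import json
import re

ADVISORIES = [
    ("astra", "<= 4.12.3", "CVE-2026-3534", True),
    ("fusion-core", "< 5.15.0", "CVE-2026-32454", True),
    ("calculated-fields-form", "<= 5.4.5.0", "CVE-2026-3986", True),
    ("simple-ajax-chat", "<= 20260217", "CVE-2026-2987", True),
    ("wp-ulike", "<= 5.0.1", "CVE-2026-2358", False),
    ("uipress-lite", "<= 3.5.09", "CVE-2026-27091", False),
    ("woocommerce", "< 10.5.3", "CVE-2026-3589", True),
    ("wordpress", "<= 6.9.1", "", True),          # XML-RPC pingback SSRF: no CVE in the table
    ("wordpress", "6.9 - 6.9.1", "CVE-2026-3906", True),
]

# Constructed sample inventory; assumes wp-cli's `name` is the plugin slug.
INSTALLED_JSON = json.dumps([
    {"name": "astra", "version": "4.12.3"},            # boundary: equals the "<=" bound
    {"name": "fusion-core", "version": "5.15.0"},      # boundary: equals the "<" bound (fixed)
    {"name": "calculated-fields-form", "version": "5.4.5"},
    {"name": "simple-ajax-chat", "version": "20260217"},
    {"name": "wp-ulike", "version": "4.9.2"},          # affected and no patch exists
    {"name": "uipress-lite", "version": "3.5.9"},      # leading zero in the advisory bound
    {"name": "woocommerce", "version": "10.5.3"},
])
INSTALLED_CORE = "6.9.1"  # constructed stand-in for `wp core version`


def parse_version(v):
    """'3.5.09' -> (3, 5, 9). A non-numeric tail such as '-beta1' is dropped,
    which is sufficient for the release versions listed in the report."""
    nums = []
    for part in re.split(r"[.\-+]", v.strip()):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def version_cmp(a, b):
    """Segment-wise numeric comparison; missing trailing segments count as zero,
    so 5.4.5 == 5.4.5.0. Returns -1, 0 or 1."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(installed, constraint):
    """Evaluate a report-style constraint: '<= X', '< X' or 'A - B' (inclusive)."""
    c = constraint.strip()
    if c.startswith("<="):
        return version_cmp(installed, c[2:]) <= 0
    if c.startswith("<"):
        return version_cmp(installed, c[1:]) < 0
    m = re.fullmatch(r"(\S+)\s*-\s*(\S+)", c)
    if m:
        lo, hi = m.groups()
        return version_cmp(installed, lo) >= 0 and version_cmp(installed, hi) <= 0
    raise ValueError(f"unsupported constraint: {constraint!r}")


def load_installed(plugins_json, core_version):
    """Build {slug: version} from wp-cli plugin JSON plus the core version."""
    inventory = {p["name"]: p["version"] for p in json.loads(plugins_json)}
    inventory["wordpress"] = core_version
    return inventory


def check(installed, advisories=ADVISORIES):
    """One finding per matching advisory: (slug, cve, constraint, action)."""
    findings = []
    for slug, constraint, cve, patched in advisories:
        version = installed.get(slug)
        if version is None or not is_affected(version, constraint):
            continue
        action = "update" if patched else "no fix available: disable or restrict access"
        findings.append((slug, cve or "no CVE listed", constraint, action))
    return findings


if __name__ == "__main__":
    for slug, cve, constraint, action in check(load_installed(INSTALLED_JSON, INSTALLED_CORE)):
        print(f"{slug:24} {cve:15} affected ({constraint}) -> {action}")
```

Two caveats when using the table this way: a "<" bound is the first fixed release, but a "<=" bound only says where the affected range ends, so the fixed version still has to be taken from the plugin's changelog; and for the Unpatched entries the only options at publication time are deactivation or restricting who can reach the vulnerable feature.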