Remote Code Execution in WordPress Plugin "Nelio A/B Testing" (CVE-2026-32573)
Author: Chloe Chamberland
CVE references:
CVE-2026-32562
CVE-2026-32482
CVE-2026-32502
CVE-2026-32505
CVE-2026-32508
CVE-2026-32518
CVE-2026-25007
CVE-2026-4075
CVE-2025-12886
CVE-2026-25342
CVE-2026-31914
CVE-2026-23979
CVE-2026-4758
CVE-2026-25400
CVE-2026-32491
CVE-2026-32507
CVE-2026-4056
CVE-2026-4278
CVE-2026-32511
CVE-2026-24370
CVE-2026-25339
CVE-2026-32501
CVE-2026-3124
CVE-2026-25030
CVE-2026-32506
CVE-2026-3225
CVE-2026-25396
CVE-2026-4987
CVE-2026-3328
CVE-2026-25373
CVE-2026-1307
CVE-2026-32533
CVE-2026-4331
CVE-2026-25017
CVE-2026-4066
CVE-2026-32544
CVE-2026-25397
CVE-2026-4248
CVE-2026-3098
CVE-2026-25357
CVE-2026-32535
CVE-2026-25377
CVE-2026-3079
CVE-2026-4484
CVE-2026-32497
CVE-2026-23807
CVE-2026-4662
CVE-2026-25406
CVE-2026-4335
CVE-2026-25035
CVE-2026-1206
CVE-2026-4389
CVE-2026-1986
CVE-2026-32484
CVE-2026-4021
CVE-2026-25327
CVE-2026-23971
CVE-2026-25376
CVE-2026-32514
CVE-2026-25358
CVE-2026-32485
CVE-2026-2412
CVE-2026-2602
CVE-2026-4281
CVE-2026-24391
CVE-2026-25026
CVE-2026-25029
CVE-2026-25355
CVE-2026-24369
CVE-2026-25344
CVE-2026-25032
CVE-2026-32490
CVE-2026-25414
CVE-2026-3533
CVE-2026-2231
CVE-2026-2442
CVE-2026-32532
CVE-2026-25034
CVE-2026-25401
CVE-2026-25334
CVE-2026-1032
CVE-2026-4001
CVE-2026-2595
CVE-2026-25340
CVE-2026-32573
CVE-2026-2511
CVE-2026-25417
CVE-2026-23972
CVE-2026-32510
CVE-2026-25018
CVE-2026-4283
CVE-2026-4306
CVE-2026-32493
CVE-2026-3138
CVE-2026-25383
CVE-2026-25025
CVE-2026-25347
CVE-2026-25398
CVE-2026-4329
CVE-2026-25031
CVE-2026-25328
CVE-2026-32517
CVE-2026-23977
CVE-2026-25341
CVE-2026-2389
CVE-2026-2931
Summary
A vulnerability (CVE-2026-32573, CVSS 7.2, High) in the WordPress plugin "Nelio A/B Testing" allows an authenticated attacker with Editor-level access or higher to execute arbitrary code on the server. All versions up to and including 8.2.7 are affected. A patched version is available; site owners should update the plugin immediately.
Triple Threat Bug Bounty Challenge
Hunt High Threat vulnerabilities and earn triple the incentives!
Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our 'High Threat Vulnerabilities' list:
2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
+30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
$300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)
Use the Bounty Estimator to see what rewards are possible through the promotion.
Submit through our Bug Bounty Program today to maximize your impact and your payout.
Last week, there were 106 vulnerabilities disclosed in 77 WordPress Plugins and 22 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 40 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
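The workflow described above, pulling a dump of the vulnerability database and checking the plugins and themes you actually run against it, as an added example that is not Wordfence's own code or tooling: a Python version-range matcher run over a constructed, simplified feed. The three feed entries are built from this report's Woocommerce Custom Product Addons Pro, Ona and Apicona entries; the field names (`from_version`, `to_inclusive`, `patched`), the `type:slug` inventory keys and the installed versions in `SAMPLE_INVENTORY` are assumptions for the example, not the real feed's schema. What it shows beyond the paragraph: the `< 1.24` versus `<= 5.4.1` bounds used in the advisory titles need an inclusive/exclusive flag per bound, and WordPress-style versions such as `2.0.01` or `3.5.1.33` need a numeric comparator, not string comparison.

```python
"""Match a site's installed plugins/themes against a vulnerability feed.

Added example (not Wordfence code): the feed entries below are constructed
from three entries in this report and use a simplified, assumed schema; the
real Wordfence Intelligence feed carries more fields under different names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample feed (assumed schema). Range bounds follow the titles:
# "<= 5.4.1" is inclusive, "< 1.24" means 1.24 is the first fixed version.
SAMPLE_FEED = [
    {"cve": "CVE-2026-4001", "cvss": 9.8,
     "title": "Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution",
     "software": [{"type": "plugin", "slug": "woo-custom-product-addons-pro",
                   "from_version": "*", "from_inclusive": True,
                   "to_version": "5.4.1", "to_inclusive": True, "patched": True}]},
    {"cve": "CVE-2026-32482", "cvss": 8.8,
     "title": "Ona < 1.24 - Authenticated (Subscriber+) Arbitrary File Upload",
     "software": [{"type": "theme", "slug": "ona",
                   "from_version": "*", "from_inclusive": True,
                   "to_version": "1.24", "to_inclusive": False, "patched": True}]},
    {"cve": "CVE-2026-25400", "cvss": 7.5,
     "title": "Apicona <= 24.1.0 - Authenticated (Subscriber+) PHP Object Injection",
     "software": [{"type": "theme", "slug": "apicona",
                   "from_version": "*", "from_inclusive": True,
                   "to_version": "24.1.0", "to_inclusive": True, "patched": False}]},
]

# Constructed inventory, as a host might export it: "type:slug" -> version.
SAMPLE_INVENTORY = {
    "plugin:woo-custom-product-addons-pro": "5.4.1",  # last affected version
    "theme:ona": "1.24",                              # first fixed version
    "theme:apicona": "24.1.0",                        # affected, no fix yet
    "plugin:download-monitor": "5.1.8",               # not in this feed
}


def version_key(version: str) -> tuple[int, ...]:
    """Comparable form of a WordPress-style version string.

    Handles any dotted depth ("3.5.1.33"), leading zeros ("2.0.01" == "2.0.1")
    and trailing zeros ("1.7" == "1.7.0"). "*" sorts below everything.
    Pre-release suffixes such as "-beta" are ignored, which is acceptable for
    an advisory match but would need refining for a strict comparator.
    """
    if version == "*":
        return ()
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_range(version: str, rng: dict) -> bool:
    """True if `version` falls inside the affected range, honouring the
    inclusive/exclusive flag on each bound."""
    v = version_key(version)
    lo = version_key(rng["from_version"])
    lower_ok = v > lo or (rng["from_inclusive"] and v == lo)
    if rng["to_version"] == "*":          # open upper bound: every later version
        return lower_ok
    hi = version_key(rng["to_version"])
    upper_ok = v < hi or (rng["to_inclusive"] and v == hi)
    return lower_ok and upper_ok


@dataclass(frozen=True)
class Finding:
    slug: str
    installed: str
    cve: str
    cvss: float
    patched: bool
    title: str


def scan(inventory: dict[str, str], feed: list[dict]) -> list[Finding]:
    """Return every feed entry whose affected range contains an installed
    component, highest CVSS first so unpatched criticals surface at the top."""
    findings = []
    for entry in feed:
        for sw in entry["software"]:
            installed = inventory.get(f"{sw['type']}:{sw['slug']}")
            if installed is None or not in_range(installed, sw):
                continue
            findings.append(Finding(sw["slug"], installed, entry["cve"],
                                    entry["cvss"], sw["patched"], entry["title"]))
    return sorted(findings, key=lambda f: -f.cvss)


if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY, SAMPLE_FEED):
        action = "update available" if f.patched else "NO FIX: mitigate or remove"
        print(f"{f.cvss:>4} {f.cve} {f.slug} {f.installed}: {action}")
```

Run against the constructed inventory it reports the Woocommerce add-on (installed version equals the inclusive upper bound) and Apicona (affected and unpatched), and correctly skips Ona 1.24, which sits exactly on the exclusive bound and is the first fixed release. Note the "NO FIX" branch: an unpatched entry in the feed is a signal to disable or remove the component, not to wait for the scanner to go quiet.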
Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
WAF-RULE-907 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patched: 100
Unpatched: 6
Total Vulnerabilities by CVSS Severity Last Week
Medium Severity: 64
High Severity: 40
Critical Severity: 2
Total Vulnerabilities by CWE Type Last Week
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): 32
Missing Authorization: 27
Deserialization of Untrusted Data: 15
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): 8
Authorization Bypass Through User-Controlled Key: 4
Exposure of Sensitive Information to an Unauthorized Actor: 3
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): 3
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): 2
Unrestricted Upload of File with Dangerous Type: 2
Cross-Site Request Forgery (CSRF): 1
Improper Authentication: 1
Improper Authorization: 1
Improper Control of Generation of Code ('Code Injection'): 1
Improper Input Validation: 1
Improper Neutralization of CRLF Sequences ('CRLF Injection'): 1
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): 1
Improper Privilege Management: 1
Incorrect Privilege Assignment: 1
Server-Side Request Forgery (SSRF): 1
Researchers That Contributed to WordPress Security Last Week (number of vulnerabilities)
Phat RiO: 14
João Pedro Soares de Alcântara: 10
Denver Jackson: 7
daroo: 7
johska: 7
Doan Dinh Van (DinhVan52): 5
Nabil Irawan: 5
Nguyen Ba Khanh: 4
Muhammad Yudha - DJ: 4
Jack Pas (Dark.): 3
Osvaldo Noe Gonzalez Del Rio (Os): 2
shark3y: 2
Hunter Jensen (skid): 2
Supakiad S. (m3ez): 2
darkmode: 2
Tran Nguyen Bao Khanh: 2
daroo: 2
zaim: 2
Youssef Elouaer: 1
Hung Nguyen (bashu): 1
PPzzAArr: 1
Legion Hunter: 1
Ren Voza: 1
s00me00ne: 1
Daniel Basta (whizzu): 1
Bonds: 1
Ahmed Rayen Ayari: 1
andrea bocchetti: 1
Huynh Pham Thanh Luc: 1
d.v4n_s3c: 1
Sandeep V: 1
HDH: 1
Nguyen Duc Canh (canhnguyen26): 1
Drew Webber (mcdruid): 1
theviper17: 1
Lucas Montes (NiRoX): 1
Dmitrii Ignatyev: 1
Athiwat Tiprasaharn (Jitlada): 1
Leonid Semenenko (lsemenenko): 1
hoshino: 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week (software name [slug])
Addon Jobsearch Chat [addon-jobsearch-chat]
Blackhole for Bad Bots [blackhole-bad-bots]
Blog2Social: Social Media Auto Post & Scheduler [blog2social]
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment [booking-and-rental-manager-for-woocommerce]
Booking for Appointments and Events Calendar – Amelia [ameliabooking]
BWL Advanced FAQ Manager Lite [bwl-advanced-faq-manager-lite]
Coinbase Commerce – Crypto Gateway for WooCommerce [commerce-coinbase-for-woocommerce]
Complianz – GDPR/CCPA Cookie Consent [complianz-gdpr]
Conditional Menus [conditional-menus]
Contact Manager [contact-manager]
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe [contest-gallery]
Download Monitor [download-monitor]
DSGVO snippet for Leaflet Map and its Extensions [dsgvo-leaflet-map]
ElementInvader Addons for Elementor [elementinvader-addons-for-elementor]
Elementor Website Builder – more than just a page builder [elementor]
File Uploader for WooCommerce [file-uploader-for-woocommerce]
Five Star Restaurant Reservations – WordPress Booking Plugin [restaurant-reservations]
FloristPress for Woo – Customize your eCommerce store for your Florist [bakkbone-florist-companion]
Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution [fluent-booking]
FormLift for Infusionsoft Web Forms [formlift]
Frontend Admin by DynamiApps [acf-frontend-form-element]
Gyan Elements [gyan-elements]
Helpdesk Support Ticket System for WooCommerce [support-ticket-system-for-woocommerce]
Indeed Membership Pro [indeed-membership-pro]
JetEngine [jet-engine]
JobSearch WP Job Board [wp-jobsearch]
JS Help Desk – AI-Powered Support & Ticketing System [js-support-ticket]
Jupiter X Core [jupiterx-core]
KiviCare – Clinic & Patient Management System (EHR) [kivicare-clinic-management-system]
LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]
Lead Form Builder & Contact Form [lead-form-builder]
LearnDash LMS [sfwd-lms]
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses [learnpress]
Masteriyo LMS – Online Course Builder for eLearning, LMS & Education [learning-management-system]
NaturaLife Extensions [naturalife-extensions]
Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization [nelio-ab-testing]
Ninja Forms – The Contact Form Builder That Grows With You [ninja-forms]
OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) [oopspam-anti-spam]
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer]
Petitioner [petitioner]
PPWP – Password Protect Pages [password-protect-page]
Product File Upload for WooCommerce [products-file-upload-for-woocommerce]
Product Filter for WooCommerce by WBW [woo-product-filter]
ProfileGrid – User Profiles, Groups and Communities [profilegrid-user-profiles-groups-and-communities]
Quads Ads Manager for Google AdSense [quick-adsense-reloaded]
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker [quiz-master-next]
Review Schema – Review & Structure Data Schema Plugin [review-schema]
RSFirewall! [rsfirewall]
Salon Booking System Pro [salon-booking-plugin-pro]
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser]
Simple Download Counter [simple-download-counter]
Smart Custom Fields [smart-custom-fields]
Smart Slider 3 [smart-slider-3]
SureForms – Contact Form, Payment Form & Other Custom Form Builder [sureforms]
Team – Team Members Showcase Plugin [tlp-team]
The Grid [the-grid]
Tutor LMS Pro [tutor-pro]
Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio [twentig]
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin [ultimate-member]
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend]
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
User Verification by PickPlugins [user-verification]
Vertex Addons for Elementor [addons-for-elementor-builder]
VikRestaurants Table Reservations and Take-Away [vikrestaurants]
weForms – Easy Drag & Drop Contact Form Builder For WordPress [weforms]
Woocommerce Custom Product Addons Pro [woo-custom-product-addons-pro]
WP Configurator Pro [wp-configurator-pro]
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses [wp-courses]
WP DSGVO Tools (GDPR) [shapepress-dsgvo]
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website [wp-job-portal]
WP REST Cache [wp-rest-cache]
WP Review Slider [wp-facebook-reviews]
WP Telegram Widget and Join Link [wptelegram-widget]
WP TripAdvisor Review Slider [wp-tripadvisor-review-slider]
WPBookit Pro - Appointment Booking Plugin for WordPress [wpbookit-pro]
WPCargo Track & Trace [wpcargo]
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More [wpforms-lite]
WordPress Themes with Reported Vulnerabilities Last Week (software name [slug])
Apicona - Health & Medical WordPress Theme [apicona]
Archicon - Architecture and Construction WordPress Theme [archicon]
Borgholm - Marketing Agency Wordpress Theme [borgholm-marketing-agency-theme]
Boutique - Kute Fashion WooCommerce Theme ( RTL Supported ) [kute-boutique]
Car Dealer Automotive WordPress Theme – Responsive [cardealer]
Gaea - Environmental WordPress Theme [gaea]
Goldish - Jewelry Store WooCommerce Theme [goldish]
Halstein - Business Consulting WordPress Theme [halstein]
Kamperen - Camping and Adventure Tourism WordPress Theme [kamperen]
Kiddy - Children WordPress theme [kiddy]
KIDZ - Kids Store and Baby Shop Theme [kidz]
Leroux - Business Consulting WordPress Theme [leroux]
Meloo - Music Theme for WordPress [meloo]
Noo JobMonster [noo-jobmonster]
Ona [ona]
Oxygen - WooCommerce WordPress Theme [oxygen]
Ricky - Pet Shop & Care WooCoomerce Theme [ricky]
sanzo [sanzo]
Stål - Industry WordPress Theme [stal]
Tasty Daily - Grocery Store & Food WooCommerce Theme [tastydaily]
Vayvo - Media Streaming & Membership WordPress Theme [vayvo-progression]
Woodmart [woodmart]
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula
CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-4001 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Woocommerce Custom Product Addons Pro [woo-custom-product-addons-pro] | Researcher: Ren Voza
WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users
CVSS Rating: 9.1 (Critical) | CVE-ID: CVE-2026-4283 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: WP DSGVO Tools (GDPR) [shapepress-dsgvo] | Researcher: shark3y
Amelia Booking <= 9.1.2 - Authenticated (Customer+) Insecure Direct Object Reference to Arbitrary User Password Change
CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-2931 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: Booking for Appointments and Events Calendar – Amelia [ameliabooking] | Researcher: Hunter Jensen (skid)
JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import
CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-3533 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Jupiter X Core [jupiterx-core] | Researcher: Jack Pas (Dark.)
Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator
CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-4484 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education [learning-management-system] | Researcher: Hunter Jensen (skid)
Ona < 1.24 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-32482 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Ona [ona] | Researcher: Phat RiO
WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field
CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-4758 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: WP Job Portal – AI-Powered Recruitment System for Company or Job Board website [wp-job-portal] | Researcher: daroo
Archicon < 1.7 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-32506 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Archicon - Architecture and Construction WordPress Theme [archicon] | Researcher: Denver Jackson
Borgholm < 1.6 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-32502 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Borgholm - Marketing Agency Wordpress Theme [borgholm-marketing-agency-theme] | Researcher: Denver Jackson
Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-4021 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe [contest-gallery] | Researcher: Supakiad S. (m3ez)
Goldish < 3.47 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-25030 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Goldish - Jewelry Store WooCommerce Theme [goldish] | Researcher: João Pedro Soares de Alcântara
Halstein < 1.8 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-32508 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Halstein - Business Consulting WordPress Theme [halstein] | Researcher: Denver Jackson
Kamperen < 1.3 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-32510 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Kamperen - Camping and Adventure Tourism WordPress Theme [kamperen] | Researcher: Denver Jackson
Kiddy <= 2.0.8 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-32505 | Patch Status: Patched | Published: Mar 27, 2026
Affected Software: Kiddy - Children WordPress theme [kiddy] | Researcher: Phat RiO
KIDZ <= 5.24 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-25029 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: KIDZ - Kids Store and Baby Shop Theme [kidz] | Researcher: João Pedro Soares de Alcântara
Leroux - Business Consulting WordPress Theme < 1.4 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-32507 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Leroux - Business Consulting WordPress Theme [leroux] | Researcher: Denver Jackson
NaturaLife Extensions <= 2.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-25017 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: NaturaLife Extensions [naturalife-extensions] | Researcher: João Pedro Soares de Alcântara
Product File Upload for WooCommerce <= 2.2.4 - Unauthenticated Arbitrary File Deletion
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-25328 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Product File Upload for WooCommerce [products-file-upload-for-woocommerce] | Researcher: Denver Jackson
Ricky < 2.31 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-25032 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Ricky - Pet Shop & Care WooCoomerce Theme [ricky] | Researcher: João Pedro Soares de Alcântara
Stål < 1.7 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-32511 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Stål - Industry WordPress Theme [stal] | Researcher: Denver Jackson
Tasty Daily < 1.27 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-25031 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Tasty Daily - Grocery Store & Food WooCommerce Theme [tastydaily] | Researcher: João Pedro Soares de Alcântara
weForms – Easy Drag & Drop Contact Form Builder For WordPress <= 1.6.26 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-32484 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: weForms – Easy Drag & Drop Contact Form Builder For WordPress [weforms] | Researcher: daroo
Woodmart <= 8.3.8 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-23971 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Woodmart [woodmart] | Researcher: Phat RiO
Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag
CVSS Rating: 8.0 (High) | CVE-ID: CVE-2026-4248 | Patch Status: Patched | Published: Mar 27, 2026
Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin [ultimate-member] | Researcher: HDH
Addon Jobsearch Chat <= 3.0 - Unauthenticated SQL Injection
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-25377 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Addon Jobsearch Chat [addon-jobsearch-chat] | Researcher: Phat RiO
Apicona <= 24.1.0 - Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-25400 | Patch Status: Unpatched | Published: Mar 23, 2026
Affected Software: Apicona - Health & Medical WordPress Theme [apicona] | Researcher: João Pedro Soares de Alcântara
Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-3124 | Patch Status: Patched | Published: Mar 29, 2026
Affected Software: Download Monitor [download-monitor] | Researcher: Hung Nguyen (bashu)
JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-4662 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: JetEngine [jet-engine] | Researcher: hoshino
JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-2511 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: JS Help Desk – AI-Powered Support & Ticketing System [js-support-ticket] | Researcher: Nabil Irawan
Meloo < 2.8.2 - Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-25358 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Meloo - Music Theme for WordPress [meloo] | Researcher: Tran Nguyen Bao Khanh
Noo JobMonster < 4.8.4 - Unauthenticated SQL Injection
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-25340 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Noo JobMonster [noo-jobmonster] | Researcher: Phat RiO
SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-4987 | Patch Status: Patched | Published: Mar 27, 2026
Affected Software: SureForms – Contact Form, Payment Form & Other Custom Form Builder [sureforms] | Researcher: Jack Pas (Dark.)
WP Job Portal <= 2.4.8 - Unauthenticated SQL Injection via 'radius' Parameter
CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-4306 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: WP Job Portal – AI-Powered Recruitment System for Company or Job Board website [wp-job-portal] | Researcher: Leonid Semenenko (lsemenenko)
Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-4329 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: Blackhole for Bad Bots [blackhole-bad-bots] | Researcher: Huynh Pham Thanh Luc
Fluent Booking <= 2.0.01 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-2231 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution [fluent-booking] | Researcher: Supakiad S. (m3ez)
Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-3328 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: Frontend Admin by DynamiApps [acf-frontend-form-element] | Researcher: Osvaldo Noe Gonzalez Del Rio (Os)
Lead Form Builder & Contact Form <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-32532 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Lead Form Builder & Contact Form [lead-form-builder] | Researcher: daroo
Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization <= 8.2.7 - Authenticated (Editor+) Remote Code Execution
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-32573 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization [nelio-ab-testing] | Researcher: daroo
OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.62 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-32544 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) [oopspam-anti-spam] | Researcher: Nguyen Ba Khanh
Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2025-12886 | Patch Status: Patched | Published: Mar 27, 2026
Affected Software: Oxygen - WooCommerce WordPress Theme [oxygen] | Researcher: Ahmed Rayen Ayari
RSFirewall! <= 1.1.45 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-25341 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: RSFirewall! [rsfirewall] | Researcher: johska
WP REST Cache <= 2026.1.0 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-25347 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: WP REST Cache [wp-rest-cache] | Researcher: Nguyen Ba Khanh
ElementInvader Addons for Elementor <= 1.4.2 - Authenticated (Subscriber+) SQL Injection
CVSS Rating: 6.5 (Medium) | CVE-ID: CVE-2026-25007 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: ElementInvader Addons for Elementor [elementinvader-addons-for-elementor] | Researcher: Nabil Irawan
LearnDash LMS <= 5.0.3 - Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter
CVSS Rating: 6.5 (Medium) | CVE-ID: CVE-2026-3079 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: LearnDash LMS [sfwd-lms] | Researcher: Osvaldo Noe Gonzalez Del Rio (Os)
Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token
CVSS Rating: 6.5 (Medium) | CVE-ID: CVE-2026-1307 | Patch Status: Patched | Published: Mar 27, 2026
Affected Software: Ninja Forms – The Contact Form Builder That Grows With You [ninja-forms] | Researcher: Lucas Montes (NiRoX)
Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE
CVSS Rating: 6.5 (Medium) | CVE-ID: CVE-2026-3138 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Product Filter for WooCommerce by WBW [woo-product-filter] | Researcher: Youssef Elouaer
Quiz and Survey Master (QSM) <= 10.3.5 - Authenticated (Contributor+) SQL Injection via 'merged_question' Parameter
CVSS Rating: 6.5 (Medium) | CVE-ID: CVE-2026-2412 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker [quiz-master-next] | Researcher: d.v4n_s3c
Smart Slider 3 <= 3.5.1.33 - Authenticated (Subscriber+) Arbitrary File Read via actionExportAll
CVSS Rating: 6.5 (Medium) | CVE-ID: CVE-2026-3098 | Patch Status: Patched | Published: Mar 26, 2026
Affected Software: Smart Slider 3 [smart-slider-3] | Researcher: Dmitrii Ignatyev
BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sbox_id' Shortcode Attribute
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-4075 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: BWL Advanced FAQ Manager Lite [bwl-advanced-faq-manager-lite] | Researcher: Muhammad Yudha - DJ
DSGVO snippet for Leaflet Map and its Extensions <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'unset' Attribute
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-4389 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: DSGVO snippet for Leaflet Map and its Extensions [dsgvo-leaflet-map] | Researcher: zaim
ProfileGrid – User Profiles, Groups and Communities <= 5.9.8.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-25417 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: ProfileGrid – User Profiles, Groups and Communities [profilegrid-user-profiles-groups-and-communities] | Researcher: daroo
Sanzo < 2.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-25355 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: sanzo [sanzo] | Researcher: Tran Nguyen Bao Khanh
Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-4278 | Patch Status: Patched | Published: Mar 25, 2026
Affected Software: Simple Download Counter [simple-download-counter] | Researcher: zaim
The Grid < 2.8.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-24370 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: The Grid [the-grid] | Researcher: Phat RiO
Twentig <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'featuredImageSizeWidth'
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-2602 | Patch Status: Patched | Published: Mar 28, 2026
Affected Software: Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio [twentig] | Researcher: Muhammad Yudha - DJ
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses <= 3.2.26 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-31914 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses [wp-courses] | Researcher: Nguyen Duc Canh (canhnguyen26)
WP Review Slider <= 13.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-32491 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: WP Review Slider [wp-facebook-reviews] | Researcher: Doan Dinh Van (DinhVan52)
WP TripAdvisor Review Slider <= 14.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: 6.4 (Medium) | CVE-ID: CVE-2026-32490 | Patch Status: Patched | Published: Mar 23, 2026
Affected Software: WP TripAdvisor Review Slider [wp-tripadvisor-review-slider] | Researcher: Doan Dinh Van (DinhVan52)
Addon Jobsearch Chat <= 3.0 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-25376
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Addon Jobsearch Chat [addon-jobsearch-chat]
Researcher: Phat RiO

Boutique < 2.4.6 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-25342
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Boutique - Kute Fashion WooCommerce Theme ( RTL Supported ) [kute-boutique]
Researcher: João Pedro Soares de Alcântara

Car Dealer Automotive WordPress Theme – Responsive <= 1.6.7 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-24391
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Car Dealer Automotive WordPress Theme – Responsive [cardealer]
Researcher(s): Unknown

Contact Manager <= 9.1 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-32517
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Contact Manager [contact-manager]
Researcher: johska

FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-1986
Patch Status: Patched
Published: Mar 25, 2026
Affected Software: FloristPress for Woo – Customize your eCommerce store for your Florist [bakkbone-florist-companion]
Researcher: Athiwat Tiprasaharn (Jitlada)

Gaea < 3.8 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-32518
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Gaea - Environmental WordPress Theme [gaea]
Researcher: João Pedro Soares de Alcântara

Gyan Elements <= 2.2.1 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-23979
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Gyan Elements [gyan-elements]
Researcher(s): Unknown

JobSearch WP Job Board <= 3.2.0 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-32493
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: JobSearch WP Job Board [wp-jobsearch]
Researcher: Phat RiO

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.16 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-25383
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: KiviCare – Clinic & Patient Management System (EHR) [kivicare-clinic-management-system]
Researcher: johska

NaturaLife Extensions <= 2.1 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-25018
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: NaturaLife Extensions [naturalife-extensions]
Researcher: João Pedro Soares de Alcântara

Vayvo < 6.8 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-25373
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Vayvo - Media Streaming & Membership WordPress Theme [vayvo-progression]
Researcher: João Pedro Soares de Alcântara

VikRestaurants Table Reservations and Take-Away <= 1.5.2 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-25025
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: VikRestaurants Table Reservations and Take-Away [vikrestaurants]
Researcher: johska

WP Telegram Widget and Join Link <= 2.2.13 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium)
CVE-ID: CVE-2026-23807
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: WP Telegram Widget and Join Link [wptelegram-widget]
Researcher: johska

Quads Ads Manager for Google AdSense <= 2.0.98.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Ad Metadata Parameters
CVSS Rating: 5.4 (Medium)
CVE-ID: CVE-2026-2595
Patch Status: Patched
Published: Mar 27, 2026
Affected Software: Quads Ads Manager for Google AdSense [quick-adsense-reloaded]
Researcher: Muhammad Yudha - DJ

ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title
CVSS Rating: 5.4 (Medium)
CVE-ID: CVE-2026-4335
Patch Status: Patched
Published: Mar 25, 2026
Affected Software: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF [shortpixel-image-optimiser]
Researcher: daroo

User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Content Access Rule Manipulation
CVSS Rating: 5.4 (Medium)
CVE-ID: CVE-2026-4056
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
Researcher: darkmode

Coinbase Commerce – Crypto Gateway for WooCommerce <= 1.6.6 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25396
Patch Status: Unpatched
Published: Mar 23, 2026
Affected Software: Coinbase Commerce – Crypto Gateway for WooCommerce [commerce-coinbase-for-woocommerce]
Researcher: Legion Hunter

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.2.2 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25035
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe [contest-gallery]
Researcher: daroo

File Uploader for WooCommerce <= 1.0.4 - Unauthenticated Path Traversal
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25397
Patch Status: Unpatched
Published: Mar 23, 2026
Affected Software: File Uploader for WooCommerce [file-uploader-for-woocommerce]
Researcher: johska

Five Star Restaurant Reservations – WordPress Booking Plugin <= 2.7.9 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25327
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Five Star Restaurant Reservations – WordPress Booking Plugin [restaurant-reservations]
Researcher: johska

FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-4281
Patch Status: Patched
Published: Mar 25, 2026
Affected Software: FormLift for Infusionsoft Web Forms [formlift]
Researcher: Nabil Irawan

Helpdesk Support Ticket System for WooCommerce <= 2.1.2 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-23977
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Helpdesk Support Ticket System for WooCommerce [support-ticket-system-for-woocommerce]
Researcher: daroo

Indeed Membership Pro <= 13.7 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25357
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Indeed Membership Pro [indeed-membership-pro]
Researcher: Phat RiO

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.16 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25034
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: KiviCare – Clinic & Patient Management System (EHR) [kivicare-clinic-management-system]
Researcher: andrea bocchetti

Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-2442
Patch Status: Patched
Published: Mar 27, 2026
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder [pagelayer]
Researcher: Drew Webber (mcdruid)

Salon Booking System Pro < 10.30.12 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25334
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Salon Booking System Pro [salon-booking-plugin-pro]
Researcher: Phat RiO

Team – Team Members Showcase Plugin <= 5.0.11 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25026
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Team – Team Members Showcase Plugin [tlp-team]
Researcher: Doan Dinh Van (DinhVan52)

Tutor LMS Pro <= 3.9.4 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25406
Patch Status: Unpatched
Published: Mar 23, 2026
Affected Software: Tutor LMS Pro [tutor-pro]
Researcher: Phat RiO

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-32485
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend]
Researcher: Nguyen Ba Khanh

User Verification by PickPlugins <= 2.0.45 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-32497
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: User Verification by PickPlugins [user-verification]
Researcher: Nguyen Ba Khanh

WPCargo Track & Trace <= 8.0.2 - Missing Authorization
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25401
Patch Status: Unpatched
Published: Mar 23, 2026
Affected Software: WPCargo Track & Trace [wpcargo]
Researcher: Nabil Irawan

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.9.8.7 - Unauthenticated Sensitive Information Exposure
CVSS Rating: 5.3 (Medium)
CVE-ID: CVE-2026-25339
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More [wpforms-lite]
Researcher: Sandeep V

Complianz – GDPR/CCPA Cookie Consent <= 7.4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Filter
CVSS Rating: 4.9 (Medium)
CVE-ID: CVE-2026-2389
Patch Status: Patched
Published: Mar 25, 2026
Affected Software: Complianz – GDPR/CCPA Cookie Consent [complianz-gdpr]
Researcher: Muhammad Yudha - DJ

Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-4331
Patch Status: Patched
Published: Mar 25, 2026
Affected Software: Blog2Social: Social Media Auto Post & Scheduler [blog2social]
Researcher: s00me00ne

Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment <= 2.6.0 - Missing Authorization
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-23972
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment [booking-and-rental-manager-for-woocommerce]
Researcher: PPzzAArr

Conditional Menus <= 1.2.6 - Cross-Site Request Forgery to Menu Options Update
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-1032
Patch Status: Patched
Published: Mar 25, 2026
Affected Software: Conditional Menus [conditional-menus]
Researcher: Daniel Basta (whizzu)

Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-1206
Patch Status: Patched
Published: Mar 25, 2026
Affected Software: Elementor Website Builder – more than just a page builder [elementor]
Researcher: shark3y

JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.3 - Authenticated (Subscriber+) Insecure Direct Object Reference
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-32535
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: JS Help Desk – AI-Powered Support & Ticketing System [js-support-ticket]
Researcher: Bonds

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Authenticated (Subscriber+) Insecure Direct Object Reference
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-32533
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]
Researcher: daroo

LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-3225
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses [learnpress]
Researcher: Jack Pas (Dark.)

Petitioner <= 0.7.3 - Missing Authorization
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-32514
Patch Status: Patched
Published: Mar 27, 2026
Affected Software: Petitioner [petitioner]
Researcher: Nabil Irawan

PPWP – Password Protect Pages <= 1.9.15 - Missing Authorization
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-32562
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: PPWP – Password Protect Pages [password-protect-page]
Researcher: Doan Dinh Van (DinhVan52)

Review Schema – Review & Structure Data Schema Plugin <= 2.2.6 - Authenticated (Subscriber+) Information Exposure
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-25344
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Review Schema – Review & Structure Data Schema Plugin [review-schema]
Researcher: Doan Dinh Van (DinhVan52)

Smart Custom Fields <= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-4066
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Smart Custom Fields [smart-custom-fields]
Researcher: darkmode

The Grid < 2.8.0 - Missing Authorization
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-24369
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: The Grid [the-grid]
Researcher: Phat RiO

Vertex Addons for Elementor <= 1.6.4 - Missing Authorization
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-25398
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: Vertex Addons for Elementor [addons-for-elementor-builder]
Researcher: theviper17

WP Configurator Pro <= 3.7.9 - Missing Authorization
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-32501
Patch Status: Patched
Published: Mar 23, 2026
Affected Software: WP Configurator Pro [wp-configurator-pro]
Researcher: Phat RiO

WPBookit Pro <= 1.6.18 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: 4.3 (Medium)
CVE-ID: CVE-2026-25414
Patch Status: Unpatched
Published: Mar 23, 2026
Affected Software: WPBookit Pro - Appointment Booking Plugin for WordPress [wpbookit-pro]
Researcher: Phat RiO

As a reminder, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026) appeared first on Wordfence.
Source: www.wordfence.com