CVE-2026-39596 - Critical SQL Injection in Blocksy Companion Pro Plugin

⚠️ CVE references: CVE-2026-4654 CVE-2026-3371 CVE-2026-4065 CVE-2026-2519 CVE-2026-3477 CVE-2026-39523 CVE-2026-0811 CVE-2026-1900 CVE-2026-39552 CVE-2026-34898 CVE-2026-39480 CVE-2026-39519 CVE-2026-3618 CVE-2026-34893 CVE-2026-4808 CVE-2026-5169 CVE-2026-1924 CVE-2026-39559 CVE-2026-1673 CVE-2026-4394 CVE-2026-39556 CVE-2026-5742 CVE-2026-39568 CVE-2026-39555 CVE-2026-2305 CVE-2026-39539 CVE-2026-39583 CVE-2026-3396 CVE-2026-3498 CVE-2026-0740 CVE-2026-3600 CVE-2026-34897 CVE-2026-4073 CVE-2026-3513 CVE-2025-14732 CVE-2026-1396 CVE-2026-5436 CVE-2026-5711 CVE-2026-3239 CVE-2026-39432 CVE-2026-39434 CVE-2026-39577 CVE-2026-2263 CVE-2026-4664 CVE-2026-3535 CVE-2026-39545 CVE-2026-5226 CVE-2026-39582 CVE-2026-2942 CVE-2026-2712 CVE-2026-4124 CVE-2026-4299 CVE-2026-4333 CVE-2026-3243 CVE-2026-39557 CVE-2026-2509 CVE-2026-39492 CVE-2026-39551 CVE-2026-34901 CVE-2026-1865 CVE-2026-39587 CVE-2026-4979 CVE-2026-3296 CVE-2026-4341 CVE-2026-4326 CVE-2026-1263 CVE-2026-39493 CVE-2026-5809 CVE-2026-5357 CVE-2026-3568 CVE-2026-4336 CVE-2026-39550 CVE-2026-4871 CVE-2026-39524 CVE-2026-39547 CVE-2026-3574 CVE-2026-39522 CVE-2026-4079 CVE-2026-4303 CVE-2026-39546 CVE-2026-5144 CVE-2026-4655 CVE-2026-3177 CVE-2025-1794 CVE-2026-34904 CVE-2026-5506 CVE-2026-39578 CVE-2026-3358 CVE-2026-3499 CVE-2026-5167 CVE-2026-34891 CVE-2026-5508 CVE-2026-39591 CVE-2026-3480 CVE-2026-34888 CVE-2026-4141 CVE-2026-2481 CVE-2026-39580 CVE-2026-4406 CVE-2026-39554 CVE-2026-39553 CVE-2026-3646 CVE-2026-34885 CVE-2026-39537 CVE-2026-4057 CVE-2026-4379 CVE-2026-3311 CVE-2026-34896 CVE-2026-5207 CVE-2026-4429 CVE-2026-39576 CVE-2026-4351 CVE-2026-0814 CVE-2026-34894 CVE-2026-3360 CVE-2026-39567 CVE-2026-39470 CVE-2026-1672 CVE-2026-5217 CVE-2026-39549 CVE-2026-4025 CVE-2026-4401 CVE-2026-4003 CVE-2026-39558 CVE-2026-5465 CVE-2026-2988 CVE-2026-39534 CVE-2026-34895 CVE-2026-4895 CVE-2026-39560 CVE-2026-3781 CVE-2026-2838 CVE-2026-39433 CVE-2026-39502 CVE-2025-15611 CVE-2026-34899 CVE-2026-3594 CVE-2026-4305 CVE-2025-14944 CVE-2026-34903 CVE-2026-39573 CVE-2026-4330 CVE-2026-39533 CVE-2026-3142 CVE-2026-34902 CVE-2026-4162 CVE-2026-39596 CVE-2026-3005 CVE-2026-4300 CVE-2026-4977 CVE-2026-1830 CVE-2026-4785

Summary

A critical SQL injection vulnerability was discovered in the WordPress plugin Blocksy Companion Pro in versions before 2.1.29 (< 2.1.29). It allows attackers to execute arbitrary SQL queries without authentication and thereby read sensitive data or compromise the website. A patch is available.

Last week, there were 153 vulnerabilities disclosed in 117 WordPress Plugins and 23 WordPress Themes that were added to the Wordfence Intelligence Vulnerability Database, and 74 Vulnerability Researchers contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Wordfence is the world's leading quality vulnerability database provider for WordPress, so site owners can rest assured knowing Wordfence has their back. Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week

Patch Status      Number of Vulnerabilities
Patched           137
Unpatched         16

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating   Number of Vulnerabilities
Medium Severity   89
High Severity     54
Critical Severity 10

Total Vulnerabilities by CWE Type Last Week (Vulnerability Type by CWE: Number of Vulnerabilities)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): 44
Missing Authorization: 26
Deserialization of Untrusted Data: 17
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): 14
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): 11
Cross-Site Request Forgery (CSRF): 9
Authorization Bypass Through User-Controlled Key: 6
Unrestricted Upload of File with Dangerous Type: 5
Exposure of Sensitive Information to an Unauthorized Actor: 4
Incorrect Privilege Assignment: 4
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): 3
Improper Privilege Management: 2
Embedded Malicious Code: 1
External Control of Assumed-Immutable Web Parameter: 1
External Control of File Name or Path: 1
Improper Authentication: 1
Improper Neutralization of Alternate XSS Syntax: 1
Incorrect Authorization: 1
Insufficient Verification of Data Authenticity: 1
Server-Side Request Forgery (SSRF): 1

Researchers That Contributed to WordPress Security Last Week (Researcher Name: Number of Vulnerabilities)

Denver Jackson: 17
Athiwat Tiprasaharn (Jitlada): 11
João Pedro Soares de Alcântara: 8
Nguyen Ba Khanh: 7
Itthidej Aramsri (Boeing777): 7
Muhammad Yudha - DJ: 7
Tran Nguyen Bao Khanh: 6
Osvaldo Noe Gonzalez Del Rio (Os): 5
Nabil Irawan: 5
zaim: 5
Jarno Vos (jarnovos): 4
Dmitrii Ignatyev: 3
zakaria: 3
Kai Aizen: 3
Muhammad Nur Ibnu Hubab (Ibnu): 3
Legion Hunter: 3
Sajjad Haqi: 2
daroo: 2
Carlos Ferreira: 2
theviper17y: 2
Gilang - DJ: 2
Hunter Jensen (skid): 2
s00me00ne: 2
Youssef Elouaer: 2
Webbernaut: 1
Sélim Lanouar (whattheslime): 1
Spider Sec Ltd: 1
Mohammad Amin Hajian (mamadrce): 1
ch4r0n: 1
Leonid Semenenko (lsemenenko): 1
Simone Maion: 1
Ali Cem Havare: 1
Sencer Kılıç: 1
Cesi De Taranto: 1
andrea bocchetti: 1
Nguyen C: 1
0xsabre: 1
BaroHaf: 1
kai63001: 1
ibrahimsql: 1
Vilaysone CHANTHAVONG (0xJ0cKkY): 1
Waris Damkham: 1
Kirasec: 1
Chawabhon Netisingha (JNX03): 1
Anthony Cihan (Hann1bl3L3ct3r): 1
momopon1415: 1
Dahmani Toumi (pegaSUS): 1
Quốc Huy (jtwings): 1
darkmode: 1
Martín Martín: 1
Tharadol Suksamran (d3kc4rt_1): 1
lucky_buddy: 1
Nguyen Ngoc Duc (duc193): 1
tadokun: 1
dangnosuy: 1
davidfdzmorilla: 1
Doan Dinh Van (DinhVan52): 1
Supakiad S. (m3ez): 1
Ronnachai Sretawat Na Ayutaya (Simonhaskelly): 1
Michael Iden (Mickhat): 1
Poli: 1
luc: 1
0N0ise: 1
Or Benit: 1
Md. Moniruzzaman Prodhan (NomanProdhan): 1
Sander Horsman: 1
Andrés Cruciani: 1
Kate Kligman: 1
hoshino: 1
afnaan: 1
Maurice Fielenbach (Hexastrike): 1
Alex Thomas: 1
nquangit: 1
Abi Wiranata: 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week (Software Name [Software Slug])

AddFunc Head & Footer Code [addfunc-head-footer-code]
Advanced Contact form 7 DB [advanced-cf7-db]
Advanced Members for ACF [advanced-members]
AM LottiePlayer [am-lottieplayer]
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Aruba HiSpeed Cache [aruba-hispeed-cache]
Attendance Manager [attendance-manager]
Awesome Support – WordPress HelpDesk & Support Plugin [awesome-support]
AWP Classifieds [another-wordpress-classifieds-plugin]
BackupBliss – Backup & Migration with Free Cloud Storage [backup-backup]
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net [woo-bulk-editor]
Beaver Builder Page Builder – Drag and Drop Website Builder [beaver-builder-lite-version]
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library [blockart-blocks]
Blocksy Companion Pro [blocksy-companion-pro]
Blog2Social: Social Media Auto Post & Scheduler [blog2social]
Booking for Appointments and Events Calendar – Amelia [ameliabooking]
Bricksforge [bricksforge]
BuddyPress Groupblog [bp-groupblog]
Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails [woo-cart-abandonment-recovery]
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More [charitable]
Columns by BestWebSoft – Additional Columns Plugin for Posts Pages and Widgets [columns-bws]
Customer Reviews for WooCommerce [customer-reviews-woocommerce]
Datalogics Ecommerce Delivery – Datalogics [datalogics]
Download Manager [download-manager]
Download Monitor [download-monitor]
DSGVO Google Web Fonts GDPR [dsgvo-google-web-fonts-gdpr]
Element Pack – Widgets, Templates & Addons for Elementor [bdthemes-element-pack-lite]
Elementor Website Builder – more than just a page builder [elementor]
Event Tickets Manager for WooCommerce [event-tickets-manager-for-woocommerce]
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder [everest-forms]
Experto Dashboard for WooCommerce [experto-custom-dashboard]
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder [form-maker]
GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content [geeky-bot]
Gerador de Certificados – DevApps [gerador-de-certificados-devapps]
Gravity Forms [gravityforms]
Gravity SMTP [gravitysmtp]
Greenshift – animation and page builder blocks [greenshift-animation-and-page-builder-blocks]
Hustle – Email Marketing, Lead Generation, Optins, Popups [wordpress-popup]
iControlWP [worpit-admin-dashboard-plugin]
IDPay Payment Gateway for Woocommerce [woo-idpay-gateway]
Inquiry form to posts or pages [inquiry-form-to-posts-or-pages]
Integrio Core [integrio-core]
Investi [investi]
LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses [learnpress]
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes [lifterlms]
LightPress Lightbox [wp-jquery-lightbox]
Link Whisper Free [link-whisper]
List category posts [list-category-posts]
LTL Freight Quotes – R+L Carriers Edition [ltl-freight-quotes-rl-edition]
LTL Freight Quotes – Worldwide Express Edition [ltl-freight-quotes-worldwide-express-edition]
Magic Conversation For Gravity Forms [magic-conversation-for-gravity-forms]
MainWP Child Reports [mainwp-child-reports]
Masteriyo LMS – Online Course Builder for eLearning, LMS & Education [learning-management-system]
Media Library Assistant [media-library-assistant]
Mikado Core [mikado-core]
MStore API – Create Native Android & iOS Apps On The Cloud [mstore-api]
MultiLoca - WooCommerce Multi Locations Inventory Management [WooCommerce-Multi-Locations-Inventory-Management]
MW WP Form [mw-wp-form]
Ninja Forms - File Uploads [ninja-forms-uploads]
Ocean Extra [ocean-extra]
Online Scheduling and Appointment Booking System – Bookly [bookly-responsive-appointment-booking-tool]
Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization [optimole-wp]
OSM – OpenStreetMap [osm]
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer]
pdfl.io [pdfl-io]
Perfmatters [perfmatters]
Pinterest Site Verification plugin using Meta Tag [pinterest-site-verification]
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box]
Post Blocks & Tools [bnm-blocks]
PowerPress Podcasting plugin by Blubrry [powerpress]
Prime Slider – Addons for Elementor [bdthemes-prime-slider-lite]
PrivateContent Free [privatecontent-free]
Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels [webappick-product-feed-for-woocommerce]
Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce [woo-product-feed-pro]
Product Table and List Builder for WooCommerce Lite [wc-product-table-lite]
ProSolution WP Client [prosolution-wp-client]
PZ Frontend Manager [pz-frontend-manager]
Quick Playground [quick-playground]
Quran Translations [quran-translations-by-edc]
Riaxe Product Customizer [riaxe-product-customizer]
Robo Gallery – Photo & Image Slider [robo-gallery]
Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely [royal-backup-reset]
Simple Social Media Share Buttons – Social Sharing for Everyone [simple-social-buttons]
Smart Slider 3 [smart-slider-3]
Smart Slider 3 Pro [nextend-smart-slider3-pro]
Softlab Core [softlab-core]
Solene Core [solene-core]
Sports Club Management [sports-club-management]
SQL Chart Builder [sql-chart-builder]
Strong Testimonials [strong-testimonials]
TableOn – WordPress Posts Table Filterable [posts-table-filterable]
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce [the-plus-addons-for-elementor-page-builder]
TheGov Core [thegov-core]
Timetics – Appointment Booking & Scheduling [timetics]
Tutor LMS – eLearning and online course solution [tutor]
Ultimate FAQ Accordion Plugin [ultimate-faqs]
Under Construction, Coming Soon & Maintenance Mode [under-construction-maintenance-mode]
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
Users manager – PN [userspn]
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP [userswp]
Vertex Addons for Elementor [addons-for-elementor-builder]
Wavr [wavr]
WCAPF – Ajax Product Filter for WooCommerce [wc-ajax-product-filter]
Webling [webling]
Whole Enquiry Cart for WooCommerce [whole-cart-enquiry]
WowPress [wowpress]
WP BASE Booking of Appointments, Services and Events [wp-base-booking-of-appointments-services-and-events]
WP Blockade – Visual Page Builder [wp-blockade]
WP Directory Kit [wpdirectorykit]
WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters [wp-google-map-plugin]
WP Visitor Statistics (Real Time Traffic) [wp-stats-manager]
WP-BusinessDirectory – Business directory plugin for WordPress [wp-businessdirectory]
WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance [wp-optimize]
WPAMS - Apartment Management System for wordpress [apartment-management]
wpForo Forum [wpforo]
Ziggeo [ziggeo]

WordPress Themes with Reported Vulnerabilities Last Week (Software Name [Software Slug])

Alloggio - Hotel Booking WordPress Theme [alloggio]
Aperitif - Wine Shop and Liquor Store WordPress Theme [aperitif]
Askka - Candle Shop WordPress Theme [askka]
blueprint [blueprint]
Fidalgo - Restaurant WordPress Theme [fidalgo]
Getaway - Travel & Tourism WordPress Theme [getaway]
Hiroshi - Architecture and Interior Design WordPress Theme [hiroshi]
Hitek - Electronics WooCommerce Theme [xts-hitek]
Konsept - Furniture Store WordPress Theme [konsept]
Malmö - A Charming Multi-concept WordPress Theme [malmo]
Micdrop - Music WordPress Theme [micdrop]
Mildhill - Organic and Food Store WordPress Theme [mildhill]
Mr. SEO - Social Media Marketing Agency WordPress Theme [mrseo]
NeoBeat - Music WordPress Theme [neobeat]
Playroom - Kids & Kindergarten WordPress Theme [playroom]
Santé - Organic Shop WordPress Theme [sante]
SingleMalt - Drink Store WordPress Theme [singlemalt]
Solene - Wedding Photography WordPress Theme [solene]
Töbel - Modern Furniture Store WordPress Theme [tobel]
Uppercase - WordPress Blog Theme with Dark Mode [uppercase]
Valiance - Business Consulting WordPress Theme [valiance]
WaveRide - Surfing and Water Sports WordPress Theme [waveride]
Zermatt - Agency WordPress Theme [zermatt]

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you would like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
Datalogics Ecommerce Delivery – Datalogics <= 2.6.62 - Unauthenticated Privilege Escalation
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-39583 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Datalogics Ecommerce Delivery – Datalogics [datalogics]
  Researcher: Jarno Vos (jarnovos)

DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-3535 | Patch Status: Unpatched | Published: Apr 7, 2026
  Affected Software: DSGVO Google Web Fonts GDPR [dsgvo-google-web-fonts-gdpr]
  Researcher: Nabil Irawan

Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-3296 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder [everest-forms]
  Researcher: 0xsabre

iControlWP <= 5.5.3 - Unauthenticated Privilege Escalation
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-34901 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: iControlWP [worpit-admin-dashboard-plugin]
  Researcher: Jarno Vos (jarnovos)

Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-0740 | Patch Status: Patched | Published: Apr 6, 2026
  Affected Software: Ninja Forms - File Uploads [ninja-forms-uploads]
  Researcher: Sélim Lanouar (whattheslime)

ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-2942 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: ProSolution WP Client [prosolution-wp-client]
  Researcher: Nabil Irawan

Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-1830 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Quick Playground [quick-playground]
  Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Vilaysone CHANTHAVONG (0xJ0cKkY), Waris Damkham

Smart Slider 3 Pro 3.5.1.35 - Backdoor Embedded via Supply Chain Compromise
  CVSS Rating: 9.8 (Critical) | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Smart Slider 3 Pro [nextend-smart-slider3-pro]
  Researcher(s): Unknown

Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-4003 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: Users manager – PN [userspn]
  Researcher: BaroHaf

WP BASE Booking of Appointments, Services and Events <= 5.9.0 - Unauthenticated Privilege Escalation
  CVSS Rating: 9.8 (Critical) | CVE-ID: CVE-2026-39587 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: WP BASE Booking of Appointments, Services and Events [wp-base-booking-of-appointments-services-and-events]
  Researcher: Jarno Vos (jarnovos)

Advanced Members for ACF <= 1.2.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal
  CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-3243 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: Advanced Members for ACF [advanced-members]
  Researcher: Muhammad Yudha - DJ

Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter
  CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-5465 | Patch Status: Patched | Published: Apr 6, 2026
  Affected Software: Booking for Appointments and Events Calendar – Amelia [ameliabooking]
  Researcher: Osvaldo Noe Gonzalez Del Rio (Os)

BuddyPress Groupblog <= 1.9.3 - Authenticated (Subscriber+) Privilege Escalation to Administrator via Group Blog IDOR
  CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-5144 | Patch Status: Patched | Published: Apr 10, 2026
  Affected Software: BuddyPress Groupblog [bp-groupblog]
  Researcher: Nabil Irawan

MultiLoca <= 4.2.15 - Authenticated (Subscriber+) Privilege Escalation
  CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-39546 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: MultiLoca - WooCommerce Multi Locations Inventory Management [WooCommerce-Multi-Locations-Inventory-Management]
  Researcher: Denver Jackson

Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions
  CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-3499 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce [woo-product-feed-pro]
  Researcher: lucky_buddy

Vertex Addons for Elementor <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins'
  CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-4326 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Vertex Addons for Elementor [addons-for-elementor-builder]
  Researcher: Athiwat Tiprasaharn (Jitlada)

WP-BusinessDirectory – Business directory plugin for WordPress <= 4.0.0 - Authenticated (Subscriber+) Arbitrary File Upload
  CVSS Rating: 8.8 (High) | CVE-ID: CVE-2026-39591 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: WP-BusinessDirectory – Business directory plugin for WordPress [wp-businessdirectory]
  Researcher: Jarno Vos (jarnovos)

Alloggio - Hotel Booking WordPress Theme <= 2.1.2 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39539 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Alloggio - Hotel Booking WordPress Theme [alloggio]
  Researcher: Denver Jackson

Aperitif <= 1.5 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39549 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Aperitif - Wine Shop and Liquor Store WordPress Theme [aperitif]
  Researcher: Tran Nguyen Bao Khanh

Aperitif <= 1.6 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39550 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Aperitif - Wine Shop and Liquor Store WordPress Theme [aperitif]
  Researcher: Denver Jackson

Askka - Candle Shop WordPress Theme <= 1.3.1 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39555 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Askka - Candle Shop WordPress Theme [askka]
  Researcher: Denver Jackson

Blueprint < 1.1.5 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39552 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: blueprint [blueprint]
  Researcher: João Pedro Soares de Alcântara

Fidalgo <= 1.2.2 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39554 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Fidalgo - Restaurant WordPress Theme [fidalgo]
  Researcher: Denver Jackson

Getaway < 1.8 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39547 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Getaway - Travel & Tourism WordPress Theme [getaway]
  Researcher: João Pedro Soares de Alcântara

Hiroshi <= 1.5.1 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39560 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Hiroshi - Architecture and Interior Design WordPress Theme [hiroshi]
  Researcher: Denver Jackson

Hitek < 1.8.3 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39582 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Hitek - Electronics WooCommerce Theme [xts-hitek]
  Researcher: Tran Nguyen Bao Khanh

Integrio Core < 1.2.8 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-34894 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: Integrio Core [integrio-core]
  Researcher: João Pedro Soares de Alcântara

Konsept <= 1.9 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39556 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Konsept - Furniture Store WordPress Theme [konsept]
  Researcher: Denver Jackson

Malmö <= 2.2 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39558 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Malmö - A Charming Multi-concept WordPress Theme [malmo]
  Researcher: Tran Nguyen Bao Khanh

Micdrop <= 1.3.1 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39580 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Micdrop - Music WordPress Theme [micdrop]
  Researcher: Denver Jackson

Mikado Core <= 1.6 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39537 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Mikado Core [mikado-core]
  Researcher: João Pedro Soares de Alcântara

Mildhill <= 1.5 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39573 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Mildhill - Organic and Food Store WordPress Theme [mildhill]
  Researcher: Denver Jackson

Mr. SEO <= 2.0 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39568 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Mr. SEO - Social Media Marketing Agency WordPress Theme [mrseo]
  Researcher: Tran Nguyen Bao Khanh

MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-5436 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: MW WP Form [mw-wp-form]
  Researcher: Sander Horsman

NeoBeat - Music WordPress Theme <= 1.7 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39557 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: NeoBeat - Music WordPress Theme [neobeat]
  Researcher: Denver Jackson

Perfmatters <= 2.5.9 - Authenticated (Subscriber+) Arbitrary File Overwrite via 'snippets' Parameter
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-4351 | Patch Status: Patched | Published: Apr 9, 2026
  Affected Software: Perfmatters [perfmatters]
  Researcher: hoshino

Playroom <= 1.4.1 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39577 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Playroom - Kids & Kindergarten WordPress Theme [playroom]
  Researcher: Denver Jackson

Santé <= 1.5.1 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39567 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Santé - Organic Shop WordPress Theme [sante]
  Researcher: Denver Jackson

SingleMalt <= 1.5 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39576 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: SingleMalt - Drink Store WordPress Theme [singlemalt]
  Researcher: Denver Jackson

Softlab Core < 1.2.11 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-34895 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: Softlab Core [softlab-core]
  Researcher: João Pedro Soares de Alcântara

Solene <= 3.4 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39522 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Solene - Wedding Photography WordPress Theme [solene]
  Researcher: Tran Nguyen Bao Khanh

Solene Core <= 2.3.2 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39523 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Solene Core [solene-core]
  Researcher: Tran Nguyen Bao Khanh

Thegov Core < 2.0.23 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-34893 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: TheGov Core [thegov-core]
  Researcher: João Pedro Soares de Alcântara

Töbel - Modern Furniture Store WordPress Theme <= 1.8.1 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39551 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Töbel - Modern Furniture Store WordPress Theme [tobel]
  Researcher: Denver Jackson

Uppercase < 1.2.2 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39559 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Uppercase - WordPress Blog Theme with Dark Mode [uppercase]
  Researcher: João Pedro Soares de Alcântara

Valiance <= 1.2 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39578 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Valiance - Business Consulting WordPress Theme [valiance]
  Researcher: Denver Jackson

WaveRide <= 1.4 - Unauthenticated Local File Inclusion
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39553 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: WaveRide - Surfing and Water Sports WordPress Theme [waveride]
  Researcher: João Pedro Soares de Alcântara

Zermatt <= 1.6.1 - Unauthenticated PHP Object Injection
  CVSS Rating: 8.1 (High) | CVE-ID: CVE-2026-39545 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Zermatt - Agency WordPress Theme [zermatt]
  Researcher: Denver Jackson

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.27 - Unauthenticated SQL Injection
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-39493 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
  Researcher: Doan Dinh Van (DinhVan52)

AWP Classifieds <= 4.4.4 - Missing Authorization
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-39533 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: AWP Classifieds [another-wordpress-classifieds-plugin]
  Researcher: Dahmani Toumi (pegaSUS)

Blocksy Companion Pro < 2.1.29 - Unauthenticated SQL Injection
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-39596 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Blocksy Companion Pro [blocksy-companion-pro]
  Researcher: Nguyen Ba Khanh

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.38 - Unauthenticated SQL Injection
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-39502 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder [form-maker]
  Researcher: Nguyen Ba Khanh

GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content <= 1.2.0 - Unauthenticated SQL Injection
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-39519 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content [geeky-bot]
  Researcher: Nguyen Ba Khanh

SQL Chart Builder < 2.3.8 - Unauthenticated SQL Injection
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-4079 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: SQL Chart Builder [sql-chart-builder]
  Researcher: dangnosuy

Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-3360 | Patch Status: Patched | Published: Apr 9, 2026
  Affected Software: Tutor LMS – eLearning and online course solution [tutor]
  Researcher: Supakiad S. (m3ez)

WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-3396 | Patch Status: Patched | Published: Apr 7, 2026
  Affected Software: WCAPF – Ajax Product Filter for WooCommerce [wc-ajax-product-filter]
  Researcher: Youssef Elouaer

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection
  CVSS Rating: 7.5 (High) | CVE-ID: CVE-2026-39492 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters [wp-google-map-plugin]
  Researcher: Nguyen Ba Khanh

Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails < 2.1.0 - Authenticated (Shop Manager+) Privilege Escalation
  CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-39470 | Patch Status: Patched | Published: Apr 8, 2026
  Affected Software: Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails [woo-cart-abandonment-recovery]
  Researcher: Nguyen Ba Khanh

Gerador de Certificados – DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload
  CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-4808 | Patch Status: Unpatched | Published: Apr 7, 2026
  Affected Software: Gerador de Certificados – DevApps [gerador-de-certificados-devapps]
  Researcher: Legion Hunter

Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter
  CVSS Rating: 7.2 (High) | CVE-ID: CVE-2026-5217 | Patch Status: Patched | Published: Apr 10, 2026
  Affected Software: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image
Optimization [optimole-wp] Researcher Quốc Huy (jtwings) More Details > Popup Box – Create Countdown, Coupon, Video, Contact Form Popups < 5.5.0 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2025-15611 Patch Status Patched Published Apr 8, 2026 Affected Software Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] Researcher Spider Sec Ltd More Details > Product Table and List Builder for WooCommerce Lite <= 4.6.3 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-34902 Patch Status Patched Published Apr 7, 2026 Affected Software Product Table and List Builder for WooCommerce Lite [wc-product-table-lite] Researcher daroo More Details > Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall 7.1 CVSS Rating 7.1 (High) CVE-ID CVE-2026-4162 Patch Status Patched Published Apr 9, 2026 Affected Software Gravity SMTP [gravitysmtp] Researcher Osvaldo Noe Gonzalez Del Rio (Os) More Details > wpForo Forum <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter 7.1 CVSS Rating 7.1 (High) CVE-ID CVE-2026-5809 Patch Status Patched Published Apr 10, 2026 Affected Software wpForo Forum [wpforo] Researcher Leonid Semenenko (lsemenenko) More Details > Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels <= 6.6.26 - Authenticated (Shop Manager+) PHP Object Injection 6.6 CVSS Rating 6.6 (Medium) CVE-ID CVE-2026-39434 Patch Status Patched Published Apr 7, 2026 Affected Software Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels [webappick-product-feed-for-woocommerce] Researcher daroo More Details > BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Product Data Modification 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-1672 Patch Status Patched Published 
Apr 7, 2026 Affected Software BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net [woo-bulk-editor] Researcher Dmitrii Ignatyev More Details > LifterLMS <= 9.2.1 - Authenticated (Custom+) SQL Injection via 'order' Parameter 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-5207 Patch Status Patched Published Apr 10, 2026 Affected Software LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes [lifterlms] Researcher momopon1415 More Details > Media Library Assistant <= 3.34 - Authenticated (Contributor+) SQL Injection 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-34885 Patch Status Patched Published Apr 6, 2026 Affected Software Media Library Assistant [media-library-assistant] Researcher Sajjad Haqi More Details > User Registration & Membership <= 5.1.2 - Authenticated (Subscriber+) SQL Injection via membership_ids[] 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-1865 Patch Status Patched Published Apr 7, 2026 Affected Software User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration] Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777) More Details > WP Blockade <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-3480 Patch Status Unpatched Published Apr 7, 2026 Affected Software WP Blockade – Visual Page Builder [wp-blockade] Researcher theviper17y More Details > AddFunc Head & Footer Code <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2305 Patch Status Patched Published Apr 9, 2026 Affected Software AddFunc Head & Footer Code [addfunc-head-footer-code] Researcher Muhammad Yudha - DJ More Details > Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site 
Scripting via 'settings[js]' 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2481 Patch Status Patched Published Apr 7, 2026 Affected Software Beaver Builder Page Builder – Drag and Drop Website Builder [beaver-builder-lite-version] Researchers Athiwat Tiprasaharn (Jitlada)Tharadol Suksamran (d3kc4rt_1) More Details > BlockArt Blocks <= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3498 Patch Status Patched Published Apr 10, 2026 Affected Software BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library [blockart-blocks] Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777) More Details > Blubrry PowerPress <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2988 Patch Status Patched Published Apr 7, 2026 Affected Software PowerPress Podcasting plugin by Blubrry [powerpress] Researcher Muhammad Yudha - DJ More Details > Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3618 Patch Status Unpatched Published Apr 7, 2026 Affected Software Columns by BestWebSoft – Additional Columns Plugin for Posts Pages and Widgets [columns-bws] Researcher Muhammad Yudha - DJ More Details > Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-5357 Patch Status Patched Published Apr 8, 2026 Affected Software Download Manager [download-manager] Researcher zaim More Details > Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4655 Patch Status Patched Published Apr 7, 2026 Affected Software 
Element Pack – Widgets, Templates & Addons for Elementor [bdthemes-element-pack-lite] Researcher Webbernaut More Details > Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2025-14732 Patch Status Patched Published Apr 7, 2026 Affected Software Elementor Website Builder – more than just a page builder [elementor] Researcher andrea bocchetti More Details > Greenshift <= 12.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via disablelazy Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4895 Patch Status Patched Published Apr 10, 2026 Affected Software Greenshift – animation and page builder blocks [greenshift-animation-and-page-builder-blocks] Researcher Muhammad Yudha - DJ More Details > Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3600 Patch Status Patched Published Apr 7, 2026 Affected Software Investi [investi] Researcher Gilang - DJ More Details > LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4785 Patch Status Patched Published Apr 7, 2026 Affected Software LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint] Researcher zaim More Details > LearnPress <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4333 Patch Status Patched Published Apr 7, 2026 Affected Software LearnPress – WordPress LMS Plugin for Create and Sell Online Courses [learnpress] Researcher zaim More Details > LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4379 Patch Status Patched Published Apr 7, 2026 Affected Software LightPress Lightbox 
[wp-jquery-lightbox] Researcher Muhammad Yudha - DJ More Details > List category posts <= 0.94.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'catlist' Shortcode 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3005 Patch Status Patched Published Apr 8, 2026 Affected Software List category posts [list-category-posts] Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777) More Details > Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1396 Patch Status Patched Published Apr 7, 2026 Affected Software Magic Conversation For Gravity Forms [magic-conversation-for-gravity-forms] Researcher zaim More Details > Media Library Assistant <= 3.34 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-34897 Patch Status Patched Published Apr 6, 2026 Affected Software Media Library Assistant [media-library-assistant] Researcher Sajjad Haqi More Details > OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4429 Patch Status Patched Published Apr 8, 2026 Affected Software OSM – OpenStreetMap [osm] Researcher Nguyen Ngoc Duc (duc193) More Details > Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2509 Patch Status Patched Published Apr 7, 2026 Affected Software Page Builder: Pagelayer – Drag and Drop website builder [pagelayer] Researcher Athiwat Tiprasaharn (Jitlada) More Details > pdfl.io <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4073 Patch Status Patched Published Apr 7, 2026 Affected Software pdfl.io [pdfl-io] Researcher zakaria More Details > Pinterest Site 
Verification plugin using Meta Tag <= 1.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'post_var' 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3142 Patch Status Unpatched Published Apr 7, 2026 Affected Software Pinterest Site Verification plugin using Meta Tag [pinterest-site-verification] Researcher Nabil Irawan More Details > Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-5711 Patch Status Patched Published Apr 8, 2026 Affected Software Post Blocks & Tools [bnm-blocks] Researcher Athiwat Tiprasaharn (Jitlada) More Details > Prime Slider <= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4341 Patch Status Patched Published Apr 7, 2026 Affected Software Prime Slider – Addons for Elementor [bdthemes-prime-slider-lite] Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777) More Details > PrivateContent Free <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4025 Patch Status Patched Published Apr 7, 2026 Affected Software PrivateContent Free [privatecontent-free] Researcher Gilang - DJ More Details > Robo Gallery <= 5.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'Loading Label' Setting 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4300 Patch Status Patched Published Apr 7, 2026 Affected Software Robo Gallery – Photo & Image Slider [robo-gallery] Researcher Athiwat Tiprasaharn (Jitlada) More Details > Sports Club Management <= 1.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4871 Patch Status Unpatched Published Apr 7, 2026 Affected Software Sports Club Management [sports-club-management] Researcher zaim More Details > Strong Testimonials 
<= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3239 Patch Status Patched Published Apr 7, 2026 Affected Software Strong Testimonials [strong-testimonials] Researcher Ronnachai Sretawat Na Ayutaya (Simonhaskelly) More Details > TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3513 Patch Status Patched Published Apr 7, 2026 Affected Software TableOn – WordPress Posts Table Filterable  [posts-table-filterable] Researcher Itthidej Aramsri (Boeing777) More Details > The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3311 Patch Status Patched Published Apr 7, 2026 Affected Software The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce [the-plus-addons-for-elementor-page-builder] Researcher Osvaldo Noe Gonzalez Del Rio (Os) More Details > Ultimate FAQ Accordion Plugin <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via FAQ Content 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4336 Patch Status Patched Published Apr 8, 2026 Affected Software Ultimate FAQ Accordion Plugin [ultimate-faqs] Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777) More Details > UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-5742 Patch Status Patched Published Apr 8, 2026 Affected Software UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP [userswp] Researcher Osvaldo Noe Gonzalez Del Rio (Os) More Details > Wavr <= 0.2.6 - Authenticated (Contributor+) 
Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-5506 Patch Status Unpatched Published Apr 7, 2026 Affected Software Wavr [wavr] Researcher zakaria More Details > Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1263 Patch Status Patched Published Apr 9, 2026 Affected Software Webling [webling] Researcher Kate Kligman More Details > WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-5508 Patch Status Unpatched Published Apr 7, 2026 Affected Software WowPress [wowpress] Researcher zakaria More Details > WP Visitor Statistics (Real Time Traffic) <= 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-4303 Patch Status Patched Published Apr 7, 2026 Affected Software WP Visitor Statistics (Real Time Traffic) [wp-stats-manager] Researcher Muhammad Yudha - DJ More Details > Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-4394 Patch Status Patched Published Apr 7, 2026 Affected Software Gravity Forms [gravityforms] Researcher tadokun More Details > Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-5226 Patch Status Patched Published Apr 10, 2026 Affected Software Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization [optimole-wp] Researchers Ali Cem HavareSencer KılıçCesi De Taranto More Details > Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-4305 Patch Status Patched Published Apr 9, 2026 Affected Software Royal WordPress Backup, 
Restore & Migration Plugin – Backup WordPress Sites Safely [royal-backup-reset] Researcher Abi Wiranata More Details > Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-0811 Patch Status Patched Published Apr 8, 2026 Affected Software Advanced Contact form 7 DB [advanced-cf7-db] Researcher Kai Aizen More Details > AM LottiePlayer <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2025-1794 Patch Status Unpatched Published Apr 7, 2026 Affected Software AM LottiePlayer [am-lottieplayer] Researcher Alex Thomas More Details > Attendance Manager <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'attmgr_off' Parameter 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-3781 Patch Status Unpatched Published Apr 7, 2026 Affected Software Attendance Manager [attendance-manager] Researcher Maurice Fielenbach (Hexastrike) More Details > Download Monitor <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-4401 Patch Status Patched Published Apr 7, 2026 Affected Software Download Monitor [download-monitor] Researcher Kirasec More Details > Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-4065 Patch Status Patched Published Apr 7, 2026 Affected Software Smart Slider 3 [smart-slider-3] Researcher darkmode More Details > Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-3358 Patch Status Patched Published Apr 10, 2026 Affected Software Tutor LMS – eLearning and online course solution [tutor] Researcher Mohammad Amin Hajian (mamadrce) More Details > WP-Optimize <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and 
Image Manipulation 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-2712 Patch Status Patched Published Apr 9, 2026 Affected Software WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance [wp-optimize] Researcher Dmitrii Ignatyev More Details > Ziggeo <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'ziggeo_ajax' AJAX Action 5.4 CVSS Rating 5.4 (Medium) CVE-ID CVE-2026-4124 Patch Status Patched Published Apr 8, 2026 Affected Software Ziggeo [ziggeo] Researcher Nabil Irawan More Details > Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-4654 Patch Status Patched Published Apr 7, 2026 Affected Software Awesome Support – WordPress HelpDesk & Support Plugin [awesome-support] Researcher Michael Iden (Mickhat) More Details > Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2025-14944 Patch Status Patched Published Apr 6, 2026 Affected Software BackupBliss – Backup & Migration with Free Cloud Storage [backup-backup] Researcher 0N0ise More Details > BackupBliss – Backup & Migration with Free Cloud Storage <= 2.1.1 - Unauthenticated Information Exposure 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-39480 Patch Status Patched Published Apr 8, 2026 Affected Software BackupBliss – Backup & Migration with Free Cloud Storage [backup-backup] Researcher ch4r0n More Details > Bricksforge <= 3.1.8.4 - Unauthenticated Information Exposure 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-34888 Patch Status Patched Published Apr 6, 2026 Affected Software Bricksforge [bricksforge] Researcher luc More Details > Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated 
Donation Status Forgery via Stripe Webhook 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-3177 Patch Status Patched Published Apr 6, 2026 Affected Software Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More [charitable] Researcher Andrés Cruciani More Details > Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-4664 Patch Status Patched Published Apr 9, 2026 Affected Software Customer Reviews for WooCommerce [customer-reviews-woocommerce] Researcher kai63001 More Details > Event Tickets Manager for WooCommerce <= 1.5.3 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-34898 Patch Status Patched Published Apr 7, 2026 Affected Software Event Tickets Manager for WooCommerce [event-tickets-manager-for-woocommerce] Researcher Nguyen Ba Khanh More Details > Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-2263 Patch Status Patched Published Apr 7, 2026 Affected Software Hustle – Email Marketing, Lead Generation, Optins, Popups [wordpress-popup] Researcher Nguyen C More Details > IDPay Payment Gateway for Woocommerce <= 2.2.5 - Unauthenticated Information Exposure 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-34891 Patch Status Unpatched Published Apr 6, 2026 Affected Software IDPay Payment Gateway for Woocommerce [woo-idpay-gateway] Researcher Chawabhon Netisingha (JNX03) More Details > Link Whisper Free < 0.9.1 - Missing Authorization to Unauthenticated Settings Change 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-1900 Patch Status Patched Published Apr 7, 2026 Affected Software Link Whisper Free [link-whisper] Researcher ibrahimsql More Details > LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated 
Settings Update 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-3646 Patch Status Patched Published Apr 7, 2026 Affected Software LTL Freight Quotes – R+L Carriers Edition [ltl-freight-quotes-rl-edition] Researcher Poli More Details > LTL Freight Quotes – Worldwide Express Edition <= 5.2.1 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-34899 Patch Status Patched Published Apr 7, 2026 Affected Software LTL Freight Quotes – Worldwide Express Edition [ltl-freight-quotes-worldwide-express-edition] Researcher Legion Hunter More Details > MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-4299 Patch Status Patched Published Apr 7, 2026 Affected Software MainWP Child Reports [mainwp-child-reports] Researcher Hunter Jensen (skid) More Details > Masteriyo LMS – Online Course Builder for eLearning, LMS & Education <= 2.1.5 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-39524 Patch Status Patched Published Apr 8, 2026 Affected Software Masteriyo LMS – Online Course Builder for eLearning, LMS & Education [learning-management-system] Researcher davidfdzmorilla More Details > Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-5167 Patch Status Patched Published Apr 7, 2026 Affected Software Masteriyo LMS – Online Course Builder for eLearning, LMS & Education [learning-management-system] Researcher Md. 
Moniruzzaman Prodhan (NomanProdhan) More Details > Online Scheduling and Appointment Booking System – Bookly <= 27.0 - Unauthenticated Price Manipulation via 'tips' 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-2519 Patch Status Patched Published Apr 8, 2026 Affected Software Online Scheduling and Appointment Booking System – Bookly [bookly-responsive-appointment-booking-tool] Researcher Youssef Elouaer More Details > PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-3477 Patch Status Unpatched Published Apr 7, 2026 Affected Software PZ Frontend Manager [pz-frontend-manager] Researcher theviper17y More Details > Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-3594 Patch Status Unpatched Published Apr 7, 2026 Affected Software Riaxe Product Customizer [riaxe-product-customizer] Researcher Kai Aizen More Details > Timetics – Appointment Booking & Scheduling <= 1.0.53 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-39432 Patch Status Patched Published Apr 7, 2026 Affected Software Timetics – Appointment Booking & Scheduling [timetics] Researcher Simone Maion More Details > WP Directory Kit <= 1.5.0 - Missing Authorization 5.3 CVSS Rating 5.3 (Medium) CVE-ID CVE-2026-39534 Patch Status Patched Published Apr 8, 2026 Affected Software WP Directory Kit [wpdirectorykit] Researcher Martín Martín More Details > UsersWP <= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter 5.0 CVSS Rating 5.0 (Medium) CVE-ID CVE-2026-4979 Patch Status Patched Published Apr 10, 2026 Affected Software UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP [userswp] Researcher s00me00ne More Details > Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter 4.7 
CVSS Rating 4.7 (Medium) CVE-ID CVE-2026-4406 Patch Status Patched Published Apr 7, 2026 Affected Software Gravity Forms [gravityforms] Researcher Anthony Cihan (Hann1bl3L3ct3r) More Details > Experto Dashboard for WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting 4.4 CVSS Rating 4.4 (Medium) CVE-ID CVE-2026-3574 Patch Status Patched Published Apr 8, 2026 Affected Software Experto Dashboard for WooCommerce [experto-custom-dashboard] Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field 4.4 CVSS Rating 4.4 (Medium) CVE-ID CVE-2026-5169 Patch Status Unpatched Published Apr 7, 2026 Affected Software Inquiry form to posts or pages [inquiry-form-to-posts-or-pages] Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Whole Enquiry Cart for WooCommerce <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter 4.4 CVSS Rating 4.4 (Medium) CVE-ID CVE-2026-2838 Patch Status Unpatched Published Apr 7, 2026 Affected Software Whole Enquiry Cart for WooCommerce [whole-cart-enquiry] Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Advanced CF7 DB <= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-0814 Patch Status Patched Published Apr 8, 2026 Affected Software Advanced Contact form 7 DB [advanced-cf7-db] Researcher Kai Aizen More Details > Aruba HiSpeed Cache <= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-1924 Patch Status Patched Published Apr 9, 2026 Affected Software Aruba HiSpeed Cache [aruba-hispeed-cache] Researcher Legion Hunter More Details > BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy 
Term Deletion 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-1673 Patch Status Patched Published Apr 7, 2026 Affected Software BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net [woo-bulk-editor] Researcher Dmitrii Ignatyev More Details > Blog2Social: Social Media Auto Post & Scheduler <= 8.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-4330 Patch Status Patched Published Apr 7, 2026 Affected Software Blog2Social: Social Media Auto Post & Scheduler [blog2social] Researcher s00me00ne More Details > Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-4057 Patch Status Patched Published Apr 9, 2026 Affected Software Download Manager [download-manager] Researcher Or Benit More Details > MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-3568 Patch Status Patched Published Apr 8, 2026 Affected Software MStore API – Create Native Android & iOS Apps On The Cloud [mstore-api] Researcher Osvaldo Noe Gonzalez Del Rio (Os) More Details > Ocean Extra <= 2.5.3 - Missing Authorization 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-34903 Patch Status Patched Published Apr 7, 2026 Affected Software Ocean Extra [ocean-extra] Researcher Nguyen Ba Khanh More Details > Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-4141 Patch Status Unpatched Published Apr 7, 2026 Affected Software Quran Translations [quran-translations-by-edc] Researcher afnaan More Details > Simple Social Media Share Buttons – Social Sharing for Everyone <= 6.2.0 - Cross-Site Request Forgery 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-34904 Patch Status Patched Published 
Apr 7, 2026 Affected Software Simple Social Media Share Buttons – Social Sharing for Everyone [simple-social-buttons] Researcher Carlos Ferreira More Details > Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-3371 Patch Status Patched Published Apr 10, 2026 Affected Software Tutor LMS – eLearning and online course solution [tutor] Researcher Hunter Jensen (skid) More Details > Under Construction, Coming Soon & Maintenance Mode <= 2.1.1 - Cross-Site Request Forgery 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-34896 Patch Status Patched Published Apr 7, 2026 Affected Software Under Construction, Coming Soon & Maintenance Mode [under-construction-maintenance-mode] Researcher Carlos Ferreira More Details > UsersWP <= 1.2.58 - Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-4977 Patch Status Patched Published Apr 9, 2026 Affected Software UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP [userswp] Researcher nquangit More Details > WPAMS - Apartment Management System for wordpress < 49.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion 4.3 CVSS Rating 4.3 (Medium) CVE-ID CVE-2026-39433 Patch Status Patched Published Apr 7, 2026 Affected Software WPAMS - Apartment Management System for wordpress [apartment-management] Researcher Denver Jackson More Details > As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. 
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026) appeared first on Wordfence.
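The practical follow-up to a list like this is matching it against what a site actually runs. The script below is an added example and not Wordfence's code: it takes a hand-copied subset of the rows above (plugin slug, affected version range, CVE, patch status) and checks them against a plugin inventory in the shape of WP-CLI's `wp plugin list --format=json` output. The inventory is constructed sample data. Versions are compared numerically component by component, so 1.6.10 is treated as newer than 1.6.9.27 and 1.2 as equal to 1.2.0, which a plain string comparison gets wrong. Note that a "<= X" row only bounds the affected range and does not name the fixed release, so the action for a "Patched" hit is to update to the current release; an "Unpatched" hit has no fix to apply.

```python
"""Match installed plugin versions against affected ranges from the report above.

Added example, not Wordfence's code. ADVISORIES is a hand-copied subset of the
report table; SAMPLE_WP_PLUGIN_LIST is constructed data shaped like
`wp plugin list --format=json` output.
"""
import json
import re
from dataclasses import dataclass

# (slug, affected range, CVE, patch status) copied from the table above.
# "<= X": every version up to and including X is affected.
# "< X":  X is the release that removed the bug.
ADVISORIES = [
    ("solene-core", "<= 2.3.2", "CVE-2026-39523", "Patched"),
    ("thegov-core", "< 2.0.23", "CVE-2026-34893", "Patched"),
    ("blocksy-companion-pro", "< 2.1.29", "CVE-2026-39596", "Patched"),
    ("simply-schedule-appointments", "<= 1.6.9.27", "CVE-2026-39493", "Patched"),
    ("tutor", "<= 3.9.7", "CVE-2026-3360", "Patched"),
    ("userswp", "<= 1.2.60", "CVE-2026-5742", "Patched"),
    ("userswp", "<= 1.2.58", "CVE-2026-4979", "Patched"),
    ("gerador-de-certificados-devapps", "<= 1.3.6", "CVE-2026-4808", "Unpatched"),
]

# Constructed sample inventory (same fields WP-CLI emits: name, status, version).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "tutor", "status": "active", "version": "3.9.7"},
    {"name": "blocksy-companion-pro", "status": "active", "version": "2.1.29"},
    {"name": "userswp", "status": "active", "version": "1.2.59"},
    {"name": "simply-schedule-appointments", "status": "inactive", "version": "1.6.10"},
    {"name": "gerador-de-certificados-devapps", "status": "active", "version": "1.3.6"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])

_CONSTRAINT = re.compile(r"^(<=|<)\s*([0-9][0-9.]*)$")


def parse_version(text):
    """'1.6.9.27' -> (1, 6, 9, 27). A pre-release suffix such as '2.0-beta1'
    is dropped, so a pre-release compares as its base version."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip())
    if not core:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def version_lt(a, b):
    """Component-wise numeric comparison; missing components count as 0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_affected(installed, constraint):
    """True if `installed` falls inside a '< X' or '<= X' affected range."""
    match = _CONSTRAINT.match(constraint)
    if not match:
        raise ValueError(f"unsupported range: {constraint!r}")
    op, bound = match.group(1), parse_version(match.group(2))
    current = parse_version(installed)
    if op == "<":
        return version_lt(current, bound)
    return not version_lt(bound, current)   # current <= bound


@dataclass(frozen=True)
class Exposure:
    slug: str
    installed: str
    cve: str
    affected_range: str
    patch_status: str


def find_exposures(wp_plugin_list_json, advisories=ADVISORIES):
    """Return one Exposure per (installed plugin, advisory) pair that matches."""
    installed = {p["name"]: p["version"] for p in json.loads(wp_plugin_list_json)}
    hits = []
    for slug, rng, cve, status in advisories:
        if slug in installed and is_affected(installed[slug], rng):
            hits.append(Exposure(slug, installed[slug], cve, rng, status))
    return hits


if __name__ == "__main__":
    for e in find_exposures(SAMPLE_WP_PLUGIN_LIST):
        action = "update to the current release" if e.patch_status == "Patched" \
            else "no fix available: deactivate or remove"
        print(f"{e.slug} {e.installed} is affected by {e.cve} ({e.affected_range}); {action}")
```

On the sample inventory this reports tutor 3.9.7 (on the "<= 3.9.7" boundary), userswp 1.2.59 (inside "<= 1.2.60" but outside "<= 1.2.58") and the unpatched certificate generator; blocksy-companion-pro 2.1.29 is the fixed release for a "< 2.1.29" range and is correctly left out, as is simply-schedule-appointments 1.6.10, which only a string comparison would place below 1.6.9.27. To run it against a real site, replace SAMPLE_WP_PLUGIN_LIST with the output of `wp plugin list --format=json` and extend ADVISORIES from the table.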
Source: www.wordfence.com