Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)
Author: Chloe Chamberland
Last week, there were 277 vulnerabilities disclosed in 184 WordPress Plugins and 70 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 94 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 35,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
WP Maps Pro <= 6.1.0 – Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
Woocommerce Custom Product Addons Pro <= 5.4.1 – Unauthenticated Remote Code Execution via Custom Pricing Formula
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status: Number of Vulnerabilities
Patched: 131
Unpatched: 146
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating: Number of Vulnerabilities
Low Severity: 2
Medium Severity: 159
High Severity: 106
Critical Severity: 10
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE: Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): 77
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): 58
Missing Authorization: 56
Cross-Site Request Forgery (CSRF): 19
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): 16
Deserialization of Untrusted Data: 9
Authorization Bypass Through User-Controlled Key: 6
Exposure of Sensitive Information to an Unauthorized Actor: 6
Improper Privilege Management: 5
Improper Control of Generation of Code ('Code Injection'): 4
Incorrect Privilege Assignment: 4
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): 3
Unrestricted Upload of File with Dangerous Type: 3
Improper Authentication: 2
Authentication Bypass by Alternate Name: 1
External Control of File Name or Path: 1
Improper Restriction of Excessive Authentication Attempts: 1
Insufficient Verification of Data Authenticity: 1
Missing Authentication for Critical Function: 1
Server-Side Request Forgery (SSRF): 1
Uncontrolled Resource Consumption: 1
URL Redirection to Untrusted Site ('Open Redirect'): 1
Weak Password Recovery Mechanism for Forgotten Password: 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name: Number of Vulnerabilities
Bonds: 35
Tran Nguyen Bao Khanh: 28
Muhammad Yudha - DJ: 16
João Pedro Soares de Alcântara: 10
Gilang - DJ: 9
MAJidox: 9
dodoh4t: 9
zakaria: 7
afnaan: 7
hhhai: 7
daroo: 6
timomangcut: 6
Phat RiO: 6
Legion Hunter: 6
she11f: 4
Osvaldo Noe Gonzalez Del Rio (Os): 4
Nabil Irawan: 4
kai63001: 4
0xd4rk5id3: 4
Muhammad Nur Ibnu Hubab: 4
san6051: 4
Nguyen Ba Khanh: 2
Supakiad S. (m3ez): 2
Dmitrii Ignatyev: 2
Jack Pas (Dark.): 2
ZAST.AI: 2
Athiwat Tiprasaharn (Jitlada): 2
Denver Jackson: 2
johska: 2
Louis Deschanel (JeanJeanLeHaxor): 2
Pascal SUN: 2
ParkHyunWoo: 2
lucky_buddy: 2
Nguyen Ngoc Duc (duc193): 2
Osvaldo Noe Gonzalez Del Rio (Os) - krei.dev | ogbuilders.io: 2
mikemyers: 2
0xzenko: 2
Sarawut Poolkhet (MisterHelloz): 2
Naoya Takahashi (nakko): 1
NumeX: 1
Kirasec: 1
Steven Julian: 1
Peter Thaleikis: 1
theviper17: 1
Chiao-Lin Yu (Steven Meow): 1
Long Lagon: 1
stealthcopter: 1
Benedictus Jovan (aillesiM): 1
Or Benit: 1
Bao - BlueRock: 1
HieuPenguin: 1
theviper17y: 1
a1batr0ss: 1
Satoo Nakano: 1
Muni Nitish Kumar Yaddala (Stranger825): 1
t0ann9uy3n: 1
w1zard: 1
darkmode: 1
David Brown: 1
Abu Hurayra (HurayraIIT): 1
Win3: 1
Peng Zhou: 1
devploit: 1
John P: 1
Drew Webber (mcdruid): 1
Ren Voza: 1
Quốc Huy (jtwings): 1
Farrukh Ziyaev: 1
lhking: 1
ISMAILSHADOW: 1
jamaal: 1
SSL-6-s0d: 1
Maurice Fielenbach (Hexastrike): 1
cuokon: 1
Cyrille COQUARD: 1
Irwan Kusuma: 1
ammonia: 1
Trương Hữu Phúc (truonghuuphuc): 1
Nguyen Quang Truong: 1
ChuongVN: 1
Tiago Ventura (perses): 1
Mateusz Gierblinski: 1
davidfdzmorilla: 1
Abdulsamad Yusuf (0xVenus): 1
Itthidej Aramsri (Boeing777): 1
Bas Albers: 1
abrahack: 1
type5afe: 1
Ilay Striechman: 1
Azril Fathoni (kiseki): 1
winrace: 1
g0wthr: 1
Dave Jong: 1
bosz: 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name [Software Slug]
3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On [ar-vr-3d-model-try-on]
a3 Lazy Load [a3-lazy-load]
Accept Stripe Payments [stripe-payments]
Admin Chat Management [admin-chat-box]
Adminimize [adminimize]
Advanced Custom Fields (ACF®) [advanced-custom-fields]
Advanced Custom Fields: Extended [acf-extended]
Advanced Custom Fields: Font Awesome Field [advanced-custom-fields-font-awesome]
Advanced IP Blocker [advanced-ip-blocker]
Affiliate Super Assistent [amazonsimpleadmin]
affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display [affiliate-toolkit-starter]
AI Engine – The Chatbot, AI Framework & MCP for WordPress [ai-engine]
Animate Your Content [animate-your-content]
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager [service-booking-manager]
Auto Affiliate Links [wp-auto-affiliate-links]
auto making JSON-LD [auto-making-json-ld]
Auto Thumbnails [automatic-thumbnail]
Autoship Cloud for WooCommerce Subscription Products [autoship-cloud]
B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More [b2bking-wholesale-for-woocommerce]
Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots [bp-better-messages]
BitForm – Data management solution for WordPress [bitform]
Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar [booking-manager]
Breeze Cache [breeze]
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP [videowhisper-live-streaming-integration]
CDN Linker lite [ossdl-cdn-off-linker]
cformsII [cforms2]
CloudSecure WP Security [cloudsecure-wp-security]
CM Ad Changer – A simple tool to control and optimize your site's banners [cm-ad-changer]
Contact Form 7 – PayPal & Stripe Add-on [contact-form-7-paypal-add-on]
Content Slideshow [content-slideshow]
Crawlomatic Multipage Scraper Post Generator [crawlomatic-multipage-scraper-post-generator]
Cryptocurrency Prijsvergelijking Widget [cryptocurrency-prijsvergelijking-widget]
DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer [3d-flipbook-dflip-lite]
Dideo [wp-dideo]
Disable Comments & Delete All Comments [comments-plus]
Duplicate Page and Post [duplicate-wp-page-post]
E-cab Taxi Booking Manager for Woocommerce [ecab-taxi-booking-manager]
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy [easy-digital-downloads]
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder [easy-form-builder]
Easy Prism Syntax Highlighter [easy-prism-syntax-highlighter]
Easy Updates Manager [stops-core-theme-and-plugin-updates]
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite]
Enable jQuery Migrate Helper [enable-jquery-migrate-helper]
Endless Scroll [endless-scroll]
EnvíaloSimple: Email Marketing y Newsletters [envialosimple-email-marketing-y-newsletters-gratis]
Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance [accessibility-checker]
Event Booking Manager for WooCommerce [mage-eventpress]
EventPrime – Events Calendar, Bookings and Tickets [eventprime-event-calendar-management]
Events In City [events-in-city]
Events Schedule - WordPress Events Calendar Plugin [weekly-class]
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder [everest-forms]
Export WordPress Pages to Static HTML & PDF — Static Site Export [export-wp-page-to-static-html]
faq shortocde [faq-shortcode]
Favicon by RealFaviconGenerator [favicon-by-realfavicongenerator]
Feeds for TikTok – Display Video Feeds in Grid Layouts [b-tiktok-feed]
Felan Framework [felan-framework]
FlexTable – Data Table Sync with Google Sheets [sheets-to-wp-table-live-sync]
Formidable Kinetic [formidable-kinetic]
FOX – Currency Switcher Professional for WooCommerce [woocommerce-currency-switcher]
Frontend Admin by DynamiApps [acf-frontend-form-element]
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress [gamipress]
GBI To Print [gbi-to-print]
GenerateBlocks [generateblocks]
Genzel breadcrumbs [genzel-breadcrumbs]
Geo Mashup [geo-mashup]
GEO my WP [geo-my-wp]
Github Shortcode [github-shortcode]
GNTT Post Title Ticker [gntt-post-title-ticker]
Google+ Link Name [google-plus-name-link-popup-badge]
GoStats for WordPress [gostats-for-wordpress]
GutenBee – Gutenberg Blocks [gutenbee]
Gutenverse – WordPress Blocks, Page Builder & Site Editor [gutenverse]
hk_shortcode [hk-shortcode]
HT Contact Form – Drag & Drop Form Builder for WordPress [ht-contactform]
Independent Analytics – WordPress Analytics Plugin [independent-analytics]
Instant-Quote.co Quotation Page [iq-quotation-page]
Islamic Database [islamic-database]
iWR Tooltip [iwr-tooltip]
jQuery googleslides [jquery-googleslides]
KiviCare – Clinic & Patient Management System (EHR) [kivicare-clinic-management-system]
Link Whisper Free [link-whisper]
Listen Shortcode [listen-shortcode]
LiteSpeed Cache [litespeed-cache]
Livemesh Addons for Beaver Builder [addons-for-beaver-builder]
Livemesh SiteOrigin Widgets [livemesh-siteorigin-widgets]
LiveSmart Video Chat Live Video Chat [new-dev-livesmart-video-chat]
Login No Captcha reCAPTCHA [login-recaptcha]
Login with NEAR [near-login]
Login with OTP [otp-login]
Master Slider – Responsive Touch Slider [master-slider]
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates [learning-management-system]
Mayosis Core [mayosis-core]
Media Library Assistant [media-library-assistant]
Meta Field Block – Display custom fields in the Block Editor without coding [display-a-meta-field-as-block]
Meta for WooCommerce [facebook-for-woocommerce]
MetaMagic SEO Plugin [metamagic]
MinhNhut Link Gateway [minhnhut-link-gateway]
Modula Image Gallery – Photo Grid & Video Gallery [modula-best-grid-gallery]
Mutual Funds Data [mutual-funds-data]
My Email Shortcode [my-email-shortcode]
myLinksDump [mylinksdump]
Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend [views-for-ninja-forms]
NS Product icon badge [product-icon-badge]
Old Posts Highlighter [old-posts-highlighter]
Organization chart [organization-chart]
OTP Login With Phone Number, OTP Verification [login-with-phone-number]
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]
PDF Embedder [pdf-embedder]
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) [peachpay-for-woocommerce]
Photo Gallery by 10Web – Mobile-Friendly Image Gallery [photo-gallery]
Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls [poll-maker]
Post Categories Gallery [post-category-gallery]
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App [post-smtp]
Post Snippets – Custom WordPress Code Snippets Customizer [post-snippets]
Product Import Export for WooCommerce – Import Export Product CSV Suite [product-import-export-for-woo]
QR Redirector [qr-redirector]
Quads Ads Manager for Google AdSense [quick-adsense-reloaded]
Query Shortcode [query-shortcode]
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings [seo-by-rank-math]
Realtyna Organic IDX plugin + WPL Real Estate [real-estate-listing-realtyna-wpl]
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress [computer-repair-shop]
Responsive Check [responsive-checker-real-time]
Responsive Video Embedder [responsive-video-embedder]
rexCrawler [rexcrawler]
RSVP and Event Management [rsvp]
Search Analytics for WP [search-analytics]
Search Simple Fields [search-simple-fields]
SeedProd Pro [seedprod-coming-soon-pro-5]
SePay Gateway [sepay-gateway]
Shariff Wrapper [shariff]
ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin [woolentor-addons]
Shortcode Buddy [shortcode-buddy]
Simple Divi Shortcode [simple-divi-shortcode]
Simple History – Track, Log, and Audit WordPress Changes [simple-history]
Single Mailchimp [single-mailchimp]
SlimStat Analytics [wp-slimstat]
Smart Online Order for Clover [clover-online-orders]
SMTP2GO for WordPress – Email Made Easy [smtp2go]
Spectra Gutenberg Blocks – Website Builder for the Block Editor [ultimate-addons-for-gutenberg]
Splide Carousel Block [splide-carousel]
StatCounter – Free Real Time Visitor Stats [official-statcounter-plugin-for-wordpress]
Style Kits for Elementor [analogwp-templates]
Subscription & Recurring Payment for WooCommerce [subscription]
Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers [sunshine-photo-cart]
Support Ticket Management System for WordPress [support_ticket]
SVG Support [svg-support]
sw_core [sw_core]
Sweet Date Core [sweetdate-core]
TableOn – WordPress Posts Table Filterable [posts-table-filterable]
Tainacan [tainacan]
Team Master – A Modern WordPress Team Showcase [team-master]
Team Showcase [team]
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce [the-plus-addons-for-elementor-page-builder]
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid [the-post-grid]
Timetable and Event Schedule by MotoPress [mp-timetable]
Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution [tour-booking-manager]
Tuxquote [tuxquote]
Two-factor authentication (formerly IP Vault) [ip-vault-wp-firewall]
Unlimited Elements For Elementor [unlimited-elements-for-elementor]
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
Views for WPForms – Display & Edit WPForms Entries on your site frontend [views-for-wpforms-lite]
VikBooking Hotel Booking Engine & PMS [vikbooking]
Visualizer: Tables and Charts Manager for WordPress [visualizer]
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace [wc-multivendor-membership]
WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce [webinar-ignition]
Woocommerce Envato Affiliates [wooenvato]
WooCommerce Infinite Scroll and Ajax Pagination [sb-woocommerce-infinite-scrol]
WP AutoBuzz [wp-autobuzz]
WP Contact Form 7 DB Handler [wp-contact-form-7-db-handler]
WP Iframe Geo Style for Amazon affiliates [wp-iframe-geo-style-for-amazon-affiliates]
WP Maps Pro [wp-google-map-gold]
WP Meta and Date Remover [wp-meta-and-date-remover]
WP Promoter [wp-promoter]
WP Travel Pro [wp-travel-pro]
WPBakery Page Builder Addons by Livemesh [addons-for-visual-composer]
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager [insert-headers-and-footers]
WPComplete [wpcomplete]
WPCS – WordPress Currency Switcher Professional [currency-switcher]
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More [wpforms-lite]
WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce [wpify-woo]
Xpro Elementor Addons - Pro [xpro-elementor-addons-pro]
Yoast SEO – Advanced SEO with real-time guidance and built-in AI [wordpress-seo]
WordPress Themes with Reported Vulnerabilities Last Week
Software Name [Software Slug]
Abelle [abelle]
AirSupply | Conditioning Company and Heating Services WordPress Theme + RTL [air-supply]
Automotive Car Dealership Business WordPress Theme [automotive]
Brikk - Directory & Listing WordPress Theme [brikk]
CarZone - A Complete Car Dealer HTML Wire-Frame [carzone]
Choreo [choreo]
Confidant - Startup & Consulting Services WordPress Theme [confidant]
CopyPress [copypress]
Corbesier [corbesier]
Crafti - Handmade Store WordPress Theme [crafti]
Dazzle - Manufacturing & Factory Elementor Pro template Kit [dazzle]
Deliciosa [deliciosa]
Dom [dom]
Entrepreneur - Booking for Small Businesses WordPress Theme [entrepreneurx]
Eros [eros]
Especio - Food Blog Elementor Pro Template Kit [especio]
Etude - Design Agency & Branding Agency WordPress Theme [etude]
Eventicity [eventicity]
Fermentio — Brewery and Winemaking Restaurant WordPress Theme [fermentio]
Food Drop | Meal Ordering & Delivery Mobile App WordPress Theme [food-drop]
Fortius [fortius]
Gamic - Gaming Metaverse Game & Crypto WordPress Theme [gamic]
Gat [gat]
Genemy - Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing [genemy]
Geya - Renewable Energy & Ecology WordPress Theme [geya]
Gita [gita]
Grand Car Rental | Limousine HTML Template [grandcarrental]
Granola - SEO & Marketing Agency WordPress Theme [granola]
Grecko | Business WordPress Theme [grecko]
Gunslinger [gunslinger]
Home Health Care, Medical Care WordPress Theme - NanoCare [nanocare]
Hot Coffee | Coffee Shop & Cafe WordPress Theme [hot-coffee]
Imba [imba]
Ingenioso [ingenioso]
Iona - Handmade & Crafts Shop WordPress Theme [iona]
ITactics - IT Solutions & Digital Startup WordPress Theme + AI [itactics]
JobCareer [jobcareer]
Kelly Young [kelly-young]
Line Agency | Interior Design & Architecture WordPress Theme [lineagency]
LuxMed | Medicine & Healthcare Doctor WordPress Theme [luxmed]
MaxiNet - Internet & IPTV Provider Elementor Template Kit [maxinet]
Medeus [medeus]
Mission [mission]
Modernee [modernee]
Newses [newses]
Nexio [nexio]
Nyla - A Fresh & Modern WooCommerce Theme [nyla]
Orpheus [orpheus]
Planty [planty]
Plumbing - Plumber and Handyman WordPress Theme [plumbing-parts]
Preservation [preservation]
Printo [printo]
Putter [putter]
Qreatix – Interactive Portfolio WordPress Theme [qreatix]
quirky [quirky]
Reisen | Auto Store & Car Repair WordPress Theme [reisen]
Resurs - Physiotherapy & Psychology Rehabilitation WordPress Theme [resurs]
Roneous - Creative Multi-Purpose WordPress Theme [roneous]
Rosaleen [rosaleen]
SeaFood Company - Fish Restaurant WordPress Theme [seafood-company]
Skyward [skyward]
Snow Club | Ski Resort and Snowboard Classes WordPress Theme [snow-club]
snowy [snowy]
Spike - Volleyball Sports WordPress Theme [spike]
Spin - Cricket Team Sports WordPress Theme + AI [spin]
tipsy [tipsy]
Top Dog [top-dog]
Truemag [truemag]
Wanium - A Elegant Multi-Concept Theme [wanium]
WineShop - Food & Wine Store WordPress Theme [wineshop]
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-8809
Patch Status: Patched
Published: May 28, 2026
Affected Software: Advanced Custom Fields: Extended [acf-extended]
Researcher: daroo
Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-8760
Patch Status: Unpatched
Published: May 26, 2026
Affected Software: Login with OTP [otp-login]
Researcher: Irwan Kusuma
OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-3655
Patch Status: Patched
Published: May 28, 2026
Affected Software: OTP Login With Phone Number, OTP Verification [login-with-phone-number]
Researcher: lucky_buddy
Support Ticket Management System <= 1.9 - Unauthenticated Privilege Escalation
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2025-69179
Patch Status: Unpatched
Published: May 28, 2026
Affected Software: Support Ticket Management System for WordPress [support_ticket]
Researcher: Phat RiO
WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce < 4.08.253 - Unauthenticated Privilege Escalation
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-42758
Patch Status: Patched
Published: May 30, 2026
Affected Software: WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce [webinar-ignition]
Researcher: hhhai
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-8732
Patch Status: Patched
Published: May 28, 2026
Affected Software: WP Maps Pro [wp-google-map-gold]
Researcher: David Brown
CarZone - A Complete Car Dealer HTML Wire-Frame <= 3.7 - Unauthenticated Arbitrary File Deletion
CVSS Rating: 9.1 (Critical)
CVE-ID: CVE-2025-69139
Patch Status: Unpatched
Published: May 26, 2026
Affected Software: CarZone - A Complete Car Dealer HTML Wire-Frame [carzone]
Researcher: Tran Nguyen Bao Khanh
GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters
CVSS Rating: 9.1 (Critical)
Patch Status: Patched
Published: May 27, 2026
Affected Software: GEO my WP [geo-my-wp]
Researcher(s): Unknown
VikBooking Hotel Booking Engine & PMS <= 1.8.10 - Unauthenticated Arbitrary File Deletion
CVSS Rating: 9.1 (Critical)
CVE-ID: CVE-2026-42737
Patch Status: Unpatched
Published: May 27, 2026
Affected Software: VikBooking Hotel Booking Engine & PMS [vikbooking]
Researcher: dodoh4t
WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators
CVSS Rating: 9.1 (Critical)
CVE-ID: CVE-2026-4290
Patch Status: Unpatched
Published: May 28, 2026
Affected Software: WP Travel Pro [wp-travel-pro]
Researcher: Ren Voza
Crawlomatic Multipage Scraper Post Generator <= 2.7.2 - Authenticated (Author+) Remote Code Execution via 'callback_raw' Shortcode Attribute
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-9009
Patch Status: Patched
Published: May 27, 2026
Affected Software: Crawlomatic Multipage Scraper Post Generator [crawlomatic-multipage-scraper-post-generator]
Researcher: Nguyen Ngoc Duc (duc193)
Firebase Support & Chat Management <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-8787
Patch Status: Unpatched
Published: May 26, 2026
Affected Software: Admin Chat Management [admin-chat-box]
Researcher: Farrukh Ziyaev
Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-7802
Patch Status: Patched
Published: May 27, 2026
Affected Software: Frontend Admin by DynamiApps [acf-frontend-form-element]
Researcher: Tiago Ventura (perses)
Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-6226
Patch Status: Patched
Published: May 27, 2026
Affected Software: Frontend Admin by DynamiApps [acf-frontend-form-element]
Researcher: daroo
Genemy - Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing <= 1.6.6 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2025-69138
Patch Status: Unpatched
Published: May 26, 2026
Affected Software: Genemy - Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing [genemy]
Researcher: Tran Nguyen Bao Khanh
GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-9227
Patch Status: Patched
Published: May 27, 2026
Affected Software: GutenBee – Gutenberg Blocks [gutenbee]
Researcher: Athiwat Tiprasaharn (Jitlada)
Spectra Gutenberg Blocks <= 2.19.25 - Authenticated (Contributor+) Remote Code Execution via Arbitrary PHP Function Call via Block Attributes
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-7465
Patch Status: Patched
Published: May 29, 2026
Affected Software: Spectra Gutenberg Blocks – Website Builder for the Block Editor [ultimate-addons-for-gutenberg]
Researcher: kai63001
WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2025-11993
Patch Status: Unpatched
Published: May 28, 2026
Affected Software: WooCommerce Infinite Scroll and Ajax Pagination [sb-woocommerce-infinite-scrol]
Researcher: cuokon
WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-8832
Patch Status: Patched
Published: May 26, 2026
Affected Software: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager [insert-headers-and-footers]
Researcher: Win3
WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce <= 5.4.1 - Authenticated (Contributor+) Arbitrary File Upload
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-42748
Patch Status: Patched
Published: May 29, 2026
Affected Software: WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce [wpify-woo]
Researcher: kai63001
Abelle <= 1.22 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2025-69142
Patch Status: Unpatched
Published: May 26, 2026
Affected Software: Abelle [abelle]
Researcher: Bonds
AirSupply <= 2.0.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2025-69110
Patch Status: Unpatched
Published: May 26, 2026
Affected Software: AirSupply | Conditioning Company and Heating Services WordPress Theme + RTL [air-supply]
Researcher: Tran Nguyen Bao Khanh
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Unauthenticated PHP Object Injection
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2026-27053
Patch Status
Patched
Published
May 28, 2026
Affected Software
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP [videowhisper-live-streaming-integration]
Researcher
Phat RiO
Choreo <= 1.6 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69165
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Choreo [choreo]
Researcher
Bonds
Confidant - Startup & Consulting Services WordPress Theme <= 1.4 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-53440
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Confidant - Startup & Consulting Services WordPress Theme [confidant]
Researcher
Bonds
CopyPress <= 1.4.5 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69118
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
CopyPress [copypress]
Researcher
Tran Nguyen Bao Khanh
Corbesier <= 1.15.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69119
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Corbesier [corbesier]
Researcher
Tran Nguyen Bao Khanh
Crafti - Handmade Store WordPress Theme <= 1.12 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-58705
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Crafti - Handmade Store WordPress Theme [crafti]
Researcher
Bonds
Dazzle <= 1.0.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69120
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Dazzle - Manufacturing & Factory Elementor Pro template Kit [dazzle]
Researcher
Tran Nguyen Bao Khanh
Deliciosa <= 1.10.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69121
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Deliciosa [deliciosa]
Researcher
Tran Nguyen Bao Khanh
Dom <= 1.24 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69146
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Dom [dom]
Researcher
Bonds
Eros <= 1.3 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69167
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Eros [eros]
Researcher
Bonds
Especio - Food Blog Elementor Pro Template Kit <= 1.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69124
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Especio - Food Blog Elementor Pro Template Kit [especio]
Researcher
Tran Nguyen Bao Khanh
Etude <= 1.6 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69174
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Etude - Design Agency & Branding Agency WordPress Theme [etude]
Researcher
Bonds
Eventicity <= 1.5 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69170
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Eventicity [eventicity]
Researcher
Bonds
EventPrime – Events Calendar, Bookings and Tickets <= 4.3.2.1 - Unauthenticated PHP Object Injection
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2026-42687
Patch Status
Patched
Published
May 25, 2026
Affected Software
EventPrime – Events Calendar, Bookings and Tickets [eventprime-event-calendar-management]
Researcher
hhhai
Fermentio — Brewery and Winemaking Restaurant WordPress Theme <= 1.5.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-58897
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Fermentio — Brewery and Winemaking Restaurant WordPress Theme [fermentio]
Researcher
Tran Nguyen Bao Khanh
Food Drop <= 1.3 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69125
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Food Drop | Meal Ordering & Delivery Mobile App WordPress Theme [food-drop]
Researcher
Tran Nguyen Bao Khanh
Fortius <= 2.3.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69126
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Fortius [fortius]
Researcher
Tran Nguyen Bao Khanh
Gamic <= 1.15 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69157
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Gamic - Gaming Metaverse Game & Crypto WordPress Theme [gamic]
Researcher
Bonds
Gat <= 1.16 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69145
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Gat [gat]
Researcher
Bonds
Geya - Renewable Energy & Ecology WordPress Theme <= 1.15 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-58924
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Geya - Renewable Energy & Ecology WordPress Theme [geya]
Researcher
Bonds
Gita <= 1.11 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69160
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Gita [gita]
Researcher
Bonds
Granola <= 1.13 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69158
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Granola - SEO & Marketing Agency WordPress Theme [granola]
Researcher
Bonds
Grecko <= 5.17 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69162
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Grecko | Business WordPress Theme [grecko]
Researcher
Bonds
Gunslinger <= 1.7 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69166
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Gunslinger [gunslinger]
Researcher
Bonds
Hot Coffee <= 1.7 - Unauthenticated PHP Object Injection
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69108
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Hot Coffee | Coffee Shop & Cafe WordPress Theme [hot-coffee]
Researcher
Tran Nguyen Bao Khanh
Imba <= 1.5.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69106
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Imba [imba]
Researcher
Tran Nguyen Bao Khanh
Ingenioso <= 1.14.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69117
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Ingenioso [ingenioso]
Researcher
Tran Nguyen Bao Khanh
Iona <= 1.0.8 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69116
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Iona - Handmade & Crafts Shop WordPress Theme [iona]
Researcher
Tran Nguyen Bao Khanh
ITactics <= 1.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69176
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
ITactics - IT Solutions & Digital Startup WordPress Theme + AI [itactics]
Researcher
Bonds
Kelly Young <= 1.1.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69141
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Kelly Young [kelly-young]
Researcher
Bonds
Line Agency <= 1.3.1 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69175
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Line Agency | Interior Design & Architecture WordPress Theme [lineagency]
Researcher
Bonds
Login with NEAR <= 0.3.3 - Authentication Bypass via 'account' Parameter
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2026-8994
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Login with NEAR [near-login]
Researcher
g0wthr
LuxMed | Medicine & Healthcare Doctor WordPress <= 1.2.2 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69115
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
LuxMed | Medicine & Healthcare Doctor WordPress Theme [luxmed]
Researcher
Tran Nguyen Bao Khanh
MaxiNet - Internet & IPTV Provider Elementor Template Kit <= 1.2.10 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69114
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
MaxiNet - Internet & IPTV Provider Elementor Template Kit [maxinet]
Researcher
Tran Nguyen Bao Khanh
Medeus <= 1.14 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69150
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Medeus [medeus]
Researcher
Bonds
Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2026-6075
Patch Status
Patched
Published
May 28, 2026
Affected Software
Media Library Assistant [media-library-assistant]
Researcher
Jack Pas (Dark.)
Mission <= 1.22 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69143
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Mission [mission]
Researcher
Bonds
Modernee <= 1.6.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69105
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Modernee [modernee]
Researcher
Tran Nguyen Bao Khanh
Nexio <= 1.10.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69113
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Nexio [nexio]
Researcher
Tran Nguyen Bao Khanh
Orpheus <= 1.3 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69171
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Orpheus [orpheus]
Researcher
Bonds
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.23 - Unauthenticated PHP Object Injection
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2026-27333
Patch Status
Patched
Published
May 28, 2026
Affected Software
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]
Researcher
Phat RiO
Planty <= 1.14.0 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69112
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Planty [planty]
Researcher
Tran Nguyen Bao Khanh
Plumbing <= 1.6 - Unauthenticated PHP Object Injection
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69127
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Plumbing - Plumber and Handyman WordPress Theme [plumbing-parts]
Researcher
Tran Nguyen Bao Khanh
Preservation <= 1.10 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69144
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Preservation [preservation]
Researcher
Bonds
Printo <= 1.11 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69159
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Printo [printo]
Researcher
Bonds
Putter <= 1.17 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69147
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Putter [putter]
Researcher
Bonds
Quirky <= 1.23 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69148
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
quirky [quirky]
Researcher
Bonds
Reisen <= 1.4.1 - Unauthenticated PHP Object Injection
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69111
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Reisen | Auto Store & Car Repair WordPress Theme [reisen]
Researcher
Tran Nguyen Bao Khanh
Resurs <= 1.3 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69172
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Resurs - Physiotherapy & Psychology Rehabilitation WordPress Theme [resurs]
Researcher
Bonds
Roneous - Creative Multi-Purpose WordPress Theme <= 2.1.5 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69177
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Roneous - Creative Multi-Purpose WordPress Theme [roneous]
Researcher
João Pedro Soares de Alcântara
Rosaleen <= 2.8 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69107
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Rosaleen [rosaleen]
Researcher
Tran Nguyen Bao Khanh
SeaFood Company <= 1.4 - Unauthenticated PHP Object Injection
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69122
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
SeaFood Company - Fish Restaurant WordPress Theme [seafood-company]
Researcher
Tran Nguyen Bao Khanh
Skyward <= 1.10 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69164
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Skyward [skyward]
Researcher
Bonds
Snow Club <= 1.1 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69123
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Snow Club | Ski Resort and Snowboard Classes WordPress Theme [snow-club]
Researcher
Tran Nguyen Bao Khanh
Snowy <= 1.13 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69161
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
snowy [snowy]
Researcher
Bonds
Spike <= 1.2 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69168
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Spike - Volleyball Sports WordPress Theme [spike]
Researcher
Bonds
Spin - Cricket Team Sports WordPress Theme + AI <= 1.8 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-58707
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Spin - Cricket Team Sports WordPress Theme + AI [spin]
Researcher
Bonds
Tipsy <= 1.1 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69173
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
tipsy [tipsy]
Researcher
Bonds
Top Dog <= 1.0.5 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69149
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Top Dog [top-dog]
Researcher
Bonds
Truemag <= 4.3.14.2 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69178
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Truemag [truemag]
Researcher
João Pedro Soares de Alcântara
Wanium <= 1.9.8 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69136
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Wanium - A Elegant Multi-Concept Theme [wanium]
Researcher
Tran Nguyen Bao Khanh
WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce < 4.08.253 - Authenticated (Subscriber+) Arbitrary File Deletion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2026-42757
Patch Status
Patched
Published
May 30, 2026
Affected Software
WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce [webinar-ignition]
Researcher
hhhai
WineShop - Food & Wine Store WordPress Theme <= 3.17 - Unauthenticated Local File Inclusion
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2025-69163
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
WineShop - Food & Wine Store WordPress Theme [wineshop]
Researcher
Bonds
WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via 'contact_form' Parameter
8.1
CVSS Rating
8.1 (High)
CVE-ID
CVE-2026-6455
Patch Status
Patched
Published
May 27, 2026
Affected Software
WP Contact Form 7 DB Handler [wp-contact-form-7-db-handler]
Researchers
Louis Deschanel (JeanJeanLeHaxor), Pascal SUN
Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-7797
Patch Status
Patched
Published
May 27, 2026
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Researcher
daroo
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder <= 4.0.6 - Unauthenticated SQL Injection
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-42747
Patch Status
Patched
Published
May 28, 2026
Affected Software
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder [easy-form-builder]
Researcher
kai63001
Entrepreneur - Booking for Small Businesses WordPress <= 3.1.3 - Authenticated (Subscriber+) PHP Object Injection
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2025-69130
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Entrepreneur - Booking for Small Businesses WordPress Theme [entrepreneurx]
Researcher
0xd4rk5id3
GEO my WP <= 4.5.4 - Unauthenticated SQL Injection
7.5
CVSS Rating
7.5 (High)
Patch Status
Patched
Published
May 28, 2026
Affected Software
GEO my WP [geo-my-wp]
Researcher(s): Unknown
GEO my WP <= 4.5.5 - Unauthenticated SQL Injection via 'swlatlng' / 'nelatlng' Parameters
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-9757
Patch Status
Patched
Published
May 29, 2026
Affected Software
GEO my WP [geo-my-wp]
Researcher
Naoya Takahashi (nakko)
Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-9200
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Query Shortcode [query-shortcode]
Researcher
Muhammad Yudha - DJ
Realtyna Organic IDX plugin + WPL Real Estate <= 5.1.0 - Unauthenticated SQL Injection
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-45439
Patch Status
Patched
Published
May 26, 2026
Affected Software
Realtyna Organic IDX plugin + WPL Real Estate [real-estate-listing-realtyna-wpl]
Researcher
ParkHyunWoo
SeedProd Pro < 6.19.5 - Authenticated (Contributor+) Local File Inclusion
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-48972
Patch Status
Patched
Published
May 27, 2026
Affected Software
SeedProd Pro [seedprod-coming-soon-pro-5]
Researcher
João Pedro Soares de Alcântara
Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-7459
Patch Status
Patched
Published
May 29, 2026
Affected Software
Simple History – Track, Log, and Audit WordPress Changes [simple-history]
Researcher
lhking
SW Core <= 1.7.18 - Authenticated (Contributor+) Local File Inclusion
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-39661
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
sw_core [sw_core]
Researcher
João Pedro Soares de Alcântara
TableOn – WordPress Posts Table Filterable <= 1.0.5.1 - Unauthenticated SQL Injection
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-42755
Patch Status
Patched
Published
May 30, 2026
Affected Software
TableOn – WordPress Posts Table Filterable [posts-table-filterable]
Researcher
hhhai
Tainacan <= 1.0.3 - Unauthenticated SQL Injection
7.5
CVSS Rating
7.5 (High)
CVE-ID
CVE-2026-42740
Patch Status
Patched
Published
May 28, 2026
Affected Software
Tainacan [tainacan]
Researcher
hhhai
Advanced IP Blocker <= 8.10.7 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-42739
Patch Status
Patched
Published
May 28, 2026
Affected Software
Advanced IP Blocker [advanced-ip-blocker]
Researcher
Peng Zhou
Affiliate Super Assistent <= 1.10.1 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-42759
Patch Status
Patched
Published
May 30, 2026
Affected Software
Affiliate Super Assistent [amazonsimpleadmin]
Researcher
Nguyen Ba Khanh
affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-6169
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display [affiliate-toolkit-starter]
Researcher
Nguyen Quang Truong
AI Engine – The Chatbot, AI Framework & MCP for WordPress <= 3.4.9 - Authenticated (Editor+) Privilege Escalation
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-27407
Patch Status
Patched
Published
May 28, 2026
Affected Software
AI Engine – The Chatbot, AI Framework & MCP for WordPress [ai-engine]
Researcher
Phat RiO
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.10.6 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-39447
Patch Status
Patched
Published
May 28, 2026
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Researcher
devploit
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Authenticated (Admin+) Remote Code Execution
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-24937
Patch Status
Patched
Published
May 25, 2026
Affected Software
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP [videowhisper-live-streaming-integration]
Researcher
SSL-6-s0d
Favicon by RealFaviconGenerator <= 1.3.46 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-42754
Patch Status
Patched
Published
May 30, 2026
Affected Software
Favicon by RealFaviconGenerator [favicon-by-realfavicongenerator]
Researcher
dodoh4t
Geo Mashup <= 1.13.19 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-42734
Patch Status
Patched
Published
May 26, 2026
Affected Software
Geo Mashup [geo-mashup]
Researcher
she11f
Grand Car Rental | Limousine HTML Template <= 3.7 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2025-69151
Patch Status
Unpatched
Published
May 28, 2026
Affected Software
Grand Car Rental | Limousine HTML Template [grandcarrental]
Researcher
João Pedro Soares de Alcântara
HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-7052
Patch Status
Patched
Published
May 27, 2026
Affected Software
HT Contact Form – Drag & Drop Form Builder for WordPress [ht-contactform]
Researcher
Azril Fathoni (kiseki)
Link Whisper Free <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2025-11262
Patch Status
Patched
Published
May 28, 2026
Affected Software
Link Whisper Free [link-whisper]
Researcher
mikemyers
LiteSpeed Cache <= 7.7 - Unauthenticated Stored Cross-Site Scripting via QUIC.cloud CCSS/UCSS REST API Endpoints
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-3375
Patch Status
Patched
Published
May 26, 2026
Affected Software
LiteSpeed Cache [litespeed-cache]
Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-2374
Patch Status
Patched
Published
May 27, 2026
Affected Software
Login No Captcha reCAPTCHA [login-recaptcha]
Researcher
ISMAILSHADOW
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.6.2 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-48838
Patch Status
Patched
Published
May 28, 2026
Affected Software
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App [post-smtp]
Researcher
Drew Webber (mcdruid)
Qreatix <= 1.9.4 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2025-69104
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Qreatix – Interactive Portfolio WordPress Theme [qreatix]
Researcher
Tran Nguyen Bao Khanh
SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-7634
Patch Status
Patched
Published
May 27, 2026
Affected Software
SlimStat Analytics [wp-slimstat]
Researcher
Supakiad S. (m3ez)
Smart Online Order for Clover <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-42738
Patch Status
Patched
Published
May 27, 2026
Affected Software
Smart Online Order for Clover [clover-online-orders]
Researcher
she11f
WPCS – WordPress Currency Switcher Professional <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
7.2 (High)
CVE-ID
CVE-2026-42733
Patch Status
Patched
Published
May 25, 2026
Affected Software
WPCS – WordPress Currency Switcher Professional [currency-switcher]
Researcher
hhhai
Duplicate Page and Post <= 2.9.5 - Authenticated (Contributor+) SQL Injection
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-49046
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Duplicate Page and Post [duplicate-wp-page-post]
Researcher
timomangcut
Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-3279
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Enable jQuery Migrate Helper [enable-jquery-migrate-helper]
Researcher
Chiao-Lin Yu (Steven Meow)
Events Schedule - WordPress Events Calendar <= 2.7.2 - Authenticated (Subscriber+) SQL Injection
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2025-69135
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Events Schedule - WordPress Events Calendar Plugin [weekly-class]
Researcher
0xd4rk5id3
Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Tracking Route
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-5737
Patch Status
Patched
Published
May 27, 2026
Affected Software
Independent Analytics – WordPress Analytics Plugin [independent-analytics]
Researcher
Kirasec
Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-3173
Patch Status
Patched
Published
May 27, 2026
Affected Software
Meta Field Block – Display custom fields in the Block Editor without coding [display-a-meta-field-as-block]
Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend <= 3.3.2 - Authenticated (Contributor+) SQL Injection
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-42741
Patch Status
Patched
Published
May 28, 2026
Affected Software
Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend [views-for-ninja-forms]
Researcher
dodoh4t
Nyla <= 1.7 - Unauthenticated Arbitrary Shortcode Execution
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-39642
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Nyla - A Fresh & Modern WooCommerce Theme [nyla]
Researcher
João Pedro Soares de Alcântara
Photo Gallery by 10Web <= 1.8.40 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-7048
Patch Status
Patched
Published
May 27, 2026
Affected Software
Photo Gallery by 10Web – Mobile-Friendly Image Gallery [photo-gallery]
Researcher
Or Benit
Unlimited Elements For Elementor <= 2.0.8 - Authenticated (Contributor+) SQL Injection
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-48837
Patch Status
Patched
Published
May 26, 2026
Affected Software
Unlimited Elements For Elementor [unlimited-elements-for-elementor]
Researcher
daroo
Views for WPForms – Display & Edit WPForms Entries on your site frontend <= 3.4.6 - Authenticated (Contributor+) SQL Injection
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2026-42742
Patch Status
Patched
Published
May 28, 2026
Affected Software
Views for WPForms – Display & Edit WPForms Entries on your site frontend [views-for-wpforms-lite]
Researcher
dodoh4t
Xpro Elementor Addons - Pro <= 1.4.7 - Authenticated (Contributor+) Arbitrary File Read via Draw SVG
6.5
CVSS Rating
6.5 (Medium)
CVE-ID
CVE-2025-0898
Patch Status
Patched
Published
May 26, 2026
Affected Software
Xpro Elementor Addons - Pro [xpro-elementor-addons-pro]
Researcher
stealthcopter
a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-6427
Patch Status
Patched
Published
May 27, 2026
Affected Software
a3 Lazy Load [a3-lazy-load]
Researcher
theviper17y
Advanced Custom Fields: Font Awesome Field <= 5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-49044
Patch Status
Patched
Published
May 27, 2026
Affected Software
Advanced Custom Fields: Font Awesome Field [advanced-custom-fields-font-awesome]
Researcher
timomangcut
Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8872
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Animate Your Content [animate-your-content]
Researcher
Gilang - DJ
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
Patch Status
Patched
Published
May 26, 2026
Affected Software
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]
Researcher
Osvaldo Noe Gonzalez Del Rio (Os) - krei.dev | ogbuilders.io
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
Patch Status
Patched
Published
May 26, 2026
Affected Software
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]
Researcher
Osvaldo Noe Gonzalez Del Rio (Os) - krei.dev | ogbuilders.io
Animation Addons for Elementor <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Weather Widget
6.4
CVSS Rating
6.4 (Medium)
Patch Status
Patched
Published
May 26, 2026
Affected Software
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]
Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Auto Thumbnails <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8899
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Auto Thumbnails [automatic-thumbnail]
Researcher
Gilang - DJ
Automotive Car Dealership Business WordPress Theme <= 13.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Portfolio Project Details
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2025-14042
Patch Status
Patched
Published
May 28, 2026
Affected Software
Automotive Car Dealership Business WordPress Theme [automotive]
Researcher
Mateusz Gierblinski
BitForm <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8891
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
BitForm – Data management solution for WordPress [bitform]
Researcher
Muhammad Yudha - DJ
Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar <= 2.1.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-42751
Patch Status
Patched
Published
May 29, 2026
Affected Software
Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar [booking-manager]
Researcher
dodoh4t
Content Slideshow <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8873
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Content Slideshow [content-slideshow]
Researcher
Gilang - DJ
Cryptocurrency Prijsvergelijking Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8698
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Cryptocurrency Prijsvergelijking Widget [cryptocurrency-prijsvergelijking-widget]
Researcher
MAJidox
Dideo <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8847
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Dideo [wp-dideo]
Researcher
MAJidox
Easy Prism Syntax Highlighter <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8875
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Easy Prism Syntax Highlighter [easy-prism-syntax-highlighter]
Researcher
Gilang - DJ
Endless Scroll <= 1.0.0 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8703
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Endless Scroll [endless-scroll]
Researcher
MAJidox
Events In City <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8898
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Events In City [events-in-city]
Researcher
Gilang - DJ
faq shortocde <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8040
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
faq shortocde [faq-shortcode]
Researcher
zakaria
Formidable Kinetic <= 1.1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8871
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Formidable Kinetic [formidable-kinetic]
Researcher
Muhammad Yudha - DJ
GBI To Print <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'div' Shortcode Attribute
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8702
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
GBI To Print [gbi-to-print]
Researcher
MAJidox
Geo Mashup <= 1.13.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-27427
Patch Status
Patched
Published
May 26, 2026
Affected Software
Geo Mashup [geo-mashup]
Researcher
Muhammad Yudha - DJ
Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8042
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Github Shortcode [github-shortcode]
Researcher
zakaria
GNTT Post Title Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8701
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
GNTT Post Title Ticker [gntt-post-title-ticker]
Researcher
MAJidox
Google+ Link Name <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8842
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Google+ Link Name [google-plus-name-link-popup-badge]
Researcher
MAJidox
hk_shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8886
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
hk_shortcode [hk-shortcode]
Researcher
zakaria
Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8884
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Instant-Quote.co Quotation Page [iq-quotation-page]
Researcher
Muhammad Yudha - DJ
Islamic Database <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8845
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Islamic Database [islamic-database]
Researcher
MAJidox
iWR Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8894
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
iWR Tooltip [iwr-tooltip]
Researcher
Muhammad Yudha - DJ
jQuery googleslides <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8866
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
jQuery googleslides [jquery-googleslides]
Researcher
Gilang - DJ
Listen Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8887
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Listen Shortcode [listen-shortcode]
Researcher
zakaria
Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-3897
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Livemesh Addons for Beaver Builder [addons-for-beaver-builder]
Researcher
Muhammad Yudha - DJ
Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-3896
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Livemesh SiteOrigin Widgets [livemesh-siteorigin-widgets]
Researcher
Muhammad Yudha - DJ
LiveSmart Video Chat <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-9644
Patch Status
Patched
Published
May 27, 2026
Affected Software
LiveSmart Video Chat Live Video Chat [new-dev-livesmart-video-chat]
Researcher
Muhammad Yudha - DJ
Master Slider – Responsive Touch Slider <= 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-48968
Patch Status
Patched
Published
May 27, 2026
Affected Software
Master Slider – Responsive Touch Slider [master-slider]
Researcher
Peter Thaleikis
Modula Image Gallery – Photo Grid & Video Gallery <= 2.14.23 - Authenticated (Subscriber+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-42688
Patch Status
Patched
Published
May 26, 2026
Affected Software
Modula Image Gallery – Photo Grid & Video Gallery [modula-best-grid-gallery]
Researcher
Nguyen Ba Khanh
Mutual Funds Data <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8869
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Mutual Funds Data [mutual-funds-data]
Researcher
Muhammad Yudha - DJ
My Email Shortcode <= 0.91 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8048
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
My Email Shortcode [my-email-shortcode]
Researcher
zakaria
Post Categories Gallery <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8867
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Post Categories Gallery [post-category-gallery]
Researcher
Gilang - DJ
Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8844
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Responsive Check [responsive-checker-real-time]
Researcher
MAJidox
Responsive Video Embedder <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8877
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Responsive Video Embedder [responsive-video-embedder]
Researcher
Gilang - DJ
Shariff Wrapper <= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-4334
Patch Status
Patched
Published
May 27, 2026
Affected Software
Shariff Wrapper [shariff]
Researcher
Muhammad Yudha - DJ
Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8897
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Shortcode Buddy [shortcode-buddy]
Researcher
zakaria
Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-9714
Patch Status
Patched
Published
May 28, 2026
Affected Software
Simple Divi Shortcode [simple-divi-shortcode]
Researcher
Muhammad Yudha - DJ
Single Mailchimp <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8868
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Single Mailchimp [single-mailchimp]
Researcher
Gilang - DJ
Splide Carousel Block <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'url' Block Attribute
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-9022
Patch Status
Patched
Published
May 26, 2026
Affected Software
Splide Carousel Block [splide-carousel]
Researcher
ZAST.AI
StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-6275
Patch Status
Patched
Published
May 28, 2026
Affected Software
StatCounter – Free Real Time Visitor Stats [official-statcounter-plugin-for-wordpress]
Researcher
ZAST.AI
Style Kits – Advanced Theme Styles for Elementor <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Kit Title
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-6565
Patch Status
Patched
Published
May 26, 2026
Affected Software
Style Kits for Elementor [analogwp-templates]
Researchers
Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)
Team Master <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8870
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Team Master – A Modern WordPress Team Showcase [team-master]
Researcher
Muhammad Yudha - DJ
Team Showcase <= 1.22.28 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2025-62745
Patch Status
Unpatched
Published
May 25, 2026
Affected Software
Team Showcase [team]
Researcher
Muhammad Yudha - DJ
The Plus Addons for Elementor <= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-9243
Patch Status
Patched
Published
May 28, 2026
Affected Software
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce [the-plus-addons-for-elementor-page-builder]
Researcher
João Pedro Soares de Alcântara
Tuxquote <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8846
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Tuxquote [tuxquote]
Researcher
MAJidox
WP Iframe Geo Style for Amazon affiliates <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'adid' Shortcode Attribute
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-8837
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
WP Iframe Geo Style for Amazon affiliates [wp-iframe-geo-style-for-amazon-affiliates]
Researcher
zakaria
WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-2030
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
WPBakery Page Builder Addons by Livemesh [addons-for-visual-composer]
Researcher
Muhammad Yudha - DJ
WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-3895
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
WPBakery Page Builder Addons by Livemesh [addons-for-visual-composer]
Researcher
Muhammad Yudha - DJ
WPComplete <= 2.9.5.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
6.4
CVSS Rating
6.4 (Medium)
CVE-ID
CVE-2026-42750
Patch Status
Patched
Published
May 29, 2026
Affected Software
WPComplete [wpcomplete]
Researcher
hhhai
Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter
6.1
CVSS Rating
6.1 (Medium)
CVE-ID
CVE-2026-7660
Patch Status
Patched
Published
May 27, 2026
Affected Software
Easy Updates Manager [stops-core-theme-and-plugin-updates]
Researcher
Dmitrii Ignatyev
Felan Framework <= 1.1.3 - Reflected Cross-Site Scripting
6.1
CVSS Rating
6.1 (Medium)
CVE-ID
CVE-2025-22741
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Felan Framework [felan-framework]
Researcher
0xd4rk5id3
Gutenverse <= 3.4.6 - Reflected Cross-Site Scripting via 's' Parameter
6.1
CVSS Rating
6.1 (Medium)
CVE-ID
CVE-2026-3001
Patch Status
Patched
Published
May 26, 2026
Affected Software
Gutenverse – WordPress Blocks, Page Builder & Site Editor [gutenverse]
Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
MinhNhut Link Gateway <= 3.6.1 - Reflected Cross-Site Scripting via 'url' Parameter
6.1
CVSS Rating
6.1 (Medium)
CVE-ID
CVE-2026-3349
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
MinhNhut Link Gateway [minhnhut-link-gateway]
Researcher
san6051
NS Product icon badge <= 1.2.4 - Reflected Cross-Site Scripting via PHP_SELF
6.1
CVSS Rating
6.1 (Medium)
CVE-ID
CVE-2026-8707
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
NS Product icon badge [product-icon-badge]
Researcher
Abdulsamad Yusuf (0xVenus)
SweetDate Core < 1.1.5 - Reflected Cross-Site Scripting
6.1
CVSS Rating
6.1 (Medium)
CVE-ID
CVE-2025-69140
Patch Status
Patched
Published
May 26, 2026
Affected Software
Sweet Date Core [sweetdate-core]
Researcher
João Pedro Soares de Alcântara
WP AutoBuzz <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'googleAccount' Parameter
6.1
CVSS Rating
6.1 (Medium)
CVE-ID
CVE-2026-8911
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
WP AutoBuzz [wp-autobuzz]
Researcher
Muhammad Nur Ibnu Hubab
WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter
6.1
CVSS Rating
6.1 (Medium)
CVE-ID
CVE-2026-8906
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
WP Promoter [wp-promoter]
Researcher
Muhammad Nur Ibnu Hubab
ShopLentor - WooCommerce Builder for Elementor & Gutenberg <= 3.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Product Grid 'blockUniqId' Block Attribute
5.4
CVSS Rating
5.4 (Medium)
CVE-ID
CVE-2026-6287
Patch Status
Patched
Published
May 26, 2026
Affected Software
ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin [woolentor-addons]
Researcher
ammonia
Accept Stripe Payments <= 2.0.98 - Unauthenticated Payment Bypass
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42752
Patch Status
Patched
Published
May 29, 2026
Affected Software
Accept Stripe Payments [stripe-payments]
Researcher
dodoh4t
Advanced Custom Fields (ACF®) <= 6.8.1 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
Patch Status
Patched
Published
May 27, 2026
Affected Software
Advanced Custom Fields (ACF®) [advanced-custom-fields]
Researcher
Sarawut Poolkhet (MisterHelloz)
Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-8382
Patch Status
Patched
Published
May 30, 2026
Affected Software
Advanced Custom Fields (ACF®) [advanced-custom-fields]
Researcher
Sarawut Poolkhet (MisterHelloz)
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.11.5 - Unauthenticated Denial of Service
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-7493
Patch Status
Patched
Published
May 26, 2026
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Researcher
lucky_buddy
Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-6937
Patch Status
Patched
Published
May 27, 2026
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Researcher
winrace
Auto Affiliate Links <= 6.8.8.3 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-24592
Patch Status
Patched
Published
May 25, 2026
Affected Software
Auto Affiliate Links [wp-auto-affiliate-links]
Researcher
Nabil Irawan
Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots <= 2.14.16 - Unauthenticated Insecure Direct Object Reference
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42736
Patch Status
Patched
Published
May 27, 2026
Affected Software
Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots [bp-better-messages]
Researcher
dodoh4t
Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-2128
Patch Status
Patched
Published
May 28, 2026
Affected Software
Breeze Cache [breeze]
Researcher
Nguyen Ngoc Duc (duc193)
CloudSecure WP Security <= 1.4.7 - Two-Factor Authentication Bypass
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42411
Patch Status
Patched
Published
May 28, 2026
Affected Software
CloudSecure WP Security [cloudsecure-wp-security]
Researcher
0xzenko
Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-9189
Patch Status
Patched
Published
May 28, 2026
Affected Software
Contact Form 7 – PayPal & Stripe Add-on [contact-form-7-paypal-add-on]
Researcher
Muni Nitish Kumar Yaddala (Stranger825)
E-cab Taxi Booking Manager for Woocommerce <= 2.0.1 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-25426
Patch Status
Patched
Published
May 26, 2026
Affected Software
E-cab Taxi Booking Manager for Woocommerce [ecab-taxi-booking-manager]
Researcher
Bao - BlueRock
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor <= 3.9.6 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-49053
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite]
Researcher
Bonds
Event Booking Manager for WooCommerce <= 5.3.3 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-45441
Patch Status
Patched
Published
May 26, 2026
Affected Software
Event Booking Manager for WooCommerce [mage-eventpress]
Researcher
dodoh4t
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.6.3 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-24546
Patch Status
Patched
Published
May 25, 2026
Affected Software
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress [gamipress]
Researcher
bosz
Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure via 'geo_mashup_content' Parameter
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-7552
Patch Status
Patched
Published
May 27, 2026
Affected Software
Geo Mashup [geo-mashup]
Researcher
t0ann9uy3n
KiviCare – Clinic & Patient Management System (EHR) <= 4.3.0 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42735
Patch Status
Patched
Published
May 26, 2026
Affected Software
KiviCare – Clinic & Patient Management System (EHR) [kivicare-clinic-management-system]
Researcher
kai63001
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates <= 2.1.8 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42743
Patch Status
Patched
Published
May 28, 2026
Affected Software
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates [learning-management-system]
Researcher
HieuPenguin
Mayosis Core <= 5.4.7 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-39655
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Mayosis Core [mayosis-core]
Researcher
João Pedro Soares de Alcântara
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.23 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-24590
Patch Status
Patched
Published
May 26, 2026
Affected Software
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]
Researcher
ChuongVN
Quads Ads Manager for Google AdSense <= 3.0.2 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42744
Patch Status
Patched
Published
May 28, 2026
Affected Software
Quads Ads Manager for Google AdSense [quick-adsense-reloaded]
Researcher
Bas Albers
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2025-12714
Patch Status
Patched
Published
May 28, 2026
Affected Software
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings [seo-by-rank-math]
Researchers
mikemyersabrahack
RSVP and Event Management <= 2.7.16 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-27398
Patch Status
Patched
Published
May 25, 2026
Affected Software
RSVP and Event Management [rsvp]
Researcher
daroo
Search Analytics for WP < 1.5.0 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-27357
Patch Status
Patched
Published
May 25, 2026
Affected Software
Search Analytics for WP [search-analytics]
Researcher
Legion Hunter
SePay Gateway <= 1.1.20 - Unauthenticated Information Exposure
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42763
Patch Status
Patched
Published
May 26, 2026
Affected Software
SePay Gateway [sepay-gateway]
Researcher
ParkHyunWoo
Smart Online Order for Clover <= 1.6.0 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42745
Patch Status
Patched
Published
May 28, 2026
Affected Software
Smart Online Order for Clover [clover-online-orders]
Researcher
she11f
Smart Online Order for Clover <= 1.6.0 - Unauthenticated Sensitive Information Exposure
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42746
Patch Status
Patched
Published
May 28, 2026
Affected Software
Smart Online Order for Clover [clover-online-orders]
Researcher
she11f
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.2 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-25425
Patch Status
Patched
Published
May 28, 2026
Affected Software
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
Researcher
0xd4rk5id3
User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-7651
Patch Status
Patched
Published
May 27, 2026
Affected Software
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
Researcher
Supakiad S. (m3ez)
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.10 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-42753
Patch Status
Patched
Published
May 29, 2026
Affected Software
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace [wc-multivendor-membership]
Researcher
0xzenko
WP Promoter <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset via wpp-reset_stats AJAX Action
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-9014
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
WP Promoter [wp-promoter]
Researcher
Muhammad Nur Ibnu Hubab
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.10.0.4 - Missing Authorization
5.3
CVSS Rating
5.3 (Medium)
CVE-ID
CVE-2026-48835
Patch Status
Patched
Published
May 28, 2026
Affected Software
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More [wpforms-lite]
Researcher
Cyrille COQUARD
EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter
4.9
CVSS Rating
4.9 (Medium)
CVE-ID
CVE-2026-7618
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
EnvíaloSimple: Email Marketing y Newsletters [envialosimple-email-marketing-y-newsletters-gratis]
Researcher
Maurice Fielenbach (Hexastrike)
Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter
4.9
CVSS Rating
4.9 (Medium)
CVE-ID
CVE-2026-10039
Patch Status
Patched
Published
May 28, 2026
Affected Software
Frontend Admin by DynamiApps [acf-frontend-form-element]
Researchers
Louis Deschanel (JeanJeanLeHaxor), Pascal SUN
myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link_title' Parameter
4.8
CVSS Rating
4.8 (Medium)
CVE-ID
CVE-2026-2288
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
myLinksDump [mylinksdump]
Researcher
san6051
rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings
4.8
CVSS Rating
4.8 (Medium)
CVE-ID
CVE-2026-2280
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
rexCrawler [rexcrawler]
Researcher
san6051
Meta for WooCommerce <= 3.7.0 - Unauthenticated Open Redirect
4.7
CVSS Rating
4.7 (Medium)
CVE-ID
CVE-2026-49059
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Meta for WooCommerce [facebook-for-woocommerce]
Researcher
timomangcut
MinhNhut Link Gateway <= 3.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Plugin Settings
4.4
CVSS Rating
4.4 (Medium)
CVE-ID
CVE-2026-3348
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
MinhNhut Link Gateway [minhnhut-link-gateway]
Researcher
san6051
Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import
4.4
CVSS Rating
4.4 (Medium)
CVE-ID
CVE-2026-7430
Patch Status
Patched
Published
May 28, 2026
Affected Software
Post Snippets – Custom WordPress Code Snippets Customizer [post-snippets]
Researcher
a1batr0ss
3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint
4.3
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8682
Patch Status
Patched
Published
May 27, 2026
Affected Software
3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On [ar-vr-3d-model-try-on]
Researcher
Legion Hunter
Adminimize <= 1.11.11 - Missing Authorization
4.3
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-49045
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
Adminimize [adminimize]
Researcher
timomangcut
Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager <= 1.2.9 - Missing Authorization
4.3
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-25444
Patch Status
Patched
Published
May 26, 2026
Affected Software
Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager [service-booking-manager]
Researcher
johska
auto making JSON-LD <= 4.5.3 - Cross-Site Request Forgery to Plugin Certification Settings via Nonce Validation Bypass
4.3
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8938
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
auto making JSON-LD [auto-making-json-ld]
Researcher
afnaan
Autoship Cloud for WooCommerce Subscription Products <= 2.14.0 - Missing Authorization
4.3
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24527
Patch Status
Unpatched
Published
May 25, 2026
Affected Software
Autoship Cloud for WooCommerce Subscription Products [autoship-cloud]
Researcher
Legion Hunter
Brikk <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
4.3
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2025-69103
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Brikk - Directory & Listing WordPress Theme [brikk]
Researcher
Denver Jackson
CDN Linker lite <= 1.3.1 - Cross-Site Request Forgery to Plugin Settings Update
4.3
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8941
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
CDN Linker lite [ossdl-cdn-off-linker]
Researcher
afnaan
cformsII <= 15.1.3 - Cross-Site Request Forgery
4.3
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-39436
Patch Status
Patched
Published
May 25, 2026
Affected Software
cformsII [cforms2]
Researcher
Ilay Striechman
CM Ad Changer <= 2.0.7 - Cross-Site Request Forgery to Campaign Deletion via Campaign Management
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-9236
Patch Status
Patched
Published
May 26, 2026
Affected Software
CM Ad Changer – A simple tool to control and optimize your site's banners [cm-ad-changer]
Researcher
jamaal
DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.4.28 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-49047
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer [3d-flipbook-dflip-lite]
Researcher
timomangcut
Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-7533
Patch Status
Patched
Published
May 27, 2026
Affected Software
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy [easy-digital-downloads]
Researcher
type5afe
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor <= 3.9.6 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-49052
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite]
Researcher
Bonds
Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-9015
Patch Status
Patched
Published
May 27, 2026
Affected Software
Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance [accessibility-checker]
Researcher
w1zard
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder <= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-4888
Patch Status
Patched
Published
May 27, 2026
Affected Software
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder [everest-forms]
Researcher
Quốc Huy (jtwings)
Export WordPress Pages to Static HTML & PDF — Static Site Export <= 6.0.0 - Cross-Site Request Forgery
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24574
Patch Status
Patched
Published
May 25, 2026
Affected Software
Export WordPress Pages to Static HTML & PDF — Static Site Export [export-wp-page-to-static-html]
Researcher
Nabil Irawan
Feeds for TikTok – Display Video Feeds in Grid Layouts <= 1.0.24 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24520
Patch Status
Patched
Published
May 26, 2026
Affected Software
Feeds for TikTok – Display Video Feeds in Grid Layouts [b-tiktok-feed]
Researcher
Nabil Irawan
FlexTable – Data Table Sync with Google Sheets <= 3.24.0 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24582
Patch Status
Unpatched
Published
May 25, 2026
Affected Software
FlexTable – Data Table Sync with Google Sheets [sheets-to-wp-table-live-sync]
Researcher
Nabil Irawan
FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-9241
Patch Status
Patched
Published
May 27, 2026
Affected Software
FOX – Currency Switcher Professional for WooCommerce [woocommerce-currency-switcher]
Researcher
Long Lagon
Genemy - Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing <= 1.6.6 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2025-69137
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Genemy - Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing [genemy]
Researcher
Tran Nguyen Bao Khanh
GenerateBlocks <= 2.1.0 - Authenticated (Contributor+) Information Disclosure
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-48877
Patch Status
Patched
Published
May 27, 2026
Affected Software
GenerateBlocks [generateblocks]
Researcher
Abu Hurayra (HurayraIIT)
Genzel breadcrumbs <= 1.2 - Cross-Site Request Forgery to Settings Update via Plugin Settings Page
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8708
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Genzel breadcrumbs [genzel-breadcrumbs]
Researcher
Muhammad Nur Ibnu Hubab
GoStats for WordPress <= 1.4 - Cross-Site Request Forgery via gostats_manage() Function
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8943
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
GoStats for WordPress [gostats-for-wordpress]
Researcher
afnaan
JobCareer <= 7.3 - Authenticated (Subscriber+) Arbitrary File Deletion
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2025-69128
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
JobCareer [jobcareer]
Researcher
Denver Jackson
MetaMagic SEO Plugin <= 1.6 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8942
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
MetaMagic SEO Plugin [metamagic]
Researcher
afnaan
NanoCare < 1.2.2 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-32389
Patch Status
Patched
Published
May 25, 2026
Affected Software
Home Health Care, Medical Care WordPress Theme - NanoCare [nanocare]
Researcher
Phat RiO
Newses <= 2.0.0.77 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24586
Patch Status
Unpatched
Published
May 25, 2026
Affected Software
Newses [newses]
Researcher
John P
Old Posts Highlighter <= 1.0.3 - Cross-Site Request Forgery to Settings Update
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-7614
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Old Posts Highlighter [old-posts-highlighter]
Researcher
afnaan
Organization chart <= 1.7.5 - Cross-Site Request Forgery
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24597
Patch Status
Patched
Published
May 25, 2026
Affected Software
Organization chart [organization-chart]
Researcher
daroo
PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-7526
Patch Status
Patched
Published
May 27, 2026
Affected Software
PDF Embedder [pdf-embedder]
Researcher
Dmitrii Ignatyev
PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-9618
Patch Status
Patched
Published
May 27, 2026
Affected Software
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) [peachpay-for-woocommerce]
Researcher
Benedictus Jovan (aillesiM)
Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8995
Patch Status
Patched
Published
May 28, 2026
Affected Software
Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls [poll-maker]
Researcher
Satoo Nakano
Product Import Export for WooCommerce – Import Export Product CSV Suite <= 2.5.6 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-48971
Patch Status
Patched
Published
May 27, 2026
Affected Software
Product Import Export for WooCommerce – Import Export Product CSV Suite [product-import-export-for-woo]
Researcher
Legion Hunter
QR Redirector <= 2.0.3 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24545
Patch Status
Patched
Published
May 25, 2026
Affected Software
QR Redirector [qr-redirector]
Researcher
Legion Hunter
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress <= 4.1121 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24638
Patch Status
Patched
Published
May 26, 2026
Affected Software
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress [computer-repair-shop]
Researcher
Legion Hunter
Search Simple Fields <= 0.2 - Cross-Site Request Forgery to Plugin Settings Update
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8939
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Search Simple Fields [search-simple-fields]
Researcher
afnaan
SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-7621
Patch Status
Patched
Published
May 27, 2026
Affected Software
SMTP2GO for WordPress – Email Made Easy [smtp2go]
Researcher
darkmode
Subscription & Recurring Payment for WooCommerce <= 1.9.1 - Cross-Site Request Forgery
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-24554
Patch Status
Patched
Published
May 25, 2026
Affected Software
Subscription & Recurring Payment for WooCommerce [subscription]
Researcher
theviper17
Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers <= 3.6.7 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-42776
Patch Status
Patched
Published
May 26, 2026
Affected Software
Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers [sunshine-photo-cart]
Researcher
Dave Jong
SVG Support <= 2.5.14 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-48973
Patch Status
Patched
Published
May 27, 2026
Affected Software
SVG Support [svg-support]
Researcher
Steven Julian
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.9.2 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-49054
Patch Status
Unpatched
Published
May 27, 2026
Affected Software
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid [the-post-grid]
Researcher
timomangcut
Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via action_get_event_data Function
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-9228
Patch Status
Patched
Published
May 27, 2026
Affected Software
Timetable and Event Schedule by MotoPress [mp-timetable]
Researcher
Jack Pas (Dark.)
Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution <= 2.1.5 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-27331
Patch Status
Patched
Published
May 26, 2026
Affected Software
Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution [tour-booking-manager]
Researcher
johska
Two-factor authentication (formerly IP Vault) <= 2.1 - Cross-Site Request Forgery to Settings Update
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8903
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Two-factor authentication (formerly IP Vault) [ip-vault-wp-firewall]
Researcher
afnaan
Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-8689
Patch Status
Patched
Published
May 27, 2026
Affected Software
Visualizer: Tables and Charts Manager for WordPress [visualizer]
Researcher
davidfdzmorilla
Woocommerce Envato Affiliates <= 1.2.1 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2025-14361
Patch Status
Unpatched
Published
May 26, 2026
Affected Software
Woocommerce Envato Affiliates [wooenvato]
Researcher
João Pedro Soares de Alcântara
WP Meta and Date Remover <= 2.3.6 - Missing Authorization
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2026-49051
Patch Status
Patched
Published
May 27, 2026
Affected Software
WP Meta and Date Remover [wp-meta-and-date-remover]
Researcher
Trương Hữu Phúc (truonghuuphuc)
Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter
CVSS Rating
4.3 (Medium)
CVE-ID
CVE-2025-14481
Patch Status
Patched
Published
May 26, 2026
Affected Software
Yoast SEO – Advanced SEO with real-time guidance and built-in AI [wordpress-seo]
Researcher
NumeX
Disable Comments & Delete All Comments <= 1.3.0 - Missing Authorization
CVSS Rating
3.1 (Low)
CVE-ID
CVE-2026-42749
Patch Status
Patched
Published
May 29, 2026
Affected Software
Disable Comments & Delete All Comments [comments-plus]
Researcher
dodoh4t
B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More < 5.2.10 - Missing Authorization
CVSS Rating
2.7 (Low)
CVE-ID
CVE-2026-27346
Patch Status
Patched
Published
May 25, 2026
Affected Software
B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More [b2bking-wholesale-for-woocommerce]
Researcher
Phat RiO
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding context where we can.
Source: www.wordfence.com