Last week, there were 199 vulnerabilities disclosed in 169 WordPress Plugins and 9 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 111 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 35,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.



New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 148
Unpatched 51


Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 143
High Severity 49
Critical Severity 6


Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 53
Missing Authorization 52
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 29
Cross-Site Request Forgery (CSRF) 15
Exposure of Sensitive Information to an Unauthorized Actor 9
Authorization Bypass Through User-Controlled Key 8
Deserialization of Untrusted Data 6
Server-Side Request Forgery (SSRF) 5
Unrestricted Upload of File with Dangerous Type 5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 3
Improper Control of Generation of Code ('Code Injection') 3
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 3
Incorrect Privilege Assignment 3
Weak Password Recovery Mechanism for Forgotten Password 2
External Control of File Name or Path 1
Improper Privilege Management 1
Insufficient Verification of Data Authenticity 1


Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
lb 2
L4m 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
24liveblog – live blog tool 24liveblog
Abandoned Cart Lite for WooCommerce woocommerce-abandoned-cart
AdRotate Banner Manager adrotate
Advance Nav Menu Manager advance-nav-menu-manager
Advance Product Search- Voice & Ajax Search for WooCommerce th-advance-product-search
Advanced Contact Form 7 – Compact DB advanced-contact-form-7-compact-db
Advanced Order Export For WooCommerce woo-order-export-lite
Affiliates Manager affiliates-manager
AI Share & Summarize ai-share-summarize
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin simply-schedule-appointments
ARforms arforms
Assistio assistio
Auros Core auros-core
Avalon23 Products Filter for WooCommerce avalon23-products-filter-for-woocommerce
BitFire Security – Firewall, Malware Scanner, Bot Blocker, Login Protection bitfire
Block for Mailchimp – Add Email Subscription Forms and Collect Leads block-for-mailchimp
Blocksy Companion Pro blocksy-companion-pro
Blog2Social: Social Media Auto Post & Scheduler blog2social
Blue Captcha blue-captcha
BNE Testimonials bne-testimonials
Book a Room Event Calendar book-a-room-event-calendar
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment booking-and-rental-manager-for-woocommerce
BookPro - Appointment Booking WordPress Plugin ovabookpro
Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools woocommerce-jetpack
Bopo – WooCommerce Product Bundle Builder bopo-woo-product-bundle-builder
BuddyBoss Platform buddyboss-platform
Bulk SEO Image bulk-seo-image
Child Theme Wizard child-theme-wizard
Cincopa video and media plug-in video-playlist-and-gallery-plugin
ClearSale Total clearsale-total
CodePeople Post Map for Google Maps codepeople-post-map
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe contest-gallery
Cornerstone cornerstone
CorvusPay WooCommerce Payment Gateway corvuspay-woocommerce-integration
Customer Reviews for WooCommerce customer-reviews-woocommerce
Devs Accounting – Simple Accounting and Invoicing Solution devs-accounting
Dokan Pro dokan-pro
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy dokan-lite
Donation Thermometer donation-thermometer
Eagle Booking eagle-booking
Elementor Website Builder – more than just a page builder elementor
Email JavaScript Cloak email-javascript-cloaker
Email Marketing for WooCommerce by Omnisend omnisend-connect
EntreDroppers entredropper
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder with AI everest-forms
Exclusive Addons for Elementor exclusive-addons-for-elementor
Featured Image featured-image
Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution fluent-booking
Forget About Shortcode Buttons forget-about-shortcode-buttons
Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator
FOX – Currency Switcher Professional for WooCommerce woocommerce-currency-switcher
Frisbii Pay reepay-checkout-gateway
Frontend File Manager Plugin nmedia-user-file-uploader
FunnelKit Payment Gateway for Stripe WooCommerce funnelkit-stripe-woo-payment-gateway
FunnelKit – Funnel Builder for WooCommerce Checkout funnel-builder
Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress gallery-plugin
Generate Security.txt generate-security-txt
GetGenie – AI Content Writer with Keyword Research & SEO Tracking getgenie
Ghost Kit – Page Builder Blocks, Motion Effects & Extensions ghostkit
GIFT4U – Gift Cards All in One for Woo gift4u-gift-cards-all-in-one-for-woo
Gmail SMTP gmail-smtp
Goya Core goya-core
Gravity Bookings gf-bookings-premium
GravityView gravityview
Groundhogg — CRM, Newsletters, and Marketing Automation groundhogg
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns essential-blocks
Gutenverse Form – Contact Form Builder, Block Form & Booking Form gutenverse-form
Gutenverse – WordPress Blocks, Page Builder & Site Editor gutenverse
HD Quiz hd-quiz
Hester Core hester-core
HTML5 Video Player – Embed and Play Videos in Custom Player html5-video-player
Image Carousel image-carousel
Image Sizes on Demand image-sizes-on-demand
Infility Global infility-global
Interactive Content – H5P h5p
Invoice Generator invoice-creator
Ivory Search – WordPress Search Plugin add-search-to-menu
JetEngine jet-engine
JetSmartFilters jet-smart-filters
JS Help Desk – AI-Powered Support & Ticketing System js-support-ticket
Kargo Takip kargo-takip
Kirki – Freeform Page Builder, Website Builder & Customizer kirki
Library Management System library-management-system
Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator live-copy-paste
Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid magazine-blocks
MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites mainwp-child
Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin majestic-support
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates learning-management-system
MasterStudy LMS WordPress Plugin – for Online Courses and Education masterstudy-lms-learning-management-system
MaxButtons – Create buttons maxbuttons
MIR blocks and shortcodes mir-blocks-and-shortcodes
MotorDesk motordesk
Motors – Car Dealership & Classified Listings Plugin motors-car-dealership-classified-listings
MP Customize Login Page mp-customize-login-page
Nelio Content – Editorial Calendar & Social Media Auto-Posting nelio-content
Newsletters newsletters-lite
NEX-Forms – Ultimate Forms Plugin for WordPress nex-forms-express-wp-form-builder
OMGF Pro host-google-fonts-pro
Osiris Signature Banner osiris-signature-banner
Page Builder by SiteOrigin siteorigin-panels
Paid Memberships Pro - Add Member From Admin pmpro-add-member-admin
Panorama – 360 degree Virtual Tour, Panoramic Image viewer and More panorama
Payment Gateway Based Fees and Discounts for WooCommerce checkout-fees-for-woocommerce
Paytium: Mollie payment forms & donations paytium
Perfmatters perfmatters
Pie Register – User Registration, Profiles & Content Restriction pie-register
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups ays-popup-box
Post Duplicator post-duplicator
Post Snippets – Custom WordPress Code Snippets Customizer post-snippets
PPOM – Product Addons & Custom Fields for WooCommerce woocommerce-product-addon
PPWP – Password Protect Pages password-protect-page
Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes
Product Specifications for Woocommerce product-specifications
ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities
Quform - WordPress Form Builder quform
Quick Interest Slider quick-interest-slider
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker quiz-master-next
Quotes llama quotes-llama
Recipe Cards For Your Food Blog from Zip Recipes zip-recipes
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login custom-registration-form-builder-with-submission-manager
RentMy Real-Time Rental Management Plugin rentmy-online-rental-shop
Responsive Lightbox & Gallery responsive-lightbox
Restaurant Menu and Food Ordering mp-restaurant-menu
Reviews and Rating – Docplanner reviews-and-rating-docplanner
SearchPlus searchplus
Secufor_OAuth wpoauth
SeedProd Pro seedprod-coming-soon-pro-5
SEOPress PRO wp-seopress-pro
Shoppable Images (Lookbook) for WooCommerce mabel-shoppable-images-lite
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization shortpixel-adaptive-images
SignUp & SignIn signup-signin
Simple Basic Contact Form simple-basic-contact-form
Site Kit by Google – Analytics, Search Console, AdSense, Speed google-site-kit
Site Reviews site-reviews
SiteGround Email Marketing siteground-email-marketing
Slim SEO – A Fast & Automated SEO Plugin For WordPress slim-seo
StatCounter – Free Real Time Visitor Stats official-statcounter-plugin-for-wordpress
Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions wp-full-stripe-free
Subscriptions for WooCommerce subscriptions-for-woocommerce
Surbma | Infusionsoft Shortcode surbma-infusionsoft-shortcode
SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments surecart
TablePress – Tables in WordPress made easy tablepress
TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder templatespare
Toolset Forms cred-frontend-editor
Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin tourfic
Transbank Webpay transbank-webpay-plus-rest
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin ultimate-member
Uncanny Automator Pro uncanny-automator-pro
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin uncanny-automator
URL Preview link-preview
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder user-registration
utm.codes utm-dot-codes
WCBoost – Products Compare wcboost-products-compare
Welcome Software Publishing newscred-publishing
weMail – Email Marketing, Newsletter Builder & Email Automations for WooCommerce wemail
WhatsOrder – Instant Checkout for WooCommerce whatsorder-instant-checkout-for-woocommerce
WordPress Automatic Plugin wp-automatic
WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets wp-all-import
WP Forms Connector wp-forms-connector
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website wp-job-portal
WP Latest Posts wp-latest-posts
WP Meta SEO wp-meta-seo
WP Post Author – Author Box, Multiple Authors, Guest Authors & Custom Avatars wp-post-author
WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System wp-cafe
WPComplete wpcomplete
wpForo Forum wpforo
Xpro Addons — 140+ Widgets for Elementor xpro-elementor-addons
워드프레스 결제 심플페이 – 우커머스 결제 플러그인 pgall-for-woocommerce


WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
ListingPro - WordPress Directory & Listing Theme listingpro
NanoMag - Responsive WordPress Magazine Theme nanomag
Neve PRO neve-pro-addon
Real Estate 7 WordPress realestate-7
RH - Real Estate WordPress Theme realhomes
Spexo spexo
splash splash
Travel Booking travel-booking
Woodmart woodmart


Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

CVSS Rating: 9.8 (Critical)
Patch Status: Patched
Published: Jun 23, 2026
Affected Software: Dokan Pro [dokan-pro]
Researcher:

CVSS Rating: 9.8 (Critical)
Patch Status: Unpatched
Published: Jun 23, 2026
Affected Software: Invoice Generator [invoice-creator]
Researcher:

CVSS Rating: 9.8 (Critical)
Patch Status: Unpatched
Published: Jun 26, 2026
Affected Software: Invoice Generator [invoice-creator]
Researcher:

CVSS Rating: 9.8 (Critical)
Patch Status: Patched
Published: Jun 25, 2026
Affected Software: OMGF Pro [host-google-fonts-pro]

CVSS Rating: 9.8 (Critical)
Patch Status: Patched
Published: Jun 23, 2026
Affected Software:
Researcher:

CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-12242

[Article truncated — read full content at source]

Source Attribution
This intelligence summary is sourced from Wordfence Blog and curated by CyberHawk Threat Intel for the security community. Full article content is displayed with attribution under fair use for security research and education.
