Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall, and existing clients are protected. If you don't have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-14732 Number of Installations: 10,000,000+ Affected Software: Elementor Website Builder <= 3.35.5 Patched Versions: Elementor Website Builder 3.35.6
Mitigation steps: Update to Elementor Website Builder version 3.35.6 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-4812 Number of Installations: 2,000,000+ Affected Software: Advanced Custom Fields (ACF®) <= 6.7.0 Patched Versions: Advanced Custom Fields (ACF®) 6.7.1
Mitigation steps: Update to Advanced Custom Fields (ACF®) version 6.7.1 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2600 Number of Installations: 2,000,000+ Affected Software: ElementsKit Elementor Addons <= 3.7.9 Patched Versions: ElementsKit Elementor Addons 3.8.0
Mitigation steps: Update to ElementsKit Elementor Addons version 3.8.0 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-39463 Number of Installations: 1,000,000+ Affected Software: ManageWP Worker <= 4.9.31 Patched Versions: ManageWP Worker 4.9.32
Mitigation steps: Update to ManageWP Worker version 4.9.32 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-2712 Number of Installations: 1,000,000+ Affected Software: WP-Optimize <= 4.5.0 Patched Versions: WP-Optimize 4.5.1
Mitigation steps: Update to WP-Optimize version 4.5.1 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-5032 Number of Installations: 900,000+ Affected Software: W3 Total Cache <= 2.9.3 Patched Versions: W3 Total Cache 2.9.4
Mitigation steps: Update to W3 Total Cache version 2.9.4 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-4065 Number of Installations: 800,000+ Affected Software: Smart Slider 3 <= 3.5.1.33 Patched Versions: Smart Slider 3 3.5.1.34
Mitigation steps: Update to Smart Slider 3 version 3.5.1.34 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Authentication CVE: CVE-2026-4160 Number of Installations: 700,000+ Affected Software: Fluent Forms <= 6.1.9 Patched Versions: Fluent Forms 6.2.0
Mitigation steps: Update to Fluent Forms version 6.2.0 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5162 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor <= 1.7.1056 Patched Versions: Royal Addons for Elementor 1.7.1057
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1057 or greater.
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-2826 Number of Installations: 600,000+ Affected Software: Kadence Blocks <= 3.6.3 Patched Versions: Kadence Blocks 3.6.4
Mitigation steps: Update to Kadence Blocks version 3.6.4 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-0664 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor <= 1.7.1049 Patched Versions: Royal Addons for Elementor 1.7.1050
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1050 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5231 Number of Installations: 600,000+ Affected Software: WP Statistics <= 14.16.4 Patched Versions: WP Statistics 14.16.5
Mitigation steps: Update to WP Statistics version 14.16.5 or greater.
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Local File Inclusion CVE: CVE-2026-6227 Number of Installations: 500,000+ Affected Software: BackWPup <= 5.6.6 Patched Versions: BackWPup 5.6.7
Mitigation steps: Update to BackWPup version 5.6.7 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Arbitrary File Deletion CVE: CVE-2026-39468 Number of Installations: 500,000+ Affected Software: Meta Box <= 5.11.1 Patched Versions: Meta Box 5.11.2
Mitigation steps: Update to Meta Box version 5.11.2 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-34903 Number of Installations: 500,000+ Affected Software: Ocean Extra <= 2.5.3 Patched Versions: Ocean Extra 2.5.4
Mitigation steps: Update to Ocean Extra version 2.5.4 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-4432 Number of Installations: 500,000+ Affected Software: YITH WooCommerce Wishlist <= 4.12.9 Patched Versions: YITH WooCommerce Wishlist 4.13.0
Mitigation steps: Update to YITH WooCommerce Wishlist version 4.13.0 or greater.
Security Risk: High Exploitation Level: Requires Editor or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39467 Number of Installations: 500,000+ Affected Software: MetaSlider <= 3.106.9 Patched Versions: MetaSlider 3.107.0
Mitigation steps: Update to MetaSlider version 3.107.0 or greater.
Security Risk: Critical Exploitation Level: Requires Editor or higher level authentication. Vulnerability: Remote Code Execution (RCE) CVE: CVE-2026-39465 Number of Installations: 500,000+ Affected Software: MetaSlider <= 3.106.9 Patched Versions: MetaSlider 3.107.0
Mitigation steps: Update to MetaSlider version 3.107.0 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3885 Number of Installations: 400,000+ Affected Software: Shortcodes Ultimate <= 7.4.9 Patched Versions: Shortcodes Ultimate 7.5.0
Mitigation steps: Update to Shortcodes Ultimate version 7.5.0 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-0738 Number of Installations: 400,000+ Affected Software: Shortcodes Ultimate <= 7.4.8 Patched Versions: Shortcodes Ultimate 7.4.9
Mitigation steps: Update to Shortcodes Ultimate version 7.4.9 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-0737 Number of Installations: 400,000+ Affected Software: Shortcodes Ultimate <= 7.4.7 Patched Versions: Shortcodes Ultimate 7.4.8
Mitigation steps: Update to Shortcodes Ultimate version 7.4.8 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2509 Number of Installations: 400,000+ Affected Software: Pagelayer <= 2.0.8 Patched Versions: Pagelayer 2.0.9
Mitigation steps: Update to Pagelayer version 2.0.9 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4801 Number of Installations: 300,000+ Affected Software: CoBlocks <= 3.1.16 Patched Versions: CoBlocks 3.1.17
Mitigation steps: Update to CoBlocks version 3.1.17 or greater.
Security Risk: High Exploitation Level: Requires Author or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39471 Number of Installations: 300,000+ Affected Software: ShortPixel Image Optimizer <= 6.4.3 Patched Versions: ShortPixel Image Optimizer 6.4.4
Mitigation steps: Update to ShortPixel Image Optimizer version 6.4.4 or greater.
Security Risk: High Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: Privilege Escalation CVE: CVE-2026-39470 Number of Installations: 300,000+ Affected Software: Cart Abandonment Recovery for WooCommerce <= 2.0.9 Patched Versions: Cart Abandonment Recovery for WooCommerce 2.1.0
Mitigation steps: Update to Cart Abandonment Recovery for WooCommerce version 2.1.0 or greater.
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Arbitrary File Download CVE: CVE-2026-4659 Number of Installations: 300,000+ Affected Software: Unlimited Elements For Elementor <= 2.0.6 Patched Versions: Unlimited Elements For Elementor 2.0.7
Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.7 or greater.
Security Risk: High Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39472 Number of Installations: 300,000+ Affected Software: PDF Invoices & Packing Slips for WooCommerce <= 5.8.9 Patched Versions: PDF Invoices & Packing Slips for WooCommerce 5.9.0
Mitigation steps: Update to PDF Invoices & Packing Slips for WooCommerce version 5.9.0 or greater.
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-6518 Number of Installations: 200,000+ Affected Software: CMP – Coming Soon & Maintenance Plugin <= 4.1.16 Patched Versions: CMP – Coming Soon & Maintenance Plugin 4.1.17
Mitigation steps: Update to CMP – Coming Soon & Maintenance Plugin version 4.1.17 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Directory Traversal CVE: CVE-2026-5436 Number of Installations: 200,000+ Affected Software: MW WP Form <= 5.1.1 Patched Versions: MW WP Form 5.1.2
Mitigation steps: Update to MW WP Form version 5.1.2 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5217 Number of Installations: 200,000+ Affected Software: Optimole <= 4.2.2 Patched Versions: Optimole 4.2.3
Mitigation steps: Update to Optimole version 4.2.3 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5226 Number of Installations: 200,000+ Affected Software: Optimole <= 4.2.3 Patched Versions: Optimole 4.2.4
Mitigation steps: Update to Optimole version 4.2.4 or greater.
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39474 Number of Installations: 200,000+ Affected Software: Post Duplicator <= 3.0.10 Patched Versions: Post Duplicator 3.0.11
Mitigation steps: Update to Post Duplicator version 3.0.11 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Directory Traversal CVE: CVE-2026-4347 Number of Installations: 200,000+ Affected Software: MW WP Form <= 5.1.0 Patched Versions: MW WP Form 5.1.1
Mitigation steps: Update to MW WP Form version 5.1.1 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-15064 Number of Installations: 200,000+ Affected Software: Ultimate Member <= 2.11.1 Patched Versions: Ultimate Member 2.11.2
Mitigation steps: Update to Ultimate Member version 2.11.2 or greater.
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Path Traversal CVE: CVE-2026-4853 Number of Installations: 100,000+ Affected Software: JetBackup <= 3.1.20.2 Patched Versions: JetBackup 3.1.20.3
Mitigation steps: Update to JetBackup version 3.1.20.3 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Directory Traversal CVE: CVE-2026-5478 Number of Installations: 100,000+ Affected Software: Everest Forms <= 3.4.4 Patched Versions: Everest Forms 3.4.5
Mitigation steps: Update to Everest Forms version 3.4.5 or greater.
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39478 Number of Installations: 100,000+ Affected Software: Anti-Malware Security and Brute-Force Firewall <= 4.23.87 Patched Versions: Anti-Malware Security and Brute-Force Firewall 4.23.88
Mitigation steps: Update to Anti-Malware Security and Brute-Force Firewall version 4.23.88 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-5427 Number of Installations: 100,000+ Affected Software: Kubio <= 2.7.2 Patched Versions: Kubio 2.7.3
Mitigation steps: Update to Kubio version 2.7.3 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-5234 Number of Installations: 100,000+ Affected Software: LatePoint <= 5.3.9 Patched Versions: LatePoint 5.4.0
Mitigation steps: Update to LatePoint version 5.4.0 or greater.
Security Risk: High Exploitation Level: Requires Author or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39481 Number of Installations: 100,000+ Affected Software: Modula Image Gallery <= 2.14.18 Patched Versions: Modula Image Gallery 2.14.19
Mitigation steps: Update to Modula Image Gallery version 2.14.19 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-40743 Number of Installations: 100,000+ Affected Software: Tutor LMS <= 3.9.7 Patched Versions: Tutor LMS 3.9.8
Mitigation steps: Update to Tutor LMS version 3.9.8 or greater.
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2026-6080 Number of Installations: 100,000+ Affected Software: Tutor LMS <= 3.9.8 Patched Versions: Tutor LMS 3.9.9
Mitigation steps: Update to Tutor LMS version 3.9.9 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-5502 Number of Installations: 100,000+ Affected Software: Tutor LMS <= 3.9.8 Patched Versions: Tutor LMS 3.9.9
Mitigation steps: Update to Tutor LMS version 3.9.9 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4655 Number of Installations: 100,000+ Affected Software: Element Pack <= 8.4.9 Patched Versions: Element Pack 8.5.0
Mitigation steps: Update to Element Pack version 8.5.0 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4341 Number of Installations: 100,000+ Affected Software: Prime Slider <= 4.1.10 Patched Versions: Prime Slider 4.1.11
Mitigation steps: Update to Prime Slider version 4.1.11 or greater.
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2481 Number of Installations: 100,000+ Affected Software: Beaver Builder <= 2.10.1.1 Patched Versions: Beaver Builder 2.10.1.2
Mitigation steps: Update to Beaver Builder version 2.10.1.2 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-4057 Number of Installations: 100,000+ Affected Software: Download Manager <= 3.3.51 Patched Versions: Download Manager 3.3.52
Mitigation steps: Update to Download Manager version 3.3.52 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5357 Number of Installations: 100,000+ Affected Software: Download Manager <= 3.3.52 Patched Versions: Download Manager 3.3.53
Mitigation steps: Update to Download Manager version 3.3.53 or greater.
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: PHP Object Injection CVE: CVE-2026-3296 Number of Installations: 100,000+ Affected Software: Everest Forms <= 3.4.3 Patched Versions: Everest Forms 3.4.4
Mitigation steps: Update to Everest Forms version 3.4.4 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4785 Number of Installations: 100,000+ Affected Software: LatePoint <= 5.3.0 Patched Versions: LatePoint 5.3.1
Mitigation steps: Update to LatePoint version 5.3.1 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-4299 Number of Installations: 100,000+ Affected Software: MainWP Child Reports <= 2.2 Patched Versions: MainWP Child Reports 2.3
Mitigation steps: Update to MainWP Child Reports version 2.3 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3311 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor <= 6.4.9 Patched Versions: The Plus Addons for Elementor 6.4.10
Mitigation steps: Update to The Plus Addons for Elementor version 6.4.10 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-3371 Number of Installations: 100,000+ Affected Software: Tutor LMS <= 3.9.7 Patched Versions: Tutor LMS 3.9.8
Mitigation steps: Update to Tutor LMS version 3.9.8 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3358 Number of Installations: 100,000+ Affected Software: Tutor LMS <= 3.9.7 Patched Versions: Tutor LMS 3.9.8
Mitigation steps: Update to Tutor LMS version 3.9.8 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-3360 Number of Installations: 100,000+ Affected Software: Tutor LMS – eLearning and online course solution <= 3.9.7 Patched Versions: Tutor LMS – eLearning and online course solution 3.9.8
Mitigation steps: Update to Tutor LMS – eLearning and online course solution version 3.9.8 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Content Injection CVE: CVE-2026-3309 Number of Installations: 100,000+ Affected Software: ProfilePress <= 4.16.11 Patched Versions: ProfilePress 4.16.12
Mitigation steps: Update to ProfilePress version 4.16.12 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-4949 Number of Installations: 100,000+ Affected Software: ProfilePress <= 4.16.12 Patched Versions: ProfilePress 4.16.13
Mitigation steps: Update to ProfilePress version 4.16.13 or greater.
Security Risk: High Exploitation Level: Requires Employee or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-5465 Number of Installations: 90,000+ Affected Software: Amelia <= 2.1 Patched Versions: Amelia 2.2
Mitigation steps: Update to Amelia version 2.2 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-39480 Number of Installations: 90,000+ Affected Software: BackupBliss <= 2.1.1 Patched Versions: BackupBliss 2.1.2
Mitigation steps: Update to BackupBliss version 2.1.2 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2025-14944 Number of Installations: 90,000+ Affected Software: BackupBliss <= 2.0.9 Patched Versions: BackupBliss 2.1.0
Mitigation steps: Update to BackupBliss version 2.1.0 or greater.
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-7083 Number of Installations: 90,000+ Affected Software: Email Encoder <= 2.3.3 Patched Versions: Email Encoder 2.3.4
Mitigation steps: Update to Email Encoder version 2.3.4 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2840 Number of Installations: 90,000+ Affected Software: Email Encoder <= 2.4.4 Patched Versions: Email Encoder 2.4.5
Mitigation steps: Update to Email Encoder version 2.4.5 or greater.
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Arbitrary File Download CVE: CVE-2026-39489 Number of Installations: 90,000+ Affected Software: Download Monitor <= 5.1.9 Patched Versions: Download Monitor 5.1.10
Mitigation steps: Update to Download Monitor version 5.1.10 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3239 Number of Installations: 90,000+ Affected Software: Strong Testimonials <= 3.2.21 Patched Versions: Strong Testimonials 3.2.22
Mitigation steps: Update to Strong Testimonials version 3.2.22 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4059 Number of Installations: 90,000+ Affected Software: ShopLentor <= 3.3.5 Patched Versions: ShopLentor 3.3.6
Mitigation steps: Update to ShopLentor version 3.3.6 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-2263 Number of Installations: 90,000+ Affected Software: Hustle <= 7.8.10 Patched Versions: Hustle 7.8.11
Mitigation steps: Update to Hustle version 7.8.11 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Authentication CVE: CVE-2026-4664 Number of Installations: 80,000+ Affected Software: Customer Reviews for WooCommerce <= 5.103.9 Patched Versions: Customer Reviews for WooCommerce 5.104.0
Mitigation steps: Update to Customer Reviews for WooCommerce version 5.104.0 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-39491 Number of Installations: 80,000+ Affected Software: Jupiter X Core <= 4.14.1 Patched Versions: Jupiter X Core 4.14.2
Mitigation steps: Update to Jupiter X Core version 4.14.2 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4333 Number of Installations: 80,000+ Affected Software: LearnPress <= 4.3.3 Patched Versions: LearnPress 4.3.4
Mitigation steps: Update to LearnPress version 4.3.4 or greater.
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3005 Number of Installations: 80,000+ Affected Software: List category posts <= 0.94.9 Patched Versions: List category posts 0.95.0
Mitigation steps: Update to List category posts version 0.95.0 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3355 Number of Installations: 80,000+ Affected Software: Customer Reviews for WooCommerce <= 5.101.9 Patched Versions: Customer Reviews for WooCommerce 5.102.0
Mitigation steps: Update to Customer Reviews for WooCommerce version 5.102.0 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-1314 Number of Installations: 80,000+ Affected Software: 3D FlipBook <= 1.16.17 Patched Versions: 3D FlipBook 1.16.18
Mitigation steps: Update to 3D FlipBook version 1.16.18 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-39490 Number of Installations: 80,000+ Affected Software: Jupiter X Core <= 4.14.1 Patched Versions: Jupiter X Core 4.14.2
Mitigation steps: Update to Jupiter X Core version 4.14.2 or greater.
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-4365 Number of Installations: 80,000+ Affected Software: LearnPress <= 4.3.2 Patched Versions: LearnPress 4.3.3
Mitigation steps: Update to LearnPress version 4.3.3 or greater.
Security Risk: Low Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3155 Number of Installations: 70,000+ Affected Software: OneSignal <= 3.8.0 Patched Versions: OneSignal 3.8.1
Mitigation steps: Update to OneSignal version 3.8.1 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Content Injection CVE: CVE-2026-2582 Number of Installations: 70,000+ Affected Software: Germanized for WooCommerce <= 3.20.5 Patched Versions: Germanized for WooCommerce 3.20.6
Mitigation steps: Update to Germanized for WooCommerce version 3.20.6 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5721 Number of Installations: 70,000+ Affected Software: wpDataTables <= 6.5.0.4 Patched Versions: wpDataTables 6.5.0.5
Mitigation steps: Update to wpDataTables version 6.5.0.5 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-0814 Number of Installations: 70,000+ Affected Software: Advanced Contact form 7 DB <= 2.0.9 Patched Versions: Advanced Contact form 7 DB 2.1.0
Mitigation steps: Update to Advanced Contact form 7 DB version 2.1.0 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Content Injection CVE: CVE-2026-2519 Number of Installations: 70,000+ Affected Software: Bookly <= 27.0 Patched Versions: Bookly 27.1
Mitigation steps: Update to Bookly version 27.1 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-4895 Number of Installations: 70,000+ Affected Software: Greenshift <= 12.8.9 Patched Versions: Greenshift 12.9.0
Mitigation steps: Update to Greenshift version 12.9.0 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-3831 Number of Installations: 70,000+ Affected Software: Database for Contact Form 7, WPforms, Elementor forms <= 1.4.9 Patched Versions: Database for Contact Form 7, WPforms, Elementor forms 1.5.0
Mitigation steps: Update to Database for Contact Form 7, WPforms, Elementor forms version 1.5.0 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-34897 Number of Installations: 70,000+ Affected Software: Media Library Assistant <= 3.34 Patched Versions: Media Library Assistant 3.35
Mitigation steps: Update to Media Library Assistant version 3.35 or greater.
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2026-34885 Number of Installations: 70,000+ Affected Software: Media Library Assistant <= 3.34 Patched Versions: Media Library Assistant 3.35
Mitigation steps: Update to Media Library Assistant version 3.35 or greater.
Security Risk: High Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39434 Number of Installations: 70,000+ Affected Software: CTX Feed <= 6.6.26 Patched Versions: CTX Feed 6.6.27
Mitigation steps: Update to CTX Feed version 6.6.27 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Arbitrary File Upload CVE: CVE-2026-5718 Number of Installations: 60,000+ Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.7
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.7 or greater.
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Arbitrary File Download CVE: CVE-2026-5710 Number of Installations: 60,000+ Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.7
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.7 or greater.
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-3830 Number of Installations: 60,000+ Affected Software: Product Filter for WooCommerce <= 3.1.2 Patched Versions: Product Filter for WooCommerce 3.1.3
Mitigation steps: Update to Product Filter for WooCommerce version 3.1.3 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2986 Number of Installations: 60,000+ Affected Software: Contextual Related Posts <= 4.2.1 Patched Versions: Contextual Related Posts 4.2.2
Mitigation steps: Update to Contextual Related Posts version 4.2.2 or greater.
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-39493 Number of Installations: 60,000+ Affected Software: Appointment Booking Calendar <= 1.6.9.28 Patched Versions: Appointment Booking Calendar 1.6.9.29
Mitigation steps: Update to Appointment Booking Calendar version 1.6.9.29 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Open Redirection CVE: CVE-2026-6203 Number of Installations: 60,000+ Affected Software: User Registration & Membership <= 5.1.4 Patched Versions: User Registration & Membership 5.1.5
Mitigation steps: Update to User Registration & Membership version 5.1.5 or greater.
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2026-1865 Number of Installations: 60,000+ Affected Software: User Registration & Membership <= 5.1.2 Patched Versions: User Registration & Membership 5.1.3
Mitigation steps: Update to User Registration & Membership version 5.1.3 or greater.
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-39494 Number of Installations: 60,000+ Affected Software: Product Filter for WooCommerce <= 3.1.2 Patched Versions: Product Filter for WooCommerce 3.1.3
Mitigation steps: Update to Product Filter for WooCommerce version 3.1.3 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-13364 Number of Installations: 60,000+ Affected Software: WP Maps <= 4.8.7 Patched Versions: WP Maps 4.8.8
Mitigation steps: Update to WP Maps version 4.8.8 or greater.
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2026-39492 Number of Installations: 60,000+ Affected Software: WP Maps <= 4.9.1 Patched Versions: WP Maps 4.9.2
Mitigation steps: Update to WP Maps version 4.9.2 or greater.
Security Risk: High Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39499 Number of Installations: 50,000+ Affected Software: Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 Patched Versions: Advanced Product Fields (Product Addons) for WooCommerce 1.6.20
Mitigation steps: Update to Advanced Product Fields (Product Addons) for WooCommerce version 1.6.20 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2505 Number of Installations: 50,000+ Affected Software: Categories Images <= 3.3.1 Patched Versions: Categories Images 3.3.2
Mitigation steps: Update to Categories Images version 3.3.2 or greater.
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-3369 Number of Installations: 50,000+ Affected Software: Better Find and Replace <= 1.7.9 Patched Versions: Better Find and Replace 1.8.0
Mitigation steps: Update to Better Find and Replace version 1.8.0 or greater.
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-2696 Number of Installations: 50,000+ Affected Software: Export All URLs <= 5.0 Patched Versions: Export All URLs 5.1
Mitigation steps: Update to Export All URLs version 5.1 or greater.
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-15611 Number of Installations: 50,000+ Affected Software: Popup Box <= 5.4.9 Patched Versions: Popup Box 5.5.0
Mitigation steps: Update to Popup Box version 5.5.0 or greater.
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Authentication CVE: CVE-2026-4330 Number of Installations: 50,000+ Affected Software: Blog2Social <= 8.8.3 Patched Versions: Blog2Social 8.8.4
Mitigation steps: Update to Blog2Social version 8.8.4 or greater.
Security Risk: High Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-39498 Number of Installations: 50,000+ Affected Software: YayMail <= 4.3.3 Patched Versions: YayMail 4.3.4
Mitigation steps: Update to YayMail version 4.3.4 or greater.
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-5070 Number of Downloads: 3,232,270 Affected Software: Vantage <= 1.20.32 Patched Versions: Vantage 1.20.33
Mitigation steps: Update to Vantage theme version 1.20.33 or greater.
Security Risk: Critical Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-40749 Number of Downloads: 112,126 Affected Software: Charity Zone <= 1.1.1 Patched Versions: Charity Zone 1.1.2
Mitigation steps: Update to Charity Zone theme version 1.1.2 or greater.
Security Risk: Critical Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-40747 Number of Downloads: 89,443 Affected Software: Ecommerce Zone <= 0.9.7 Patched Versions: Ecommerce Zone 0.9.8
Mitigation steps: Update to Ecommerce Zone theme version 0.9.8 or greater.
Security Risk: Critical Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-40750 Number of Downloads: 53,065 Affected Software: Kids Online Store <= 0.8.9 Patched Versions: Kids Online Store 0.9.0
Mitigation steps: Update to Kids Online Store theme version 0.9.0 or greater.
Security Risk: Critical Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Arbitrary File Upload CVE: CVE-2026-40746 Number of Downloads: 80,108 Affected Software: Restaurant Zone <= 0.7.8 Patched Versions: Restaurant Zone 0.7.9
Mitigation steps: Update to Restaurant Zone theme version 0.7.9 or greater.
Update your website software to mitigate risk. Users who are unable to update their software to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.