
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 2, 2026 to March 8, 2026)


Triple Threat Bug Bounty Challenge

Hunt High Threat vulnerabilities and earn triple the incentives! Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our 'High Threat Vulnerabilities' list:

- 2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
- +30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
- $300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)

Use the Bounty Estimator to see what rewards are possible through the promotion. Submit through our Bug Bounty Program today to maximize your impact and your payout.

Last week, there were 201 vulnerabilities disclosed in 84 WordPress Plugins and 107 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 60 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect.
Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

- Master Addons for Elementor Premium <= 2.1.3 – Authenticated (Subscriber+) Remote Code Execution via render_preview
- Woocommerce Wholesale Lead Capture <= 2.0.3.1 – Unauthenticated Privilege Escalation
- Woocommerce Wholesale Lead Capture <= 2.0.3.1 – Unauthenticated Arbitrary File Upload
- WAF-RULE-896 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-897 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-901 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Patched | 72
Unpatched | 129

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Medium Severity | 70
High Severity | 124
Critical Severity | 7

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 81
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 38
Deserialization of Untrusted Data | 21
Missing Authorization | 16
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 10
Exposure of Sensitive Information to an Unauthorized Actor | 6
Unrestricted Upload of File with Dangerous Type | 6
Cross-Site Request Forgery (CSRF) | 5
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 5
Improper Control of Generation of Code ('Code Injection') | 4
Improper Privilege Management | 4
Server-Side Request Forgery (SSRF) | 2
Authentication Bypass Using an Alternate Path or Channel | 1
Authorization Bypass Through User-Controlled Key | 1
Incorrect Privilege Assignment | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Tran Nguyen Bao Khanh | 79
Bonds | 25
Muhammad Yudha - DJ | 7
Nabil Irawan | 6
Athiwat Tiprasaharn (Jitlada) | 6
João Pedro S Alcântara (Kinorth) | 5
Itthidej Aramsri (Boeing777) | 4
zaim | 3
Quốc Huy (jtwings) | 3
Osvaldo Noe Gonzalez Del Rio (Os) | 3
ibrahimsql | 3
Chiao-Lin Yu (Steven Meow) | 3
Waris Damkham | 3
0x34rth | 2
Mrreee | 2
Thomas Sanzey | 2
daroo | 2
Sergej Ljubojevic | 2
Boris Bogosavac | 2
MD. TAREQ AHAMED JONY (itztrq) | 2
Prickly Cactus | 2
lucsob | 2
Phap Nguyen Anh | 2
afnaan | 2
Legion Hunter | 2
Rafie Muhammad | 2
Ronnachai Chaipha (rxnr) | 2
JongHwan Shin (zzzsleep) | 1
benzdeus | 1
Hieus | 1
Muhammad Sharief | 1
luc | 1
Or Benit | 1
Jarno Vos (jarnovos) | 1
Doan Dinh Van (DinhVan52) | 1
PPzzAArr | 1
Ananda Dhakal | 1
Youssef Elouaer | 1
Lucas Montes (NiRoX) | 1
theviper17 | 1
Phap Nguyen Anh - FIS | 1
Drew Webber (mcdruid) | 1
johska | 1
Ren Voza | 1
Foxyyy | 1
Arthur GRIMAULT | 1
Thái An | 1
Nguyen Xuan Chien | 1
Louis Deschanel | 1
shark3y | 1
Mohammad Amin Hajian (mamadrce) | 1
Pouria Shahba (p0or1ya) | 1
Bee | 1
Nguyen Ba Hung (bashu) | 1
dragonzenai | 1
chaeyp | 1
Ronnachai Sretawat Na Ayutaya (Simonhaskelly) | 1
san6051 | 1
Peter Thaleikis | 1
ZAST.AI | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week

Software Name [Software Slug]
AI ChatBot with ChatGPT and Content Generator by AYS [ays-chatgpt-assistant]
All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login [login-with-azure]
All-in-One Video Gallery [all-in-one-video-gallery]
Apocalypse Meow [apocalypse-meow]
Booking for Appointments and Events Calendar – Amelia [ameliabooking]
Bus Ticket Booking with Seat Reservation [bus-ticket-booking-with-seat-reservation]
Carta Online [carta-online]
CM Custom Reports – Flexible reporting to track what matters most [cm-custom-reports]
Community Events [community-events]
Consensus Embed [consensus-embed]
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe [contest-gallery]
DA Media GigList [damedia-giglist]
Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries]
Drag and Drop Multiple File Upload for Contact Form 7 [drag-and-drop-multiple-file-upload-contact-form-7]
Easy PHP Settings [easy-php-settings]
Easy Post Submission – Frontend Posting, Guest Publishing & Submit Content for WordPress [easy-post-submission]
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress [email-subscribers]
Enable Media Replace [enable-media-replace]
Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More [envira-gallery-lite]
EventON (Pro) - WordPress Virtual Event Calendar Plugin [eventON]
Fast Page & Post Duplicator [page-or-post-clone]
Fluent Forms Pro Add On Pack [fluentformpro]
Font Pairing Preview For Landing Pages [wp-font-pairing-preview]
FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More [formgent]
Greenshift – animation and page builder blocks [greenshift-animation-and-page-builder-blocks]
Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder [gutena-forms]
Hammas Calendar [hammas-calendar]
HUMN-1 AI Website Scanner & Human Certification by Winston AI [winston-ai-wp]
Infomaniak Connect for OpenID [infomaniak-connect-openid]
ionCube Tester Plus [ioncube-tester-plus]
JS Archive List [jquery-archive-list-widget]
JS Help Desk – AI-Powered Support & Ticketing System [js-support-ticket]
LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]
Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme [lisfinity-core]
LMS Elementor Pro [lms-elementor-pro]
LotekMedia Popup Form [ltm-popup-form]
Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more [mail-mint]
MailArchiver [mailarchiver]
Master Addons for Elementor Premium [master-addons-pro]
MDJM Event Management [mobile-dj-manager]
Media Library Alt Text Editor [media-library-alt-text-editor]
Media Library Assistant [media-library-assistant]
Membership Plugin – Restrict Content [restrict-content]
Meta Box [meta-box]
Morkva UA Shipping [morkva-ua-shipping]
My Album Gallery [my-album-gallery]
My auctions allegro [my-auctions-allegro-free-edition]
My Calendar – Accessible Event Manager [my-calendar]
MyQtip – easy qTip2 [myqtip-easy-qtip2]
OoohBoi Steroids for Elementor [ooohboi-steroids-for-elementor]
Page Builder by SiteOrigin [siteorigin-panels]
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]
Pixfort Core [pixfort-core]
Podlove Web Player [podlove-web-player]
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX [ultimate-post]
ProfileGrid – User Profiles, Groups and Communities [profilegrid-user-profiles-groups-and-communities]
Purchase Button For Affiliate Link [purchase-button]
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging [wp-rss-aggregator]
Secudeal Payments for Ecommerce [secudeal-payments-for-ecommerce]
Seraphinite Accelerator [seraphinite-accelerator]
Show YouTube video [show-youtube-video]
Stock Ticker [stock-ticker]
Subscription for WooCommerce – WordPress Recurring Payments Plugin [subscription]
Super Stage WP [super-stage-wp]
Taskbuilder – Project Management & Task Management Tool With Kanban Board [taskbuilder]
True Ranker [seo-local-rank]
Ultimate Addons for WPBakery [Ultimate_VC_Addons]
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin [uncanny-automator]
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More [webtoffee-product-feed]
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options]
WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation [optin]
WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets [wp-all-import]
WP App Bar [wp-app-bar]
WP Booking System – Booking Calendar [wp-booking-system]
WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales [easy-sticky-sidebar]
Wp EMember [wp-eMember]
WP Frontend Profile [wp-front-end-profile]
WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms [cf7-zendesk]
WP-Members Membership Plugin [wp-members]
WPBookit [wpbookit]
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin [wpdatatables]
Wueen [wueen]
ZIP Code Based Content Protection [zip-code-based-content-protection]

WordPress Themes with Reported Vulnerabilities Last Week

Software Name [Software Slug]
AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme [window-ac-services]
Agrofood - Elementor WooCommerce WordPress Theme [agrofood]
Aldo [aldo]
Amoli - Fashion Photography WordPress Theme [amoli]
Askka - Candle Shop WordPress Theme [askka]
Au Pair Agency - Babysitting & Nanny Theme [au-pair-agency]
Avventure [avventure]
Berger - WordPress Creative Agency Portfolio Theme [berger]
Blocksy [blocksy]
Bonbon [bonbon]
BuddyApp - Mobile First Community WordPress theme [buddyapp]
CarZone - A Complete Car Dealer HTML Wire-Frame [carzone]
CasaMia | Property Rental Real Estate WordPress Theme [casamia]
Charety - Charity & Donation WordPress Theme [charety]
Chroma [chroma]
Classter | Multi-Purpose HTML Theme [classter]
Coinpress [coinpress]
ConFix - Expo & Events WordPress Theme [confix]
Cookiteer [cookiteer]
Craftis - Handcraft & Artisan Elementor Template Kit [craftis]
DeepDigital – Web Design Agency WordPress Theme [deepdigital]
Dental Clinic [dental]
Dentalux | Dentist & Healthcare Site Template [dentalux]
Don Peppe - Pizza and Fast Food WordPress Theme [donpeppe]
DroneX [dronex]
Edifice [edifice]
EmojiNation [emojination]
Equadio [equadio]
Equestrian Centre - Horse-riding School Theme [equestrian-centre]
Estate [estate]
Etchy - Print Shop WordPress Theme [etchy]
Felizia | Fertility Center & Medical WordPress Theme [felizia]
FindAll - Business Directory WordPress Theme [findall]
Foodie [foodie]
Gaspard - Restaurant and Coffee Shop WordPress Theme [gaspard]
Gioia - Modern Fashion Shop WordPress Theme [gioia]
Global Logistics [globallogistics]
Good Homes - Real Estate WordPress Theme [good-homes]
Grand Wedding WordPress [grandwedding]
Green Thumb | Gardening & Landscaping Services WP [greenthumb]
Greenville | Private School & University Education WordPress Theme [greenville]
Gridiron | American Football & NFL Team WordPress [gridiron]
Grit - Life Coach & Business Coaching WordPress Theme [grit]
Handyman - Home Services Booking App, Website & Admin Panel [handyman-services]
Healer WordPress Themes, Plugins & Template Kits. [healer]
Helion | Personal Portfolio & Agency WordPress Theme [helion]
Hoverex | Cryptocurrency & ICO Elementor Template Kit [hoverex]
Humanum [humanum]
Hypnotherapy - Psychologist Theme [hypnotherapy]
Invetex [invetex]
Jardi | Winery, Vineyard & Wine Shop WordPress Theme [jardi]
Justitia | Lawyer & Legal Adviser WordPress Theme [justitia]
Kayon [kayon]
Keenarch - Building & Construction WordPress Theme [keenarch]
Kratz [kratz]
Laurent - Elegant Restaurant WordPress Theme [laurent]
Law Office [law-office]
Lella - Hairdresser and Beauty Salon WordPress Theme [lella]
Lendiz - Loan & Funding Agency WordPress Theme [lendiz]
Lingvico | Language Center & Training Courses WordPress Theme [lingvico]
Listify [listify]
luxury-wine [luxury-wine]
m2 | Construction and Tools Store WordPress Theme [m2-ce]
Manoir [manoir]
Maxify [maxify]
Meals & Wheels [meals-wheels]
MoneyFlow [moneyflow]
Morning Records - Music Sound Studio WordPress Theme [morning-records]
Motorix [motorix]
Mounthood | Ski and Snowboarding HTML Template [mounthood]
Mr. Cobbler | Custom Shoemaking & Footwear Repairs WordPress Theme [mr-cobbler]
N7 [n7-golf-club]
nelson [nelson]
NeoBeat - Music WordPress Theme [neobeat]
Nutrie - Health Coach and Nutrition WordPress Theme [nutrie]
Nuts [nuts]
OsTende [ostende]
Pets Club - Pet Care WordPress Theme + Shop [petclub]
Printy [printy]
progress [progress]
ProLingua | Translation Bureau & Interpreting Services WordPress Theme [prolingua]
Prowess - Fitness and Gym WordPress Theme [prowess]
Quanzo - Creative Portfolio Template Kit [quanzo]
Remons - Car Rental Elementor Template Kit [remons]
Restaurant WordPress Theme | Ratatouille [ratatouille]
Roisin - Flower Shop and Florist WordPress Theme [roisin]
Scientia | Public Library & Book Store Education WordPress Theme [scientia]
ShiftCV - Blog \ Resume \ Portfolio \ WordPress Theme [shift-cv]
Solaris [solaris]
Stargaze [stargaze]
Tediss | Play Area & Child Care Center WordPress Theme [tediss]
The Qlean [the-qlean]
Thebe - Portfolio WordPress Theme [thebe]
TheBi - Photography WordPress Theme [thebi]
Thecs - Portfolio WordPress Theme [thecs]
Tour Booking WordPress Theme - Tripgo [tripgo]
Translogic | Logistics & Shipment Transportation [translogic]
Triompher | Golf Course & Sports Club WordPress Theme [triompher]
Tuning [tuning]
Unica - Event Planning & Wedding WordPress Theme [unica]
VegaDays - Vegetarian Food Festival & Eco Event WordPress Theme [vegadays]
Victo - Ultimate Responsive Magento 2 Theme [victo]
Vixus - Business Startup Elementor Template Kit [vixus]
Wanderland - Travel Blog [wanderland]
Wizor's | Investments, Economics & Bankin WordPress Theme [wizors-investments]
Yottis [yottis]
Yungen [yungen]

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-2628
Patch Status: Patched
Published: Mar 2, 2026
Affected Software: All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login [login-with-azure]
Researcher: Nabil Irawan

Au Pair Agency - Babysitting & Nanny Theme <= 1.2.2 - Unauthenticated PHP Object Injection
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-27098
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: Au Pair Agency - Babysitting & Nanny Theme [au-pair-agency]
Researcher: Tran Nguyen Bao Khanh

Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv'
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-2599
Patch Status: Patched
Published: Mar 4, 2026
Affected Software: Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries]
Researcher: Chiao-Lin Yu (Steven Meow)

LMS Elementor Pro <= 1.0.4 - Unauthenticated Privilege Escalation
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-27983
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: LMS Elementor Pro [lms-elementor-pro]
Researcher: luc

User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration
CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-1492
Patch Status: Patched
Published: Mar 2, 2026
Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
Researcher: Foxyyy

FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More <= 1.4.2 - Unauthenticated Arbitrary File Deletion
CVSS Rating: 9.1 (Critical)
CVE-ID: CVE-2026-22460
Patch Status: Unpatched
Published: Mar 3, 2026
Affected Software: FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More [formgent]
Researcher: Thái An

ionCube Tester Plus <= 1.3 - Unauthenticated Arbitrary File Download
CVSS Rating: 9.1 (Critical)
CVE-ID: CVE-2025-69411
Patch Status: Patched
Published: Mar 4, 2026
Affected Software: ionCube Tester Plus [ioncube-tester-plus]
Researcher: Jarno Vos (jarnovos)

Booking for Appointments and Events Calendar – Amelia <= 1.2.38 - Authenticated (Employee+) Privilege Escalation
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-24963
Patch Status: Patched
Published: Mar 4, 2026
Affected Software: Booking for Appointments and Events Calendar – Amelia [ameliabooking]
Researcher: daroo

Charety < 2.0.2 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-24960
Patch Status: Patched
Published: Mar 3, 2026
Affected Software: Charety - Charity & Donation WordPress Theme [charety]
Researcher: Tran Nguyen Bao Khanh

Keenarch < 2.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2025-68554
Patch Status: Patched
Published: Mar 3, 2026
Affected Software: Keenarch - Building & Construction WordPress Theme [keenarch]
Researcher: Tran Nguyen Bao Khanh

LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-1566
Patch Status: Patched
Published: Mar 2, 2026
Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]
Researcher: Nguyen Ba Hung (bashu)

Master Addons for Elementor Premium <= 2.1.3 - Authenticated (Subscriber+) Remote Code Execution via render_preview
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-3132
Patch Status: Patched
Published: Mar 2, 2026
Affected Software: Master Addons for Elementor Premium [master-addons-pro]
Researcher: Ren Voza

Nutrie < 2.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2025-68555
Patch Status: Patched
Published: Mar 3, 2026
Affected Software: Nutrie - Health Coach and Nutrition WordPress Theme [nutrie]
Researcher: Tran Nguyen Bao Khanh

Page Builder by SiteOrigin <= 2.33.5 - Authenticated (Contributor+) Local File Inclusion
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-2448
Patch Status: Patched
Published: Mar 2, 2026
Affected Software: Page Builder by SiteOrigin [siteorigin-panels]
Researcher: dragonzenai

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2025-8899
Patch Status: Patched
Published: Mar 6, 2026
Affected Software: Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]
Researcher: Peter Thaleikis

Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets <= 4.1.3 - Authenticated (Contributor+) Remote Code Execution
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-27984
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options]
Researcher: Drew Webber (mcdruid)

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
CVSS Rating: 8.8 (High)
CVE-ID: CVE-2026-1720
Patch Status: Patched
Published: Mar 4, 2026
Affected Software: WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation [optin]
Researchers: Itthidej Aramsri (Boeing777), Waris Damkham

AC Services | HVAC, Air Conditioning & Heating Company WordPress <= 1.2.5 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27326
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme [window-ac-services]
Researcher: Tran Nguyen Bao Khanh

Aldo <= 1.0.10 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27993
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Aldo [aldo]
Researcher: Bonds

Amoli <= 1.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22506
Patch Status: Unpatched
Published: Mar 6, 2026
Affected Software: Amoli - Fashion Photography WordPress Theme [amoli]
Researcher: Tran Nguyen Bao Khanh

Askka <= 1.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22456
Patch Status: Unpatched
Published: Mar 3, 2026
Affected Software: Askka - Candle Shop WordPress Theme [askka]
Researcher: Tran Nguyen Bao Khanh

Avventure <= 1.1.12 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27991
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Avventure [avventure]
Researcher: Bonds

Berger <= 1.1.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2025-53335
Patch Status: Unpatched
Published: Mar 3, 2026
Affected Software: Berger - WordPress Creative Agency Portfolio Theme [berger]
Researcher: Tran Nguyen Bao Khanh

Bonbon <= 1.6 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28030
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Bonbon [bonbon]
Researcher: Tran Nguyen Bao Khanh

Bus Ticket Booking with Seat Reservation <= 5.6.2 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27095
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Bus Ticket Booking with Seat Reservation [bus-ticket-booking-with-seat-reservation]
Researcher: daroo

CasaMia | Property Rental Real Estate WordPress Theme <= 1.1.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27097
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: CasaMia | Property Rental Real Estate WordPress Theme [casamia]
Researcher: Tran Nguyen Bao Khanh

Chroma <= 1.11 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28020
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Chroma [chroma]
Researcher: Tran Nguyen Bao Khanh

Classter <= 2.5 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2025-54001
Patch Status: Unpatched
Published: Mar 3, 2026
Affected Software: Classter | Multi-Purpose HTML Theme [classter]
Researcher: Tran Nguyen Bao Khanh

Coinpress <= 1.0.14 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28007
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Coinpress [coinpress]
Researcher: Bonds

ConFix <= 1.013 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27990
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: ConFix - Expo & Events WordPress Theme [confix]
Researcher: Bonds

Craftis - Handcraft & Artisan Elementor Template Kit <= 1.2.8 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28021
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Craftis - Handcraft & Artisan Elementor Template Kit [craftis]
Researcher: Tran Nguyen Bao Khanh

Dentalux | Dentist & Healthcare Site Template <= 3.3 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22508
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Dentalux | Dentist & Healthcare Site Template [dentalux]
Researcher: Tran Nguyen Bao Khanh

Don Peppe - Pizza and Fast Food WordPress Theme <= 1.3 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22449
Patch Status: Unpatched
Published: Mar 3, 2026
Affected Software: Don Peppe - Pizza and Fast Food WordPress Theme [donpeppe]
Researcher: Tran Nguyen Bao Khanh

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-3459
Patch Status: Patched
Published: Mar 5, 2026
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 [drag-and-drop-multiple-file-upload-contact-form-7]
Researcher: Thomas Sanzey

DroneX <= 1.1.12 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28009
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: DroneX [dronex]
Researcher: Bonds

Edifice <= 1.8 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28033
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Edifice [edifice]
Researcher: Tran Nguyen Bao Khanh

EmojiNation <= 1.0.12 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28029
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: EmojiNation [emojination]
Researcher: Tran Nguyen Bao Khanh

Equadio <= 1.1.3 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27988
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Equadio [equadio]
Researcher: Bonds

Equestrian Centre <= 1.5 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22474
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: Equestrian Centre - Horse-riding School Theme [equestrian-centre]
Researcher: Tran Nguyen Bao Khanh

Estate <= 1.3.4 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22475
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: Estate [estate]
Researcher: Tran Nguyen Bao Khanh

Etchy <= 1.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22476
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: Etchy - Print Shop WordPress Theme [etchy]
Researcher: Tran Nguyen Bao Khanh

Felizia | Fertility Center & Medical WordPress Theme <= 1.3.4 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22477
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: Felizia | Fertility Center & Medical WordPress Theme [felizia]
Researcher: Tran Nguyen Bao Khanh

FindAll - Business Directory WordPress Theme <= 1.4 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22478
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: FindAll - Business Directory WordPress Theme [findall]
Researcher: Tran Nguyen Bao Khanh

Foodie <= 1.14 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28022
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Foodie [foodie]
Researcher: Tran Nguyen Bao Khanh

Gaspard <= 1.3 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22493
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Gaspard - Restaurant and Coffee Shop WordPress Theme [gaspard]
Researcher: Tran Nguyen Bao Khanh

Gioia <= 1.4 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22509
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Gioia - Modern Fashion Shop WordPress Theme [gioia]
Researcher: Tran Nguyen Bao Khanh

Global Logistics <= 3.20 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28018
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Global Logistics [globallogistics]
Researcher: Tran Nguyen Bao Khanh

Good Homes <= 1.3.13 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22494
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Good Homes - Real Estate WordPress Theme [good-homes]
Researcher: Tran Nguyen Bao Khanh

Grand Wedding <= 3.1.0 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22417
Patch Status: Unpatched
Published: Mar 3, 2026
Affected Software: Grand Wedding WordPress [grandwedding]
Researcher: Tran Nguyen Bao Khanh

Green Thumb <= 1.1.12 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28017
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Green Thumb | Gardening & Landscaping Services WP [greenthumb]
Researcher: Bonds

Greenville | Private School & University Education WordPress Theme <= 1.3.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22495
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Greenville | Private School & University Education WordPress Theme [greenville]
Researcher: Tran Nguyen Bao Khanh

Gridiron <= 1.0.14 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28012
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Gridiron | American Football & NFL Team WordPress [gridiron]
Researcher: Bonds

Grit - Life Coach & Business Coaching WordPress Theme <= 1.0.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28041
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Grit - Life Coach & Business Coaching WordPress Theme [grit]
Researcher: Tran Nguyen Bao Khanh

Handyman <= 1.4 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22451
Patch Status: Unpatched
Published: Mar 3, 2026
Affected Software: Handyman - Home Services Booking App, Website & Admin Panel [handyman-services]
Researcher: Tran Nguyen Bao Khanh

Healer - Doctor, Clinic & Medical WordPress <= 1.0.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28043
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Healer WordPress Themes, Plugins & Template Kits. [healer]
Researcher: Tran Nguyen Bao Khanh

Helion | Personal Portfolio & Agency WordPress Theme <= 1.1.12 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28024
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Helion | Personal Portfolio & Agency WordPress Theme [helion]
Researcher: Tran Nguyen Bao Khanh

Hoverex | Cryptocurrency & ICO Elementor Template Kit <= 1.5.10 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22452
Patch Status: Unpatched
Published: Mar 3, 2026
Affected Software: Hoverex | Cryptocurrency & ICO Elementor Template Kit [hoverex]
Researcher: Tran Nguyen Bao Khanh

Humanum <= 1.1.4 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27985
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Humanum [humanum]
Researcher: Bonds

Hypnotherapy - Psychologist Theme <= 1.2.10 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22496
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Hypnotherapy - Psychologist Theme [hypnotherapy]
Researcher: Tran Nguyen Bao Khanh

Invetex <= 2.18 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28031
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Invetex [invetex]
Researcher: Tran Nguyen Bao Khanh

Jardi | Winery, Vineyard & Wine Shop WordPress Theme <= 1.7.2 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22497
Patch Status: Unpatched
Published: Mar 4, 2026
Affected Software: Jardi | Winery, Vineyard & Wine Shop WordPress Theme [jardi]
Researcher: Tran Nguyen Bao Khanh

Justitia <= 1.1.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27995
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Justitia | Lawyer & Legal Adviser WordPress Theme [justitia]
Researcher: Bonds

Kayon <= 1.3 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28027
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Kayon [kayon]
Researcher: Tran Nguyen Bao Khanh

Kratz <= 1.0.12 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28013
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Kratz [kratz]
Researcher: Bonds

Laurent - Elegant Restaurant WordPress Theme <= 3.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22498
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Laurent - Elegant Restaurant WordPress Theme [laurent]
Researcher: Tran Nguyen Bao Khanh

Law Office <= 3.3.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28046
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Law Office [law-office]
Researcher: Tran Nguyen Bao Khanh

Lella <= 1.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22499
Patch Status: Unpatched
Published: Mar 5, 2026
Affected Software: Lella - Hairdresser and Beauty Salon WordPress Theme [lella]
Researcher: Tran Nguyen Bao Khanh

Lingvico <= 1.0.14 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-27996
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: Lingvico | Language Center & Training Courses WordPress Theme [lingvico]
Researcher: Bonds

Luxury Wine <= 1.1.14 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-28016
Patch Status: Unpatched
Published: Mar 2, 2026
Affected Software: luxury-wine [luxury-wine]
Researcher: Bonds

m2 | Construction and Tools Store <= 1.1.2 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High)
CVE-ID: CVE-2026-22500
Patch Status: Unpatched
Published Mar 5, 2026 Affected Software m2 | Construction and Tools Store WordPress Theme [m2-ce] Researcher Tran Nguyen Bao Khanh More Details > Manoir <= 1.11 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28019 Patch Status Unpatched Published Mar 2, 2026 Affected Software Manoir [manoir] Researcher Tran Nguyen Bao Khanh More Details > Maxify <= 1.0.16 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27997 Patch Status Unpatched Published Mar 2, 2026 Affected Software Maxify [maxify] Researcher Bonds More Details > Meals & Wheels <= 1.1.12 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27992 Patch Status Unpatched Published Mar 2, 2026 Affected Software Meals & Wheels [meals-wheels] Researcher Bonds More Details > Membership Plugin – Restrict Content <= 3.2.20 - Unauthenticated Privilege Escalation via 'rcp_level' 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-1321 Patch Status Patched Published Mar 4, 2026 Affected Software Membership Plugin – Restrict Content [restrict-content] Researcher shark3y More Details > MoneyFlow <= 1.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28028 Patch Status Unpatched Published Mar 2, 2026 Affected Software MoneyFlow [moneyflow] Researcher Tran Nguyen Bao Khanh More Details > Morning Records - Music Sound Studio WordPress Theme <= 1.2 - Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22505 Patch Status Unpatched Published Mar 5, 2026 Affected Software Morning Records - Music Sound Studio WordPress Theme [morning-records] Researcher Tran Nguyen Bao Khanh More Details > Motorix <= 1.6 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28026 Patch Status Unpatched Published Mar 2, 2026 Affected Software Motorix [motorix] Researcher Tran Nguyen Bao Khanh More Details > Mounthood | Ski and Snowboarding HTML Template <= 1.3.2 - 
Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22501 Patch Status Unpatched Published Mar 4, 2026 Affected Software Mounthood | Ski and Snowboarding HTML Template [mounthood] Researcher Tran Nguyen Bao Khanh More Details > Mr. Cobbler | Custom Shoemaking & Footwear Repairs WordPress Theme <= 1.1.9 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22502 Patch Status Unpatched Published Mar 5, 2026 Affected Software Mr. Cobbler | Custom Shoemaking & Footwear Repairs WordPress Theme [mr-cobbler] Researcher Tran Nguyen Bao Khanh More Details > My Album Gallery <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Deletion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22485 Patch Status Unpatched Published Mar 5, 2026 Affected Software My Album Gallery [my-album-gallery] Researcher Athiwat Tiprasaharn (Jitlada) More Details > N7 | Golf Club Sports & Events <= 2.16.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28045 Patch Status Unpatched Published Mar 2, 2026 Affected Software N7 [n7-golf-club] Researcher Tran Nguyen Bao Khanh More Details > Nelson <= 1.2.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22503 Patch Status Unpatched Published Mar 5, 2026 Affected Software nelson [nelson] Researcher Tran Nguyen Bao Khanh More Details > NeoBeat <= 1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22511 Patch Status Unpatched Published Mar 6, 2026 Affected Software NeoBeat - Music WordPress Theme [neobeat] Researcher Tran Nguyen Bao Khanh More Details > Nuts <= 1.10 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28023 Patch Status Unpatched Published Mar 2, 2026 Affected Software Nuts [nuts] Researcher Tran Nguyen Bao Khanh More Details > OsTende <= 1.4.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27986 Patch Status Unpatched 
Published Mar 2, 2026 Affected Software OsTende [ostende] Researcher Bonds More Details > Pets Club <= 2.3 - Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22453 Patch Status Unpatched Published Mar 3, 2026 Affected Software Pets Club - Pet Care WordPress Theme + Shop [petclub] Researcher Tran Nguyen Bao Khanh More Details > Printy <= 1.8 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28035 Patch Status Unpatched Published Mar 2, 2026 Affected Software Printy [printy] Researcher Tran Nguyen Bao Khanh More Details > Progress <= 1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28034 Patch Status Unpatched Published Mar 2, 2026 Affected Software progress [progress] Researcher Tran Nguyen Bao Khanh More Details > ProLingua <= 1.1.12 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22504 Patch Status Unpatched Published Mar 5, 2026 Affected Software ProLingua | Translation Bureau & Interpreting Services WordPress Theme [prolingua] Researcher Tran Nguyen Bao Khanh More Details > Prowess - Fitness and Gym WordPress Theme <= 1.8.1 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22446 Patch Status Unpatched Published Mar 3, 2026 Affected Software Prowess - Fitness and Gym WordPress Theme [prowess] Researcher Tran Nguyen Bao Khanh More Details > Quanzo - Creative Portfolio Template Kit <= 1.0.10 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27989 Patch Status Unpatched Published Mar 2, 2026 Affected Software Quanzo - Creative Portfolio Template Kit [quanzo] Researcher Bonds More Details > Remons <= 1.3.4 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2025-69090 Patch Status Patched Published Mar 3, 2026 Affected Software Remons - Car Rental Elementor Template Kit [remons] Researcher Tran Nguyen Bao Khanh More Details > Roisin <= 1.2.1 - 
Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22512 Patch Status Unpatched Published Mar 6, 2026 Affected Software Roisin - Flower Shop and Florist WordPress Theme [roisin] Researcher Tran Nguyen Bao Khanh More Details > Scientia <= 1.2.4 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28010 Patch Status Unpatched Published Mar 2, 2026 Affected Software Scientia | Public Library & Book Store Education WordPress Theme [scientia] Researcher Bonds More Details > Secudeal Payments for Ecommerce <= 1.1 - Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22471 Patch Status Unpatched Published Mar 4, 2026 Affected Software Secudeal Payments for Ecommerce [secudeal-payments-for-ecommerce] Researcher Mrreee More Details > ShiftCV - Blog \ Resume \ Portfolio \ WordPress Theme <= 3.0.14 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28015 Patch Status Unpatched Published Mar 2, 2026 Affected Software ShiftCV - Blog \ Resume \ Portfolio \ WordPress Theme [shift-cv] Researcher Bonds More Details > Solaris <= 2.5 - Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22454 Patch Status Unpatched Published Mar 3, 2026 Affected Software Solaris [solaris] Researcher Tran Nguyen Bao Khanh More Details > Stargaze <= 1.5 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28025 Patch Status Unpatched Published Mar 2, 2026 Affected Software Stargaze [stargaze] Researcher Tran Nguyen Bao Khanh More Details > Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-1542 Patch Status Unpatched Published Mar 2, 2026 Affected Software Super Stage WP [super-stage-wp] Researcher ibrahimsql More Details > Tediss <= 1.2.4 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27994 Patch Status Unpatched Published Mar 2, 2026 
Affected Software Tediss | Play Area & Child Care Center WordPress Theme [tediss] Researcher Bonds More Details > The Qlean <= 2.12 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27987 Patch Status Unpatched Published Mar 2, 2026 Affected Software The Qlean [the-qlean] Researcher Bonds More Details > Translogic <= 1.2.11 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28014 Patch Status Unpatched Published Mar 2, 2026 Affected Software Translogic | Logistics & Shipment Transportation [translogic] Researcher Bonds More Details > Triompher | Golf Course & Sports Club WordPress Theme <= 1.1.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22513 Patch Status Unpatched Published Mar 5, 2026 Affected Software Triompher | Golf Course & Sports Club WordPress Theme [triompher] Researcher Tran Nguyen Bao Khanh More Details > Tripgo <= 1.5.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27093 Patch Status Unpatched Published Mar 5, 2026 Affected Software Tour Booking WordPress Theme - Tripgo [tripgo] Researcher Tran Nguyen Bao Khanh More Details > Tuning <= 1.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28032 Patch Status Unpatched Published Mar 2, 2026 Affected Software Tuning [tuning] Researcher Tran Nguyen Bao Khanh More Details > Unica - Event Planning & Wedding WordPress Theme <= 1.4.1 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22514 Patch Status Unpatched Published Mar 6, 2026 Affected Software Unica - Event Planning & Wedding WordPress Theme [unica] Researcher Tran Nguyen Bao Khanh More Details > VegaDays - Vegetarian Food Festival & Eco Event WordPress Theme <= 1.2.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22515 Patch Status Unpatched Published Mar 6, 2026 Affected Software VegaDays - Vegetarian Food Festival & 
Eco Event WordPress Theme [vegadays] Researcher Tran Nguyen Bao Khanh More Details > Victo <= 1.4.16 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28047 Patch Status Unpatched Published Mar 2, 2026 Affected Software Victo - Ultimate Responsive Magento 2 Theme [victo] Researcher Tran Nguyen Bao Khanh More Details > Vixus - Business Startup Elementor Template Kit <= 1.0.16 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27998 Patch Status Unpatched Published Mar 2, 2026 Affected Software Vixus - Business Startup Elementor Template Kit [vixus] Researcher Bonds More Details > Wanderland - Travel Blog <= 1.5 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22457 Patch Status Unpatched Published Mar 3, 2026 Affected Software Wanderland - Travel Blog [wanderland] Researcher Tran Nguyen Bao Khanh More Details > Wizor's <= 2.12 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22516 Patch Status Unpatched Published Mar 6, 2026 Affected Software Wizor's | Investments, Economics & Bankin WordPress Theme [wizors-investments] Researcher Tran Nguyen Bao Khanh More Details > wpDataTables (Premium) <= 6.5.0.1 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28039 Patch Status Unpatched Published Mar 3, 2026 Affected Software wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin [wpdatatables] Researcher Nguyen Xuan Chien More Details > Yottis <= 1.0.10 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28011 Patch Status Unpatched Published Mar 2, 2026 Affected Software Yottis [yottis] Researcher Bonds More Details > Yungen <= 1.0.12 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28006 Patch Status Unpatched Published Mar 2, 2026 Affected Software Yungen [yungen] Researcher Bonds More Details > Car Zone <= 3.7 - Authenticated 
(Subscriber+) PHP Object Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-27338 Patch Status Unpatched Published Mar 3, 2026 Affected Software CarZone - A Complete Car Dealer HTML Wire-Frame [carzone] Researcher Tran Nguyen Bao Khanh More Details > Contest Gallery <= 28.1.4 - Unauthenticated SQL Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-3180 Patch Status Patched Published Mar 2, 2026 Affected Software Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe [contest-gallery] Researcher Thomas Sanzey More Details > Cookiteer <= 1.4.8 - Authenticated (Subscriber+) Local File Inclusion 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2025-68886 Patch Status Unpatched Published Mar 3, 2026 Affected Software Cookiteer [cookiteer] Researcher Tran Nguyen Bao Khanh More Details > Dental Clinic <= 3.7 - Authenticated (Subscriber+) PHP Object Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-22473 Patch Status Unpatched Published Mar 4, 2026 Affected Software Dental Clinic [dental] Researcher Tran Nguyen Bao Khanh More Details > JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-2020 Patch Status Patched Published Mar 6, 2026 Affected Software JS Archive List [jquery-archive-list-widget] Researchers Athiwat Tiprasaharn (Jitlada) Itthidej Aramsri (Boeing777) Waris Damkham More Details > JS Help Desk – AI-Powered Support & Ticketing System 2.8.2 - Unauthenticated SQL Injection via 'js-support-ticket-token-tkstatus' Cookie 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2023-7337 Patch Status Patched Published Mar 3, 2026 Affected Software JS Help Desk – AI-Powered Support & Ticketing System [js-support-ticket] Researcher(s): Unknown More Details > Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.5.0 - Unauthenticated SQL Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-22484 Patch Status Unpatched Published Mar 5, 2026 
Affected Software Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme [lisfinity-core] Researcher João Pedro S Alcântara (Kinorth) More Details > Podlove Web Player <= 5.9.1 - Authenticated (Contributor+) PHP Object Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-24385 Patch Status Patched Published Mar 3, 2026 Affected Software Podlove Web Player [podlove-web-player] Researcher PPzzAArr More Details > ZIP Code Based Content Protection <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' Parameter 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2025-14353 Patch Status Patched Published Mar 6, 2026 Affected Software ZIP Code Based Content Protection [zip-code-based-content-protection] Researcher Athiwat Tiprasaharn (Jitlada) More Details > Easy PHP Settings <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_memory_limit' Setting 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-3352 Patch Status Patched Published Mar 6, 2026 Affected Software Easy PHP Settings [easy-php-settings] Researcher ZAST.AI More Details > Fluent Forms Pro <= 6.1.17 - Unauthenticated Stored Cross-Site Scripting via Draft Form Submission 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-2365 Patch Status Patched Published Mar 4, 2026 Affected Software Fluent Forms Pro Add On Pack [fluentformpro] Researcher Prickly Cactus More Details > Meta Box <= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2025-14675 Patch Status Patched Published Mar 6, 2026 Affected Software Meta Box [meta-box] Researcher JongHwan Shin (zzzsleep) More Details > PostX <= 5.0.8 - Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-1273 Patch Status Patched Published Mar 3, 2026 Affected Software Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX [ultimate-post] Researchers Mohammad Amin Hajian (mamadrce) Pouria Shahba (p0or1ya) More Details > Uncanny 
Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 7.0.0.3 - Authenticated (Administrator+) Server-Side Request Forgery to Arbitrary File Upload 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-2269 Patch Status Patched Published Mar 2, 2026 Affected Software Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin [uncanny-automator] Researcher lucsob More Details > WP App Bar <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'app-bar-features' Parameter 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-1074 Patch Status Unpatched Published Mar 6, 2026 Affected Software WP App Bar [wp-app-bar] Researcher 0x34rth More Details > WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-2568 Patch Status Patched Published Mar 2, 2026 Affected Software WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms [cf7-zendesk] Researcher Nabil Irawan More Details > WPBookit <= 1.0.8 - Unauthenticated Stored Cross-Site Scripting via 'wpb_user_name' and 'wpb_user_email' Parameters 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-1945 Patch Status Patched Published Mar 3, 2026 Affected Software WPBookit [wpbookit] Researcher MD. 
TAREQ AHAMED JONY (itztrq) More Details > WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More <= 2.3.3 - Authenticated (Shop manager+) PHP Object Injection 6.6 CVSS Rating 6.6 (Medium) CVE-ID CVE-2026-22480 Patch Status Patched Published Mar 5, 2026 Affected Software WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More [webtoffee-product-feed] Researcher Mrreee More Details > Email Subscribers & Newsletters <= 5.9.16 - Authenticated (Administrator+) SQL Injection via 'workflow_ids' Parameter 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-1651 Patch Status Patched Published Mar 3, 2026 Affected Software Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress [email-subscribers] Researcher Chiao-Lin Yu (Steven Meow) More Details > Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-2899 Patch Status Patched Published Mar 4, 2026 Affected Software Fluent Forms Pro Add On Pack [fluentformpro] Researcher Prickly Cactus More Details > Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema() 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-1674 Patch Status Patched Published Mar 3, 2026 Affected Software Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder [gutena-forms] Researcher Youssef Elouaer More Details > LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-1487 Patch Status Patched Published Mar 2, 2026 Affected Software LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint] Researcher Chiao-Lin Yu (Steven Meow) More Details > Page and Post Clone <= 6.3 - Authenticated (Contributor+) SQL 
Injection via 'meta_key' Parameter 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-2893 Patch Status Patched Published Mar 4, 2026 Affected Software Fast Page & Post Duplicator [page-or-post-clone] Researcher Arthur GRIMAULT More Details > WP-Members Membership Plugin <= 3.5.5.1 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-2363 Patch Status Patched Published Mar 3, 2026 Affected Software WP-Members Membership Plugin [wp-members] Researcher Quốc Huy (jtwings) More Details > Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2583 Patch Status Patched Published Mar 2, 2026 Affected Software Blocksy [blocksy] Researcher Quốc Huy (jtwings) More Details > Consensus Embed <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1823 Patch Status Unpatched Published Mar 6, 2026 Affected Software Consensus Embed [consensus-embed] Researcher Muhammad Yudha - DJ More Details > DA Media GigList <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1805 Patch Status Unpatched Published Mar 6, 2026 Affected Software DA Media GigList [damedia-giglist] Researcher Muhammad Yudha - DJ More Details > Envira Gallery for WordPress <= 1.12.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'justified_gallery_theme' Parameter via REST API 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1236 Patch Status Patched Published Mar 3, 2026 Affected Software Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More [envira-gallery-lite] Researchers Athiwat Tiprasaharn (Jitlada) Itthidej Aramsri (Boeing777) Waris Damkham More Details > Greenshift – animation and page builder blocks <= 12.8.5 - Authenticated (Contributor+) 
Stored Cross-Site Scripting 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2593 Patch Status Patched Published Mar 5, 2026 Affected Software Greenshift – animation and page builder blocks [greenshift-animation-and-page-builder-blocks] Researchers Athiwat Tiprasaharn (Jitlada) Itthidej Aramsri (Boeing777) More Details > Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1902 Patch Status Patched Published Mar 6, 2026 Affected Software Hammas Calendar [hammas-calendar] Researcher zaim More Details > Infomaniak Connect for OpenID <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1824 Patch Status Unpatched Published Mar 6, 2026 Affected Software Infomaniak Connect for OpenID [infomaniak-connect-openid] Researcher Muhammad Yudha - DJ More Details > Media Library Alt Text Editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1820 Patch Status Unpatched Published Mar 6, 2026 Affected Software Media Library Alt Text Editor [media-library-alt-text-editor] Researcher Muhammad Yudha - DJ More Details > My Calendar – Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2355 Patch Status Patched Published Mar 3, 2026 Affected Software My Calendar – Accessible Event Manager [my-calendar] Researcher Muhammad Yudha - DJ More Details > MyQtip – easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1574 Patch Status Unpatched Published Mar 6, 2026 Affected Software MyQtip – easy qTip2 [myqtip-easy-qtip2] Researcher zaim More Details > OoohBoi Steroids for Elementor <= 2.1.24 - Authenticated 
(Contributor+) Stored Cross-Site Scripting via Multiple URL Controls 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-3034 Patch Status Patched Published Mar 4, 2026 Affected Software OoohBoi Steroids for Elementor [ooohboi-steroids-for-elementor] Researcher Osvaldo Noe Gonzalez Del Rio (Os) More Details > Ratatouille <= 1.2.6 - Authenticated (Subscriber+) Server-Side Request Forgery 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-28036 Patch Status Unpatched Published Mar 2, 2026 Affected Software Restaurant WordPress Theme | Ratatouille [ratatouille] Researcher Tran Nguyen Bao Khanh More Details > Show YouTube video <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1825 Patch Status Unpatched Published Mar 6, 2026 Affected Software Show YouTube video [show-youtube-video] Researcher Muhammad Yudha - DJ More Details > Wueen <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1569 Patch Status Unpatched Published Mar 6, 2026 Affected Software Wueen [wueen] Researcher zaim More Details > Agrofood <= 1.3.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27332 Patch Status Unpatched Published Mar 3, 2026 Affected Software Agrofood - Elementor WooCommerce WordPress Theme [agrofood] Researcher Tran Nguyen Bao Khanh More Details > All-in-One Video Gallery <= 4.7.1 - Reflected Cross-Site Scripting via 'vi' Parameter 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-1706 Patch Status Patched Published Mar 3, 2026 Affected Software All-in-One Video Gallery [all-in-one-video-gallery] Researcher Muhammad Yudha - DJ More Details > BuddyApp <= 1.9.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-22465 Patch Status Unpatched Published Mar 3, 2026 Affected Software BuddyApp - Mobile First Community WordPress theme [buddyapp] Researcher João Pedro S Alcântara 
(Kinorth)

CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-2431 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: CM Custom Reports – Flexible reporting to track what matters most [cm-custom-reports] | Researcher: san6051

DeepDigital – Web Design Agency WordPress Theme <= 1.0.2 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-22467 | Patch Status: Unpatched | Published: Mar 4, 2026 | Affected Software: DeepDigital – Web Design Agency WordPress Theme [deepdigital] | Researcher: João Pedro S Alcântara (Kinorth)

EventON <= 4.9.12 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-28037 | Patch Status: Unpatched | Published: Mar 2, 2026 | Affected Software: EventON (Pro) - WordPress Virtual Event Calendar Plugin [eventON] | Researcher: João Pedro S Alcântara (Kinorth)

Listify <= 3.2.5 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-28042 | Patch Status: Unpatched | Published: Mar 2, 2026 | Affected Software: Listify [listify] | Researcher: Ananda Dhakal

My auctions allegro <= 3.6.34 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-22491 | Patch Status: Unpatched | Published: Mar 5, 2026 | Affected Software: My auctions allegro [my-auctions-allegro-free-edition] | Researcher: theviper17

pixfort Core <= 3.2.22 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-28072 | Patch Status: Patched | Published: Mar 2, 2026 | Affected Software: Pixfort Core [pixfort-core] | Researcher: Rafie Muhammad

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-2433 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging [wp-rss-aggregator] | Researcher: Osvaldo Noe Gonzalez Del Rio (Os)

Thebe <= 1.3.0 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-22455 | Patch Status: Unpatched | Published: Mar 3, 2026 | Affected Software: Thebe - Portfolio WordPress Theme [thebe] | Researcher: Tran Nguyen Bao Khanh

TheBi <= 1.0.5 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-22438 | Patch Status: Unpatched | Published: Mar 3, 2026 | Affected Software: TheBi - Photography WordPress Theme [thebi] | Researcher: Tran Nguyen Bao Khanh

Thecs <= 1.4.7 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-22440 | Patch Status: Unpatched | Published: Mar 3, 2026 | Affected Software: Thecs - Portfolio WordPress Theme [thecs] | Researcher: Tran Nguyen Bao Khanh

WP All Import <= 4.0.0 - Reflected Cross-Site Scripting via 'filepath'
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-2830 | Patch Status: Patched | Published: Mar 5, 2026 | Affected Software: WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets [wp-all-import] | Researcher: Osvaldo Noe Gonzalez Del Rio (Os)

Wp EMember <= v10.2.2 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium) | CVE-ID: CVE-2026-28073 | Patch Status: Unpatched | Published: Mar 2, 2026 | Affected Software: Wp EMember [wp-eMember] | Researcher: Tran Nguyen Bao Khanh

Enable Media Replace <= 4.1.7 - Improper Authorization to Authenticated (Author+) Arbitrary Attachment Change via Background Replace
CVSS Rating: 5.4 (Medium) | CVE-ID: CVE-2026-2732 | Patch Status: Patched | Published: Mar 3, 2026 | Affected Software: Enable Media Replace [enable-media-replace] | Researcher: Or Benit

AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-1336 | Patch Status: Patched | Published: Mar 2, 2026 | Affected Software: AI ChatBot with ChatGPT and Content Generator by AYS [ays-chatgpt-assistant] | Researcher: Nabil Irawan

Easy Post Submission – Frontend Posting, Guest Publishing & Submit Content for WordPress <= 2.2.0 - Missing Authorization
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-22479 | Patch Status: Unpatched | Published: Mar 4, 2026 | Affected Software: Easy Post Submission – Frontend Posting, Guest Publishing & Submit Content for WordPress [easy-post-submission] | Researcher: Doan Dinh Van (DinhVan52)

Greenshift – animation and page builder blocks <= 12.8.3 - Unauthenticated Sensitive Information Exposure via Settings Backup
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-2589 | Patch Status: Patched | Published: Mar 5, 2026 | Affected Software: Greenshift – animation and page builder blocks [greenshift-animation-and-page-builder-blocks] | Researcher: Quốc Huy (jtwings)

Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load'
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-2371 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: Greenshift – animation and page builder blocks [greenshift-animation-and-page-builder-blocks] | Researcher: Lucas Montes (NiRoX)

Lendiz < 2.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2025-68553 | Patch Status: Patched | Published: Mar 3, 2026 | Affected Software: Lendiz - Loan & Funding Agency WordPress Theme [lendiz] | Researcher: Tran Nguyen Bao Khanh

Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more < 1.19.5 - Unauthenticated Information Disclosure
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-2025 | Patch Status: Patched | Published: Mar 5, 2026 | Affected Software: Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more [mail-mint] | Researcher: ibrahimsql

Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more < 1.19.5 - Unauthenticated Information Exposure
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-2025 | Patch Status: Patched | Published: Mar 5, 2026 | Affected Software: Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more [mail-mint] | Researcher: ibrahimsql

MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-1650 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: MDJM Event Management [mobile-dj-manager] | Researcher: Legion Hunter

WP Booking System – Booking Calendar <= 2.0.19.12 - Unauthenticated Information Exposure
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2025-68515 | Patch Status: Patched | Published: Mar 4, 2026 | Affected Software: WP Booking System – Booking Calendar [wp-booking-system] | Researcher: benzdeus

WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales <= 1.7.4 - Missing Authorization
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-22459 | Patch Status: Unpatched | Published: Mar 3, 2026 | Affected Software: WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales [easy-sticky-sidebar] | Researcher: Nabil Irawan

WPBookit <= 1.0.8 - Missing Authorization to Unauthenticated Sensitive Customer Data Exposure
CVSS Rating: 5.3 (Medium) | CVE-ID: CVE-2026-1980 | Patch Status: Patched | Published: Mar 3, 2026 | Affected Software: WPBookit [wpbookit] | Researcher: MD. TAREQ AHAMED JONY (itztrq)

Apocalypse Meow <= 22.1.0 - Authenticated (Administrator+) SQL Injection via 'type' Parameter
CVSS Rating: 4.9 (Medium) | CVE-ID: CVE-2026-3523 | Patch Status: Patched | Published: Mar 4, 2026 | Affected Software: Apocalypse Meow [apocalypse-meow] | Researcher: Louis Deschanel

Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field
CVSS Rating: 4.9 (Medium) | CVE-ID: CVE-2026-2429 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: Community Events [community-events] | Researcher: Bee

MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings
CVSS Rating: 4.8 (Medium) | CVE-ID: CVE-2026-2721 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: MailArchiver [mailarchiver] | Researcher: Ronnachai Chaipha (rxnr)

Stock Ticker <= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Template
CVSS Rating: 4.8 (Medium) | CVE-ID: CVE-2026-2722 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: Stock Ticker [stock-ticker] | Researchers: chaeyp Ronnachai Sretawat Na Ayutaya (Simonhaskelly) Ronnachai Chaipha (rxnr)

Carta Online <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
CVSS Rating: 4.4 (Medium) | CVE-ID: CVE-2026-1071 | Patch Status: Unpatched | Published: Mar 6, 2026 | Affected Software: Carta Online [carta-online] | Researcher: 0x34rth

LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
CVSS Rating: 4.4 (Medium) | CVE-ID: CVE-2026-2420 | Patch Status: Unpatched | Published: Mar 6, 2026 | Affected Software: LotekMedia Popup Form [ltm-popup-form] | Researcher: Hieus

Morkva UA Shipping <= 1.7.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Weight, kg' Field
CVSS Rating: 4.4 (Medium) | CVE-ID: CVE-2026-2292 | Patch Status: Patched | Published: Mar 3, 2026 | Affected Software: Morkva UA Shipping [morkva-ua-shipping] | Researcher: Phap Nguyen Anh

Taskbuilder – Project Management & Task Management Tool With Kanban Board <= 5.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: 4.4 (Medium) | CVE-ID: CVE-2026-2289 | Patch Status: Patched | Published: Mar 3, 2026 | Affected Software: Taskbuilder – Project Management & Task Management Tool With Kanban Board [taskbuilder] | Researcher: Phap Nguyen Anh - FIS

Taskbuilder <= 5.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Block Emails' Field
CVSS Rating: 4.4 (Medium) | CVE-ID: CVE-2026-2289 | Patch Status: Patched | Published: Mar 3, 2026 | Affected Software: Taskbuilder – Project Management & Task Management Tool With Kanban Board [taskbuilder] | Researcher: Phap Nguyen Anh

Font Pairing Preview For Landing Pages <= 1.3 - Cross-Site Request Forgery to Settings Update
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-1086 | Patch Status: Unpatched | Published: Mar 6, 2026 | Affected Software: Font Pairing Preview For Landing Pages [wp-font-pairing-preview] | Researcher: afnaan

Media Library Assistant <= 3.33 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Taxonomy Modification
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-3072 | Patch Status: Patched | Published: Mar 4, 2026 | Affected Software: Media Library Assistant [media-library-assistant] | Researcher: Muhammad Sharief

pixfort Core <= 3.2.22 - Missing Authorization
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-28071 | Patch Status: Patched | Published: Mar 2, 2026 | Affected Software: Pixfort Core [pixfort-core] | Researcher: Rafie Muhammad

ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-2488 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: ProfileGrid – User Profiles, Groups and Communities [profilegrid-user-profiles-groups-and-communities] | Researchers: Sergej Ljubojevic Boris Bogosavac

ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-2494 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: ProfileGrid – User Profiles, Groups and Communities [profilegrid-user-profiles-groups-and-communities] | Researchers: Sergej Ljubojevic Boris Bogosavac

Purchase Button For Affiliate Link <= 1.0.2 - Cross-Site Request Forgery to Settings Update
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-1073 | Patch Status: Unpatched | Published: Mar 6, 2026 | Affected Software: Purchase Button For Affiliate Link [purchase-button] | Researcher: afnaan

Seraphinite Accelerator <= 2.28.14 - Authenticated (Subscriber+) Exposure of Sensitive Information to an Unauthorized Actor
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-3058 | Patch Status: Patched | Published: Mar 3, 2026 | Affected Software: Seraphinite Accelerator [seraphinite-accelerator] | Researcher: lucsob

Seraphinite Accelerator <= 2.28.14 - Missing Authorization to Authenticated (Subscriber+) Log Clearing
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-3056 | Patch Status: Patched | Published: Mar 3, 2026 | Affected Software: Seraphinite Accelerator [seraphinite-accelerator] | Researcher: Nabil Irawan

Subscription for WooCommerce – WordPress Recurring Payments Plugin <= 1.8.10 - Authenticated (Customer+) Insecure Direct Object Reference
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2025-69347 | Patch Status: Patched | Published: Mar 5, 2026 | Affected Software: Subscription for WooCommerce – WordPress Recurring Payments Plugin [subscription] | Researcher: Athiwat Tiprasaharn (Jitlada)

True Ranker <= 2.2.9 - Cross-Site Request Forgery to Unauthorized True Ranker Disconnection
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-1085 | Patch Status: Unpatched | Published: Mar 6, 2026 | Affected Software: True Ranker [seo-local-rank] | Researcher: Nabil Irawan

Ultimate Addons for WPBakery Page Builder <= 3.21.1 - Missing Authorization
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-28038 | Patch Status: Unpatched | Published: Mar 2, 2026 | Affected Software: Ultimate Addons for WPBakery [Ultimate_VC_Addons] | Researcher: João Pedro S Alcântara (Kinorth)

Winston AI <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-1981 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: HUMN-1 AI Website Scanner & Human Certification by Winston AI [winston-ai-wp] | Researcher: Legion Hunter

WP Frontend Profile <= 1.3.8 - Cross-Site Request Forgery to Unauthorized User Account Approval or Rejection
CVSS Rating: 4.3 (Medium) | CVE-ID: CVE-2026-1644 | Patch Status: Patched | Published: Mar 6, 2026 | Affected Software: WP Frontend Profile [wp-front-end-profile] | Researcher: johska

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 2, 2026 to March 8, 2026) appeared first on Wordfence.
