- What: Weekly report on WordPress plugin vulnerabilities
- Impact: WordPress users may be affected by 54 disclosed vulnerabilities
Last week, there were 54 vulnerabilities disclosed in 49 WordPress Plugins that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. Because Wordfence is the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

## New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

- WAF-RULE-906 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

## Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 52 |
| Unpatched | 2 |

## Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 35 |
| High Severity | 14 |
| Critical Severity | 5 |

## Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 23 |
| Missing Authorization | 7 |
| Improper Control of Generation of Code ('Code Injection') | 5 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 4 |
| Exposure of Sensitive Information to an Unauthorized Actor | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Cross-Site Request Forgery (CSRF) | 1 |
| Improper Authorization | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 1 |
| Reliance on Cookies without Validation and Integrity Checking | 1 |
| Use of Hard-coded Credentials | 1 |

## Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Dmitrii Ignatyev | 4 |
| Osvaldo Noe Gonzalez Del Rio (Os) | 4 |
| Muhammad Yudha - DJ | 4 |
| Nabil Irawan | 3 |
| Webbernaut | 3 |
| Duong Quang Hao | 2 |
| Paolo Tresso | 2 |
| knani alaaeddine (iwd) | 2 |
| hoshino | 2 |
| Kazuma Matsumoto | 2 |
| Supakiad S. (m3ez) | 2 |
| timomangcut | 1 |
| ISMAILSHADOW | 1 |
| Michael Perla (vizen5) | 1 |
| ibrahimsql | 1 |
| tiborisaak | 1 |
| Youssef Elouaer | 1 |
| Azril Fathoni (kiseki) | 1 |
| Khaled Alenazi (Nxploited) | 1 |
| lucsob | 1 |
| Michael Iden (Mickhat) | 1 |
| Conor Sullivan | 1 |
| Krugov Artyom | 1 |
| type5afe | 1 |
| zaim | 1 |
| Bonds | 1 |
| Erwan LR | 1 |
| Quốc Huy (jtwings) | 1 |
| Athiwat Tiprasaharn (Jitlada) | 1 |
| Alex Tselevich (nos3curity) | 1 |
| wesley (wcraft) | 1 |
| Jakub Herman | 1 |
| Muhammad Rohan Khan | 1 |
| Mohammad Aghdasi | 1 |
| Leonid Semenenko (lsemenenko) | 1 |
| Jack Pas (Dark.) | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with being mentioned in our weekly vulnerability report.

## WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Auto Post Scheduler | auto-post-scheduler |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking |
| Contact Form by Supsystic | contact-form-by-supsystic |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries |
| Debugger & Troubleshooter | debugger-troubleshooter |
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | elementskit-lite |
| Everest Forms Pro | everest-forms-pro |
| Export All URLs | export-all-urls |
| Extensions for Leaflet Map | extensions-leaflet-map |
| Gravity SMTP | gravitysmtp |
| Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem | gutenverse |
| Ibtana – WordPress Website Builder | ibtana-visual-editor |
| Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | kadence-blocks |
| King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | king-addons |
| Kubio AI Page Builder | kubio |
| LeadConnector | leadconnector |
| Listeo-Core - Directory Plugin by Purethemes | listeo-core |
| Loco Translate | loco-translate |
| Minify HTML | minify-html-markup |
| MSTW League Manager | mstw-league-manager |
| MW WP Form | mw-wp-form |
| Order Notification for WooCommerce – Get Audio Alert on new Orders | woc-order-alert |
| Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar |
| Perfmatters | perfmatters |
| Pie Register – User Registration, Profiles & Content Restriction | pie-register |
| Query Monitor | query-monitor |
| Responsive Plus – Elementor Templates & Starter Sites | responsive-add-ons |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons |
| Shared Files – Frontend File Upload Form & Secure File Sharing | shared-files |
| Simple Membership | simple-membership |
| Simple Shopping Cart | wordpress-simple-paypal-shopping-cart |
| Text to Speech – TTSWP | text-to-speech-tts |
| ThemeREX Addons | trx_addons |
| TrueBooker – Appointment Booking and Scheduler System | truebooker-appointment-booking |
| Ultimate Addons for WPBakery | Ultimate_VC_Addons |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
| User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | profile-builder |
| Visitor Traffic Real Time Statistics | visitors-traffic-real-time-statistics |
| W3 Total Cache | w3-total-cache |
| WCFM – Frontend Manager for WooCommerce | wc-frontend-manager |
| Webmention | webmention |
| Widgets for Social Photo Feed | social-photo-feed-widget |
| WooPayments: Integrated WooCommerce Payments | woocommerce-payments |
| WP Lightbox 2 | wp-lightbox-2 |
| WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
| WP Travel Engine – Tour Booking Plugin – Tour Operator Software | wp-travel-engine |
| wpForo Forum | wpforo |
| WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | wpfunnels |
| Xpro Addons — 140+ Widgets for Elementor | xpro-elementor-addons |

## Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

| Vulnerability | CVSS Rating | CVE-ID | Patch Status | Published | Affected Software | Researcher(s) |
|---|---|---|---|---|---|---|
| Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality | 9.8 (Critical) | CVE-2026-4257 | Patched | Mar 30, 2026 | Contact Form by Supsystic [contact-form-by-supsystic] | Azril Fathoni (kiseki) |
| Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field | 9.8 (Critical) | CVE-2026-3300 | Patched | Mar 30, 2026 | Everest Forms Pro [everest-forms-pro] | hoshino |
| Order Notification for WooCommerce – Get Audio Alert on new Orders < 3.6.3 - Unauthenticated Remote Code Execution | 9.8 (Critical) | CVE-2025-15484 | Patched | Apr 2, 2026 | Order Notification for WooCommerce – Get Audio Alert on new Orders [woc-order-alert] | Khaled Alenazi (Nxploited) |
| Responsive Plus – Elementor Templates & Starter Sites < 3.4.3 - Unauthenticated Arbitrary Code Execution | 9.8 (Critical) | CVE-2025-15488 | Patched | Mar 30, 2026 | Responsive Plus – Elementor Templates & Starter Sites [responsive-add-ons] | Alex Tselevich (nos3curity) |
| ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload | 9.8 (Critical) | CVE-2026-1969 | Patched | Mar 30, 2026 | ThemeREX Addons [trx_addons] | Erwan LR |
| Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation | 8.8 (High) | CVE-2026-5130 | Patched | Mar 30, 2026 | Debugger & Troubleshooter [debugger-troubleshooter] | Nabil Irawan |
| wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body | 8.8 (High) | CVE-2026-3666 | Patched | Apr 3, 2026 | wpForo Forum [wpforo] | Webbernaut, Leonid Semenenko (lsemenenko) |
| MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir | 8.1 (High) | CVE-2026-4347 | Patched | Apr 1, 2026 | MW WP Form [mw-wp-form] | ISMAILSHADOW |
| Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter | 8.1 (High) | CVE-2026-4350 | Patched | Apr 2, 2026 | Perfmatters [perfmatters] | hoshino |
| WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Authenticated (Vendor+) Arbitrary Post/Product Manipulation | 8.1 (High) | CVE-2026-4896 | Patched | Apr 3, 2026 | WCFM – Frontend Manager for WooCommerce [wc-frontend-manager] | Osvaldo Noe Gonzalez Del Rio (Os) |
| Export All URLs < 5.1 - Unauthenticated Information Exposure | 7.5 (High) | CVE-2026-2696 | Patched | Apr 2, 2026 | Export All URLs [export-all-urls] | Mohammad Aghdasi |
| Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API | 7.5 (High) | CVE-2026-4020 | Patched | Mar 30, 2026 | Gravity SMTP [gravitysmtp] | Osvaldo Noe Gonzalez Del Rio (Os) |
| Text to Speech (TTS) by Mementor <= 1.9.8 - Use of Hardcoded Password to Unauthenticated Remote Database Access | 7.5 (High) | CVE-2026-1233 | Patched | Apr 3, 2026 | Text to Speech – TTSWP [text-to-speech-tts] | Kazuma Matsumoto |
| W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header | 7.5 (High) | CVE-2026-5032 | Patched | Apr 1, 2026 | W3 Total Cache [w3-total-cache] | wesley (wcraft) |
| Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI | 7.2 (High) | CVE-2026-4267 | Patched | Mar 30, 2026 | Query Monitor [query-monitor] | Dmitrii Ignatyev |
| Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting | 7.2 (High) | CVE-2026-2936 | Patched | Apr 3, 2026 | Visitor Traffic Real Time Statistics [visitors-traffic-real-time-statistics] | Supakiad S. (m3ez) |
| Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery | 7.2 (High) | CVE-2026-0686 | Patched | Apr 1, 2026 | Webmention [webmention] | Duong Quang Hao |
| Widgets for Social Photo Feed <= 1.7.9 - Unauthenticated Stored Cross-Site Scripting via feed_data | 7.2 (High) | CVE-2026-5425 | Patched | Apr 3, 2026 | Widgets for Social Photo Feed [social-photo-feed-widget] | Nabil Irawan |
| Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Missing Authorization to Authenticated (Subscriber+) Membership Payment Bypass | 7.1 (High) | CVE-2026-3445 | Patched | Apr 3, 2026 | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress [wp-user-avatar] | Supakiad S. (m3ez) |
| Amelia <= 2.1.2 - Authenticated (Manager+) SQL Injection via 'sort' Parameter | 6.5 (Medium) | CVE-2026-4668 | Patched | Mar 31, 2026 | Booking for Appointments and Events Calendar – Amelia [ameliabooking] | Michael Perla (vizen5) |
| Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields | 6.5 (Medium) | CVE-2026-3309 | Patched | Apr 3, 2026 | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress [wp-user-avatar] | Nabil Irawan |
| Pie Register – User Registration, Profiles & Content Restriction <= 3.8.4.8 - Missing Authorization to Unauthenticated Registration Form Status Modification | 6.5 (Medium) | CVE-2026-3571 | Patched | Apr 3, 2026 | Pie Register – User Registration, Profiles & Content Restriction [pie-register] | Youssef Elouaer |
| WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax | 6.5 (Medium) | CVE-2026-1710 | Patched | Mar 30, 2026 | WooPayments: Integrated WooCommerce Payments [woocommerce-payments] | Dmitrii Ignatyev |
| ElementsKit Elementor Addons and Templates <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget | 6.4 (Medium) | CVE-2026-2600 | Patched | Apr 3, 2026 | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite] | knani alaaeddine (iwd) |
| Extensions for Leaflet Map <= 4.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'elevation-track' Shortcode | 6.4 (Medium) | CVE-2026-5451 | Patched | Apr 2, 2026 | Extensions for Leaflet Map [extensions-leaflet-map] | zaim |
| Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad' | 6.4 (Medium) | CVE-2026-2924 | Patched | Apr 3, 2026 | Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem [gutenverse] | Muhammad Yudha - DJ |
| Ibtana - WordPress Website Builder <= 1.2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | 6.4 (Medium) | CVE-2026-1834 | Patched | Mar 30, 2026 | Ibtana – WordPress Website Builder [ibtana-visual-editor] | Muhammad Yudha - DJ |
| King Addons for Elementor <= 51.1.38 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Widgets | 6.4 (Medium) | CVE-2025-13535 | Patched | Mar 31, 2026 | King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder [king-addons] | Webbernaut |
| Kubio AI Page Builder <= 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | 6.4 (Medium) | CVE-2026-34887 | Patched | Mar 31, 2026 | Kubio AI Page Builder [kubio] | timomangcut |
| MSTW League Manager <= 2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting | 6.4 (Medium) | CVE-2026-34890 | Unpatched | Apr 2, 2026 | MSTW League Manager [mstw-league-manager] | Conor Sullivan |
| Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass | 6.4 (Medium) | CVE-2026-0664 | Patched | Apr 3, 2026 | Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons] | knani alaaeddine (iwd) |
| Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode | 6.4 (Medium) | CVE-2026-0737 | Patched | Apr 3, 2026 | WP Shortcodes Plugin — Shortcodes Ultimate [shortcodes-ultimate] | Dmitrii Ignatyev |
| Shortcodes Ultimate <= 7.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode | 6.4 (Medium) | CVE-2026-0738 | Patched | Apr 3, 2026 | WP Shortcodes Plugin — Shortcodes Ultimate [shortcodes-ultimate] | Dmitrii Ignatyev |
| Simple Shopping Cart <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode | 6.4 (Medium) | CVE-2026-0552 | Patched | Apr 3, 2026 | Simple Shopping Cart [wordpress-simple-paypal-shopping-cart] | Muhammad Yudha - DJ |
| Ultimate Addons for WPBakery Page Builder < 3.21.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | 6.4 (Medium) | CVE-2026-34889 | Patched | Apr 1, 2026 | Ultimate Addons for WPBakery [Ultimate_VC_Addons] | Bonds |
| Ultimate Member <= 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via DOM Gadgets | 6.4 (Medium) | CVE-2025-15064 | Patched | Apr 3, 2026 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin [ultimate-member] | tiborisaak |
| Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery | 6.4 (Medium) | CVE-2026-0688 | Patched | Apr 1, 2026 | Webmention [webmention] | Duong Quang Hao |
| WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'max_width' Shortcode Attribute | 6.4 (Medium) | CVE-2026-2480 | Patched | Mar 31, 2026 | WP Shortcodes Plugin — Shortcodes Ultimate [shortcodes-ultimate] | Michael Iden (Mickhat) |
| WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode | 6.4 (Medium) | CVE-2026-2437 | Patched | Apr 3, 2026 | WP Travel Engine – Tour Booking Plugin – Tour Operator Software [wp-travel-engine] | Muhammad Yudha - DJ |
| WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode | 6.4 (Medium) | CVE-2026-0626 | Patched | Apr 3, 2026 | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell [wpfunnels] | Paolo Tresso |
| Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting | 6.4 (Medium) | CVE-2025-13368 | Patched | Apr 3, 2026 | Xpro Addons — 140+ Widgets for Elementor [xpro-elementor-addons] | Webbernaut |
| Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget | 6.4 (Medium) | CVE-2026-2949 | Patched | Apr 3, 2026 | Xpro Addons — 140+ Widgets for Elementor [xpro-elementor-addons] | Athiwat Tiprasaharn (Jitlada) |
| Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page | 6.1 (Medium) | CVE-2026-1877 | Unpatched | Mar 30, 2026 | Auto Post Scheduler [auto-post-scheduler] | Osvaldo Noe Gonzalez Del Rio (Os) |
| Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter | 6.1 (Medium) | CVE-2026-4146 | Patched | Mar 30, 2026 | Loco Translate [loco-translate] | Jack Pas (Dark.) |
| Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update | 5.4 (Medium) | CVE-2026-3191 | Patched | Mar 30, 2026 | Minify HTML [minify-html-markup] | Osvaldo Noe Gonzalez Del Rio (Os) |
| LeadConnector < 3.0.22 - Missing Authorization | 5.3 (Medium) | CVE-2026-1890 | Patched | Mar 30, 2026 | LeadConnector [leadconnector] | ibrahimsql |
| Listeo-Core - Directory Plugin by Purethemes <= 2.0.27 - Unauthenticated Arbitrary Media Upload | 5.3 (Medium) | CVE-2025-14938 | Patched | Apr 3, 2026 | Listeo-Core - Directory Plugin by Purethemes [listeo-core] | Paolo Tresso |
| Simple Membership <= 4.7.1 - Missing Authorization | 5.3 (Medium) | CVE-2026-34886 | Patched | Mar 31, 2026 | Simple Membership [simple-membership] | Jakub Herman |
| Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files | 5.3 (Medium) | CVE-2026-1797 | Patched | Mar 30, 2026 | TrueBooker – Appointment Booking and Scheduler System [truebooker-appointment-booking] | Kazuma Matsumoto |
| WP Lightbox 2 < 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2026-1430 | Patched | Mar 30, 2026 | WP Lightbox 2 [wp-lightbox-2] | Krugov Artyom |
| Database for Contact Form 7, WPforms, Elementor forms <= 1.4.9 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode | 4.3 (Medium) | CVE-2026-3831 | Patched | Mar 31, 2026 | Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries] | Quốc Huy (jtwings) |
| Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload | 4.3 (Medium) | CVE-2026-2826 | Patched | Apr 3, 2026 | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor [kadence-blocks] | lucsob |
| Shared Files – Frontend File Upload Form & Secure File Sharing < 1.7.58 - Authenticated (Contributor+) Arbitrary File Download | 4.3 (Medium) | CVE-2025-15433 | Patched | Mar 30, 2026 | Shared Files – Frontend File Upload Form & Secure File Sharing [shared-files] | Muhammad Rohan Khan |
| User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field | 4.3 (Medium) | CVE-2026-3139 | Patched | Mar 30, 2026 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor [profile-builder] | type5afe |

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, containing all known WordPress core, theme, and plugin vulnerabilities. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026) appeared first on Wordfence.