- What: The weekly Wordfence report of newly disclosed WordPress plugin and theme vulnerabilities
- Impact: WordPress site owners should check whether they run any of the listed plugins or themes and apply updates where a patch is available
Last week, 78 vulnerabilities disclosed in 62 WordPress plugins and 2 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, with contributions from 59 vulnerability researchers. Review the vulnerabilities in this report now to make sure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report. As the world's leading quality vulnerability database provider for WordPress, Wordfence has site owners' backs.

Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the vulnerability database API to pull a complete dump of our database of over 35,000 vulnerabilities, then use the webhook integration to stay on top of new vulnerabilities as they are added in real time, along with any updates made to the database, all for free. Sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
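The report asks site owners to check the list against what they actually run, and points at the free vulnerability feed as the way to do that at scale. The script below is an added example written for this page; it is not Wordfence's code and not the Wordfence CLI. It takes a slug-to-version inventory (the shape `wp plugin list --format=json` reports) and checks it against feed-style records. The record layout it assumes (a `software` list whose `affected_versions` ranges carry `from_version`, `from_inclusive`, `to_version`, `to_inclusive`, with `*` meaning unbounded) is my reading of the Wordfence Intelligence v2 JSON feed and must be verified against the live feed before you rely on it. The inventory and the five feed records are constructed inline from entries in this report so the script runs offline; it also handles the two comparison traps a naive string match gets wrong, leading zeros (`4.09.86`) and exclusive upper bounds (`< 4.09.86`).

```python
"""Added example (not Wordfence code): match a site's installed plugin versions
against vulnerability feed records. The record layout is an assumption modelled
on the Wordfence Intelligence v2 JSON feed; the sample data is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """'4.09.86' -> (4, 9, 86): numeric parts compare as integers, as in PHP's
    version_compare(); parsing stops at a non-numeric part ('1.0-rc1' -> (1, 0))."""
    parts: list[int] = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_version(a: str, b: str) -> int:
    """-1, 0 or 1; missing trailing parts count as 0, so '7.0' == '7.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (width - len(pa)), pb + (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(installed: str, rng: dict) -> bool:
    """True if `installed` lies inside one affected_versions range ('*' = unbounded)."""
    lo, hi = rng["from_version"], rng["to_version"]
    if lo != "*":
        c = cmp_version(installed, lo)
        if c < 0 or (c == 0 and not rng["from_inclusive"]):
            return False
    if hi != "*":
        c = cmp_version(installed, hi)
        if c > 0 or (c == 0 and not rng["to_inclusive"]):
            return False
    return True


@dataclass
class Finding:
    slug: str
    installed: str
    title: str
    cve: str | None
    score: float
    patched: bool

    @property
    def action(self) -> str:
        # An unpatched entry has no fixed release, so "update" is not an option.
        return "update" if self.patched else "deactivate until a fix ships"


def find_vulnerabilities(inventory: dict[str, str], feed: list[dict]) -> list[Finding]:
    """Match {slug: installed_version} against feed records, highest CVSS first."""
    found: list[Finding] = []
    for rec in feed:
        for sw in rec["software"]:
            ver = inventory.get(sw["slug"])
            if ver and any(in_range(ver, r) for r in sw["affected_versions"].values()):
                found.append(Finding(sw["slug"], ver, rec["title"], rec.get("cve"),
                                     rec["cvss"]["score"], sw["patched"]))
    return sorted(found, key=lambda f: f.score, reverse=True)


def _rec(title, cve, score, slug, patched, lo="*", hi="*", lo_incl=True, hi_incl=True):
    """Build one feed-shaped record with a single affected range (assumed layout)."""
    rng = {"from_version": lo, "from_inclusive": lo_incl,
           "to_version": hi, "to_inclusive": hi_incl}
    return {"title": title, "cve": cve, "cvss": {"score": score},
            "software": [{"type": "plugin", "slug": slug, "patched": patched,
                          "affected_versions": {f"{lo} - {hi}": rng}}]}


# Constructed from five entries in this report (versions and CVEs as printed there).
SAMPLE_FEED = [
    _rec("GeekyBot <= 1.2.2 - Unauthenticated Arbitrary Plugin Installation",
         "CVE-2026-5294", 9.8, "geeky-bot", True, hi="1.2.2"),
    _rec("Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload",
         "CVE-2026-6692", 8.8, "revslider", True, lo="7.0.0", hi="7.0.10"),
    _rec("WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion",
         "CVE-2026-7252", 8.1, "wp-optimize", True, hi="4.5.2"),
    _rec("WP Business Intelligence Lite <= 3.2.0 - Missing Authorization to Privilege Escalation",
         None, 8.0, "wp-business-intelligence-lite", False, hi="3.2.0"),
    _rec("WebinarIgnition < 4.09.86 - Unauthenticated SQL Injection",
         "CVE-2026-40797", 7.5, "webinar-ignition", True, hi="4.09.86", hi_incl=False),
]

# Constructed inventory in the shape `wp plugin list --format=json` reports (slug -> version).
INVENTORY = {
    "geeky-bot": "1.2.2",                       # affected, fix exists -> update
    "revslider": "7.0.5",                       # inside 7.0.0 - 7.0.10 -> update
    "wp-optimize": "4.5.3",                     # above 4.5.2 -> clean
    "wp-business-intelligence-lite": "3.2.0",   # affected, no fix -> deactivate
    "webinar-ignition": "4.9.86",               # equals 4.09.86, bound exclusive -> clean
}

if __name__ == "__main__":
    for f in find_vulnerabilities(INVENTORY, SAMPLE_FEED):
        print(f"{f.score:>4} {f.slug} {f.installed}: {f.title} [{f.cve or 'no CVE'}] -> {f.action}")
```

Run as-is and it reports three findings (GeekyBot, Slider Revolution, WP Business Intelligence Lite) and nothing for the other two. Two design points matter in practice: versions are compared part by part as integers, matching PHP's `version_compare()`, so `4.09.86` and `4.9.86` are the same release and a `< 4.09.86` bound does not flag the fixed version; and an entry marked unpatched is reported with a deactivate action rather than an update, because no fixed release exists to update to. To use it against the live feed, replace `SAMPLE_FEED` with the parsed download and `INVENTORY` with the real plugin list, keeping the version comparison unchanged.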
## New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, assesses the likelihood of exploitation, and verifies that the Wordfence Firewall provides sufficient protection. Last week the team rolled out enhanced protection via firewall rules for the following vulnerability, in real time, to our Premium, Care, and Response customers:

- AI Engine 3.4.9 – Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token

Wordfence Premium, Care, and Response customers received this protection immediately; sites still running the free version of Wordfence receive the same rule after a 30-day delay.

## Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 66 |
| Unpatched | 12 |

## Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 54 |
| High Severity | 21 |
| Critical Severity | 3 |

## Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 23 |
| Missing Authorization | 17 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 12 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 6 |
| Cross-Site Request Forgery (CSRF) | 5 |
| Exposure of Sensitive Information to an Unauthorized Actor | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Deserialization of Untrusted Data | 1 |
| Improper Authentication | 1 |
| Improper Authorization | 1 |
| Improper Privilege Management | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Weak Password Recovery Mechanism for Forgotten Password | 1 |

## Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| zaim | 4 |
| Webbernaut | 3 |
| Athiwat Tiprasaharn (Jitlada) | 3 |
| Nabil Irawan | 3 |
| Niv Kochan | 2 |
| Nguyen Ba Khanh | 2 |
| Leonid Semenenko (lsemenenko) | 2 |
| Muhammad Nur Ibnu Hubab (Ibnu) | 2 |
| Nguyen Ngoc Duc (duc193) | 2 |
| Muhammad Yudha - DJ | 2 |
| Julian Chibuike Nwadinobi (Wackydawg) | 2 |
| h0xilo | 2 |
| Hunter Jensen (skid) | 2 |
| benzdeus | 2 |
| lhking | 2 |
| anhcd05 | 2 |
| kai63001 | 1 |
| Tiago Ventura (perses) | 1 |
| Kittipat Jitphonchana | 1 |
| d.v4n_s3c | 1 |
| Bao - BlueRock | 1 |
| NumeX | 1 |
| AmonRa | 1 |
| Benedictus Jovan (aillesiM) | 1 |
| Mukhlis Amien | 1 |
| nquangit | 1 |
| Ronnachai Chaipha (rxnr) | 1 |
| DJumanto | 1 |
| シルAsuna | 1 |
| PPzzAArr | 1 |
| Jarno Vos (jarnovos) | 1 |
| Jack Pas (Dark.) | 1 |
| daroo | 1 |
| David Marín | 1 |
| Peter Thaleikis | 1 |
| Supakiad S. (m3ez) | 1 |
| Ossacip Thanh | 1 |
| Nhut Quang | 1 |
| Muhammad Sharief | 1 |
| Evan NR | 1 |
| Dahmani Toumi (pegaSUS) | 1 |
| kiemtiendinhau | 1 |
| Sélim Lanouar (whattheslime) | 1 |
| Osvaldo Noe Gonzalez Del Rio (Os) | 1 |
| Nguyen Cong Quang | 1 |
| Nabil Irawan - Heroes Cyber Security | 1 |
| afnaan | 1 |
| Michael Iden (Mickhat) | 1 |
| andrea bocchetti | 1 |
| shrikant bhosale | 1 |
| Abdulsamad Yusuf (0xVenus) | 1 |
| Legion Hunter | 1 |
| MAJidox | 1 |
| João Pedro Soares de Alcântara | 1 |
| zakaria | 1 |
| Caspian | 1 |
| type5afe | 1 |
| Ren Voza | 1 |
| shark3y | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your discoveries to us also gets your name added to the Wordfence Intelligence leaderboard and mentioned in our weekly vulnerability report.
## WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | logtivity |
| addfreespace | addfreespace |
| Affiliate Program Suite — SliceWP Affiliates | slicewp |
| AI Product Search for WooCommerce – Motive Commerce Search | motive-commerce-search |
| All-in-One WP Migration Unlimited Extension | all-in-one-wp-migration-unlimited-extension |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments |
| Auto Affiliate Links | wp-auto-affiliate-links |
| AWP Classifieds | another-wordpress-classifieds-plugin |
| BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | woo-bulk-editor |
| BetterDocs Pro | betterdocs-pro |
| Blog Settings | blog-settings |
| bunny.net – WordPress CDN Plugin | bunnycdn |
| Bus Ticket Booking with Seat Reservation | bus-ticket-booking-with-seat-reservation |
| Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel | wp-carousel-free |
| Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website | charts-ninja-graphs-and-charts |
| DX Sources | dx-sources |
| E2Pdf – Export Pdf Tool for WordPress | e2pdf |
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | elementskit-lite |
| eMagicOne Store Manager for WooCommerce | store-manager-connector |
| EmailKit – Email Customizer for WooCommerce & WP | emailkit |
| Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform |
| Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
| Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator |
| GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | geeky-bot |
| GenerateBlocks | generateblocks |
| Gravity Bookings | gf-bookings-premium |
| Gutenverse – WordPress Blocks, Page Builder & Site Editor | gutenverse |
| Happy Addons for Elementor | happy-elementor-addons |
| LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint |
| Loco Translate | loco-translate |
| Mentoring | mentoring |
| Mercado Pago payments for WooCommerce | woocommerce-mercadopago |
| MoreConvert Pro | smart-wishlist-for-more-convert-premium |
| Ninja Tables – Easy Data Table Builder | ninja-tables |
| NMR Strava activities | nmr-strava-activities |
| Online Scheduling and Appointment Booking System – Bookly | bookly-responsive-appointment-booking-tool |
| PDF Poster – Display PDF Files with Custom Viewer | pdf-poster |
| Publish 2 Ping.fm | publish-2-pingfm |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons |
| Salon Booking System – Free Version | salon-booking-system |
| Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | post-expirator |
| Simple CAPTCHA Alternative with Cloudflare Turnstile | simple-cloudflare-turnstile |
| Simple Owl Shortcodes | simple-owl-shortcodes |
| Sky Addons – Elementor Addons with Widgets & Templates | sky-elementor-addons |
| Slider Revolution | revslider |
| Snow Monkey Blocks | snow-monkey-blocks |
| Subscribe To Comments Reloaded | subscribe-to-comments-reloaded |
| Team Members – Multi Language Supported Team Plugin | team-showcase-supreme |
| User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | wp-user-frontend |
| User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | user-registration |
| WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce | webinar-ignition |
| WeePie Cookie Allow | wp-cookie-allow |
| WEN Logo Slider | wen-logo-slider |
| WP Business Intelligence Lite | wp-business-intelligence-lite |
| WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | wp-data-access |
| WP Travel – Ultimate Travel Booking System, Tour Management Engine | wp-travel |
| WP-Clippy | wp-clippy |
| WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance | wp-optimize |
| wpForo Forum | wpforo |
| WPGraphQL | wp-graphql |
| YITH WooCommerce Wishlist | yith-woocommerce-wishlist |
| Zingaya Click-to-Call | zingaya-click-to-call |

## WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| avante | avante |
| Betheme | betheme |

## Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site is affected by any of these vulnerabilities. If you would like real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.

| Vulnerability | CVSS | CVE-ID | Patch Status | Published | Affected Software [slug] | Researcher(s) |
|---|---|---|---|---|---|---|
| GeekyBot <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action | 9.8 (Critical) | CVE-2026-5294 | Patched | May 4, 2026 | GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content [geeky-bot] | kiemtiendinhau |
| Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration | 9.8 (Critical) | CVE-2025-13618 | Patched | May 4, 2026 | Mentoring [mentoring] | シルAsuna |
| MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse | 9.8 (Critical) | CVE-2026-5722 | Patched | May 4, 2026 | MoreConvert Pro [smart-wishlist-for-more-convert-premium] | Nguyen Ngoc Duc (duc193) |
| Betheme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution via Icon Pack Upload | 8.8 (High) | CVE-2026-6261 | Patched | May 4, 2026 | Betheme [betheme] | Webbernaut, Leonid Semenenko (lsemenenko) |
| Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via _get_media_url | 8.8 (High) | CVE-2026-6692 | Patched | May 6, 2026 | Slider Revolution [revslider] | h0xilo |
| User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection | 8.8 (High) | CVE-2026-5127 | Patched | May 7, 2026 | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend] | d.v4n_s3c |
| WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion via 'original-file' Post Meta | 8.1 (High) | CVE-2026-7252 | Patched | May 6, 2026 | WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance [wp-optimize] | lhking |
| WP Business Intelligence Lite <= 3.2.0 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary SQL Modification | 8.0 (High) | none listed | Unpatched | May 4, 2026 | WP Business Intelligence Lite [wp-business-intelligence-lite] | Nabil Irawan |
| AWP Classifieds <= 4.4.6 - Unauthenticated SQL Injection via 'regions' | 7.5 (High) | CVE-2026-5100 | Patched | May 4, 2026 | AWP Classifieds [another-wordpress-classifieds-plugin] | Hunter Jensen (skid) |
| BetterDocs Pro <= 3.7.0 - Unauthenticated SQL Injection via Encyclopedia 'limit' Parameter | 7.5 (High) | CVE-2026-4348 | Patched | May 6, 2026 | BetterDocs Pro [betterdocs-pro] | h0xilo |
| eMagicOne Store Manager for WooCommerce <= 1.3.2 - Unauthenticated SQL Injection | 7.5 (High) | CVE-2026-42773 | Unpatched | May 7, 2026 | eMagicOne Store Manager for WooCommerce [store-manager-connector] | Ossacip Thanh |
| Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs' | 7.5 (High) | CVE-2026-3359 | Patched | May 4, 2026 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder [form-maker] | type5afe |
| Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]' | 7.5 (High) | CVE-2026-5192 | Patched | May 4, 2026 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder [forminator] | daroo |
| GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey' | 7.5 (High) | CVE-2026-3456 | Patched | May 4, 2026 | GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content [geeky-bot] | Nguyen Ngoc Duc (duc193) |
| Gravity Bookings <= 2.5.9 - Unauthenticated SQL Injection via 'category_id' Parameter | 7.5 (High) | CVE-2026-1719 | Patched | May 5, 2026 | Gravity Bookings [gf-bookings-premium] | Abdulsamad Yusuf (0xVenus) |
| WebinarIgnition < 4.09.86 - Unauthenticated SQL Injection | 7.5 (High) | CVE-2026-40797 | Patched | May 4, 2026 | WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce [webinar-ignition] | Dahmani Toumi (pegaSUS) |
| WeePie Cookie Allow <= 3.4.11 - Unauthenticated SQL Injection via 'consent' Parameter | 7.5 (High) | CVE-2026-4304 | Patched | May 4, 2026 | WeePie Cookie Allow [wp-cookie-allow] | Ren Voza |
| WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards <= 5.5.70 - Unauthenticated SQL Injection | 7.5 (High) | CVE-2026-42665 | Patched | May 9, 2026 | WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards [wp-data-access] | Mukhlis Amien |
| wpForo Forum <= 3.0.4 - Unauthenticated SQL Injection | 7.5 (High) | CVE-2026-40798 | Patched | May 7, 2026 | wpForo Forum [wpforo] | Nguyen Ba Khanh |
| Affiliate Program Suite — SliceWP Affiliates <= 1.2.6 - Unauthenticated Stored Cross-Site Scripting | 7.2 (High) | CVE-2026-42653 | Patched | May 6, 2026 | Affiliate Program Suite — SliceWP Affiliates [slicewp] | Nguyen Ba Khanh |
| Auto Affiliate Links <= 6.8.8 - Unauthenticated Stored Cross-Site Scripting via 'url' Parameter | 7.2 (High) | CVE-2026-7330 | Patched | May 7, 2026 | Auto Affiliate Links [wp-auto-affiliate-links] | DJumanto |
| LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting | 7.2 (High) | CVE-2026-7448 | Patched | May 6, 2026 | LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint] | AmonRa |
| LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter | 7.2 (High) | CVE-2026-7332 | Patched | May 5, 2026 | LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint] | lhking |
| Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta | 7.2 (High) | CVE-2026-4803 | Patched | May 4, 2026 | Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons] | andrea bocchetti |
| All-in-One WP Migration Unlimited Extension <= 2.83 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Backup Schedule Creation and Backup File Download | 6.5 (Medium) | CVE-2026-5753 | Patched | May 5, 2026 | All-in-One WP Migration Unlimited Extension [all-in-one-wp-migration-unlimited-extension] | Sélim Lanouar (whattheslime) |
| Appointment Booking Calendar <= 1.6.10.6 - Unauthenticated Arbitrary Appointment View, Modification and Deletion | 6.5 (Medium) | CVE-2026-4807 | Patched | May 6, 2026 | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments] | Athiwat Tiprasaharn (Jitlada) |
| Betheme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion via 'mfn-icon-upload' | 6.5 (Medium) | CVE-2026-6262 | Patched | May 4, 2026 | Betheme [betheme] | Webbernaut, Leonid Semenenko (lsemenenko) |
| ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite | 6.5 (Medium) | CVE-2026-4362 | Patched | May 4, 2026 | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite] | Jack Pas (Dark.) |
| EmailKit <= 1.6.5 - Authenticated (Author+) Arbitrary File Read via 'emailkit-editor-template' REST Parameter | 6.5 (Medium) | CVE-2026-5957 | Patched | May 4, 2026 | EmailKit – Email Customizer for WooCommerce & WP [emailkit] | Nguyen Cong Quang |
| Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook | 6.5 (Medium) | CVE-2026-6214 | Patched | May 6, 2026 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder [forminator] | anhcd05 |
| GenerateBlocks <= 2.2.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Dynamic Tag Replacements | 6.5 (Medium) | CVE-2026-3454 | Patched | May 4, 2026 | GenerateBlocks [generateblocks] | kai63001 |
| Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management | 6.5 (Medium) | CVE-2026-4409 | Unpatched | May 4, 2026 | Subscribe To Comments Reloaded [subscribe-to-comments-reloaded] | Supakiad S. (m3ez) |
| WP Travel – Ultimate Travel Booking System, Tour Management Engine <= 11.4.0 - Authenticated (Contributor+) SQL Injection | 6.5 (Medium) | CVE-2026-45218 | Patched | May 9, 2026 | WP Travel – Ultimate Travel Booking System, Tour Management Engine [wp-travel] | Nhut Quang |
| Affiliate Program Suite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode | 6.4 (Medium) | CVE-2026-6672 | Patched | May 5, 2026 | Affiliate Program Suite — SliceWP Affiliates [slicewp] | Muhammad Yudha - DJ |
| Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute | 6.4 (Medium) | CVE-2026-4730 | Unpatched | May 4, 2026 | Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website [charts-ninja-graphs-and-charts] | zaim |
| E2Pdf – Export Pdf Tool for WordPress <= 1.32.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | 6.4 (Medium) | CVE-2026-7650 | Patched | May 7, 2026 | E2Pdf – Export Pdf Tool for WordPress [e2pdf] | zaim |
| Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl' | 6.4 (Medium) | CVE-2026-2948 | Patched | May 4, 2026 | Gutenverse – WordPress Blocks, Page Builder & Site Editor [gutenverse] | Osvaldo Noe Gonzalez Del Rio (Os) |
| Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG' | 6.4 (Medium) | CVE-2026-2868 | Patched | May 4, 2026 | Gutenverse – WordPress Blocks, Page Builder & Site Editor [gutenverse] | Athiwat Tiprasaharn (Jitlada) |
| LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update | 6.4 (Medium) | CVE-2026-7457 | Patched | May 5, 2026 | LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint] | Niv Kochan |
| NMR Strava activities <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | 6.4 (Medium) | CVE-2026-5341 | Patched | May 7, 2026 | NMR Strava activities [nmr-strava-activities] | zaim |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Authenticated (Contributor+) Stored Cross-Site Scripting | 6.4 (Medium) | CVE-2026-27421 | Patched | May 7, 2026 | Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons] | Peter Thaleikis |
| Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter | 6.4 (Medium) | CVE-2026-5159 | Patched | May 4, 2026 | Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons] | Caspian |
| Simple Owl Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Attribute | 6.4 (Medium) | CVE-2026-6255 | Unpatched | May 4, 2026 | Simple Owl Shortcodes [simple-owl-shortcodes] | MAJidox |
| Sky Addons <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Script | 6.4 (Medium) | CVE-2026-7475 | Patched | May 7, 2026 | Sky Addons – Elementor Addons with Widgets & Templates [sky-elementor-addons] | Athiwat Tiprasaharn (Jitlada) |
| Snow Monkey Blocks <= 24.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-slick' Attribute | 6.4 (Medium) | CVE-2026-3004 | Patched | May 5, 2026 | Snow Monkey Blocks [snow-monkey-blocks] | Muhammad Yudha - DJ |
| WEN Logo Slider <= 3.4.0 - Authenticated (Author+) Stored Cross-Site Scripting | 6.4 (Medium) | CVE-2025-62127 | Patched | May 7, 2026 | WEN Logo Slider [wen-logo-slider] | Nabil Irawan |
| WP Carousel Free <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-caption' Attribute | 6.4 (Medium) | CVE-2026-4665 | Patched | May 4, 2026 | Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel [wp-carousel-free] | Webbernaut |
| WP-Clippy <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | 6.4 (Medium) | CVE-2026-5505 | Unpatched | May 4, 2026 | WP-Clippy [wp-clippy] | zakaria |
| Avante < 3.0.5 - Reflected Cross-Site Scripting | 6.1 (Medium) | CVE-2025-68524 | Patched | May 8, 2026 | avante [avante] | João Pedro Soares de Alcântara |
| Blog Settings <= 1.0 - Reflected Cross-Site Scripting via 'page' Parameter | 6.1 (Medium) | CVE-2026-6704 | Unpatched | May 4, 2026 | Blog Settings [blog-settings] | Julian Chibuike Nwadinobi (Wackydawg) |
| Publish 2 Ping.fm <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpPingPingKey' Parameter | 6.1 (Medium) | CVE-2026-6702 | Unpatched | May 4, 2026 | Publish 2 Ping.fm [publish-2-pingfm] | Muhammad Nur Ibnu Hubab (Ibnu) |
| Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter | 6.1 (Medium) | CVE-2026-6696 | Unpatched | May 4, 2026 | Zingaya Click-to-Call [zingaya-click-to-call] | Julian Chibuike Nwadinobi (Wackydawg) |
| Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute | 5.5 (Medium) | CVE-2026-5247 | Patched | May 4, 2026 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories [post-expirator] | zaim |
| Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 - Unauthenticated Information Disclosure via REST API | 5.3 (Medium) | CVE-2026-8198 | Patched | May 8, 2026 | Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity [logtivity] | Ronnachai Chaipha (rxnr) |
| AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 - Missing Authorization | 5.3 (Medium) | CVE-2026-42664 | Patched | May 9, 2026 | AI Product Search for WooCommerce – Motive Commerce Search [motive-commerce-search] | Benedictus Jovan (aillesiM) |
| Bus Ticket Booking with Seat Reservation < 5.6.8 - Missing Authorization | 5.3 (Medium) | CVE-2025-66105 | Patched | May 7, 2026 | Bus Ticket Booking with Seat Reservation [bus-ticket-booking-with-seat-reservation] | Legion Hunter |
| Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter | 5.3 (Medium) | CVE-2026-2729 | Patched | May 4, 2026 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder [forminator] | Kittipat Jitphonchana |
| Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter | 5.3 (Medium) | CVE-2026-6222 | Patched | May 6, 2026 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder [forminator] | anhcd05 |
| Happy Addons for Elementor <= 3.20.8 - Unauthenticated Information Exposure | 5.3 (Medium) | CVE-2026-25468 | Patched | May 7, 2026 | Happy Addons for Elementor [happy-elementor-addons] | shrikant bhosale |
| LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism | 5.3 (Medium) | CVE-2026-7652 | Patched | May 8, 2026 | LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint] | Michael Iden (Mickhat) |
| Mercado Pago payments for WooCommerce <= 8.7.11 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure | 5.3 (Medium) | CVE-2026-3208 | Patched | May 5, 2026 | Mercado Pago payments for WooCommerce [woocommerce-mercadopago] | Muhammad Sharief |
| Online Scheduling and Appointment Booking System – Bookly <= 27.4 - Unauthenticated Information Exposure | 5.3 (Medium) | CVE-2026-42667 | Patched | May 10, 2026 | Online Scheduling and Appointment Booking System – Bookly [bookly-responsive-appointment-booking-tool] | Tiago Ventura (perses) |
| PDF Poster – Display PDF Files with Custom Viewer <= 2.4.1 - Missing Authorization | 5.3 (Medium) | CVE-2026-27416 | Patched | May 7, 2026 | PDF Poster – Display PDF Files with Custom Viewer [pdf-poster] | benzdeus |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Missing Authorization | 5.3 (Medium) | CVE-2026-25436 | Patched | May 7, 2026 | Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons] | Bao - BlueRock |
| Salon Booking System – Free Version <= 10.30.25 - Missing Authorization | 5.3 (Medium) | CVE-2026-42666 | Patched | May 10, 2026 | Salon Booking System – Free Version [salon-booking-system] | Evan NR |
| Simple CAPTCHA Alternative with Cloudflare Turnstile <= 1.38.0 - Broken Authorization | 5.3 (Medium) | CVE-2026-40799 | Patched | May 8, 2026 | Simple CAPTCHA Alternative with Cloudflare Turnstile [simple-cloudflare-turnstile] | David Marín |
| YITH WooCommerce Wishlist <= 4.12.0 - Unauthenticated Insecure Direct Object Reference | 5.3 (Medium) | CVE-2026-27329 | Patched | May 7, 2026 | YITH WooCommerce Wishlist [yith-woocommerce-wishlist] | PPzzAArr |
| Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment | 4.9 (Medium) | CVE-2026-6344 | Patched | May 5, 2026 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] | Niv Kochan |
| Loco Translate <= 2.8.2 - Authenticated (Translator+) Path Traversal to Limited File Read via 'ref' Parameter | 4.9 (Medium) | CVE-2026-1921 | Patched | May 4, 2026 | Loco Translate [loco-translate] | shark3y |
| Team Members – Multi Language Supported Team Plugin <= 8.5 - Authenticated (Editor+) SQL Injection | 4.9 (Medium) | CVE-2025-68060 | Patched | May 7, 2026 | Team Members – Multi Language Supported Team Plugin [team-showcase-supreme] | Jarno Vos (jarnovos) |
| addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page | 4.3 (Medium) | CVE-2026-6701 | Unpatched | May 4, 2026 | addfreespace [addfreespace] | Muhammad Nur Ibnu Hubab (Ibnu) |
| BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2026-27415 | Patched | May 7, 2026 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net [woo-bulk-editor] | benzdeus |
| bunny.net – WordPress CDN Plugin <= 2.3.6 - Missing Authorization | 4.3 (Medium) | CVE-2025-68049 | Patched | May 7, 2026 | bunny.net – WordPress CDN Plugin [bunnycdn] | NumeX |
| DX Sources <= 2.0.1 - Cross-Site Request Forgery to Settings Update | 4.3 (Medium) | CVE-2026-6700 | Unpatched | May 4, 2026 | DX Sources [dx-sources] | afnaan |
| Ninja Tables <= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation | 4.3 (Medium) | CVE-2026-2306 | Patched | May 5, 2026 | Ninja Tables – Easy Data Table Builder [ninja-tables] | nquangit |
| User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification | 4.3 (Medium) | CVE-2026-3601 | Patched | May 4, 2026 | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration] | Hunter Jensen (skid) |
| WP Business Intelligence Lite <= 3.2.0 - Missing Authorization | 4.3 (Medium) | none listed | Unpatched | May 5, 2026 | WP Business Intelligence Lite [wp-business-intelligence-lite] | Nabil Irawan - Heroes Cyber Security |
| WPGraphQL <= 2.5.3 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-68604 | Patched | May 7, 2026 | WPGraphQL [wp-graphql] | Nabil Irawan |

As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities. The database is continuously updated and maintained by Wordfence's experienced vulnerability researchers through in-house vulnerability research, submissions from researchers via our Bug Bounty Program, and monitoring of a range of sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 11, 2026 to May 17, 2026) appeared first on Wordfence.