Triple Threat Bug Bounty Challenge

Hunt High Threat vulnerabilities and earn triple the incentives! Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our 'High Threat Vulnerabilities' list:

- 2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
- +30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
- $300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)

Use the Bounty Estimator to see what rewards are possible through the promotion. Submit through our Bug Bounty Program today to maximize your impact and your payout.

Last week, there were 204 vulnerabilities disclosed in 77 WordPress Plugins and 119 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect.
Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

- Master Addons for Elementor Premium <= 2.1.3 – Authenticated (Subscriber+) Remote Code Execution via render_preview
- Woocommerce Wholesale Lead Capture <= 2.0.3.1 – Unauthenticated Privilege Escalation
- Woocommerce Wholesale Lead Capture <= 2.0.3.1 – Unauthenticated Arbitrary File Upload
- WAF-RULE-896 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-897 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-901 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week

Patch Status: Number of Vulnerabilities
Patched: 41
Unpatched: 163

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating: Number of Vulnerabilities
Medium Severity: 70
High Severity: 131
Critical Severity: 3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE: Number of Vulnerabilities
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): 99
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): 43
Missing Authorization: 16
Deserialization of Untrusted Data: 10
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): 8
Improper Control of Generation of Code ('Code Injection'): 4
Unrestricted Upload of File with Dangerous Type: 4
Authentication Bypass Using an Alternate Path or Channel: 3
Authorization Bypass Through User-Controlled Key: 3
Exposure of Sensitive Information to an Unauthorized Actor: 3
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): 3
Cross-Site Request Forgery (CSRF): 1
Embedded Malicious Code: 1
Improper Access Control: 1
Improper Authentication: 1
Improper Authorization: 1
Improper Privilege Management: 1
Insufficient Verification of Data Authenticity: 1
Server-Side Request Forgery (SSRF): 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name: Number of Vulnerabilities
Tran Nguyen Bao Khanh: 65
Bonds: 38
João Pedro S Alcântara (Kinorth): 30
Phat RiO: 12
Muhammad Yudha - DJ: 6
daroo: 4
Rafie Muhammad: 3
Quốc Huy (jtwings): 3
Muhammad Nur Ibnu Hubab (Ibnu): 3
0xd4rk5id3: 3
Osvaldo Noe Gonzalez Del Rio (Os): 3
Supakiad S. (m3ez): 2
Athiwat Tiprasaharn (Jitlada): 2
Nabil Irawan: 2
PPzzAArr: 2
lucsob: 2
stealthcopter: 2
dcodx: 1
Mateusz Gierblinski: 1
Abhinav Jaswal (wrath_exe): 1
Marco Wotschka: 1
Williwollo (CybrX): 1
zakaria: 1
Doan Dinh Van (DinhVan52): 1
Itthidej Aramsri (Boeing777): 1
Que Thanh Tuan: 1
zer0gh0st: 1
Ronnachai Chaipha (rxnr): 1
type5afe: 1
Rahul Karne: 1
Ahmad: 1
Trương Hữu Phúc (truonghuuphuc): 1
hoshino: 1
Legion Hunter: 1
Drew Webber (mcdruid): 1
シルAsuna: 1
Prickly Cactus: 1
Nguyen Ba Hung (bashu): 1
CODE WHITE GmbH: 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name [Software Slug]
Advanced Woo Labels – Product Labels & Badges for WooCommerce [advanced-woo-labels]
AI Engine – The Chatbot, AI Framework & MCP for WordPress [ai-engine]
AllInOne - Banner Rotator [all-in-one-bannerRotator]
Bakery Autoresponder Addon [vc-autoresponder-addon]
Builderall for WordPress [builderall-cheetah-for-wp]
Classified Listing – AI-Powered Classified ads & Business Directory Plugin [classified-listing]
Custom Logo [custom-logo]
designthemes-portfolio [designthemes-portfolio]
Directory Listings WordPress plugin – uListing [ulisting]
Directory Pro [directory-pro]
Disable Admin Notices – Hide Dashboard Notifications [disable-admin-notices]
DT - Directory WordPress Plugin [designthemes-directory-addon]
DT Booking - WordPress Ultimate Booking Plugin [designthemes-booking-manager]
Eagle Booking [eagle-booking]
Electric Enquiries [electric-enquiries]
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite]
EM Cost Calculator [cost-calculator]
Filr – Secure document library [filr-protection]
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty [chaty]
Fluent Forms Pro Add On Pack [fluentformpro]
Frontend Publishing Pro [rh-frontend]
Geo Mashup [geo-mashup]
Japanized for WooCommerce [woocommerce-for-japan]
JetEngine [jet-engine]
LambertGroup - AllInOne - Banner with Playlist [all-in-one-bannerWithPlaylist]
LambertGroup - AllInOne - Banner with Thumbnails [all-in-one-thumbnailsBanner]
LambertGroup - AllInOne - Content Slider [all-in-one-contentSlider]
Lawyer Directory [lawyer-directory]
ListingPro Plugin [listingpro-plugin]
Livemesh Addons for Beaver Builder [addons-for-beaver-builder]
MailArchiver [mailarchiver]
My Tickets – Accessible Event Ticketing [my-tickets]
NextScripts: Social Networks Auto-Poster [social-networks-auto-poster-facebook-twitter-g]
OVRI Payment [moneytigo]
Portfolio Awa [awa-plugins]
Post Duplicator [post-duplicator]
PowerPress Podcasting plugin by Blubrry [powerpress]
Profile Builder Pro [profile-builder-pro]
Really Simple Security Pro [really-simple-ssl-pro]
Responsive Lightbox & Gallery [responsive-lightbox]
Responsive Posts Carousel WordPress Plugin [responsive-posts-carousel-pro]
Responsive Zoom In/Out Slider WordPress Plugin [lbg_zoominoutslider]
Riode Core [riode-core]
Rise Blocks – A Complete Gutenberg Page Builder [rise-blocks]
Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons]
Scientific and Interactive Blocks – inseri core [inseri-core]
Secure Copy Content Protection and Content Locking [secure-copy-content-protection]
Simple Download Monitor [simple-download-monitor]
Site Suggest [site-suggest]
SiteGuard WP Plugin [siteguard]
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent [tablesome]
The Events Calendar [the-events-calendar]
Theater for WordPress [theatre]
TP2WP Importer [tp2wp-importer]
Tutor LMS – eLearning and online course solution [tutor]
UberSlider - Layer Slider WordPress Plugin [uberSlider_perpetuummobile]
UberSlider - Layer Slider WordPress Plugin [uberSlider_mouseinteraction]
UberSlider - Layer Slider WordPress Plugin [uberSlider_ultra]
uberSlider_classic [uberSlider_classic]
Ultimate Learning Pro [indeed-learning-pro]
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend]
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]
W3 Total Cache [w3-total-cache]
WeDesignTech Ultimate Booking Addon [wedesigntech-ultimate-booking-addon]
WooCommerce Coming Soon Product with Countdown [woo-coming-soon-product]
WooCommerce License Manager [fs-license-manager]
WooCommerce Order Details [woocommerce-order-details]
Worry Proof Backup [worry-proof-backup]
WP Accessibility [wp-accessibility]
WP Attractive Donations System - Easy Stripe & Paypal donations [WP_AttractiveDonationsSystem]
WP Mail Logging [wp-mail-logging]
WP Recipe Maker [wp-recipe-maker]
WP Responsive Images [wp-responsive-images]
WP Social Meta [wp-social-meta]
WPGSI: Spreadsheet Integration [wpgsi]
WPZOOM Addons for Elementor – Starter Templates & Widgets [wpzoom-elementor-addons]
Xpro Addons — 140+ Widgets for Elementor [xpro-elementor-addons]

WordPress Themes with Reported Vulnerabilities Last Week

Software Name [Software Slug]
Accalia | Dermatology Clinic & Cosmetology WordPress Theme + Elementor [dermatology-clinic]
Alchemists - Sports, eSports & Gaming Club and News WordPress Theme [alchemists]
Alliance | Intranet & Extranet BuddyPress WordPress Theme [alliance]
Anderson | Physical Therapy & Orthopedic Clinic WordPress Theme [andersonclinic]
Aora - Home & Lifestyle Elementor WooCommerce Theme [aora]
apollo [apollo]
Aqualots [aqualots]
Architecturer WordPress for Interior Designer [architecturer]
Artrium - Creative Agency & Web Studio WP Theme [artrium]
asia-garden [asia-garden]
Automotive Car Dealership Business WordPress Theme [automotive]
Aviana - Elegant Wellness & Spa WordPress Theme [aviana]
Bassein | Swimming Pool Cleaning & Maintenance WordPress Theme [bassein]
Bazinga | Viral Blog WordPress Theme [bazinga]
Beacon | Funeral Services WordPress Theme [beacon]
Buzz Stone | Magazine & Viral Blog WordPress Theme [buzzstone]
Celeste - Life Coach & Therapist WordPress Theme [celeste]
Chronicle [chronicle]
Claue - Clean, Minimal Elementor WooCommerce Them [claue]
CloudMe | Cloud Storage & File-Sharing WordPress Theme [cloudme]
Cocco - Kids Store and Baby Shop WordPress Theme [cocco]
Coleo [coleo]
Conquerors | American Football & NFL PSD Template [conquerors]
Consultor | A Business Financial Advisor PSD Template [consultor]
Cortex - Agency WordPress Theme [cortex]
Crown Art | Drawing and Music School WordPress Theme [crown-art]
Daiquiri [daiquiri]
Dentario - Dentist & Medical Elementor Template Kit [dentario]
Dixon & Lamber [dixon]
Dolcino - Pastry and Cake Shop WordPress Theme [dolcino]
Dr.Patterson | Medical & Healthcare Doctor WordPress Theme [dr-patterson]
Edge Decor [edge-decor]
Eject [eject]
Ekoterra - NonProfit & Ecology Theme [ekoterra]
ElectroServ | Electrical Repair Service WordPress Theme [electroserv]
Eona - Fashion WordPress Theme [eona]
Evently - Conference & Meetup WordPress Theme [evently]
Filmax | Cinema & Movie News Magazine WordPress Theme [filmax]
Fiorello - Florist and Flower Shop WordPress Theme [fiorello]
FixTeam | Electronics & Mobile Devices Repair WordPress Theme [fixteam]
fleur [fleur]
gamezone [gamezone]
Gecko 6.0 - Responsive Shopify Theme - RTL support [gecko]
Good Energy - Ecology & Renewable Energy WordPress Theme [goodenergy]
GoTravel - Travel Agency WordPress Theme [gotravel]
grandnews [grandnews]
Great Lotus | Buddhist Temple WordPress Theme + RTL [great-lotus]
Green Planet | Environmental Non-Profit WordPress Theme [green-planet]
Guff - Blog & Magazine Ghost Theme [guff]
Happy Baby | Nanny & Babysitting Services Children WordPress Theme [happy-baby]
Helvig - Creative Portfolio WordPress Theme [helvig]
Holmes - Digital Agency WordPress Theme [holmes]
Honor | Shooting Club & Weapon and Gun Store Theme [honor]
horizon [horizon]
Innovio - Multipurpose Landing Page WordPress Theme [innovio]
Justicia - Lawyer WordPress Theme [justicia]
Kingler [kingler]
Le Truffe [letruffe]
Legal Stone | Lawyers & Attorneys WordPress Theme [legal-stone]
LeGrand | Modern Business WordPress Theme [legrand]
Listee [listee]
Little Birdies | Multipurpose Children PSD Template [little-birdies]
M.Williamson | Lawyer & Legal Adviser WordPress Theme [williamson]
Mahogany [mahogany]
Malgré - Creative Agency WordPress Theme [malgre]
Mandala - Responsive Ecommerce WordPress Theme [mandala]
Marcell - Personal Blog & Magazine WordPress Theme [marcell]
Marra - Beauty WordPress Theme [marra]
MCKinney's Politics [mckinney-politics]
MediCenter - Health Medical Clinic WordPress Theme [medicenter]
metro [metro]
Midi - Sound & Music WordPress Theme [midi]
Miller | Personal Assistant & Administrative Services WordPress Theme [christine-miller]
Molla - eCommerce HTML5 Template [molla]
Music WordPress [musico]
Muzicon - Music Festival & Concert WordPress Theme [muzicon]
Nirvana [nirvana]
Notarius - Legal Advisor WordPress Theme [notarius]
Overton - Creative WordPress Theme for Agencies and Freelancers [overton]
Ozisti | Augmented Reality WooCommerce Theme [ozisti]
Peter Mason | Custom Tailoring and Clothing Store WordPress Theme [petermason]
photography [photography]
Pizza House - Restaurant / Cafe / Bistro WordPress Theme [pizzahouse]
Playa | Beach & Pool Club WordPress Theme [playa]
Police Department - Fire & Security WordPress Theme [police-department]
porto [porto]
quantum [quantum]
RexCoin - Cryptocurrency & Coin ICO WordPress [rexcoin]
Run Gran [run-gran]
Rythmo [rhythmo]
Save Life | Non-Profit, Charity & Donations WordPress Theme [save-life]
SetSail - Travel Agency WordPress Theme [setsail]
Shaha | Islamic Centre & Mosque Theme + RTL [shaha]
SmartSEO | SEO & Marketing HTML Theme [smartseo]
Sounder | Internet Radio & Streaming Elementor Template Kit [sounder]
Starto | Software AI Startup WordPress [starto]
Sweet Date [sweetdate]
Sweet Jane - Delightful Cake Shop Theme [sweetjane]
Tennis SportClub - Tennis Sports Events WordPress Theme [tennis-sportclub]
The Issue - Versatile Magazine WordPress Theme [theissue]
The Mounty | Hiking Campground & Children Camping WordPress Theme [the-mounty]
Tiger Claw [tiger-claw]
Tooth Fairy - Dentist & Dental Clinic WordPress Theme [tooth-fairy]
TopFit - Fitness and Gym WordPress Theme [topfit]
TopScorer - Sports WordPress Theme [topscorer]
tribe [tribe]
uDesign - Responsive WordPress Theme [u-design]
Vapester | Cigarette Store & Vape Shop WooCommerce Theme [vapester]
Veil - Wedding & Photographer WordPress Theme [veil]
Verdure - Organic Tea Shop WordPress Theme [verdure]
Verse - Music, Radio & Concert WordPress Theme [verse]
wabi-sabi [wabi-sabi]
WealthCo [wealthco]
Welldone - Sports Store WordPress Theme [welldone]
Windsor - Apartment Complex Single Property WordPress Theme [windsor]
Wolmart | Multi-Vendor Marketplace WooCommerce Theme [wolmart]
Woopy - Multipurpose Store WooCommerce WordPress Shop Theme [woopy]
Yacht Rental - Boat Services WordPress Theme [yacht-rental]
Zentrum - Property & Apartment Showcase WordPress Theme [zentrum]

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Listee <= 1.1.6 - Unauthenticated Privilege Escalation
CVSS Rating: 9.8 (Critical); CVE-ID: CVE-2025-12981; Patch Status: Patched; Published: Feb 26, 2026; Affected Software: Listee [listee]; Researcher: シルAsuna

W3 Total Cache <= 2.9.1 - Unauthenticated Arbitrary Code Execution
CVSS Rating: 9.8 (Critical); CVE-ID: CVE-2026-27384; Patch Status: Unpatched; Published: Feb 24, 2026; Affected Software: W3 Total Cache [w3-total-cache]; Researcher: CODE WHITE GmbH

WeDesignTech Ultimate Booking Addon <= 1.0.1 - Authentication Bypass
CVSS Rating: 9.8 (Critical); CVE-ID: CVE-2026-27389; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: WeDesignTech Ultimate Booking Addon [wedesigntech-ultimate-booking-addon]; Researcher: Phat RiO

Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter
CVSS Rating: 8.8 (High); CVE-ID: CVE-2026-1929; Patch Status: Patched; Published: Feb 24, 2026; Affected Software: Advanced Woo Labels – Product Labels & Badges for WooCommerce [advanced-woo-labels]; Researcher: Osvaldo Noe Gonzalez Del Rio (Os)

Builderall for WordPress <= 3.0.1 - Authenticated (Contributor+) Remote Code Execution
CVSS Rating: 8.8 (High); CVE-ID: CVE-2026-22390; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Builderall for WordPress [builderall-cheetah-for-wp]; Researcher: Doan Dinh Van (DinhVan52)

Filr – Secure document library <= 1.2.13 - Authenticated (Contributor+) Arbitrary File Uploads
CVSS Rating: 8.8 (High); CVE-ID: CVE-2026-28133; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Filr – Secure document library [filr-protection]; Researcher: Que Thanh Tuan

JetEngine <= 3.7.2 - Authenticated (Contributor+) Remote Code Execution
CVSS Rating: 8.8 (High); CVE-ID: CVE-2026-28134; Patch Status: Patched; Published: Feb 26, 2026; Affected Software: JetEngine [jet-engine]; Researcher: stealthcopter

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Authenticated (Author+) Arbitrary File Upload
CVSS Rating: 8.8 (High); CVE-ID: CVE-2026-1565; Patch Status: Patched; Published: Feb 26, 2026; Affected Software: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend]; Researcher: Williwollo (CybrX)

WeDesignTech Ultimate Booking Addon <= 1.0.1 - Authenticated (Subscriber+) Authentication Bypass
CVSS Rating: 8.8 (High); CVE-ID: CVE-2026-27390; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: WeDesignTech Ultimate Booking Addon [wedesigntech-ultimate-booking-addon]; Researcher: Phat RiO

Worry Proof Backup <= 0.2.4 - Authenticated (Subscriber+) Path Traversal via Backup Upload
CVSS Rating: 8.8 (High); CVE-ID: CVE-2026-1311; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Worry Proof Backup [worry-proof-backup]; Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)

Alchemists <= 4.6.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27334; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Alchemists - Sports, eSports & Gaming Club and News WordPress Theme [alchemists]; Researcher: João Pedro S Alcântara (Kinorth)

Alliance <= 3.1.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22443; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: Alliance | Intranet & Extranet BuddyPress WordPress Theme [alliance]; Researcher: Tran Nguyen Bao Khanh

Anderson <= 1.4.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28121; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Anderson | Physical Therapy & Orthopedic Clinic WordPress Theme [andersonclinic]; Researcher: Tran Nguyen Bao Khanh

Aora - Home & Lifestyle Elementor WooCommerce Theme <= 1.3.15 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27381; Patch Status: Unpatched; Published: Feb 24, 2026; Affected Software: Aora - Home & Lifestyle Elementor WooCommerce Theme [aora]; Researcher: João Pedro S Alcântara (Kinorth)

Apollo | Night Club, DJ Event WordPress <= 1.3.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27340; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: apollo [apollo]; Researcher: Tran Nguyen Bao Khanh

Aqualots <= 1.1.6 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28088; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Aqualots [aqualots]; Researcher: Bonds

Artrium <= 1.0.14 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28097; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Artrium - Creative Agency & Web Studio WP Theme [artrium]; Researcher: Bonds

Asia Garden <= 1.3.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28063; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: asia-garden [asia-garden]; Researcher: Bonds

Aviana <= 2.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22387; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Aviana - Elegant Wellness & Spa WordPress Theme [aviana]; Researcher: Tran Nguyen Bao Khanh

Bassein <= 1.0.15 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28067; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Bassein | Swimming Pool Cleaning & Maintenance WordPress Theme [bassein]; Researcher: Bonds

Bazinga <= 1.1.9 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28084; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Bazinga | Viral Blog WordPress Theme [bazinga]; Researcher: Bonds

Beacon <= 2.24 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28050; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Beacon | Funeral Services WordPress Theme [beacon]; Researcher: Bonds

Buzz Stone | Magazine & Viral Blog WordPress <= 1.0.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27339; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Buzz Stone | Magazine & Viral Blog WordPress Theme [buzzstone]; Researcher: Tran Nguyen Bao Khanh

Celeste <= 1.3.6 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27369; Patch Status: Unpatched; Published: Feb 24, 2026; Affected Software: Celeste - Life Coach & Therapist WordPress Theme [celeste]; Researcher: João Pedro S Alcântara (Kinorth)

Chronicle <= 1.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27337; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Chronicle [chronicle]; Researcher: Tran Nguyen Bao Khanh

CloudMe | Cloud Storage & File-Sharing WordPress Theme <= 1.2.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22433; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: CloudMe | Cloud Storage & File-Sharing WordPress Theme [cloudme]; Researcher: Tran Nguyen Bao Khanh

Cocco - Kids Store and Baby Shop WordPress Theme <= 1.5.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22389; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Cocco - Kids Store and Baby Shop WordPress Theme [cocco]; Researcher: Tran Nguyen Bao Khanh

Coleo <= 1.1.7 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28091; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Coleo [coleo]; Researcher: Bonds

Conquerors | American Football & NFL PSD Template <= 1.2.13 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28079; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Conquerors | American Football & NFL PSD Template [conquerors]; Researcher: Tran Nguyen Bao Khanh

Consultor | A Business Financial Advisor PSD Template <= 1.2.4 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27336; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Consultor | A Business Financial Advisor PSD Template [consultor]; Researcher: Tran Nguyen Bao Khanh

Cortex <= 1.5 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22392; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Cortex - Agency WordPress Theme [cortex]; Researcher: Tran Nguyen Bao Khanh

Crown Art | Drawing and Music School WordPress Theme <= 1.2.11 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22434; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Crown Art | Drawing and Music School WordPress Theme [crown-art]; Researcher: Tran Nguyen Bao Khanh

Daiquiri <= 1.2.4 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28089; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Daiquiri [daiquiri]; Researcher: Bonds

Dentario <= 1.5 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27439; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: Dentario - Dentist & Medical Elementor Template Kit [dentario]; Researcher: Tran Nguyen Bao Khanh

Dermatology Clinic <= 1.4.3 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28059; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Accalia | Dermatology Clinic & Cosmetology WordPress Theme + Elementor [dermatology-clinic]; Researcher: Bonds

Dixon <= 1.4.2.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28058; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Dixon & Lamber [dixon]; Researcher: Bonds

Dolcino - Pastry and Cake Shop WordPress Theme <= 1.6 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22410; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Dolcino - Pastry and Cake Shop WordPress Theme [dolcino]; Researcher: Tran Nguyen Bao Khanh

Dr.Patterson <= 1.3.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28120; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Dr.Patterson | Medical & Healthcare Doctor WordPress Theme [dr-patterson]; Researcher: Tran Nguyen Bao Khanh

Edge Decor <= 2.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28064; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Edge Decor [edge-decor]; Researcher: Bonds

Eject <= 2.17 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28065; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Eject [eject]; Researcher: Bonds

Ekoterra - NonProfit & Ecology Theme <= 1.0.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27335; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Ekoterra - NonProfit & Ecology Theme [ekoterra]; Researcher: Tran Nguyen Bao Khanh

ElectroServ | Electrical Repair Service WordPress Theme <= 1.3.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22435; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: ElectroServ | Electrical Repair Service WordPress Theme [electroserv]; Researcher: Tran Nguyen Bao Khanh

Eona <= 1.3 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22412; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Eona - Fashion WordPress Theme [eona]; Researcher: Tran Nguyen Bao Khanh

Evently <= 1.7 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22394; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Evently - Conference & Meetup WordPress Theme [evently]; Researcher: Tran Nguyen Bao Khanh

Filmax <= 1.1.11 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28087; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Filmax | Cinema & Movie News Magazine WordPress Theme [filmax]; Researcher: Bonds

Fiorello - Florist and Flower Shop WordPress Theme <= 1.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22395; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Fiorello - Florist and Flower Shop WordPress Theme [fiorello]; Researcher: Tran Nguyen Bao Khanh

FixTeam | Electronics & Mobile Devices Repair WordPress Theme <= 1.4 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22416; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: FixTeam | Electronics & Mobile Devices Repair WordPress Theme [fixteam]; Researcher: Tran Nguyen Bao Khanh

Fleur <= 2.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22397; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: fleur [fleur]; Researcher: Tran Nguyen Bao Khanh

Gamezone <= 1.1.11 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28090; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: gamezone [gamezone]; Researcher: Bonds

Good Energy <= 1.7.7 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28105; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Good Energy - Ecology & Renewable Energy WordPress Theme [goodenergy]; Researcher: Tran Nguyen Bao Khanh

GoTravel <= 2.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22427; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: GoTravel - Travel Agency WordPress Theme [gotravel]; Researcher: Tran Nguyen Bao Khanh

Great Lotus | Buddhist Temple WordPress Theme + RTL <= 1.3.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22418; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Great Lotus | Buddhist Temple WordPress Theme + RTL [great-lotus]; Researcher: Tran Nguyen Bao Khanh

Green Planet | Environmental Non-Profit WordPress Theme <= 1.1.14 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22439; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Green Planet | Environmental Non-Profit WordPress Theme [green-planet]; Researcher: Tran Nguyen Bao Khanh

Happy Baby <= 1.2.12 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28062; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Happy Baby | Nanny & Babysitting Services Children WordPress Theme [happy-baby]; Researcher: Bonds

Helvig <= 1.0 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22436; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Helvig - Creative Portfolio WordPress Theme [helvig]; Researcher: Tran Nguyen Bao Khanh

Holmes - Digital Agency WordPress Theme <= 1.7 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22399; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Holmes - Digital Agency WordPress Theme [holmes]; Researcher: Tran Nguyen Bao Khanh

Honor | Shooting Club & Weapon and Gun Store Theme <= 2.3 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22419; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Honor | Shooting Club & Weapon and Gun Store Theme [honor]; Researcher: Tran Nguyen Bao Khanh

Horizon <= 1.1 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22420; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: horizon [horizon]; Researcher: Tran Nguyen Bao Khanh

Innovio - Multipurpose Landing Page WordPress Theme <= 1.7 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22403; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Innovio - Multipurpose Landing Page WordPress Theme [innovio]; Researcher: Tran Nguyen Bao Khanh

Justicia - Lawyer WordPress Theme <= 1.2 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-22408; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Justicia - Lawyer WordPress Theme [justicia]; Researcher: Tran Nguyen Bao Khanh

Kingler <= 1.7 - Unauthenticated PHP Object Injection
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-27438; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: Kingler [kingler]; Researcher: Tran Nguyen Bao Khanh

Le Truffe <= 1.1.7 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28069; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Le Truffe [letruffe]; Researcher: Bonds

Legal Stone <= 1.2.11 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28054; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Legal Stone | Lawyers & Attorneys WordPress Theme [legal-stone]; Researcher: Bonds

Legrand <= 2.17 - Unauthenticated Local File Inclusion
CVSS Rating: 8.1 (High); CVE-ID: CVE-2026-28066; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: LeGrand
| Modern Business WordPress Theme [legrand] Researcher Bonds More Details > Little Birdies | Multipurpose Children PSD Template <= 1.3.16 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28129 Patch Status Unpatched Published Feb 26, 2026 Affected Software Little Birdies | Multipurpose Children PSD Template [little-birdies] Researcher Tran Nguyen Bao Khanh More Details > M.Williamson <= 1.2.11 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28055 Patch Status Unpatched Published Feb 27, 2026 Affected Software M.Williamson | Lawyer & Legal Adviser WordPress Theme [williamson] Researcher Bonds More Details > Mahogany <= 2.9 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28085 Patch Status Unpatched Published Feb 27, 2026 Affected Software Mahogany [mahogany] Researcher Bonds More Details > Malgré <= 1.0.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22413 Patch Status Unpatched Published Feb 25, 2026 Affected Software Malgré - Creative Agency WordPress Theme [malgre] Researcher Tran Nguyen Bao Khanh More Details > Mandala <= 2.8 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28057 Patch Status Unpatched Published Feb 27, 2026 Affected Software Mandala - Responsive Ecommerce WordPress Theme [mandala] Researcher Bonds More Details > Marcell <= 1.2.14 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28095 Patch Status Unpatched Published Feb 27, 2026 Affected Software Marcell - Personal Blog & Magazine WordPress Theme [marcell] Researcher Bonds More Details > Marra <= 1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22414 Patch Status Unpatched Published Feb 25, 2026 Affected Software Marra - Beauty WordPress Theme [marra] Researcher Tran Nguyen Bao Khanh More Details > MCKinney's Politics <= 1.2.8 - Unauthenticated Local File 
Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28056 Patch Status Unpatched Published Feb 27, 2026 Affected Software MCKinney's Politics [mckinney-politics] Researcher Bonds More Details > Metro <= 2.13 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27383 Patch Status Unpatched Published Feb 24, 2026 Affected Software metro [metro] Researcher João Pedro S Alcântara (Kinorth) More Details > Midi - Sound & Music WordPress Theme <= 1.14 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28125 Patch Status Unpatched Published Feb 26, 2026 Affected Software Midi - Sound & Music WordPress Theme [midi] Researcher Tran Nguyen Bao Khanh More Details > Miller <= 1.3.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28053 Patch Status Unpatched Published Feb 27, 2026 Affected Software Miller | Personal Assistant & Administrative Services WordPress Theme [christine-miller] Researcher Bonds More Details > Molla - eCommerce HTML5 Template <= 1.5.16 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2025-69339 Patch Status Patched Published Feb 25, 2026 Affected Software Molla - eCommerce HTML5 Template [molla] Researcher João Pedro S Alcântara (Kinorth) More Details > Muzicon <= 1.9.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28107 Patch Status Unpatched Published Feb 26, 2026 Affected Software Muzicon - Music Festival & Concert WordPress Theme [muzicon] Researcher Tran Nguyen Bao Khanh More Details > Nirvana <= 2.6 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28119 Patch Status Unpatched Published Feb 26, 2026 Affected Software Nirvana [nirvana] Researcher Tran Nguyen Bao Khanh More Details > Notarius - Legal Advisor WordPress Theme <= 1.9 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28124 Patch Status Unpatched Published Feb 26, 2026 
Affected Software Notarius - Legal Advisor WordPress Theme [notarius] Researcher Tran Nguyen Bao Khanh More Details > Overton - Creative WordPress Theme for Agencies and Freelancers <= 1.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22405 Patch Status Unpatched Published Feb 25, 2026 Affected Software Overton - Creative WordPress Theme for Agencies and Freelancers [overton] Researcher Tran Nguyen Bao Khanh More Details > Ozisti <= 1.1.10 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28093 Patch Status Unpatched Published Feb 27, 2026 Affected Software Ozisti | Augmented Reality WooCommerce Theme [ozisti] Researcher Bonds More Details > Peter Mason <= 1.4.5 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28052 Patch Status Unpatched Published Feb 27, 2026 Affected Software Peter Mason | Custom Tailoring and Clothing Store WordPress Theme [petermason] Researcher Bonds More Details > Pizza House <= 1.4.0 - Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28074 Patch Status Unpatched Published Feb 27, 2026 Affected Software Pizza House - Restaurant / Cafe / Bistro WordPress Theme [pizzahouse] Researcher Tran Nguyen Bao Khanh More Details > Playa | Beach & Pool Club WordPress Theme <= 1.3.9 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22437 Patch Status Unpatched Published Feb 25, 2026 Affected Software Playa | Beach & Pool Club WordPress Theme [playa] Researcher Tran Nguyen Bao Khanh More Details > Police Department <= 2.17 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28049 Patch Status Unpatched Published Feb 27, 2026 Affected Software Police Department - Fire & Security WordPress Theme [police-department] Researcher Bonds More Details > Quantum <= 1.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22421 Patch Status 
Unpatched Published Feb 25, 2026 Affected Software quantum [quantum] Researcher Tran Nguyen Bao Khanh More Details > RexCoin <= 1.2.6 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28094 Patch Status Unpatched Published Feb 27, 2026 Affected Software RexCoin - Cryptocurrency & Coin ICO WordPress [rexcoin] Researcher Bonds More Details > Rhythmo <= 1.3.4 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28068 Patch Status Unpatched Published Feb 27, 2026 Affected Software Rythmo [rhythmo] Researcher Bonds More Details > Run Gran <= 2.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28086 Patch Status Unpatched Published Feb 27, 2026 Affected Software Run Gran [run-gran] Researcher Bonds More Details > Save Life <= 1.2.13 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28098 Patch Status Unpatched Published Feb 27, 2026 Affected Software Save Life | Non-Profit, Charity & Donations WordPress Theme [save-life] Researcher Bonds More Details > SetSail <= 1.8 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22423 Patch Status Unpatched Published Feb 25, 2026 Affected Software SetSail - Travel Agency WordPress Theme [setsail] Researcher Tran Nguyen Bao Khanh More Details > Shaha | Islamic Centre & Mosque Theme + RTL <= 1.1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22424 Patch Status Unpatched Published Feb 25, 2026 Affected Software Shaha | Islamic Centre & Mosque Theme + RTL [shaha] Researcher Tran Nguyen Bao Khanh More Details > smart SEO <= 2.9 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28117 Patch Status Unpatched Published Feb 26, 2026 Affected Software SmartSEO | SEO & Marketing HTML Theme [smartseo] Researcher Tran Nguyen Bao Khanh More Details > Sounder | Internet Radio & Streaming Elementor Template Kit <= 1.3.11 - 
Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28092 Patch Status Unpatched Published Feb 27, 2026 Affected Software Sounder | Internet Radio & Streaming Elementor Template Kit [sounder] Researcher Bonds More Details > Sweet Date < 4.0.1 - Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27417 Patch Status Patched Published Feb 23, 2026 Affected Software Sweet Date [sweetdate] Researcher João Pedro S Alcântara (Kinorth) More Details > Sweet Jane - Delightful Cake Shop Theme <= 1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22425 Patch Status Unpatched Published Feb 25, 2026 Affected Software Sweet Jane - Delightful Cake Shop Theme [sweetjane] Researcher Tran Nguyen Bao Khanh More Details > Tennis SportClub - Tennis Sports Events WordPress Theme <= 1.2.3 - Unauthenticated PHP Object Injection 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27437 Patch Status Unpatched Published Feb 23, 2026 Affected Software Tennis SportClub - Tennis Sports Events WordPress Theme [tennis-sportclub] Researcher Tran Nguyen Bao Khanh More Details > The Issue <= 1.6.11 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-23801 Patch Status Patched Published Feb 25, 2026 Affected Software The Issue - Versatile Magazine WordPress Theme [theissue] Researcher João Pedro S Alcântara (Kinorth) More Details > The Mounty | Hiking Campground & Children Camping WordPress Theme <= 1.1 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22415 Patch Status Unpatched Published Feb 25, 2026 Affected Software The Mounty | Hiking Campground & Children Camping WordPress Theme [the-mounty] Researcher Tran Nguyen Bao Khanh More Details > Tiger Claw <= 1.1.14 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28061 Patch Status Unpatched Published Feb 27, 2026 Affected Software Tiger Claw [tiger-claw] Researcher Bonds More 
Details > Tooth Fairy - Dentist & Dental Clinic WordPress Theme <= 1.16 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22428 Patch Status Unpatched Published Feb 25, 2026 Affected Software Tooth Fairy - Dentist & Dental Clinic WordPress Theme [tooth-fairy] Researcher Tran Nguyen Bao Khanh More Details > TopFit - Fitness and Gym WordPress <= 1.9 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27342 Patch Status Unpatched Published Feb 25, 2026 Affected Software TopFit - Fitness and Gym WordPress Theme [topfit] Researcher Tran Nguyen Bao Khanh More Details > TopScorer - Sports WordPress <= 1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-27341 Patch Status Unpatched Published Feb 25, 2026 Affected Software TopScorer - Sports WordPress Theme [topscorer] Researcher Tran Nguyen Bao Khanh More Details > Tribe <= 1.7.3 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22442 Patch Status Unpatched Published Feb 25, 2026 Affected Software tribe [tribe] Researcher João Pedro S Alcântara (Kinorth) More Details > User Registration & Membership <= 5.1.2 - Authentication Bypass 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-1779 Patch Status Patched Published Feb 25, 2026 Affected Software User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration] Researcher 0xd4rk5id3 More Details > Vapester <= 1.1.10 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28077 Patch Status Unpatched Published Feb 27, 2026 Affected Software Vapester | Cigarette Store & Vape Shop WooCommerce Theme [vapester] Researcher Tran Nguyen Bao Khanh More Details > Veil - Wedding & Photographer WordPress Theme <= 1.9 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28123 Patch Status Unpatched Published Feb 
26, 2026 Affected Software Veil - Wedding & Photographer WordPress Theme [veil] Researcher Tran Nguyen Bao Khanh More Details > Verdure - Organic Tea Shop WordPress Theme <= 1.6 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22429 Patch Status Unpatched Published Feb 25, 2026 Affected Software Verdure - Organic Tea Shop WordPress Theme [verdure] Researcher Tran Nguyen Bao Khanh More Details > Verse <= 1.7.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28128 Patch Status Unpatched Published Feb 26, 2026 Affected Software Verse - Music, Radio & Concert WordPress Theme [verse] Researcher Tran Nguyen Bao Khanh More Details > Wabi-Sabi <= 1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22431 Patch Status Unpatched Published Feb 25, 2026 Affected Software wabi-sabi [wabi-sabi] Researcher Tran Nguyen Bao Khanh More Details > WealthCo <= 2.18 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28096 Patch Status Unpatched Published Feb 27, 2026 Affected Software WealthCo [wealthco] Researcher Bonds More Details > Welldone - Sports Store WordPress Theme <= 2.4 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28118 Patch Status Unpatched Published Feb 26, 2026 Affected Software Welldone - Sports Store WordPress Theme [welldone] Researcher Tran Nguyen Bao Khanh More Details > Windsor <= 2.5.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28081 Patch Status Unpatched Published Feb 27, 2026 Affected Software Windsor - Apartment Complex Single Property WordPress Theme [windsor] Researcher Tran Nguyen Bao Khanh More Details > Wolmart | Multi-Vendor Marketplace WooCommerce Theme <= 1.9.6 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22385 Patch Status Unpatched Published Feb 25, 2026 Affected Software Wolmart | Multi-Vendor Marketplace 
WooCommerce Theme [wolmart] Researcher João Pedro S Alcântara (Kinorth) More Details > Woopy - Multipurpose Store WooCommerce WordPress Shop Theme <= 1.2 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22432 Patch Status Unpatched Published Feb 25, 2026 Affected Software Woopy - Multipurpose Store WooCommerce WordPress Shop Theme [woopy] Researcher Tran Nguyen Bao Khanh More Details > Yacht Rental <= 2.6 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-28051 Patch Status Unpatched Published Feb 27, 2026 Affected Software Yacht Rental - Boat Services WordPress Theme [yacht-rental] Researcher Bonds More Details > Zentrum <= 1.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating 8.1 (High) CVE-ID CVE-2026-22441 Patch Status Unpatched Published Feb 25, 2026 Affected Software Zentrum - Property & Apartment Showcase WordPress Theme [zentrum] Researcher Tran Nguyen Bao Khanh More Details > Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-2428 Patch Status Patched Published Feb 26, 2026 Affected Software Fluent Forms Pro Add On Pack [fluentformpro] Researcher Prickly Cactus More Details > Geo Mashup <= 1.13.17 - Unauthenticated SQL Injection via 'sort' Parameter 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-2416 Patch Status Patched Published Feb 24, 2026 Affected Software Geo Mashup [geo-mashup] Researcher Nabil Irawan More Details > NextScripts: Social Networks Auto-Poster <= 4.4.7 - Authenticated (Contributor+) PHP Object Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-27379 Patch Status Unpatched Published Feb 24, 2026 Affected Software NextScripts: Social Networks Auto-Poster [social-networks-auto-poster-facebook-twitter-g] Researcher Muhammad Yudha - DJ More Details > PowerPress Podcasting plugin by Blubrry <= 11.15.10 - Authenticated (Contributor+) PHP Object Injection 7.5 CVSS Rating 7.5 
(High) CVE-ID CVE-2026-23798 Patch Status Patched Published Feb 25, 2026 Affected Software PowerPress Podcasting plugin by Blubrry [powerpress] Researcher Muhammad Yudha - DJ More Details > Profile Builder Pro <= 3.13.9 - Unauthenticated SQL Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-27413 Patch Status Unpatched Published Feb 23, 2026 Affected Software Profile Builder Pro [profile-builder-pro] Researcher 0xd4rk5id3 More Details > Riode Core <= 1.6.26 - Unauthenticated SQL Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2025-69338 Patch Status Patched Published Feb 25, 2026 Affected Software Riode Core [riode-core] Researcher João Pedro S Alcântara (Kinorth) More Details > Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2025-13673 Patch Status Patched Published Feb 27, 2026 Affected Software Tutor LMS – eLearning and online course solution [tutor] Researcher Supakiad S. (m3ez) More Details > WP Attractive Donations System - Easy Stripe & Paypal donations <= 1.25 - Unauthenticated SQL Injection 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-28115 Patch Status Unpatched Published Feb 26, 2026 Affected Software WP Attractive Donations System - Easy Stripe & Paypal donations [WP_AttractiveDonationsSystem] Researcher João Pedro S Alcântara (Kinorth) More Details > WP Mail Logging <= 1.15.0 - Unauthenticated PHP Object Injection via Email Log Message Field 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-2471 Patch Status Patched Published Feb 27, 2026 Affected Software WP Mail Logging [wp-mail-logging] Researcher Quốc Huy (jtwings) More Details > WP Responsive Images <= 1.0 - Unauthenticated Path Traversal to Arbitrary File Read via src 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-1557 Patch Status Unpatched Published Feb 25, 2026 Affected Software WP Responsive Images [wp-responsive-images] Researcher Muhammad Yudha - DJ More Details > WPGSI: Spreadsheet Integration <= 3.8.3 - Missing Authorization to 
Unauthenticated Arbitrary Post Creation and Deletion via Forged Base64 Token 7.5 CVSS Rating 7.5 (High) CVE-ID CVE-2026-1916 Patch Status Patched Published Feb 24, 2026 Affected Software WPGSI: Spreadsheet Integration [wpgsi] Researcher Osvaldo Noe Gonzalez Del Rio (Os) More Details > AI Engine – The Chatbot, AI Framework & MCP for WordPress <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-23802 Patch Status Patched Published Feb 25, 2026 Affected Software AI Engine – The Chatbot, AI Framework & MCP for WordPress [ai-engine] Researcher 0xd4rk5id3 More Details > Bakery Autoresponder Addon <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-27363 Patch Status Unpatched Published Feb 25, 2026 Affected Software Bakery Autoresponder Addon [vc-autoresponder-addon] Researcher Phat RiO More Details > Lawyer Directory <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-28127 Patch Status Unpatched Published Feb 26, 2026 Affected Software Lawyer Directory [lawyer-directory] Researcher João Pedro S Alcântara (Kinorth) More Details > Photography <= 7.6.1 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-27348 Patch Status Unpatched Published Feb 25, 2026 Affected Software photography [photography] Researcher Tran Nguyen Bao Khanh More Details > Responsive Lightbox & Gallery < 2.6.1 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2025-15386 Patch Status Patched Published Feb 26, 2026 Affected Software Responsive Lightbox & Gallery [responsive-lightbox] Researcher stealthcopter More Details > WooCommerce License Manager <= 7.0.6 - Authenticated (Shop Manager+) Arbitrary File Upload 7.2 CVSS Rating 7.2 (High) CVE-ID CVE-2026-28114 Patch Status Patched Published Feb 26, 2026 Affected Software WooCommerce License Manager [fs-license-manager] Researcher Bonds More 
Details > Eagle Booking <= 1.3.4.3 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-27428 Patch Status Unpatched Published Feb 23, 2026 Affected Software Eagle Booking [eagle-booking] Researcher Bonds More Details > OVRI Payment 1.7.0 - Malicious .htaccess directive 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2024-10938 Patch Status Unpatched Published Feb 26, 2026 Affected Software OVRI Payment [moneytigo] Researcher Marco Wotschka More Details > Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.2.3 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating 6.5 (Medium) CVE-ID CVE-2026-27373 Patch Status Unpatched Published Feb 24, 2026 Affected Software Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent [tablesome] Researcher daroo More Details > Automotive Car Dealership Business WordPress Theme <= 13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action Fields 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2025-14040 Patch Status Patched Published Feb 26, 2026 Affected Software Automotive Car Dealership Business WordPress Theme [automotive] Researcher Mateusz Gierblinski More Details > Electric Enquiries <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button' Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2025-14142 Patch Status Unpatched Published Feb 26, 2026 Affected Software Electric Enquiries [electric-enquiries] Researcher zakaria More Details > Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' and 'value' Shortcode Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2029 Patch Status Unpatched Published Feb 25, 2026 Affected Software Livemesh Addons for Beaver Builder [addons-for-beaver-builder] Researcher Muhammad Yudha - DJ More Details > Rise Blocks – A Complete Gutenberg Page Builder <= 3.7 - Authenticated (Contributor+) Stored 
Cross-Site Scripting via Site Identity Block Attributes 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-1614 Patch Status Unpatched Published Feb 24, 2026 Affected Software Rise Blocks – A Complete Gutenberg Page Builder [rise-blocks] Researcher Athiwat Tiprasaharn (Jitlada) More Details > Secure Copy Content Protection and Content Locking <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2367 Patch Status Patched Published Feb 24, 2026 Affected Software Secure Copy Content Protection and Content Locking [secure-copy-content-protection] Researcher Muhammad Yudha - DJ More Details > Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2383 Patch Status Patched Published Feb 26, 2026 Affected Software Simple Download Monitor [simple-download-monitor] Researcher Muhammad Yudha - DJ More Details > Theater for WordPress <= 0.19 - Authenticated (Subscriber+) Stored Cross-Site Scripting 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2025-69343 Patch Status Patched Published Feb 25, 2026 Affected Software Theater for WordPress [theatre] Researcher PPzzAArr More Details > WooCommerce Coming Soon Product with Countdown <= 5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-27354 Patch Status Unpatched Published Feb 25, 2026 Affected Software WooCommerce Coming Soon Product with Countdown [woo-coming-soon-product] Researcher Phat RiO More Details > WP Accessibility <= 2.3.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via 'alt' Attribute 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2026-2362 Patch Status Patched Published Feb 26, 2026 Affected Software WP Accessibility [wp-accessibility] Researcher Quốc Huy (jtwings) More Details > Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored 
Cross-Site Scripting via Image Scroller Widget box link 6.4 CVSS Rating 6.4 (Medium) CVE-ID CVE-2025-14149 Patch Status Patched Published Feb 26, 2026 Affected Software Xpro Addons — 140+ Widgets for Elementor [xpro-elementor-addons] Researcher zer0gh0st More Details > AllInOne - Banner Rotator <= 3.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-28112 Patch Status Unpatched Published Feb 26, 2026 Affected Software AllInOne - Banner Rotator [all-in-one-bannerRotator] Researcher João Pedro S Alcântara (Kinorth) More Details > Architecturer <= 3.8.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27358 Patch Status Unpatched Published Feb 25, 2026 Affected Software Architecturer WordPress for Interior Designer [architecturer] Researcher João Pedro S Alcântara (Kinorth) More Details > Awa Plugins <= 1.4.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27359 Patch Status Unpatched Published Feb 25, 2026 Affected Software Portfolio Awa [awa-plugins] Researcher João Pedro S Alcântara (Kinorth) More Details > Claue - Clean, Minimal Elementor WooCommerce <= 2.2.7 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27376 Patch Status Unpatched Published Feb 24, 2026 Affected Software Claue - Clean, Minimal Elementor WooCommerce Them [claue] Researcher João Pedro S Alcântara (Kinorth) More Details > DesignThemes Portfolio <= 1.3 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27385 Patch Status Unpatched Published Feb 24, 2026 Affected Software designthemes-portfolio [designthemes-portfolio] Researcher Phat RiO More Details > EM Cost Calculator <= 2.3.1 - Unauthenticated Stored Cross-Site Scripting via 'customer_name' 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-2506 Patch Status Unpatched Published Feb 25, 2026 Affected Software EM Cost Calculator [cost-calculator] Researcher Nabil Irawan More Details > Gecko 6.0 - Responsive 
Shopify Theme - RTL support <= 1.9.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27375 Patch Status Unpatched Published Feb 24, 2026 Affected Software Gecko 6.0 - Responsive Shopify Theme - RTL support [gecko] Researcher João Pedro S Alcântara (Kinorth) More Details > Grand News <= 3.4.3 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-27353 Patch Status Unpatched Published Feb 25, 2026 Affected Software grandnews [grandnews] Researcher João Pedro S Alcântara (Kinorth) More Details > LambertGroup - AllInOne - Banner with Playlist <= 3.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-28110 Patch Status Unpatched Published Feb 26, 2026 Affected Software LambertGroup - AllInOne - Banner with Playlist [all-in-one-bannerWithPlaylist] Researcher João Pedro S Alcântara (Kinorth) More Details > LambertGroup - AllInOne - Banner with Thumbnails <= 3.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-28108 Patch Status Unpatched Published Feb 26, 2026 Affected Software LambertGroup - AllInOne - Banner with Thumbnails [all-in-one-thumbnailsBanner] Researcher João Pedro S Alcântara (Kinorth) More Details > LambertGroup - AllInOne - Content Slider <= 3.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-28109 Patch Status Unpatched Published Feb 26, 2026 Affected Software LambertGroup - AllInOne - Content Slider [all-in-one-contentSlider] Researcher João Pedro S Alcântara (Kinorth) More Details > ListingPro Plugin <= 2.9.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-28122 Patch Status Unpatched Published Feb 26, 2026 Affected Software ListingPro Plugin [listingpro-plugin] Researcher Rafie Muhammad More Details > MediCenter - Health Medical Clinic WordPress Theme <= 14.9 - Reflected Cross-Site Scripting 6.1 CVSS Rating 6.1 (Medium) CVE-ID CVE-2026-28137 Patch Status Unpatched Published Feb 26, 2026 
Affected Software MediCenter - Health Medical Clinic WordPress Theme [medicenter] Researcher Tran Nguyen Bao Khanh

Metro <= 2.13 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-27382; Patch Status: Unpatched; Published: Feb 24, 2026; Affected Software: metro [metro]; Researcher: João Pedro S Alcântara (Kinorth)

Musico <= 3.2.4 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-27367; Patch Status: Unpatched; Published: Feb 24, 2026; Affected Software: Music WordPress [musico]; Researcher: João Pedro S Alcântara (Kinorth)

Porto <= 7.6.2 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28075; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: porto [porto]; Researcher: João Pedro S Alcântara (Kinorth)

Responsive Zoom In/Out Slider WordPress Plugin <= 5.4.5 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28103; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Responsive Zoom In/Out Slider WordPress Plugin [lbg_zoominoutslider]; Researcher: João Pedro S Alcântara (Kinorth)

RH Frontend Publishing Pro <= 4.3.2 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28126; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Frontend Publishing Pro [rh-frontend]; Researcher: Rafie Muhammad

Starto <= 2.1.9 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-27352; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Starto | Software AI Startup WordPress [starto]; Researcher: João Pedro S Alcântara (Kinorth)

UberSlider Classic <= 2.5 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28102; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: uberSlider_classic [uberSlider_classic]; Researcher: João Pedro S Alcântara (Kinorth)

UberSlider MouseInteraction <= 2.3 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28101; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: UberSlider - Layer Slider WordPress Plugin [uberSlider_mouseinteraction]; Researcher: João Pedro S Alcântara (Kinorth)

UberSlider PerpetuumMobile <= 2.3 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28100; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: UberSlider - Layer Slider WordPress Plugin [uberSlider_perpetuummobile]; Researcher: João Pedro S Alcântara (Kinorth)

UberSlider Ultra <= 2.3 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28099; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: UberSlider - Layer Slider WordPress Plugin [uberSlider_ultra]; Researcher: João Pedro S Alcântara (Kinorth)

uDesign - Responsive WordPress Theme <= 4.14.0 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28130; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: uDesign - Responsive WordPress Theme [u-design]; Researcher: Rafie Muhammad

Ultimate Learning Pro <= 3.9.1 - Reflected Cross-Site Scripting
CVSS Rating: 6.1 (Medium); CVE-ID: CVE-2026-28113; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Ultimate Learning Pro [indeed-learning-pro]; Researcher: Bonds

WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.4 - Unauthenticated Reflected Cross-Site Scripting via 'title_tag' Parameter
CVSS Rating: 6.1 (Medium); Patch Status: Patched; Published: Feb 26, 2026; Affected Software: WPZOOM Addons for Elementor – Starter Templates & Widgets [wpzoom-elementor-addons]; Researcher(s): Unknown

The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API
CVSS Rating: 5.4 (Medium); CVE-ID: CVE-2026-2694; Patch Status: Patched; Published: Feb 25, 2026; Affected Software: The Events Calendar [the-events-calendar]; Researcher: type5afe

Bakery Autoresponder Addon <= 1.0.6 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27362; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Bakery Autoresponder Addon [vc-autoresponder-addon]; Researcher: Phat RiO

DesignThemes Booking Manager <= 2.0 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27388; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: DT Booking - WordPress Ultimate Booking Plugin [designthemes-booking-manager]; Researcher: Phat RiO

DesignThemes Directory Addon <= 1.8 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27386; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: DT - Directory WordPress Plugin [designthemes-directory-addon]; Researcher: Phat RiO

Directory Pro <= 2.5.6 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27396; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: Directory Pro [directory-pro]; Researcher: Phat RiO

ElementsKit Elementor addons Lite < 3.7.9 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-23693; Patch Status: Patched; Published: Feb 24, 2026; Affected Software: ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite]; Researcher: Rahul Karne

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty <= 3.5.1 - Unauthenticated Information Exposure
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27370; Patch Status: Patched; Published: Feb 24, 2026; Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty [chaty]; Researcher: daroo

Guff <= 1.0.1 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-28076; Patch Status: Unpatched; Published: Feb 27, 2026; Affected Software: Guff - Blog & Magazine Ghost Theme [guff]; Researcher: Tran Nguyen Bao Khanh

Japanized for WooCommerce <= 2.8.4 - Missing Authorization to Unauthenticated Paidy Order Manipulation
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-1305; Patch Status: Patched; Published: Feb 26, 2026; Affected Software: Japanized for WooCommerce [woocommerce-for-japan]; Researcher: Osvaldo Noe Gonzalez Del Rio (Os)

My Tickets – Accessible Event Ticketing <= 2.1.0 - Unauthenticated Information Exposure
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27406; Patch Status: Patched; Published: Feb 23, 2026; Affected Software: My Tickets – Accessible Event Ticketing [my-tickets]; Researcher: daroo

Responsive Posts Carousel WordPress Plugin <= 15.1 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27361; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Responsive Posts Carousel WordPress Plugin [responsive-posts-carousel-pro]; Researcher: Phat RiO

Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-28135; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons]; Researcher: Drew Webber (mcdruid)

Scientific and Interactive Blocks – inseri core <= 1.0.5 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27344; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Scientific and Interactive Blocks – inseri core [inseri-core]; Researcher: PPzzAArr

Site Suggest <= 1.3.9 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-28104; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Site Suggest [site-suggest]; Researcher: Legion Hunter

SiteGuard WP Plugin <= 1.7.9 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27411; Patch Status: Unpatched; Published: Feb 23, 2026; Affected Software: SiteGuard WP Plugin [siteguard]; Researcher: Ahmad

User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-2356; Patch Status: Patched; Published: Feb 25, 2026; Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]; Researcher: hoshino

WeDesignTech Ultimate Booking Addon <= 1.0.3 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2025-69340; Patch Status: Patched; Published: Feb 25, 2026; Affected Software: WeDesignTech Ultimate Booking Addon [wedesigntech-ultimate-booking-addon]; Researcher: Phat RiO

WooCommerce Order Details <= 3.1 - Missing Authorization
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-27374; Patch Status: Unpatched; Published: Feb 24, 2026; Affected Software: WooCommerce Order Details [woocommerce-order-details]; Researcher: Phat RiO

WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter
CVSS Rating: 5.3 (Medium); CVE-ID: CVE-2026-1558; Patch Status: Patched; Published: Feb 26, 2026; Affected Software: WP Recipe Maker [wp-recipe-maker]; Researcher: Quốc Huy (jtwings)

Responsive Lightbox & Gallery <= 2.7.1 - Authenticated (Author+) Server-Side Request Forgery via Remote Library Image Upload
CVSS Rating: 5.0 (Medium); CVE-ID: CVE-2026-2479; Patch Status: Patched; Published: Feb 24, 2026; Affected Software: Responsive Lightbox & Gallery [responsive-lightbox]; Researcher: lucsob

Directory Listings WordPress plugin – uListing <= 2.2.0 - Authenticated (Editor+) Arbitrary File Download
CVSS Rating: 4.9 (Medium); CVE-ID: CVE-2026-28078; Patch Status: Unpatched; Published: Feb 26, 2026; Affected Software: Directory Listings WordPress plugin – uListing [ulisting]; Researcher: Trương Hữu Phúc (truonghuuphuc)

MailArchiver <= 4.5.0 - Authenticated (Administrator+) SQL Injection via 'logid' Parameter
CVSS Rating: 4.9 (Medium); CVE-ID: CVE-2026-2831; Patch Status: Patched; Published: Feb 26, 2026; Affected Software: MailArchiver [mailarchiver]; Researcher: Ronnachai Chaipha (rxnr)

Custom Logo <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Logo Path Setting
CVSS Rating: 4.4 (Medium); CVE-ID: CVE-2026-2499; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: Custom Logo [custom-logo]; Researcher: Muhammad Nur Ibnu Hubab (Ibnu)

TP2WP Importer <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Watched domains' Textarea
CVSS Rating: 4.4 (Medium); CVE-ID: CVE-2026-2489; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: TP2WP Importer [tp2wp-importer]; Researcher: Muhammad Nur Ibnu Hubab (Ibnu)

WP Social Meta <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings
CVSS Rating: 4.4 (Medium); CVE-ID: CVE-2026-2498; Patch Status: Unpatched; Published: Feb 25, 2026; Affected Software: WP Social Meta [wp-social-meta]; Researcher: Muhammad Nur Ibnu Hubab (Ibnu)

Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.3.4 - Authenticated (Subscriber+) Sensitive Data Exposure
CVSS Rating: 4.3 (Medium); CVE-ID: CVE-2026-23546; Patch Status: Patched; Published: Feb 23, 2026; Affected Software: Classified Listing – AI-Powered Classified ads & Business Directory Plugin [classified-listing]; Researcher: daroo

Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update
CVSS Rating: 4.3 (Medium); CVE-ID: CVE-2026-2410; Patch Status: Patched; Published: Feb 24, 2026; Affected Software: Disable Admin Notices – Hide Dashboard Notifications [disable-admin-notices]; Researcher: lucsob

Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter
CVSS Rating: 4.3 (Medium); CVE-ID: CVE-2026-2301; Patch Status: Patched; Published: Feb 24, 2026; Affected Software: Post Duplicator [post-duplicator]; Researcher: Nguyen Ba Hung (bashu)

Really Simple Security Pro <= 9.5.4.0 - Authenticated (Subscriber+) Insecure Direct Object Reference
CVSS Rating: 4.3 (Medium); CVE-ID: CVE-2026-27397; Patch Status: Patched; Published: Feb 23, 2026; Affected Software: Really Simple Security Pro [really-simple-ssl-pro]; Researcher: dcodx

Tutor LMS – eLearning and online course solution <= 3.9.5 - Missing Authorization
CVSS Rating: 4.3 (Medium); CVE-ID: CVE-2026-23799; Patch Status: Patched; Published: Feb 25, 2026; Affected Software: Tutor LMS – eLearning and online course solution [tutor]; Researcher: Supakiad S. (m3ez)

WP Recipe Maker <= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
CVSS Rating: 4.3 (Medium); CVE-ID: CVE-2025-14742; Patch Status: Patched; Published: Feb 24, 2026; Affected Software: WP Recipe Maker [wp-recipe-maker]; Researcher: Abhinav Jaswal (wrath_exe)

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 23, 2026 to March 1, 2026) appeared first on Wordfence.