Wordfence Intelligence Weekly WordPress Vulnerability Report (May 18, 2026 to May 24, 2026)

Last week, there were 101 vulnerabilities disclosed in 88 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 69 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities i...

WordPress Simple Divi Shortcode plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Simple Divi Shortcode versions = 1.2...

WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability

SQL Injection vulnerability discovered by kai63001 in WordPress Plugin Easy Form Builder versions = 4.0.6...

WordPress Breeze Cache plugin <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin Breeze versions = 2.5.2...

WordPress Smart Online Order for Clover plugin <= 1.6.0 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by she11f in WordPress Plugin Smart Online Order for Clover versions = 1.6.0...

Exploit for CVE-2026-8380

CVE-2026-8380 CVE-2026-8380 — Frontend File Manager = 23.6...

WordPress Post Snippets – Custom WordPress Code Snippets Customizer plugin <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by a1batr0ss in WordPress Plugin Post Snippets versions = 4.0.19...

WordPress Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls plugin <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action vulnerability

Authenticated Subscriber+ Sensitive Information Exposure in 'ayspollgetuserinformation' AJAX Action vulnerability discovered by Satoo Nakano in WordPress Plugin Poll Maker versions = 6.3.7...

WordPress Ads by WPQuads plugin <= 3.0.2 - Bypass Vulnerability vulnerability

Bypass Vulnerability vulnerability discovered by Bas Albers in WordPress Plugin Ads by WPQuads versions = 3.0.2...

WordPress SlimStat Analytics plugin <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Slimstat Analytics versions = 5.4.11...

WordPress Easy Updates Manager plugin <= 9.0.20 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Easy Updates Manager versions = 9.0.20...

WordPress Login No Captcha reCAPTCHA plugin <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by ISMAILSHADOW in WordPress Plugin Login No Captcha reCAPTCHA versions = 1.8.0...

WordPress Independent Analytics – WordPress Analytics Plugin plugin <= 2.14.9 - Unauthenticated Server-Side Request Forgery vulnerability

Unauthenticated Server-Side Request Forgery vulnerability discovered by Kirasec in WordPress Plugin Independent Analytics - Google Analytics Alternative for WordPress versions = 2.14.9...

WordPress MinhNhut Link Gateway plugin <= 3.6.1 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by san6051 - COFFSec in WordPress Plugin MinhNhut Link Gateway versions = 3.6.1...

WordPress Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin <= 3.4.6 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Gutenverse versions = 3.4.6...

CVE-2026-9015

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This mak...

CVE-2026-8689

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages and uploadData functions, where the wpajaxvisualizer-create-chart an...

CVE-2026-6937

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointmen...

CVE-2026-7526

The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueueblockassets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key...

CVE-2026-7048

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...