Wordpress-plugins
This hub aggregates every CVE we track for Wordpress-plugins, a product in the web CMS plugins space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 3,655
- Critical: 248
- High: 1,026
- In CISA KEV: 1
Severity distribution
- MEDIUM: 2,310
- HIGH: 1,026
- CRITICAL: 248
- LOW: 71
Monthly trend
Chart values in order, 2024-08 to 2026-07: 61, 46, 62, 79, 63, 123, 64, 69, 74, 79, 60, 43, 54, 75, 62, 53, 196, 114, 72, 172, 47, 66, 74, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Wordpress-plugins.
- CVE-2026-57334: WordPress WP User Frontend plugin <= 4.3.7 - Broken Access Control vulnerability (score 6.5)
- CVE-2026-57320: WordPress BEAR plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability (score 7.1)
- CVE-2026-9233: Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via qsm_insert_quiz_template AJAX Action (score 4.3)
- CVE-2026-13335: CodePeople Post Map for Google Maps <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cpm_point' Post Meta (score 6.4)
- CVE-2026-57647: WordPress Panorama Viewer – 360 Degree Image + Video Viewer plugin <= 1.6.1 - Local File Inclusion vulnerability (score 7.5)
- CVE-2026-57323: WordPress Flash & HTML5 Video plugin <= 2.11.0 - Broken Access Control vulnerability (score 5.8)
- CVE-2026-57322: WordPress weMail plugin <= 2.1.2 - Reflected Cross Site Scripting (XSS) vulnerability (score 7.1)
- CVE-2026-57316: WordPress GetGenie plugin <= 4.4.2 - Sensitive Data Exposure vulnerability (score 6.5)
- CVE-2026-57312: WordPress Everest Forms plugin <= 3.4.8 - Reflected Cross Site Scripting (XSS) vulnerability (score 7.1)
- CVE-2026-56063: WordPress MailChimp Block plugin <= 1.1.15 - Broken Access Control vulnerability (score 8.3)
- CVE-2025-63079: WordPress Live Copy Paste for Elementor plugin <= 1.5.3 - Broken Access Control vulnerability (score 4.3)
- CVE-2026-1869: User Registration & Membership <= 5.2.0 - Missing Authorization to Unauthenticated Payment Bypass (score 6.5)
- CVE-2026-56014: WordPress Master Slider plugin <= 3.11.2 - Cross Site Scripting (XSS) vulnerability (score 7.1)
- CVE-2026-12077: Dokan Pro <= 5.0.4 - Unauthenticated SQL Injection via 'latitude' and 'longitude' Parameters (score 7.5)
- CVE-2026-12079: Dokan Pro <= 5.0.4 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter (score 6.5)
Product normalization is registry-driven with AI assist and human review.