Skip to main content

WordPress

Vendor security scorecard – 2624 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 6712
2624
CVEs
163
Critical
695
High
0
KEV
285
PoC
781
Unpatched C/H
6.7%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
163
HIGH
695
MEDIUM
1734
LOW
21

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-4257 Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis. CRITICAL 9.8 0.2% 84
PoC No patch
CVE-2026-49777 Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed. CRITICAL 10.0 0.1% 70
PoC
CVE-2026-12415 Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV. CRITICAL 9.8 0.7% 70
PoC No patch
CVE-2026-12417 Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed. CRITICAL 9.8 0.5% 69
PoC No patch
CVE-2026-1357 Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%. CRITICAL 9.8 0.4% 69
PoC No patch
CVE-2026-12416 Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward. CRITICAL 9.8 0.4% 69
PoC No patch
CVE-2026-10580 Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin. CRITICAL 9.8 0.3% 69
PoC No patch
CVE-2026-8181 Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing. CRITICAL 9.8 0.3% 69
PoC No patch
CVE-2026-0926 Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9. CRITICAL 9.8 0.2% 69
PoC No patch
CVE-2026-3584 The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction. CRITICAL 9.8 0.2% 69
PoC No patch
CVE-2026-3300 Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions. CRITICAL 9.8 0.2% 69
PoC No patch
CVE-2026-1405 Arbitrary file upload in Slider Future WordPress plugin. CRITICAL 9.8 0.2% 69
PoC No patch
CVE-2026-8935 The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any fron CRITICAL 9.8 0.1% 69
PoC
CVE-2026-1492 Privilege escalation in User Registration & Membership WordPress plugin. CRITICAL 9.8 0.1% 69
PoC No patch
CVE-2026-0740 Unauthenticated arbitrary file upload in Ninja Forms - File Uploads plugin for WordPress (versions ≤3.3.26) enables remote code execution through missing file type validation in the upload handler. Attackers can upload malicious PHP files without authentication, achieving complete server compromise. CVSS 9.8 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-based exploitation requiring no privileges or user interaction. Fully patched in version 3.3.27 following a partial fix in 3.3.25. No public exploit identified at time of analysis, though the vulnerability class (CWE-434: Unrestricted Upload of File with Dangerous Type) is well-understood and readily exploitable. CRITICAL 9.8 0.1% 69
PoC No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy