
WordPress

Vendor security scorecard – 386 CVEs in the selected period

Summary statistics (selected period):

Risk score: 781
CVEs: 386
Critical: 21
High: 105
KEV (in CISA Known Exploited Vulnerabilities): 0
PoC (public proof-of-concept available): 16
Unpatched Critical/High: 115
Patch rate: 3.9%
Average EPSS: 0.1%

Severity Breakdown

CRITICAL: 21
HIGH: 105
MEDIUM: 260
LOW: 0

Monthly CVE Trend

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals. The summary follows each entry on its own line; several summaries are cut off in the source.

CVE-2026-3220 | HIGH | CVSS 8.8 | EPSS 0.0% | Priority 64 | Signals: PoC
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulne

CVE-2026-32834 | HIGH | CVSS 8.7 | EPSS 0.1% | Priority 64 | Signals: PoC, No patch
Hardcoded authentication bypass in the Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

CVE-2026-4935 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 63 | Signals: PoC
Unauthenticated attackers can exploit SQL injection in the OttoKit: All-in-One Automation Platform WordPress plugin in versions before 1.1.23, due to improper input sanitization in SQL statement construction. The vulnerability allows remote attackers to extract sensitive data and modify database contents without authentication, though the integrity impact is limited. Publicly available exploit code exists, and a patch has been released by the vendor.

CVE-2026-6379 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 63 | Signals: PoC
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing

CVE-2026-7862 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 63 | Signals: PoC
Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow. Publicly available exploit code exists per WPScan, though no active exploitation is recorded in CISA KEV at time of analysis.

CVE-2026-41471 | HIGH | CVSS 8.2 | EPSS 0.2% | Priority 61 | Signals: PoC, No patch
Unauthenticated attackers can enumerate and exfiltrate all customer order records from the Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete harvesting of payment and customer information from the database. Publicly available exploit code exists, but there is no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

CVE-2026-6381 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perf

CVE-2025-15609 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API

CVE-2026-6495 | HIGH | CVSS 7.1 | EPSS 0.0% | Priority 56 | Signals: PoC
The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflect

CVE-2026-5337 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
The Frontend File Manager Plugin for WordPress through version 23.6 allows authenticated Subscriber-level users and higher to read arbitrary files belonging to other users via an insecure direct object reference (IDOR) in the download endpoint. By manipulating the 'file_id' parameter, attackers can bypass authorization checks and access sensitive data stored by administrators and other privileged users. Publicly available exploit code exists for this vulnerability, though the EPSS score (0.02%) suggests limited real-world exploitation relative to its high CVSS rating.

CVE-2026-5776 | MEDIUM | CVSS 6.1 | EPSS 0.1% | Priority 51 | Signals: PoC
Stored XSS in the Email Encoder WordPress plugin (all versions before 2.4.7) permits unauthenticated remote attackers to inject persistent malicious scripts by supplying unsanitized email addresses through public-facing input fields. Because the CVSS scope is Changed (S:C), injected payloads execute in victims' browsers rather than in the server context, enabling session hijacking, credential theft, or malicious redirects against any visitor who loads an affected page. A publicly available proof-of-concept exists per WPScan reporting; the CVE is not listed in CISA KEV as actively exploited at time of analysis.

CVE-2026-45444 | CRITICAL | CVSS 10.0 | EPSS 0.0% | Priority 50 | Signals: No patch
Unrestricted file upload in the WP Swings Gift Cards For WooCommerce Pro plugin (versions up to and including 4.2.6) allows remote unauthenticated attackers to upload malicious files of dangerous types to vulnerable WordPress sites. With a maximum CVSS score of 10.0 and a scope-changed vector, successful exploitation typically leads to remote code execution and full site compromise. No public exploit was identified at time of analysis, though the high severity and ease of exploitation make this a priority concern for any WooCommerce site using this plugin.

CVE-2026-5229 | CRITICAL | CVSS 9.8 | EPSS 0.3% | Priority 49 | Signals: No patch
Authentication bypass in the Form Notify WordPress plugin, versions ≤ 1.1.10, allows remote unauthenticated attackers to gain administrator access through LINE OAuth flow manipulation. The plugin trusts the 'form_notify_line_email' cookie when LINE OAuth does not return an email address, so an attacker can authenticate as any site user by injecting a cookie containing the victim's email while completing OAuth with their own LINE account. Wordfence reported this vulnerability, with proof-of-concept code available via GitHub commit diffs. EPSS data is not available, but the CVSS 9.8 score and network vector with no authentication requirement indicate critical severity. No CISA KEV listing at time of analysis.

CVE-2026-6555 | CRITICAL | CVSS 9.8 | EPSS 0.3% | Priority 49 | Signals: No patch
Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit was identified at time of analysis, but the CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.

CVE-2026-5722 | CRITICAL | CVSS 9.8 | EPSS 0.2% | Priority 49 | Signals: No patch
Authentication bypass in MoreConvert Pro for WordPress allows remote unauthenticated attackers to hijack any user account, including administrators, by exploiting token reuse in the guest waitlist verification flow. Attackers obtain a verification token for their own email, change the guest customer email to the target victim's email via the public waitlist API, then use the original token to authenticate as the victim. This critical vulnerability (CVSS 9.8) affects all versions through 1.9.14, with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS data is not available; no confirmed active exploitation or public PoC was identified at time of analysis.
