Skip to main content

WordPress

Vendor security scorecard – 613 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 1996
613
CVEs
41
Critical
190
High
0
KEV
101
PoC
186
Unpatched C/H
15.2%
Patch Rate
0.3%
Avg EPSS

Severity Breakdown

CRITICAL
41
HIGH
190
MEDIUM
374
LOW
7

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-12415 Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV. CRITICAL 9.8 0.7% 70
PoC No patch
CVE-2026-12417 Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed. CRITICAL 9.8 0.5% 69
PoC No patch
CVE-2026-12416 Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward. CRITICAL 9.8 0.4% 69
PoC No patch
CVE-2026-12492 Authentication bypass in the Happy Coders OTP Login for WooCommerce WordPress plugin (versions 1.5 through 2.7) lets unauthenticated remote attackers log in as any existing user, including administrators, and create arbitrary accounts. The plugin authenticates a user from a supplied identifier without confirming that the one-time password was ever validated. Publicly available exploit code exists (WPScan) and a vendor patch (2.8) is available; EPSS remains low at 0.15% despite the maximal 9.8 CVSS score. CRITICAL 9.8 0.1% 69
PoC
CVE-2026-11563 Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list. CRITICAL 9.6 0.1% 68
PoC No patch
CVE-2022-50972 WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.3 0.6% 67
PoC No patch
CVE-2019-25763 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. CRITICAL 9.3 0.4% 67
PoC
CVE-2026-6382 The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1 CRITICAL 9.1 0.5% 66
PoC
CVE-2026-11964 Payment-verification bypass in the User Registration & Membership WordPress plugin before 5.2.2 lets unauthenticated attackers forge a payment-provider webhook to mark a subscription as paid, activating premium memberships without any real transaction. WPScan reports publicly available exploit code, though there is no public exploit identified as being used in active attacks (not in CISA KEV). The core weakness is that inbound webhook notifications are trusted and acted upon without authenticating their origin or signature. CRITICAL 9.1 0.1% 66
PoC
CVE-2026-11962 Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 lets users granted file-manager access upload arbitrary PHP files because several file-management operations skip file-type validation. Publicly available exploit code exists, and the flaw is an incomplete fix of CVE-2024-7985, which only hardened the upload operation while leaving other file-management endpoints unvalidated. With CVSS 3.1 base 8.8 (PR:L) and a working PoC, any low-privileged account with file-manager rights - extendable to sub-administrator roles via the premium add-on - can achieve full site compromise. HIGH 8.8 0.2% 64
PoC
CVE-2026-11855 The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, HIGH 8.8 0.2% 64
PoC
CVE-2026-11589 Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided. HIGH 8.8 0.2% 64
PoC No patch
CVE-2026-8163 SQL injection in the Infility Global WordPress plugin before 2.15.19 allows authenticated users with Subscriber-level access or higher to inject arbitrary SQL via unsanitized parameters. Publicly available exploit code exists (WPScan), and a vendor patch has been released, raising the practical risk on sites that allow open user registration. No CISA KEV listing at time of analysis. HIGH 8.8 0.2% 64
PoC
CVE-2026-12525 The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing u HIGH 8.8 0.1% 64
PoC
CVE-2026-10830 The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already a HIGH 8.8 0.1% 64
PoC

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy