WordPress site operators have a critical need to act: 116 vulnerabilities were disclosed across 78 plugins and 19 themes between March 9 and March 15, 2026, according to the latest weekly report from Wordfence. These disclosures underline the ongoing challenge of safeguarding WordPress websites and the importance of proactive security measures.
The Wordfence Intelligence Vulnerability Database now includes these disclosures, making it one of the most comprehensive resources available for WordPress practitioners. Of the 116 vulnerabilities added, 86 have been patched, while 30 remain unpatched, exposing site operators to potential exploitation risks. The vulnerabilities span various classes, including Cross-site Scripting (XSS), SQL Injection, and Authorization Bypass, with six rated as critical severity.
Total Vulnerabilities by Severity
Breaking down the numbers, last week’s disclosures included:

- 6 critical severity vulnerabilities
- 39 high severity vulnerabilities
- 71 medium severity vulnerabilities
Among the most common vulnerability types were improper neutralization of input during web page generation (32 cases of XSS) and missing authorization (27 cases). Site operators using affected plugins or themes should review the full report to identify exposure risks.
Firewall Rules and Proactive Protection
Wordfence’s Threat Intelligence Team continues to deploy new firewall rules to mitigate immediate risks. Last week, two firewall rules—WAF-RULE-904 and WAF-RULE-905—were rolled out to Wordfence Premium, Care, and Response customers. Details on these rules remain redacted as Wordfence works with vendors to finalize patches. Free users will receive this protection after a 30-day delay.
The Wordfence CLI Vulnerability Scanner and API tools are freely available and enable enterprises, hosting providers, and individuals to run regular scans or integrate real-time updates into their workflows. With over 33,000 vulnerabilities cataloged, Wordfence offers unmatched access to actionable security intelligence.
Triple Threat Bug Bounty Challenge
Wordfence is incentivizing security researchers through its Triple Threat Bug Bounty Challenge, running until April 6, 2026. Researchers can earn triple bonuses on valid submissions from the ‘High Threat Vulnerabilities’ list:

- Double payouts for high threat vulnerabilities (excluding plugins with 5,000,000+ installs)
- 30% bonus for vulnerabilities in software with 30,000+ active installs
- $300 extra for every three high threat vulnerabilities submitted (minimum of 1,000 installs each)
Last week, 66 researchers contributed to WordPress security, with Tran Nguyen Bao Khanh leading the effort by disclosing 13 vulnerabilities. Active participation in the bounty program not only enhances WordPress security but also provides significant financial incentives.
What To Do
- Developers: Audit your plugins and themes against the latest vulnerabilities disclosed in the Wordfence Intelligence Weekly Report. Update codebases to address any flagged issues.
- Site Operators: Use the Wordfence CLI Vulnerability Scanner or Database API to check your installations for exposure to unpatched vulnerabilities.
- Managed Hosting Providers: Deploy the latest firewall rules immediately for customers using Wordfence Premium, Care, or Response plans. Monitor for unpatched risks.
- Security Researchers: Participate in the Triple Threat Bug Bounty Challenge for enhanced rewards and help mitigate high-risk vulnerabilities.
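The site-operator step above (and the CLI scanner and Database API mentioned under Firewall Rules) comes down to one check: match the plugins and themes actually installed against the vulnerability feed, flag the affected ones, and separate "a patched version exists, update" from "no fix yet, contain it". The Python below is an added example written for this page, not Wordfence's own code. It assumes a simplified record layout modelled on Wordfence's public JSON feed (software slug and type, affected version ranges with inclusive bounds, a patched flag, patched versions, a CVSS rating); the feed URL in the comment is an assumption, and every feed record and inventory entry is a constructed sample.

```python
"""Triage a WordPress install inventory against a vulnerability feed.

Added example, not Wordfence code. Feed layout is a simplified approximation
of Wordfence's public JSON feed (assumption: served at
https://www.wordfence.com/api/intelligence/v2/vulnerabilities/scanner).
All records below are CONSTRUCTED samples.
"""
import re

SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed feed: one patched XSS, one unpatched SQLi, one patched theme bug.
SAMPLE_FEED = {
    "00000000-0000-0000-0000-000000000001": {
        "id": "00000000-0000-0000-0000-000000000001",
        "title": "Example Gallery <= 2.3.1 - Reflected XSS (constructed)",
        "cvss": {"score": 6.1, "rating": "Medium"},
        "software": [{
            "type": "plugin", "slug": "example-gallery",
            "affected_versions": {"* - 2.3.1": {
                "from_version": "*", "to_version": "2.3.1",
                "from_inclusive": True, "to_inclusive": True}},
            "patched": True, "patched_versions": ["2.3.2"]}],
    },
    "00000000-0000-0000-0000-000000000002": {
        "id": "00000000-0000-0000-0000-000000000002",
        "title": "Example Forms - Unauthenticated SQL Injection (constructed)",
        "cvss": {"score": 9.8, "rating": "Critical"},
        "software": [{
            "type": "plugin", "slug": "example-forms",
            "affected_versions": {"* - *": {
                "from_version": "*", "to_version": "*",
                "from_inclusive": True, "to_inclusive": True}},
            "patched": False, "patched_versions": []}],
    },
    "00000000-0000-0000-0000-000000000003": {
        "id": "00000000-0000-0000-0000-000000000003",
        "title": "Example Theme <= 3.0 - Missing Authorization (constructed)",
        "cvss": {"score": 7.5, "rating": "High"},
        "software": [{
            "type": "theme", "slug": "example-theme",
            "affected_versions": {"* - 3.0": {
                "from_version": "*", "to_version": "3.0",
                "from_inclusive": True, "to_inclusive": True}},
            "patched": True, "patched_versions": ["3.0.1"]}],
    },
}

# Constructed inventory, the shape `wp plugin list --format=json` would give
# once reduced to type/slug/version.
SAMPLE_INVENTORY = [
    {"type": "plugin", "slug": "example-gallery", "version": "2.3.1"},
    {"type": "plugin", "slug": "example-forms", "version": "1.4.0"},
    {"type": "theme", "slug": "example-theme", "version": "3.1"},
    {"type": "plugin", "slug": "unrelated-seo", "version": "5.0"},
]


def parse_version(version: str) -> tuple:
    """'2.3.1' -> (2, 3, 1); trailing zeros dropped so 2.3.0 == 2.3.
    Pre-release suffixes such as '-beta2' are ignored (assumption: adequate
    for triage, where a pre-release is treated like its base version)."""
    core = re.split(r"[-+ ]", version.strip(), maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_range(version: str, rng: dict) -> bool:
    """True if `version` falls inside an affected range; '*' means unbounded."""
    v = parse_version(version)
    lo, hi = rng.get("from_version", "*"), rng.get("to_version", "*")
    if lo != "*":
        low = parse_version(lo)
        if v < low or (v == low and not rng.get("from_inclusive", True)):
            return False
    if hi != "*":
        high = parse_version(hi)
        if v > high or (v == high and not rng.get("to_inclusive", True)):
            return False
    return True


def find_exposures(inventory: list, feed: dict) -> list:
    """Return affected installs, most severe first, each with a recommended action."""
    findings = []
    for item in inventory:
        for vuln in feed.values():
            for sw in vuln.get("software", []):
                if sw["type"] != item["type"] or sw["slug"] != item["slug"]:
                    continue
                if not any(version_in_range(item["version"], r)
                           for r in sw["affected_versions"].values()):
                    continue
                if sw["patched"] and sw["patched_versions"]:
                    action = f"update to {sw['patched_versions'][0]}"
                else:
                    # Unpatched: no upgrade path, so reduce exposure instead.
                    action = "no fix available: deactivate/remove or rely on WAF rule"
                findings.append({
                    "slug": item["slug"], "installed": item["version"],
                    "id": vuln["id"], "title": vuln["title"],
                    "rating": vuln["cvss"]["rating"],
                    "patched": sw["patched"], "action": action})
    findings.sort(key=lambda f: (-SEVERITY_ORDER.get(f["rating"], 0), f["slug"]))
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_INVENTORY, SAMPLE_FEED):
        print(f"[{f['rating']}] {f['slug']} {f['installed']}: {f['title']} -> {f['action']}")
```

The interesting branch is the unpatched one: the report lists 30 vulnerabilities with no fix, and for those the script deliberately produces no "update to" advice, because there is nothing to update to; the operator's choices are containment (deactivate or remove the component) or a firewall rule, which is exactly why the delayed rule rollout for free users matters. To run it against a real site, replace `SAMPLE_INVENTORY` with the output of `wp plugin list --format=json` and `wp theme list --format=json` reduced to type/slug/version, and `SAMPLE_FEED` with the downloaded feed.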