
Wordfence Intelligence Weekly WordPress Vulnerability Report: 139 Flaws Disclosed (April 13–19, 2026)

Wordfence reports 139 new WordPress vulnerabilities last week across plugins and themes, with 109 patched and 30 unpatched. Cross-site scripting and authorization flaws dominate.


The latest Wordfence Intelligence Weekly Report lists 139 newly disclosed WordPress vulnerabilities across plugins and themes in a single week. The figures underscore the ongoing exposure of WordPress site operators and the need for timely patching combined with layered defenses, since a week's worth of disclosures routinely includes flaws with no fix available.

Key Takeaways

  • 139 vulnerabilities were disclosed last week in 116 plugins and 10 themes, emphasizing persistent security risks.
  • 109 of these vulnerabilities have patches available, but 30 remain unpatched, posing ongoing threats.
  • Cross-site scripting (XSS) and missing authorization vulnerabilities dominate the landscape.
  • 84 security researchers contributed to these disclosures, highlighting active community involvement.
  • Wordfence provides free tools and APIs to help site owners stay ahead of vulnerabilities.

Overview of Last Week’s Vulnerability Landscape

Between April 13 and April 19, 2026, the Wordfence Intelligence Vulnerability Database was updated with 139 new vulnerabilities, spread across 116 distinct WordPress plugins and 10 themes. This volume reflects an active period of security research and disclosure within the WordPress ecosystem.

Importantly, 109 of these vulnerabilities have already been patched by their respective developers, reflecting a responsive security posture in many projects. However, 30 vulnerabilities remain unpatched, representing immediate risks to sites running affected software.

The severity distribution is notable: 6 vulnerabilities were classified as critical, 46 as high, 86 as medium, and 1 as low. Critical and high together account for 52 of the 139, about 37%, meaning more than a third of last week's disclosures could lead to severe compromise if exploited.

Common Vulnerability Types and Their Implications

Cross-site scripting (XSS) vulnerabilities accounted for 48 of the disclosed issues, making them the most prevalent class last week. XSS flaws allow attackers to inject script into pages viewed by other users, leading to session hijacking, defacement, or redirection to malicious sites. In WordPress the dangerous case is stored XSS that fires in an administrator's browser: the injected script then acts with the admin's session and can create users, change settings, or install a plugin. Many reported XSS issues require only a low-privileged account (for example contributor level) or no account at all.
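To make the class concrete, here is an added example that is not part of the Wordfence report or any named plugin: a shortcode that renders a caller-controlled value, first in a vulnerable form and then escaped for each output context. The shortcode names, attribute names and the `name` query parameter are invented for illustration.

```php
<?php
// Added illustration (not code from the Wordfence report or from any real plugin).
// Shortcode names [greet_vuln] / [greet_safe] and the ?name= parameter are invented.

// Vulnerable: attribute and query-string values are concatenated straight into HTML.
// Note that contributor-level users can place shortcodes in posts, so shortcode
// attributes are untrusted input just like request parameters.
function greet_vuln_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'friend', 'link' => '' ), $atts, 'greet_vuln' );
    $name = isset( $_GET['name'] ) ? $_GET['name'] : $atts['name'];
    // Reflected XSS: ?name=<img src=x onerror=alert(document.cookie)> runs in the visitor's browser;
    // link="javascript:..." gives a clickable script URL.
    return '<a href="' . $atts['link'] . '" title="' . $name . '">Hello, ' . $name . '</a>';
}
add_shortcode( 'greet_vuln', 'greet_vuln_shortcode' );

// Hardened: sanitize on input, then escape at output for the exact context each value lands in.
function greet_safe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'friend', 'link' => '' ), $atts, 'greet_safe' );
    $name = isset( $_GET['name'] )
        ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) // WordPress slashes superglobals; unslash first
        : $atts['name'];
    return sprintf(
        '<a href="%s" title="%s">Hello, %s</a>',
        esc_url( $atts['link'] ), // URL context: drops javascript:, data: and other disallowed schemes
        esc_attr( $name ),        // HTML attribute context
        esc_html( $name )         // HTML text-node context
    );
}
add_shortcode( 'greet_safe', 'greet_safe_shortcode' );
```

The rule the hardened version follows is "escape late, escape for the context": `esc_html()` for text nodes, `esc_attr()` inside attributes, `esc_url()` for `href`/`src`, and `wp_kses_post()` when limited HTML must be preserved. Sanitizing on input alone is not enough, because the same stored value may later be printed in a context the sanitizer did not anticipate.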

Missing authorization vulnerabilities were the second most common, with 27 reported cases. These flaws occur when a plugin or theme exposes an action without verifying that the caller has the capability to perform it. In WordPress they typically appear as admin-ajax handlers (including `wp_ajax_nopriv_` hooks reachable without a login) or REST routes whose permission callback simply returns true, so that any visitor or any subscriber-level account can change settings, modify content, or trigger privileged operations. A missing nonce check is a related but distinct problem (cross-site request forgery); a handler needs both a capability check and, for cookie-authenticated requests, a nonce.
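The following added example (not from the Wordfence report or any real plugin) shows the pattern behind most of these reports: a REST route that performs a privileged action, registered once with no authorization and once with a proper permission callback. The `acme/v1` namespace and route paths are invented.

```php
<?php
// Added illustration (not code from the Wordfence report or from any real plugin).
// Namespace "acme/v1" and the route paths are invented for this example.

// Vulnerable: permission_callback is __return_true, so unauthenticated visitors can
// POST /wp-json/acme/v1/delete-user-vuln with {"id": 1} and remove the first administrator.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/delete-user-vuln', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives in admin includes
            return wp_delete_user( (int) $req['id'] );
        },
    ) );
} );

// Hardened: the permission callback checks the meta capability for the specific target user
// (map_meta_cap resolves "delete_user" to "delete_users" and applies multisite rules), and
// the argument schema rejects malformed ids before the callback runs. Cookie-authenticated
// REST calls must also send a valid X-WP-Nonce header (action "wp_rest") or WordPress treats
// them as logged out, which is what protects this route against CSRF.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/delete-user', array(
        'methods'             => 'POST',
        'args'                => array(
            'id' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
        ),
        'permission_callback' => function ( WP_REST_Request $req ) {
            $id = (int) $req['id'];
            if ( ! current_user_can( 'delete_user', $id ) || get_current_user_id() === $id ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
        'callback'            => function ( WP_REST_Request $req ) {
            require_once ABSPATH . 'wp-admin/includes/user.php';
            return rest_ensure_response( array( 'deleted' => wp_delete_user( (int) $req['id'] ) ) );
        },
    ) );
} );
```

The same logic applies to admin-ajax handlers: a `wp_ajax_*` callback should call `check_ajax_referer()` for the nonce and `current_user_can()` for the capability before doing anything, and should not be registered on `wp_ajax_nopriv_*` at all unless the action is genuinely meant for anonymous visitors.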

Other significant vulnerability types included SQL injection (15 cases, usually queries assembled by string concatenation instead of `$wpdb->prepare()`), path traversal (10 cases, where a user-supplied file name is joined to a directory without containment checks), and deserialization of untrusted data (9 cases, typically `unserialize()` on request or cookie data, which enables PHP object injection). Each of these can have severe consequences, ranging from disclosure of `wp-config.php` credentials and database contents to remote code execution.
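As an added example that is not part of the Wordfence report or any real plugin, the block below shows each of these three classes as a vulnerable function beside its hardened form. The table name, export directory and cookie name are invented for illustration.

```php
<?php
// Added illustration (not code from the Wordfence report or from any real plugin).
// The acme_orders table, the acme-exports directory and the acme_prefs cookie are invented.

// --- SQL injection ---
// Vulnerable: the caller-controlled email is interpolated into the SQL string.
function acme_find_orders_vuln( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_orders';
    // email = "' OR 1=1 -- " returns every row; a UNION SELECT can read wp_users.
    return $wpdb->get_results( "SELECT id, total FROM $table WHERE email = '$email'" );
}
// Hardened: placeholders; $wpdb->prepare() quotes and escapes each argument.
function acme_find_orders( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_orders';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, total FROM {$table} WHERE email = %s", $email )
    );
}

// --- Path traversal ---
// Vulnerable: a user-supplied file name is joined to a directory and read.
function acme_read_export_vuln( $name ) {
    $dir = WP_CONTENT_DIR . '/uploads/acme-exports/';
    // name = "../../../wp-config.php" walks out of the directory and leaks DB credentials.
    return file_get_contents( $dir . $name );
}
// Hardened: strip any directory component, resolve the real path (following symlinks),
// and refuse anything that does not resolve to a file inside the export directory.
function acme_read_export( $name ) {
    $dir = realpath( WP_CONTENT_DIR . '/uploads/acme-exports' );
    if ( false === $dir ) {
        return new WP_Error( 'not_found', 'Export directory missing.' );
    }
    $path = realpath( $dir . DIRECTORY_SEPARATOR . basename( $name ) );
    // basename() removes "../" sequences; the prefix check catches "..", symlinks and "." escapes.
    if ( false === $path || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        return new WP_Error( 'not_found', 'File not found.' );
    }
    return file_get_contents( $path );
}

// --- Deserialization of untrusted data ---
// Vulnerable: unserialize() on attacker-controlled bytes instantiates any loaded class,
// so a gadget chain (__wakeup/__destruct) in any installed plugin or library can run.
function acme_load_prefs_vuln() {
    return isset( $_COOKIE['acme_prefs'] )
        ? unserialize( wp_unslash( $_COOKIE['acme_prefs'] ) )
        : array();
}
// Hardened: use JSON for data that crosses a trust boundary; it cannot produce objects.
function acme_load_prefs() {
    if ( ! isset( $_COOKIE['acme_prefs'] ) ) {
        return array();
    }
    $prefs = json_decode( wp_unslash( $_COOKIE['acme_prefs'] ), true );
    return is_array( $prefs ) ? $prefs : array();
}
// If PHP serialization cannot be avoided, forbid class instantiation (PHP 7.0+): any serialized
// object comes back as __PHP_Incomplete_Class instead of running its magic methods.
function acme_unserialize_scalars( $blob ) {
    return unserialize( $blob, array( 'allowed_classes' => false ) );
}
```

Two caveats a reviewer would raise: `$wpdb->prepare()` cannot parameterize table or column names, so those must come from a fixed allow-list rather than from input; and `allowed_classes => false` neutralizes gadget chains but does not validate the data, so the result still needs the same type checks as any other untrusted input.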

Notable Plugins and Themes Affected

Among the affected plugins are some widely used solutions such as WooCommerce, Advanced Custom Fields (ACF), and Redirection. The presence of vulnerabilities in these popular plugins can have broad impacts across the WordPress ecosystem.

The report also highlights vulnerabilities in niche but critical plugins like 3D FlipBook, Academy LMS Pro, and Accessibility Suite by Ability, Inc, illustrating that security risks span both mainstream and specialized plugins.

Contributions from the Security Research Community

The report credits 84 vulnerability researchers who contributed to the disclosures last week. Leading contributors include Nguyen Ba Khanh and Muhammad Yudha – DJ, each responsible for 9 vulnerabilities, followed by other notable researchers with multiple reports.

This active researcher participation is vital for maintaining WordPress security and shows the strength of responsible disclosure practices within the community.

Wordfence’s Role and Tools for Site Security

Wordfence Intelligence aims to democratize access to vulnerability data by offering a free user interface, APIs, webhook integration, and a CLI Vulnerability Scanner. These tools empower site owners, agencies, and hosting providers to implement layered security measures and stay updated on emerging threats.

With over 33,000 vulnerabilities in their database, Wordfence provides a comprehensive resource that supports defense in depth strategies, crucial for protecting WordPress sites against escalating attack vectors.

What This Means for WordPress Users

The high number of vulnerabilities disclosed last week is a reminder that WordPress site security requires continuous attention. For developers, this means prioritizing timely updates and patches in plugin and theme development, as well as adopting secure coding practices to reduce common flaws such as XSS and authorization bypasses.

Site owners and agencies should regularly monitor vulnerability feeds like Wordfence Intelligence and use automated scanning tools to detect and remediate risks swiftly. Prioritizing patches for critical and high-severity vulnerabilities is essential to prevent exploitation.

This report also signals that while the WordPress security community is active and responsive, the ecosystem’s vast plugin and theme diversity presents ongoing challenges. Agencies managing multiple client sites should consider integrating vulnerability APIs and scanners into their workflows to maintain security at scale.

Finally, the availability of free vulnerability data and scanning tools from Wordfence lowers barriers to access essential security intelligence, encouraging best practices and proactive defense strategies across all levels of WordPress users.

Frequently Asked Questions

How can I check if my WordPress plugins or themes are vulnerable?

You can use tools like the Wordfence CLI Vulnerability Scanner or subscribe to vulnerability databases such as Wordfence Intelligence. These offer scans and real-time alerts for known vulnerabilities in your installed plugins and themes.

What should I do if my site uses a plugin with an unpatched vulnerability?

Immediately evaluate the risk: check the severity, whether exploitation requires authentication, and whether the vulnerable feature is reachable on your site. If you cannot accept the exposure, deactivate the plugin, and prefer removing it outright: deactivation leaves the plugin's files on disk, and a flaw in a PHP file that can be requested directly stays reachable. Monitor for updates from the developer and apply the patch as soon as it is available. A web application firewall can reduce exposure in the meantime, but treat it as a stopgap rather than a fix.

Are all WordPress vulnerabilities publicly disclosed?

Not all vulnerabilities are disclosed publicly right away. Responsible disclosure protocols often involve private reporting to developers to allow time for patches. However, databases like Wordfence Intelligence publish vulnerabilities once fixes are available or after a responsible disclosure period.

How does the severity rating affect vulnerability prioritization?

Severity ratings (Wordfence assigns CVSS 3.1 scores) categorize vulnerabilities by potential impact and exploitability. Critical and high-severity vulnerabilities usually require immediate attention, as they can lead to site compromise or data loss, whereas medium and low can be scheduled for regular maintenance cycles. Within a severity band, prioritize issues that are exploitable without authentication over those that need a privileged account, and issues in plugins exposed on public-facing pages over those only reachable from the admin area.
