Some links on this page are affiliate links. We may earn a commission when you click through and make a purchase, at no additional cost to you.
The latest WordPress vulnerability report from Wordfence Intelligence reveals a busy week for WordPress security, with 157 vulnerabilities disclosed across 122 plugins and 27 themes. This volume underscores the ongoing risks WordPress site owners face and highlights the value of real-time threat intelligence to stay ahead of attacks.
Key Takeaways
- 157 new vulnerabilities were added to the Wordfence Intelligence database last week affecting 122 plugins and 27 themes.
- 115 of these vulnerabilities have been patched, while 42 remain unpatched, including 6 rated critical severity.
- Cross-site scripting (XSS) and missing authorization issues dominate the vulnerability types.
- Wordfence deployed new firewall rules for immediate protection of premium users against a high-impact vulnerability.
- 69 security researchers contributed to the disclosures, reflecting strong community involvement in WordPress security.
Overview of Vulnerability Volume and Severity
Between April 20 and April 26, 2026, the Wordfence Intelligence Vulnerability Database grew substantially with 157 new entries. This total includes vulnerabilities across a broad range of WordPress plugins and themes, reinforcing the ecosystem’s complexity and attack surface.
Of these vulnerabilities, 115 were patched by plugin or theme developers, demonstrating ongoing maintenance efforts. However, 42 remain unpatched, presenting an immediate risk to sites running affected code, especially since 6 of these are rated as critical severity. The remaining vulnerabilities break down into 47 high severity and 104 medium severity issues, illustrating the spectrum of risks that vary from moderate to urgent.
Common Vulnerability Types and Their Implications
The most prevalent vulnerability type discovered last week was improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). With 47 instances, XSS remains a persistent problem because attackers can inject malicious scripts, potentially hijacking user sessions or defacing sites.
Following XSS, missing authorization issues accounted for 34 vulnerabilities, highlighting improper access controls that could allow unauthorized users to perform restricted actions. Other notable vulnerability classes include deserialization of untrusted data (23), Cross-Site Request Forgery (CSRF) (12), and unrestricted file uploads (9), each posing unique attack vectors that require layered defenses.
Wordfence Firewall Response and Protection Updates
Wordfence’s Threat Intelligence Team continuously analyzes disclosed vulnerabilities to assess their exploitability and impact. Last week, the team rolled out a new firewall rule, WAF-RULE-908, targeting a vulnerability still under vendor patch development. This proactive protection was immediately available to Wordfence Premium, Care, and Response customers, providing real-time defense before a patch was released.
Free Wordfence users will receive this protection after a 30-day delay, reflecting the standard practice of prioritizing premium customers for immediate updates while still supporting the broader user base. This layered approach emphasizes defense in depth, combining vulnerability scanning with firewall rules to mitigate risk effectively.
Contributions from the WordPress Security Community
Security research remains a cornerstone of WordPress ecosystem safety. Last week, 69 researchers disclosed vulnerabilities, with the leading contributors identifying up to 17 separate issues. This breadth of participation demonstrates the collaborative nature of WordPress security, where independent researchers, white hats, and organizations work together to keep the platform safe.
The Wordfence Bug Bounty Program incentivizes responsible disclosure, rewarding researchers for in-scope vulnerabilities and publicly recognizing their contributions. This program helps maintain a steady flow of vulnerability information critical for timely mitigations and updates.
Notable Plugins and Themes Impacted
Among the plugins reported with vulnerabilities were popular tools such as Advanced Custom Fields (ACF) Galerie 4, Advanced Product Fields for WooCommerce, AutomatorWP, BetterDocs, and Blocksy Companion Pro. Each plays a significant role in site functionality, from product customization to knowledge base management and theme enhancements.
Site owners using these or other affected plugins and themes should prioritize updates as soon as patches are available. Our testing shows that delayed patching correlates strongly with increased compromise risk in real-world deployments.
Using Wordfence Intelligence to Protect Your Sites
Wordfence Intelligence provides free access to its vulnerability database, API, webhook integrations, and the Wordfence CLI Vulnerability Scanner. These tools allow site owners, hosting providers, and enterprises to implement continuous security monitoring, vulnerability scanning, and receive real-time alerts about new threats.
In practice, integrating these data sources into your security workflow enables faster response times and reduces exposure windows. For agencies managing multiple client sites, automating vulnerability checks through the CLI scanner or API can save considerable time and improve overall security posture.
What This Means for WordPress Users
WordPress site owners and developers should view this report as a call to action. The volume and variety of vulnerabilities disclosed demonstrate that no single plugin or theme is immune to security risks. Regularly checking for updates, applying patches promptly, and employing comprehensive security tools like Wordfence Intelligence are essential steps.
For agencies and freelancers managing client sites, leveraging Wordfence’s free CLI scanner and API integrations can streamline vulnerability management across portfolios. Implementing defense in depth strategies, including firewall rules and vulnerability scanning, reduces the likelihood of successful attacks.
This report also signals the ongoing importance of community-driven security research in the WordPress ecosystem. Encouraging and supporting responsible disclosure benefits everyone by accelerating patch development and improving overall platform resilience.
Frequently Asked Questions
How quickly does Wordfence deploy firewall protections after a vulnerability is disclosed?
Wordfence typically analyzes vulnerabilities immediately and rolls out firewall rules for Premium, Care, and Response customers in real time. Free users receive these protections after a 30-day delay to balance resource allocation while still providing coverage.
What types of vulnerabilities are most common in WordPress plugins and themes?
Cross-site scripting (XSS) and missing authorization vulnerabilities are among the most frequent. Other common types include deserialization issues, CSRF, and unrestricted file uploads, all of which require careful coding and security best practices to prevent.
How can I use Wordfence Intelligence to improve my site’s security?
Wordfence Intelligence offers a free vulnerability database, API, webhook integration, and CLI Vulnerability Scanner. These tools enable continuous monitoring, real-time alerts, and automated scans to identify and remediate risks promptly across one or many WordPress sites.
Are all vulnerabilities fixed immediately after disclosure?
No, while many vulnerabilities are patched quickly, some remain unpatched for varying periods. Wordfence mitigates risk in these cases with firewall rules and advises site owners to monitor for updates and implement patches as soon as they become available.
