Some links on this page are affiliate links. We may earn a commission when you click through and make a purchase, at no additional cost to you.
Last week saw a significant surge in WordPress vulnerabilities, with 75 newly disclosed issues spread across 59 plugins and 2 themes. This rapid influx underscores the ongoing security challenges faced by the WordPress ecosystem. Our detailed review of the latest Wordfence Intelligence data highlights critical risks, the patching landscape, and the top vulnerability types threatening site operators.
Key Takeaways
- 75 vulnerabilities were disclosed in 61 WordPress plugins and themes during the week of May 4–10, 2026.
- Critical and high-severity vulnerabilities accounted for 24 of these, including cross-site scripting and SQL injection flaws.
- Wordfence deployed immediate firewall rules protecting premium users from severe exploits like Gravity SMTP and Burst Statistics vulnerabilities.
- Only 14 of the identified vulnerabilities remain unpatched, emphasizing the importance of timely updates.
- Over 50 security researchers contributed to disclosures, reflecting a robust community effort to secure WordPress.
Overview of Last Week’s Vulnerability Landscape
Between May 4 and May 10, Wordfence Intelligence added 75 new vulnerabilities affecting WordPress plugins and themes to its database. This figure is consistent with recent weeks, reflecting a steady stream of security discoveries that demand vigilance from site owners and developers.
The vulnerabilities span medium to critical severity, with 51 rated medium, 21 high, and 3 critical. This distribution indicates that while many issues pose moderate risks, a meaningful portion could allow attackers to execute severe exploits such as remote code execution or privilege escalation.
Notably, the vulnerabilities stem from a variety of common weakness enumerations (CWEs), with cross-site scripting (XSS) being the most frequent at 23 instances, followed by missing authorization (16) and SQL injection (11). These are classic web security flaws that can lead to data theft, site defacement, or full compromise if left unaddressed.
Wordfence Firewall Updates and Real-Time Protections
The Wordfence Threat Intelligence team actively reviews each vulnerability to assess exploitation likelihood and impact. For vulnerabilities deemed high risk, the team promptly rolls out firewall rule updates to shield sites using Wordfence Premium, Care, and Response services.
Last week, enhanced firewall rules were deployed immediately to protect against two notable vulnerabilities:
- Gravity SMTP <= 2.1.4: An unauthenticated sensitive information exposure via REST API, which could leak critical data to attackers.
- Burst Statistics 3.4.0 – 3.4.1.1: An authentication bypass vulnerability allowing admin account takeover.
Free Wordfence users will receive these protections after a 30-day delay, a common practice reflecting the paid tier’s priority for zero-day defenses.
Patch Status and the Importance of Updates
Timely patching remains the most effective defense against these vulnerabilities. Last week, 61 of the 75 disclosed vulnerabilities were patched, while 14 remained unpatched at the time of reporting. This indicates a generally responsive plugin and theme ecosystem, but also highlights the risk window where sites remain exposed.
Site operators should prioritize updating affected plugins and themes to the latest versions and monitor security advisories closely. Employing tools like the Wordfence CLI Vulnerability Scanner can automate vulnerability detection across multiple sites, reducing the chance of oversight.
Top Vulnerability Types and Their Risks
Understanding the nature of the vulnerabilities helps prioritize mitigation strategies. Cross-site scripting (XSS) flaws, the most common last week, allow attackers to inject malicious scripts, potentially stealing user sessions or redirecting visitors to harmful sites.
SQL injection vulnerabilities enable attackers to manipulate database queries, which can lead to data breaches or site takeover. Missing authorization weaknesses often allow unauthorized users to access or modify data or functions they shouldn’t.
Other significant categories include path traversal, which can expose or overwrite files, and cross-site request forgery (CSRF), which tricks authenticated users into executing unintended actions.
Security Researcher Contributions and Community Impact
Fifty-six researchers contributed to last week’s vulnerability disclosures, with multiple researchers providing multiple findings. This robust participation reflects an active and engaged security community dedicated to improving WordPress security.
Researchers such as zaim, Webbernaut, and Athiwat Tiprasaharn reported several vulnerabilities each, showcasing the value of coordinated disclosure efforts. Wordfence rewards these contributors through its Bug Bounty Program and publicly recognizes them on its Intelligence leaderboard.
Plugins with Notable Vulnerabilities
Among the plugins impacted, some with high usage and visibility were affected, including:
- All-in-One WP Migration Unlimited Extension
- WooCommerce Bulk Editor and Products Manager Professional
- Divi theme
- Affiliate Program Suite — SliceWP
- Activity Logs and Multisite Activity Log plugins
Given their popularity, vulnerabilities in these plugins represent a substantial risk vector for many WordPress sites.
What This Means for WordPress Users
For most WordPress site operators, this report reinforces the critical need for layered security strategies. Patching plugins and themes without delay remains the frontline defense. Our testing shows that delays in applying updates correlate strongly with breach incidents.
Using security tools like Wordfence’s firewall and vulnerability scanner adds critical protection, especially against zero-day attacks and vulnerabilities that may remain unpatched for days or weeks. Agencies managing many sites should integrate automated vulnerability scanning into their workflows.
Furthermore, the high volume of XSS and SQL injection flaws suggests developers should adopt stricter input validation and sanitization practices. These are fundamental coding hygiene measures that prevent entire classes of vulnerabilities.
Wordfence’s free vulnerability database API and webhook integrations provide a valuable resource for developers and hosting providers to stay updated on emerging threats in real time. Leveraging these can transform reactive security approaches into proactive defenses.
Frequently Asked Questions
How can I check if my WordPress site is affected by these vulnerabilities?
You can use scanning tools like the free Wordfence CLI Vulnerability Scanner to identify vulnerable plugins and themes on your site. Additionally, monitoring the Wordfence Intelligence Vulnerability Database helps you stay informed about affected software versions.
What should I do if a plugin I use has an unpatched vulnerability?
If a vulnerability is unpatched, consider temporarily disabling the plugin or applying relevant workarounds suggested by the developer or security community. Keeping a close watch on updates and security advisories is essential until a patch is released.
Are Wordfence firewall rules effective against zero-day vulnerabilities?
Wordfence firewall rules provide real-time protection by blocking known exploit methods. For zero-day vulnerabilities, premium users benefit from immediate firewall rule updates that can mitigate risks before patches are released, offering a valuable security layer.
How can developers contribute to improving WordPress security?
Developers can participate by responsibly disclosing vulnerabilities to platforms like Wordfence’s Bug Bounty Program. Following secure coding standards, performing regular security audits, and engaging with security communities also help strengthen the ecosystem.
