WP Secure Stack Intelligence
Real-time tracking of CVEs, plugin exploits, and WordPress core vulnerabilities. Updated daily from Wordfence, NVD, and WPScan.
Latest CVE Advisories
| CVE ID | Plugin / Theme / Core | Affected Versions | Vulnerability Type | Severity | CVSS Score | Patch Status | Date Disclosed |
|---|---|---|---|---|---|---|---|
| CVE-2026-10580 | Hippoo Mobile App | ≤ 1.9.4 | Unauthenticated Authentication Bypass | Critical | 9.8 | Patched | June 5, 2026 |
| CVE-2026-5076 | ARMember Premium | ≤ 7.3.1 | Privilege Escalation | Critical | 9.8 | Patched | June 2, 2026 |
| CVE-2026-8206 | Kirki | 6.0.0 – 6.0.6 | Unauthenticated Privilege Escalation | Critical | 9.8 | Patched | June 1, 2026 |
| CVE-2026-48866 | Gravity Forms | ≤ 2.10.0.1 | Unauthenticated Arbitrary File Deletion | Critical | 9.1 | Patched | June 5, 2026 |
| CVE-2026-5415 | WP Captcha PRO | ≤ 5.38 | Authenticated (Subscriber+) Authentication Bypass | High | 8.8 | Patched | June 5, 2026 |
| CVE-2026-1829 | Content Visibility for Divi Builder | ≤ 4.02 | Remote Code Execution | High | 8.8 | Patched | June 2, 2026 |
| CVE-2026-8438 | All-In-One Security (AIOS) | ≤ 5.4.7 | Cross-Site Scripting (XSS) | High | 7.2 | Patched | June 5, 2026 |
| CVE-2026-10586 | Gutenberg Essential Blocks | ≤ 6.3.1 | Authenticated (Author+) Server-Side Request Forgery | High | 7.2 | Patched | June 4, 2026 |
| CVE-2026-48839 | WP Statistics | ≤ 14.16.6 | Unauthenticated Stored Cross-Site Scripting | High | 7.2 | Patched | June 1, 2026 |
| CVE-2026-8732 | WP Maps Pro | ≤ 6.1.0 | Unauthenticated Privilege Escalation | Critical | 9.8 | Patched | May 28, 2026 |
Data sourced from Wordfence Intelligence, WPScan, and NVD. CVSS scores from NVD. See our methodology.
Detailed Advisories
Full write-ups with remediation steps
- WordPress Security Intelligence Report – May 2026
In May 2026, security researchers disclosed over 500 WordPress plugin vulnerabilities, including 28 critical issues, 118 high-severity flaws, and 344 medium-risk vulnerabilities. The high number of critical issues points to a clear pattern: attackers and researchers continue to uncover severe flaws in unauthenticated privilege escalation, arbitrary file uploads, and authentication bypass mechanisms. Most vulnerabilities now…
- WP Maps Pro Privilege Escalation Exploit Explained
A critical vulnerability has been discovered in WP Maps Pro (versions ≤ 6.1.0) that allows unauthenticated attackers to create administrator accounts via the wpgmp_temp_access_ajax AJAX action. This plugin security flaw enables privilege escalation without requiring login credentials, effectively allowing remote attackers to take full control of affected WordPress sites. Site administrators using WP Maps Pro…
- Spectra Gutenberg Blocks Remote Code Execution Vulnerability CVE-2026-7465 Disclosed
Security researchers have identified a critical remote code execution vulnerability in the Spectra Gutenberg Blocks plugin for WordPress, a widely used extension for building Gutenberg-based layouts. The flaw allows authenticated users with contributor-level permissions to execute arbitrary PHP code under certain conditions involving block attributes. If exploited, this vulnerability can lead to full site compromise,…
- What Is a CVE? WordPress Vulnerabilities and Exposures Explained
WordPress powers over 43% of the web. That popularity makes it a prime target. In 2024 alone, security researchers discovered and registered 7,966 new vulnerabilities across WordPress plugins, themes, and core — a 34% jump from 2023. Each one got a CVE. If you run a WordPress site and don’t know what a CVE is,…
- Top 5 Security Breaches in WordPress History: Learn from the Past
A security breach in the WordPress context means one of three things: unauthorized access to site files or the database, mass exploitation of a vulnerability across thousands of sites simultaneously, or a supply chain attack where the infection arrives through a trusted update or package. The breaches in this list qualify on at least one…
- Masteriyo LMS Vulnerability Lets Students Hijack WordPress Admin — Here’s What You Need to Know
A missing authorization check just handed student-level users the keys to your entire WordPress site. Discovered by: SecurityLab Blogger (Hunter Jensen / skid — original researcher). Published: March 25, 2026 · Updated: March 27, 2026. Imagine this. You run a thriving online course business on WordPress. You’re using Masteriyo LMS to deliver content to hundreds of…
- How to Detect and Fix Vulnerable Plugins in WordPress
Vulnerable plugins cause more WordPress hacks than almost anything else. Not weak passwords. Not outdated WordPress core. Plugins. According to WPScan’s 2025 WordPress Vulnerability Report, plugins account for over 93% of all known WordPress vulnerabilities. That number should scare you. You can have the strongest password on the planet, the best hosting money can buy, and…
- Weekly Most Exploited WordPress Vulnerabilities
Is Your WordPress Site Already Exposed? Here’s a question that should keep every WordPress site owner up at night: how many plugins on your site haven’t been updated in the last 30 days? If you’re like most WordPress users, the honest answer is a few, maybe more. And that’s exactly how hackers get in. This…
Understanding severity
Critical (9.0–10.0) — Immediate action required. Exploit likely in the wild.
High (7.0–8.9) — Patch within 72 hours. Significant risk.
Medium (4.0–6.9) — Patch on next maintenance cycle.
fixed / unpatched — Current patch status.
Responsible Disclosure
Found a vulnerability?
We follow a 90-day responsible disclosure policy and acknowledge within 12 hours.