Security Intelligence
Current WordPress Vulnerabilities
Vulnerability data for WordPress core and the most widely installed plugins, sourced from WPVulnerability.com. Unpatched issues are shown first. Recent disclosures (past 12 months) are highlighted regardless of patch status.
Data fetched live — last updated . Cached for up to one hour.
| Plugin / Component | Worst Severity | Unpatched | Recent (12m) | Total Known |
|---|---|---|---|---|
| WooCommerce | Critical · 9.8 | 1 | 4 | 97 |
| Jetpack | Medium · 6.1 | 1 | 2 | 46 |
| Fluent Forms | High · 8.2 | 0 | 11 | 36 |
| UpdraftPlus | High · 8.1 | 0 | 2 | 27 |
| Really Simple SSL | High · 8.1 | 0 | 4 | 7 |
| WPForms Lite | High · 8.1 | 0 | 7 | 29 |
| Advanced Custom Fields | High · 7.5 | 0 | 9 | 38 |
| LiteSpeed Cache | High · 7.2 | 0 | 4 | 20 |
| Elementor | Medium · 6.5 | 0 | 13 | 62 |
| WordPress 6.8 | Medium · 5.9 | 0 | 12 | 12 |
| Yoast SEO | Medium · 4.3 | 0 | 3 | 33 |
| Contact Form 7 | None known | 0 | 0 | 12 |
| Akismet | None known | 0 | 0 | 4 |
| WP Mail SMTP | None known | 0 | 0 | 4 |
| Wordfence | None known | 0 | 0 | 34 |
| All-In-One Security | None known | 0 | 0 | 0 |
| EWWW Image Optimizer | None known | 0 | 0 | 11 |
| WP Super Cache | None known | 0 | 0 | 22 |
| Loginizer | None known | 0 | 0 | 11 |
| WPCode | None known | 0 | 0 | 0 |
| Slim SEO | None known | 0 | 0 | 2 |
Requires Immediate Action
Unpatched vulnerabilities
These vulnerabilities have no available fix. Sites running affected versions are exposed until the vendor issues a patch or the plugin is replaced.
WooCommerce [woocommerce] == 7.1.0 (unfixed)
Jetpack — WP Security, Backup, Speed, & Growth [jetpack] <= 9.1 (unfixed)
Recent Disclosures
High and critical — past 12 months
These vulnerabilities have available fixes. Sites running outdated versions remain exposed.
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.0
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.1
UpdraftPlus: WP Backup & Migration Plugin [updraftplus] < 1.26.5
Really Simple Security — Simple and Performant Security (formerly Really Simple SSL) [really-simple-ssl] < 9.5.10.1
WPForms — Easy Form Builder for WordPress — Contact Forms, Payment Forms, Surveys, & More [wpforms-lite] < 1.10.0.3
WPForms — Easy Form Builder for WordPress — Contact Forms, Payment Forms, Surveys, & More [wpforms-lite] < 1.10.0.5
Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.11
LiteSpeed Cache [litespeed-cache] < 7.8
Understanding this data
What the severity scores mean
Typically exploitable remotely with no authentication. Patch immediately.
Significant risk. Patch or mitigate within days, not weeks.
Real risk, usually requires some access or conditions. Patch on your next maintenance window.
Limited real-world impact. Patch during routine updates.
CVSS scores are provided by WPVulnerability.com, aggregated from sources including Wordfence Threat Intelligence, WPScan, and the NVD. Scores reflect the worst-case vector — actual exploitability varies by site configuration.
This page covers a curated set of commonly installed plugins. It is not a complete inventory of every WordPress vulnerability. For a full audit of your specific installation, get in touch.
Need help?
Found a vulnerability on your site?
I provide forensic security audits, malware removal, and hardening for WordPress sites. Every engagement starts with a diagnostic — I tell you exactly what the exposure is before touching anything.
