Security Intelligence

Current WordPress Vulnerabilities

Vulnerability data for WordPress core and the most widely installed plugins, sourced from WPVulnerability.com. Unpatched issues are shown first. Recent disclosures (past 12 months) are highlighted regardless of patch status.

Data fetched live — last updated . Cached for up to one hour.

| Plugin / Component | Worst Severity | Unpatched | Recent (12m) | Total Known |
|---|---|---|---|---|
| Jetpack | Medium · 6.1 | 1 | 2 | 46 |
| Fluent Forms | High · 8.2 | 0 | 11 | 36 |
| WPForms Lite | High · 8.1 | 0 | 5 | 27 |
| Slim SEO | High · 7.6 | 0 | 1 | 2 |
| Advanced Custom Fields | High · 7.5 | 0 | 9 | 38 |
| LiteSpeed Cache | High · 7.2 | 0 | 4 | 20 |
| WooCommerce | Medium · 6.5 | 0 | 3 | 96 |
| Elementor | Medium · 6.5 | 0 | 13 | 62 |
| UpdraftPlus | Medium · 6.1 | 0 | 1 | 26 |
| WordPress 6.8 | Medium · 5.9 | 0 | 12 | 12 |
| Yoast SEO | Medium · 4.3 | 0 | 3 | 33 |
| Really Simple SSL | Medium · 4.3 | 0 | 2 | 5 |
| Contact Form 7 | None known | 0 | 0 | 12 |
| Akismet | None known | 0 | 0 | 4 |
| WP Mail SMTP | None known | 0 | 0 | 4 |
| Wordfence | None known | 0 | 0 | 34 |
| All-In-One Security | None known | 0 | 0 | 0 |
| EWWW Image Optimizer | None known | 0 | 0 | 11 |
| WP Super Cache | None known | 0 | 0 | 22 |
| Loginizer | None known | 0 | 0 | 11 |
| WPCode | None known | 0 | 0 | 0 |

Requires Immediate Action

Unpatched vulnerabilities

These vulnerabilities have no available fix. Sites running affected versions are exposed until the vendor issues a patch or the plugin is replaced.

Jetpack

Jetpack — WP Security, Backup, Speed, & Growth [jetpack] <= 9.1 (unfixed)

Medium · CVSS 6.1
Disclosed: 2026-05-10 · No fix available

Recent Disclosures

High and critical — past 12 months

These vulnerabilities have available fixes. Sites running outdated versions remain exposed.

Fluent Forms High · 8.2

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.0

2026-05-14 · Fix: upgrade past 6.2.0

Fluent Forms High · 8.2

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder [fluentform] < 6.2.1

2026-05-14 · Fix: upgrade past 6.2.1

WPForms Lite High · 8.1

WPForms — Easy Form Builder for WordPress — Contact Forms, Payment Forms, Surveys, & More [wpforms-lite] < 1.10.0.3

2026-04-15 · Fix: upgrade past 1.10.0.3

Slim SEO High · 7.6

Slim SEO — A Fast & Automated SEO Plugin For WordPress [slim-seo] < 4.5.5

2025-06-17 · Fix: upgrade past 4.5.5

Advanced Custom Fields High · 7.5

Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.11

2025-10-03 · Fix: upgrade past 5.11

LiteSpeed Cache High · 7.2

LiteSpeed Cache [litespeed-cache] < 7.8

2026-05-27 · Fix: upgrade past 7.8

Understanding this data

What the severity scores mean

Critical CVSS 9.0–10.0

Typically exploitable remotely with no authentication. Patch immediately.

High CVSS 7.0–8.9

Significant risk. Patch or mitigate within days, not weeks.

Medium CVSS 4.0–6.9

Real risk, usually requires some access or conditions. Patch on your next maintenance window.

Low CVSS 0.1–3.9

Limited real-world impact. Patch during routine updates.

CVSS scores are provided by WPVulnerability.com, aggregated from sources including Wordfence Threat Intelligence, WPScan, and the NVD. Scores reflect the worst-case vector — actual exploitability varies by site configuration.

This page covers a curated set of commonly installed plugins. It is not a complete inventory of every WordPress vulnerability. For a full audit of your specific installation, get in touch.

Need help?

Found a vulnerability on your site?

I provide forensic security audits, malware removal, and hardening for WordPress sites. Every engagement starts with a diagnostic — I tell you exactly what the exposure is before touching anything.