Freshy Security Bulletins | WordPress Vulnerabilities & Risks

WordPress Security Bulletin: MW WP Form Plugin Vulnerability (CVE-2026-4347)

April 2, 2026

Security Alert Summary The MW WP Form plugin for WordPress contains a vulnerability that allows arbitrary file moving due to insufficient file path validation. An unauthenticated attacker can move files…

Read security notice

WordPress Security Bulletin: Webmention Plugin Vulnerability (CVE-2026-0688)

April 2, 2026

Security Alert Summary The Webmention plugin for WordPress contains a server-side request forgery (SSRF) vulnerability via its Tools::read function in all versions up to and including 5.6.2. Authenticated users with…

Read security notice

WordPress Security Bulletin: W3 Total Cache Plugin Vulnerability (CVE-2026-5032)

April 2, 2026

Security Alert Summary The W3 Total Cache plugin for WordPress contains an information exposure vulnerability in all versions up to and including 2.9.3. When a request’s User-Agent header contains “W3…

Read security notice

WordPress Security Bulletin: Webmention Plugin Vulnerability (CVE-2026-0686)

April 2, 2026

Security Alert Summary The Webmention plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability that affects all versions up to and including 5.6.2. An unauthenticated attacker can trigger the…

Read security notice

WordPress Security Bulletin: Spam Protect for Contact Form 7 Plugin Vulnerability (CVE-2026-1540)

April 2, 2026

Security Alert Summary The Spam Protect for Contact Form 7 plugin contains a vulnerability that allows logging to a PHP file. An attacker with editor-level access could leverage a crafted…

Read security notice

WordPress Security Bulletin: King Addons for Elementor Plugin Vulnerability (CVE-2025-13535)

April 1, 2026

Security Alert Summary The King Addons for Elementor plugin for WordPress contains multiple DOM-based stored Cross-Site Scripting (XSS) vulnerabilities that can be abused by authenticated users with Contributor-level access or…

Read security notice

WordPress Security Bulletin: Export All URLs Plugin Vulnerability (CVE-2026-2696)

April 1, 2026

Security Alert Summary The Export All URLs WordPress plugin before 5.1 generates exported CSV filenames containing post URLs (including private posts) using a predictable pattern with a random 6-digit number.…

Read security notice

WordPress Security Bulletin: Order Notification for WooCommerce Plugin Vulnerability (CVE-2025-15484)

April 1, 2026

Security Alert Summary The Order Notification for WooCommerce WordPress plugin contains a vulnerability that overrides WooCommerce permission checks and grants full access to unauthenticated requests. This could allow anonymous users…

Read security notice

WordPress Security Bulletin: Database for Contact Form 7, WPforms, Elementor forms Plugin Vulnerability (CVE-2026-3831)

April 1, 2026

Security Alert Summary The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress contains a missing capability check in the entries_shortcode() function in all versions up to and…

Read security notice

WordPress Security Bulletin: WP Shortcodes Plugin – Shortcodes Ultimate (CVE-2026-2480)

April 1, 2026

Security Alert Summary The WP Shortcodes Plugin – Shortcodes Ultimate for WordPress contains a stored cross-site scripting (XSS) vulnerability in the su_box shortcode. Insufficient input sanitization and output escaping for…

Read security notice

WordPress Security Bulletin: Booking for Appointments and Events Calendar – Amelia Plugin Vulnerability (CVE-2026-4668)

April 1, 2026

Security Alert Summary The Booking for Appointments and Events Calendar – Amelia plugin for WordPress contains a SQL injection vulnerability in the payments listing endpoint. The issue involves the sort…

Read security notice

WordPress Security Bulletin: Query Monitor Plugin Vulnerability (CVE-2026-4267)

March 31, 2026

Security Alert Summary The Query Monitor plugin for WordPress is affected by a reflected cross-site scripting (XSS) vulnerability via the $_SERVER['REQUEST_URI'] parameter in all versions up to and including 3.20.3.…

Read security notice

WordPress Security Bulletin: Auto Post Scheduler Plugin Vulnerability (CVE-2026-1877)

March 31, 2026

Security Alert Summary The Auto Post Scheduler plugin for WordPress is affected by a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.84. Missing nonce validation…

Read security notice

WordPress Security Bulletin: Performance Monitor Plugin Vulnerability (CVE-2026-3881)

March 31, 2026

Security Alert Summary The Performance Monitor WordPress plugin through 1.0.6 contains a server-side request forgery (SSRF) issue: a parameter is not validated before being used to make an outbound request,…

Read security notice

WordPress Security Bulletin: Minify HTML Plugin Vulnerability (CVE-2026-3191)

March 31, 2026

Security Alert Summary The Minify HTML plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability that affects all versions up to, and including, 2.1.12. The issue stems from missing…

Read security notice

WordPress Security Bulletin: Ibtana – WordPress Website Builder Plugin Vulnerability (CVE-2026-1834)

March 31, 2026

Security Alert Summary The Ibtana – WordPress Website Builder plugin contains a stored cross-site scripting (XSS) vulnerability in the plugin’s 'ive' shortcode. Insufficient input sanitization and output escaping of user-supplied…

Read security notice

WordPress Security Bulletin: User Profile Builder Plugin Vulnerability (CVE-2026-3139)

March 31, 2026

Security Alert Summary The User Profile Builder plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in the wppb_save_avatar_value() function that allows authenticated users with subscriber-level access and…

Read security notice

WordPress Security Bulletin: Gravity SMTP Plugin Vulnerability (CVE-2026-4020)

March 31, 2026

Security Alert Summary The Gravity SMTP plugin for WordPress (all versions up to and including 2.1.4) exposes sensitive system configuration data through a publicly accessible REST API endpoint. An unauthenticated…

Read security notice

WordPress Security Bulletin: Loco Translate Plugin Vulnerability (CVE-2026-4146)

March 31, 2026

Security Alert Summary The Loco Translate plugin for WordPress contains a reflected cross-site scripting (XSS) vulnerability via the update_href parameter in all versions up to and including 2.8.2. Insufficient input…

Read security notice

WordPress Security Bulletin: WooPayments: Integrated WooCommerce Payments Plugin Vulnerability (CVE-2026-1710)

March 31, 2026

Security Alert Summary The WooPayments: Integrated WooCommerce Payments plugin for WordPress contains a missing capability check in the save_upe_appearance_ajax function in all versions up to and including 10.5.1. This allows…

Read security notice

WordPress Security Bulletin: Debugger & Troubleshooter Plugin Vulnerability (CVE-2026-5130)

March 31, 2026

Security Alert Summary The Debugger & Troubleshooter plugin for WordPress contains an unauthenticated privilege escalation vulnerability (CVE-2026-5130) in versions up to and including 1.3.2. The plugin accepted a cookie value…

Read security notice

WordPress Security Bulletin: Everest Forms Pro Plugin Vulnerability (CVE-2026-3300)

March 31, 2026

Security Alert Summary The Everest Forms Pro plugin for WordPress contains a remote code execution vulnerability (CVE-2026-3300) tied to the Calculation Addon. The addon concatenates user-submitted values into PHP code…

Read security notice

WordPress Security Bulletin: Appointment Booking and Scheduler Plugin – Truebooker (CVE-2026-1797)

March 31, 2026

Security Alert Summary The Appointment Booking and Scheduler Plugin – Truebooker for WordPress contains a sensitive information exposure vulnerability in its view files that can allow unauthenticated users to directly…

Read security notice

WordPress Security Bulletin: Contact Form by Supsystic Plugin Vulnerability (CVE-2026-4257)

March 31, 2026

Security Alert Summary The Contact Form by Supsystic WordPress plugin contains a server-side template injection (SSTI) vulnerability that can lead to remote code execution (RCE). Unauthenticated users can inject arbitrary…

Read security notice

WordPress security bulletins

WordPress Security Bulletin: MW WP Form Plugin Vulnerability (CVE-2026-4347)

WordPress Security Bulletin: Webmention Plugin Vulnerability (CVE-2026-0688)

WordPress Security Bulletin: W3 Total Cache Plugin Vulnerability (CVE-2026-5032)

WordPress Security Bulletin: Webmention Plugin Vulnerability (CVE-2026-0686)

WordPress Security Bulletin: Spam Protect for Contact Form 7 Plugin Vulnerability (CVE-2026-1540)

WordPress Security Bulletin: King Addons for Elementor Plugin Vulnerability (CVE-2025-13535)

WordPress Security Bulletin: Export All URLs Plugin Vulnerability (CVE-2026-2696)

WordPress Security Bulletin: Order Notification for WooCommerce Plugin Vulnerability (CVE-2025-15484)

WordPress Security Bulletin: Database for Contact Form 7, WPforms, Elementor forms Plugin Vulnerability (CVE-2026-3831)

WordPress Security Bulletin: WP Shortcodes Plugin – Shortcodes Ultimate (CVE-2026-2480)

WordPress Security Bulletin: Booking for Appointments and Events Calendar – Amelia Plugin Vulnerability (CVE-2026-4668)

WordPress Security Bulletin: Query Monitor Plugin Vulnerability (CVE-2026-4267)

WordPress Security Bulletin: Auto Post Scheduler Plugin Vulnerability (CVE-2026-1877)

WordPress Security Bulletin: Performance Monitor Plugin Vulnerability (CVE-2026-3881)

WordPress Security Bulletin: Minify HTML Plugin Vulnerability (CVE-2026-3191)

WordPress Security Bulletin: Ibtana – WordPress Website Builder Plugin Vulnerability (CVE-2026-1834)

WordPress Security Bulletin: User Profile Builder Plugin Vulnerability (CVE-2026-3139)

WordPress Security Bulletin: Gravity SMTP Plugin Vulnerability (CVE-2026-4020)

WordPress Security Bulletin: Loco Translate Plugin Vulnerability (CVE-2026-4146)

WordPress Security Bulletin: WooPayments: Integrated WooCommerce Payments Plugin Vulnerability (CVE-2026-1710)

WordPress Security Bulletin: Debugger & Troubleshooter Plugin Vulnerability (CVE-2026-5130)

WordPress Security Bulletin: Everest Forms Pro Plugin Vulnerability (CVE-2026-3300)

WordPress Security Bulletin: Appointment Booking and Scheduler Plugin – Truebooker (CVE-2026-1797)

WordPress Security Bulletin: Contact Form by Supsystic Plugin Vulnerability (CVE-2026-4257)

Our services

Our work

About us

For clients