TTPwire Vol. 1 · MITRE ATT&CK Tagged


Wordfence Blog

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026)

Chloe Chamberland · 5 days ago

ATT&CK techniques detected

13 predictions
T1190 Exploit Public-Facing Application (97%)
“…vendor on a patch. Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay. Total Unpatched & Patched Vulnerabilities Last Week · Patch S…”

T1190 Exploit Public-Facing Application (93%)
“…– Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.6 - Unauthenticated SQL Injection · CVSS Rating 7.5 (High) · CVE-ID CVE-2026-40771 · Patch Status Patched · Published Apr 21, 2026 · Affected Software Contest Gallery – Upload & Vote Photos, Media, Sell with …”

T1190 Exploit Public-Facing Application (87%)
“…More details > · DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update · CVSS Rating 4.3 (Medium) · CVE-ID CVE-2026-4138 · Patch Status Unpatched · Published Apr 21, 2026 · Affected Software DX Unanswered Comments [dx-unanswered-comments] · Rese…”

T1190 Exploit Public-Facing Application (86%)
“…6 - Unauthenticated SQL Injection · CVSS Rating 7.5 (High) · CVE-ID CVE-2026-39574 · Patch Status Patched · Published Apr 20, 2026 · Affected Software Inpost Gallery [inpost-gallery] · Researcher hivesec · More details > · ListingPro Plugin <= 2.9.10 - Unauthenticated SQL In…”

T1190 Exploit Public-Facing Application (72%)
“…-coupon-usage] · Researcher Nguyen Ba Khanh · More details > · ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process · CVSS Rating 7.2 (High) · CVE-ID CVE-2026-5464 · Patch Status Patched · Publis…”

T1190 Exploit Public-Facing Application (72%)
“…CVSS Rating 6.5 (Medium) · CVE-ID CVE-2026-4280 · Patch Status Unpatched · Published Apr 21, 2026 · Affected Software Breaking News WP [breaking-news-wp] · Researcher t0ann9uy3n · More details > · MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.25 -…”

T1588.006 Obtain Capabilities: Vulnerabilities (61%)
“…CVSS Rating 5.3 (Medium) · CVE-ID CVE-2025-64215 · Patch Status Patched · Published Apr 23, 2026 · Affected Software MasterStudy LMS Pro [masterstudy-lms-learning-management-system-pro] · Researcher Rafie Muhammad · More details > · Maxi Blocks <= 2.1.8 - Missing Auth…”

T1588.006 Obtain Capabilities: Vulnerabilities (50%)
“…Jakub Herman · More details > · Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute · CVSS Rating 4.3 (Medium) · CVE-ID CVE-2026-4126 · Patch Status Unpatched · Published Apr 21, 2026 · Affected Software Tab…”

T1190 Exploit Public-Facing Application (49%)
“…Unauthenticated PHP Object Injection · CVSS Rating 8.1 (High) · CVE-ID CVE-2026-40759 · Patch Status Patched · Published Apr 20, 2026 · Affected Software Esmee - Fashion Store WordPress Theme [esme] · Researcher Denver Jackson · More details > · Everest Forms <= 3.4.4 - Unauth…”

T1190 Exploit Public-Facing Application (42%)
“…- Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure · CVSS Rating 4.3 (Medium) · CVE-ID CVE-2025-11762 · Patch Status Patched · Published Apr 23, 2026 · Affected Software HubSpot All-In-One Marketing – Forms, Popups, Live Chat [leadin]…”

T1190 Exploit Public-Facing Application (38%)
“…Stored Cross-Site Scripting via 'exceptions' Setting · CVSS Rating 4.4 (Medium) · CVE-ID CVE-2026-2719 · Patch Status Unpatched · Published Apr 21, 2026 · Affected Software Private WP Suite [private-wp-suite] · Researcher Muhammad Nur Ibnu Hubab (Ibnu) · More details …”

T1588.006 Obtain Capabilities: Vulnerabilities (32%)
“…23, 2026 · Affected Software WPBot – AI Chatbot for Live Support, Lead Generation, AI Services [chatbot] · Researcher Mehdi Ouassou · More details > · WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce <= 7.2.1 - Authenticated (Subscriber+) Inform…”

T1588.006 Obtain Capabilities: Vulnerabilities (32%)
“…) · CVE-ID CVE-2026-4133 · Patch Status Unpatched · Published Apr 21, 2026 · Affected Software Textp2p Texting Widget [textp2p-texting-widget] · Researcher Afnaan · More details > · TP Restore Categories and Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscrib…”

Summary

Last week, 157 vulnerabilities disclosed in 122 WordPress plugins and 27 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 69 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected; note that several entries above are listed as Unpatched, meaning no fixed version exists yet, and that sites on the free version of Wordfence receive the corresponding firewall rules only after a 30 day delay.
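The check a site owner actually needs from this report is "is any installed plugin at or below the listed affected version, and is there a fix to apply". The following is an added example, not code from Wordfence or from the TTPwire page: it feeds the JSON that `wp plugin list --format=json` prints into a comparison against entries transcribed from the report fragments above. Only the dx-unanswered-comments slug is visible on this page; the contest-gallery and table-manager slugs are assumed for illustration, and the sample plugin list is constructed, not captured from a real site. The version comparison pads missing components with zeros so that "1.7" and "1.7.0" compare equal, inactive plugins are still reported because their code remains on disk, and entries marked Unpatched get "deactivate and delete" rather than "update", since no safe version exists to update to.

```python
import json

# Entries transcribed from the report fragments above. Only the
# dx-unanswered-comments slug appears on the page; the contest-gallery and
# table-manager slugs are ASSUMED for this example and must be confirmed
# against the plugin directory before being used against a real site.
AFFECTED = [
    {"slug": "dx-unanswered-comments", "max_version": "1.7",
     "cve": "CVE-2026-4138", "patched": False,
     "title": "Cross-Site Request Forgery via Settings Update"},
    {"slug": "contest-gallery", "max_version": "28.1.6",   # slug assumed
     "cve": "CVE-2026-40771", "patched": True,
     "title": "Unauthenticated SQL Injection"},
    {"slug": "table-manager", "max_version": "1.0.0",      # slug assumed
     "cve": "CVE-2026-4126", "patched": False,
     "title": "Authenticated (Contributor+) Sensitive Information Exposure"},
]


def version_key(version):
    """Turn '28.1.6' into (28, 1, 6). A non-numeric component such as
    '0-rc1' is reduced to its leading digits so comparison stays numeric."""
    parts = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_at_or_below(installed, max_version):
    """True when installed <= max_version. Missing trailing components are
    treated as zero, so '1.7' and '1.7.0' are considered equal."""
    a, b = version_key(installed), version_key(max_version)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def find_affected(plugin_list_json, affected=AFFECTED):
    """Match `wp plugin list --format=json` output against the report entries.
    Inactive plugins are still reported: deactivation leaves the vulnerable
    code on disk, so the plugin should be removed, not merely switched off."""
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    findings = []
    for entry in affected:
        plugin = installed.get(entry["slug"])
        if plugin is None:
            continue
        if not is_at_or_below(plugin["version"], entry["max_version"]):
            continue
        if entry["patched"]:
            action = "update to a version above %s" % entry["max_version"]
        else:
            action = "no fix available: deactivate and delete the plugin"
        findings.append({
            "slug": entry["slug"],
            "installed": plugin["version"],
            "status": plugin["status"],
            "cve": entry["cve"],
            "title": entry["title"],
            "action": action,
        })
    return findings


# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "dx-unanswered-comments", "status": "active", "update": "none", "version": "1.7"},
    {"name": "contest-gallery", "status": "active", "update": "available", "version": "28.1.5"},
    {"name": "table-manager", "status": "inactive", "update": "none", "version": "1.0.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for f in find_affected(SAMPLE_PLUGIN_LIST):
        print("%(slug)s %(installed)s (%(status)s): %(cve)s %(title)s -> %(action)s" % f)
```

On a real site, replace SAMPLE_PLUGIN_LIST with the output of `wp plugin list --format=json` and extend AFFECTED from the full report; for the Unpatched entries there is nothing to update to, and the 30 day firewall-rule delay on the free Wordfence tier means removal is the only immediate mitigation.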

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026) appeared first on Wordfence.