WordPress vulnerabilities - every known CVE across core, plugins, and themes
WordPress's attack surface comes mostly from its plugin and theme ecosystem, not core itself. Every disclosed CVE is scored, classified, and cross-referenced against the components that caused it.
WordPress security
The most targeted web platform
WordPress powers over 40% of all websites, which makes it the most targeted platform on the web. WordPress core is actively maintained and gets automatic security updates for minor releases. Core itself has relatively few CVEs each year. The real risk is in plugins and themes. There are over 60,000 plugins in the official directory, built by many different developers with varying security practices. One vulnerable plugin installed across millions of sites can be actively exploited within hours of a CVE going public.
The most common vulnerability types in the WordPress ecosystem are cross-site scripting (XSS), SQL injection, broken access control, cross-site request forgery (CSRF), PHP object injection, and unrestricted file upload. XSS and access control failures account for most WordPress CVEs. They are usually found in plugin code that processes user input without proper sanitisation or permission checks.
This database tracks every CVE that affects WordPress core, plugins, themes, and page builders including Elementor, Divi, WPBakery, and Beaver Builder. Records come from the official NVD feed and are updated continuously.
Triage and remediation
From CVE to fix
Search by plugin name, theme name, or vendor to filter the list down to what you care about. Click any CVE ID to open the full record: CVSS score breakdown, affected version range, disclosure dates, and a link to the original NVD entry.
If a plugin or theme on one of your sites shows up here with a Critical or High rating and your installed version is within the affected range, update or remove it right away. Most WordPress plugin vulnerabilities are patched within days of CVE assignment. Check the plugin changelog for a security release newer than the affected range. If the plugin has been abandoned or removed from WordPress.org, removal is the only safe option.
| CVE ID | Severity | CVSS | Title | Published |
|---|---|---|---|---|
| CVE-2026-13741 | high | 8.8/10 | Jul 16, 2026 yesterday | |
| CVE-2026-61985 | medium | 5.3/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61983 | medium | 5.3/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61977 | medium | 5.3/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61976 | medium | 5.3/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61975 | medium | 5.3/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61971 | low | 2.7/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61970 | medium | 4.9/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61968 | medium | 5.4/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61958 | medium | 5.4/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61956 | high | 7.1/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61955 | high | 7.6/10 | Jul 13, 2026 4d ago | |
| CVE-2026-61952 | medium | 4.9/10 | Jul 13, 2026 4d ago | |
| CVE-2026-59523 | medium | 6.5/10 | Jul 13, 2026 4d ago | |
| CVE-2026-59521 | high | 7.2/10 | Jul 13, 2026 4d ago | |
| CVE-2026-59518 | critical | 9.8/10 | Jul 13, 2026 4d ago | |
| CVE-2026-59516 | high | 7.1/10 | Jul 13, 2026 4d ago | |
| CVE-2026-59515 | critical | 9.3/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57816 | high | 7.1/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57815 | high | 7.5/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57814 | high | 7.1/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57813 | critical | 9.8/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57812 | medium | 6.5/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57811 | critical | 10.0/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57810 | high | 8.5/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57805 | high | 7.5/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57804 | high | 7.5/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57803 | high | 7.5/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57802 | high | 7.5/10 | Jul 13, 2026 4d ago | |
| CVE-2026-57801 | high | 7.5/10 | Jul 13, 2026 4d ago |