Feed live

WordPress vulnerabilities - every known CVE across core, plugins, and themes

WordPress's attack surface comes mostly from its plugin and theme ecosystem, not core itself. Every disclosed CVE is scored, classified, and cross-referenced against the components that caused it.

Total CVEs tracked
339,613
All time
Critical · Active
10,844
CVSS ≥ 9.0
New · 14 days
2,602
Newly disclosed
Feed last synced
2 hrs ago
Data freshness

WordPress security

The most targeted web platform

WordPress powers over 40% of all websites, which makes it the most targeted platform on the web. WordPress core is actively maintained and gets automatic security updates for minor releases. Core itself has relatively few CVEs each year. The real risk is in plugins and themes. There are over 60,000 plugins in the official directory, built by many different developers with varying security practices. One vulnerable plugin installed across millions of sites can be actively exploited within hours of a CVE going public.

The most common vulnerability types in the WordPress ecosystem are cross-site scripting (XSS), SQL injection, broken access control, cross-site request forgery (CSRF), PHP object injection, and unrestricted file upload. XSS and access control failures account for most WordPress CVEs. They are usually found in plugin code that processes user input without proper sanitisation or permission checks.

This database tracks every CVE that affects WordPress core, plugins, themes, and page builders including Elementor, Divi, WPBakery, and Beaver Builder. Records come from the official NVD feed and are updated continuously.

Triage and remediation

From CVE to fix

Search by plugin name, theme name, or vendor to filter the list down to what you care about. Click any CVE ID to open the full record: CVSS score breakdown, affected version range, disclosure dates, and a link to the original NVD entry.

If a plugin or theme on one of your sites shows up here with a Critical or High rating and your installed version is within the affected range, update or remove it right away. Most WordPress plugin vulnerabilities are patched within days of CVE assignment. Check the plugin changelog for a security release newer than the affected range. If the plugin has been abandoned or removed from WordPress.org, removal is the only safe option.

Critical 9.0–10.0 Remote, no auth, max impact
High 7.0–8.9 Serious, remotely exploitable
Medium 4.0–6.9 Often requires auth or conditions
Low 0.1–3.9 Limited exploitability or impact
Showing 1–30 CVEs
Sorted by Published · Newest first
CVE ID Severity CVSS Title Published
CVE-2026-13741 high 8.8/10 Jul 16, 2026 yesterday
CVE-2026-61985 medium 5.3/10 Jul 13, 2026 4d ago
CVE-2026-61983 medium 5.3/10 Jul 13, 2026 4d ago
CVE-2026-61977 medium 5.3/10 Jul 13, 2026 4d ago
CVE-2026-61976 medium 5.3/10 Jul 13, 2026 4d ago
CVE-2026-61975 medium 5.3/10 Jul 13, 2026 4d ago
CVE-2026-61971 low 2.7/10 Jul 13, 2026 4d ago
CVE-2026-61970 medium 4.9/10 Jul 13, 2026 4d ago
CVE-2026-61968 medium 5.4/10 Jul 13, 2026 4d ago
CVE-2026-61958 medium 5.4/10 Jul 13, 2026 4d ago
CVE-2026-61956 high 7.1/10 Jul 13, 2026 4d ago
CVE-2026-61955 high 7.6/10 Jul 13, 2026 4d ago
CVE-2026-61952 medium 4.9/10 Jul 13, 2026 4d ago
CVE-2026-59523 medium 6.5/10 Jul 13, 2026 4d ago
CVE-2026-59521 high 7.2/10 Jul 13, 2026 4d ago
CVE-2026-59518 critical 9.8/10 Jul 13, 2026 4d ago
CVE-2026-59516 high 7.1/10 Jul 13, 2026 4d ago
CVE-2026-59515 critical 9.3/10 Jul 13, 2026 4d ago
CVE-2026-57816 high 7.1/10 Jul 13, 2026 4d ago
CVE-2026-57815 high 7.5/10 Jul 13, 2026 4d ago
CVE-2026-57814 high 7.1/10 Jul 13, 2026 4d ago
CVE-2026-57813 critical 9.8/10 Jul 13, 2026 4d ago
CVE-2026-57812 medium 6.5/10 Jul 13, 2026 4d ago
CVE-2026-57811 critical 10.0/10 Jul 13, 2026 4d ago
CVE-2026-57810 high 8.5/10 Jul 13, 2026 4d ago
CVE-2026-57805 high 7.5/10 Jul 13, 2026 4d ago
CVE-2026-57804 high 7.5/10 Jul 13, 2026 4d ago
CVE-2026-57803 high 7.5/10 Jul 13, 2026 4d ago
CVE-2026-57802 high 7.5/10 Jul 13, 2026 4d ago
CVE-2026-57801 high 7.5/10 Jul 13, 2026 4d ago
Page 1
Prev 1 2