Skip to main content
VortexMedia

WordPress Security · Updated monthly

The WordPress Vulnerability Tracker

Every month we break down the most serious WordPress plugin vulnerabilities — the CVE, the severity, how many sites are exposed, and exactly what to do. One running record, sourced from the industry's vulnerability databases.

Read the latest roundup Get protected hosting
5+
Monthly editions
13
CVEs tracked
10.0
Peak CVSS score
15M+
Installs in one alert

The archive

Monthly plugin CVE roundups

Newest first. Each edition covers the month's most exploitable WordPress plugin disclosures — with CVSS scores, affected install counts, patch status, and a three-step response.

May 2026 May 26, 2026 Critical 9.8

A 9.8 critical authentication bypass and two high-severity flaws landed across plugins installed on more than fifteen million WordPress sites — what was disclosed, what is patched, and what still needs attention.

Read the May roundup
April 2026 April 30, 2026 Supply chain

The year's most consequential event so far: a supply-chain backdoor dormant inside 30+ plugins in the EssentialPlugin suite (400,000+ installs), plus a critical RCE in Ninja Forms.

Read the April roundup
March 2026 March 31, 2026 No fix available

A critical arbitrary code execution flaw in W3 Total Cache (900,000+ sites) shipped with no patch available, alongside arbitrary file upload and privilege escalation disclosures.

Read the March roundup
February 2026 February 28, 2026 Critical 9.8

A 9.8 critical remote code execution vulnerability in WPvivid Backup & Migration (900,000+ installs), plus high-severity SSRF and data-exposure flaws.

Read the February roundup
January 2026 January 31, 2026 Critical 10.0

A CVSS 10.0 zero-day in the Modular DS plugin, actively exploited in the wild from January 13, plus a 9.8 registration bypass — the most severe opening month in recent memory.

Read the January roundup
Sources: Patchstack Wordfence Intelligence WPScan

How we track

Signal, not noise

Hundreds of WordPress CVEs are published every month. We surface only the ones that actually put real sites at risk — and translate them into plain-English action.

We triage by impact

Every month we review disclosures from Patchstack, Wordfence and WPScan and keep the ones with critical or high severity, real-world exploitation, or large install bases.

We give the numbers

CVE identifier, CVSS score, affected plugin and version range, install count, and whether a patch exists yet — so you can judge your own exposure in seconds.

We tell you what to do

Each entry ends with a clear three-step response — update, mitigate, or remove — plus what to watch for next month. No jargon, no fear-mongering.

We read these so you don't have to

Vortex Media has kept WordPress sites secure since 1999. Move to our managed hosting and we monitor every disclosure, patch your plugins fast, and back it with a maintenance plan — so a roundup is just reading, not a fire drill.

Book a Free Security Call Explore Care Plans