Skip to main content

WordPress Security · Updated monthly

The WordPress Plugin Vulnerability Tracker

Every month we break down the most serious WordPress plugin vulnerabilities — the CVE, the severity, how many sites are exposed, and exactly what to do. One running record, sourced from the industry's vulnerability databases.

6+
Monthly editions
17
CVEs tracked
10.0
Peak CVSS score
15M+
Installs in one alert

Quick answer

A WordPress plugin vulnerability is a security flaw in a plugin's code that lets an attacker do something they should not — inject scripts, read your database, bypass a login, or run code on your server. Because most WordPress sites run many third-party plugins, these flaws are the single most common way WordPress sites get hacked. This tracker records the most serious plugin vulnerabilities disclosed each month — the CVE, its severity, how many installs are exposed, plus the exact fix — sourced from Patchstack, Wordfence, and WPScan.

The archive

Monthly plugin CVE roundups

Newest first. Each edition covers the month's most exploitable WordPress plugin disclosures — with CVSS scores, affected install counts, patch status, and a three-step response.

Sources: Patchstack Wordfence Intelligence WPScan

How we track

Signal, not noise

Hundreds of WordPress CVEs are published every month. We surface only the ones that actually put real sites at risk — and translate them into plain-English action.

We triage by impact

Every month we review disclosures from Patchstack, Wordfence and WPScan and keep the ones with critical or high severity, real-world exploitation, or large install bases.

We give the numbers

CVE identifier, CVSS score, affected plugin and version range, install count, and whether a patch exists yet — so you can judge your own exposure in seconds.

We tell you what to do

Each entry ends with a clear three-step response — update, mitigate, or remove — plus what to watch for next month. No jargon, no fear-mongering.

Questions

WordPress plugin vulnerabilities, explained

How are WordPress plugin vulnerabilities classified?

They are rated two ways. Severity uses the CVSS score from 0 to 10 — anything 9.0 or above is critical, meaning it is easy to exploit with serious impact. Type describes the flaw itself: cross-site scripting (XSS) injects malicious scripts, SQL injection reaches your database, cross-site request forgery (CSRF) tricks a logged-in user into an unwanted action, authentication bypass skips the login check, plus remote code execution (RCE) runs attacker code on your server. Each roundup below lists the score alongside the type for every CVE.

How often is the tracker updated?

Monthly. We publish a new roundup at the end of each month covering the most serious plugin vulnerabilities disclosed during it, then keep every past edition here as a running archive. The latest roundup is always linked at the top of this page.

Where does the vulnerability data come from?

Every entry is sourced from the established WordPress vulnerability databases — Patchstack, Wordfence, plus WPScan — which publish disclosures as they are confirmed. We read those feeds, then summarize what matters for a site owner: which plugin, how severe, how many installs are affected, plus the version that fixes it.

How do I check if my plugins are vulnerable?

Install our free Vortex Security Check plugin. It reads your installed plugins, themes, plus WordPress core, matches them against known published vulnerabilities, then shows the exact version that fixes each one — all locally, so nothing about your site ever leaves it. You can also search the Patchstack database by plugin name.

What should I do when a plugin vulnerability is disclosed?

Update the affected plugin immediately — the patched version is the fix in almost every case. Then do the cleanup the vulnerability calls for: rotate passwords or API keys if credentials could have leaked, review your administrator accounts, plus scan for unexpected changes. Updating alone does not undo a breach that already happened, so speed matters most in the window right after disclosure.

We read these so you don't have to

Vortex Media has kept WordPress sites secure since 1999. Move to our managed hosting and we monitor every disclosure, patch your plugins fast, and back it with a maintenance plan — so a roundup is just reading, not a fire drill.