Quick answer
A WordPress plugin vulnerability is a security flaw in a plugin's code that lets an attacker do something they should not — inject scripts, read your database, bypass a login, or run code on your server. Because most WordPress sites run many third-party plugins, these flaws are the single most common way WordPress sites get hacked. This tracker records the most serious plugin vulnerabilities disclosed each month — the CVE, its severity, how many installs are exposed, plus the exact fix — sourced from Patchstack, Wordfence, and WPScan.
The archive
Monthly plugin CVE roundups
Newest first. Each edition covers the month's most exploitable WordPress plugin disclosures — with CVSS scores, affected install counts, patch status, and a three-step response.
How we track
Signal, not noise
Hundreds of WordPress CVEs are published every month. We surface only the ones that actually put real sites at risk — and translate them into plain-English action.
We triage by impact
Every month we review disclosures from Patchstack, Wordfence and WPScan and keep the ones with critical or high severity, real-world exploitation, or large install bases.
We give the numbers
CVE identifier, CVSS score, affected plugin and version range, install count, and whether a patch exists yet — so you can judge your own exposure in seconds.
We tell you what to do
Each entry ends with a clear three-step response — update, mitigate, or remove — plus what to watch for next month. No jargon, no fear-mongering.
Questions
WordPress plugin vulnerabilities, explained
How are WordPress plugin vulnerabilities classified?
They are rated two ways. Severity uses the CVSS score from 0 to 10 — anything 9.0 or above is critical, meaning it is easy to exploit with serious impact. Type describes the flaw itself: cross-site scripting (XSS) injects malicious scripts, SQL injection reaches your database, cross-site request forgery (CSRF) tricks a logged-in user into an unwanted action, authentication bypass skips the login check, plus remote code execution (RCE) runs attacker code on your server. Each roundup below lists the score alongside the type for every CVE.
How often is the tracker updated?
Monthly. We publish a new roundup at the end of each month covering the most serious plugin vulnerabilities disclosed during it, then keep every past edition here as a running archive. The latest roundup is always linked at the top of this page.
Where does the vulnerability data come from?
Every entry is sourced from the established WordPress vulnerability databases — Patchstack, Wordfence, plus WPScan — which publish disclosures as they are confirmed. We read those feeds, then summarize what matters for a site owner: which plugin, how severe, how many installs are affected, plus the version that fixes it.
How do I check if my plugins are vulnerable?
Install our free Vortex Security Check plugin. It reads your installed plugins, themes, plus WordPress core, matches them against known published vulnerabilities, then shows the exact version that fixes each one — all locally, so nothing about your site ever leaves it. You can also search the Patchstack database by plugin name.
What should I do when a plugin vulnerability is disclosed?
Update the affected plugin immediately — the patched version is the fix in almost every case. Then do the cleanup the vulnerability calls for: rotate passwords or API keys if credentials could have leaked, review your administrator accounts, plus scan for unexpected changes. Updating alone does not undo a breach that already happened, so speed matters most in the window right after disclosure.