WordPress Security Tracker

Name: WordPress Vulnerability Statistics
Creator: WordPress Security Tracker
License: https://creativecommons.org/publicdomain/zero/1.0/

Counting vulnerabilities so you don't have to.

10,826

Vulnerabilities in 2025

3,843

2026 (so far)

533

Last 30 days

Last 30 Days Breakdown

510 plugin vulnerabilities
23 theme vulnerabilities
0 core vulnerabilities

Recent Critical & High Severity

critical ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation CVSS 9.8 · ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
high ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter CVSS 7.5 · ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
high Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution CVSS 8.8 · Content Visibility for Divi Builder
critical Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' CVSS 9.8 · Kirki – Freeform Page Builder, Website Builder & Customizer
high WP Statistics – Simple, privacy-friendly Google Analytics alternative <= 14.16.6 - Unauthenticated Stored Cross-Site Scripting CVSS 7.2 · WP Statistics – Simple, privacy-friendly Google Analytics alternative
high Affiliate Super Assistent <= 1.10.1 - Unauthenticated Stored Cross-Site Scripting CVSS 7.2 · Affiliate Super Assistent
high TableOn – WordPress Posts Table Filterable <= 1.0.5.1 - Unauthenticated SQL Injection CVSS 7.5 · TableOn – WordPress Posts Table Filterable
high Favicon by RealFaviconGenerator <= 1.3.46 - Unauthenticated Stored Cross-Site Scripting CVSS 7.2 · Favicon by RealFaviconGenerator
high GEO my WP <= 4.5.5 - Unauthenticated SQL Injection via 'swlatlng' / 'nelatlng' Parameters CVSS 7.5 · GEO my WP
high Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint CVSS 7.5 · Simple History – Track, Log, and Audit WordPress Changes

Last updated: Jun 2, 2026, 07:43 AM

Why This Matters