VYPR
Advisory · Published Jun 4, 2026 · 1 source

Wordfence Intelligence Reports 277 WordPress Vulnerabilities in Late May 2026

Wordfence Intelligence has disclosed 277 vulnerabilities affecting 184 WordPress plugins and 70 themes between May 25-31, 2026, including critical flaws in WP Maps Pro and WooCommerce Custom Product Addons Pro.

Wordfence Intelligence has released its weekly report detailing a significant number of vulnerabilities discovered in the WordPress ecosystem during the week of May 25th to May 31st, 2026. The report identifies a total of 277 vulnerabilities across 184 distinct WordPress plugins and 70 themes, highlighting the ongoing security challenges within the popular content management system.

Among the disclosed vulnerabilities, two stand out due to their severity and potential impact. The first is an Unauthenticated Privilege Escalation flaw in WP Maps Pro, affecting versions up to 6.1.0. This vulnerability, associated with the AJAX action wpgmp_temp_access_ajax, could allow an unauthenticated attacker to create an administrator account, effectively granting them full control over a compromised website. The second critical vulnerability is an Unauthenticated Remote Code Execution (RCE) flaw in WooCommerce Custom Product Addons Pro, impacting versions up to 5.4.1. This RCE stems from a flaw in the plugin's custom pricing formula handling, enabling attackers to execute arbitrary code on the server.
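The two vulnerability classes above (a privileged operation reachable through an AJAX action without authentication, and a user-supplied pricing formula that ends up executed as PHP) share a defensive pattern: authenticate and authorize before doing anything privileged, and never hand user input to eval(). The following is an added illustration of that pattern, not code from WP Maps Pro, WooCommerce Custom Product Addons Pro, or Wordfence, and it does not claim to reproduce either plugin's actual bug. The hook and function names (example_grant_access, example_eval_formula) are hypothetical; the WordPress API calls (add_action, check_ajax_referer, current_user_can, wp_create_user, WP_User::set_role) are real core functions.

```php
<?php
// Added example: hardening patterns for the two vulnerability classes described above.
// Names prefixed "example_" are hypothetical; this is not the plugins' own code.

// --- (1) Privileged action exposed over AJAX ---

// Weak pattern: a user-creating action registered on the wp_ajax_nopriv_* hook is
// reachable without logging in, and nothing checks who is asking or whether the
// request was intended (no nonce, no capability check).
add_action( 'wp_ajax_nopriv_example_grant_access', 'example_grant_access_weak' );
function example_grant_access_weak() {
    $user_id = wp_create_user( sanitize_user( $_POST['user'] ?? '' ), wp_generate_password() );
    ( new WP_User( $user_id ) )->set_role( 'administrator' );
    wp_send_json_success();
}

// Hardened pattern: logged-in hook only (no nopriv variant), a nonce bound to this
// specific action, and explicit capability checks before anything privileged runs.
// The page issuing the request embeds wp_create_nonce( 'example_grant_access' ).
add_action( 'wp_ajax_example_grant_access', 'example_grant_access_hardened' );
function example_grant_access_hardened() {
    check_ajax_referer( 'example_grant_access', 'nonce' ); // terminates on a bad or missing nonce
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $login   = sanitize_user( wp_unslash( $_POST['user'] ?? '' ), true );
    $user_id = wp_create_user( $login, wp_generate_password() );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    // Grant the least role the feature actually needs; never default to administrator.
    ( new WP_User( $user_id ) )->set_role( 'subscriber' );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// --- (2) User-supplied pricing formula ---

// Weak pattern: substituting a value into the formula and eval()ing it makes the
// formula string an arbitrary-code execution path.
function example_eval_formula_weak( string $formula, float $price ): float {
    $code = str_replace( 'price', (string) $price, $formula );
    return (float) eval( "return $code;" );
}

// Hardened pattern: accept only numbers, the identifier "price", + - * / and parentheses,
// and evaluate them with a small recursive-descent evaluator. Nothing is ever executed.
function example_eval_formula( string $formula, float $price ): float {
    $src = preg_replace( '/\s+/', '', $formula );
    if ( $src === '' || ! preg_match( '/^(?:\d+(?:\.\d+)?|price|[-+*\/()])+$/', $src ) ) {
        throw new InvalidArgumentException( 'formula contains disallowed tokens' );
    }
    preg_match_all( '/\d+(?:\.\d+)?|price|[-+*\/()]/', $src, $m );
    $tokens = $m[0];
    $pos    = 0;
    $peek   = function () use ( &$tokens, &$pos ) { return $tokens[ $pos ] ?? null; };
    $next   = function () use ( &$tokens, &$pos ) { return $tokens[ $pos++ ] ?? null; };

    $expr   = null; // assigned below; captured by reference so $factor can recurse into it
    $factor = function () use ( &$factor, &$expr, $next, $price ) {
        $t = $next();
        if ( $t === '(' ) {
            $v = $expr();
            if ( $next() !== ')' ) { throw new InvalidArgumentException( 'unbalanced parentheses' ); }
            return $v;
        }
        if ( $t === '-' )     { return -$factor(); }   // unary minus
        if ( $t === 'price' ) { return $price; }
        if ( $t !== null && is_numeric( $t ) ) { return (float) $t; }
        throw new InvalidArgumentException( 'unexpected token' );
    };
    $term = function () use ( &$factor, $peek, $next ) {
        $v = $factor();
        while ( in_array( $peek(), array( '*', '/' ), true ) ) {
            $op = $next();
            $r  = $factor();
            if ( $op === '/' && $r == 0.0 ) { throw new InvalidArgumentException( 'division by zero' ); }
            $v = ( $op === '*' ) ? $v * $r : $v / $r;
        }
        return $v;
    };
    $expr = function () use ( &$term, $peek, $next ) {
        $v = $term();
        while ( in_array( $peek(), array( '+', '-' ), true ) ) {
            $op = $next();
            $r  = $term();
            $v  = ( $op === '+' ) ? $v + $r : $v - $r;
        }
        return $v;
    };

    $result = $expr();
    if ( $peek() !== null ) { throw new InvalidArgumentException( 'trailing tokens' ); }
    return $result;
}

// Constructed inputs: a legitimate markup formula evaluates; anything outside the
// whitelist (function calls, backticks, variables) is rejected before evaluation.
// example_eval_formula( '(price + 2.50) * 1.2', 10.0 )   => 15.0
// example_eval_formula( 'price; system("id")', 10.0 )   => InvalidArgumentException
```

The evaluator is deliberately a whitelist: it names the tokens a pricing formula legitimately needs and refuses everything else, which is the opposite of trying to blacklist dangerous constructs before eval(). The same shape applies to the AJAX side: register privileged actions only on the authenticated hook, require a nonce, and check the specific capability the operation needs rather than assuming the caller is trusted.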

The Wordfence Threat Intelligence Team has been actively reviewing these disclosures to assess their impact and likelihood of exploitation. Consequently, enhanced protection via firewall rules has been deployed in real time for Wordfence Premium, Care, and Response customers. While these premium users receive immediate protection, users of the free Wordfence version will gain the same protection after a 30-day delay, a standard practice to allow for broader patching.

Of the 277 vulnerabilities reported, 131 have been patched by vendors, while 146 remain unpatched as of the report's publication. The severity distribution shows a concerning number of high and critical-severity flaws, with 106 rated as high and 10 as critical. Medium-severity vulnerabilities also form a substantial portion, with 159 identified.

Analysis by Common Weakness Enumeration (CWE) reveals that Cross-Site Scripting (XSS) is the most prevalent vulnerability type, with 77 instances. This is followed by PHP Remote File Inclusion (58 instances), Missing Authorization (56 instances), and Cross-Site Request Forgery (CSRF) (19 instances). Other notable weaknesses include SQL Injection, Deserialization of Untrusted Data, and various privilege management and authorization bypass flaws.

The report also acknowledges the 94 vulnerability researchers who contributed to WordPress security during the reported week. Prominent among them are "Bonds" with 35 disclosed vulnerabilities and Tran Nguyen Bao Khanh with 28, underscoring the collaborative nature of security research in the WordPress community.

Wordfence emphasizes its commitment to making vulnerability information accessible through its free Intelligence database, API, and CLI scanner. This initiative aims to empower site owners and developers with the data needed to implement robust security measures and a defense-in-depth strategy for their WordPress installations. The weekly reports serve as a crucial resource for staying informed about emerging threats and ensuring timely patching.

Site owners are strongly advised to review the disclosed vulnerabilities and prioritize patching any affected plugins or themes. The significant number of unpatched vulnerabilities, particularly those with critical severity ratings, poses a substantial risk to websites that do not implement timely updates and security monitoring.

Synthesized by Vypr AI