VYPR
Research · Published Jul 2, 2026 · 1 source

Wordfence Reports 199 WordPress Vulnerabilities in One Week

Wordfence Intelligence has identified 199 vulnerabilities across 169 WordPress plugins and 9 themes during the week of June 22-28, 2026, highlighting ongoing security challenges in the popular CMS ecosystem.

The latest weekly vulnerability report from Wordfence Intelligence details 199 vulnerabilities discovered in 169 plugins and 9 themes between June 22 and June 28, 2026. The volume underscores the persistent need for vigilance and timely patching within the vast WordPress ecosystem.

Of the reported vulnerabilities, 148 have been patched by vendors, while 51 remain unpatched. Sites that have not updated the affected plugins or themes are at immediate risk, and for the 51 unpatched issues there is not yet a vendor fix to install. The severity distribution is concerning: 6 critical and 49 high-severity issues, alongside 143 medium-severity and only one low-severity vulnerability.

A notable vulnerability highlighted is an unauthenticated arbitrary file upload flaw in OMGF Pro versions up to 5.2.6, which could allow attackers to upload malicious files to a WordPress site without prior authentication. Additionally, Wordfence has deployed firewall rules to protect against several other redacted vulnerabilities, indicating active threats that the company is working with vendors to address.

The Wordfence Intelligence platform aims to democratize vulnerability information, offering free access to its comprehensive database, API, webhook integration, and CLI scanner. This initiative allows individuals, hosting providers, and enterprises to implement robust security measures and stay informed about emerging threats.

The report also acknowledges the contributions of 111 vulnerability researchers who actively participated in securing the WordPress platform during that week. Prominent researchers like Ananda Dhakal, daroo, and Nguyen Ba Khanh are recognized for their significant contributions to identifying and reporting security flaws.

Common vulnerability types identified include Cross-Site Scripting (XSS) with 53 instances, Missing Authorization with 52, and SQL Injection with 29. These prevalent issues highlight recurring weaknesses in web application development that attackers frequently exploit.

Wordfence's Threat Intelligence Team continuously monitors these vulnerabilities, developing and deploying firewall rules to protect its Premium, Care, and Response customers. Free users receive this protection with a 30-day delay, emphasizing the benefit of upgrading for immediate security.

This weekly report serves as a critical reminder for WordPress site owners and administrators to prioritize regular security audits, prompt updates, and the use of reputable security solutions to mitigate the risks associated with the ever-evolving threat landscape.

Synthesized by Vypr AI