VYPR
advisoryPublished Jul 9, 2026· 1 source

Wordfence Reports 246 WordPress Vulnerabilities in Week of June 29 - July 5

Wordfence Intelligence disclosed 246 vulnerabilities in 179 WordPress plugins and 40 themes between June 29 and July 5, 2026, with immediate firewall protection for premium users.

Wordfence Intelligence has cataloged a significant number of security flaws affecting the WordPress ecosystem, reporting 246 vulnerabilities across 179 plugins and 40 themes during the week of June 29 to July 5, 2026. This weekly report aims to provide the WordPress community with accessible vulnerability data to implement robust security measures.

The Wordfence Threat Intelligence Team actively reviews each disclosed vulnerability to assess its impact, severity, and potential for exploitation. Based on these assessments, the team deploys protective measures through the Wordfence Firewall. For premium, care, and response customers, enhanced protection was rolled out in real-time for several vulnerabilities, including an unauthenticated arbitrary file read in Ninja Forms <= 3.3.29 via the 'files[].data.file_path' parameter. Free users of Wordfence will receive similar protection after a 30-day delay.

Of the total vulnerabilities reported, 158 have been patched, while 88 remain unpatched. The distribution by CVSS severity shows a substantial number of high and critical severity issues, with 150 rated as Medium, 87 as High, and 9 as Critical. This highlights the ongoing need for vigilance and prompt patching within the WordPress user base.

Analysis by Common Weakness Enumeration (CWE) reveals that Cross-Site Scripting (XSS) remains a prevalent threat, accounting for 87 vulnerabilities. Other common weaknesses include Missing Authorization (50), PHP Remote File Inclusion (25), and SQL Injection (19), indicating a broad range of attack vectors targeting WordPress sites.

The report also acknowledges the contributions of 100 vulnerability researchers who identified these flaws. Notably, João Pedro S Alcântara (Kinorth) is credited with discovering 34 vulnerabilities, followed by PRISM with 18 and Ananda Dhakal with 14, underscoring the collaborative effort in securing the WordPress platform.

Wordfence emphasizes its commitment to making vulnerability information freely accessible through its Intelligence user interface, API, webhook integration, and CLI scanner. This initiative supports individuals and organizations in adopting layered security strategies and defense-in-depth approaches.

Site owners are encouraged to review the disclosed vulnerabilities and ensure their plugins and themes are up-to-date. The delay in protection for free users underscores the importance of upgrading to premium services or diligently monitoring for patches to mitigate risks associated with unpatched vulnerabilities.

The sheer volume of vulnerabilities reported weekly underscores the dynamic and often challenging security landscape of the WordPress ecosystem. Continuous monitoring, timely updates, and proactive security measures are essential for protecting websites from compromise.

Synthesized by Vypr AI