VYPR
advisoryPublished Jul 16, 2026· 1 source

Wordfence Reports 267 WordPress Vulnerabilities in Week of July 6-12

Wordfence Intelligence disclosed 267 vulnerabilities in 222 WordPress plugins and 6 themes between July 6-12, 2026, with 136 researchers contributing to WordPress security.

Wordfence Intelligence has released its weekly report detailing a significant number of vulnerabilities discovered in WordPress plugins and themes. For the period of July 6 to July 12, 2026, a total of 267 vulnerabilities were identified across 222 WordPress plugins and 6 themes. This comprehensive report highlights the ongoing efforts of the security community, with 136 researchers contributing to the security of the WordPress ecosystem during that week.

The Wordfence Intelligence Vulnerability Database serves as a crucial resource for site owners and security professionals. Its mission is to make valuable vulnerability information readily accessible, enabling individuals and organizations to implement robust, layered security strategies. The platform offers free access to its user interface, vulnerability API, webhook integration, and the Wordfence CLI Vulnerability Scanner, supporting both personal and commercial use.

During the reporting week, the Wordfence Threat Intelligence Team actively reviewed each disclosed vulnerability. They assessed the potential impact, severity, and likelihood of exploitation to ensure the Wordfence Firewall provided adequate protection. As a result, enhanced protection via firewall rules was deployed in real-time for four specific vulnerabilities to Wordfence Premium, Care, and Response customers. Details for these rules were redacted pending vendor patch releases, with free version users receiving protection after a 30-day delay.

Of the 267 vulnerabilities reported, the vast majority, 234, have already been patched by their respective vendors. However, 33 vulnerabilities remain unpatched, posing a continued risk to users who have not updated their plugins or themes. The severity of these vulnerabilities varied, with 13 classified as critical, 104 as high, and 150 as medium severity.

The report also breaks down vulnerabilities by Common Weakness Enumeration (CWE) types. The most prevalent weaknesses include 'Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)' with 94 instances, followed by 'Missing Authorization' (61), and 'Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)' (26). Other notable categories include 'Path Traversal,' 'Authorization Bypass,' and 'Deserialization of Untrusted Data.'

The contributions of individual researchers are also recognized, with PRISM leading the list with 22 reported vulnerabilities, followed by daroo (15) and dutafi (10). This collaborative effort underscores the dynamic nature of WordPress security and the continuous work required to identify and remediate potential threats.

Site owners are strongly encouraged to review the disclosed vulnerabilities and ensure their WordPress installations are up-to-date. Utilizing tools like the Wordfence CLI Vulnerability Scanner or subscribing to security advisories can help maintain a strong security posture against the ever-evolving threat landscape.

Synthesized by Vypr AI