Wordfence Weekly Report: 102 WordPress Vulnerabilities Disclosed, 24 Remain Unpatched
Wordfence's weekly vulnerability report for June 8-14, 2026, discloses 102 flaws across 90 plugins and 5 themes, with 78 patched and 24 still unpatched.

Wordfence has released its weekly WordPress vulnerability report covering the period from June 8 to June 14, 2026. During this week, 102 vulnerabilities were disclosed across 90 WordPress plugins and 5 themes. Of these, 78 have been patched, while 24 remain unpatched, leaving sites that run the affected software potentially exposed. By severity, 4 are rated critical, 36 high, and 62 medium.
The most common vulnerability type reported was Cross-Site Scripting (XSS), accounting for 35 of the disclosed flaws. SQL Injection followed with 13 vulnerabilities, and Information Exposure with 12. Other notable types include Cross-Site Request Forgery (CSRF) with 8, Missing Authorization with 8, and Path Traversal with 5. The report also highlights 4 deserialization flaws and 3 PHP Remote File Inclusion vulnerabilities, among others.
A total of 68 security researchers contributed to WordPress security during this period. The top contributors were dodoh4t with 6 disclosures, Bonds with 5, and daroo with 4. Other active researchers included Muhammad Yudha - DJ, afnaan, and Muhammad Nur Ibnu Hubab, each with 3 disclosures. The full list of researchers is available in the report, which also encourages new researchers to responsibly disclose vulnerabilities through Wordfence's bug bounty program.
The report provides a detailed list of affected plugins and themes, including popular ones like Affiliates Manager, Ajax Load More, and CleanTalk Anti-Spam. Site owners are urged to review the list and apply patches promptly. Wordfence emphasizes that its vulnerability database, API, and CLI scanner are free to use, aiming to help the WordPress community maintain layered security.
This weekly report is part of Wordfence's ongoing effort to keep the WordPress ecosystem informed. With over 35,000 vulnerabilities in its database, Wordfence offers real-time updates via webhooks and API access. The company also provides a mailing list for those who want to receive these reports directly.
As WordPress continues to be a prime target for attackers, such regular disclosures are critical for site administrators. The high number of unpatched vulnerabilities (24) underscores the importance of timely updates and proactive security measures. Wordfence's report serves as a valuable resource for staying ahead of potential threats.