Advisory · Published Apr 23, 2026 · Updated May 18, 2026 · 1 source

Wordfence Weekly Report: 139 WordPress Vulnerabilities, 30 Unpatched, 6 Critical

Wordfence's weekly vulnerability report for April 13-19, 2026, discloses 139 vulnerabilities across 118 plugins and 10 themes, with 30 remaining unpatched and 6 rated critical severity.

Wordfence Intelligence has released its weekly WordPress vulnerability report covering April 13 to April 19, 2026. The report details 139 vulnerabilities disclosed in 118 WordPress plugins and 10 themes, with 109 patched and 30 remaining unpatched. Of these, six are rated critical severity, 44 high, 88 medium, and one low. The most common vulnerability types are Cross-Site Scripting (48), Missing Authorization (28), and SQL Injection (13).

The report highlights the importance of regular vulnerability scanning. Wordfence offers free tools including the Wordfence CLI Vulnerability Scanner, a vulnerability database API, and webhook integration to help site owners identify and remediate affected installations. The Wordfence Intelligence platform aims to make vulnerability data accessible to the entire WordPress community.

Among the critical vulnerabilities, the report provides details for plugins including 3D FlipBook and Academy LMS Pro. The report also lists 84 security researchers who contributed, with Nguyen Ba Khanh and Muhammad Yudha - DJ each reporting nine vulnerabilities. Site owners are urged to review the full list and apply patches promptly.

Wordfence emphasizes that its vulnerability database contains over 33,000 entries and is freely available for personal and commercial use. The weekly report is part of an ongoing effort to keep the WordPress ecosystem informed and secure. Enterprises and hosting providers can leverage the CLI scanner for regular automated scans.

The report serves as a critical resource for WordPress administrators to stay ahead of emerging threats. With 30 vulnerabilities still unpatched, immediate action is recommended to mitigate risks. Wordfence also invites researchers to responsibly disclose vulnerabilities through its bug bounty program for inclusion in future reports.

Synthesized by Vypr AI