Wordfence Weekly Report: 157 WordPress Vulnerabilities Disclosed, 11 Critical and 17 Unpatched
Wordfence's weekly vulnerability report reveals 157 flaws across 141 plugins and 23 themes, with 11 rated critical severity and 17 remaining unpatched as of April 12, 2026.

Wordfence Intelligence has published its weekly vulnerability report covering April 6 to April 12, 2026, disclosing 157 vulnerabilities across 141 WordPress plugins and 23 themes. Of these, 140 were patched during the reporting period, but 17 remain unpatched, leaving sites exposed to potential exploitation. The report highlights 11 critical-severity flaws that demand immediate attention from site administrators.
The most common vulnerability type was Cross-Site Scripting (XSS), accounting for 45 of the disclosed flaws, followed by Missing Authorization (27) and Deserialization of Untrusted Data (17). Other notable categories include PHP Remote File Inclusion (14), SQL Injection (11), and Cross-Site Request Forgery (9). The prevalence of XSS underscores the ongoing challenge of input sanitization in WordPress plugin and theme development.
Security researchers contributed significantly to these disclosures, with Denver Jackson leading the pack at 17 vulnerabilities reported. Athiwat Tiprasaharn (Jitlada) followed with 11 disclosures, and João Pedro Soares de Alcântara reported 8. A total of 79 researchers contributed to last week's WordPress security findings, reflecting the community's active role in identifying and responsibly disclosing vulnerabilities.
Wordfence emphasized that its Intelligence platform, including the vulnerability database API, webhook integration, and CLI Vulnerability Scanner, remains free for both personal and commercial use. The company encourages site owners to leverage these tools to regularly scan their installations and stay informed about newly disclosed vulnerabilities. The weekly report is part of Wordfence's broader mission to secure the WordPress ecosystem through accessible threat intelligence.
For site administrators, the key takeaway is to immediately patch the 140 vulnerabilities that have fixes available and to monitor the 17 unpatched flaws for any emerging exploits. Given the 11 critical-severity issues, prioritizing updates for plugins and themes with known vulnerabilities is essential. The full list of affected software spans a wide range of plugins, from Accordion and Accordion Slider to Backup Migration and BEAR – Bulk Editor and Products Manager, among many others.
Wordfence also reminded researchers that responsibly disclosing vulnerabilities through its bug bounty program can earn bounties and leaderboard recognition. The company continues to maintain a database of over 33,000 WordPress vulnerabilities, making it a central resource for securing WordPress sites against evolving threats.