VYPR
Advisory · Published Apr 30, 2026 · Updated May 18, 2026 · 1 source

Wordfence Weekly Report: 158 WordPress Vulnerabilities Disclosed, 42 Remain Unpatched

Wordfence reported 158 vulnerabilities in 123 WordPress plugins and 27 themes during the week of April 20–26, 2026, with 42 remaining unpatched and 6 rated critical severity.

The Wordfence Intelligence weekly vulnerability report for April 20–26, 2026, reveals 158 new vulnerabilities across 123 WordPress plugins and 27 themes. Of these, 116 have been patched, but 42 remain unpatched, leaving many sites exposed. Six vulnerabilities were rated critical severity, while 47 were high and 105 were medium. The most common vulnerability type was Cross-Site Scripting (XSS), which accounted for 47 disclosures, followed by Missing Authorization (35) and Deserialization of Untrusted Data (23). Other notable types included CSRF (12), unrestricted file uploads (9), and SQL injection flaws (8).

The Wordfence Threat Intelligence Team has deployed firewall rules for select vulnerabilities in real-time to Premium, Care, and Response customers. Free Wordfence users will receive the same protection after a 30-day delay. One rule, WAF-RULE-908, has been redacted while the vendor works on a patch, indicating an active zero-day scenario. The report also highlights 69 researchers who contributed to WordPress security last week, with Denver Jackson leading with 17 disclosures, followed by Jakub Herman (12) and Muhammad Nur Ibnu Hubab (9).

Wordfence Intelligence provides free access to its vulnerability database, API, webhook integration, and CLI scanner, aiming to help site owners and enterprises implement layered security. The weekly report is part of Wordfence's mission to make vulnerability information accessible to the WordPress community. The company encourages responsible disclosure through its bug bounty program, which offers bounties on in-scope vulnerabilities and recognition on the leaderboard.

This week's data underscores the persistent threat landscape for WordPress sites, with unpatched vulnerabilities posing significant risks. Site owners are urged to review the full list of affected plugins and themes, apply available patches, and consider using Wordfence's free scanning tools to identify exposures. The report serves as a critical resource for staying ahead of emerging threats in the WordPress ecosystem.

Synthesized by Vypr AI