Wordfence Weekly Report: 159 WordPress Vulnerabilities Disclosed, Critical UpdraftPlus Auth Bypass Highlighted
Wordfence's weekly vulnerability report for June 1-7, 2026, discloses 159 flaws across 140 plugins and 2 themes, including a critical unauthenticated authentication bypass in the UpdraftPlus backup plugin.

Wordfence Intelligence has published its weekly WordPress vulnerability report covering June 1 through June 7, 2026, cataloging 159 vulnerabilities across 140 plugins and 2 themes. The report highlights a critical unauthenticated authentication bypass in the UpdraftPlus WP Backup & Migration Plugin (versions <= 1.26.4) via the UpdraftCentral udrpc component, for which Wordfence has deployed firewall rules to Premium, Care, and Response customers. Free-tier users will receive protection after a 30-day delay.
Of the 159 vulnerabilities disclosed, 134 have been patched while 25 remain unpatched, leaving sites exposed. Nine vulnerabilities were rated critical severity, 53 high, 96 medium, and one low. The most common vulnerability types were Cross-Site Scripting (43 instances), Missing Authorization (28), Deserialization of Untrusted Data (17), and SQL Injection (16). Other notable categories include Path Traversal (9), CSRF (9), and Code Injection (5).
The report also credits 96 security researchers who contributed to WordPress security during the week. Top contributors included Frissi0n and daroo (8 vulnerabilities each), Jakub Herman (6), and dodoh4t, san6051, kai63001, swat, and h0xilo (4 each). Wordfence's bug bounty program continues to incentivize responsible disclosure, with researchers earning bounties and leaderboard recognition.
Wordfence emphasized that its Intelligence platform (including the vulnerability database API, webhook integration, and CLI Vulnerability Scanner) remains free for personal and commercial use. The company positions these tools as part of a defense-in-depth strategy for securing sites built on WordPress, which powers over 40% of the web.
The UpdraftPlus authentication bypass is particularly concerning given the plugin's widespread use for backup and migration. An unauthenticated attacker exploiting this flaw could gain administrative access to a WordPress site, potentially leading to full site compromise, data theft, or malware injection. Site owners are urged to update to the latest patched version immediately.
This weekly report follows a trend of increasing WordPress vulnerability disclosures. Wordfence's Q1 2026 Threat Intelligence Report, published earlier this year, documented a near-100% increase in critical flaws compared to the previous quarter, with billions of attacks blocked. The June 1-7 report reinforces the need for continuous patching and monitoring.
Wordfence encourages site owners to subscribe to its mailing list for real-time vulnerability alerts and to use the free CLI scanner to identify vulnerable plugins and themes across their managed sites. Enterprises and hosting providers can leverage the database API and webhooks to integrate vulnerability data into their security workflows.