VYPR advisory · Published May 21, 2026 · 1 source

Wordfence Weekly Report: 78 WordPress Vulnerabilities Disclosed, 3 Critical, 12 Remain Unpatched

Wordfence reported 78 vulnerabilities across 62 WordPress plugins and 2 themes for the week of May 11–17, 2026. Of those, 66 are patched and 12 remain unpatched; 3 are rated Critical.

Wordfence Intelligence has published its weekly WordPress vulnerability report for May 11–17, 2026, disclosing 78 vulnerabilities across 62 plugins and 2 themes. Of these, 66 have been patched, while 12 remain unpatched. Three vulnerabilities were rated Critical severity, 21 High, and 54 Medium. The report singles out a privilege escalation flaw in the AI Engine plugin (version 3.4.9) caused by missing authorization in its MCP OAuth bearer-token handling; Wordfence deployed a firewall rule for it to Premium, Care, and Response customers.

Cross-site scripting (XSS) was the most common vulnerability type, accounting for 23 of the disclosures, followed by missing authorization (17) and SQL injection (12). Other notable categories include path traversal (6), CSRF (5), and sensitive information exposure (4); these six categories cover 67 of the 78 issues, with the remainder spread across other CWEs. The breakdown reflects the ongoing prevalence of input validation and access control issues in the WordPress ecosystem.

Wordfence's Threat Intelligence Team reviewed each vulnerability to assess impact and likelihood of exploitation, and rolled out the firewall rule for the AI Engine flaw in real time. Premium, Care, and Response customers received the rule immediately; free-tier users receive the same rule after a 30-day delay. The company emphasizes that its vulnerability database, API, webhook integration, and CLI scanner remain free for personal and commercial use.

A total of 59 security researchers contributed to WordPress security last week, with the top contributors including zaim (4 vulnerabilities), Webbernaut (3), Athiwat Tiprasaharn (3), Nabil Irawan (3), and Niv Kochan (2). Wordfence encourages researchers to responsibly disclose vulnerabilities through its bug bounty program to earn bounties and recognition on the Wordfence Intelligence leaderboard.

The report lists 62 affected plugins and 2 themes, including popular tools like Activity Logs from Logtivity, AI Product Search for WooCommerce, All-in-One WP Migration Unlimited Extension, and the Simply Schedule Appointments booking plugin. Site owners are urged to review the full list and apply patches promptly to mitigate risk.

This weekly roundup underscores the persistent challenge of securing the WordPress ecosystem, where plugin and theme vulnerabilities remain a primary attack vector. With 12 vulnerabilities still unpatched, administrators should update every plugin and theme that has a fix available, and for software that does not, check whether a firewall rule covers it and consider disabling the component until a patch ships. Free tools such as Wordfence CLI can be used to scan installations against the vulnerability database. The report serves as a critical resource for WordPress site owners, hosting providers, and enterprises seeking to maintain a strong security posture.
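The core of what a "scan for known vulnerabilities" step does is a version-range check of installed software against a feed. The example below is added here and is not code from Wordfence, from the report, or from the Vypr page. It works offline on constructed data: the feed records are made up for the example (their shape is modelled on a per-vulnerability object carrying a `software` list with `slug`, `type`, `patched` and an `affected_versions` map of `from_version` / `to_version` / `from_inclusive` / `to_inclusive` ranges, but none of them is a real record), and the installed plugin slugs and versions are likewise invented. The point it shows beyond the text is the separation of "update now" from "no patch exists yet", which is the decision the 12 unpatched entries force on an administrator.

```python
"""Added example (not Wordfence's or Vypr's code): cross-reference installed
WordPress plugin versions against a vulnerability feed, offline.

All feed records and plugin names below are CONSTRUCTED for illustration."""
import re
from typing import Dict, List


def version_key(version: str) -> tuple:
    """'3.4.9' -> (3, 4, 9); '1.2.0-beta1' -> (1, 2, 0).
    Non-numeric pieces (beta, rc) are dropped, which is coarser than PHP's
    version_compare() but adequate for released plugin versions."""
    parts = []
    for piece in re.split(r"[.\-_+]", version.strip()):
        match = re.match(r"\d+", piece)
        if match:
            parts.append(int(match.group()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Comparator: -1, 0 or 1. Missing components count as zero ('2.0' == '2.0.0')."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def in_affected_range(version: str, rng: dict) -> bool:
    """True if `version` lies inside one feed range; '*' means unbounded."""
    low, high = rng.get("from_version", "*"), rng.get("to_version", "*")
    if low != "*":
        c = compare_versions(version, low)
        if c < 0 or (c == 0 and not rng.get("from_inclusive", True)):
            return False
    if high != "*":
        c = compare_versions(version, high)
        if c > 0 or (c == 0 and not rng.get("to_inclusive", True)):
            return False
    return True


def find_vulnerable(installed: Dict[str, str], feed: List[dict]) -> List[dict]:
    """One finding per (vulnerability, installed plugin) pair inside an affected
    range, flagging whether a fixed version exists."""
    findings = []
    for vuln in feed:
        for sw in vuln.get("software", []):
            if sw.get("type") != "plugin":
                continue
            version = installed.get(sw.get("slug"))
            if version is None:
                continue
            ranges = sw.get("affected_versions", {}).values()
            if any(in_affected_range(version, r) for r in ranges):
                findings.append({
                    "slug": sw["slug"],
                    "installed": version,
                    "title": vuln.get("title", ""),
                    "patched": bool(sw.get("patched")),
                    "patched_in": sw.get("patched_versions", []),
                })
    return findings


# CONSTRUCTED sample data: not real plugins, not real feed records.
INSTALLED = {
    "example-plugin-a": "2.3.1",   # inside '* - 2.3.1', fix available
    "example-plugin-b": "0.9",     # every version affected, no fix yet
    "example-plugin-c": "1.0",     # not in the feed at all
    "example-plugin-d": "4.0.0",   # one version past the affected range
}
_ALL = {"from_version": "*", "to_version": "*", "from_inclusive": True, "to_inclusive": True}
FEED = [
    {"title": "Example Plugin A <= 2.3.1 - Missing Authorization (constructed)",
     "software": [{"type": "plugin", "slug": "example-plugin-a", "patched": True,
                   "patched_versions": ["2.3.2"],
                   "affected_versions": {"* - 2.3.1": dict(_ALL, to_version="2.3.1")}}]},
    {"title": "Example Plugin B - Unpatched SQL Injection (constructed)",
     "software": [{"type": "plugin", "slug": "example-plugin-b", "patched": False,
                   "patched_versions": [], "affected_versions": {"*": dict(_ALL)}}]},
    {"title": "Example Plugin D <= 3.9.9 - Stored XSS (constructed)",
     "software": [{"type": "plugin", "slug": "example-plugin-d", "patched": True,
                   "patched_versions": ["4.0.0"],
                   "affected_versions": {"* - 3.9.9": dict(_ALL, to_version="3.9.9")}}]},
]

if __name__ == "__main__":
    for f in find_vulnerable(INSTALLED, FEED):
        action = (f"update to {f['patched_in'][0]}" if f["patched"]
                  else "NO PATCH YET - check firewall coverage or disable")
        print(f"{f['slug']} {f['installed']}: {f['title']} -> {action}")
```

In practice the `INSTALLED` map would come from the site itself (for example `wp plugin list --format=json`) and `FEED` from whichever vulnerability feed the administrator uses; the matching logic is the same. The version comparison deliberately ignores pre-release suffixes, so a site running a beta build should be checked by hand.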

Synthesized by Vypr AI