Freshy Security Bulletins | WordPress Vulnerabilities & Risks

Breeze Cache Plugin Vulnerability (CVE-2026-3844)

April 23, 2026

Security Alert Summary The Breeze Cache plugin for WordPress contains a file upload vulnerability that can allow unauthenticated attackers to upload arbitrary files when the “Host Files Locally – Gravatars”…

Read security notice

ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) Vulnerability (CVE-2026-5464)

April 23, 2026

Security Alert Summary The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) contains a vulnerability that can allow authenticated users with report viewing capability to install and activate…

Read security notice

reCaptcha by WebDesignBy Plugin Vulnerability (CVE-2026-4512)

April 23, 2026

Security Alert Summary The reCaptcha by WebDesignBy WordPress plugin before 2.0 improperly handles the Site Key setting and does not sanitize or escape it before outputting into a JavaScript string…

Read security notice

Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor Plugin Vulnerability (CVE-2026-2951)

April 23, 2026

Security Alert Summary The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to and including…

Read security notice

HT Mega Addons for Elementor Plugin Vulnerability (CVE-2026-4106)

April 23, 2026

Security Alert Summary The HT Mega Addons for Elementor WordPress plugin contains an unauthenticated AJAX action that can return personally identifiable information (PII) for customers who placed orders in the…

Read security notice

Social Rocket – Social Sharing Plugin Vulnerability (CVE-2026-1923)

April 23, 2026

Security Alert Summary The Social Rocket – Social Sharing Plugin for WordPress contains a stored Cross-Site Scripting (XSS) vulnerability in the id parameter in all versions up to and including…

Read security notice

WP Store Locator Plugin Vulnerability (CVE-2026-3361)

April 23, 2026

Security Alert Summary The WP Store Locator plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the wpsl_address post meta value. Authenticated users with contributor-level access and above…

Read security notice

Gallagher Website Design Plugin Vulnerability (CVE-2026-1913)

April 22, 2026

Security Alert Summary The Gallagher Website Design WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in the login_link shortcode. Insufficient input sanitization and output escaping of the prefix attribute…

Read security notice

Emailchef Plugin Vulnerability (CVE-2026-1930)

April 22, 2026

Security Alert Summary The Emailchef plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access and higher to delete the plugin’s settings via an AJAX action. The…

Read security notice

Fast & Fancy Filter – 3F Plugin Vulnerability (CVE-2026-6396)

April 22, 2026

Security Alert Summary The Fast & Fancy Filter – 3F plugin for WordPress (up to and including 1.2.2) contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce…

Read security notice

Buzz Comments Plugin Vulnerability (CVE-2026-6041)

April 22, 2026

Security Alert Summary The Buzz Comments plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its Custom Buzz Avatar setting. Authenticated users with Administrator-level privileges can inject arbitrary…

Read security notice

Zypento Blocks Plugin Vulnerability (CVE-2026-5820)

April 22, 2026

Security Alert Summary The Zypento Blocks plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the Table of Contents block that allows authenticated users with Author-level access or…

Read security notice

SlideShowPro SC Plugin Vulnerability (CVE-2026-5767)

April 22, 2026

Security Alert Summary The SlideShowPro SC plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its slideShowProSC shortcode. Insufficient input sanitization and output escaping of user-supplied shortcode attributes…

Read security notice

Gutentools Plugin Vulnerability (CVE-2026-1395)

April 22, 2026

Security Alert Summary The Gutentools plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the Post Slider block. The issue allows authenticated users with Contributor-level access or higher…

Read security notice

Posts map Plugin Vulnerability (CVE-2026-6236)

April 22, 2026

Security Alert Summary The Posts map plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the name shortcode attribute. Authenticated users with contributor-level access or higher can supply…

Read security notice

Text Snippets Plugin Vulnerability (CVE-2026-5748)

April 22, 2026

Security Alert Summary The Text Snippets plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its ts shortcode due to insufficient input sanitization and output escaping on user-supplied…

Read security notice

Simple Random Posts Shortcode Plugin Vulnerability (CVE-2026-6246)

April 22, 2026

Security Alert Summary The Simple Random Posts Shortcode plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via the container_right_width attribute of the simple_random_posts shortcode. Insufficient input sanitization and…

Read security notice

Google PageRank Display Plugin Vulnerability (CVE-2026-6294)

April 22, 2026

Security Alert Summary The Google PageRank Display plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in the plugin settings handler. Missing nonce validation in the settings form and…

Read security notice

DX Unanswered Comments Plugin Vulnerability (CVE-2026-4138)

April 22, 2026

Security Alert Summary The DX Unanswered Comments plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability that affects all versions up to and including 1.7. Missing nonce validation on…

Read security notice

Sendmachine for WordPress Plugin Vulnerability (CVE-2026-6235)

April 22, 2026

Security Alert Summary The Sendmachine for WordPress plugin contains an authorization bypass vulnerability in the manage_admin_requests function that affects all versions up to and including 1.0.20. The issue can allow…

Read security notice

Ni WooCommerce Order Export Plugin Vulnerability (CVE-2026-4140)

April 22, 2026

Security Alert Summary The Ni WooCommerce Order Export plugin for WordPress (all versions up to and including 3.1.6) contains a Cross-Site Request Forgery (CSRF) vulnerability. A missing nonce validation in…

Read security notice

HTTP Headers Plugin Vulnerability (CVE-2026-4132)

April 22, 2026

Security Alert Summary The HTTP Headers plugin for WordPress contains a vulnerability (CVE-2026-4132) that allows authenticated users with Administrator-level privileges to write attacker-controlled content to arbitrary file paths. This is…

Read security notice

Create DB Tables Plugin Vulnerability (CVE-2026-4119)

April 22, 2026

Security Alert Summary The Create DB Tables plugin for WordPress contains an authorization bypass that affects all versions up to and including 1.2.1. The plugin registers admin_post action hooks for…

Read security notice

CI HUB Connector Plugin Vulnerability (CVE-2026-4353)

April 22, 2026

Security Alert Summary The CI HUB Connector plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the cihub_metadata shortcode ‘id’ attribute. Authenticated users with Contributor-level access and above…

Read security notice

WordPress security bulletins

Breeze Cache Plugin Vulnerability (CVE-2026-3844)

ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) Vulnerability (CVE-2026-5464)

reCaptcha by WebDesignBy Plugin Vulnerability (CVE-2026-4512)

Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor Plugin Vulnerability (CVE-2026-2951)

HT Mega Addons for Elementor Plugin Vulnerability (CVE-2026-4106)

Social Rocket – Social Sharing Plugin Vulnerability (CVE-2026-1923)

WP Store Locator Plugin Vulnerability (CVE-2026-3361)

Gallagher Website Design Plugin Vulnerability (CVE-2026-1913)

Emailchef Plugin Vulnerability (CVE-2026-1930)

Fast & Fancy Filter – 3F Plugin Vulnerability (CVE-2026-6396)

Buzz Comments Plugin Vulnerability (CVE-2026-6041)

Zypento Blocks Plugin Vulnerability (CVE-2026-5820)

SlideShowPro SC Plugin Vulnerability (CVE-2026-5767)

Gutentools Plugin Vulnerability (CVE-2026-1395)

Posts map Plugin Vulnerability (CVE-2026-6236)

Text Snippets Plugin Vulnerability (CVE-2026-5748)

Simple Random Posts Shortcode Plugin Vulnerability (CVE-2026-6246)

Google PageRank Display Plugin Vulnerability (CVE-2026-6294)

DX Unanswered Comments Plugin Vulnerability (CVE-2026-4138)

Sendmachine for WordPress Plugin Vulnerability (CVE-2026-6235)

Ni WooCommerce Order Export Plugin Vulnerability (CVE-2026-4140)

HTTP Headers Plugin Vulnerability (CVE-2026-4132)

Create DB Tables Plugin Vulnerability (CVE-2026-4119)

CI HUB Connector Plugin Vulnerability (CVE-2026-4353)

Thinking about selling your WordPress agency?

Our services

Our work

About us

For clients