WordPress Security Audit Checklist for Production Sites
A WordPress security audit checklist should produce clear remediation actions, not a long report nobody executes. Use this guide to review core, plugins, themes.
Read guideVulnTitan Plugin
Scan WordPress with VulnTitan.
Free plugin for live checks. Pro adds scheduled scans, malware detection, integrity monitoring, alerts and guided remediation.
-
Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedMay 13, 2026Affected ProductRoyal Addons for Elementor – Addons and Templates Kit for ElementorPlugin · royal-elementor-addonsAffected windowVersions up to 1.7.1058Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 1.7.1059Recommended next stepUpdate to 1.7.1059Move to a safe release and validate after update.Affected if you're usingVersions up to 1.7.1058Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in1.7.1059Update to this version or a newer safe release.What to doUpdate to version 1.7.1059, or a newer patched version
Affected versionsVersions up to 1.7.1058Safe / patched versions1.7.1059 -
User Registration & Membership <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter
The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.
PublishedMay 13, 2026Affected ProductUser Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login BuilderPlugin · user-registrationAffected windowVersions up to 5.1.5Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 5.1.6Recommended next stepUpdate to 5.1.6Move to a safe release and validate after update.Affected if you're usingVersions up to 5.1.5Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in5.1.6Update to this version or a newer safe release.What to doUpdate to version 5.1.6, or a newer patched version
Affected versionsVersions up to 5.1.5Safe / patched versions5.1.6 -
InfusedWoo Pro <= 5.1.2 - Unauthenticated Arbitrary File Read via 'url' Parameter
The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.1.2 via the popup_submit. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PublishedMay 13, 2026Affected ProductInfusedWoo ProPlugin · infusedwooPROAffected windowVersions up to 5.1.2Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 5.1.3Recommended next stepUpdate to 5.1.3Move to a safe release and validate after update.Affected if you're usingVersions up to 5.1.2Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in5.1.3Update to this version or a newer safe release.What to doUpdate to version 5.1.3, or a newer patched version
Affected versionsVersions up to 5.1.2Safe / patched versions5.1.3 -
MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
PublishedMay 13, 2026Affected ProductMW WP FormPlugin · mw-wp-formAffected windowVersions up to 5.1.2Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 5.1.3Recommended next stepUpdate to 5.1.3Move to a safe release and validate after update.Affected if you're usingVersions up to 5.1.2Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in5.1.3Update to this version or a newer safe release.What to doUpdate to version 5.1.3, or a newer patched version
Affected versionsVersions up to 5.1.2Safe / patched versions5.1.3 -
CC Child Pages <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'more' Parameter
The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'more' parameter in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedMay 13, 2026Affected ProductCC Child PagesPlugin · cc-child-pagesAffected windowVersions up to 2.1.1Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 2.1.2Recommended next stepUpdate to 2.1.2Move to a safe release and validate after update.Affected if you're usingVersions up to 2.1.1Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in2.1.2Update to this version or a newer safe release.What to doUpdate to version 2.1.2, or a newer patched version
Affected versionsVersions up to 2.1.1Safe / patched versions2.1.2 -
InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters
The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, products, or orders, mass-delete all comments on any post, and change any post's status.
PublishedMay 13, 2026Affected ProductInfusedWoo ProPlugin · infusedwooPROAffected windowVersions up to 5.1.2Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 5.1.3Recommended next stepUpdate to 5.1.3Move to a safe release and validate after update.Affected if you're usingVersions up to 5.1.2Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in5.1.3Update to this version or a newer safe release.What to doUpdate to version 5.1.3, or a newer patched version
Affected versionsVersions up to 5.1.2Safe / patched versions5.1.3 -
Taskbuilder – Project Management & Task Management Tool With Kanban Board <= 5.0.6 - Authenticated (Subscriber+) Time-Based Blind SQL Injection via 'project_search' Parameter
The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'project_search' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PublishedMay 13, 2026Affected ProductTaskbuilder – Project Management & Task Management Tool With Kanban BoardPlugin · taskbuilderAffected windowVersions up to 5.0.6Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 5.0.7Recommended next stepUpdate to 5.0.7Move to a safe release and validate after update.Affected if you're usingVersions up to 5.0.6Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in5.0.7Update to this version or a newer safe release.What to doUpdate to version 5.0.7, or a newer patched version
Affected versionsVersions up to 5.0.6Safe / patched versions5.0.7 -
Bold Page Builder <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including, 5.6.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedMay 13, 2026Affected ProductBold Page BuilderPlugin · bold-page-builderAffected windowVersions up to 5.6.8Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 5.6.9Recommended next stepUpdate to 5.6.9Move to a safe release and validate after update.Affected if you're usingVersions up to 5.6.8Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in5.6.9Update to this version or a newer safe release.What to doUpdate to version 5.6.9, or a newer patched version
Affected versionsVersions up to 5.6.8Safe / patched versions5.6.9 -
Meta Field Block <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedMay 13, 2026Affected ProductMeta Field Block – Display custom fields in the Block Editor without codingPlugin · display-a-meta-field-as-blockAffected windowVersions up to 1.5.2Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 1.5.3Recommended next stepUpdate to 1.5.3Move to a safe release and validate after update.Affected if you're usingVersions up to 1.5.2Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in1.5.3Update to this version or a newer safe release.What to doUpdate to version 1.5.3, or a newer patched version
Affected versionsVersions up to 1.5.2Safe / patched versions1.5.3 -
Media Sync <= 1.4.9 - Authenticated (Author+) Path Traversal via 'sub_dir' and 'media_items' Parameters
The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and 'media_items' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted to the intended uploads directory. This makes it possible for authenticated attackers, with Author-level access and above, to perform actions on files outside of the originally intended directory.
PublishedMay 13, 2026Affected ProductMedia SyncPlugin · media-syncAffected windowVersions up to 1.4.9Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 1.5.0Recommended next stepUpdate to 1.5.0Move to a safe release and validate after update.Affected if you're usingVersions up to 1.4.9Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in1.5.0Update to this version or a newer safe release.What to doUpdate to version 1.5.0, or a newer patched version
Affected versionsVersions up to 1.4.9Safe / patched versions1.5.0
Coverage Hubs
Browse high-interest plugin and theme vulnerability hubs.
Use hub pages to review all indexed records for a single WordPress plugin or theme instead of scanning the global feed one advisory at a time.
ElementsKit Pro
· plugin
Web Directory Free
· plugin
WP-Stateless – Google Cloud Storage
· plugin
WooCommerce
· plugin
Contact Form 7
· plugin
Advanced Custom Fields (ACF®)
· plugin
Redux Framework
· plugin
Calendar
· plugin
Export WordPress Pages to Static HTML & PDF — Static Site Export
· plugin
Download Manager Pro
· plugin
Royal Addons for Elementor – Addons and Templates Kit for Elementor
· plugin
Ninja Forms – The Contact Form Builder That Grows With You
· plugin
Security Guides
Start with the WordPress security topics already showing search demand.
Browse practical guides for WordPress security audit, WooCommerce security, hardening, brute force protection, monitoring, and incident response.
WooCommerce Security Checklist for WordPress Stores
Use this WooCommerce security checklist to review payment-related plugins, customer account exposure, checkout integrity, and patch response before a vulnerability.
Read guideWordPress Security Hardening Checklist for 2026
Use this WordPress security hardening checklist for 2026 to review patch cadence, privileged access, XML-RPC exposure, backup readiness, and daily vulnerability.
Read guidePrevent Brute Force Attacks in WordPress: Best Practices
If you need to prevent brute force attacks in WordPress, the goal is to make credential abuse expensive and noisy for attackers. Brute force attacks are still one.
Read guideWordPress Security Monitoring: Metrics That Matter
WordPress security monitoring should drive action, not dashboard vanity. Focus on metrics that influence patching speed, detection quality, and incident outcomes.
Read guideWordPress Incident Response Plan Template for Security Teams
This WordPress incident response plan template helps security teams move from detection to containment, patching, recovery, and post-incident review when a plugin.
Read guide