WordPress Security Audit Checklist for Production Sites
A WordPress security audit checklist should produce clear remediation actions, not a long report nobody executes. Use this guide to review core, plugins, themes, privileg...
Read guideVulnTitan Plugin
Scan WordPress with VulnTitan.
Free plugin for live checks. Pro adds scheduled scans, malware detection, integrity monitoring, alerts and guided remediation.
-
Gutentools <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Slider Block Attributes
The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduces dangerous characters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedApr 21, 2026Affected ProductGutentoolsPlugin · gutentoolsAffected windowVersions up to 1.1.3Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 1.1.4Recommended next stepUpdate to 1.1.4Move to a safe release and validate after update.Affected if you're usingVersions up to 1.1.3Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in1.1.4Update to this version or a newer safe release.What to doUpdate to version 1.1.4, or a newer patched version
Affected versionsVersions up to 1.1.3Safe / patched versions1.1.4 -
Gallagher Website Design <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'prefix' Shortcode Attribute
The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedApr 21, 2026Affected ProductGallagher Website DesignPlugin · gallagher-website-designAffected windowVersions up to 2.6.4Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 2.6.5Recommended next stepUpdate to 2.6.5Move to a safe release and validate after update.Affected if you're usingVersions up to 2.6.4Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in2.6.5Update to this version or a newer safe release.What to doUpdate to version 2.6.5, or a newer patched version
Affected versionsVersions up to 2.6.4Safe / patched versions2.6.5 -
Emailchef <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion
The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.
PublishedApr 21, 2026Affected ProductEmailchefPlugin · emailchefAffected windowVersions up to 3.5.1Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 3.5.2Recommended next stepUpdate to 3.5.2Move to a safe release and validate after update.Affected if you're usingVersions up to 3.5.1Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in3.5.2Update to this version or a newer safe release.What to doUpdate to version 3.5.2, or a newer patched version
Affected versionsVersions up to 3.5.1Safe / patched versions3.5.2 -
Short Comment Filter <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Minimum Count' Setting
The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.
PublishedApr 21, 2026Affected ProductShort Comment FilterPlugin · short-comment-filterAffected windowVersions up to 2.2Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 2.2Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 2.2Safe / patched versionsNo safe version is published yet. -
Private WP suite <= 0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Exceptions' Setting
The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PublishedApr 21, 2026Affected ProductPrivate WP suitePlugin · private-wp-suiteAffected windowVersions up to 0.4.1Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 0.4.1Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 0.4.1Safe / patched versionsNo safe version is published yet. -
Real Estate Pro <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings
The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PublishedApr 21, 2026Affected ProductReal Estate ProPlugin · re-proAffected windowVersions up to 1.0.9Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.0.9Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.0.9Safe / patched versionsNo safe version is published yet. -
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters
The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the 'hh_htpasswd_path' option and lack of sanitization on the 'hh_www_authenticate_user' option value. The plugin allows administrators to set an arbitrary file path for the htpasswd file location and does not validate that the path has a safe file extension (e.g., restricting to .htpasswd). Additionally, the username field used for HTTP Basic Authentication is written directly into the file without sanitization. The apache_auth_credentials() function constructs the file content using the unsanitized username via sprintf('%s:{SHA}%s', $user, ...), and update_auth_credentials() writes this content to the attacker-controlled path via file_put_contents(). This makes it possible for authenticated attackers, with Administrator-level access and above, to write arbitrary content (including PHP code) to arbitrary file paths on the server, effectively achieving Remote Code Execution.
PublishedApr 21, 2026Affected ProductHTTP HeadersPlugin · http-headersAffected windowVersions up to 1.19.2Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.19.2Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.19.2Safe / patched versionsNo safe version is published yet. -
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values
The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service.
PublishedApr 21, 2026Affected ProductHTTP HeadersPlugin · http-headersAffected windowVersions up to 1.19.2Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.19.2Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.19.2Safe / patched versionsNo safe version is published yet. -
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Headers' Plugin Setting
The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PublishedApr 21, 2026Affected ProductHTTP HeadersPlugin · http-headersAffected windowVersions up to 1.19.2Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.19.2Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.19.2Safe / patched versionsNo safe version is published yet. -
Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute
The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed — the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.
PublishedApr 21, 2026Affected ProductTable ManagerPlugin · table-managerAffected windowVersions up to 1.0.0Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.0.0Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.0.0Safe / patched versionsNo safe version is published yet.
Coverage Hubs
Browse high-interest plugin and theme vulnerability hubs.
Use hub pages to review all indexed records for a single WordPress plugin or theme instead of scanning the global feed one advisory at a time.
Download Manager Pro
· plugin
Ninja Forms – The Contact Form Builder That Grows With You
· plugin
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
· plugin
GiveWP – Donation Plugin and Fundraising Platform
· plugin
Royal Addons for Elementor – Addons and Templates Kit for Elementor
· plugin
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
· plugin
Tutor LMS – eLearning and online course solution
· plugin
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
· plugin
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
· plugin
Essential Addons for Elementor – Popular Elementor Templates & Widgets
· plugin
Security Guides
Start with the WordPress security topics already showing search demand.
Browse practical guides for WordPress security audit, WooCommerce security, hardening, brute force protection, monitoring, and incident response.
WooCommerce Security Checklist for WordPress Stores
Use this WooCommerce security checklist to review payment-related plugins, customer account exposure, checkout integrity, and patch response before a vulnerability impact...
Read guideWordPress Security Hardening Checklist for 2026
Use this WordPress security hardening checklist for 2026 to review patch cadence, privileged access, XML-RPC exposure, backup readiness, and daily vulnerability monitorin...
Read guidePrevent Brute Force Attacks in WordPress: Best Practices
If you need to prevent brute force attacks in WordPress, the goal is to make credential abuse expensive and noisy for attackers. Brute force attacks are still one of the...
Read guideWordPress Security Monitoring: Metrics That Matter
WordPress security monitoring should drive action, not dashboard vanity. Focus on metrics that influence patching speed, detection quality, and incident outcomes.
Read guideWordPress Incident Response Plan Template for Security Teams
This WordPress incident response plan template helps security teams move from detection to containment, patching, recovery, and post-incident review when a plugin or them...
Read guide