WordPress Security Audit Checklist for Production Sites
A WordPress security audit checklist should produce clear remediation actions, not a long report nobody executes. Use this guide to review core, plugins, themes, privileg...
Read guideVulnTitan Plugin
Scan WordPress with VulnTitan.
Free plugin for live checks. Pro adds scheduled scans, malware detection, integrity monitoring, alerts and guided remediation.
-
Xpro Elementor Addons - Pro <= 1.4.7 - Authenticated (Contributor+) Arbitrary File Read via Draw SVG
The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PublishedMay 26, 2026Affected ProductXpro Elementor Addons - ProPlugin · xpro-elementor-addons-proAffected windowVersions up to 1.4.7Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 1.4.8Recommended next stepUpdate to 1.4.8Move to a safe release and validate after update.Affected if you're usingVersions up to 1.4.7Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in1.4.8Update to this version or a newer safe release.What to doUpdate to version 1.4.8, or a newer patched version
Affected versionsVersions up to 1.4.7Safe / patched versions1.4.8 -
MinhNhut Link Gateway <= 3.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Plugin Settings
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings (Description, Title, and other fields) in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the redirect page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PublishedMay 26, 2026Affected ProductMinhNhut Link GatewayPlugin · minhnhut-link-gatewayAffected windowVersions up to 3.6.1Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 3.6.1Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 3.6.1Safe / patched versionsNo safe version is published yet. -
MinhNhut Link Gateway <= 3.6.1 - Reflected Cross-Site Scripting via 'url' Parameter
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter on the redirect page in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PublishedMay 26, 2026Affected ProductMinhNhut Link GatewayPlugin · minhnhut-link-gatewayAffected windowVersions up to 3.6.1Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 3.6.1Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 3.6.1Safe / patched versionsNo safe version is published yet. -
myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link_title' Parameter
The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_title' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PublishedMay 26, 2026Affected ProductmyLinksDumpPlugin · mylinksdumpAffected windowVersions up to 1.6Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.6Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.6Safe / patched versionsNo safe version is published yet. -
rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings
The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PublishedMay 26, 2026Affected ProductrexCrawlerPlugin · rexcrawlerAffected windowVersions up to 1.0.15Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.0.15Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.0.15Safe / patched versionsNo safe version is published yet. -
WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter
The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PublishedMay 26, 2026Affected ProductWP PromoterPlugin · wp-promoterAffected windowVersions up to 1.3Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.3Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.3Safe / patched versionsNo safe version is published yet. -
MetaMagic SEO Plugin <= 1.6 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page
The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metamagic_update_options function. This makes it possible for unauthenticated attackers to modify the plugin's SEO settings, including enabling or disabling the plugin and toggling description and keyword meta tag output via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PublishedMay 26, 2026Affected ProductMetaMagic SEO PluginPlugin · metamagicAffected windowVersions up to 1.6Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.6Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.6Safe / patched versionsNo safe version is published yet. -
Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedMay 26, 2026Affected ProductGithub ShortcodePlugin · github-shortcodeAffected windowVersions up to 0.1Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 0.1Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 0.1Safe / patched versionsNo safe version is published yet. -
WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
PublishedMay 26, 2026Affected ProductWPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code ManagerPlugin · insert-headers-and-footersAffected windowVersions up to 2.3.5Expand for exact coverage and remediation detail.Patch statusPatched release availableFixed in 2.3.6Recommended next stepUpdate to 2.3.6Move to a safe release and validate after update.Affected if you're usingVersions up to 2.3.5Check the full report if you need exact branch-by-branch coverage.Patch availableYesA fixed release is listed for this issue.Fixed in2.3.6Update to this version or a newer safe release.What to doUpdate to version 2.3.6, or a newer patched version
Affected versionsVersions up to 2.3.5Safe / patched versions2.3.6 -
Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has knowns security vulnerabilities.
PublishedMay 26, 2026Affected ProductEnable jQuery Migrate HelperPlugin · enable-jquery-migrate-helperAffected windowVersions up to 1.4.1Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.4.1Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.4.1Safe / patched versionsNo safe version is published yet.
Coverage Hubs
Browse high-interest plugin and theme vulnerability hubs.
Use hub pages to review all indexed records for a single WordPress plugin or theme instead of scanning the global feed one advisory at a time.
Download Manager Pro
· plugin
Royal Addons for Elementor – Addons and Templates Kit for Elementor
· plugin
Ninja Forms – The Contact Form Builder That Grows With You
· plugin
GiveWP – Donation Plugin and Fundraising Platform
· plugin
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
· plugin
Tutor LMS – eLearning and online course solution
· plugin
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
· plugin
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
· plugin
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
· plugin
Essential Addons for Elementor – Popular Elementor Templates & Widgets
· plugin
Security Guides
Start with the WordPress security topics already showing search demand.
Browse practical guides for WordPress security audit, WooCommerce security, hardening, brute force protection, monitoring, and incident response.
WooCommerce Security Checklist for WordPress Stores
Use this WooCommerce security checklist to review payment-related plugins, customer account exposure, checkout integrity, and patch response before a vulnerability impact...
Read guideWordPress Security Hardening Checklist for 2026
Use this WordPress security hardening checklist for 2026 to review patch cadence, privileged access, XML-RPC exposure, backup readiness, and daily vulnerability monitorin...
Read guidePrevent Brute Force Attacks in WordPress: Best Practices
If you need to prevent brute force attacks in WordPress, the goal is to make credential abuse expensive and noisy for attackers. Brute force attacks are still one of the...
Read guideWordPress Security Monitoring: Metrics That Matter
WordPress security monitoring should drive action, not dashboard vanity. Focus on metrics that influence patching speed, detection quality, and incident outcomes.
Read guideWordPress Incident Response Plan Template for Security Teams
This WordPress incident response plan template helps security teams move from detection to containment, patching, recovery, and post-incident review when a plugin or them...
Read guide