Vulnerabilities
What a Real WordPress Site Attack Looks Like (And How We Stopped It)
Most articles about WordPress security talk in generalities: keep your plugins updated, use strong passwords, install a firewall. This post is different. This is a real WordPress site attack that hit one of our client sites on July 13, 2026, told with the actual numbers, the actual IP addresses, and the actual fixes we deployed…
Yoast SEO – Advanced SEO with real-time guidance and built-in AI Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘jsonText’ Block Attribute – CVE-2026-3427 | WordPress Plugin Vulnerability Report
Plugin Name: Yoast SEO – Advanced SEO with real-time guidance and built-in AI Key Information: Software Type: PluginSoftware Slug: wordpress-seoSoftware Status: ActiveSoftware Author: yoastSoftware Downloads: 930,902,675Active Installs: 10,000,000Last Updated: March 22, 2026Patched Versions: 27.2Affected Versions: <= 27.1.1 Vulnerability Details: Name: Yoast SEO <= 27.1.1Title: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘jsonText’ Block AttributeType: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NCVE: CVE-2026-3427CVSS…
The Events Calendar Vulnerability – Missing Authorization to Authenticated (Subscriber+) Data Migration Control – CVE-2025-15043 | WordPress Plugin Vulnerability Report
Plugin Name: The Events Calendar Key Information Software Type: PluginSoftware Slug: the-events-calendarSoftware Status: ActiveSoftware Author: stellarwpSoftware Downloads: 78,686,265Active Installs: 700,000Last Updated: January 22, 2026Patched Versions: 6.15.13.1Affected Versions: ≤ 6.15.13 Vulnerability Details Name: The Events Calendar ≤ 6.15.13 – Missing Authorization to Authenticated Data Migration ControlTitle: Missing Authorization to Authenticated (Subscriber+) Data Migration ControlType: Missing Authorization…
Custom Fonts – Host Your Fonts Locally Vulnerability – Missing Authorization to Unauthenticated Font Deletion – CVE-2025-14351 | WordPress Plugin Vulnerability Report
Plugin Name: Custom Fonts – Host Your Fonts Locally Key Information Software Type: PluginSoftware Slug: custom-fontsSoftware Status: ActiveSoftware Author: brainstormforceSoftware Downloads: 6,158,177Active Installs: 300,000Last Updated: January 22, 2026Patched Versions: 2.1.17Affected Versions: ≤ 2.1.16 Vulnerability Details Name: Custom Fonts – Host Your Fonts Locally ≤ 2.1.16 Title: Missing Authorization to Unauthenticated Font DeletionType: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NCVE: CVE-2025-14351CVSS Score: 5.3Publicly…
Essential Addons for Elementor – Popular Elementor Templates & Widgets Vulnerability – Missing Authorization to Unauthenticated Sensitive Information Exposure – CVE-2026-1004 | WordPress Plugin Vulnerability Report
Plugin Name: Essential Addons for Elementor – Popular Elementor Templates & Widgets Key Information Software Type: PluginSoftware Slug: essential-addons-for-elementor-liteSoftware Status: ActiveSoftware Author: wpdevteamSoftware Downloads: 117,159,772Active Installs: 2,000,000Last Updated: January 22, 2026Patched Versions: 6.5.6Affected Versions: ≤ 6.5.5 Vulnerability Details Name: Essential Addons for Elementor ≤ 6.5.5 – Missing Authorization to Unauthenticated Sensitive Information ExposureTitle: Missing Authorization…
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic Vulnerability – Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure – CVE-2025-14384 | WordPress Plugin Vulnerability Report
Plugin Name: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic Key Information: Software Type: PluginSoftware Slug: all-in-one-seo-packSoftware Status: PatchedSoftware Author: smubSoftware Downloads: 196,420,959Active Installs: 3,000,000Last Updated: January 16, 2026Patched Versions: 4.9.3Affected Versions: ≤ 4.9.2 Vulnerability Details: Name: All in One SEO – Powerful SEO Plugin to Boost SEO…
Starter Templates Vulnerability – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass – CVE-2025-13065 | WordPress Plugin Vulnerability Report
Plugin Name: Starter Templates – AI-Powered Templates for Elementor & Gutenberg Key Information: Software Type: PluginSoftware Slug: astra-sitesSoftware Status: ActiveSoftware Author: brainstormforceSoftware Downloads: 86,521,101Active Installs: 2,000,000Last Updated: December 6, 2025Patched Versions: 4.4.42Affected Versions: ≤ 4.4.41 Vulnerability Details: Name: Starter Templates ≤ 4.4.41 – Authenticated (Author+) Arbitrary File Upload via WXR Upload BypassTitle: Authenticated (Author+) Arbitrary…