Skip to content

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Company

About us
Blog
Learn
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Home
CNAs
Wpscan

WPScan CNA: CVE Report Card & Published CVEs

Grade D

Active

WPScan

CVE Numbering Authority

4,218

CVEs published

Total assigned

4.9

Years active

2021–2026

N/A

Avg CVSS

Across scored CVEs

1,252

Recent CVEs

Last 2 years

Overview

WPScan is a CVE Numbering Authority that has published 4,218 CVE records since 2021. It is currently classified as active, with 1,252 CVEs published in the last two years. Its CVE data quality is graded D (61.4% overall completeness).

Among the 370 CNAs tracked here, WPScan ranks #15 by CVE volume and reports more complete records than 15% of all CNAs.

Data quality report card

How complete and consistent WPScan's CVE records are, scored across vendor, product, CVSS, and CWE coverage.

A CVE record only requires a description to be published. “Completeness” measures how often WPScan also fills in the optional — but extremely useful — fields that make a vulnerability actually actionable: the affected vendor and product, a CVSS severity score, and a CWE weakness type. A higher score means more of this CNA’s CVEs include those details, so defenders spend less time enriching records by hand.

Report card grade

D

61.4%

Overall score

Overall completeness61.4%

Vendor completeness99.7%

Product completeness99.7%

CVSS completeness0%

CWE completeness46%

99.9%

Update rate

Records revised after publishing

101

Vendor diversity

Distinct vendors covered

260 chars

Avg description length

Per CVE record

2021-03-18

First CVE date

Earliest assignment

2026-02-11

Latest CVE date

Most recent assignment

N/A

Average CVSS

Across scored CVEs

What these scores mean

Vendor completeness: The share of this CNA's CVEs that name an affected vendor.
Product completeness: The share that name a specific affected product.
CVSS completeness: The share that include a CVSS severity score.
CWE completeness: The share mapped to a CWE weakness type.
Update rate: How often this CNA revises CVE records after first publishing them.
Vendor diversity: How many distinct vendors this CNA publishes CVEs for.

Severity and exploitation

How the CVSS severity of WPScan's published CVEs breaks down, and how many are known to be exploited in the wild.

Critical111

High424

Medium1,768

Low85

1,890 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

0

None of WPScan's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Common weakness types

The CWE weakness categories WPScan most often assigns to its CVEs. Follow any weakness to its full explanation.

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')1,051 CVEs
CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')258 CVEs
CWE-352Cross-Site Request Forgery (CSRF)241 CVEs
CWE-862Missing Authorization77 CVEs
CWE-434Unrestricted Upload of File with Dangerous Type54 CVEs
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')42 CVEs
CWE-863Incorrect Authorization31 CVEs
CWE-639Authorization Bypass Through User-Controlled Key30 CVEs

Publishing activity by year

How many CVEs WPScan has published each year.

2021

747

2022

1,144

2023

935

2024

773

2025

595

2026

84

Top vendors

The vendors WPScan publishes the most CVEs for.

tipsandtricks-hq48 CVEs
10Web47 CVEs
WordPress37 CVEs
ays-pro35 CVEs
Automattic29 CVEs
wow-company24 CVEs
Themeum24 CVEs
hasthemes21 CVEs

Top products

The products WPScan publishes the most CVEs for.

Contest Gallery20 CVEs
photo gallery19 CVEs
Contest Gallery Pro17 CVEs
Ninja Forms16 CVEs
Download Manager16 CVEs
Tutor LMS15 CVEs
EventON13 CVEs
Form Maker12 CVEs

Latest CVEs

The most recent CVEs assigned by WPScan.

CVE-2026-8293CWE-287
Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip
High · CVSS 7.5
EPSS 0.1%2026-06-02
CVE-2026-7862CWE-284
Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund Initiation
High · CVSS 8.6
EPSS 0.0%2026-05-28
CVE-2026-6268CWE-79
EventPress < 22.2 – Reflected Cross-Site Scripting
High · CVSS 7.1
EPSS 0.1%2026-05-27
CVE-2026-7385
Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure
Medium · CVSS 5.8
EPSS 0.0%2026-05-20
CVE-2026-5776
Email Encoder < 2.4.7 - Unauthenticated Stored XSS
Medium · CVSS 6.1
EPSS 0.1%2026-05-20
CVE-2025-15609
Fortis For WooCommerce < 1.3.1 - Sensitive API Key Disclosure
High · CVSS 7.5
EPSS 0.0%2026-05-19
CVE-2026-6495CWE-79
Ajax Load More < 7.8.4 - Reflected XSS
High · CVSS 7.1
EPSS 0.0%2026-05-18
CVE-2026-6381CWE-22
WP Maps < 4.9.3 - Subscriber+ Local File Inclusion
High · CVSS 7.5
EPSS 0.0%2026-05-18
CVE-2026-6379CWE-89
WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter
High · CVSS 8.6
EPSS 0.1%2026-05-18
CVE-2026-3220CWE-79
Multiple Plugins - Unauthenticated Stored XSS via Minify Library
High · CVSS 8.8
EPSS 0.0%2026-05-18
CVE-2026-1631CWE-862
Feeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion
Medium · CVSS 5.4
EPSS 0.0%2026-05-18
CVE-2026-6433
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE
High · CVSS 7.3
EPSS 1.0%2026-05-11

Track new WPScan CVEs as they are published and get AI-written analysis and remediation guidance.

Monitor WPScan CVEs

Other CNAs

Compare data quality across other CVE Numbering Authorities.

mitreGrade F · 112,208 CVEs PatchstackGrade A · 14,729 CVEs VulDBGrade A · 12,140 CVEs microsoftGrade F · 11,701 CVEs redhatGrade F · 10,745 CVEs GitHub_MGrade A · 10,605 CVEs LinuxGrade F · 10,294 CVEs WordfenceGrade A · 8,652 CVEs

Browse all CNAs

Frequently asked questions

Common questions about the WPScan CNA.

What is the WPScan CNA?

WPScan is a CVE Numbering Authority (CNA) — an organization authorized to assign CVE IDs to vulnerabilities in its scope. It has published 4,218 CVE records since 2021.

How many CVEs has WPScan published?

WPScan has published 4,218 CVE records, including 1,252 in the last two years.

What is WPScan's CVE data quality grade?

RadicalNotion.AI grades WPScan's CVE data quality as D, with an overall completeness score of 61.4%. This reflects how consistently its CVE records include vendor (99.7%), product (99.7%), CVSS (0%), and CWE (46%) information.

What products does WPScan publish CVEs for?

WPScan most frequently publishes CVEs for Contest Gallery, photo gallery, Contest Gallery Pro, Ninja Forms, Download Manager.

Which vendors does WPScan cover?

WPScan publishes CVEs across 101 distinct vendors, most often tipsandtricks-hq, 10Web, WordPress, ays-pro, Automattic.

Is WPScan actively publishing CVEs?

WPScan is currently active, based on 1,252 CVEs in the last two years.

How many critical CVEs has WPScan published?

WPScan has published 111 critical-severity CVEs and 424 high-severity CVEs.

Are any of WPScan's CVEs in CISA's Known Exploited Vulnerabilities catalog?

No. None of WPScan's CVEs are currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

What are the most common weakness types in WPScan's CVEs?

WPScan's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')), CWE-352 (Cross-Site Request Forgery (CSRF)), CWE-862 (Missing Authorization).

How does WPScan rank among CNAs?

By total CVE volume, WPScan ranks #15 of 370 CNAs, and it reports more complete CVE records than 15% of all CNAs.

References

Official CVE.org list of CNA partners (opens in a new tab)
Learn: What is a CNA?
CWE directory: the weakness types this CNA maps its CVEs to

CNA report-card grades are computed by RadicalNotion.AI from published CVE records. CVE data is sourced from the CVE Program.

Track WPScan CVEs

Monitor new vulnerabilities as this CNA publishes them, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Data quality report card
Severity and exploitation
Common weakness types
Publishing activity
Top vendors
Top products
Latest CVEs
Other CNAs
FAQ
References