734 CVEs

2 in CISA KEV

wordpress Vulnerabilities

CVE security advisories and vulnerability history for wordpress.

734

Total CVEs

Published

2

In CISA KEV

Exploited in the wild

269

Public exploits

With known exploit

6.2

Avg CVSS

2005–2026

Overview

wordpress has 734 published CVE records since 2005, of which 2 are in CISA's Known Exploited Vulnerabilities catalog and 269 have a known public exploit. The average CVSS base score across scored CVEs is 6.2.

This page aggregates every publicly disclosed vulnerability (CVE) affecting wordpress products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of wordpress's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical12

High28

Medium110

Low6

578 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

2

2 of wordpress's CVEs are confirmed exploited in the wild.

Public exploits

269

269 of wordpress's CVEs have a known public exploit available.

Most affected products

The wordpress products with the most published CVEs.

wordpress584 CVEs
debian linux93 CVEs
wordpress-multisite44 CVEs
fedora20 CVEs
wordpress-develop19 CVEs
wordpress mu10 CVEs
mingle-forum5 CVEs
backupbuddy4 CVEs

Common weakness types

The CWE weakness categories most often found in wordpress CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish wordpress CVE records.

Disclosure activity by year

How many wordpress CVEs were published each year.

2019

23

2020

23

2021

10

2022

10

2023

10

2024

76

2025

15

2026

19

Latest wordpress CVEs

The most recently disclosed vulnerabilities affecting wordpress.

WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting
CWE-79
Medium · CVSS 6.4
EPSS 0.0%2026-05-16
Check & Log Email < 2.0.13 - Unauthenticated Stored XSS
Medium · CVSS 5.4
EPSS 0.1%2026-04-28
Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution
CWE-94
High · CVSS 7.2
EPSS 0.1%2026-04-02
Export All URLs < 5.1 - Unauthenticated Sensitive Data Exposure
CWE-200
Medium · CVSS 5.3
EPSS 0.0%2026-04-01
Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF
CWE-918
Medium · CVSS 5.8
EPSS 0.0%2026-03-31
WP Lightbox 2 < 3.0.7 - Admin+ Stored XSS
Medium · CVSS 4.8
EPSS 0.0%2026-03-26
Shared Files < 1.7.58 - Contributor+ Arbitrary File Download
Medium · CVSS 6.8
EPSS 0.0%2026-03-26
Get Use APIs < 2.0.10 - Contributor+ Stored XSS
CWE-79
Medium · CVSS 5.9
EPSS 0.0%2026-03-18
Login with Salesforce <= 1.0.2 - Unauthenticated Authentication Bypass
Critical · CVSS 9.1
EPSS 0.1%2026-03-05
Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection
CWE-502
Medium · CVSS 6.5
EPSS 0.1%2026-02-28
Conditional CAPTCHA <= 4.0.0 - Open Redirect
CWE-601
Medium · CVSS 4.3
EPSS 0.0%2026-02-22
Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending
CWE-862
Medium · CVSS 5.8
EPSS 2.6%2026-02-17

Track new wordpress CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor wordpress CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

foxitsoftware802 CVEs php783 CVEs schneider-electric777 CVEs oretnom23766 CVEs imagemagick740 CVEs wireshark735 CVEs novell675 CVEs broadcom674 CVEs

Browse all vendors

Frequently asked questions

Common questions about wordpress vulnerabilities.

How many CVEs does wordpress have?

wordpress has 734 published CVE records since 2005, including 34 in the last two years.

How many wordpress CVEs are in CISA KEV?

Yes — 2 of wordpress's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which wordpress products have the most CVEs?

The wordpress products with the most published CVEs are wordpress, debian linux, wordpress-multisite, fedora, wordpress-develop.

What are the most common weakness types in wordpress CVEs?

wordpress's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-862 (Missing Authorization), CWE-352 (Cross-Site Request Forgery (CSRF)), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Are there public exploits for wordpress vulnerabilities?

Yes — 269 of wordpress's CVEs have a known public exploit.

How many critical wordpress vulnerabilities are there?

wordpress has 12 critical and 28 high-severity CVEs.

What is the average severity of wordpress CVEs?

The average CVSS base score across wordpress's scored CVEs is 6.2.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track wordpress vulnerabilities

Monitor new wordpress vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing