Free tool · live NVD data

The live WordPress vulnerability feed.

Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer· Updated 2026-07-03

Latest WordPress core, plugin, and theme CVEs from the NIST National Vulnerability Database — pulled fresh, severity-ranked, patch-linked. Bookmark it. Wire it into your ops channel. It costs nothing.

0
Critical
0
High
0
Medium
20
Tracked

Updated Jul 13, 2026 · source: NIST NVD

How to read this page. Each row is a Common Vulnerabilities and Exposures (CVE) record affecting WordPress or a WordPress plugin/theme. Severity comes from CVSS 3.1 — CRITICAL (9.0–10.0) means unauthenticated remote code execution or auth bypass. Patch immediately.

What to do if you're on a listed plugin. Update to the fixed version now. If no patch exists, disable the plugin, block the vulnerable endpoint at the WAF (Cloudflare or Wordfence), then wait for the fix. Never leave a critical CVE open with the plugin active.

Latest WordPress CVEs

Sorted newest-first. Click any CVE ID for the full NVD entry with affected versions and patch information.

Data from NIST NVD · CVSS 3.1
CVE
Severity
Description
NONE
Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors. NOTE: due to lack of details, it is not clear how these issues are different from CVE-2006-3389 and CVE-2006-3390, although it is likely that 2.0.4 addresses an unspecified issue related to "Anyone can register" functionality (user registration for guests).
NONE
WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables.
NONE
index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged parameter, which displays the information in an SQL error message. NOTE: this issue has been disputed by a third party who states that the issue does not leak any target-specific information.
NONE
vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows remote attackers to spoof their IP address via a PC_REMOTE_ADDR HTTP header, which vars.php uses to redefine $_SERVER['REMOTE_ADDR'].
NONE
Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated…
NONE
Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI']).
NONE
Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.
NONE
SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment.
NONE
WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7) edit-form-advanced.php, (8) admin-functions.php, (9) edit-link-form.php, (10) edit-page-form.php, (11) admin-…
NONE
Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters.
NONE
Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE: followup comments to the researcher's web log suggest that this issue is only exploitable by the same user who injects the XSS, so this might not be a vu…
NONE
WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6) wp-admin/edit-form-comment.php, which leaks the path in an error message related to undefined functions or failed include…
NONE
The _httpsrequest function in Snoopy 1.2, as used in products such as (1) MagpieRSS, (2) WordPress, (3) Ampache, and (4) Jinzora, allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTPS URL to an SSL protected web page, which is not properly handled by the fetch function.
NONE
Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.
NONE
WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector [1] was later reported to also affect WordPress 2.0.1.
NONE
wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use.
NONE
SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file.
NONE
Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter.
NONE
Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML …
NONE
SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php.

Data licensed via public domain from the U.S. National Vulnerability Database. WebCare Studios is not affiliated with NIST. This feed is provided as-is with no warranty — always verify against the vendor advisory before acting.

A CVE feed is a warning system, not a fix.

Knowing a critical CVE dropped at 2am doesn't help if nobody's on-call to patch it. WebCare's care plans include automated CVE monitoring against your installed plugins — you get a Slack ping and a patched staging site inside the SLA, not a link to NVD.

  • Named engineer patches inside SLA (12h Care, 4h Commerce, 15 min Scale).
  • Patchstack + WPScan + NVD cross-check nightly.
  • Virtual-patched at the WAF if no vendor fix yet.

Wire this feed into your own ops

This page is stable — link it, embed it, ping it. If you want the raw JSON pushed to a Slack channel or a webhook, we ship that as an add-on on the Scale plan and above. No third-party SaaS in the loop.

  • · Slack / Teams / Discord webhook
  • · Filter by installed plugins only
  • · CVSS threshold routing
  • · Bundled with the WordPress vulnerability scanner tool
Try the vulnerability scanner

Related in the WordPress security cluster

Every page in this cluster answers a specific search intent. Jump to the one that matches yours.

Call Book a call