WordPress Vulnerability Report: March 2026
By WP Vanguard Team
Every week the WordPress ecosystem produces a fresh wave of vulnerability disclosures. Most site owners never hear about them until something goes wrong. This report covers every significant disclosure from March 12-19, 2026 -- what was found, how severe it is, whether a patch exists, and what you should do right now.
This week had two standout issues: a pair of WordPress themes carrying CVSS 9.8 privilege escalation vulnerabilities, and five high-severity flaws still waiting for patches from their developers.
The Numbers This Week
| Severity | Count | Patched | Unpatched |
|---|---|---|---|
| Critical (9.0+) | 2 | 1 | 1 |
| High (7.0-8.9) | 9 | 4 | 5 |
| Medium (4.0-6.9) | 10 | 8 | 2 |
| Total | 21 | 13 | 8 |
The ratio of unpatched to patched is worse than usual this week. Eight vulnerabilities have no fix available -- five of those are rated high or critical.
Critical Severity (CVSS 9.0+)
Golo Theme -- Privilege Escalation (CVE-2026-27051)
CVSS: 9.8 | Affected: Golo Theme <= 1.7.0 | Patch: Unavailable
The Golo multipurpose theme contains a privilege escalation vulnerability that allows an attacker with little to no authentication to elevate themselves to full administrator access on the target site. A CVSS score of 9.8 is the highest tier of severity short of a theoretical perfect 10.
Privilege escalation at this level is devastating. An attacker does not need to compromise a password or exploit a separate authentication bypass. They can send a crafted request to the Golo theme's vulnerable endpoint and come back with administrator credentials.
What happens next depends only on what the attacker wants. Common post-exploitation paths include:
- Installing a backdoor plugin that persists even after the theme is removed
- Adding a hidden administrator account for long-term access
- Injecting PHP webshells into theme files or the uploads directory
- Redirecting all visitors to phishing or malware distribution sites
- Exfiltrating the entire database including customer data and password hashes
The Golo theme is a popular multipurpose theme available on ThemeForest with tens of thousands of sales. The actual active installation count is not tracked on WordPress.org since it is a premium theme, but its commercial popularity translates to significant real-world exposure.
What to do: Check Appearance > Themes in your WordPress admin. If you are running Golo 1.7.0 or earlier, either apply a patch immediately when one is released by the developer, or temporarily switch to a different active theme while you wait. Do not leave a site with this theme active and unpatched in a production environment.
Search & Go Theme -- Privilege Escalation (CVE-2026-24971)
CVSS: 9.8 | Affected: Search & Go <= 2.8 | Patch: Version 2.8.1
The Search & Go theme carries an identical vulnerability class to Golo -- unauthenticated or low-privilege users can escalate to administrator access. The difference: a patch is available in version 2.8.1.
This distinction matters. The patch exists. The only remaining question is whether site owners apply it.
Theme vulnerabilities are chronically under-patched compared to plugin vulnerabilities for predictable reasons. Most sites run one active theme that rarely changes, so owners check for theme updates less frequently. WordPress automatic background updates do not cover premium themes purchased from third-party marketplaces. And theme update notifications are easier to dismiss than plugin notifications.
What to do: Update Search & Go to version 2.8.1 immediately. If you purchased the theme from ThemeForest or another marketplace, log into your account and download the latest version from your purchases section.
High Severity (CVSS 7.0-8.9)
Mixtape Theme -- Local File Inclusion (LFI)
CVSS: 8.1 | Affected: Mixtape <= 2.1 | Patch: None
Local File Inclusion vulnerabilities allow an attacker to force the server to read or execute arbitrary files from the filesystem. In a WordPress context, a successful LFI attack typically means reading wp-config.php -- the file containing database credentials, authentication keys, and salt values.
Once an attacker has wp-config.php contents, they can connect directly to your database and extract or modify any data, forge valid login cookies for any user account, and use hosting details for further reconnaissance. In the worst case, LFI can escalate to remote code execution if the attacker can first upload a file via a contact form or media upload, then include it through the LFI vulnerability.
No patch is available for Mixtape. The safest response is to deactivate the theme and switch to an alternative until a fix is released.
What to do: Deactivate Mixtape if running version 2.1 or earlier. Monitor the developer's site or changelog for a patch release.
Moments Theme -- Local File Inclusion (LFI)
CVSS: 8.1 | Affected: Moments <= 2.2 | Patch: None
The Moments theme shares the same vulnerability class as Mixtape -- local file inclusion, same severity score, same absence of a patch. Two themes with the same vulnerability type disclosed in the same week suggests either a shared underlying codebase, a shared vulnerable library, or a researcher who found the same pattern across multiple themes simultaneously.
The risk profile is identical to Mixtape. Any site running Moments 2.2 or earlier should treat this as a priority issue.
What to do: Deactivate Moments until a patch is available.
The Events Calendar -- Path Traversal (CVE-2026-3585)
CVSS: 7.5 | Affected: The Events Calendar <= 6.15.17 | Patch: None
This is the week's most impactful vulnerability by raw installation count. The Events Calendar has over 6 million active installations -- one of the most widely deployed plugins in the WordPress ecosystem. All of those sites are running an unpatched high-severity flaw as of this writing.
The vulnerability lives in the ajax_create_import function, which fails to properly validate file paths. An authenticated attacker with Author-level access can exploit this to read arbitrary files on the server.
Requiring Author-level access is a meaningful constraint -- this is not zero-click unauthenticated exploitation. But it is a lower bar than it appears. Sites with guest posting, multiple contributors, or any compromised contributor account are all vulnerable. The Events Calendar is especially common on community sites, event-driven platforms, and membership sites -- exactly the kinds of sites with multiple contributors at different access levels.
The most obvious target is wp-config.php. From there, database credentials, authentication keys, and hosting configurations are exposed. Attackers rarely stop at one file.
What to do: No patch is available yet for CVE-2026-3585. Restrict Author-level accounts to only trusted users. Remove any inactive contributor accounts. Monitor the Events Calendar changelog for a fix. For full technical detail on this vulnerability, see our dedicated writeup: The Events Calendar Path Traversal: What 6 Million Sites Need to Know.
PublishPress Authors -- Broken Access Control
CVSS: 7.5 | Affected: PublishPress Authors <= 4.10.1 | Patch: 4.11.0
PublishPress Authors allows WordPress sites to assign multiple authors to a single post and display detailed author profile pages. The broken access control vulnerability means certain privileged actions can be performed by lower-privileged users than intended. A patch is available in version 4.11.0.
What to do: Update PublishPress Authors to 4.11.0 or later.
Automated FedEx Shipping -- Broken Access Control
CVSS: 7.3 | Affected: Automated FedEx Shipping <= 5.1.8 | Patch: None
This WooCommerce shipping plugin handles real-time FedEx rates and order management. Broken access control in this context could expose order data, customer shipping addresses, and carrier configurations to unauthorized users. No patch is currently available.
What to do: No patch available. Consider temporarily switching to manual shipping rates until the developer releases a fix. Check the plugin's support forum for updates.
XStore Core -- Reflected XSS
CVSS: 7.1 | Affected: XStore Core <= 5.6.4 | Patch: 5.6.5
XStore is a popular WooCommerce theme with a companion Core plugin. The reflected XSS vulnerability means an attacker can craft a malicious URL that, when clicked by a logged-in administrator, executes JavaScript in their browser -- a common technique for stealing session cookies and hijacking the admin account.
What to do: Update XStore Core to version 5.6.5.
Remoji -- XSS (No Patch)
CVSS: 7.1 | Affected: Remoji <= 2.2 | Patch: None
An XSS vulnerability with no available fix. Limited installations, but unpatched XSS vulnerabilities attract attention from automated scanners once they are in public disclosure databases.
What to do: Deactivate Remoji until a patch is available.
Writeprint Stylometry -- Reflected XSS (No Patch)
CVSS: 7.1 | Affected: Writeprint <= 0.1 | Patch: None
An early-stage plugin with a reflected XSS flaw in the p parameter. No patch available.
What to do: Remove the plugin if not actively using it.
[CR] Paid Link Manager -- Reflected XSS
CVSS: 7.1 | Affected: [CR] Paid Link Manager <= 0.5 | Patch: 0.6
Reflected XSS fixed in version 0.6.
What to do: Update to version 0.6.
Medium Severity (CVSS 4.0-6.9)
These vulnerabilities are real but carry lower risk in most configurations. Patches are available for the majority.
| Plugin / Theme | CVSS | Type | Affected | Patched |
|---|---|---|---|---|
| Code Embed | 6.5 | Stored XSS via Custom Fields | <= 2.5.1 | 2.5.2 |
| JSON Content Importer | 6.5 | Contributor+ Stored XSS | < 2.0.10 | 2.0.10 |
| WP Go Maps | 6.5 | Settings Stored XSS | <= 10.0.05 | 10.0.06 |
| Education Zone Theme | 6.5 | Broken Access Control | <= 1.3.8 | 1.3.9 |
| Post SMTP | 5.4 | Missing Auth - OAuth Config | <= 3.8.0 | 3.9.0 |
| Duplicate Post | 5.4 | Missing Auth - Post Duplication | <= 4.5 | 4.6 |
| Royal Elementor Addons | 5.3 | Missing Auth - Content Exposure | <= 1.7.1049 | 1.7.1050 |
| Contextual Related Posts | 5.3 | Broken Access Control | < 4.2.2 | 4.2.2 |
| Subscriptions for WooCommerce | 5.3 | Missing Auth - Subscription Cancel | <= 1.9.2 | 1.9.3 |
| Energox Theme | N/A | Arbitrary File Deletion | <= 1.2 | None |
Post SMTP deserves a brief callout. The missing authorization flaw on handle_office365_oauth_redirect() means a Subscriber-level user could overwrite the site's Office 365 OAuth email configuration. That is the kind of access that can disrupt transactional email, intercept password reset flows, or cut off two-factor authentication delivery. Update to 3.9.0.
WordPress Core: Update to 6.9.3
WordPress 6.9.3 was released this week as a mandatory security and maintenance update. It patches CVE-2026-3906, a permissions-check flaw in the REST API comments controller introduced with the Notes feature in WordPress 6.9.
This is a Core update -- apply it universally. If you have automatic background updates enabled for minor releases (the default on most hosts), your site may already be on 6.9.3. Verify under Dashboard > Updates.
Prioritized Action List
If you maintain WordPress sites, here is the order in which to address this week's issues:
- Update WordPress Core to 6.9.3 -- 30 seconds, applies to every site
- Deactivate Golo Theme -- CVSS 9.8, no patch confirmed yet. Deactivate until resolved.
- Update Search & Go to 2.8.1 -- CVSS 9.8, patch available. Apply now.
- Deactivate Mixtape and Moments -- CVSS 8.1, no patches. Switch themes temporarily.
- Restrict author-level access if running Events Calendar <= 6.15.17 -- no patch yet
- Update XStore Core to 5.6.5 -- CVSS 7.1, patch available
- Update PublishPress Authors to 4.11.0 -- CVSS 7.5, patch available
- Update [CR] Paid Link Manager to 0.6 -- CVSS 7.1, patch available
- Work through the medium-severity table above -- all except Energox have patches
How to Check Your Sites
Manually reviewing plugin and theme versions across multiple sites is time-consuming. A faster path is to run a surface scan, which flags outdated software, security header gaps, and any domains showing up in threat intelligence feeds.
Scan your WordPress site free -- no login, results in under 2 minutes.
About This Report
We publish this vulnerability roundup weekly to help WordPress site owners and developers stay ahead of newly disclosed threats. Sources include Patchstack, Wordfence, SolidWP, NVD, and direct CVE disclosures. Severity scores are CVSS v3.1 base scores. Patch status is verified at time of publication -- check each plugin or theme's official changelog for current status.
Scan your site | View pricing | WordPress security for agencies
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.