WordPress Vulnerability Report � January 7, 2026

In this report, 333 vulnerabilities have been publicly disclosed. Security patches for 97 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 236 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins � 83 Patched / 170 Unpatched

Plugin:: Master Addons For Elementor � White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 40,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63053

Plugin:: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Plugin Slug:: popup-builder-block
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69026

Plugin:: EasyTest � Simplify A/B Testing
Plugin Slug:: convertpro
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63031

Plugin:: Post Snippets � Custom WordPress Code Snippets Customizer
Plugin Slug:: post-snippets
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63040

Plugin:: Cookies and Content Security Policy
Plugin Slug:: cookies-and-content-security-policy
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63019

Plugin:: Photo Gallery � GT3 Image Gallery & Gutenberg Block Gallery
Plugin Slug:: gt3-photo-video-gallery
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69084

Plugin:: Five Star Restaurant Reservations � WordPress Booking Plugin
Plugin Slug:: restaurant-reservations
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68044

Plugin:: Simple Like Page Plugin
Plugin Slug:: simple-facebook-plugin
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63022

Plugin:: Gmedia Photo Gallery
Plugin Slug:: grand-media
Installations: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63014

Plugin:: QuadLayers TikTok Feed
Plugin Slug:: wp-tiktok-feed
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63016

Plugin:: All in One Accessibility
Plugin Slug:: all-in-one-accessibility
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63004

Plugin:: Tooltips for WordPress
Plugin Slug:: wordpress-tooltips
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63005

Plugin:: Hotel Booking
Plugin Slug:: nd-booking
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63001

Plugin:: Zoho ZeptoMail
Plugin Slug:: transmail
Installations: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49028

Plugin:: Livemesh Addons for Beaver Builder
Plugin Slug:: addons-for-beaver-builder
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62990

Plugin:: AnyComment
Plugin Slug:: anycomment
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62874

Plugin:: Cooked � Recipe Management
Plugin Slug:: cooked
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62989

Plugin:: Everest Backup � WordPress Cloud Backup, Migration, Restore & Cloning Plugin
Plugin Slug:: everest-backup
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62992

Plugin:: GS Portfolio for Envato
Plugin Slug:: gs-envato-portfolio
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62755

Plugin:: WP Attachments
Plugin Slug:: wp-attachments
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62888

Plugin:: Knowledge Base documentation & wiki plugin � BasePress Docs
Plugin Slug:: basepress
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62761

Plugin:: Carousel Horizontal Posts Content Slider
Plugin Slug:: carousel-horizontal-posts-content-slider
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22347

Plugin:: Civic Cookie Control
Plugin Slug:: civic-cookie-control-8
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22348

Plugin:: Curator.io
Plugin Slug:: curatorio
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62742

Plugin:: Featured Image Generator
Plugin Slug:: featured-image-generator
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62747

Plugin:: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor � Funnelforms Free
Plugin Slug:: funnelforms-free
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62758

Plugin:: Calendar.online / Kalender.digital � Plugin
Plugin Slug:: kalender-digital
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62752

Plugin:: MAS Videos
Plugin Slug:: masvideos
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-62753

Plugin:: Menu In Post
Plugin Slug:: menu-in-post
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22349

Plugin:: MyBookTable Bookstore by Stormhill Media
Plugin Slug:: mybooktable
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62743

Plugin:: Series
Plugin Slug:: series
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62759

Plugin:: teachPress
Plugin Slug:: teachpress
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22353

Plugin:: The Moneytizer
Plugin Slug:: the-moneytizer
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62756

Plugin:: User Specific Content
Plugin Slug:: user-specific-content
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62749

Plugin:: Web and WooCommerce Addons for WPBakery Builder
Plugin Slug:: vc-addons-by-bit14
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62748

Plugin:: Wallet System for WooCommerce � Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
Plugin Slug:: wallet-system-for-woocommerce
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68029

Plugin:: WebMan Amplifier
Plugin Slug:: webman-amplifier
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62757

Plugin:: Accordion Slider Gallery
Plugin Slug:: accordion-slider-gallery
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62130

Plugin:: Add Custom Codes � Insert Header, Footer, Custom PHP Snippets, CSS, Javascript
Plugin Slug:: add-custom-codes
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62108

Plugin:: Add Custom Codes � Insert Header, Footer, Custom PHP Snippets, CSS, Javascript
Plugin Slug:: add-custom-codes
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62149

Plugin:: AdWords Conversion Tracking Code
Plugin Slug:: adwords-conversion-tracking-code
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62118

Plugin:: AI Content Writing Assistant
Plugin Slug:: ai-content-writing-assistant
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62154

Plugin:: AI Copilot � ChatGPT Chatbot & AI Engine for Post Automation
Plugin Slug:: ai-copilot
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62116

Plugin:: Payment Gateway Authorize.Net CIM for WooCommerce
Plugin Slug:: authnet-cim-for-woo
Installations: 1,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68013

Plugin:: AweBooking � Hotel Booking System
Plugin Slug:: awebooking
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68014

Plugin:: Bootstrap Modals
Plugin Slug:: bootstrap-modals
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62095

Plugin:: Co-marquage service-public.fr
Plugin Slug:: co-marquage-service-public
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62113

Plugin:: CodeColorer
Plugin Slug:: codecolorer
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68012

Plugin:: Core Web Vitals & PageSpeed Booster
Plugin Slug:: core-web-vitals-pagespeed-booster
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62144

Plugin:: Custom Background Changer
Plugin Slug:: custom-background-changer
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62125

Plugin:: Add Featured Image Custom Link
Plugin Slug:: custom-url-to-featured-image
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62119

Plugin:: DMCA Protection Badge
Plugin Slug:: dmca-badge
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62145

Plugin:: Download Media Library
Plugin Slug:: download-media-library
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62114

Plugin:: EasyIndex
Plugin Slug:: easyindex
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62117

Plugin:: Extra Shortcodes
Plugin Slug:: extra-shortcodes
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62111

Plugin:: FormFacade � Embed Google Forms in your website
Plugin Slug:: formfacade
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62133

Plugin:: Portfolio Gallery � Responsive Image Gallery
Plugin Slug:: gallery-portfolio
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62098

Plugin:: GLS Shipping for WooCommerce
Plugin Slug:: gls-shipping-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68011

Plugin:: Hide Plugins
Plugin Slug:: hide-plugins
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62115

Plugin:: Locatoraid Store Locator
Plugin Slug:: locatoraid
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62140

Plugin:: MX Time Zone Clocks
Plugin Slug:: mx-time-zone-clocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62146

Plugin:: Netgsm
Plugin Slug:: netgsm
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68010

Plugin:: Contact Form Widget
Plugin Slug:: new-contact-form-widget
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62134

Plugin:: Owl Carousel WP
Plugin Slug:: owl-carousel-wp
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22388

Plugin:: Page Title Splitter
Plugin Slug:: page-title-splitter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62744

Plugin:: ?????? ?????? ??????
Plugin Slug:: pardakht-delkhah
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62101

Plugin:: Product Delivery Date for WooCommerce � Lite
Plugin Slug:: product-delivery-date-for-woocommerce-lite
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69027

Plugin:: Realbig For WordPress
Plugin Slug:: realbig-media
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62147

Plugin:: Responsive Block Control � Hide blocks based on display width
Plugin Slug:: responsive-block-control
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62135

Plugin:: RestroPress � Online Food Ordering System
Plugin Slug:: restropress
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62129

Plugin:: Robots.txt rewrite
Plugin Slug:: robotstxt-rewrite
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62148

Plugin:: SEO Slider
Plugin Slug:: seo-slider
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62097

Plugin:: Slider Templates
Plugin Slug:: slider-templates
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68009

Plugin:: Tasty Recipes Lite
Plugin Slug:: tasty-recipes-lite
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62131

Plugin:: Tasty Recipes Lite
Plugin Slug:: tasty-recipes-lite
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62132

Plugin:: Logo Slider , Logo Carousel , Logo showcase , Client Logo
Plugin Slug:: tc-logo-slider
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62121

Plugin:: Terms descriptions
Plugin Slug:: terms-descriptions
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62139

Plugin:: OpenHook
Plugin Slug:: thesis-openhook
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62120

Plugin:: History Timeline for Biography, Company History & Event Timeline
Plugin Slug:: timeline-awesome
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62150

Plugin:: Trash Duplicate and 301 Redirect
Plugin Slug:: trash-duplicate-and-301-redirect
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62122

Plugin:: Cincopa video and media plug-in
Plugin Slug:: video-playlist-and-gallery-plugin
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62143

Plugin:: Cincopa video and media plug-in
Plugin Slug:: video-playlist-and-gallery-plugin
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62142

Plugin:: WP Gmail SMTP
Plugin Slug:: wp-gmail-smtp
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62123

Plugin:: WP Post Signature
Plugin Slug:: wp-post-signature
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62124

Plugin:: Varnish/Nginx Proxy Caching
Plugin Slug:: vcaching
Installations: 900+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62126

Plugin:: Sticky Notes for WP Dashboard
Plugin Slug:: wb-sticky-notes
Installations: 900+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62087

Plugin:: WP Advanced PDF
Plugin Slug:: wp-advanced-pdf
Installations: 900+
Vulnerability:: Other Vulnerability Type
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62138

Plugin:: iNext Woo Pincode Checker
Plugin Slug:: inext-woo-pincode-checker
Installations: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62084

Plugin:: Mergado Pack
Plugin Slug:: mergado-marketing-pack
Installations: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62089

Plugin:: Wiremo � Product Reviews for WooCommerce
Plugin Slug:: woo-reviews-by-wiremo
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62092

Plugin:: BoomDevs WordPress Coming Soon Plugin
Plugin Slug:: coming-soon-by-boomdevs
Installations: 700+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62083

Plugin:: Easy Upload Files During Checkout
Plugin Slug:: easy-upload-files-during-checkout
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62078

Plugin:: Live Shopping & Shoppable Videos For WooCommerce
Plugin Slug:: live-shopping-video-streams
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62080

Plugin:: Live Shopping & Shoppable Videos For WooCommerce
Plugin Slug:: live-shopping-video-streams
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62081

Plugin:: Ef� Bank
Plugin Slug:: woo-gerencianet-official
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-59136

Plugin:: WP Export Categories & Taxonomies
Plugin Slug:: wp-export-categories-taxonomies
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62079

Plugin:: Behance Portfolio Manager
Plugin Slug:: portfolio-manager-powered-by-behance
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-59135

Plugin:: Behance Portfolio Manager
Plugin Slug:: portfolio-manager-powered-by-behance
Installations: 400+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-59137

Plugin:: WP-CalDav2ICS
Plugin Slug:: wp-caldav2ics
Installations: 300+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-59131

Plugin:: Audiomack
Plugin Slug:: audiomack
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49357

Plugin:: Content Fetcher
Plugin Slug:: content-fetcher
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49358

Plugin:: Sell Downloads
Plugin Slug:: sell-downloads
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68850

Plugin:: Accessibility Press
Plugin Slug:: ilogic-accessibility
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49355

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68865

Plugin:: MyD Delivery
Plugin Slug:: myd-delivery
Installations: 100+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49334

Plugin:: Orders Chat for WooCommerce
Plugin Slug:: orders-chat-for-woocommerce
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49356

Plugin:: Simple XML Sitemap
Plugin Slug:: simple-xml-sitemap
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22355

Plugin:: Order Cancellation & Returns for WooCommerce
Plugin Slug:: wc-order-cancellation-return
Installations: 100+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49352

Plugin:: Effect Maker
Plugin Slug:: effect-maker
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68867

Plugin:: Flaming Password Reset
Plugin Slug:: flaming-password-reset
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68875

Plugin:: PRIMER by chlo�digital
Plugin Slug:: primer-by-chloedigital
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68873

Plugin:: Visitor Stats Widget
Plugin Slug:: visitor-stats-widget
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68874

Plugin:: Custom Style
Plugin Slug:: custom-style
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49342

Plugin:: e-shops???2
Plugin Slug:: e-shops-cart2
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68890

Plugin:: Noindex by Path
Plugin Slug:: noindex-by-path
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49353

Plugin:: Pinpoll
Plugin Slug:: pinpoll
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68889

Plugin:: Recent Posts From Each Category
Plugin Slug:: recent-posts-from-each-category
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49354

Plugin:: Scroll rss excerpt
Plugin Slug:: scroll-rss-excerpt
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68892

Plugin:: SensitiveTagCloud
Plugin Slug:: sensitive-tag-cloud
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49344

Plugin:: Simple Archive Generator
Plugin Slug:: simple-archive-generator
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49346

Plugin:: Social Profilr
Plugin Slug:: social-profilr-display-social-network-profile
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49343

Plugin:: WP App Bar
Plugin Slug:: wp-app-bar
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68891

Plugin:: WP-BusinessDirectory � Business directory plugin for WordPress
Plugin Slug:: wp-businessdirectory
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68887

Plugin:: WP-EasyArchives
Plugin Slug:: wp-easyarchives
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49345

Plugin:: Custom Post Status
Plugin Slug:: custom-post-status
Installations: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68885

Plugin:: Direct Payments WP
Plugin Slug:: direct-payments-wp
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49339

Plugin:: Direct Payments WP
Plugin Slug:: direct-payments-wp
Installations: 40+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49340

Plugin:: Flowbox
Plugin Slug:: flowbox
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49338

Plugin:: Dashboard Beacon
Plugin Slug:: wp-dashboard-beacon
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49337

Plugin:: WPBookit
Plugin Slug:: wpbookit
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12685

Plugin:: Advance WP Query Search Filter
Plugin Slug:: advance-wp-query-search-filter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14313

Plugin:: Advance WP Query Search Filter
Plugin Slug:: advance-wp-query-search-filter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14312

Plugin:: Appender
Plugin Slug:: appender
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66150

Plugin:: Appointify
Plugin Slug:: appointify
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-59130

Plugin:: Appointify
Plugin Slug:: appointify
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-59129

Plugin:: Wawp
Plugin Slug:: automation-web-platform
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62141

Plugin:: BM Content Builder
Plugin Slug:: bm-builder
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69055

Plugin:: Conformer for Elementor
Plugin Slug:: conformer-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66148

Plugin:: Countdowner for Elementor
Plugin Slug:: countdowner-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66151

Plugin:: Couponer for Elementor
Plugin Slug:: couponer-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66154

Plugin:: Criptopayer for Elementor
Plugin Slug:: criptopayer-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66152

Plugin:: Dental Care CPT
Plugin Slug:: dentalcare-cpt
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69035

Plugin:: Gmaper for Elementor
Plugin Slug:: gmaper-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66158

Plugin:: Select Graphist for Elementor Graphist for Elementor
Plugin Slug:: graphist-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66160

Plugin:: Headinger for Elementor
Plugin Slug:: headinger-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66153

Plugin:: Hotel Listing
Plugin Slug:: hotel-listing
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69056

Plugin:: iRecco Core
Plugin Slug:: irecco-core
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69046

Plugin:: JobBank
Plugin Slug:: jobbank
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69085

Plugin:: ListingPro Reviews
Plugin Slug:: listingpro-reviews
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69051

Plugin:: Logger for Elementor
Plugin Slug:: logger-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66146

Plugin:: WordPress Movies Bulk Importer
Plugin Slug:: movies importer
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22359

Plugin:: Questionar for Elementor
Plugin Slug:: questionar-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66155

Plugin:: Registration & Login with Mobile Phone Number for WooCommerce
Plugin Slug:: registration-login-with-mobile-phone-number
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-69052

Plugin:: Reuters Direct
Plugin Slug:: reuters-direct
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49349

Plugin:: SearchAzon
Plugin Slug:: searchazon
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22360

Plugin:: Sermon Manager
Plugin Slug:: sermon-manager-for-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63000

Plugin:: Sliper for Elementor
Plugin Slug:: sliper-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66157

Plugin:: Super Logos Showcase
Plugin Slug:: superlogoshowcase-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69054

Plugin:: Tech Life CPT
Plugin Slug:: techlife-cpt
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69036

Plugin:: UnGrabber
Plugin Slug:: ungrabber
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66149

Plugin:: Universal Video Player
Plugin Slug:: universal-video-player
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69053

Plugin:: Universal Video Player
Plugin Slug:: universal-video-player
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69048

Plugin:: Valenti Engine
Plugin Slug:: valenti-engine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63021

Plugin:: Walker for Elementor
Plugin Slug:: walker-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66159

Plugin:: Watcher for Elementor
Plugin Slug:: watcher-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66156

Plugin:: WING WordPress Migrator
Plugin Slug:: wing-migrator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52835

Plugin:: WooCommerce Parcelas
Plugin Slug:: woocommerce-parcelas
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62750

Plugin:: Worker for Elementor
Plugin Slug:: worker-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66144

Plugin:: Worker for WPBakery
Plugin Slug:: worker-wpbakery
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66145

Plugin:: WordPress & WooCommerce Scraper Plugin, Import Data from Any Site
Plugin Slug:: wp_scraper
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62088

Plugin:: PixelYourSite � Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 11.1.5.1
Severity Score:: Medium
CVE:: 2025-14280

Plugin:: Advanced Ads ��Ad Manager & AdSense
Plugin Slug:: advanced-ads
Installations: 100,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.0.15
Severity Score:: Critical
CVE:: 2025-13592

Plugin:: Aruba HiSpeed Cache
Plugin Slug:: aruba-hispeed-cache
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.3
Severity Score:: Medium
CVE:: 2025-67913

Plugin:: Depicter � Popup & Slider Builder
Plugin Slug:: depicter
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.0
Severity Score:: Medium
CVE:: 2025-11370

Plugin:: Depicter � Popup & Slider Builder
Plugin Slug:: depicter
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.5
Severity Score:: Medium
CVE:: 2025-68558

Plugin:: Strong Testimonials
Plugin Slug:: strong-testimonials
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.19
Severity Score:: Medium
CVE:: 2025-14426

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2.1
Severity Score:: Medium
CVE:: 2025-13964

Plugin:: Comments � wpDiscuz
Plugin Slug:: wpdiscuz
Installations: 80,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 7.6.40
Severity Score:: Critical
CVE:: 2025-13820

Plugin:: Post and Page Builder by BoldGrid � Visual Drag and Drop Editor
Plugin Slug:: post-and-page-builder
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.27.10
Severity Score:: Medium
CVE:: 2025-69345

Plugin:: Table Field Add-on for ACF and SCF
Plugin Slug:: advanced-custom-fields-table-field
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.31
Severity Score:: Medium
CVE:: 2025-12067

Plugin:: TaxoPress: Tag, Category, and Taxonomy Manager � AI Autotagger
Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.42.0
Severity Score:: Medium
CVE:: 2025-14371

Plugin:: Easy Digital Downloads � eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 40,000+
Vulnerability:: Open Redirection
Patched in Version:: 3.6.3
Severity Score:: Medium
CVE:: 2025-14783

Plugin:: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Plugin Slug:: popup-builder-block
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2025-14441

Plugin:: Quiz and Survey Master (QSM) � Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.3.2
Severity Score:: Medium
CVE:: 2025-9294

Plugin:: Link Whisper Free
Plugin Slug:: link-whisper
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.8.9
Severity Score:: High
CVE:: 2025-67927

Plugin:: Ultimate Post Kit Addons for Elementor
Plugin Slug:: ultimate-post-kit
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.0.16
Severity Score:: Medium
CVE:: 2025-14434

Plugin:: WP Custom Admin Interface
Plugin Slug:: wp-custom-admin-interface
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.41
Severity Score:: Medium
CVE:: 2025-63038

Plugin:: Branda � White Label & Branding, Free Login Page Customizer
Plugin Slug:: branda-white-labeling
Installations: 20,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.4.29
Severity Score:: Critical
CVE:: 2025-14998

Plugin:: Icegram Engage � Popups, Optins, CTAs & lot more�
Plugin Slug:: icegram
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.36
Severity Score:: Medium
CVE:: 2025-68507

Plugin:: WP Import � Ultimate CSV XML Importer for WordPress
Plugin Slug:: wp-ultimate-csv-importer
Installations: 20,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 7.36
Severity Score:: Medium
CVE:: 2025-14627

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 4.2.5
Severity Score:: High
CVE:: 2025-14047

Plugin:: AffiliateX � Amazon Affiliate Plugin
Plugin Slug:: affiliatex
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.0
Severity Score:: Medium
CVE:: 2025-69346

Plugin:: Demo Importer Plus
Plugin Slug:: demo-importer-plus
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.9
Severity Score:: Medium
CVE:: 2025-69091

Plugin:: Fluent Support � Helpdesk & Customer Support Ticket System
Plugin Slug:: fluent-support
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.10.5
Severity Score:: Medium
CVE:: 2025-67926

Plugin:: Form Vibes � Database Manager for Forms
Plugin Slug:: form-vibes
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2025-13409

Plugin:: GamiPress � Gamification plugin to reward points, achievements, badges & ranks in WordPress
Plugin Slug:: gamipress
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.6.2
Severity Score:: Medium
CVE:: 2025-13812

Plugin:: Logo Slider � Logo Carousel, Logo Showcase & Client Logo Slider Plugin
Plugin Slug:: logo-slider-wp
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.0
Severity Score:: Medium
CVE:: 2025-13153

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.7.7
Severity Score:: Medium
CVE:: 2025-13766

Plugin:: Plugin Organizer
Plugin Slug:: plugin-organizer
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 10.2.4
Severity Score:: High
CVE:: 2025-13417

Plugin:: Postie
Plugin Slug:: postie
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.74
Severity Score:: Medium
CVE:: 2025-63020

Plugin:: Team � Team Members Showcase Plugin
Plugin Slug:: tlp-team
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.0.11
Severity Score:: Critical
CVE:: 2025-14124

Plugin:: User Submitted Posts � Enable Users to Submit Posts from the Front End
Plugin Slug:: user-submitted-posts
Installations: 10,000+
Vulnerability:: Open Redirection
Patched in Version:: 20251210
Severity Score:: Medium
CVE:: 2025-68509

Plugin:: weForms � Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.26
Severity Score:: Medium
CVE:: 2025-69028

Plugin:: YaMaps for WordPress Plugin
Plugin Slug:: yamaps
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.6.40
Severity Score:: Medium
CVE:: 2025-13958

Plugin:: Blog Filter Post Filtering
Plugin Slug:: blog-filter
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.4
Severity Score:: Medium
CVE:: 2025-69033

Plugin:: Customer Email Verification for WooCommerce
Plugin Slug:: emails-verification-for-woocommerce
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.3
Severity Score:: Medium
CVE:: 2025-47504

Plugin:: ShopBuilder � WooCommerce Builder For Elementor
Plugin Slug:: shopbuilder
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.2
Severity Score:: High
CVE:: 2025-13456

Plugin:: Ultimate Store Kit � Addon For WooCommerce, EDD and Elementor
Plugin Slug:: ultimate-store-kit
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.5
Severity Score:: Medium
CVE:: 2025-69336

Plugin:: FlexTable � Data Table Sync with Google Sheets
Plugin Slug:: sheets-to-wp-table-live-sync
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.2
Severity Score:: Medium
CVE:: 2025-9543

Plugin:: WpStream � Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.6
Severity Score:: Medium
CVE:: 2025-68522

Plugin:: WpStream � Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.6
Severity Score:: Medium
CVE:: 2025-68521

Plugin:: Spiffy Calendar
Plugin Slug:: spiffy-calendar
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.8
Severity Score:: Medium
CVE:: 2025-68523

Plugin:: Academy LMS � WordPress LMS Plugin for Complete eLearning Solution
Plugin Slug:: academy
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2025-68527

Plugin:: Free Shipping Bar: Amount Left for Free Shipping for WooCommerce
Plugin Slug:: amount-left-free-shipping-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.0
Severity Score:: Medium
CVE:: 2025-68528

Plugin:: Auto Listings � Car Listings & Car Dealership Plugin for WordPress
Plugin Slug:: auto-listings
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.2
Severity Score:: Medium
CVE:: 2025-69089

Plugin:: BuddyPress Activity Shortcode
Plugin Slug:: bp-activity-shortcode
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.9
Severity Score:: Medium
CVE:: 2025-62760

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 2,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.12
Severity Score:: Critical
CVE:: 2025-67911

Plugin:: Team Showcase � Responsive Team Members Grid, Slider, and Carousel Plugin
Plugin Slug:: team-showcase
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2025-69335

Plugin:: Appointment Booking Calendar � WP Timetics Booking Plugin
Plugin Slug:: timetics
Installations: 2,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.0.48
Severity Score:: High
CVE:: 2025-67915

Plugin:: Featured Video for WordPress � VideographyWP
Plugin Slug:: videographywp
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.20
Severity Score:: Medium
CVE:: 2025-62746

Plugin:: Wishlist for WooCommerce: Multi Wishlists Per Customer
Plugin Slug:: wish-list-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2025-69334

Plugin:: Combo Offers WooCommerce
Plugin Slug:: woo-combo-offers
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3
Severity Score:: Medium
CVE:: 2025-69088

Plugin:: Email Marketing Plugin � WP Email Capture
Plugin Slug:: wp-email-capture
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.12.6
Severity Score:: Medium
CVE:: 2025-68529

Plugin:: Yada Wiki
Plugin Slug:: yada-wiki
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6
Severity Score:: Medium
CVE:: 2025-66094

Plugin:: Import into Easy Property Listings
Plugin Slug:: easy-property-listings-xml-csv-import
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-62112

Plugin:: Signature Add-On for Gravity Forms
Plugin Slug:: gravity-signature-forms-add-on
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.7
Severity Score:: Medium
CVE:: 2025-62099

Plugin:: Maximum Products per User for WooCommerce
Plugin Slug:: maximum-products-per-user-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.4
Severity Score:: Medium
CVE:: 2025-62096

Plugin:: Poptics � Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales
Plugin Slug:: poptics
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.21
Severity Score:: Medium
CVE:: 2025-69025

Plugin:: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.
Plugin Slug:: print-google-cloud-print-gcp-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.1
Severity Score:: Medium
CVE:: 2025-69024

Plugin:: SiteLock Security � WP Hardening, Login Security & Malware Scans
Plugin Slug:: sitelock
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.2
Severity Score:: Medium
CVE:: 2025-62128

Plugin:: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Plugin Slug:: sunshine-photo-cart
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.7.2
Severity Score:: Medium
CVE:: 2025-68535

Plugin:: Lucky Wheel for WooCommerce � Spin a Sale
Plugin Slug:: woo-lucky-wheel
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.1.14
Severity Score:: Critical
CVE:: 2025-14509

Plugin:: WPCal.io � Easy Meeting Scheduler
Plugin Slug:: wpcal
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.9.5.10
Severity Score:: Medium
CVE:: 2025-66103

Plugin:: Serial Codes Generator and Validator with WooCommerce Support
Plugin Slug:: serial-codes-generator-and-validator
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.3
Severity Score:: Medium
CVE:: 2025-62091

Plugin:: URL Image Importer
Plugin Slug:: url-image-importer
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.8
Severity Score:: Medium
CVE:: 2025-14120

Plugin:: ilGhera Support System for WooCommerce
Plugin Slug:: wc-support-system
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2025-14034

Plugin:: Knowband Mobile App Builder
Plugin Slug:: knowband-mobile-app-builder-for-woocommerce
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2025-13029

Plugin:: Page Expire Popup/Redirection for WordPress
Plugin Slug:: page-expire-popup
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: 1.1
Severity Score:: High
CVE:: 2025-14153

Plugin:: Automotive Listings
Plugin Slug:: automotive
Vulnerability:: SQL Injection
Patched in Version:: 18.7
Severity Score:: Critical
CVE:: 2025-67928

Plugin:: XStore Core
Plugin Slug:: et-core-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6
Severity Score:: Medium
CVE:: 2025-64190

Plugin:: Follow My Blog Post
Plugin Slug:: follow-my-blog-post
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 2.4.1
Severity Score:: High
CVE:: 2025-68547

Plugin:: FooEvents for WooCommerce
Plugin Slug:: fooevents
Vulnerability:: SQL Injection
Patched in Version:: 1.20.5
Severity Score:: High
CVE:: 2025-69045

Plugin:: WP Cookie Notice for GDPR, CCPA & ePrivacy Consent
Plugin Slug:: gdpr-cookie-consent
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.4
Severity Score:: Medium
CVE:: 2025-66080

Plugin:: JetBlog
Plugin Slug:: jet-blog
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.7.1
Severity Score:: Medium
CVE:: 2025-68503

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.1.2
Severity Score:: Medium
CVE:: 2025-69333

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.8
Severity Score:: High
CVE:: 2025-67923

Plugin:: JetPopup
Plugin Slug:: jet-popup
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.0.20.2
Severity Score:: Medium
CVE:: 2025-68502

Plugin:: JetSearch
Plugin Slug:: jet-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.16.1
Severity Score:: Medium
CVE:: 2025-68504

Plugin:: JetTabs
Plugin Slug:: jet-tabs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.12.1
Severity Score:: Medium
CVE:: 2025-68499

Plugin:: JetTabs
Plugin Slug:: jet-tabs
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.12.1
Severity Score:: Medium
CVE:: 2025-68498

Plugin:: WBC907 Core
Plugin Slug:: wbc907-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.2
Severity Score:: Medium
CVE:: 2025-63027

Plugin:: WeDesignTech Ultimate Booking Addon
Plugin Slug:: wedesigntech-ultimate-booking-addon
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.4
Severity Score:: Medium
CVE:: 2025-69341

Plugin:: Woffice Core
Plugin Slug:: woffice-core
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.4.31
Severity Score:: Medium
CVE:: 2025-67919

WordPress Themes � 14 Patched / 66 Unpatched

Theme:: Black Rider
Theme Slug:: black-rider
Downloads: 45,140
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-59003

Theme:: Consulting
Theme Slug:: consulting
Downloads: 428,660
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63032

Theme:: Melos
Theme Slug:: melos
Downloads: 438,193
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62136

Theme:: Minamaze
Theme Slug:: minamaze
Downloads: 1,015,028
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62991

Theme:: Shuttle
Theme Slug:: shuttle
Downloads: 555,266
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62137

Theme:: Vireo
Theme Slug:: vireo
Downloads: 23,014
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62751

Theme:: Arcane
Theme Slug:: arcane
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69031

Theme:: Arlo
Theme Slug:: arlo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69082

Theme:: Backpack Traveler
Theme Slug:: backpacktraveler
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69030

Theme:: Bailly
Theme Slug:: bailly
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69039

Theme:: Bfres
Theme Slug:: bfres
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69040

Theme:: Hope
Theme Slug:: charity-is-hope
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69081

Theme:: Cocco
Theme Slug:: cocco
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22391

Theme:: Curly
Theme Slug:: curly
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22393

Theme:: Dekoro
Theme Slug:: dekoro
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69041

Theme:: DiveIt
Theme Slug:: diveit
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69059

Theme:: Dolcino
Theme Slug:: dolcino
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22411

Theme:: Eldon
Theme Slug:: eldon
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69057

Theme:: Electrician – Electrical Service WordPress
Theme Slug:: electrician
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22358

Theme:: Fiorello
Theme Slug:: fiorello
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22396

Theme:: FiveStar
Theme Slug:: fivestar
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69032

Theme:: Fleur
Theme Slug:: fleur
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22398

Theme:: Frapp�
Theme Slug:: frappe
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69083

Theme:: FreeAgent
Theme Slug:: freeagent
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69087

Theme:: Freshio
Theme Slug:: freshio
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22401

Theme:: Gecko
Theme Slug:: gecko
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69080

Theme:: Genemy
Theme Slug:: genemy
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-59138

Theme:: Hobo
Theme Slug:: hobo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69077

Theme:: Holmes
Theme Slug:: holmes
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22400

Theme:: Hyori
Theme Slug:: hyori
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69038

Theme:: Indoor Plants
Theme Slug:: indoor-plants
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69066

Theme:: Innovio
Theme Slug:: innovio
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22404

Theme:: Issabella
Theme Slug:: issabella
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69086

Theme:: Justicia
Theme Slug:: justicia
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22409

Theme:: Lekker
Theme Slug:: lekker
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69034

Theme:: Lindo
Theme Slug:: lindo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69042

Theme:: Malta
Theme Slug:: malta
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69078

Theme:: Modern Housewife
Theme Slug:: modernhousewife
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69076

Theme:: MoveMe
Theme Slug:: moveme
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69061

Theme:: Muji
Theme Slug:: muji
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69068

Theme:: Sound | Musical Instruments Online Store
Theme Slug:: musicplace
Vulnerability:: Deserialization of untrusted data
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-69079

Theme:: Overton
Theme Slug:: overton
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22406

Theme:: Overworld
Theme Slug:: overworld
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69050

Theme:: PartyMaker
Theme Slug:: partymaker
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69058

Theme:: PawFriends – Pet Shop and Veterinary WordPress Theme
Theme Slug:: pawfriends
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22382

Theme:: Pearson Specter
Theme Slug:: pearsonspecter
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69074

Theme:: Pets Land
Theme Slug:: petsland
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69064

Theme:: Pippo
Theme Slug:: pippo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69037

Theme:: Piqes
Theme Slug:: piqes
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69073

Theme:: Prider
Theme Slug:: prider
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69072

Theme:: Rashy
Theme Slug:: rashy
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69043

Theme:: Roam
Theme Slug:: roam
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22407

Theme:: Snow Mountain
Theme Slug:: snowmountain
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69065

Theme:: Struktur
Theme Slug:: struktur
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69029

Theme:: MaxShop
Theme Slug:: sw_maxshop
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69047

Theme:: Sweet Jane
Theme Slug:: sweetjane
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22426

Theme:: Tails
Theme Slug:: tails
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69067

Theme:: TanTum
Theme Slug:: tantum
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69071

Theme:: T�bel
Theme Slug:: tobel
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69049

Theme:: Tornados
Theme Slug:: tornados
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69070

Theme:: Triply
Theme Slug:: triply
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22402

Theme:: uReach
Theme Slug:: ureach
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69060

Theme:: Vango
Theme Slug:: vango
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69044

Theme:: Verdure
Theme Slug:: verdure
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22430

Theme:: Weedles
Theme Slug:: weedles
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69062

Theme:: Yolox
Theme Slug:: yolox
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69075

Theme:: Oneline Lite
Theme Slug:: oneline-lite
Downloads: 411,275
Vulnerability:: Broken Access Control
Patched in Version:: 6.7
Severity Score:: Medium
CVE:: 2025-69344

Theme:: Phlox
Theme Slug:: phlox
Downloads: 1,709,830
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.17.11
Severity Score:: Medium
CVE:: 2025-4776

Theme:: Bookory
Theme Slug:: bookory
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2.8
Severity Score:: High
CVE:: 2025-68530

Theme:: Calafate
Theme Slug:: calafate
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.8
Severity Score:: High
CVE:: 2025-69342

Theme:: Corpkit
Theme Slug:: corpkit
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-67925

Theme:: Corpkit
Theme Slug:: corpkit
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.1
Severity Score:: Critical
CVE:: 2025-67924

Theme:: Grand Restaurant
Theme Slug:: grandrestaurant
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.9
Severity Score:: High
CVE:: 2025-67922

Theme:: Jobify
Theme Slug:: jobify
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.1
Severity Score:: High
CVE:: 2025-67916

Theme:: Lobo
Theme Slug:: lobo
Vulnerability:: SQL Injection
Patched in Version:: 2.8.6
Severity Score:: High
CVE:: 2025-67921

Theme:: Neo Ocular
Theme Slug:: neoocular
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2
Severity Score:: High
CVE:: 2025-67920

Theme:: Photography
Theme Slug:: photography
Vulnerability:: Local File Inclusion
Patched in Version:: 7.7.5
Severity Score:: High
CVE:: 2025-68510

Theme:: Traveler
Theme Slug:: traveler
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.7
Severity Score:: Medium
CVE:: 2025-67917

Theme:: VidMov
Theme Slug:: vidmov
Vulnerability:: Path Traversal
Patched in Version:: 2.3.9
Severity Score:: High
CVE:: 2025-67914

Theme:: Woffice
Theme Slug:: woffice
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.31
Severity Score:: High
CVE:: 2025-67918