WordPress Vulnerability Report � January 21, 2026

In this report, 180 vulnerabilities have been publicly disclosed. Security patches for 62 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 118 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025, adding Notes for block-level comments, an expanded Command Palette, and the new Abilities API to standardize permissions for future automation. It also includes performance improvements and new blocks and design tools to support faster, more flexible site building.

After any major release, don�t update live sites until you�ve taken backups and tested in a non-production environment.

WordPress Plugins � 57 Patched / 80 Unpatched

Plugin:: WP Test Email
Plugin Slug:: wp-test-email
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69102

Plugin:: Related Posts by Taxonomy
Plugin Slug:: related-posts-by-taxonomy
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0916

Plugin:: GeekyBot � Generate AI Content Without Prompt, Chatbot and Lead Generation
Plugin Slug:: geeky-bot
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-15266

Plugin:: CleverReach� WP
Plugin Slug:: cleverreach-wp
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68034

Plugin:: DK PDF � WordPress PDF Generator
Plugin Slug:: dk-pdf
Installations: 3,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14793

Plugin:: Name Directory
Plugin Slug:: name-directory
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-15283

Plugin:: Event Tickets with Ticket Scanner
Plugin Slug:: event-tickets-with-ticket-scanner
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68015

Plugin:: SEO Booster
Plugin Slug:: seo-booster
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68019

Plugin:: Order Notification for WooCommerce � Get Audio Alert on new Orders
Plugin Slug:: woc-order-alert
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68018

Plugin:: Rede Ita� for WooCommerce � Payment PIX, Credit Card and Debit
Plugin Slug:: woo-rede
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0939

Plugin:: Rede Ita� for WooCommerce � Payment PIX, Credit Card and Debit
Plugin Slug:: woo-rede
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0942

Plugin:: Antideo Email Validator
Plugin Slug:: antideo-email-validator
Installations: 900+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68017

Plugin:: Event Espresso � Event Registration & Ticketing Sales
Plugin Slug:: event-espresso-decaf
Installations: 700+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68007

Plugin:: WP Mail
Plugin Slug:: wp-mail
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68008

Plugin:: Shipping Rate By Cities
Plugin Slug:: shipping-rate-by-cities
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-14770

Plugin:: My Post Order
Plugin Slug:: my-posts-order
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68004

Plugin:: Shown Connector
Plugin Slug:: shown-connector
Installations: 400+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68003

Plugin:: Table of Contents Creator
Plugin Slug:: table-of-contents-creator
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68836

Plugin:: Netcash WooCommerce Payment Gateway
Plugin Slug:: netcash-pay-now-payment-gateway-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14880

Plugin:: Quote Master
Plugin Slug:: quote-master
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68849

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68864

Plugin:: Syntax Highlighter Compress
Plugin Slug:: syntax-highlighter-compress
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68859

Plugin:: HDForms | Contact Form Builder
Plugin Slug:: hdforms
Installations: 70+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68912

Plugin:: Dooodl
Plugin Slug:: dooodl
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68871

Plugin:: Gotham Block Extra Light
Plugin Slug:: gotham-block-extra-light
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15021

Plugin:: Gotham Block Extra Light
Plugin Slug:: gotham-block-extra-light
Installations: 60+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15020

Plugin:: WP Simple Redirect
Plugin Slug:: wp-simple-redirect
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68884

Plugin:: bidorbuy Store Integrator
Plugin Slug:: bidorbuystoreintegrator
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68883

Plugin:: ShoutOut
Plugin Slug:: shoutout
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68894

Plugin:: Accordion Slider PRO
Plugin Slug:: accordion_slider_pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49066

Plugin:: AJS Footnotes
Plugin Slug:: ajs-footnotes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-15378

Plugin:: Aplazo Payment Gateway
Plugin Slug:: aplazo-payment-gateway
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15512

Plugin:: SocialChamp with WordPress
Plugin Slug:: auto-post-to-social-media-wp-to-social-champ
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14846

Plugin:: WP Page Permalink Extension
Plugin Slug:: change-wp-page-permalinks
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14172

Plugin:: Omnichannel for WooCommerce
Plugin Slug:: codistoconnect
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68041

Plugin:: Crush.pics Image Optimizer
Plugin Slug:: crush-pics
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14482

Plugin:: DASHBOARD BUILDER
Plugin Slug:: dashboard-builder
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14615

Plugin:: Reservation Plugin
Plugin Slug:: dt-reservation-plugin
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69095

Plugin:: Electric Studio Download Counter
Plugin Slug:: electric-studio-download-counter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0741

Plugin:: Shipping Rates by City for WooCommerce
Plugin Slug:: flat-shipping-rate-by-city-for-woocommerce
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-0678

Plugin:: Float Payment Gateway
Plugin Slug:: float-gateway
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15513

Plugin:: GetContentFromURL
Plugin Slug:: getcontentfromurl
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14613

Plugin:: Hide My WP
Plugin Slug:: hide_my_wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69098

Plugin:: JNews – Frontend Submit
Plugin Slug:: jnews-frontend-submit
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68904

Plugin:: JNews – Pay Writer
Plugin Slug:: jnews-pay-writer
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68905

Plugin:: JNews – Video
Plugin Slug:: jnews-video
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68906

Plugin:: Kunze Law
Plugin Slug:: kunze-law
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15486

Plugin:: LEAV Last Email Address Validator
Plugin Slug:: last-email-address-validator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14853

Plugin:: LinkedIn SC
Plugin Slug:: linkedin-sc
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0812

Plugin:: List Site Contributors
Plugin Slug:: list-site-contributors
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-0594

Plugin:: Makesweat
Plugin Slug:: makesweat
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13627

Plugin:: News and Blog Designer Bundle
Plugin Slug:: news-and-blog-designer-bundle
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14502

Plugin:: PayHere Payment Gateway Plugin for WooCommerce
Plugin Slug:: payhere-payment-gateway
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15475

Plugin:: PDF Resume Parser
Plugin Slug:: pdf-resume-parser
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14464

Plugin:: Perfit WooCommerce
Plugin Slug:: perfit-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14173

Plugin:: Real Post Slider Lite
Plugin Slug:: real-post-slider-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0680

Plugin:: Responsive Accordion Slider
Plugin Slug:: responsive-accordion-slider
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0635

Plugin:: SearchWiz
Plugin Slug:: searchwiz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0694

Plugin:: Shabat Keeper
Plugin Slug:: shabat-keeper
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13701

Plugin:: Short Link
Plugin Slug:: short-link
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0813

Plugin:: Sosh Share Buttons
Plugin Slug:: sosh-share-buttons
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15377

Plugin:: SpiceForms Form Builder
Plugin Slug:: spiceforms-form-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12178

Plugin:: Stopwords for comments
Plugin Slug:: stopwords-for-comments
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15376

Plugin:: Synergy Project Manager
Plugin Slug:: synergy-project-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68898

Plugin:: Testimonials Creator
Plugin Slug:: testimonials-creator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14379

Plugin:: xPromoter
Plugin Slug:: top_bar_promoter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49046

Plugin:: Tutor LMS Pro
Plugin Slug:: tutor-pro
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-22332

Plugin:: Viet contact
Plugin Slug:: viet-contact
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1045

Plugin:: WooCommerce Frontend Manager � Ultimate
Plugin Slug:: wc-frontend-manager-ultimate
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22335

Plugin:: WDV One Page Docs � Documentation Plugin for WordPress
Plugin Slug:: wdv-one-page-docs
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68896

Plugin:: WMF Mobile Redirector
Plugin Slug:: wmf-mobile-redirector
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0739

Plugin:: Woocommerce Book Price
Plugin Slug:: woo-book-price
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22334

Plugin:: Integration Opvius AI for WooCommerce
Plugin Slug:: woosa-ai-for-woocommerce
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14301

Plugin:: Eli's WordCents adSense Widget with Analytics
Plugin Slug:: wordcents
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68872

Plugin:: Workreap Core
Plugin Slug:: workreap_core
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-69101

Plugin:: WP Allowed Hosts
Plugin Slug:: wp-allow-hosts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0734

Plugin:: WP Hello Bar
Plugin Slug:: wp-hello-bar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1042

Plugin:: WP Lead Capturing Pages
Plugin Slug:: wp-lead-capture
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49050

Plugin:: WPBlogSyn
Plugin Slug:: wpblogsync
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14389

Plugin:: WPLMS
Plugin Slug:: wplms_plugin
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69097

Plugin:: All in One SEO � Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Plugin Slug:: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.3
Severity Score:: Medium
CVE:: 2025-14384

Plugin:: Breeze Cache
Plugin Slug:: breeze
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.22
Severity Score:: Medium
CVE:: 2025-69364

Plugin:: Newsletter � Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 9.1.1
Severity Score:: Medium
CVE:: 2026-1051

Plugin:: Supreme Modules Lite � Divi Theme, Extra Theme and Divi Builder
Plugin Slug:: supreme-modules-for-divi
Installations: 200,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.5.63
Severity Score:: Critical
CVE:: 2025-13062

Plugin:: Advanced Ads ��Ad Manager & AdSense
Plugin Slug:: advanced-ads
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.0.16
Severity Score:: High
CVE:: 2025-12984

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.11.0
Severity Score:: High
CVE:: 2025-50004

Plugin:: LearnPress � WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2.5
Severity Score:: Medium
CVE:: 2025-14798

Plugin:: WooCommerce Square
Plugin Slug:: woocommerce-square
Installations: 80,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.1.2
Severity Score:: High
CVE:: 2025-13457

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.9.13
Severity Score:: Critical
CVE:: 2025-12166

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.9.3
Severity Score:: Low
CVE:: 2025-14457

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.14.12
Severity Score:: Medium
CVE:: 2025-14982

Plugin:: WP Duplicate Page
Plugin Slug:: wp-duplicate-page
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.1
Severity Score:: Medium
CVE:: 2025-14001

Plugin:: WP-Members Membership Plugin
Plugin Slug:: wp-members
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.4.4
Severity Score:: Medium
CVE:: 2025-14448

Plugin:: RSS Aggregator � RSS Import, News Feeds, Feed to Post, and Autoblogging
Plugin Slug:: wp-rss-aggregator
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.11
Severity Score:: High
CVE:: 2025-14375

Plugin:: Post Grid Gutenberg Blocks for News, Magazines, Blog Websites � PostX
Plugin Slug:: ultimate-post
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.4
Severity Score:: High
CVE:: 2025-69313

Plugin:: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Plugin Slug:: wp-simple-firewall
Installations: 40,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 21.0.10
Severity Score:: Medium
CVE:: 2025-15370

Plugin:: Cost Calculator Builder
Plugin Slug:: cost-calculator-builder
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.10
Severity Score:: Medium
CVE:: 2025-14757

Plugin:: Modular DS: Monitor, update, and backup multiple websites
Plugin Slug:: modular-connector
Installations: 30,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.6.0
Severity Score:: Critical
CVE:: 2026-23800

Plugin:: Modular DS: Monitor, update, and backup multiple websites
Plugin Slug:: modular-connector
Installations: 30,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.5.2
Severity Score:: Critical
CVE:: 2026-23550

Plugin:: Xpro Addons � 140+ Widgets for Elementor
Plugin Slug:: xpro-elementor-addons
Installations: 30,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.20
Severity Score:: Critical
CVE:: 2025-69312

Plugin:: Image Photo Gallery Final Tiles Grid
Plugin Slug:: final-tiles-grid-gallery-lite
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.10
Severity Score:: Medium
CVE:: 2025-15466

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7.0.89
Severity Score:: Medium
CVE:: 2025-14579

Plugin:: AffiliateX � Amazon Affiliate Plugin
Plugin Slug:: affiliatex
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.0
Severity Score:: Medium
CVE:: 2025-13859

Plugin:: Demo Importer Plus
Plugin Slug:: demo-importer-plus
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.0.10
Severity Score:: High
CVE:: 2025-14478

Plugin:: Membership Plugin � Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.17
Severity Score:: High
CVE:: 2025-14844

Plugin:: User Submitted Posts � Enable Users to Submit Posts from the Front End
Plugin Slug:: user-submitted-posts
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 20260113
Severity Score:: Medium
CVE:: 2026-0913

Plugin:: weMail � Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation
Plugin Slug:: wemail
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2025-14348

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 6.0.7.2
Severity Score:: Critical
CVE:: 2025-15403

Plugin:: NEX-Forms � Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.8
Severity Score:: Medium
CVE:: 2025-14803

Plugin:: UiChemy � Figma Converter for Elementor, Gutenberg and Bricks
Plugin Slug:: uichemy
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2025-69362

Plugin:: Awesome Support � WordPress HelpDesk & Support Plugin
Plugin Slug:: awesome-support
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.3.7
Severity Score:: Medium
CVE:: 2025-12641

Plugin:: Poll, Survey & Quiz Maker Plugin by Opinion Stage
Plugin Slug:: social-polls-by-opinionstage
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 19.6.25
Severity Score:: High

Plugin:: Responsive Addons for Elementor � Free Elementor Addons Plugin and Elementor Templates
Plugin Slug:: responsive-addons-for-elementor
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.9
Severity Score:: Medium
CVE:: 2025-69363

Plugin:: Tickera � Sell Tickets & Manage Events
Plugin Slug:: tickera-event-ticketing-system
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.6.3
Severity Score:: Medium
CVE:: 2025-67939

Plugin:: Wallet System for WooCommerce � Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
Plugin Slug:: wallet-system-for-woocommerce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.3
Severity Score:: Medium
CVE:: 2025-14450

Plugin:: GDPR CCPA Compliance & Cookie Consent Banner
Plugin Slug:: ninja-gdpr-compliance
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.5
Severity Score:: Medium
CVE:: 2025-68073

Plugin:: Quick Contact Form
Plugin Slug:: quick-contact-form
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.2.7
Severity Score:: Medium
CVE:: 2025-12718

Plugin:: Team Section Block � Showcase Team Members with Layout Options
Plugin Slug:: team-section
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2026-0833

Plugin:: Peach Payments Gateway
Plugin Slug:: wc-peach-payments-gateway
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.7
Severity Score:: Medium
CVE:: 2025-67942

Plugin:: Church Admin
Plugin Slug:: church-admin
Installations: 900+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.0.29
Severity Score:: Medium
CVE:: 2026-0682

Plugin:: CM E-Mail Blacklist � Simple email filtering for safer registration
Plugin Slug:: cm-email-blacklist
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.3
Severity Score:: Medium
CVE:: 2026-0691

Plugin:: onepay Payment Gateway For WooCommerce
Plugin Slug:: onepay-payment-gateway-for-woocommerce
Installations: 900+
Vulnerability:: Other Vulnerability Type
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2025-68016

Plugin:: Filr � Secure document library
Plugin Slug:: filr-protection
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.12
Severity Score:: Medium
CVE:: 2025-14632

Plugin:: Broadstreet
Plugin Slug:: broadstreet
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 1.52.2
Severity Score:: High
CVE:: 2025-69311

Plugin:: My auctions allegro
Plugin Slug:: my-auctions-allegro-free-edition
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.33
Severity Score:: High
CVE:: 2025-67943

Plugin:: Spin Wheel � Interactive spinning wheel that offers coupons
Plugin Slug:: spin-wheel
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2026-0808

Plugin:: g-FFL Checkout
Plugin Slug:: g-ffl-checkout
Installations: 500+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.1.1
Severity Score:: Critical
CVE:: 2025-68001

Plugin:: User Registration Using Contact Form 7
Plugin Slug:: user-registration-using-contact-form-7
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.6
Severity Score:: Medium
CVE:: 2025-12825

Plugin:: RepairBuddy � Repair Shop CRM & Booking Plugin for WordPress
Plugin Slug:: computer-repair-shop
Installations: 400+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.1121
Severity Score:: Medium
CVE:: 2026-0820

Plugin:: PeachPay � Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net)
Plugin Slug:: peachpay-for-woocommerce
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 1.119.9
Severity Score:: Medium
CVE:: 2025-14978

Plugin:: Phrase TMS Integration for WordPress
Plugin Slug:: memsource-connector
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.6
Severity Score:: Medium
CVE:: 2025-12168

Plugin:: Thim Blocks
Plugin Slug:: thim-blocks
Installations: 300+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.0.2
Severity Score:: Medium
CVE:: 2025-13725

Plugin:: PAYGENT for WooCommerce
Plugin Slug:: woocommerce-for-paygent-payment-main
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.7
Severity Score:: Medium
CVE:: 2025-14078

Plugin:: Integrate Dynamics 365 CRM
Plugin Slug:: integrate-dynamics-365-crm
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.2
Severity Score:: Medium
CVE:: 2026-0725

Plugin:: Community Events
Plugin Slug:: community-events
Installations: 30+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.7
Severity Score:: Medium
CVE:: 2025-14029

Plugin:: CP Image Store with Slideshow
Plugin Slug:: cp-image-store
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2026-0684

Plugin:: YouTube Feed Pro
Plugin Slug:: youtube-feed-pro
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.6.1
Severity Score:: High
CVE:: 2025-12002

WordPress Themes � 5 Patched / 38 Unpatched

Theme:: Blogistic
Theme Slug:: blogistic
Downloads: 6,185
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68909

Theme:: Blogzee
Theme Slug:: blogzee
Downloads: 6,598
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68910

Theme:: Solace
Theme Slug:: solace
Downloads: 45,016
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68911

Theme:: Anon
Theme Slug:: anon2x
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67620

Theme:: Anona
Theme Slug:: anona
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68903

Theme:: Anona
Theme Slug:: anona
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68902

Theme:: Anona
Theme Slug:: anona
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68901

Theme:: Auto Repair
Theme Slug:: auto-repair
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22328

Theme:: AutoParts
Theme Slug:: autoparts
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22331

Theme:: Bajaar – Highly Customizable WooCommerce WordPress Theme
Theme Slug:: bajaar
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69004

Theme:: Barberry
Theme Slug:: barberry
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68908

Theme:: Brookside
Theme Slug:: brookside
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67618

Theme:: Consult Aid
Theme Slug:: consultaid
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-67617

Theme:: Dreamer Blog
Theme Slug:: dreamer-blog
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10915

Theme:: Drone
Theme Slug:: drone
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49249

Theme:: Electron
Theme Slug:: electron
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5805

Theme:: Hostme v2
Theme Slug:: hostmev2
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68907

Theme:: Kids Heaven
Theme Slug:: kids-world
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67619

Theme:: Melania
Theme Slug:: melania
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22324

Theme:: Mella
Theme Slug:: mella
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67616

Theme:: Miion
Theme Slug:: miion
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68986

Theme:: Miion
Theme Slug:: miion
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68913

Theme:: Myour
Theme Slug:: myour
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67615

Theme:: North
Theme Slug:: north-wp
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69100

Theme:: North
Theme Slug:: north-wp
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69099

Theme:: OneLife
Theme Slug:: onelife
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69002

Theme:: Promo
Theme Slug:: promo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22325

Theme:: KenthaRadio
Theme Slug:: qt-kentharadio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69003

Theme:: Reprizo
Theme Slug:: reprizo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22326

Theme:: Restaurt
Theme Slug:: restaurt
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-22327

Theme:: Right Way
Theme Slug:: rightway
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22330

Theme:: Search & Go
Theme Slug:: search-and-go
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69005

Theme:: Skillate
Theme Slug:: skillate
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22329

Theme:: TheNa
Theme Slug:: thena
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67614

Theme:: Vivagh
Theme Slug:: vivagh
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68899

Theme:: xSmart
Theme Slug:: xsmart
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-54002

Theme:: xSmart
Theme Slug:: xsmart
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-50007

Theme:: xSmart
Theme Slug:: xsmart
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-50006

Theme:: Biagiotti
Theme Slug:: biagiotti
Vulnerability:: Local File Inclusion
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2025-67938

Theme:: Kalium
Theme Slug:: kalium
Vulnerability:: Broken Access Control
Patched in Version:: 3.30
Severity Score:: Medium
CVE:: 2025-12895

Theme:: Powerlift
Theme Slug:: powerlift
Vulnerability:: Local File Inclusion
Patched in Version:: 3.2.1
Severity Score:: High
CVE:: 2025-67940

Theme:: The Aisle
Theme Slug:: theaisle
Vulnerability:: Local File Inclusion
Patched in Version:: 2.9.1
Severity Score:: High
CVE:: 2025-67941

Theme:: Werkstatt
Theme Slug:: werkstatt
Vulnerability:: Local File Inclusion
Patched in Version:: 4.8.3
Severity Score:: High
CVE:: 2025-69314