Nexcess.com Servers.com LiquidWeb.com

Line illustration showing a black application window on a dark orange to black gradient background overlaid with a large exclamation point alert icon and three bugs.

WordPress Vulnerability Report � May 14, 2025

[email protected]

In this report, 234 vulnerabilities have been publicly disclosed. Security patches for 142 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 92 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.1 has been released! This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

Plus, WordCamp Europe 2025 lands in Basel, Switzerland, June 5-7! Connect with WordPress enthusiasts, developers, and pros for three days of learning, networking, and collaboration with the global community.

WordPress Plugins � 138 Patched / 92 Unpatched

Plugin:: Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47691

Plugin:: Inline Related Posts
Plugin Slug:: intelly-related-posts
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47604

Plugin:: List category posts
Plugin Slug:: list-category-posts
Installations: 90,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47636

Plugin:: WP Maintenance
Plugin Slug:: wp-maintenance
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47683

Plugin:: WordPress Infinite Scroll � Ajax Load More
Plugin Slug:: ajax-load-more
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47630

Plugin:: Photo Gallery � GT3 Image Gallery & Gutenberg Block Gallery
Plugin Slug:: gt3-photo-video-gallery
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47677

Plugin:: User Login History
Plugin Slug:: user-login-history
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47676

Plugin:: Easy PayPal & Stripe Buy Now Button
Plugin Slug:: wp-ecommerce-paypal
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47623

Plugin:: Spiraclethemes Site Library
Plugin Slug:: spiraclethemes-site-library
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47656

Plugin:: WPBakery Visual Composer WHMCS Elements
Plugin Slug:: void-visual-whmcs-element
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47659

Plugin:: WP-Recall � Registration, Profile, Commerce & More
Plugin Slug:: wp-recall
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47653

Plugin:: aBlocks � WordPress Gutenberg Blocks
Plugin Slug:: ablocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47616

Plugin:: Web Accessibility with Max Access
Plugin Slug:: accessibility-toolbar
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47681

Plugin:: Amazon Product in a Post Plugin
Plugin Slug:: amazon-product-in-a-post-plugin
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47615

Plugin:: Awin � Advertiser Tracking for WooCommerce
Plugin Slug:: awin-advertiser-tracking
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47633

Plugin:: belingoGeo
Plugin Slug:: belingogeo
Installations: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47603

Plugin:: BMI Adult & Kid Calculator
Plugin Slug:: bmi-adultkid-calculator
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47618

Plugin:: CBX Map for Google Map & OpenStreetMap
Plugin Slug:: cbxgooglemap
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47669

Plugin:: ContentStudio
Plugin Slug:: contentstudio
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47692

Plugin:: Contribuinte Checkout
Plugin Slug:: contribuinte-checkout
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47685

Plugin:: DoFollow Case by Case
Plugin Slug:: dofollow-case-by-case
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47625

Plugin:: DoFollow Case by Case
Plugin Slug:: dofollow-case-by-case
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47624

Plugin:: Ebook Store
Plugin Slug:: ebook-store
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47589

Plugin:: Email Notification on Login
Plugin Slug:: email-notification-on-login
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47622

Plugin:: ????? ?? ???? � ???? ?? ????
Plugin Slug:: pgall-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47661

Plugin:: RS WP Book Showcase � A Complete Book Catalogue & Library System
Plugin Slug:: rs-wp-books-showcase
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47679

Plugin:: Sidebar Manager Light
Plugin Slug:: sidebar-manager-light
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47647

Plugin:: Smaily for WP
Plugin Slug:: smaily-for-wp
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47684

Plugin:: Woobox
Plugin Slug:: woobox
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47675

Plugin:: Woobox
Plugin Slug:: woobox
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47662

Plugin:: WordPress CRM Plugin � WP-CRM System
Plugin Slug:: wp-crm-system
Installations: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47629

Plugin:: WordPress Webinar Plugin � WebinarPress
Plugin Slug:: wp-webinarsystem
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47635

Plugin:: WPSpeed
Plugin Slug:: wpspeed
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47590

Plugin:: xili-tidy-tags
Plugin Slug:: xili-tidy-tags
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47680

Plugin:: Bulk Featured Image
Plugin Slug:: bulk-featured-image
Installations: 900+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47591

Plugin:: Open Close WooCommerce Store � Best Business Schedules Manager
Plugin Slug:: woc-open-close
Installations: 900+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47649

Plugin:: Really Simple Under Construction Page
Plugin Slug:: really-simple-under-construction
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47593

Plugin:: WP jQuery DataTable
Plugin Slug:: wp-jquery-datatable
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47605

Plugin:: Beacon Lead Magnets and Lead Capture
Plugin Slug:: beacon-by
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47596

Plugin:: Submission DOM tracking for Contact Form 7
Plugin Slug:: cf7-submission-dom-tracking
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47626

Plugin:: ClickWhale � Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages
Plugin Slug:: clickwhale
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47612

Plugin:: Color Your Bar
Plugin Slug:: color-your-bar
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47595

Plugin:: CookieCode
Plugin Slug:: cookiecode
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47668

Plugin:: EasyMe Connect
Plugin Slug:: easyme-connect
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47609

Plugin:: Simple Giveaways � Grow your business, email lists and traffic with contests
Plugin Slug:: giveasap
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47606

Plugin:: LiveAgent � Omnichannel Help Desk & Live Chat Software
Plugin Slug:: liveagent
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47667

Plugin:: N360 | Splash Screen
Plugin Slug:: n360-splash-screen
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47665

Plugin:: Show All Comments
Plugin Slug:: show-all-comments-in-one-page
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47607

Plugin:: Legal Terms and Conditions Popup for User Login and WooCommerce Checkout � TPUL
Plugin Slug:: terms-popup-on-user-login
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47592

Plugin:: WP Discord Invite
Plugin Slug:: wp-discord-invite
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47638

Plugin:: WP Pipes
Plugin Slug:: wp-pipes
Installations: 600+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47664

Plugin:: DELUCKS SEO
Plugin Slug:: delucks-seo
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47686

Plugin:: Lead Form Data Collection to CRM
Plugin Slug:: wp-leads-builder-any-crm
Installations: 500+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47690

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 400+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47658

Plugin:: FunnelCockpit
Plugin Slug:: funnelcockpit
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47678

Plugin:: theMarketer � Email marketing, Newsletters, Automation & Loyalty for Woocommerce
Plugin Slug:: themarketer
Installations: 400+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47655

Plugin:: Ajar in5 Embed
Plugin Slug:: ajar-productions-in5-embed
Installations: 300+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47642

Plugin:: Pays � WooCommerce Payment Gateway
Plugin Slug:: axima-payment-gateway
Installations: 300+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47648

Plugin:: Integrations of Zoho CRM with Elementor form
Plugin Slug:: integrations-of-zoho-crm-with-elementor-form
Installations: 300+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47644

Plugin:: Guest posting / Frontend Posting / Front Editor � WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47617

Plugin:: Martins Free Monetized Ad Exchange Network � Get more website visitors
Plugin Slug:: martins-free-and-easy-ad-network-get-more-visitors
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47620

Plugin:: Calculate Prices based on Distance For WooCommerce
Plugin Slug:: calculate-prices-based-on-distance-for-woocommerce
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47602

Plugin:: Credova Financial
Plugin Slug:: credova-financial
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47674

Plugin:: Soccer Live Scores
Plugin Slug:: soccer-live-scores
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47594

Plugin:: PSW Front-end Login & Registration
Plugin Slug:: psw-login-and-registration
Installations: 90+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47646

Plugin:: WP Podcasts Manager
Plugin Slug:: wp-podcasts-manager
Installations: 80+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47597

Plugin:: Supertext Translation and Proofreading
Plugin Slug:: polylang-supertext
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47639

Plugin:: Productive Commerce � WooCommerce Wishlist, Compare, Quick View, & MiniCart
Plugin Slug:: productive-commerce
Installations: 50+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47657

Plugin:: StoreKeeper for WooCommerce
Plugin Slug:: storekeeper-for-woocommerce
Installations: 50+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47687

Plugin:: CarDealerPress
Plugin Slug:: cardealerpress
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3860

Plugin:: ELEX Product Feed for WooCommerce
Plugin Slug:: elex-product-feed
Installations: 30+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47643

Plugin:: BNS Twitter Follow Button
Plugin Slug:: bns-twitter-follow-button
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47578

Plugin:: 1 Click WordPress Migration
Plugin Slug:: 1-click-migration
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-3455

Plugin:: AHAthat
Plugin Slug:: ahathat
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4337

Plugin:: Awesome Gallery
Plugin Slug:: awesome-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47632

Plugin:: External image replace
Plugin Slug:: external-image-replace
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4279

Plugin:: Frontend Login and Registration Blocks
Plugin Slug:: frontend-login-and-registration-blocks
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-3605

Plugin:: LayoutBoxx
Plugin Slug:: layoutboxx
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-2802

Plugin:: LessButtons Social Sharing and Statistics
Plugin Slug:: lessbuttons
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47614

Plugin:: Multiple Post Type Order
Plugin Slug:: multiple-post-type-order
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4055

Plugin:: PeproDev Ultimate Profile Solutions
Plugin Slug:: peprodev-ups
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-3921

Plugin:: PeproDev Ultimate Profile Solutions
Plugin Slug:: peprodev-ups
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3924

Plugin:: PeproDev Ultimate Profile Solutions
Plugin Slug:: peprodev-ups
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-3844

Plugin:: QS Dark Mode
Plugin Slug:: qs-dark-mode
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47628

Plugin:: Reales WP STPT
Plugin Slug:: short-tax-post
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3609

Plugin:: Reales WP STPT
Plugin Slug:: short-tax-post
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-3610

Plugin:: WP SmartPay
Plugin Slug:: smartpay
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3851

Plugin:: Woocommerce Multiple Addresses
Plugin Slug:: woocommerce-multiple-addresses
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4335

Plugin:: WordPress Review Plugin
Plugin Slug:: wp-review
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-2158

Plugin:: WP shop
Plugin Slug:: wpshop
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-3852

Plugin:: WP shop
Plugin Slug:: wpshop
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3853

Plugin:: Xavin’s List Subpages
Plugin Slug:: xavins-list-subpages
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4220

Plugin:: LiteSpeed Cache
Plugin Slug:: litespeed-cache
Installations: 7,000,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 7.1
Severity Score:: Medium
CVE:: 2025-47437

Plugin:: WPForms � Easy Form Builder for WordPress � Contact Forms, Payment Forms, Surveys, & More
Plugin Slug:: wpforms-lite
Installations: 6,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.5.1
Severity Score:: Medium
CVE:: 2025-3794

Plugin:: Website Builder by SeedProd � Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Plugin Slug:: coming-soon
Installations: 800,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.18.16
Severity Score:: Medium
CVE:: 2025-3949

Plugin:: MailPoet � Newsletters, Email Marketing, and Automation
Plugin Slug:: mailpoet
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.2
Severity Score:: Medium
CVE:: 2024-12743

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1018
Severity Score:: Medium
CVE:: 2025-39361

Plugin:: Jeg Elementor Kit
Plugin Slug:: jeg-elementor-kit
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.13
Severity Score:: Medium
CVE:: 2025-2944

Plugin:: Newsletter � Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.7.1
Severity Score:: Medium
CVE:: 2025-3583

Plugin:: Firelight Lightbox
Plugin Slug:: easy-fancybox
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.15
Severity Score:: Medium
CVE:: 2025-3597

Plugin:: Advanced File Manager � Ultimate WordPress File Manager and Document Library Plugin
Plugin Slug:: file-manager-advanced
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.2
Severity Score:: Medium
CVE:: 2025-47688

Plugin:: Popup and Slider Builder by Depicter � Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel
Plugin Slug:: depicter
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.2
Severity Score:: Critical
CVE:: 2025-2011

Plugin:: Login Lockdown & Protection
Plugin Slug:: login-lockdown
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.12
Severity Score:: Medium
CVE:: 2025-3766

Plugin:: Relevanssi � A Better Search
Plugin Slug:: relevanssi
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.24.5
Severity Score:: High
CVE:: 2025-4396

Plugin:: Relevanssi � A Better Search
Plugin Slug:: relevanssi
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.24.4
Severity Score:: High
CVE:: 2025-4054

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.0.23
Severity Score:: High
CVE:: 2025-47439

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.12
Severity Score:: Medium
CVE:: 2025-47475

Plugin:: Contextual Related Posts
Plugin Slug:: contextual-related-posts
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.3
Severity Score:: Medium
CVE:: 2025-47506

Plugin:: User Registration & Membership � Custom Registration Form, Login Form, and User Profile
Plugin Slug:: user-registration
Installations: 70,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2025-3281

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.1
Severity Score:: Medium
CVE:: 2025-47525

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.3
Severity Score:: Medium
CVE:: 2025-47488

Plugin:: Ultimate Blocks � WordPress Blocks Plugin
Plugin Slug:: ultimate-blocks
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-47493

Plugin:: Content Control � The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More
Plugin Slug:: content-control
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.2
Severity Score:: Medium
CVE:: 2025-47501

Plugin:: Ditty � Responsive News Tickers, Sliders, and Lists
Plugin Slug:: ditty-news-ticker
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.52
Severity Score:: Medium
CVE:: 2024-13357

Plugin:: Photo Gallery, Images, Slider in Rbs Image Gallery
Plugin Slug:: robo-gallery
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.3
Severity Score:: Medium
CVE:: 2025-47521

Plugin:: LightPress Lightbox
Plugin Slug:: wp-jquery-lightbox
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.4
Severity Score:: Medium
CVE:: 2025-3649

Plugin:: Envo Extra
Plugin Slug:: envo-extra
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.10
Severity Score:: Medium
CVE:: 2025-47471

Plugin:: WP SEO Structured Data Schema
Plugin Slug:: wp-seo-structured-data-schema
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.0
Severity Score:: Medium
CVE:: 2025-4127

Plugin:: Ultimate Before After Image Slider & Gallery � BEAF
Plugin Slug:: beaf-before-and-after-gallery
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.6.11
Severity Score:: Critical
CVE:: 2025-47549

Plugin:: Accept Donations with PayPal & Stripe
Plugin Slug:: easy-paypal-donation
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2025-47517

Plugin:: Meks Flexible Shortcodes
Plugin Slug:: meks-flexible-shortcodes
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2025-47621

Plugin:: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Plugin Slug:: publishpress-authors
Installations: 20,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.7.6
Severity Score:: High
CVE:: 2025-47496

Plugin:: PW WooCommerce Bulk Edit
Plugin Slug:: pw-bulk-edit
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.135
Severity Score:: Medium
CVE:: 2025-47473

Plugin:: Responsive Plus � Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
Plugin Slug:: responsive-add-ons
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.0
Severity Score:: Medium
CVE:: 2025-47486

Plugin:: Top 10 � WordPress Popular posts by WebberZone
Plugin Slug:: top-10
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.1
Severity Score:: Medium
CVE:: 2025-47509

Plugin:: BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites � Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
Plugin Slug:: blockspare
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.10
Severity Score:: Medium
CVE:: 2025-47495

Plugin:: Charitable � Donation Plugin for WordPress � Fundraising with Recurring Donations & More
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.5.2
Severity Score:: Medium
CVE:: 2025-47520

Plugin:: GamiPress � Gamification plugin to reward points, achievements, badges & ranks in WordPress
Plugin Slug:: gamipress
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 7.3.8
Severity Score:: High
CVE:: 2025-47508

Plugin:: AI Power: Complete AI Pack
Plugin Slug:: gpt3-ai-content-generator
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9.15
Severity Score:: Medium
CVE:: 2025-47470

Plugin:: Graphina � Elementor Charts and Graphs
Plugin Slug:: graphina-elementor-charts-and-graphs
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0.5
Severity Score:: High
CVE:: 2025-47533

Plugin:: Graphina � Elementor Charts and Graphs
Plugin Slug:: graphina-elementor-charts-and-graphs
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.5
Severity Score:: Medium
CVE:: 2025-47480

Plugin:: Meow Gallery
Plugin Slug:: meow-gallery
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.8
Severity Score:: Medium
CVE:: 2025-47449

Plugin:: NEX-Forms � Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 8.9.2
Severity Score:: Medium
CVE:: 2025-4208

Plugin:: NEX-Forms � Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.9.2
Severity Score:: Medium
CVE:: 2025-3468

Plugin:: weMail � Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation
Plugin Slug:: wemail
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.14.14
Severity Score:: Medium
CVE:: 2025-47540

Plugin:: Countdown Timer � Widget Countdown
Plugin Slug:: widget-countdown
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.5
Severity Score:: Medium
CVE:: 2025-47443

Plugin:: Event Manager, Events Calendar, Tickets, Registrations � Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 4.0.27
Severity Score:: High
CVE:: 2025-47445

Plugin:: Event Manager, Events Calendar, Tickets, Registrations � Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.0.27
Severity Score:: Critical
CVE:: 2025-47539

Plugin:: YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service
Plugin Slug:: yaysmtp
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.6.5
Severity Score:: High
CVE:: 2025-47587

Plugin:: Contact Form 7 � PayPal & Stripe Add-on
Plugin Slug:: contact-form-7-paypal-add-on
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2025-47518

Plugin:: Cozy Blocks � Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks
Plugin Slug:: cozy-addons
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.23
Severity Score:: Medium
CVE:: 2025-47485

Plugin:: WP Compress � Instant Performance & Speed Optimization
Plugin Slug:: wp-compress-image-optimizer
Installations: 9,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.30.31
Severity Score:: High
CVE:: 2025-47546

Plugin:: WP Hotel Booking
Plugin Slug:: wp-hotel-booking
Installations: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2.0
Severity Score:: Medium
CVE:: 2025-47448

Plugin:: Easiest Funnel Builder For WordPress & WooCommerce, Specialized For Digital Creators � WPFunnels
Plugin Slug:: wpfunnels
Installations: 8,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.5.19
Severity Score:: Critical
CVE:: 2025-47530

Plugin:: Dynamic Pricing With Discount Rules for WooCommerce
Plugin Slug:: aco-woo-dynamic-pricing
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.5.9
Severity Score:: High
CVE:: 2025-47544

Plugin:: Email Marketing, Email Automation, Newsletter & Cart Abandonment for WordPress and WooCommerce � Mail Mint
Plugin Slug:: mail-mint
Installations: 7,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.17.8
Severity Score:: High
CVE:: 2025-47541

Plugin:: Poll Maker � Versus Polls, Anonymous Polls, Image Polls
Plugin Slug:: poll-maker
Installations: 7,000+
Vulnerability:: Race Condition
Patched in Version:: 5.7.8
Severity Score:: Medium
CVE:: 2025-47545

Plugin:: ProfileGrid � User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.9.5.1
Severity Score:: High
CVE:: 2025-47478

Plugin:: Simple File List
Plugin Slug:: simple-file-list
Installations: 7,000+
Vulnerability:: Settings Change
Patched in Version:: 6.1.14
Severity Score:: Medium
CVE:: 2025-47450

Plugin:: TrackShip for WooCommerce
Plugin Slug:: trackship-for-woocommerce
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.9.2
Severity Score:: High
CVE:: 2025-47460

Plugin:: WP Job Portal � A Complete Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 7,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3.2
Severity Score:: High
CVE:: 2025-47438

Plugin:: Better Search � Relevant search results for WordPress
Plugin Slug:: better-search
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.1
Severity Score:: Medium
CVE:: 2025-47507

Plugin:: Drag and Drop Multiple File Upload for WooCommerce
Plugin Slug:: drag-and-drop-multiple-file-upload-for-woocommerce
Installations: 6,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.7
Severity Score:: Critical
CVE:: 2025-4403

Plugin:: EventON � Events Calendar
Plugin Slug:: eventon-lite
Installations: 6,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.4.2
Severity Score:: High
CVE:: 2025-47494

Plugin:: Hotel Booking
Plugin Slug:: nd-booking
Installations: 5,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.7
Severity Score:: High
CVE:: 2025-47498

Plugin:: Simple Blog Stats
Plugin Slug:: simple-blog-stats
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 20250423
Severity Score:: Medium
CVE:: 2025-47499

Plugin:: SMS Alert Order Notifications � WooCommerce
Plugin Slug:: sms-alert
Installations: 5,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.8.2
Severity Score:: High
CVE:: 2025-3876

Plugin:: SMS Alert Order Notifications � WooCommerce
Plugin Slug:: sms-alert
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.2
Severity Score:: Medium
CVE:: 2025-3878

Plugin:: SMS Alert Order Notifications � WooCommerce
Plugin Slug:: sms-alert
Installations: 5,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.8.2
Severity Score:: Critical
CVE:: 2025-47682

Plugin:: WPAdverts � Classifieds Plugin
Plugin Slug:: wpadverts
Installations: 5,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2.3
Severity Score:: High
CVE:: 2025-47440

Plugin:: Ovation Elements
Plugin Slug:: ovation-elements
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2025-47528

Plugin:: Hash Form � Drag & Drop Form Builder
Plugin Slug:: hash-form
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.9
Severity Score:: Medium
CVE:: 2025-47468

Plugin:: Media Hygiene: Remove or Delete Unused Images and More!
Plugin Slug:: media-hygiene
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2025-47469

Plugin:: Mollie Forms
Plugin Slug:: mollie-forms
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.13
Severity Score:: Medium
CVE:: 2025-47502

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.9.9
Severity Score:: High
CVE:: 2025-3107

Plugin:: Solace Extra
Plugin Slug:: solace-extra
Installations: 3,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2025-47464

Plugin:: Challan � PDF Invoice & Packing Slip for WooCommerce
Plugin Slug:: webappick-pdf-invoice-for-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.7.59
Severity Score:: High
CVE:: 2025-47462

Plugin:: Display Eventbrite Events
Plugin Slug:: widget-for-eventbrite-api
Installations: 3,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 6.3
Severity Score:: High
CVE:: 2025-47510

Plugin:: Beds24 Online Booking
Plugin Slug:: beds24-online-booking
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.30
Severity Score:: Medium
CVE:: 2025-47489

Plugin:: CoinPayments.net Payment Gateway for WooCommerce
Plugin Slug:: coinpayments-payment-gateway-for-woocommerce
Installations: 2,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.0.18
Severity Score:: Critical
CVE:: 2025-47532

Plugin:: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner � Groundhogg
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 4.1.2
Severity Score:: Medium
CVE:: 2025-4206

Plugin:: A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials
Plugin Slug:: gs-testimonial
Installations: 2,000+
Vulnerability:: Content Injection
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-47481

Plugin:: A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials
Plugin Slug:: gs-testimonial
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2025-47467

Plugin:: SendPulse Email Marketing Newsletter
Plugin Slug:: sendpulse-email-marketing-newsletter
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.7
Severity Score:: Medium
CVE:: 2025-47547

Plugin:: SKT Skill Bar
Plugin Slug:: skt-skill-bar
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5
Severity Score:: Medium
CVE:: 2025-47482

Plugin:: CC BMI Calculator
Plugin Slug:: cc-bmi-calculator
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2025-47442

Plugin:: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery � Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 26.0.7
Severity Score:: Medium
CVE:: 2025-3862

Plugin:: Easy PayPal Events & Tickets
Plugin Slug:: easy-paypal-events-tickets
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2025-47519

Plugin:: Logo Showcase
Plugin Slug:: logo-showcase
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.5
Severity Score:: Medium
CVE:: 2025-47497

Plugin:: Music Player for WooCommerce
Plugin Slug:: music-player-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.0
Severity Score:: Medium
CVE:: 2025-47472

Plugin:: Contact Form Widget � Contact Query, Contact Page, Form Maker, Query Table
Plugin Slug:: new-contact-form-widget
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.4.7
Severity Score:: High
CVE:: 2025-47491

Plugin:: Progress Bar
Plugin Slug:: progress-bar
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.4
Severity Score:: Medium
CVE:: 2025-47441

Plugin:: Ultimate WP Mail
Plugin Slug:: ultimate-wp-mail
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.5
Severity Score:: High
CVE:: 2025-47490

Plugin:: Ultimate WP Mail
Plugin Slug:: ultimate-wp-mail
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2025-47466

Plugin:: FundEngine � Donation and Crowdfunding Platform
Plugin Slug:: wp-fundraising-donation
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.7.4
Severity Score:: Medium
CVE:: 2025-47459

Plugin:: XT Event Widget for Social Events
Plugin Slug:: xt-facebook-events
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.8
Severity Score:: High
CVE:: 2025-47531

Plugin:: Display Remote Posts Block
Plugin Slug:: display-remote-posts-block
Installations: 800+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-47484

Plugin:: AWEOS WP Lock
Plugin Slug:: aweos-wp-lock
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.9
Severity Score:: Medium
CVE:: 2025-47522

Plugin:: Frontend Dashboard
Plugin Slug:: frontend-dashboard
Installations: 700+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.2.8
Severity Score:: High
CVE:: 2025-4474

Plugin:: Frontend Dashboard
Plugin Slug:: frontend-dashboard
Installations: 700+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.2.7
Severity Score:: Critical
CVE:: 2025-4104

Plugin:: Instantio � WooCommerce Quick Checkout | Direct Checkout, Floating Cart, Side Cart & Popup Cart
Plugin Slug:: instantio
Installations: 700+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.17
Severity Score:: Medium
CVE:: 2025-47550

Plugin:: Quran multilanguage Text & Audio
Plugin Slug:: quran-text-multilanguage
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.24
Severity Score:: Medium
CVE:: 2025-47524

Plugin:: Seznam Webmaster
Plugin Slug:: seznam-webmaster
Installations: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.4.8
Severity Score:: Medium
CVE:: 2025-47523

Plugin:: WP DPE-GES
Plugin Slug:: wp-dpe-ges
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2025-47515

Plugin:: Custom Checkout Fields for WooCommerce
Plugin Slug:: custom-checkout-fields-for-woocommerce
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.0
Severity Score:: Medium
CVE:: 2025-47504

Plugin:: Cool Author Box � For Widget and Post Content
Plugin Slug:: hm-cool-author-box-widget
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0.1
Severity Score:: Medium
CVE:: 2025-47447

Plugin:: Listamester
Plugin Slug:: listamester
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.3.7
Severity Score:: Medium
CVE:: 2025-47446

Plugin:: Time Clock � A WordPress Employee & Volunteer Time Clock Plugin
Plugin Slug:: time-clock
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2025-47516

Plugin:: Easy Replace Image
Plugin Slug:: easy-replace-image
Installations: 500+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.5.1
Severity Score:: Medium
CVE:: 2025-47483

Plugin:: NGG Smart Image Search
Plugin Slug:: ngg-smart-image-search
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2025-47503

Plugin:: Product Time Countdown for WooCommerce
Plugin Slug:: product-countdown-for-woocommerce
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.3
Severity Score:: Medium
CVE:: 2025-47505

Plugin:: TrueBooker � Appointment Booking and Scheduler Plugin.
Plugin Slug:: truebooker-appointment-booking
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.8
Severity Score:: Medium
CVE:: 2025-47543

Plugin:: Simple calendar for Elementor
Plugin Slug:: simple-calendar-for-elementor
Installations: 400+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2025-47542

Plugin:: WZ Followed Posts � Display what visitors are reading
Plugin Slug:: where-did-they-go-from-here
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium
CVE:: 2025-4171

Plugin:: WP Gravity Forms Dynamics CRM
Plugin Slug:: gf-dynamics-crm
Installations: 300+
Vulnerability:: Open Redirection
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2025-47454

Plugin:: Subaccounts for WooCommerce
Plugin Slug:: subaccounts-for-woocommerce
Installations: 300+
Vulnerability:: Broken Authentication
Patched in Version:: 1.6.7
Severity Score:: High
CVE:: 2025-47461

Plugin:: Wbcom Designs � Activity Link Preview For BuddyPress
Plugin Slug:: activity-link-preview-for-buddypress
Installations: 200+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.6.0
Severity Score:: Medium
CVE:: 2025-47548

Plugin:: B2i Investor Tools
Plugin Slug:: b2i-investor-tools
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.8
Severity Score:: High
CVE:: 2025-47458

Plugin:: Cart tracking for WooCommerce
Plugin Slug:: cart-tracking-for-woocommerce
Installations: 200+
Vulnerability:: SQL Injection
Patched in Version:: 1.0.18
Severity Score:: High
CVE:: 2025-47538

Plugin:: EUCookieLaw
Plugin Slug:: eucookielaw
Installations: 200+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.7.3
Severity Score:: High
CVE:: 2025-3897

Plugin:: WP Gravity Forms Zendesk
Plugin Slug:: gf-zendesk
Installations: 200+
Vulnerability:: Open Redirection
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2025-47456

Plugin:: LocateAndFilter
Plugin Slug:: locateandfilter
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.17
Severity Score:: Medium
CVE:: 2025-47457

Plugin:: Product Quantity Dropdown For Woocommerce
Plugin Slug:: product-quantity-dropdown-for-woocommerce
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2025-47451

Plugin:: EZ Related Posts Footer Links and Widget
Plugin Slug:: spostarbust
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.04.25
Severity Score:: High
CVE:: 2025-47514

Plugin:: Integration for WooCommerce and Salesforce
Plugin Slug:: woo-salesforce-plugin-crm-perks
Installations: 200+
Vulnerability:: Open Redirection
Patched in Version:: 1.7.6
Severity Score:: Medium
CVE:: 2025-47455

Plugin:: Cision Block
Plugin Slug:: cision-block
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.0
Severity Score:: Medium
CVE:: 2025-3782

Plugin:: PDF for WooCommerce � ALL in One + Drag And Drop Template Builder
Plugin Slug:: pdf-for-woocommerce
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: 5.4.0
Severity Score:: High
CVE:: 2025-47537

Plugin:: Wiki Embed
Plugin Slug:: wiki-embed
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.4.7
Severity Score:: Medium
CVE:: 2025-47551

Plugin:: GS Variation Swatches for WooCommerce
Plugin Slug:: gs-woo-variation-swatches
Installations: 50+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.5
Severity Score:: Medium
CVE:: 2025-47526

Plugin:: WPBookit
Plugin Slug:: wpbookit
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.3
Severity Score:: Critical
CVE:: 2025-3810

Plugin:: BuddyPress Platform Pro
Plugin Slug:: buddyboss-platform-pro
Vulnerability:: Broken Authentication
Patched in Version:: 2.7.10
Severity Score:: Critical
CVE:: 2025-1909

Plugin:: Cost Calculator for Elementor
Plugin Slug:: cost-calculator-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.4
Severity Score:: Medium
CVE:: 2025-47476

Plugin:: Envolve Plugin
Plugin Slug:: envolve-plugin
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.0
Severity Score:: Critical
CVE:: 2024-11617

Plugin:: Envolve Plugin
Plugin Slug:: envolve-plugin
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.0
Severity Score:: Medium
CVE:: 2024-11615

Plugin:: IMITHEMES Listing
Plugin Slug:: imithemes-listing
Vulnerability:: Privilege Escalation
Patched in Version:: 3.4
Severity Score:: Critical
CVE:: 2025-2253

Plugin:: Opal Woo Custom Product Variation
Plugin Slug:: opal-woo-custom-product-variation
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.2.1
Severity Score:: High
CVE:: 2025-47535

Plugin:: PGS Core
Plugin Slug:: pgs-core
Vulnerability:: PHP Object Injection
Patched in Version:: 5.9.0
Severity Score:: Critical
CVE:: 2025-0855

Plugin:: PGS Core
Plugin Slug:: pgs-core
Vulnerability:: SQL Injection
Patched in Version:: 5.9.0
Severity Score:: Critical
CVE:: 2025-0853

Plugin:: PGS Core
Plugin Slug:: pgs-core
Vulnerability:: Broken Access Control
Patched in Version:: 5.9.0
Severity Score:: High
CVE:: 2025-0856

Plugin:: Relevanssi Premium
Plugin Slug:: relevanssi-premium
Vulnerability:: SQL Injection
Patched in Version:: 2.27.5
Severity Score:: High
CVE:: 2025-4396

WordPress Themes � 4 Patched / 0 Unpatched

Theme:: Blocksy
Theme Slug:: blocksy
Downloads: 4,484,472
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.98
Severity Score:: Medium
CVE:: 2025-47465

Theme:: TheGem
Theme Slug:: thegem
Vulnerability:: Broken Access Control
Patched in Version:: 5.10.3.1
Severity Score:: Medium
CVE:: 2025-4339

Theme:: TheGem
Theme Slug:: thegem
Vulnerability:: Arbitrary File Upload
Patched in Version:: 5.10.3.1
Severity Score:: High
CVE:: 2025-4317

Theme:: Wolmart
Theme Slug:: wolmart
Vulnerability:: Content Injection
Patched in Version:: 1.8.12
Severity Score:: High
CVE:: 2024-13793