WordPress Vulnerability Report � June 25, 2025

In this report, 177 vulnerabilities have been publicly disclosed. Security patches for 59 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 118 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.1 was released on April 30, 2025. This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

WordPress Plugins � 56 Patched / 105 Unpatched

Plugin:: Zapier for WordPress
Plugin Slug:: zapier
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50010

Plugin:: Auto Upload Images
Plugin Slug:: auto-upload-images
Installations: 30,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49985

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations: 30,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49984

Plugin:: Giveaways and Contests by RafflePress � Get More Website Traffic, Email Subscribers, and Social Followers
Plugin Slug:: rafflepress
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49997

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49996

Plugin:: WP Customer Area
Plugin Slug:: customer-area
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49982

Plugin:: Job Postings
Plugin Slug:: job-postings
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50050

Plugin:: User Roles and Capabilities
Plugin Slug:: user-roles-and-capabilities
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49981

Plugin:: WP User Profile Avatar
Plugin Slug:: wp-user-profile-avatar
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49980

Plugin:: Cookie-Script.com
Plugin Slug:: cookie-script-com
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49993

Plugin:: Download Attachments
Plugin Slug:: download-attachments
Installations: 9,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49995

Plugin:: Media Hygiene: Remove or Delete Unused Images and More!
Plugin Slug:: media-hygiene
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49979

Plugin:: Automatically Hierarchic Categories in Menu
Plugin Slug:: automatically-hierarchic-categories-in-menu
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50048

Plugin:: App Builder � Create Native Android & iOS Apps On The Flight
Plugin Slug:: app-builder
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49989

Plugin:: ContentStudio
Plugin Slug:: contentstudio
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49990

Plugin:: Notifier � Send Notifications from Woocommerce, Form Plugins and More!
Plugin Slug:: notifier
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49976

Plugin:: WP Inventory Manager
Plugin Slug:: wp-inventory-manager
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49977

Plugin:: WPThumb
Plugin Slug:: wp-thumb
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49983

Plugin:: Football Pool
Plugin Slug:: football-pool
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5490

Plugin:: ATP Call Now
Plugin Slug:: atp-call-now
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50024

Plugin:: Better Random Redirect
Plugin Slug:: better-random-redirect
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50021

Plugin:: CodePen Embed Block
Plugin Slug:: codepen-embed-block
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50023

Plugin:: RDFa Breadcrumb
Plugin Slug:: rdfa-breadcrumb
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50020

Plugin:: Real Estate Manager � Property Listing and Agent Management
Plugin Slug:: real-estate-manager
Installations: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50044

Plugin:: Real Estate Manager � Property Listing and Agent Management
Plugin Slug:: real-estate-manager
Installations: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52825

Plugin:: Simple Sticky Footer
Plugin Slug:: simple-sticky-footer
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50019

Plugin:: Spoki � Chat Buttons and WooCommerce Notifications
Plugin Slug:: spoki
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50026

Plugin:: Tealium
Plugin Slug:: tealium
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50018

Plugin:: WP Social AutoConnect
Plugin Slug:: wp-fb-autoconnect
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50022

Plugin:: Polls CP
Plugin Slug:: cp-polls
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50025

Plugin:: Code Engine
Plugin Slug:: code-engine
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50043

Plugin:: FormLift for Infusionsoft Web Forms
Plugin Slug:: formlift
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47654

Plugin:: Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes
Plugin Slug:: image-sizes-controller
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49973

Plugin:: Trusty Whistleblowing Solution
Plugin Slug:: trusty-whistleblowing-solution
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52818

Plugin:: UpStream: a Project Management Plugin for WordPress
Plugin Slug:: upstream
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49974

Plugin:: Gutenberg Blocks � ACF Blocks Suite
Plugin Slug:: acf-blocks
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50041

Plugin:: Anant Addons for Elementor
Plugin Slug:: anant-addons-for-elementor
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50038

Plugin:: Hand Talk
Plugin Slug:: handtalk
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50015

Plugin:: PDPA Consent for Thailand
Plugin Slug:: pdpa-consent
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50014

Plugin:: WP Register Profile With Shortcode
Plugin Slug:: wp-register-profile-with-shortcode
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50042

Plugin:: WP Voting Contest Lite
Plugin Slug:: wp-voting-contest
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50017

Plugin:: Contact Form 7 AWeber Extension
Plugin Slug:: integrate-contact-form-7-and-aweber
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49988

Plugin:: IP Based Login
Plugin Slug:: ip-based-login
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50016

Plugin:: Buying Buddy IDX CRM � Real Estate MLS Plugin
Plugin Slug:: buying-buddy-idx-crm
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50037

Plugin:: Content No Cache | Serve uncached partial content even when you add it to a page that is fully cached.
Plugin Slug:: content-no-cache
Installations: 300+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28993

Plugin:: WooCommerce Manager � Customize and Control Cart page, Add to Cart button, Checkout fields easily
Plugin Slug:: innovs-woo-manager
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50008

Plugin:: TM Replace Howdy
Plugin Slug:: tm-replace-howdy
Installations: 300+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49972

Plugin:: WooCommerce Fortnox Integration
Plugin Slug:: woocommerce-fortnox-integration
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49998

Plugin:: WP Roadmap � Product Feedback Board
Plugin Slug:: wp-roadmap
Installations: 300+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52822

Plugin:: Abandoned Contact Form 7
Plugin Slug:: abandoned-contact-form-7
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52817

Plugin:: Lewe ChordPress � ChordPro Text Formatter
Plugin Slug:: chordpress
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52789

Plugin:: CSV Importer Improved
Plugin Slug:: csv-importer-improved
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50013

Plugin:: eDS Responsive Menu
Plugin Slug:: eds-responsive-menu
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49971

Plugin:: Esselink.nu Settings
Plugin Slug:: esselinknu-settings
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52793

Plugin:: Guest posting / Frontend Posting / Front Editor � WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52795

Plugin:: Fyrebox Quizzes
Plugin Slug:: fyrebox-shortcode
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50035

Plugin:: Knowledge Base � Knowledge Base Maker
Plugin Slug:: knowledge-base-maker
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52791

Plugin:: Creative Contact Form
Plugin Slug:: sexy-contact-form
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52794

Plugin:: WP-DownloadCounter
Plugin Slug:: wp-downloadcounter
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52790

Plugin:: Mailing Group Listserv
Plugin Slug:: wp-mailing-group
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50036

Plugin:: Bluff Post
Plugin Slug:: bluff-post
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52784

Plugin:: CRM ERP Business Solution | freelancers & SME | for WordPress & WooCommerce
Plugin Slug:: crm-erp-business-solution
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49987

Plugin:: Enhanced Blocks � Page Builder Blocks for Gutenberg
Plugin Slug:: enhanced-blocks
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50034

Plugin:: Import YouTube videos as WP Posts
Plugin Slug:: import-youtube-videos-as-wp-post
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52802

Plugin:: Inventory Presser � Car Dealer Listings
Plugin Slug:: inventory-presser
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50012

Plugin:: National Weather Service Alerts
Plugin Slug:: national-weather-service-alerts
Installations: 100+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52809

Plugin:: Logo Manager For Samandehi
Plugin Slug:: samandehi-logo-manager
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52780

Plugin:: Scroll UP
Plugin Slug:: scroll-to-up
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52782

Plugin:: TinyNav
Plugin Slug:: tinynav
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52781

Plugin:: Video List Manager
Plugin Slug:: video-list-manager
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49986

Plugin:: Video List Manager
Plugin Slug:: video-list-manager
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52821

Plugin:: Change Cart button Colors WooCommerce
Plugin Slug:: wc-style
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52783

Plugin:: WP User Stylesheet Switcher
Plugin Slug:: wp-user-stylesheet-switcher
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52792

Plugin:: xili-dictionary
Plugin Slug:: xili-dictionary
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52778

Plugin:: Zara 4 Image Compression
Plugin Slug:: zara-4
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49969

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 90+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52774

Plugin:: MDJM Event Management
Plugin Slug:: mobile-dj-manager
Installations: 90+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52824

Plugin:: Photo Express for Google
Plugin Slug:: photo-express-for-google
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-27361

Plugin:: XML Travel Portal Widget
Plugin Slug:: oganro-reservation-widget
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49968

Plugin:: SpecFit-Virtual Try On Woocommerce
Plugin Slug:: try-on-for-woocommerce
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-23973

Plugin:: DirectIQ Email Marketing
Plugin Slug:: directiq-wp
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52829

Plugin:: Live Sports Streamthunder
Plugin Slug:: live-sports-streamthunder
Installations: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49967

Plugin:: Oganro Travel Portal Search Widget for HotelBeds APITUDE API
Plugin Slug:: oganro-travel-portal-search-widget-for-hotelbeds-apitude-api
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49966

Plugin:: PixelBeds Channel Manager and Hotel Booking Engine
Plugin Slug:: pixelbeds-channel-manager-booking-engine
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49965

Plugin:: Backwp
Plugin Slug:: backwp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28956

Plugin:: Bulk YouTube Post Creator
Plugin Slug:: bulk-youtube-post-creator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49423

Plugin:: ClipLink
Plugin Slug:: cliplink
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49964

Plugin:: CSV Me
Plugin Slug:: csv-me
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6086

Plugin:: Evangelische Termine
Plugin Slug:: evangtermine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28960

Plugin:: FastBook
Plugin Slug:: fastbook-responsive-appointment-booking-and-scheduling-system
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25173

Plugin:: Flexo Counter
Plugin Slug:: flexo-countdown
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-50052

Plugin:: Image Shadow
Plugin Slug:: image-shadow
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24765

Plugin:: BRW
Plugin Slug:: ova-brw
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52814

Plugin:: Pixabay Images
Plugin Slug:: pixabay-images
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-4413

Plugin:: Simple Link Directory
Plugin Slug:: qc-simple-link-directory
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32297

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47574

Plugin:: Smart Notification
Plugin Slug:: smio-push-notification
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39478

Plugin:: Virtual Moderator
Plugin Slug:: virtual-moderator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52772

Plugin:: Woocommerce Line Notify
Plugin Slug:: woo-line-notify
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30972

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49978

Plugin:: WP Optimize By xTraffic
Plugin Slug:: wp-optimize-by-xtraffic
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28970

Plugin:: WP-Recall
Plugin Slug:: wp-recall
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49991

Plugin:: WPCRM – CRM for Contact form CF7 & WooCommerce
Plugin Slug:: wpcrm
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24774

Plugin:: Recipes manager � WPH
Plugin Slug:: wph-recipes-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50011

Plugin:: WPKit For Elementor
Plugin Slug:: wpkit-elementor
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-32281

Plugin:: Elementor Website Builder � More Than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.29.1
Severity Score:: Medium
CVE:: 2024-50555

Plugin:: ElementsKit Elementor Addons and Templates
Plugin Slug:: elementskit-lite
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.3
Severity Score:: Medium
CVE:: 2025-4479

Plugin:: Click to Chat � HoliThemes
Plugin Slug:: click-to-chat-for-whatsapp
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.23
Severity Score:: Medium
CVE:: 2025-5336

Plugin:: Slider, Gallery, and Carousel by MetaSlider � Image Slider, Video Slider
Plugin Slug:: ml-slider
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.99.0
Severity Score:: Medium
CVE:: 2025-5337

Plugin:: YITH WooCommerce Wishlist
Plugin Slug:: yith-woocommerce-wishlist
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.0
Severity Score:: Medium
CVE:: 2025-5238

Plugin:: Breeze � WordPress Cache Plugin
Plugin Slug:: breeze
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.14
Severity Score:: Medium
CVE:: 2025-23999

Plugin:: Firelight Lightbox
Plugin Slug:: easy-fancybox
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.17
Severity Score:: Medium
CVE:: 2025-52707

Plugin:: Ivory Search � WordPress Search Plugin
Plugin Slug:: add-search-to-menu
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.10
Severity Score:: Medium
CVE:: 2025-5209

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.4
Severity Score:: High
CVE:: 2025-5071

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.19
Severity Score:: Medium
CVE:: 2025-4367

Plugin:: File Manager Pro � Filester
Plugin Slug:: filester
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.9
Severity Score:: Medium
CVE:: 2025-52710

Plugin:: GiveWP � Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.1
Severity Score:: Medium
CVE:: 2025-4571

Plugin:: HUSKY � Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.7.1
Severity Score:: High
CVE:: 2025-52708

Plugin:: Master Slider � Responsive Touch Slider
Plugin Slug:: master-slider
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.9
Severity Score:: Medium
CVE:: 2025-5291

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.9.0
Severity Score:: High
CVE:: 2025-3515

Plugin:: Post and Page Builder by BoldGrid � Visual Drag and Drop Editor
Plugin Slug:: post-and-page-builder
Installations: 60,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.27.9
Severity Score:: Medium
CVE:: 2025-52713

Plugin:: Post and Page Builder by BoldGrid � Visual Drag and Drop Editor
Plugin Slug:: post-and-page-builder
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.27.9
Severity Score:: Medium
CVE:: 2025-52711

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.8.32
Severity Score:: Medium
CVE:: 2025-4667

Plugin:: Ultra Addons for Contact Form 7
Plugin Slug:: ultimate-addons-for-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.5.13
Severity Score:: High
CVE:: 2025-6220

Plugin:: WP-Members Membership Plugin
Plugin Slug:: wp-members
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.4.1
Severity Score:: Medium
CVE:: 2025-50051

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: 8.4.5
Severity Score:: High
CVE:: 2025-5673

Plugin:: Login & Register Customizer � Popup | Slider | Inline | WooCommerce
Plugin Slug:: easy-login-woocommerce
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.5
Severity Score:: Medium
CVE:: 2025-50027

Plugin:: Pixel Manager for WooCommerce � Track Conversions and Analytics, Google Ads, TikTok and more
Plugin Slug:: woocommerce-google-adwords-conversion-tracking-tag
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.49.1
Severity Score:: Medium
CVE:: 2025-6201

Plugin:: WordPress Infinite Scroll � Ajax Load More
Plugin Slug:: ajax-load-more
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.1
Severity Score:: Medium
CVE:: 2025-4775

Plugin:: FunnelKit Automations � Email Marketing Automation and CRM for WordPress & WooCommerce
Plugin Slug:: wp-marketing-automations
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.0
Severity Score:: Critical
CVE:: 2025-1562

Plugin:: Classified Listing � Classified ads & Business Directory Plugin
Plugin Slug:: classified-listing
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.2.1
Severity Score:: High
CVE:: 2025-52715

Plugin:: tarteaucitron.io
Plugin Slug:: tarteaucitronjs
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.5
Severity Score:: Medium
CVE:: 2025-4955

Plugin:: Event Manager, Events Calendar, Booking, Registrations and Tickets � Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.29
Severity Score:: High
CVE:: 2025-49321

Plugin:: eCommerce Product Catalog Plugin for WordPress
Plugin Slug:: ecommerce-product-catalog
Installations: 9,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.4.4
Severity Score:: High
CVE:: 2025-49331

Plugin:: Poll, Survey & Quiz Maker Plugin by Opinion Stage
Plugin Slug:: social-polls-by-opinionstage
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 19.10.0
Severity Score:: Medium
CVE:: 2025-3880

Plugin:: WP Dummy Content Generator
Plugin Slug:: wp-dummy-content-generator
Installations: 8,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2025-49234

Plugin:: ProfileGrid � User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability:: Full Path Disclosure (FPD)
Patched in Version:: <= 5.9.5.3
Severity Score:: Medium
CVE:: 2025-52719

Plugin:: Wise Chat
Plugin Slug:: wise-chat
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.5
Severity Score:: High
CVE:: 2025-3774

Plugin:: Modern Footnotes
Plugin Slug:: modern-footnotes
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.20
Severity Score:: Medium
CVE:: 2025-50049

Plugin:: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms � CRM, Bigin
Plugin Slug:: cf7-zoho
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3.1
Severity Score:: Critical
CVE:: 2025-49330

Plugin:: Sitekit
Plugin Slug:: sitekit
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0
Severity Score:: Medium
CVE:: 2025-50047

Plugin:: YITH PayPal Express Checkout for WooCommerce
Plugin Slug:: yith-paypal-express-checkout-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.49.1
Severity Score:: Medium
CVE:: 2025-48111

Plugin:: JobWP � Job Board, Job Listing, Career Page and Recruitment Plugin
Plugin Slug:: jobwp
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2025-49975

Plugin:: Off-Canvas Sidebars & Menus (Slidebars)
Plugin Slug:: off-canvas-sidebars
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.5.8.5
Severity Score:: High
CVE:: 2025-49290

Plugin:: Related Products Manager for WooCommerce
Plugin Slug:: related-products-manager-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.3
Severity Score:: Medium
CVE:: 2025-50045

Plugin:: WPComplete
Plugin Slug:: wpcomplete
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.5.1
Severity Score:: Medium
CVE:: 2025-50046

Plugin:: Gutenverse News � Advanced News Magazine Blog Gutenberg Blocks Addons
Plugin Slug:: gutenverse-news
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2025-5234

Plugin:: Kata Plus � Addons for Elementor � Widgets, Extensions and Templates
Plugin Slug:: kata-plus
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2025-50009

Plugin:: Conference Scheduler
Plugin Slug:: conference-scheduler
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.2
Severity Score:: Medium
CVE:: 2025-5258

Plugin:: Euro FxRef Currency Converter
Plugin Slug:: euro-fxref-currency-converter
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.3
Severity Score:: Medium
CVE:: 2025-6257

Plugin:: Guest posting / Frontend Posting / Front Editor � WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.4
Severity Score:: High
CVE:: 2025-28988