WordPress Vulnerability Report � July 9, 2025

In this report, 149 vulnerabilities have been publicly disclosed. Security patches for 65 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 84 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.1 was released on April 30, 2025. This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

WordPress Plugins � 51 Patched / 75 Unpatched

Plugin:: Soumettre.fr
Plugin Slug:: soumettre-fr
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-4654

Plugin:: Contact Form 7 reCAPTCHA
Plugin Slug:: contact-form-7-recaptcha
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-23972

Plugin:: AI Bud � AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o
Plugin Slug:: aibuddy-openai-chatgpt
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-23968

Plugin:: Chatra Live Chat + ChatBot + Cart Saver
Plugin Slug:: chatra-live-chat
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-24735

Plugin:: (Simply) Guest Author Name
Plugin Slug:: guest-author-name
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-24764

Plugin:: MyRewards � Loyalty Points and Rewards for WooCommerce � Reward orders, referrals, product reviews and more
Plugin Slug:: woorewards
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-24757

Plugin:: Leyka
Plugin Slug:: leyka
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52805

Plugin:: WC Pickup Store
Plugin Slug:: wc-pickup-store
Installations: 2,000+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47634

Plugin:: Frontend File Manager Plugin
Plugin Slug:: nmedia-user-file-uploader
Installations: 1,000+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-27358

Plugin:: Video Gallery Block � Display your videos as a gallery in a professional way
Plugin Slug:: video-gallery-block
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-27326

Plugin:: WP fancybox
Plugin Slug:: wp-fancybox
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-26591

Plugin:: Bulk Featured Image
Plugin Slug:: bulk-featured-image
Installations: 900+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28951

Plugin:: URL Shortener Plugin For WordPress
Plugin Slug:: exact-links
Installations: 700+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28963

Plugin:: Gallery Widget
Plugin Slug:: gallery-widget
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28969

Plugin:: OwnerRez
Plugin Slug:: ownerrez
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28957

Plugin:: MobiLoud � WordPress Mobile Apps � Convert your WordPress Website to Native Mobile Apps
Plugin Slug:: mobiloud-mobile-app-plugin
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52813

Plugin:: Easy Elements Hider
Plugin Slug:: easy-elements-hider
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28971

Plugin:: Aviation Weather from NOAA
Plugin Slug:: aviation-weather-from-noaa
Installations: 200+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28980

Plugin:: Contact Form 7 Editor Button
Plugin Slug:: cf7-editor-button
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48345

Plugin:: LMSACE Connect � WooCommerce Moodle� LMS Integration
Plugin Slug:: lmsace-connect
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-29007

Plugin:: bSecure � Your Universal Checkout
Plugin Slug:: bsecure
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52830

Plugin:: Dot html,php,xml etc pages
Plugin Slug:: dot-htmlphpxml-etc-pages
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52779

Plugin:: fluXtore Funnel Builder for WordPress � Earn More with Highly Converting Sales Funnels
Plugin Slug:: fluxtore
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-30929

Plugin:: SMu Manual DoFollow
Plugin Slug:: manuall-dofollow
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49031

Plugin:: Media Folder
Plugin Slug:: media-folder
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52786

Plugin:: Pay with Contact Form 7
Plugin Slug:: pay-with-contact-form-7
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52777

Plugin:: Printcart Web to Print Product Designer for WooCommerce
Plugin Slug:: printcart-integration
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24780

Plugin:: Tennis Court Bookings
Plugin Slug:: tennis-court-bookings
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52787

Plugin:: Video List Manager
Plugin Slug:: video-list-manager
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52831

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47652

Plugin:: Paytiko for WooCommerce
Plugin Slug:: paytiko
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50032

Plugin:: Smart Docs
Plugin Slug:: smart-docs
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6787

Plugin:: Ultimate Push Notifications ( Mobile / Desktop ), Receive Notification From WooCommerce, BuddyPress, WordPress Default Events & Many More
Plugin Slug:: ultimate-push-notifications
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50028

Plugin:: Torod � The smart shipping and delivery portal for e-shops and retailers
Plugin Slug:: torod
Installations: 70+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30936

Plugin:: CoSchool LMS � A complete Learning Management System to Create and Sell Your Courses Online
Plugin Slug:: coschool
Installations: 40+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30973

Plugin:: Posts Slider Shortcode
Plugin Slug:: posts-slider-shortcode
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-30943

Plugin:: Cool fade popup
Plugin Slug:: cool-fade-popup
Installations: 30+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30947

Plugin:: Card flip image slideshow
Plugin Slug:: card-flip-image-slideshow
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-30983

Plugin:: Custom Login And Signup Widget
Plugin Slug:: custom-login-and-signup-widget
Installations: 10+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49029

Plugin:: Pixelating image slideshow gallery
Plugin Slug:: pixelating-image-slideshow-gallery
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30979

Plugin:: iFrame Images Gallery
Plugin Slug:: wp-iframe-images-gallery
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30969

Plugin:: CF7 7 Mailchimp Add-on
Plugin Slug:: CF7-mailchimp-addon
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-29012

Plugin:: WooCommerce Product Multi-Action
Plugin Slug:: Woo-product-multiaction
Vulnerability:: Deserialization of untrusted data
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49417

Plugin:: Allmart
Plugin Slug:: allmart-core
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49418

Plugin:: Ads Pro Plugin
Plugin Slug:: ap-plugin-scripteo
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6437

Plugin:: Ads Pro Plugin
Plugin Slug:: ap-plugin-scripteo
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6459

Plugin:: Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer)
Plugin Slug:: azon-addon-js-composer
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30628

Plugin:: Booking X
Plugin Slug:: booking-x
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6814

Plugin:: Contact Us page – Contact people LITE
Plugin Slug:: contact-us-page-contact-people
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28967

Plugin:: DocCheck Login
Plugin Slug:: doccheck-login
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6786

Plugin:: WooCommerce Shop Page Builder
Plugin Slug:: dzs-wootable
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-29001

Plugin:: EventON
Plugin Slug:: eventon
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47565

Plugin:: FW Gallery
Plugin Slug:: fw-gallery
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49414

Plugin:: GoZen Forms
Plugin Slug:: gozen-forms
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6782

Plugin:: WP Human Resource Management
Plugin Slug:: hrm
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5953

Plugin:: WP Human Resource Management
Plugin Slug:: hrm
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5956

Plugin:: Amazon Products to WooCommerce
Plugin Slug:: import-products-to-wc
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5817

Plugin:: JKDEVKIT
Plugin Slug:: jkdevkit
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-2932

Plugin:: LoginWP – Pro
Plugin Slug:: loginwp-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39561

Plugin:: Magic Buttons for Elementor
Plugin Slug:: magic-buttons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6687

Plugin:: MF Plus WPML
Plugin Slug:: mf-plus-wpml
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49431

Plugin:: Opal Estate Pro
Plugin Slug:: opal-estate-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6934

Plugin:: PrivateContent – Mail Actions
Plugin Slug:: private-content-mail-actions
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47627

Plugin:: ProcessingJS for WordPress
Plugin Slug:: processingjs-for-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6039

Plugin:: Profiler – What Slowing Down Your WP
Plugin Slug:: profiler-what-slowing-down
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48339

Plugin:: RD Contacto
Plugin Slug:: rd-wapp
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5933

Plugin:: Multi-language Responsive Contact Form
Plugin Slug:: responsive-contact-form
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-29000

Plugin:: Service Finder Booking
Plugin Slug:: sf-booking
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-23970

Plugin:: Super Store Finder
Plugin Slug:: superstorefinder-wp
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47571

Plugin:: Email Address Security by WebEmailProtector
Plugin Slug:: webemailprotector
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28976

Plugin:: PayMaster for WooCommerce
Plugin Slug:: woocommerce-paymaster-gateway-019
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6729

Plugin:: WordPress Auto Spinner
Plugin Slug:: wp-auto-spinner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46500

Plugin:: WP Firebase Push Notification
Plugin Slug:: wp-push-notification-firebase
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5924

Plugin:: WPQuiz
Plugin Slug:: wpquiz
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6739

Plugin:: yContributors
Plugin Slug:: ycontributors
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6041

Plugin:: Essential Addons for Elementor � Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.20
Severity Score:: Medium
CVE:: 2025-6244

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.10.70
Severity Score:: Medium
CVE:: 2024-11937

Plugin:: Migration, Backup, Staging � WPvivid Backup & Migration
Plugin Slug:: wpvivid-backuprestore
Installations: 700,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.9.117
Severity Score:: Critical
CVE:: 2025-5961

Plugin:: Contact Form 7 Database Addon � CFDB7
Plugin Slug:: contact-form-cfdb7
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: High
CVE:: 2025-6740

Plugin:: Forminator Forms � Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 600,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.44.3
Severity Score:: High
CVE:: 2025-6464

Plugin:: Forminator Forms � Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 600,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.44.3
Severity Score:: High
CVE:: 2025-6463

Plugin:: WP Shortcodes Plugin � Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.1
Severity Score:: Medium
CVE:: 2025-5567

Plugin:: SureForms � Drag and Drop Form Builder for WordPress
Plugin Slug:: sureforms
Installations: 200,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.7.4
Severity Score:: High

Plugin:: Dear Flipbook � PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Plugin Slug:: 3d-flipbook-dflip-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.67
Severity Score:: High
CVE:: 2025-5314

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.5
Severity Score:: Medium
CVE:: 2025-5570

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Open Redirection
Patched in Version:: 2.8.5
Severity Score:: High
CVE:: 2025-6238

Plugin:: Element Pack Elementor Addons and Templates
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.1.0
Severity Score:: Medium
CVE:: 2025-5944

Plugin:: Contact Form by Everest Forms � Simple Contact Form to Advanced Contact Form, Quiz, Survey, & Custom Contact Form Builder for WordPress
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.2.3
Severity Score:: Critical
CVE:: 2025-52709

Plugin:: Ultra Addons for Contact Form 7
Plugin Slug:: ultimate-addons-for-contact-form-7
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.22
Severity Score:: Medium
CVE:: 2025-6756

Plugin:: Beautiful Cookie Consent Banner
Plugin Slug:: beautiful-and-responsive-cookie-consent
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.2
Severity Score:: High
CVE:: 2025-49866

Plugin:: Download Plugin
Plugin Slug:: download-plugin
Installations: 40,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.2.9
Severity Score:: Critical
CVE:: 2025-6586

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.9
Severity Score:: Medium
CVE:: 2025-53566

Plugin:: Gutenberg Blocks � PublishPress Blocks Controls, Visibility, Reusable Blocks
Plugin Slug:: advanced-gutenberg
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.2
Severity Score:: Medium
CVE:: 2025-49032

Plugin:: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Plugin Slug:: bit-form
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.17.6
Severity Score:: Medium
CVE:: 2024-13451

Plugin:: LifterLMS � WP LMS for eLearning, Online Courses, & Quizzes
Plugin Slug:: lifterlms
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 8.0.7
Severity Score:: Critical
CVE:: 2025-52717

Plugin:: Paid Membership Subscriptions � Effortless Memberships, Recurring Payments & Content Restriction
Plugin Slug:: paid-member-subscriptions
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.15.2
Severity Score:: High
CVE:: 2025-49870

Plugin:: Portfolio for Elementor & Image Gallery | PowerFolio
Plugin Slug:: portfolio-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-7046

Plugin:: All-in-One Addons for Elementor � WidgetKit
Plugin Slug:: widgetkit-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.5
Severity Score:: Medium
CVE:: 2025-2330

Plugin:: WP Compress � Instant Performance & Speed Optimization
Plugin Slug:: wp-compress-image-optimizer
Installations: 9,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.30.31
Severity Score:: Medium
CVE:: 2025-47479

Plugin:: Melapress File Monitor
Plugin Slug:: website-file-changes-monitor
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.0
Severity Score:: Medium
CVE:: 2025-3702

Plugin:: Booking calendar, Appointment Booking System
Plugin Slug:: booking-calendar
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.2.18
Severity Score:: Critical

Plugin:: VikRentCar Car Rental Management System
Plugin Slug:: vikrentcar
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.4
Severity Score:: Critical
CVE:: 2025-5322

Plugin:: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner � Groundhogg
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.2.2
Severity Score:: Critical
CVE:: 2025-48300

Plugin:: Radio Station by netmix� � Manage and play your Show Schedule in WordPress!
Plugin Slug:: radio-station
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.5.13
Severity Score:: Medium
CVE:: 2025-53568

Plugin:: WP Travel Gutenberg Blocks
Plugin Slug:: wp-travel-blocks
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.9.1
Severity Score:: High
CVE:: 2025-53207

Plugin:: Booking Calendar Contact Form
Plugin Slug:: booking-calendar-contact-form
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2025-48231

Plugin:: NGG Smart Image Search
Plugin Slug:: ngg-smart-image-search
Installations: 500+
Vulnerability:: SQL Injection
Patched in Version:: 3.4.3
Severity Score:: Critical
CVE:: 2025-52832

Plugin:: PW WooCommerce On Sale!
Plugin Slug:: pw-woocommerce-on-sale
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 1.40
Severity Score:: High
CVE:: 2025-49888

Plugin:: Easy restaurant menu manager
Plugin Slug:: easy-pdf-restaurant-menu-upload
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-6673

Plugin:: Trust Payments Gateway for WooCommerce (JavaScript Library)
Plugin Slug:: trust-payments-gateway-3ds2
Installations: 300+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2025-53569

Plugin:: Click & Pledge Connect
Plugin Slug:: click-pledge-connect
Installations: 200+
Vulnerability:: Privilege Escalation
Patched in Version:: 25.07000000-WP6.8.1
Severity Score:: Critical
CVE:: 2025-28983

Plugin:: Easy Stripe � Tips, Payments, and Donations
Plugin Slug:: easy-stripe
Installations: 40+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.2
Severity Score:: Critical
CVE:: 2025-49302

Plugin:: Guest Support � Complete customer support ticket system for WordPress
Plugin Slug:: guest-support
Installations: 30+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2025-5957