In this report, 68 vulnerabilities have been publicly disclosed. Security patches for 64 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Currently, 4 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core
WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.
WordPress 7.0 Release Candidate 2 (RC2) is now ready for testing via the Beta Tester plugin, direct download, WP-CLI, or WordPress Playground. As a pre-release version, it should only be evaluated in staging or local environments.
WordPress 7.0 is scheduled for release on April 9, 2026.
WordPress Plugins � 63 Patched / 4 Unpatched
MSTW League Manager
- Plugin:
-
MSTW League Manager
- Plugin Slug:
- mstw-league-manager
- Installations
- 100+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-34890
Auto Post Scheduler
- Plugin:
Auto Post Scheduler
- Plugin Slug:
- auto-post-scheduler
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2026-1877
Performance Monitor
- Plugin:
Performance Monitor
- Plugin Slug:
- performance-monitor
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-3881
IDPay Payment Gateway for Woocommerce
- Plugin:
IDPay Payment Gateway for Woocommerce
- Plugin Slug:
- woo-idpay-gateway
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2026-34891
Elementor Website Builder � more than just a page builder
- Plugin Slug:
- elementor
- Installations
- 10,000,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 3.35.8
- Severity Score:
- Medium
- CVE:
-
2026-1206
ElementsKit Elementor Addons � Advanced Widgets & Templates Addons for Elementor
- Plugin Slug:
- elementskit-lite
- Installations
- 2,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.8.0
- Severity Score:
- Medium
- CVE:
-
2026-2600
Complianz � GDPR/CCPA Cookie Consent
- Plugin Slug:
- complianz-gdpr
- Installations
- 1,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.4.5
- Severity Score:
- Medium
- CVE:
-
2026-2389
Loco Translate
- Plugin:
-
Loco Translate
- Plugin Slug:
- loco-translate
- Installations
- 1,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.8.3
- Severity Score:
- High
- CVE:
-
2026-4146
W3 Total Cache
- Plugin:
-
W3 Total Cache
- Plugin Slug:
- w3-total-cache
- Installations
- 900,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.9.4
- Severity Score:
- High
- CVE:
-
2026-5032
WooPayments: Integrated WooCommerce Payments
- Plugin Slug:
- woocommerce-payments
- Installations
- 900,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 10.6.0
- Severity Score:
- Medium
- CVE:
-
2026-1710
Kadence Blocks � Page Builder Toolkit for Gutenberg Editor
- Plugin Slug:
- kadence-blocks
- Installations
- 600,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.6.4
- Severity Score:
- High
- CVE:
-
2026-2826
Kadence Blocks � Page Builder Toolkit for Gutenberg Editor
- Plugin Slug:
- kadence-blocks
- Installations
- 600,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.6.4
- Severity Score:
- Medium
- CVE:
-
2026-2826
Royal Addons for Elementor � Addons and Templates Kit for Elementor
- Plugin Slug:
- royal-elementor-addons
- Installations
- 600,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.7.1050
- Severity Score:
- Medium
- CVE:
-
2026-0664
SureForms � Contact Form, Payment Form & Other Custom Form Builder
- Plugin Slug:
- sureforms
- Installations
- 500,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.6.0
- Severity Score:
- High
- CVE:
-
2026-4987
WP Shortcodes Plugin � Shortcodes Ultimate
- Plugin Slug:
- shortcodes-ultimate
- Installations
- 400,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.4.9
- Severity Score:
- Medium
- CVE:
-
2026-0738
WP Shortcodes Plugin � Shortcodes Ultimate
- Plugin Slug:
- shortcodes-ultimate
- Installations
- 400,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.4.8
- Severity Score:
- Medium
- CVE:
-
2026-0737
WP Shortcodes Plugin � Shortcodes Ultimate
- Plugin Slug:
- shortcodes-ultimate
- Installations
- 400,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.5.0
- Severity Score:
- Medium
- CVE:
-
2026-2480
MW WP Form
- Plugin:
-
MW WP Form
- Plugin Slug:
- mw-wp-form
- Installations
- 200,000+
- Vulnerability:
- Directory Traversal
- Patched in Version:
- 5.1.1
- Severity Score:
- High
- CVE:
-
2026-4347
Query Monitor
- Plugin:
-
Query Monitor
- Plugin Slug:
- query-monitor
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.20.4
- Severity Score:
- High
- CVE:
-
2026-4267
Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
- Plugin Slug:
- ultimate-member
- Installations
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.11.2
- Severity Score:
- Medium
- CVE:
-
2025-15064
Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
- Plugin Slug:
- ultimate-member
- Installations
- 200,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 2.11.3
- Severity Score:
- High
- CVE:
-
2026-4248
Kubio AI Page Builder
- Plugin:
-
Kubio AI Page Builder
- Plugin Slug:
- kubio
- Installations
- 100,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.7.1
- Severity Score:
- Medium
- CVE:
-
2026-34887
Booking for Appointments and Events Calendar � Amelia
- Plugin Slug:
- ameliabooking
- Installations
- 90,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 2.2
- Severity Score:
- High
- CVE:
-
2026-5465
Booking for Appointments and Events Calendar � Amelia
- Plugin Slug:
- ameliabooking
- Installations
- 90,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.1.3
- Severity Score:
- High
- CVE:
-
2026-4668
Download Monitor
- Plugin:
-
Download Monitor
- Plugin Slug:
- download-monitor
- Installations
- 90,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 5.1.8
- Severity Score:
- Medium
- CVE:
-
2026-3124
Database for Contact Form 7, WPforms, Elementor forms
- Plugin Slug:
- contact-form-entries
- Installations
- 70,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.5.0
- Severity Score:
- Medium
- CVE:
-
2026-3831
Media Library Assistant
- Plugin:
-
Media Library Assistant
- Plugin Slug:
- media-library-assistant
- Installations
- 70,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.35
- Severity Score:
- Medium
- CVE:
-
2026-34897
Media Library Assistant
- Plugin:
-
Media Library Assistant
- Plugin Slug:
- media-library-assistant
- Installations
- 70,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.35
- Severity Score:
- High
- CVE:
-
2026-34885
Conditional Menus
- Plugin:
-
Conditional Menus
- Plugin Slug:
- conditional-menus
- Installations
- 60,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.2.7
- Severity Score:
- Medium
- CVE:
-
2026-1032
Export All URLs
- Plugin:
-
Export All URLs
- Plugin Slug:
- export-all-urls
- Installations
- 50,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 5.1
- Severity Score:
- Medium
- CVE:
-
2026-2696
User Profile Builder � Beautiful User Registration Forms, User Profiles & User Role Editor
- Plugin Slug:
- profile-builder
- Installations
- 50,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 3.15.6
- Severity Score:
- Medium
- CVE:
-
2026-3139
Simple Membership
- Plugin:
-
Simple Membership
- Plugin Slug:
- simple-membership
- Installations
- 40,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.7.2
- Severity Score:
- High
- CVE:
-
2026-34886
Blackhole for Bad Bots
- Plugin:
-
Blackhole for Bad Bots
- Plugin Slug:
- blackhole-bad-bots
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.8.1
- Severity Score:
- High
- CVE:
-
2026-4329
Gutenverse � Ultimate WordPress FSE Blocks Addons & Ecosystem
- Plugin Slug:
- gutenverse
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.4.7
- Severity Score:
- Medium
- CVE:
-
2026-2924
WP Lightbox 2
- Plugin:
-
WP Lightbox 2
- Plugin Slug:
- wp-lightbox-2
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.0.7
- Severity Score:
- Medium
- CVE:
-
2026-1430
Xpro Addons � 140+ Widgets for Elementor
- Plugin Slug:
- xpro-elementor-addons
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.4.21
- Severity Score:
- Medium
- CVE:
-
2025-13368
Xpro Addons � 140+ Widgets for Elementor
- Plugin Slug:
- xpro-elementor-addons
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.4.25
- Severity Score:
- Medium
- CVE:
-
2026-2949
Fluent Booking � The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution
- Plugin:
-
Fluent Booking � The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution
- Plugin Slug:
- fluent-booking
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0.05
- Severity Score:
- High
- CVE:
-
2026-2231
Twentig Supercharged Block Editor � Blocks, Patterns, Starter Sites, Portfolio
- Plugin Slug:
- twentig
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0
- Severity Score:
- Medium
- CVE:
-
2026-2602
WCFM � Frontend Manager for WooCommerce
- Plugin Slug:
- wc-frontend-manager
- Installations
- 20,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 6.7.26
- Severity Score:
- High
- CVE:
-
2026-4896
WP Travel Engine � Tour Booking Plugin � Tour Operator Software
- Plugin Slug:
- wp-travel-engine
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.7.6
- Severity Score:
- Medium
- CVE:
-
2026-2437
Frontend Admin by DynamiApps
- Plugin:
-
Frontend Admin by DynamiApps
- Plugin Slug:
- acf-frontend-form-element
- Installations
- 10,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 3.28.32
- Severity Score:
- High
- CVE:
-
2026-3328
Ibtana � WordPress Website Builder
- Plugin Slug:
- ibtana-visual-editor
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.2.5.8
- Severity Score:
- Medium
- CVE:
-
2026-1834
King Addons for Elementor � 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder
- Plugin Slug:
- king-addons
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 51.1.54
- Severity Score:
- Medium
- CVE:
-
2025-13535
Minify HTML
- Plugin:
-
Minify HTML
- Plugin Slug:
- minify-html-markup
- Installations
- 10,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 2.1.13
- Severity Score:
- Medium
- CVE:
-
2026-3191
Responsive Plus � Elementor Templates & Starter Sites
- Plugin Slug:
- responsive-add-ons
- Installations
- 10,000+
- Vulnerability:
- Arbitrary Code Execution
- Patched in Version:
- 3.4.3
- Severity Score:
- Medium
- CVE:
-
2025-15488
Simple Shopping Cart
- Plugin:
-
Simple Shopping Cart
- Plugin Slug:
- wordpress-simple-paypal-shopping-cart
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 5.2.5
- Severity Score:
- Medium
- CVE:
-
2026-0552
Spam Protect for Contact Form 7
- Plugin:
-
Spam Protect for Contact Form 7
- Plugin Slug:
- wp-contact-form-7-spam-blocker
- Installations
- 10,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 1.2.10
- Severity Score:
- High
- CVE:
-
2026-1540
JS Help Desk � AI-Powered Support & Ticketing System
- Plugin Slug:
- js-support-ticket
- Installations
- 8,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.0.5
- Severity Score:
- Critical
- CVE:
-
2026-2511
WP Job Portal � AI-Powered Recruitment System for Company or Job Board website
- Plugin Slug:
- wp-job-portal
- Installations
- 8,000+
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 2.5.0
- Severity Score:
- High
- CVE:
-
2026-4758
Contact Form by Supsystic
- Plugin:
-
Contact Form by Supsystic
- Plugin Slug:
- contact-form-by-supsystic
- Installations
- 7,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 1.8.0
- Severity Score:
- Critical
- CVE:
-
2026-4257
WPFunnels � Funnel Builder for WooCommerce with Checkout & One Click Upsell
- Plugin Slug:
- wpfunnels
- Installations
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.8.0
- Severity Score:
- Medium
- CVE:
-
2026-0626
Masteriyo LMS � Online Course Builder for eLearning, LMS & Education
- Plugin Slug:
- learning-management-system
- Installations
- 4,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 2.1.7
- Severity Score:
- High
- CVE:
-
2026-4484
Shared Files � Frontend File Upload Form & Secure File Sharing
- Plugin Slug:
- shared-files
- Installations
- 4,000+
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- 1.7.58
- Severity Score:
- Medium
- CVE:
-
2025-15433
Webmention
- Plugin:
-
Webmention
- Plugin Slug:
- webmention
- Installations
- 900+
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- 5.7.0
- Severity Score:
- Medium
- CVE:
-
2026-0688
Webmention
- Plugin:
-
Webmention
- Plugin Slug:
- webmention
- Installations
- 900+
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- 5.7.0
- Severity Score:
- Medium
- CVE:
-
2026-0686
Order Notification for WooCommerce � Get Audio Alert on new Orders
- Plugin Slug:
- woc-order-alert
- Installations
- 900+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 3.6.3
- Severity Score:
- High
- CVE:
-
2025-15484
TrueBooker � Appointment Booking and Scheduler System
- Plugin Slug:
- truebooker-appointment-booking
- Installations
- 600+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 1.1.5
- Severity Score:
- Medium
- CVE:
-
2026-1797
Debugger & Troubleshooter
- Plugin:
-
Debugger & Troubleshooter
- Plugin Slug:
- debugger-troubleshooter
- Installations
- 50+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.4.0
- Severity Score:
- Critical
- CVE:
-
2026-5130
FloristPress for Woo � Customize your eCommerce store for your Florist
- Plugin Slug:
- bakkbone-florist-companion
- Installations
- 10+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.8.3
- Severity Score:
- High
- CVE:
-
2026-1986
Bricksforge
- Plugin:
Bricksforge
- Plugin Slug:
- bricksforge
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 3.1.8.5
- Severity Score:
- High
- CVE:
-
2026-34888
Everest Forms Pro
- Plugin:
Everest Forms Pro
- Plugin Slug:
- everest-forms-pro
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 1.9.13
- Severity Score:
- Critical
- CVE:
-
2026-3300
Gravity SMTP
- Plugin:
Gravity SMTP
- Plugin Slug:
- gravitysmtp
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.1.5
- Severity Score:
- High
- CVE:
-
2026-4020
LeadConnector
- Plugin:
LeadConnector
- Plugin Slug:
- leadconnector
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.0.22
- Severity Score:
- Medium
- CVE:
-
2026-1890
Perfmatters
- Plugin:
Perfmatters
- Plugin Slug:
- perfmatters
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 2.6.0
- Severity Score:
- High
- CVE:
-
2026-4350
ThemeREX Addons
- Plugin:
ThemeREX Addons
- Plugin Slug:
- trx_addons
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 2.38.5
- Severity Score:
- Critical
- CVE:
-
2026-1969
Ultimate Addons for WPBakery Page Builder
- Plugin:
Ultimate Addons for WPBakery Page Builder
- Plugin Slug:
- ultimate_vc_addons
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.21.4
- Severity Score:
- Medium
- CVE:
-
2026-34889
WordPress Themes � 1 Patched / 0 Unpatched
Oxygen
- Theme:
-
Oxygen
- Theme Slug:
- oxygen
- Downloads
- 403,225
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- 6.0.9
- Severity Score:
- High
- CVE:
-
2025-12886