WordPress Vulnerability Report � April 15, 2026

In this report, 185 vulnerabilities have been publicly disclosed. Security patches for 169 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 16 plugin vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress 7.0 Release Candidate 2 (RC2) is now ready for testing via the Beta Tester plugin, direct download, WP-CLI, or WordPress Playground. As a pre-release version, it should only be evaluated in staging or local environments.

WordPress Plugins � 145 Patched / 16 Unpatched

Plugin:: AM LottiePlayer
Plugin Slug:: am-lottieplayer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1794

Plugin:: Attendance Manager
Plugin Slug:: attendance-manager
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3781

Plugin:: Columns by BestWebSoft
Plugin Slug:: columns-bws
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3618

Plugin:: DSGVO Google Web Fonts GDPR
Plugin Slug:: dsgvo-google-web-fonts-gdpr
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3535

Plugin:: Gerador de Certificados � DevApps
Plugin Slug:: gerador-de-certificados-devapps
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4808

Plugin:: Inquiry form to posts or pages
Plugin Slug:: inquiry-form-to-posts-or-pages
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5169

Plugin:: Pinterest Site Verification plugin using Meta Tag
Plugin Slug:: pinterest-site-verification
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3142

Plugin:: pz-frontend-manager
Plugin Slug:: pz-frontend-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3477

Plugin:: Quran Translations
Plugin Slug:: quran-translations-by-edc
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4141

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3594

Plugin:: Sports Club Management
Plugin Slug:: sports-club-management
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4871

Plugin:: Wavr
Plugin Slug:: wavr
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5506

Plugin:: Whole Enquiry Cart for WooCommerce
Plugin Slug:: whole-cart-enquiry
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2838

Plugin:: IDPay Payment Gateway for Woocommerce
Plugin Slug:: woo-idpay-gateway
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-34891

Plugin:: WowPress
Plugin Slug:: wowpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5508

Plugin:: WP Blockade
Plugin Slug:: wp-blockade
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3480

Plugin:: Elementor Website Builder � more than just a page builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.35.6
Severity Score:: Medium
CVE:: 2025-14732

Plugin:: ManageWP Worker
Plugin Slug:: worker
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.32
Severity Score:: High
CVE:: 2026-39463

Plugin:: WP-Optimize � Cache, Compress images, Minify & Clean database to boost page speed & performance
Plugin Slug:: wp-optimize
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.5.1
Severity Score:: Medium
CVE:: 2026-2712

Plugin:: Smart Slider 3
Plugin Slug:: smart-slider-3
Installations: 800,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.1.34
Severity Score:: Medium
CVE:: 2026-4065

Plugin:: Kadence Blocks � Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.4
Severity Score:: High
CVE:: 2026-2826

Plugin:: Kadence Blocks � Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.4
Severity Score:: Medium
CVE:: 2026-2826

Plugin:: BackWPup � WordPress Backup & Restore Plugin
Plugin Slug:: backwpup
Installations: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.6.7
Severity Score:: High
CVE:: 2026-6227

Plugin:: Meta Box
Plugin Slug:: meta-box
Installations: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.11.2
Severity Score:: Medium
CVE:: 2026-39468

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.4
Severity Score:: Medium
CVE:: 2026-34903

Plugin:: YITH WooCommerce Wishlist
Plugin Slug:: yith-woocommerce-wishlist
Installations: 500,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.13.0
Severity Score:: Medium
CVE:: 2026-4432

Plugin:: Page Builder: Pagelayer � Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9
Severity Score:: Medium
CVE:: 2026-2509

Plugin:: Cart Abandonment Recovery for WooCommerce � Recover Lost Sales with Automated Emails
Plugin Slug:: woo-cart-abandonment-recovery
Installations: 300,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.1.0
Severity Score:: High
CVE:: 2026-39470

Plugin:: MW WP Form
Plugin Slug:: mw-wp-form
Installations: 200,000+
Vulnerability:: Directory Traversal
Patched in Version:: 5.1.2
Severity Score:: High
CVE:: 2026-5436

Plugin:: Optimole � Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.3
Severity Score:: High
CVE:: 2026-5217

Plugin:: Optimole � Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.4
Severity Score:: High
CVE:: 2026-5226

Plugin:: Post Duplicator
Plugin Slug:: post-duplicator
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.11
Severity Score:: High
CVE:: 2026-39474

Plugin:: Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.2
Severity Score:: Medium
CVE:: 2025-15064

Plugin:: Aruba HiSpeed Cache
Plugin Slug:: aruba-hispeed-cache
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0.5
Severity Score:: Medium
CVE:: 2026-1924

Plugin:: Element Pack � Widgets, Templates & Addons for Elementor
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5.0
Severity Score:: Medium
CVE:: 2026-4655

Plugin:: Prime Slider � Addons for Elementor
Plugin Slug:: bdthemes-prime-slider-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.11
Severity Score:: Medium
CVE:: 2026-4341

Plugin:: Beaver Builder Page Builder � Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.1.2
Severity Score:: Medium
CVE:: 2026-2481

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.52
Severity Score:: Medium
CVE:: 2026-4057

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.53
Severity Score:: Medium
CVE:: 2026-5357

Plugin:: Everest Forms � Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.4.4
Severity Score:: Critical
CVE:: 2026-3296

Plugin:: LatePoint � Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.1
Severity Score:: Medium
CVE:: 2026-4785

Plugin:: MainWP Child Reports
Plugin Slug:: mainwp-child-reports
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3
Severity Score:: Medium
CVE:: 2026-4299

Plugin:: The Plus Addons for Elementor � Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.10
Severity Score:: Medium
CVE:: 2026-3311

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-3371

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-3358

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: High
CVE:: 2026-3360

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Content Injection
Patched in Version:: 4.16.12
Severity Score:: Medium
CVE:: 2026-3309

Plugin:: Booking for Appointments and Events Calendar � Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-5465

Plugin:: BackupBliss � Backup & Migration with Free Cloud Storage
Plugin Slug:: backup-backup
Installations: 90,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-39480

Plugin:: BackupBliss � Backup & Migration with Free Cloud Storage
Plugin Slug:: backup-backup
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2025-14944

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.1.11
Severity Score:: Medium
CVE:: 2026-4401

Plugin:: Strong Testimonials
Plugin Slug:: strong-testimonials
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.22
Severity Score:: Medium
CVE:: 2026-3239

Plugin:: ShopLentor � All-in-One WooCommerce Growth & Store Enhancement Plugin
Plugin Slug:: woolentor-addons
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.6
Severity Score:: Medium
CVE:: 2026-4059

Plugin:: Hustle � Email Marketing, Lead Generation, Optins, Popups
Plugin Slug:: wordpress-popup
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.8.11
Severity Score:: Medium
CVE:: 2026-2263

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Broken Authentication
Patched in Version:: 5.104.0
Severity Score:: Medium
CVE:: 2026-4664

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.14.2
Severity Score:: Medium
CVE:: 2026-39491

Plugin:: LearnPress � WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.4
Severity Score:: Medium
CVE:: 2026-4333

Plugin:: List category posts
Plugin Slug:: list-category-posts
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.95.0
Severity Score:: Medium
CVE:: 2026-3005

Plugin:: Product Feed PRO for WooCommerce by AdTribes � Product Feeds for WooCommerce
Plugin Slug:: woo-product-feed-pro
Installations: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 13.5.2.2
Severity Score:: High
CVE:: 2026-3499

Plugin:: Advanced Contact form 7 DB
Plugin Slug:: advanced-cf7-db
Installations: 70,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2026-0811

Plugin:: Advanced Contact form 7 DB
Plugin Slug:: advanced-cf7-db
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2026-0814

Plugin:: Online Scheduling and Appointment Booking System � Bookly
Plugin Slug:: bookly-responsive-appointment-booking-tool
Installations: 70,000+
Vulnerability:: Content Injection
Patched in Version:: 27.1
Severity Score:: Medium
CVE:: 2026-2519

Plugin:: Greenshift � animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.9.0
Severity Score:: Medium
CVE:: 2026-4895

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.35
Severity Score:: Medium
CVE:: 2026-34897

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.35
Severity Score:: High
CVE:: 2026-34885

Plugin:: Product Feed Manager for WooCommerce � CTX Feed � Support 220+ Shopping & Social Channels
Plugin Slug:: webappick-product-feed-for-woocommerce
Installations: 70,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.6.27
Severity Score:: High
CVE:: 2026-39434

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.9.29
Severity Score:: Critical
CVE:: 2026-39493

Plugin:: User Registration & Membership � Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Open Redirection
Patched in Version:: 5.1.5
Severity Score:: Medium
CVE:: 2026-6203

Plugin:: User Registration & Membership � Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.1.3
Severity Score:: High
CVE:: 2026-1865

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-39494

Plugin:: WP Maps � Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.2
Severity Score:: Critical
CVE:: 2026-39492

Plugin:: Popup Box � Create Countdown, Coupon, Video, Contact Form Popups
Plugin Slug:: ays-popup-box
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.0
Severity Score:: High
CVE:: 2025-15611

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Authentication
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2026-4330

Plugin:: Robo Gallery � Photo & Image Slider
Plugin Slug:: robo-gallery
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.4
Severity Score:: Medium
CVE:: 2026-4300

Plugin:: BEAR � Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug:: woo-bulk-editor
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2026-1673

Plugin:: BEAR � Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug:: woo-bulk-editor
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2026-1672

Plugin:: LightPress Lightbox
Plugin Slug:: wp-jquery-lightbox
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.5
Severity Score:: Medium
CVE:: 2026-4379

Plugin:: Form Maker by 10Web � Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.39
Severity Score:: Critical
CVE:: 2026-39502

Plugin:: Link Whisper Free
Plugin Slug:: link-whisper
Installations: 30,000+
Vulnerability:: Settings Change
Patched in Version:: 0.9.1
Severity Score:: Medium
CVE:: 2026-1900

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.15.16
Severity Score:: Medium
CVE:: 2026-2988

Plugin:: Ultimate FAQ Accordion Plugin
Plugin Slug:: ultimate-faqs
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.8
Severity Score:: Medium
CVE:: 2026-4336

Plugin:: Visitor Traffic Real Time Statistics
Plugin Slug:: visitors-traffic-real-time-statistics
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5
Severity Score:: High
CVE:: 2026-2936

Plugin:: AddFunc Head & Footer Code
Plugin Slug:: addfunc-head-footer-code
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4
Severity Score:: Medium
CVE:: 2026-2305

Plugin:: Smart Post Show � Post Grid, Post Carousel & Slider, and List Category Posts
Plugin Slug:: post-carousel
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.13
Severity Score:: High
CVE:: 2026-3017

Plugin:: Simple Social Media Share Buttons � Social Sharing for Everyone
Plugin Slug:: simple-social-buttons
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.2.1
Severity Score:: High
CVE:: 2026-34904

Plugin:: UsersWP � Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2026-4979

Plugin:: UsersWP � Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2026-4977

Plugin:: UsersWP � Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.61
Severity Score:: Medium
CVE:: 2026-5742

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5
Severity Score:: Medium
CVE:: 2026-4303

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.0.3
Severity Score:: High
CVE:: 2026-5809

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.4.17
Severity Score:: High
CVE:: 2026-3666

Plugin:: BlockArt Blocks � Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Plugin Slug:: blockart-blocks
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2026-3498

Plugin:: Charitable � Donation Plugin for WordPress � Fundraising with Recurring Donations & More
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.10
Severity Score:: Medium
CVE:: 2026-3177

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-39513

Plugin:: GeoDirectory � WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.154
Severity Score:: Critical
CVE:: 2026-39512

Plugin:: LifterLMS � WP LMS for eLearning, Online Courses, & Quizzes
Plugin Slug:: lifterlms
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.2.2
Severity Score:: Medium
CVE:: 2026-5207

Plugin:: OSM � OpenStreetMap
Plugin Slug:: osm
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.16
Severity Score:: Medium
CVE:: 2026-4429

Plugin:: Royal WordPress Backup, Restore & Migration Plugin � Backup WordPress Sites Safely
Plugin Slug:: royal-backup-reset
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.17
Severity Score:: High
CVE:: 2026-4305

Plugin:: Widgets for Social Photo Feed
Plugin Slug:: social-photo-feed-widget
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.0
Severity Score:: High
CVE:: 2026-5425

Plugin:: Under Construction, Coming Soon & Maintenance Mode
Plugin Slug:: under-construction-maintenance-mode
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-34896

Plugin:: Product Table and List Builder for WooCommerce Lite
Plugin Slug:: wc-product-table-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.4
Severity Score:: High
CVE:: 2026-34902

Plugin:: Eventin � Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.9
Severity Score:: Medium
CVE:: 2026-4109

Plugin:: WP Photo Album Plus
Plugin Slug:: wp-photo-album-plus
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.08.002
Severity Score:: Critical
CVE:: 2026-39511

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.0.26
Severity Score:: High
CVE:: 2025-14545

Plugin:: WCAPF � Ajax Product Filter for WooCommerce
Plugin Slug:: wc-ajax-product-filter
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.3.0
Severity Score:: Critical
CVE:: 2026-3396

Plugin:: Awesome Support � WordPress HelpDesk & Support Plugin
Plugin Slug:: awesome-support
Installations: 7,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.3.8
Severity Score:: Medium
CVE:: 2026-4654

Plugin:: ActivityPub
Plugin Slug:: activitypub
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.0.2
Severity Score:: High
CVE:: 2026-4338

Plugin:: GeekyBot � AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content
Plugin Slug:: geeky-bot
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.1
Severity Score:: Critical
CVE:: 2026-39519

Plugin:: WPFunnels � Funnel Builder for WooCommerce with Checkout & One Click Upsell
Plugin Slug:: wpfunnels
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.0
Severity Score:: Medium
CVE:: 2026-0626

Plugin:: Booking Activities
Plugin Slug:: booking-activities
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.17.0
Severity Score:: Medium
CVE:: 2026-39525

Plugin:: Masteriyo LMS � Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.6
Severity Score:: High
CVE:: 2026-39524

Plugin:: Masteriyo LMS � Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2026-5167

Plugin:: AWP Classifieds
Plugin Slug:: another-wordpress-classifieds-plugin
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.5
Severity Score:: High
CVE:: 2026-39533

Plugin:: Majestic Support � The Leading-Edge Help Desk & Customer Support Plugin
Plugin Slug:: majestic-support
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2026-40778

Plugin:: MStore API � Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 3,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.18.4
Severity Score:: Medium
CVE:: 2026-3568

Plugin:: SpeakOut! Email Petitions
Plugin Slug:: speakout
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.6.5.1
Severity Score:: Critical
CVE:: 2026-39530

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.1
Severity Score:: Critical
CVE:: 2026-39531

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.1
Severity Score:: High
CVE:: 2026-39534

Plugin:: Extensions for Leaflet Map
Plugin Slug:: extensions-leaflet-map
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15
Severity Score:: Medium
CVE:: 2026-5451

Plugin:: Timetics � Appointment Booking & Scheduling
Plugin Slug:: timetics
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.54
Severity Score:: High
CVE:: 2026-39432

Plugin:: Event Tickets Manager for WooCommerce
Plugin Slug:: event-tickets-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: High
CVE:: 2026-34898

Plugin:: iControlWP
Plugin Slug:: worpit-admin-dashboard-plugin
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 5.5.4
Severity Score:: Critical
CVE:: 2026-34901

Plugin:: SQL Chart Builder
Plugin Slug:: sql-chart-builder
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 2.3.8
Severity Score:: Critical
CVE:: 2026-4079

Plugin:: Webling
Plugin Slug:: webling
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.1
Severity Score:: Medium
CVE:: 2026-1263

Plugin:: Datalogics Ecommerce Delivery � Datalogics
Plugin Slug:: datalogics
Installations: 400+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.6.63
Severity Score:: Critical
CVE:: 2026-39583

Plugin:: Post Blocks & Tools
Plugin Slug:: bnm-blocks
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: Medium
CVE:: 2026-5711

Plugin:: TableOn � WordPress Posts Table Filterable�
Plugin Slug:: posts-table-filterable
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.5
Severity Score:: Medium
CVE:: 2026-3513

Plugin:: WP BASE Booking of Appointments, Services and Events
Plugin Slug:: wp-base-booking-of-appointments-services-and-events
Installations: 200+
Vulnerability:: Privilege Escalation
Patched in Version:: 6.0.0
Severity Score:: High
CVE:: 2026-39587

Plugin:: Text to Speech � TTSWP
Plugin Slug:: text-to-speech-tts
Installations: 100+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.9.9
Severity Score:: High
CVE:: 2026-1233

Plugin:: LTL Freight Quotes � Worldwide Express Edition
Plugin Slug:: ltl-freight-quotes-worldwide-express-edition
Installations: 90+
Vulnerability:: Broken Access Control
Patched in Version:: 5.2.2
Severity Score:: Medium
CVE:: 2026-34899

Plugin:: Ziggeo
Plugin Slug:: ziggeo
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.2
Severity Score:: Medium
CVE:: 2026-4124

Plugin:: BuddyPress Groupblog
Plugin Slug:: bp-groupblog
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.9.4
Severity Score:: High
CVE:: 2026-5144

Plugin:: WP-BusinessDirectory � Business directory plugin for WordPress
Plugin Slug:: wp-businessdirectory
Installations: 40+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.0.1
Severity Score:: Critical
CVE:: 2026-39591

Plugin:: Advanced Members for ACF
Plugin Slug:: advanced-members
Installations: 30+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.2.6
Severity Score:: High
CVE:: 2026-3243

Plugin:: PrivateContent Free
Plugin Slug:: privatecontent-free
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4025

Plugin:: ProSolution WP Client
Plugin Slug:: prosolution-wp-client
Installations: 20+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.0
Severity Score:: Critical
CVE:: 2026-2942

Plugin:: Experto Dashboard for WooCommerce
Plugin Slug:: experto-custom-dashboard
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.5
Severity Score:: Medium
CVE:: 2026-3574

Plugin:: Investi
Plugin Slug:: investi
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.27
Severity Score:: Medium
CVE:: 2026-3600

Plugin:: LTL Freight Quotes � R+L Carriers Edition
Plugin Slug:: ltl-freight-quotes-rl-edition
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.14
Severity Score:: Medium
CVE:: 2026-3646

Plugin:: Magic Conversation For Gravity Forms
Plugin Slug:: magic-conversation-for-gravity-forms
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.98
Severity Score:: Medium
CVE:: 2026-1396

Plugin:: Surbma | Booking.com Shortcode
Plugin Slug:: surbma-bookingcom-shortcode
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2026-1607

Plugin:: WholeSale Products Dynamic Pricing Management WooCommerce
Plugin Slug:: wholesale-products-dynamic-pricing-management-woocommerce
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4479

Plugin:: WPAMS
Plugin Slug:: apartment-management
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 49.5.3
Severity Score:: Medium
CVE:: 2026-39433

Plugin:: Blocksy Companion Pro
Plugin Slug:: blocksy-companion-pro
Vulnerability:: SQL Injection
Patched in Version:: 2.1.29
Severity Score:: Critical
CVE:: 2026-39596

Plugin:: Bricksforge
Plugin Slug:: bricksforge
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.1.8.5
Severity Score:: High
CVE:: 2026-34888

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.31
Severity Score:: High
CVE:: 2026-4394

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.31
Severity Score:: High
CVE:: 2026-4406

Plugin:: Gravity SMTP
Plugin Slug:: gravitysmtp
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-4162

Plugin:: Integrio Core
Plugin Slug:: integrio-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.8
Severity Score:: High
CVE:: 2026-34894

Plugin:: Listeo Core
Plugin Slug:: listeo-core
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.28
Severity Score:: Medium
CVE:: 2025-14938

Plugin:: Mikado Core
Plugin Slug:: mikado-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.2
Severity Score:: High
CVE:: 2026-39537

Plugin:: Smart Slider 3 PRO
Plugin Slug:: nextend-smart-slider3-pro
Vulnerability:: Backdoor
Patched in Version:: 3.5.1.36
Severity Score:: Critical

Plugin:: Ninja Forms File Uploads Extension
Plugin Slug:: ninja-forms-uploads
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.27
Severity Score:: Critical
CVE:: 2026-0740

Plugin:: pdfl.io
Plugin Slug:: pdfl-io
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2026-4073

Plugin:: Perfmatters
Plugin Slug:: perfmatters
Vulnerability:: Directory Traversal
Patched in Version:: 2.6.0
Severity Score:: High
CVE:: 2026-4351

Plugin:: Quick Playground
Plugin Slug:: quick-playground
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.2
Severity Score:: Critical
CVE:: 2026-1830

Plugin:: Softlab Core
Plugin Slug:: softlab-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.11
Severity Score:: High
CVE:: 2026-34895

Plugin:: Solene Core
Plugin Slug:: solene-core
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3.4
Severity Score:: High
CVE:: 2026-39523

Plugin:: Thegov Core
Plugin Slug:: thegov-core
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.23
Severity Score:: High
CVE:: 2026-34893

Plugin:: Users manager � PN
Plugin Slug:: userspn
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.20
Severity Score:: Critical
CVE:: 2026-4003

Plugin:: MultiLoca
Plugin Slug:: woocommerce-multi-locations-inventory-management
Vulnerability:: Privilege Escalation
Patched in Version:: 4.2.16
Severity Score:: High
CVE:: 2026-39546

WordPress Themes � 24 Patched / 0 Unpatched

Theme:: Alloggio – Hotel Booking
Theme Slug:: alloggio
Vulnerability:: PHP Object Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-39539

Theme:: Aperitif
Theme Slug:: aperitif
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2026-39550

Theme:: Aperitif
Theme Slug:: aperitif
Vulnerability:: Local File Inclusion
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39549

Theme:: Askka
Theme Slug:: askka
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-39555

Theme:: Blueprint
Theme Slug:: blueprint
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-39552

Theme:: Fidalgo
Theme Slug:: fidalgo
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-39554

Theme:: Getaway
Theme Slug:: getaway
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8
Severity Score:: High
CVE:: 2026-39547

Theme:: Hiroshi
Theme Slug:: hiroshi
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39560

Theme:: Konsept
Theme Slug:: konsept
Vulnerability:: PHP Object Injection
Patched in Version:: 2.0
Severity Score:: High
CVE:: 2026-39556

Theme:: Malm�
Theme Slug:: malmo
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3
Severity Score:: High
CVE:: 2026-39558

Theme:: Micdrop
Theme Slug:: micdrop
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-39580

Theme:: Mildhill
Theme Slug:: mildhill
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39573

Theme:: Mr. SEO
Theme Slug:: mrseo
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1
Severity Score:: High
CVE:: 2026-39568

Theme:: NeoBeat
Theme Slug:: neobeat
Vulnerability:: PHP Object Injection
Patched in Version:: 1.8
Severity Score:: High
CVE:: 2026-39557

Theme:: Playroom
Theme Slug:: playroom
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-39577

Theme:: Sant�
Theme Slug:: sante
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39567

Theme:: SingleMalt
Theme Slug:: singlemalt
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39576

Theme:: Solene
Theme Slug:: solene
Vulnerability:: Local File Inclusion
Patched in Version:: 3.4.1
Severity Score:: High
CVE:: 2026-39522

Theme:: T�bel
Theme Slug:: tobel
Vulnerability:: PHP Object Injection
Patched in Version:: 1.9
Severity Score:: High
CVE:: 2026-39551

Theme:: Uppercase
Theme Slug:: uppercase
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.2
Severity Score:: High
CVE:: 2026-39559

Theme:: Valiance
Theme Slug:: valiance
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-39578

Theme:: WaveRide
Theme Slug:: waveride
Vulnerability:: Local File Inclusion
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-39553

Theme:: Hitek
Theme Slug:: xts-hitek
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8.3
Severity Score:: High
CVE:: 2026-39582

Theme:: Zermatt
Theme Slug:: zermatt
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: High
CVE:: 2026-39545