WordPress Vulnerability Report � April 1, 2026

In this report, 225 vulnerabilities have been publicly disclosed. Security patches for 134 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 91 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress 7.0 Release Candidate 2 (RC2) is now ready for testing via the Beta Tester plugin, direct download, WP-CLI, or WordPress Playground. As a pre-release version, it should only be evaluated in staging or local environments.

WordPress 7.0 is scheduled for release on April 9, 2026.

WordPress Plugins � 113 Patched / 90 Unpatched

Plugin:: WPCargo Track & Trace
Plugin Slug:: wpcargo
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25401

Plugin:: MimeTypes Link Icons
Plugin Slug:: mimetypes-link-icons
Installations: 8,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1313

Plugin:: Coinbase Commerce � Crypto Gateway for WooCommerce
Plugin Slug:: commerce-coinbase-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25396

Plugin:: SurveyJS: Drag & Drop Form Builder
Plugin Slug:: surveyjs
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2440

Plugin:: File Uploader for WooCommerce
Plugin Slug:: file-uploader-for-woocommerce
Installations: 100+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25397

Plugin:: Any Post Slider
Plugin Slug:: any-post-slider
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1899

Plugin:: FuseDesk
Plugin Slug:: fusedesk
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1914

Plugin:: WPFAQBlock� FAQ & Accordion Plugin For Gutenberg
Plugin Slug:: wpfaqblock
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1093

Plugin:: Ad Short
Plugin Slug:: ad-short
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4067

Plugin:: Add Google Social Profiles to Knowledge Graph Box
Plugin Slug:: add-google-social-profiles-to-knowledge-graph-box
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1393

Plugin:: Alfie
Plugin Slug:: alfie-the-productfeedtool-wp-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4069

Plugin:: App Builder
Plugin Slug:: app-builder
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2375

Plugin:: Reward Video Ad for WordPress
Plugin Slug:: applixir
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2424

Plugin:: Appmax
Plugin Slug:: appmax
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3641

Plugin:: ARForms Form Builder
Plugin Slug:: arforms-form-builder
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13785

Plugin:: Build App Online
Plugin Slug:: build-app-online
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3651

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3335

Plugin:: CMS Commander
Plugin Slug:: cms-commander-client
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3334

Plugin:: Comment Genius
Plugin Slug:: comment-genius
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1647

Plugin:: Comment SPAM Wiper
Plugin Slug:: comment-spam-wiper
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3353

Plugin:: Company Posts for LinkedIn
Plugin Slug:: company-posts-for-linkedin
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1935

Plugin:: Content Syndication Toolkit
Plugin Slug:: content-syndication-toolkit
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3478

Plugin:: e-shot
Plugin Slug:: e-shot-form-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3546

Plugin:: Easy Image Gallery
Plugin Slug:: easy-image-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4766

Plugin:: Ecover Builder For Dummies
Plugin Slug:: ecover-builder-for-dummies
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4077

Plugin:: Ed’s Font Awesome
Plugin Slug:: eds-font-awesome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2496

Plugin:: Ed’s Social Share
Plugin Slug:: eds-social-share
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2501

Plugin:: ElementCamp
Plugin Slug:: element-camp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2503

Plugin:: Expire Users
Plugin Slug:: expire-users
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4261

Plugin:: Fonts Manager | Custom Fonts
Plugin Slug:: fonts-manager-custom-fonts
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1800

Plugin:: fyyd podcast shortcodes
Plugin Slug:: fyyd-podcast-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4084

Plugin:: Go Night Pro
Plugin Slug:: go-night-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1886

Plugin:: Hr Press Lite
Plugin Slug:: hr-press-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2720

Plugin:: Integration with Hubspot Forms
Plugin Slug:: integration-with-hubspot-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1908

Plugin:: Invelity Product Feeds
Plugin Slug:: invelity-products-feeds
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14037

Plugin:: itsukaita
Plugin Slug:: itsukaita
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2427

Plugin:: iVysilani Shortcode
Plugin Slug:: ivysilani-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1851

Plugin:: Linksy Search and Replace
Plugin Slug:: linksy-search-and-replace
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2941

Plugin:: Lobot Slider Administrator
Plugin Slug:: lobot-slider-administrator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3331

Plugin:: login_register
Plugin Slug:: login-register
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1503

Plugin:: Mandatory Field
Plugin Slug:: mandatory-fields
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1278

Plugin:: MinhNhut Link Gateway
Plugin Slug:: minhnhut-link-gateway
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3333

Plugin:: Multi Functional Flexi Lightbox
Plugin Slug:: multi-functional-flexi-lightbox
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3347

Plugin:: Multi Post Carousel by Category
Plugin Slug:: multi-post-carousel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1275

Plugin:: myLinksDump
Plugin Slug:: mylinksdump
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2279

Plugin:: Neos Connector for Fakturama
Plugin Slug:: neos-connector-for-fakturama
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4143

Plugin:: Outgrow
Plugin Slug:: outgrow
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1889

Plugin:: Paypal Shortcodes
Plugin Slug:: paypal-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3617

Plugin:: PQ Addons � Creative Elementor Widgets
Plugin Slug:: peacefulqode-elementzplus-widgets
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1397

Plugin:: Performance Monitor
Plugin Slug:: performance-monitor
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1648

Plugin:: Post Flagger
Plugin Slug:: post-flagger
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1854

Plugin:: Post Snippits
Plugin Slug:: post-snippits
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2723

Plugin:: Post Affiliate Pro
Plugin Slug:: postaffiliatepro
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2290

Plugin:: Pre* Party Resource Hints
Plugin Slug:: pre-party-browser-hints
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4087

Plugin:: Punnel � Landing Page Builder
Plugin Slug:: punnel-landing-page-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3645

Plugin:: Quentn WP
Plugin Slug:: quentn-wp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-2468

Plugin:: Redirect countdown
Plugin Slug:: redirect-countdown
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1390

Plugin:: REST API TO MiniProgram
Plugin Slug:: rest-api-to-miniprogram
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3460

Plugin:: Review Map by RevuKangaroo
Plugin Slug:: review-map-by-revukangaroo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4161

Plugin:: rexCrawler
Plugin Slug:: rexcrawler
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2277

Plugin:: Ricerca � advanced search
Plugin Slug:: ricerca-smart-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2837

Plugin:: Schema Shortcode
Plugin Slug:: schema-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1575

Plugin:: Sheets2Table
Plugin Slug:: sheets2table
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3619

Plugin:: Sherk Custom Post Type Displays
Plugin Slug:: sherk-custom-post-type-displays
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3554

Plugin:: Weaver Show Posts
Plugin Slug:: show-posts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2121

Plugin:: Show Posts list
Plugin Slug:: show-posts-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4022

Plugin:: Simple Football Scoreboard
Plugin Slug:: simple-football-score-board
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1891

Plugin:: Smarter Analytics
Plugin Slug:: smarter-analytics
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3570

Plugin:: Speedup Optimization
Plugin Slug:: speedup-optimization
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4127

Plugin:: SR WP Minify HTML
Plugin Slug:: sr-wp-minify-html
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1392

Plugin:: Survey
Plugin Slug:: survey
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1247

Plugin:: Task Manager
Plugin Slug:: task-manager
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2351

Plugin:: Task Manager
Plugin Slug:: task-manager
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4004

Plugin:: Text Toggle
Plugin Slug:: text-toggle
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3997

Plugin:: Tour & Activity Operator Plugin for TourCMS
Plugin Slug:: tour-operator-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1806

Plugin:: Tutor LMS Pro
Plugin Slug:: tutor-pro
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25406

Plugin:: Twitter Feeds
Plugin Slug:: twitter-feeds
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1911

Plugin:: Shortcodes Blocks Creator Ultimate
Plugin Slug:: ultimate-shortcodes-creator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12166

Plugin:: Shortcodes Blocks Creator Ultimate
Plugin Slug:: ultimate-shortcodes-creator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12167

Plugin:: Vagaro Booking Widget
Plugin Slug:: vagaro-booking-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3003

Plugin:: Wikilookup
Plugin Slug:: wikilookup
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3354

Plugin:: WordPress PayPal Donation
Plugin Slug:: wordpress-paypal-donation
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4072

Plugin:: WP Games Embed
Plugin Slug:: wp-games-embed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3996

Plugin:: WP NG Weather
Plugin Slug:: wp-ng-weather
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1822

Plugin:: WP Posts Re-order
Plugin Slug:: wp-posts-re-order
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1378

Plugin:: WP Random Button
Plugin Slug:: wp-random-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4086

Plugin:: WP-WebAuthn
Plugin Slug:: wp-webauthn
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13910

Plugin:: WPBookit Pro
Plugin Slug:: wpbookit-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25413

Plugin:: WPBookit Pro
Plugin Slug:: wpbookit-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25414

Plugin:: Xhanch � My Advanced Settings
Plugin Slug:: xhanch-my-advanced-settings
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3332

Plugin:: Elementor Website Builder � more than just a page builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.35.8
Severity Score:: Medium
CVE:: 2026-1206

Plugin:: Yoast SEO � Advanced SEO with real-time guidance and built-in AI
Plugin Slug:: wordpress-seo
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 27.2
Severity Score:: Medium
CVE:: 2026-3427

Plugin:: WPForms � Easy Form Builder for WordPress � Contact Forms, Payment Forms, Surveys, & More
Plugin Slug:: wpforms-lite
Installations: 6,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.9.9.2
Severity Score:: Medium
CVE:: 2026-25339

Plugin:: Complianz � GDPR/CCPA Cookie Consent
Plugin Slug:: complianz-gdpr
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.5
Severity Score:: Medium
CVE:: 2026-2389

Plugin:: Smart Slider 3
Plugin Slug:: smart-slider-3
Installations: 800,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.5.1.34
Severity Score:: Medium
CVE:: 2026-3098

Plugin:: Ninja Forms � The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 600,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.14.2
Severity Score:: Medium
CVE:: 2026-1307

Plugin:: SureForms � Contact Form, Payment Form & Other Custom Form Builder
Plugin Slug:: sureforms
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.0
Severity Score:: High
CVE:: 2026-4987

Plugin:: Page Builder: Pagelayer � Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 400,000+
Vulnerability:: Content Injection
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2026-2442

Plugin:: ShortPixel Image Optimizer � Optimize Images, Convert WebP & AVIF
Plugin Slug:: shortpixel-image-optimiser
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.4
Severity Score:: Medium
CVE:: 2026-4335

Plugin:: Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.11.3
Severity Score:: High
CVE:: 2026-4248

Plugin:: LatePoint � Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.2.7
Severity Score:: Medium
CVE:: 2026-32533

Plugin:: Booking for Appointments and Events Calendar � Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: Broken Authentication
Patched in Version:: 9.2
Severity Score:: High
CVE:: 2026-2931

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.1.8
Severity Score:: Medium
CVE:: 2026-3124

Plugin:: JetFormBuilder � Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 90,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.5.6.3
Severity Score:: High
CVE:: 2026-4373

Plugin:: JetFormBuilder � Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 90,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.5.6.2
Severity Score:: Critical
CVE:: 2026-32525

Plugin:: Import and export users and customers
Plugin Slug:: import-users-from-csv-with-meta
Installations: 80,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0
Severity Score:: High
CVE:: 2026-3629

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.14.2
Severity Score:: High
CVE:: 2026-3533

Plugin:: LearnPress � WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Medium
CVE:: 2026-3225

Plugin:: Conditional Menus
Plugin Slug:: conditional-menus
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2026-1032

Plugin:: Woody Code Snippets � Insert PHP, CSS, JS, and Header/Footer Scripts
Plugin Slug:: insert-php
Installations: 60,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.7.2
Severity Score:: Critical
CVE:: 2026-25366

Plugin:: User Registration & Membership � Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.5
Severity Score:: Medium
CVE:: 2026-4056

Plugin:: User Registration & Membership � Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 5.1.3
Severity Score:: High
CVE:: 2026-32488

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.3
Severity Score:: Medium
CVE:: 2026-3138

Plugin:: WP Maps � Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.2
Severity Score:: Critical
CVE:: 2026-2580

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.8.3
Severity Score:: Medium
CVE:: 2026-4331

Plugin:: Sina Extension for Elementor
Plugin Slug:: sina-extension-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.1
Severity Score:: Medium
CVE:: 2025-6229

Plugin:: Smart Custom Fields
Plugin Slug:: smart-custom-fields
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.7
Severity Score:: Medium
CVE:: 2026-4066

Plugin:: Quiz and Survey Master (QSM) � Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: SQL Injection
Patched in Version:: 11.0.0
Severity Score:: High
CVE:: 2026-2412

Plugin:: Mixed Media Gallery Blocks
Plugin Slug:: simply-gallery-block
Installations: 40,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.3.2.1
Severity Score:: Critical
CVE:: 2026-25345

Plugin:: Blackhole for Bad Bots
Plugin Slug:: blackhole-bad-bots
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.1
Severity Score:: High
CVE:: 2026-4329

Plugin:: LeadConnector
Plugin Slug:: leadconnector
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.22
Severity Score:: Medium
CVE:: 2026-1890

Plugin:: PPWP � Password Protect Pages
Plugin Slug:: password-protect-page
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.16
Severity Score:: Medium
CVE:: 2026-32562

Plugin:: WPGraphQL
Plugin Slug:: wp-graphql
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.10
Severity Score:: Medium
CVE:: 2026-33290

Plugin:: WP Lightbox 2
Plugin Slug:: wp-lightbox-2
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.7
Severity Score:: Medium
CVE:: 2026-1430

Plugin:: Fluent Booking � The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution
Plugin Slug:: fluent-booking
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.05
Severity Score:: High
CVE:: 2026-2231

Plugin:: Ibtana � WordPress Website Builder
Plugin Slug:: ibtana-visual-editor
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.5.8
Severity Score:: Medium
CVE:: 2026-1834

Plugin:: Quads Ads Manager for Google AdSense
Plugin Slug:: quick-adsense-reloaded
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.99
Severity Score:: Medium
CVE:: 2026-2595

Plugin:: Twentig Supercharged Block Editor � Blocks, Patterns, Starter Sites, Portfolio
Plugin Slug:: twentig
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0
Severity Score:: Medium
CVE:: 2026-2602

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.9
Severity Score:: High
CVE:: 2026-32485

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.28.32
Severity Score:: High
CVE:: 2026-3328

Plugin:: Kali Forms � Contact Form & Drag-and-Drop Builder
Plugin Slug:: kali-forms
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.4.10
Severity Score:: Critical
CVE:: 2026-3584

Plugin:: King Addons for Elementor � 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder
Plugin Slug:: king-addons
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 51.1.51
Severity Score:: Medium
CVE:: 2025-13997

Plugin:: Lead Form Builder & Contact Form
Plugin Slug:: lead-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: High
CVE:: 2026-32532

Plugin:: Responsive Plus � Elementor Templates & Starter Sites
Plugin Slug:: responsive-add-ons
Installations: 10,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.4.3
Severity Score:: Medium
CVE:: 2025-15488

Plugin:: Five Star Restaurant Reservations � WordPress Booking Plugin
Plugin Slug:: restaurant-reservations
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.10
Severity Score:: Medium
CVE:: 2026-25327

Plugin:: Review Schema � Review & Structure Data Schema Plugin
Plugin Slug:: review-schema
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2026-25344

Plugin:: WP DSGVO Tools (GDPR)
Plugin Slug:: shapepress-dsgvo
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.39
Severity Score:: Critical
CVE:: 2026-4283

Plugin:: Team � Team Members Showcase Plugin
Plugin Slug:: tlp-team
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.12
Severity Score:: High
CVE:: 2026-25026

Plugin:: weForms � Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.27
Severity Score:: High
CVE:: 2026-32484

Plugin:: WP REST Cache
Plugin Slug:: wp-rest-cache
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2026.1.1
Severity Score:: High
CVE:: 2026-25347

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2026-32567

Plugin:: Contact Form Email
Plugin Slug:: contact-form-to-email
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.64
Severity Score:: Medium
CVE:: 2026-32483

Plugin:: ReviewX � Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-10734

Plugin:: ReviewX � Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.3.0
Severity Score:: High
CVE:: 2025-10679

Plugin:: ReviewX � Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-10731

Plugin:: ReviewX � Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.12
Severity Score:: Medium
CVE:: 2025-10736

Plugin:: WP Job Portal � AI-Powered Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 8,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.5.0
Severity Score:: High
CVE:: 2026-4758

Plugin:: WP Job Portal � AI-Powered Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.4.9
Severity Score:: Critical
CVE:: 2026-4306

Plugin:: WP TripAdvisor Review Slider
Plugin Slug:: wp-tripadvisor-review-slider
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.2
Severity Score:: Medium
CVE:: 2026-32490

Plugin:: JS Help Desk � AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.0.5
Severity Score:: Critical
CVE:: 2026-2511

Plugin:: JS Help Desk � AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.0.4
Severity Score:: Medium
CVE:: 2026-32535

Plugin:: WP Review Slider
Plugin Slug:: wp-facebook-reviews
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.0
Severity Score:: Medium
CVE:: 2026-32491

Plugin:: OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)
Plugin Slug:: oopspam-anti-spam
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.63
Severity Score:: High
CVE:: 2026-32544

Plugin:: PeproDev Ultimate Invoice
Plugin Slug:: pepro-ultimate-invoice
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.6
Severity Score:: Medium
CVE:: 2026-2343

Plugin:: ProfileGrid � User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.8.2
Severity Score:: Medium
CVE:: 2026-25417

Plugin:: Nelio A/B Testing � AB Tests and Heatmaps for Better Conversion Optimization
Plugin Slug:: nelio-ab-testing
Installations: 5,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 8.2.8
Severity Score:: Critical
CVE:: 2026-32573

Plugin:: User Verification by PickPlugins
Plugin Slug:: user-verification
Installations: 5,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.0.46
Severity Score:: Medium
CVE:: 2026-32497

Plugin:: Masteriyo LMS � Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.1.7
Severity Score:: High
CVE:: 2026-4484

Plugin:: RSFirewall!
Plugin Slug:: rsfirewall
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.46
Severity Score:: High
CVE:: 2026-25341

Plugin:: Shared Files � Frontend File Upload Form & Secure File Sharing
Plugin Slug:: shared-files
Installations: 4,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.7.58
Severity Score:: Medium
CVE:: 2025-15433

Plugin:: WP Telegram Widget and Join Link
Plugin Slug:: wptelegram-widget
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.14
Severity Score:: High
CVE:: 2026-23807

Plugin:: ElementInvader Addons for Elementor
Plugin Slug:: elementinvader-addons-for-elementor
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2026-25007

Plugin:: KiviCare � Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: High
CVE:: 2026-25383

Plugin:: KiviCare � Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2026-25034

Plugin:: Simple Download Counter
Plugin Slug:: simple-download-counter
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.1
Severity Score:: Medium
CVE:: 2026-4278

Plugin:: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Plugin Slug:: booking-and-rental-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2026-23972

Plugin:: Contest Gallery � Upload & Vote Photos, Media, Sell with PayPal & Stripe
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 28.1.6
Severity Score:: High
CVE:: 2026-4021

Plugin:: Contest Gallery � Upload & Vote Photos, Media, Sell with PayPal & Stripe
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 28.1.3
Severity Score:: Critical
CVE:: 2026-25035

Plugin:: Injection Guard
Plugin Slug:: injection-guard
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: High
CVE:: 2026-3368

Plugin:: WowOptin: Next-Gen Popup Maker � Create Stunning Popups and Optins for Lead Generation
Plugin Slug:: optin
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.4.30
Severity Score:: High
CVE:: 2026-4302

Plugin:: bBlocks � Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.30
Severity Score:: Medium
CVE:: 2026-32489

Plugin:: The Ultimate WordPress Toolkit � WP Extended
Plugin Slug:: wpextended
Installations: 700+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.2.5
Severity Score:: High
CVE:: 2026-4314

Plugin:: Truebooker � Appointment Booking and Scheduler System
Plugin Slug:: truebooker-appointment-booking
Installations: 600+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2026-1797

Plugin:: VikRestaurants Table Reservations and Take-Away
Plugin Slug:: vikrestaurants
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: High
CVE:: 2026-25025

Plugin:: WP Courses LMS � Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.27
Severity Score:: Medium
CVE:: 2026-31914

Plugin:: Vertex Addons for Elementor
Plugin Slug:: addons-for-elementor-builder
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.0
Severity Score:: Medium
CVE:: 2026-25398

Plugin:: FormLift for Infusionsoft Web Forms
Plugin Slug:: formlift
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 7.5.22
Severity Score:: Medium
CVE:: 2026-4281

Plugin:: Helpdesk Support Ticket System for WooCommerce
Plugin Slug:: support-ticket-system-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-23977

Plugin:: Contact Manager
Plugin Slug:: contact-manager
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: High
CVE:: 2026-32517

Plugin:: DSGVO snippet for Leaflet Map and its Extensions
Plugin Slug:: dsgvo-leaflet-map
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4
Severity Score:: Medium
CVE:: 2026-4389

Plugin:: Video & Photo Gallery for Ultimate Member
Plugin Slug:: gallery-for-ultimate-member
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.2
Severity Score:: High
CVE:: 2024-12162

Plugin:: Product File Upload for WooCommerce
Plugin Slug:: products-file-upload-for-woocommerce
Installations: 100+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2026-25328

Plugin:: Filestack WP Upload
Plugin Slug:: filestack-upload
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2024-11462

Plugin:: Debugger & Troubleshooter
Plugin Slug:: debugger-troubleshooter
Installations: 40+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.4.0
Severity Score:: Critical
CVE:: 2026-5130

Plugin:: BWL Advanced FAQ Manager Lite
Plugin Slug:: bwl-advanced-faq-manager-lite
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.2
Severity Score:: Medium
CVE:: 2026-4075

Plugin:: QC SEO Help for llms.txt, AI Analytics, AI Content Writer, Subtitle to Article
Plugin Slug:: seo-help
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.4
Severity Score:: High
CVE:: 2024-12156

Plugin:: FloristPress for Woo � Customize your eCommerce store for your Florist
Plugin Slug:: bakkbone-florist-companion
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.8.3
Severity Score:: High
CVE:: 2026-1986