WordPress Vulnerability Report � April 22, 2026

In this report, 216 vulnerabilities have been publicly disclosed. Security patches for 187 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 29 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress 7.0 Release Candidate 2 (RC2) is now ready for testing via the Beta Tester plugin, direct download, WP-CLI, or WordPress Playground. As a pre-release version, it should only be evaluated in staging or local environments.

WordPress Plugins � 159 Patched / 28 Unpatched

Plugin:: Pz-LinkCard
Plugin Slug:: pz-linkcard
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2434

Plugin:: WCFM Marketplace � Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-63029

Plugin:: Smart Online Order for Clover
Plugin Slug:: clover-online-orders
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15635

Plugin:: Accept Cryptocurrencies with Plisio
Plugin Slug:: plisio-payment-gateway-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-6372

Plugin:: Quick Interest Slider
Plugin Slug:: quick-interest-slider
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-5694

Plugin:: Livemesh Addons for Elementor
Plugin Slug:: addons-for-elementor
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1620

Plugin:: Livemesh Addons for Elementor
Plugin Slug:: addons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1572

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-6441

Plugin:: CMS f�r Motorrad Werkst�tten
Plugin Slug:: cms-fuer-motorrad-werkstaetten
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-6451

Plugin:: Coachific Shortcode
Plugin Slug:: coachific-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4005

Plugin:: Custom New User Notification
Plugin Slug:: custom-new-user-notification
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3551

Plugin:: e-shot
Plugin Slug:: e-shot-form-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3642

Plugin:: Inquiry form to posts or pages
Plugin Slug:: inquiry-form-to-posts-or-pages
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-6293

Plugin:: Katalogportal-pdf-sync Widget
Plugin Slug:: katalogportal-pdf-sync
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3649

Plugin:: Login as User
Plugin Slug:: one-click-login-as-user
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-5617

Plugin:: Accessibility Suite
Plugin Slug:: online-accessibility
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3773

Plugin:: OPEN-BRAIN
Plugin Slug:: open-brain
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3995

Plugin:: OPEN-BRAIN
Plugin Slug:: open-brain
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4091

Plugin:: Accessibly – WordPress Website Accessibility
Plugin Slug:: otm-accessibly
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3643

Plugin:: Petje.af
Plugin Slug:: petje-af
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4002

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3599

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3595

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3596

Plugin:: VI: Include Post By
Plugin Slug:: vi-include-post-by
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5717

Plugin:: Visa Acceptance Solutions
Plugin Slug:: visa-acceptance-solutions
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3461

Plugin:: WM JqMath
Plugin Slug:: wm-jqmath
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3998

Plugin:: WP Circliful
Plugin Slug:: wp-circliful
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3659

Plugin:: Power Charts
Plugin Slug:: wpgo-power-charts-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4011

Plugin:: Advanced Custom Fields (ACF�)
Plugin Slug:: advanced-custom-fields
Installations: 2,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.7.1
Severity Score:: Medium
CVE:: 2026-4812

Plugin:: ManageWP Worker
Plugin Slug:: worker
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.32
Severity Score:: High
CVE:: 2026-39463

Plugin:: Fluent Forms � Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 700,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.2.0
Severity Score:: Medium
CVE:: 2026-4160

Plugin:: Royal Addons for Elementor � Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1057
Severity Score:: Medium
CVE:: 2026-5162

Plugin:: WP Statistics � Simple, privacy-friendly Google Analytics alternative
Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 14.16.5
Severity Score:: Medium
CVE:: 2026-3488

Plugin:: WP Statistics � Simple, privacy-friendly Google Analytics alternative
Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.16.5
Severity Score:: High
CVE:: 2026-5231

Plugin:: BackWPup � WordPress Backup & Restore Plugin
Plugin Slug:: backwpup
Installations: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.6.7
Severity Score:: High
CVE:: 2026-6227

Plugin:: Meta Box
Plugin Slug:: meta-box
Installations: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.11.2
Severity Score:: Medium
CVE:: 2026-39468

Plugin:: Slider, Gallery, and Carousel by MetaSlider � Image Slider, Video Slider
Plugin Slug:: ml-slider
Installations: 500,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.107.0
Severity Score:: High
CVE:: 2026-39467

Plugin:: Slider, Gallery, and Carousel by MetaSlider � Image Slider, Video Slider
Plugin Slug:: ml-slider
Installations: 500,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.107.0
Severity Score:: Critical
CVE:: 2026-39465

Plugin:: WP Shortcodes Plugin � Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.5.0
Severity Score:: Medium
CVE:: 2026-3885

Plugin:: Page Builder Gutenberg Blocks � CoBlocks
Plugin Slug:: coblocks
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.17
Severity Score:: Medium
CVE:: 2026-4801

Plugin:: ShortPixel Image Optimizer � Optimize Images, Convert WebP & AVIF
Plugin Slug:: shortpixel-image-optimiser
Installations: 300,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.4.4
Severity Score:: High
CVE:: 2026-39471

Plugin:: Unlimited Elements For Elementor
Plugin Slug:: unlimited-elements-for-elementor
Installations: 300,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.0.7
Severity Score:: High
CVE:: 2026-4659

Plugin:: PDF Invoices & Packing Slips for WooCommerce
Plugin Slug:: woocommerce-pdf-invoices-packing-slips
Installations: 300,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.9.0
Severity Score:: High
CVE:: 2026-39472

Plugin:: CMP � Coming Soon & Maintenance Plugin by NiteoThemes
Plugin Slug:: cmp-coming-soon-maintenance
Installations: 200,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.1.17
Severity Score:: High
CVE:: 2026-6518

Plugin:: Optimole � Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.3
Severity Score:: High
CVE:: 2026-5217

Plugin:: Optimole � Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.4
Severity Score:: High
CVE:: 2026-5226

Plugin:: Post Duplicator
Plugin Slug:: post-duplicator
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.11
Severity Score:: High
CVE:: 2026-39474

Plugin:: JetBackup � Backup, Restore & Migrate
Plugin Slug:: backup
Installations: 100,000+
Vulnerability:: Path Traversal
Patched in Version:: 3.1.20.3
Severity Score:: Medium
CVE:: 2026-4853

Plugin:: Everest Forms � Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: Directory Traversal
Patched in Version:: 3.4.5
Severity Score:: High
CVE:: 2026-5478

Plugin:: Anti-Malware Security and Brute-Force Firewall
Plugin Slug:: gotmls
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.23.88
Severity Score:: High
CVE:: 2026-39478

Plugin:: Kubio AI Page Builder
Plugin Slug:: kubio
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.3
Severity Score:: Medium
CVE:: 2026-5427

Plugin:: LatePoint � Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.4.0
Severity Score:: Medium
CVE:: 2026-5234

Plugin:: Modula Image Gallery � Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.14.19
Severity Score:: High
CVE:: 2026-39481

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-40743

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.9.9
Severity Score:: High
CVE:: 2026-6080

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.9
Severity Score:: Medium
CVE:: 2026-5502

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.16.13
Severity Score:: Medium
CVE:: 2026-4949

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 5.1.10
Severity Score:: Medium
CVE:: 2026-39489

Plugin:: Email Encoder � Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.4
Severity Score:: Medium
CVE:: 2024-7083

Plugin:: Email Encoder � Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.5
Severity Score:: Medium
CVE:: 2026-2840

Plugin:: ShopLentor � All-in-One WooCommerce Growth & Store Enhancement Plugin
Plugin Slug:: woolentor-addons
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.6
Severity Score:: Medium
CVE:: 2026-4059

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.102.0
Severity Score:: High
CVE:: 2026-3355

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Broken Authentication
Patched in Version:: 5.104.0
Severity Score:: Medium
CVE:: 2026-4664

Plugin:: 3D FlipBook � PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Plugin Slug:: interactive-3d-flipbook-powered-physics-engine
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.16.18
Severity Score:: Medium
CVE:: 2026-1314

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.14.2
Severity Score:: High
CVE:: 2026-39490

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.14.2
Severity Score:: Medium
CVE:: 2026-39491

Plugin:: LearnPress � WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Critical
CVE:: 2026-4365

Plugin:: OneSignal � Web Push Notifications
Plugin Slug:: onesignal-free-web-push-notifications
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.1
Severity Score:: Low
CVE:: 2026-3155

Plugin:: Germanized for WooCommerce
Plugin Slug:: woocommerce-germanized
Installations: 70,000+
Vulnerability:: Content Injection
Patched in Version:: 3.20.6
Severity Score:: Medium
CVE:: 2026-2582

Plugin:: wpDataTables � WordPress Data Table, Dynamic Tables & Table Charts Plugin
Plugin Slug:: wpdatatables
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.0.5
Severity Score:: Medium
CVE:: 2026-5721

Plugin:: Contextual Related Posts
Plugin Slug:: contextual-related-posts
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2026-2986

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.9.7
Severity Score:: High
CVE:: 2026-5718

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.3.9.7
Severity Score:: High
CVE:: 2026-5710

Plugin:: User Registration & Membership � Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Open Redirection
Patched in Version:: 5.1.5
Severity Score:: Medium
CVE:: 2026-6203

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-3830

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-39494

Plugin:: WP Maps � Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.8
Severity Score:: Medium
CVE:: 2025-13364

Plugin:: Advanced Product Fields (Product Addons) for WooCommerce
Plugin Slug:: advanced-product-fields-for-woocommerce
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.20
Severity Score:: High
CVE:: 2026-39499

Plugin:: Categories Images
Plugin Slug:: categories-images
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.2
Severity Score:: Medium
CVE:: 2026-2505

Plugin:: Better Find and Replace � AI-Powered Suggestions
Plugin Slug:: real-time-auto-find-and-replace
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.0
Severity Score:: Medium
CVE:: 2026-3369

Plugin:: YayMail � WooCommerce Email Customizer
Plugin Slug:: yaymail
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.3.4
Severity Score:: High
CVE:: 2026-39498

Plugin:: BetterDocs � Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
Plugin Slug:: betterdocs
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.9
Severity Score:: Medium
CVE:: 2026-3875

Plugin:: Easy Digital Downloads � eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.6
Severity Score:: High
CVE:: 2026-39503

Plugin:: Quiz and Survey Master (QSM) � Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Content Injection
Patched in Version:: 11.1.1
Severity Score:: Medium
CVE:: 2026-5797

Plugin:: Post Grid Gutenberg Blocks for News, Magazines, Blog Websites � PostX
Plugin Slug:: ultimate-post
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.6
Severity Score:: Medium
CVE:: 2026-0718

Plugin:: Form Maker by 10Web � Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.41
Severity Score:: High
CVE:: 2026-3330

Plugin:: Form Maker by 10Web � Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.41
Severity Score:: High
CVE:: 2026-4388

Plugin:: Form Maker by 10Web � Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.38
Severity Score:: Critical
CVE:: 2025-15441

Plugin:: Website LLMs.txt
Plugin Slug:: website-llms-txt
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.7
Severity Score:: Medium
CVE:: 2026-6712

Plugin:: Website LLMs.txt
Plugin Slug:: website-llms-txt
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.7
Severity Score:: Medium
CVE:: 2026-6711

Plugin:: WP YouTube Lyte
Plugin Slug:: wp-youtube-lyte
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.30
Severity Score:: Medium
CVE:: 2026-3299

Plugin:: Social Slider Feed
Plugin Slug:: instagram-slider-widget
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.3
Severity Score:: High
CVE:: 2026-39507

Plugin:: Smart Post Show � Post Grid, Post Carousel & Slider, and List Category Posts
Plugin Slug:: post-carousel
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.13
Severity Score:: High
CVE:: 2026-3017

Plugin:: UsersWP � Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.61
Severity Score:: Medium
CVE:: 2026-5742

Plugin:: Payment Gateway for Redsys & WooCommerce Lite
Plugin Slug:: woo-redsys-gateway-light
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.0.1
Severity Score:: High
CVE:: 2026-40741

Plugin:: Payment Gateway for Redsys & WooCommerce Lite
Plugin Slug:: woo-redsys-gateway-light
Installations: 20,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 7.0.1
Severity Score:: High
CVE:: 2026-5050

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Directory Traversal
Patched in Version:: 3.0.6
Severity Score:: High
CVE:: 2026-6248

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2026-4666

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.0.3
Severity Score:: High
CVE:: 2026-5809

Plugin:: WPZOOM Addons for Elementor � Starter Templates & Widgets
Plugin Slug:: wpzoom-elementor-addons
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: High
CVE:: 2026-39597

Plugin:: Content Blocks (Custom Post Widget)
Plugin Slug:: custom-post-widget
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2026-0894

Plugin:: WP Customer Area
Plugin Slug:: customer-area
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 8.3.5
Severity Score:: High
CVE:: 2026-3464

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-2262

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-39513

Plugin:: EMC � Easily Embed Calendly Scheduling
Plugin Slug:: embed-calendly-scheduling
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5
Severity Score:: Medium
CVE:: 2026-0868

Plugin:: GeoDirectory � WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.154
Severity Score:: Critical
CVE:: 2026-39512

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.7.26
Severity Score:: High
CVE:: 2026-4817

Plugin:: Paid Membership Subscriptions � Effortless Memberships, Recurring Payments & Content Restriction
Plugin Slug:: paid-member-subscriptions
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2026-39514

Plugin:: Royal WordPress Backup, Restore & Migration Plugin � Backup WordPress Sites Safely
Plugin Slug:: royal-backup-reset
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.17
Severity Score:: High
CVE:: 2026-4305

Plugin:: Eventin � Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.9
Severity Score:: Medium
CVE:: 2026-4109

Plugin:: WP Photo Album Plus
Plugin Slug:: wp-photo-album-plus
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.08.002
Severity Score:: Critical
CVE:: 2026-39511

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.0.26
Severity Score:: High
CVE:: 2025-14545

Plugin:: WCAPF � Ajax Product Filter for WooCommerce
Plugin Slug:: wc-ajax-product-filter
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.3.0
Severity Score:: Critical
CVE:: 2026-3396

Plugin:: AcyMailing � An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Plugin Slug:: acymailing
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.8.2
Severity Score:: High
CVE:: 2026-3614

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.3.0.1
Severity Score:: High
CVE:: 2026-39518

Plugin:: ActivityPub
Plugin Slug:: activitypub
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.0.2
Severity Score:: High
CVE:: 2026-4338

Plugin:: Nexi XPay
Plugin Slug:: cartasi-x-pay
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.3.2
Severity Score:: Medium
CVE:: 2025-15565

Plugin:: FluentBoards � Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
Plugin Slug:: fluent-boards
Installations: 6,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.91.3
Severity Score:: High
CVE:: 2026-40784

Plugin:: Youzify � BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Plugin Slug:: youzify
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2026-1559

Plugin:: Booking Activities
Plugin Slug:: booking-activities
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.17.0
Severity Score:: Medium
CVE:: 2026-39525

Plugin:: Notification for Telegram
Plugin Slug:: notification-for-telegram
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.1
Severity Score:: High
CVE:: 2026-40732

Plugin:: Responsive Blocks � Page Builder for Blocks & Patterns
Plugin Slug:: responsive-block-editor-addons
Installations: 4,000+
Vulnerability:: Open Redirection
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2026-6675

Plugin:: WpStream � Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.11.2
Severity Score:: Medium
CVE:: 2026-39527

Plugin:: Basic Google Maps Placemarks
Plugin Slug:: basic-google-maps-placemarks
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.10.8
Severity Score:: Medium
CVE:: 2026-3581

Plugin:: Events Calendar for GeoDirectory
Plugin Slug:: events-for-geodirectory
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.3.26
Severity Score:: High
CVE:: 2026-39532

Plugin:: Image Source Control Lite � Show Image Credits and Captions
Plugin Slug:: image-source-control-isc
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.2
Severity Score:: Medium
CVE:: 2026-4852

Plugin:: SpeakOut! Email Petitions
Plugin Slug:: speakout
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.6.5.1
Severity Score:: Critical
CVE:: 2026-39530

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.1
Severity Score:: Critical
CVE:: 2026-39531

Plugin:: Groundhogg � CRM, Newsletters, and Marketing Automation
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 4.4.1
Severity Score:: High
CVE:: 2026-40727

Plugin:: Prismatic
Plugin Slug:: prismatic
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.4
Severity Score:: High
CVE:: 2026-3876

Plugin:: Shipment Tracker for Woocommerce
Plugin Slug:: shipment-tracker-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3.3
Severity Score:: Medium
CVE:: 2026-39540

Plugin:: MyRewards
Plugin Slug:: woorewards
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.4
Severity Score:: Medium
CVE:: 2026-40786

Plugin:: Video Gallery � YouTube Gallery & Responsive Video Playlist
Plugin Slug:: youtube-showcase
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.2
Severity Score:: Medium
CVE:: 2025-15636

Plugin:: Barcode Scanner (+Mobile App) � Inventory manager, Order fulfillment system, POS (Point of Sale)
Plugin Slug:: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.12.0
Severity Score:: Critical
CVE:: 2026-4880

Plugin:: Mini Ajax Cart for WooCommerce
Plugin Slug:: mini-ajax-woo-cart
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2026-6370

Plugin:: WP Docs
Plugin Slug:: wp-docs
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2026-3878

Plugin:: DirectoryPress � Business Directory And Classified Ad Listing
Plugin Slug:: directorypress
Installations: 900+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.27
Severity Score:: Critical
CVE:: 2026-3489

Plugin:: InPost Gallery
Plugin Slug:: inpost-gallery
Installations: 800+
Vulnerability:: SQL Injection
Patched in Version:: 2.1.5
Severity Score:: Critical
CVE:: 2026-39574

Plugin:: bBlocks � Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 700+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.32
Severity Score:: High
CVE:: 2026-39579

Plugin:: WP Sessions Time Monitoring Full Automatic
Plugin Slug:: activitytime
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-39581

Plugin:: List View Google Calendar
Plugin Slug:: list-view-google-calendar
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.4
Severity Score:: Medium
CVE:: 2026-2396

Plugin:: Webling
Plugin Slug:: webling
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.1
Severity Score:: Medium
CVE:: 2026-1263

Plugin:: RepairBuddy � Repair Shop CRM & Booking Plugin for WordPress
Plugin Slug:: computer-repair-shop
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1133
Severity Score:: Medium
CVE:: 2026-39584

Plugin:: Flipbox Addon for Elementor
Plugin Slug:: ultimate-flipbox-addon-for-elementor
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2026-6048

Plugin:: BuddyPress Groupblog
Plugin Slug:: bp-groupblog
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.9.4
Severity Score:: High
CVE:: 2026-5144

Plugin:: Age Verification & Identity Verification by Token of Trust
Plugin Slug:: token-of-trust
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.32.4
Severity Score:: High
CVE:: 2026-2834

Plugin:: Ultra Addons for WPForms
Plugin Slug:: ultra-addons-for-wpforms
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.12
Severity Score:: Medium
CVE:: 2026-39594

Plugin:: Hostel
Plugin Slug:: hostel
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.7
Severity Score:: High
CVE:: 2026-1838

Plugin:: HAPPY � Helpdesk Support Ticket System
Plugin Slug:: happy-helpdesk-support-ticket-system
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.11
Severity Score:: Medium
CVE:: 2026-39593

Plugin:: Surbma | Booking.com Shortcode
Plugin Slug:: surbma-bookingcom-shortcode
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2026-1607

Plugin:: WholeSale Products Dynamic Pricing Management WooCommerce
Plugin Slug:: wholesale-products-dynamic-pricing-management-woocommerce
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4479

Plugin:: Academy LMS Pro
Plugin Slug:: academy-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2026-39598

Plugin:: Accordion and Accordion Slider
Plugin Slug:: accordion-and-accordion-slider
Vulnerability:: Backdoor
Patched in Version:: 1.4.6.1
Severity Score:: Critical

Plugin:: Album and Image Gallery plus Lightbox
Plugin Slug:: album-and-image-gallery-plus-lightbox
Vulnerability:: Backdoor
Patched in Version:: 2.1.8.1
Severity Score:: Critical

Plugin:: Blog Designer – Post and Widget
Plugin Slug:: blog-designer-for-post-and-widget
Vulnerability:: Backdoor
Patched in Version:: 2.7.7.1
Severity Score:: Critical

Plugin:: Career Section
Plugin Slug:: career-section
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.7
Severity Score:: High
CVE:: 2025-14868

Plugin:: Countdown Timer Ultimate
Plugin Slug:: countdown-timer-ultimate
Vulnerability:: Backdoor
Patched in Version:: 2.6.9.1
Severity Score:: Critical

Plugin:: Featured Post Creative
Plugin Slug:: featured-post-creative
Vulnerability:: Backdoor
Patched in Version:: 1.5.7.1
Severity Score:: Critical

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Content Injection
Patched in Version:: 3.15.2
Severity Score:: Medium
CVE:: 2026-1509

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.15.2
Severity Score:: Medium
CVE:: 2026-1541

Plugin:: Gravity SMTP
Plugin Slug:: gravitysmtp
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-4162

Plugin:: Video gallery and Player
Plugin Slug:: html5-videogallery-plus-player
Vulnerability:: Backdoor
Patched in Version:: 2.8.7.1
Severity Score:: Critical

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: SQL Injection
Patched in Version:: 3.8.6.2
Severity Score:: Critical
CVE:: 2026-4352

Plugin:: Client Portal (Pro)
Plugin Slug:: leco-client-portal
Vulnerability:: Arbitrary File Download
Patched in Version:: 5.6.3
Severity Score:: Medium
CVE:: 2026-40724

Plugin:: Meta slider and carousel with lightbox
Plugin Slug:: meta-slider-and-carousel-with-lightbox
Vulnerability:: Backdoor
Patched in Version:: 2.0.8.1
Severity Score:: Critical

Plugin:: MetForm Pro
Plugin Slug:: metform-pro
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-1782

Plugin:: Popup Anything
Plugin Slug:: popup-anything-on-click
Vulnerability:: Backdoor
Patched in Version:: 2.9.1.1
Severity Score:: Critical

Plugin:: Portfolio and Projects
Plugin Slug:: portfolio-and-projects
Vulnerability:: Backdoor
Patched in Version:: 1.5.6.1
Severity Score:: Critical

Plugin:: Post grid and filter ultimate
Plugin Slug:: post-grid-and-filter-ultimate
Vulnerability:: Backdoor
Patched in Version:: 1.7.4.1
Severity Score:: Critical

Plugin:: WP responsive FAQ with category
Plugin Slug:: sp-faq
Vulnerability:: Backdoor
Patched in Version:: 3.9.5.1
Severity Score:: Critical

Plugin:: WP News and Scrolling Widgets
Plugin Slug:: sp-news-and-widget
Vulnerability:: Backdoor
Patched in Version:: 5.0.6.1
Severity Score:: Critical

Plugin:: WowShipping Pro
Plugin Slug:: table-rate-shipping-pro
Vulnerability:: Backdoor
Patched in Version:: 1.0.8
Severity Score:: Critical

Plugin:: Post Ticker Ultimate
Plugin Slug:: ticker-ultimate
Vulnerability:: Backdoor
Patched in Version:: 1.7.6.1
Severity Score:: Critical

Plugin:: Timeline and History slider
Plugin Slug:: timeline-and-history-slider
Vulnerability:: Backdoor
Patched in Version:: 2.4.5.1
Severity Score:: Critical

Plugin:: User Registration Stripe
Plugin Slug:: user-registration-stripe
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.15
Severity Score:: High
CVE:: 2026-40726

Plugin:: Userpro
Plugin Slug:: userpro
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.1.11
Severity Score:: Medium
CVE:: 2025-53444

Plugin:: Product Pricing Table by WooBeWoo
Plugin Slug:: woo-product-pricing-tables
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.1
Severity Score:: High
CVE:: 2026-1852

Plugin:: WooCommerce Product Filters
Plugin Slug:: woocommerce-product-filters
Vulnerability:: PHP Object Injection
Patched in Version:: 2.0.6
Severity Score:: Critical
CVE:: 2026-40725

Plugin:: WP Blog and Widget
Plugin Slug:: wp-blog-and-widgets
Vulnerability:: Backdoor
Patched in Version:: 2.6.6.1
Severity Score:: Critical

Plugin:: WP Featured Content and Slider
Plugin Slug:: wp-featured-content-and-slider
Vulnerability:: Backdoor
Patched in Version:: 1.7.6.1
Severity Score:: Critical

Plugin:: WP Logo Showcase Responsive Slider and Carousel
Plugin Slug:: wp-logo-showcase-responsive-slider-slider
Vulnerability:: Backdoor
Patched in Version:: 3.8.7.1
Severity Score:: Critical

Plugin:: WP Responsive Recent Post Slider/Carousel
Plugin Slug:: wp-responsive-recent-post-slider
Vulnerability:: Backdoor
Patched in Version:: 3.7.1.1
Severity Score:: Critical

Plugin:: WP Slick Slider and Image Carousel
Plugin Slug:: wp-slick-slider-and-image-carousel
Vulnerability:: Backdoor
Patched in Version:: 3.7.8.2
Severity Score:: Critical

Plugin:: Team Slider and Team Grid Showcase plus Team Carousel
Plugin Slug:: wp-team-showcase-and-slider
Vulnerability:: Backdoor
Patched in Version:: 2.8.6.1
Severity Score:: Critical

Plugin:: Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
Plugin Slug:: wp-testimonial-with-widget
Vulnerability:: Backdoor
Patched in Version:: 3.5.6.1
Severity Score:: Critical