WordPress Vulnerability Report � December 10, 2025

In this report, 170 vulnerabilities have been publicly disclosed. Security patches for 79 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 91 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins � 77 Patched / 91 Unpatched

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63077

Plugin:: Yandex.Metrica
Plugin Slug:: wp-yandex-metrika
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63063

Plugin:: WP Ultimate Review
Plugin Slug:: wp-ultimate-review
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63057

Plugin:: Contact Form by BestWebSoft � Advanced WP Contact Form Builder for WordPress
Plugin Slug:: contact-form-plugin
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63056

Plugin:: Master Addons For Elementor � White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63055

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63058

Plugin:: Xpro Addons � 140+ Widgets for Elementor
Plugin Slug:: xpro-elementor-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63044

Plugin:: Page View Count
Plugin Slug:: page-views-count
Installations: 20,000+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63034

Plugin:: Make Section & Column Clickable For Elementor
Plugin Slug:: make-section-column-clickable-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63033

Plugin:: Order Delivery Date for WooCommerce
Plugin Slug:: order-delivery-date-for-woocommerce
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63024

Plugin:: Xagio SEO � AI Powered SEO
Plugin Slug:: xagio-seo
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63025

Plugin:: Paysera Payment Gateway for WooCommerce
Plugin Slug:: woo-payment-gateway-paysera
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63015

Plugin:: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Plugin Slug:: erp
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63008

Plugin:: WP Google Analytics Events � No-Code Custom Event Tracking for Google Analytics
Plugin Slug:: wp-google-analytics-events
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63009

Plugin:: WP AI CoPilot � AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance
Plugin Slug:: ai-co-pilot-for-wp
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62994

Plugin:: WP AI CoPilot � AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance
Plugin Slug:: ai-co-pilot-for-wp
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62998

Plugin:: Arconix Shortcodes
Plugin Slug:: arconix-shortcodes
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13835

Plugin:: Custom Layouts � Post + Product grids made easy
Plugin Slug:: custom-layouts
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62996

Plugin:: MultiParcels Shipping For WooCommerce
Plugin Slug:: multiparcels-shipping-for-woocommerce
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62995

Plugin:: Shopping Cart & eCommerce Store
Plugin Slug:: wp-easycart
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62997

Plugin:: Ergonet Cache
Plugin Slug:: ergonet-varnish-cache
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62867

Plugin:: Eupago Gateway For Woocommerce
Plugin Slug:: eupago-gateway-for-woocommerce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62870

Plugin:: Social Photo Fetcher
Plugin Slug:: facebook-photo-fetcher
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62872

Plugin:: Gravitec.net � Web Push Notifications
Plugin Slug:: gravitec-net-web-push-notifications
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62869

Plugin:: Just TinyMCE Custom Styles
Plugin Slug:: just-tinymce-styles
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62871

Plugin:: Media Library Downloader
Plugin Slug:: media-library-downloader
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62734

Plugin:: Post Cloner
Plugin Slug:: post-cloner
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62865

Plugin:: WP Flashy Marketing Automation
Plugin Slug:: wp-flashy-marketing-automation
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62873

Plugin:: Add Custom Codes � Insert Header, Footer, Custom PHP Snippets, CSS, Javascript
Plugin Slug:: add-custom-codes
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62739

Plugin:: Feeds for TikTok � Display Video Feeds in Grid Layouts
Plugin Slug:: b-tiktok-feed
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66110

Plugin:: Custom Sidebars by ProteusThemes
Plugin Slug:: custom-sidebars-by-proteusthemes
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62733

Plugin:: Formstack Online Forms
Plugin Slug:: formstack
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62738

Plugin:: Image Cleanup
Plugin Slug:: image-cleanup
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62736

Plugin:: Image Cleanup
Plugin Slug:: image-cleanup
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62737

Plugin:: SMTP Mail
Plugin Slug:: smtp-mail
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62762

Plugin:: User Spam Remover
Plugin Slug:: user-spam-remover
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62735

Plugin:: WP-CRM System � Manage Clients and Projects
Plugin Slug:: wp-crm-system
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62740

Plugin:: Gutenverse News � Advanced News Magazine Blog Gutenberg Blocks Addons
Plugin Slug:: gutenverse-news
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62090

Plugin:: Generic Elements
Plugin Slug:: generic-elements-for-elementor
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62082

Plugin:: g-FFL Cockpit
Plugin Slug:: g-ffl-cockpit
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12720

Plugin:: Search, Filters & Merchandising for WooCommerce
Plugin Slug:: instantsearch-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12091

Plugin:: Torod � The smart shipping and delivery portal for e-shops and retailers
Plugin Slug:: torod
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12373

Plugin:: Actionwear products sync
Plugin Slug:: actionwear-products-sync
Installations: 60+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49350

Plugin:: Flex QR Code Generator
Plugin Slug:: flex-qr-code-generator
Installations: 50+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12673

Plugin:: Hype
Plugin Slug:: pico
Installations: 50+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49348

Plugin:: Application Passwords
Plugin Slug:: application-passwords
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13308

Plugin:: ARK Related Posts
Plugin Slug:: ark-relatedpost
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13684

Plugin:: Broken Link Manager
Plugin Slug:: broken-link-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12629

Plugin:: Canadian Nutrition Facts Label
Plugin Slug:: canadian-nutrition-facts-label
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12715

Plugin:: Clikstats
Plugin Slug:: clikstats
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13513

Plugin:: Hello Accessibility � Easy One-Click Accessibility Toolbar That Truly Matters
Plugin Slug:: codeconfig-accessibility
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13358

Plugin:: CryptX
Plugin Slug:: cryptx
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13739

Plugin:: CSS3 Buttons
Plugin Slug:: css3-buttons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13907

Plugin:: CSV Sumotto
Plugin Slug:: csv-sumotto
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13894

Plugin:: Cute News Ticker
Plugin Slug:: cute-news-ticker
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13656

Plugin:: DB Access
Plugin Slug:: db-access
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13000

Plugin:: dream gallery
Plugin Slug:: dream-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13621

Plugin:: Extra Post Images
Plugin Slug:: extra-post-images
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13856

Plugin:: FitVids for WordPress
Plugin Slug:: fitvids-for-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12124

Plugin:: Helloprint
Plugin Slug:: helloprint
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13666

Plugin:: Jabbernotification
Plugin Slug:: jabberbenachrichtigung
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13622

Plugin:: List Attachments Shortcode
Plugin Slug:: list-attachments-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12717

Plugin:: Listar � Directory Listing & Classifieds
Plugin Slug:: listar-directory-listing
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12574

Plugin:: Listar � Directory Listing & Classifieds
Plugin Slug:: listar-directory-listing
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12577

Plugin:: Live CSS Preview
Plugin Slug:: live-css-preview
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12354

Plugin:: myLCO
Plugin Slug:: mylco
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13626

Plugin:: Nouri.sh Newsletter
Plugin Slug:: newsletters-from-rss-to-email-newsletters-using-nourish
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13515

Plugin:: Payaza
Plugin Slug:: payaza
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12355

Plugin:: Post Grid and Gutenberg Blocks
Plugin Slug:: post-grid
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63043

Plugin:: PostGallery
Plugin Slug:: postgallery
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13543

Plugin:: Projectopia
Plugin Slug:: projectopia-core
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-59133

Plugin:: Projectopia
Plugin Slug:: projectopia-core
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12876

Plugin:: RevInsite
Plugin Slug:: revinsite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13863

Plugin:: Social Feed Gallery Portfolio
Plugin Slug:: social-feed-gallery-portfolio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13896

Plugin:: WordPress eCommerce Plugin � Studiocart
Plugin Slug:: studiocart
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-14015

Plugin:: Thai Lottery Widget
Plugin Slug:: thai-lottery-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13678

Plugin:: Time Sheets
Plugin Slug:: time-sheets
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2013-6880

Plugin:: Time Sheets
Plugin Slug:: time-sheets
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10055

Plugin:: TR Timthumb
Plugin Slug:: tr-timthumb
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13899

Plugin:: Trail Manager
Plugin Slug:: trail-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13682

Plugin:: Twitscription
Plugin Slug:: twitscription
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13623

Plugin:: Ultra Skype Button
Plugin Slug:: ultra-skype-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13898

Plugin:: User Generator and Importer
Plugin Slug:: user-importer-and-generator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12879

Plugin:: User Verification
Plugin Slug:: user-verification
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12374

Plugin:: Voidek Employee Portal
Plugin Slug:: voidek-employee-portal
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12093

Plugin:: WebP Express
Plugin Slug:: webp-express
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11379

Plugin:: Weekly Planner
Plugin Slug:: weekly-planner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12186

Plugin:: Live Sales Notification for Woocommerce – Woomotiv
Plugin Slug:: woomotiv
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13137

Plugin:: WP Landing Page
Plugin Slug:: wp-landing-page
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13629

Plugin:: WP-SOS-Donate
Plugin Slug:: wp-sos-donate
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13625

Plugin:: Yet Another WebClap for WordPress
Plugin Slug:: yet-another-webclap-for-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13857

Plugin:: Starter Templates � AI-Powered Templates for Elementor & Gutenberg
Plugin Slug:: astra-sites
Installations: 2,000,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.4.42
Severity Score:: Critical
CVE:: 2025-13065

Plugin:: Custom Post Type UI
Plugin Slug:: custom-post-type-ui
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.18.1
Severity Score:: Medium
CVE:: 2025-12826

Plugin:: Autoptimize
Plugin Slug:: autoptimize
Installations: 900,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2025-13401

Plugin:: Widgets for Google Reviews
Plugin Slug:: wp-reviews-plugin-for-google
Installations: 800,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 13.2.5
Severity Score:: High
CVE:: 2025-12510

Plugin:: Fluent Forms � Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 600,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 6.1.8
Severity Score:: Medium
CVE:: 2025-13748

Plugin:: Post SMTP � Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2025-67563

Plugin:: Post SMTP � Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2025-12887

Plugin:: PDF Invoices & Packing Slips for WooCommerce
Plugin Slug:: woocommerce-pdf-invoices-packing-slips
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2025-67589

Plugin:: SureMail � SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers
Plugin Slug:: suremails
Installations: 200,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.9.1
Severity Score:: Critical
CVE:: 2025-13516

Plugin:: Advanced Custom Fields: Extended
Plugin Slug:: acf-extended
Installations: 100,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 0.9.2
Severity Score:: Critical
CVE:: 2025-13486

Plugin:: Backup Migration
Plugin Slug:: backup-backup
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.0
Severity Score:: High
CVE:: 2025-12394

Plugin:: Beaver Builder Page Builder � Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.1
Severity Score:: Medium
CVE:: 2025-12782

Plugin:: Beaver Builder Page Builder � Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.1
Severity Score:: Medium
CVE:: 2025-11726

Plugin:: Kadence WooCommerce Email Designer
Plugin Slug:: kadence-woocommerce-email-designer
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.18
Severity Score:: High
CVE:: 2025-13387

Plugin:: Image Gallery � Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.13.3
Severity Score:: Medium
CVE:: 2025-13646

Plugin:: Image Gallery � Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.13.3
Severity Score:: Medium
CVE:: 2025-13645

Plugin:: Rich Shortcodes for Google Reviews
Plugin Slug:: widget-google-reviews
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.8.1
Severity Score:: High
CVE:: 2025-12499

Plugin:: HUSKY � Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.7.3
Severity Score:: Medium
CVE:: 2025-13109

Plugin:: 10Web Booster � Website speed optimization, Cache & Page Speed optimizer
Plugin Slug:: tenweb-speed-optimizer
Installations: 90,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.32.11
Severity Score:: Critical
CVE:: 2025-13377

Plugin:: WP 2FA � Two-factor authentication for WordPress
Plugin Slug:: wp-2fa
Installations: 90,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2025-12628

Plugin:: ShopEngine Elementor WooCommerce Builder Addon � All in One WooCommerce Solution
Plugin Slug:: shopengine
Installations: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.8.6
Severity Score:: Medium
CVE:: 2025-12358

Plugin:: Wp Social Login and Register Social Counter
Plugin Slug:: wp-social
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2025-13620

Plugin:: Tag, Category, and Taxonomy Manager � AI Autotagger with OpenAI
Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.41.0
Severity Score:: Medium
CVE:: 2025-13354

Plugin:: Tag, Category, and Taxonomy Manager � AI Autotagger with OpenAI
Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.41.0
Severity Score:: High
CVE:: 2025-13359

Plugin:: FunnelKit � Funnel Builder for WooCommerce Checkout
Plugin Slug:: funnel-builder
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.13.1.3
Severity Score:: Medium
CVE:: 2025-66067

Plugin:: Cost Calculator Builder
Plugin Slug:: cost-calculator-builder
Installations: 30,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.6.4
Severity Score:: High
CVE:: 2025-12529

Plugin:: Envo Extra
Plugin Slug:: envo-extra
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.12
Severity Score:: Medium
CVE:: 2025-66066

Plugin:: Timetable and Event Schedule by MotoPress
Plugin Slug:: mp-timetable
Installations: 30,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.4.16
Severity Score:: Medium
CVE:: 2025-12954

Plugin:: WP Social Ninja � Embed Social Feeds, User Reviews & Chat Widgets
Plugin Slug:: wp-social-reviews
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: High
CVE:: 2025-13007

Plugin:: All-in-One Video Gallery
Plugin Slug:: all-in-one-video-gallery
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.6.4
Severity Score:: Critical
CVE:: 2025-12966

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.7.0.83
Severity Score:: Medium
CVE:: 2025-67595

Plugin:: Thim Kit for Elementor � Pre-built Templates & Widgets for Elementor
Plugin Slug:: thim-elementor-kit
Installations: 20,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.4
Severity Score:: Medium
CVE:: 2025-67594

Plugin:: Visualizer: Tables and Charts Manager for WordPress
Plugin Slug:: visualizer
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.11.13
Severity Score:: High
CVE:: 2025-12483

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.28.21
Severity Score:: Critical
CVE:: 2025-13342

Plugin:: BlockArt Blocks � Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Plugin Slug:: blockart-blocks
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.14
Severity Score:: Medium
CVE:: 2025-13697

Plugin:: Business Directory Plugin � Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.4.20
Severity Score:: Medium
CVE:: 2025-67596

Plugin:: Nexter Extension � Site Enhancements Toolkit
Plugin Slug:: nexter-extension
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.2
Severity Score:: Medium
CVE:: 2025-13731

Plugin:: Export All Posts, Products, Orders, Refunds & Users
Plugin Slug:: wp-ultimate-exporter
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.20
Severity Score:: Medium
CVE:: 2025-13606

Plugin:: Tablesome Table � Contact Form DB � WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.35.1
Severity Score:: Medium
CVE:: 2025-66526

Plugin:: GSheetConnector For WPForms
Plugin Slug:: gsheetconnector-wpforms
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2025-67570

Plugin:: Event Booking Manager for WooCommerce
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.5
Severity Score:: Medium
CVE:: 2025-66083

Plugin:: weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
Plugin Slug:: wedocs
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.15
Severity Score:: Medium
CVE:: 2025-12505

Plugin:: WPKoi Templates for Elementor
Plugin Slug:: wpkoi-templates-for-elementor
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.5
Severity Score:: Medium
CVE:: 2025-64274

Plugin:: Chartify � WordPress Chart Plugin
Plugin Slug:: chart-builder
Installations: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.6.4
Severity Score:: Medium
CVE:: 2025-66529

Plugin:: SMS Alert Order Notifications � WooCommerce
Plugin Slug:: sms-alert
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.9
Severity Score:: Medium
CVE:: 2025-66086

Plugin:: VikRentCar Car Rental Management System
Plugin Slug:: vikrentcar
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.5
Severity Score:: High
CVE:: 2025-13724

Plugin:: WC Vendors � WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors
Plugin Slug:: wc-vendors
Installations: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.4.1
Severity Score:: Medium
CVE:: 2025-12130

Plugin:: Thank You Page Customizer for WooCommerce � Increase Your Sales
Plugin Slug:: woo-thank-you-page-customizer
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.9
Severity Score:: Medium
CVE:: 2025-66528

Plugin:: Salon Booking System � Free Version
Plugin Slug:: salon-booking-system
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 10.30.4
Severity Score:: Medium
CVE:: 2025-66531

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.4.5
Severity Score:: Critical
CVE:: 2025-13390

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.7
Severity Score:: High
CVE:: 2025-13090

Plugin:: Advanced FAQ Manager
Plugin Slug:: advanced-faq-manager
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-67556

Plugin:: Auto Alt Text
Plugin Slug:: auto-alt-text
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.5.3
Severity Score:: Medium
CVE:: 2025-62866

Plugin:: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Plugin Slug:: cf7-salesforce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.7
Severity Score:: Medium
CVE:: 2025-67468

Plugin:: CSSIgniter Shortcodes
Plugin Slug:: cssigniter-shortcodes
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2025-13448

Plugin:: FluentCart A New Era of eCommerce � Faster, Lighter, and Simpler
Plugin Slug:: fluent-cart
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.2
Severity Score:: High
CVE:: 2025-13495

Plugin:: Photo Gallery by Ays � Responsive Image Gallery
Plugin Slug:: gallery-photo-gallery
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.4.9
Severity Score:: Medium
CVE:: 2025-13685

Plugin:: PDF Thumbnail Generator
Plugin Slug:: pdf-thumbnail-generator
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5
Severity Score:: Medium
CVE:: 2025-67469

Plugin:: Portfolio and Projects
Plugin Slug:: portfolio-and-projects
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.5.6
Severity Score:: Medium
CVE:: 2025-67470

Plugin:: Tableberg � Simple Gutenberg Table Block
Plugin Slug:: tableberg
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.6.10
Severity Score:: Medium
CVE:: 2025-66096

Plugin:: Email Marketing Plugin � WP Email Capture
Plugin Slug:: wp-email-capture
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.5
Severity Score:: Medium
CVE:: 2025-67578

Plugin:: Constant Contact + WooCommerce
Plugin Slug:: constant-contact-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2025-67580

Plugin:: MxChat � AI Chatbot for WordPress
Plugin Slug:: mxchat-basic
Installations: 900+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.5.6
Severity Score:: Medium
CVE:: 2025-12585

Plugin:: My Tickets � Accessible Event Ticketing
Plugin Slug:: my-tickets
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2025-64257

Plugin:: My auctions allegro
Plugin Slug:: my-auctions-allegro-free-edition
Installations: 600+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.6.33
Severity Score:: High
CVE:: 2025-12851

Plugin:: My auctions allegro
Plugin Slug:: my-auctions-allegro-free-edition
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.33
Severity Score:: Critical
CVE:: 2025-12850

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.3
Severity Score:: High
CVE:: 2025-13534

Plugin:: Guest posting / Frontend Posting / Front Editor � WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Open Redirection
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2025-12569