WordPress Vulnerability Report � December 17, 2025

In this report, 293 vulnerabilities have been publicly disclosed. Security patches for 158 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 135 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins � 141 Patched / 133 Unpatched

Plugin:: Health Check & Troubleshooting
Plugin Slug:: health-check
Installations: 300,000+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64253

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63058

Plugin:: Brevo for WooCommerce
Plugin Slug:: woocommerce-sendinblue-newsletter-subscription
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66128

Plugin:: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Plugin Slug:: directorist
Installations: 20,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64250

Plugin:: Page View Count
Plugin Slug:: page-views-count
Installations: 20,000+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63034

Plugin:: Pochipp
Plugin Slug:: pochipp
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66129

Plugin:: WCFM � Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug:: wc-frontend-manager
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-54004

Plugin:: WCFM Marketplace � Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64631

Plugin:: Business Directory Plugin � Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64630

Plugin:: Read More & Accordion
Plugin Slug:: expand-maker
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64247

Plugin:: Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Plugin Slug:: gdpr-cookie-consent
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66133

Plugin:: King Addons for Elementor � 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Plugin Slug:: king-addons
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7960

Plugin:: Protect WP Admin
Plugin Slug:: protect-wp-admin
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64249

Plugin:: WP User Manager � User Profile Builder & Membership
Plugin Slug:: wp-user-manager
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13320

Plugin:: Blaze Demo Importer
Plugin Slug:: blaze-demo-importer
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13334

Plugin:: Essential Real Estate
Plugin Slug:: essential-real-estate
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66127

Plugin:: Essential Real Estate
Plugin Slug:: essential-real-estate
Installations: 8,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68071

Plugin:: Easy Property Listings
Plugin Slug:: easy-property-listings
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64242

Plugin:: WP AI CoPilot � AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance
Plugin Slug:: ai-co-pilot-for-wp
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62998

Plugin:: Accessibility by AudioEye
Plugin Slug:: accessibility-by-audioeye
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64246

Plugin:: Eupago Gateway For Woocommerce
Plugin Slug:: eupago-gateway-for-woocommerce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62870

Plugin:: Social Photo Fetcher
Plugin Slug:: facebook-photo-fetcher
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62872

Plugin:: Freshchat
Plugin Slug:: freshchat
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64240

Plugin:: Import external attachments
Plugin Slug:: import-external-attachments
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64245

Plugin:: Just TinyMCE Custom Styles
Plugin Slug:: just-tinymce-styles
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62871

Plugin:: Meks Quick Plugin Disabler
Plugin Slug:: meks-quick-plugin-disabler
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68083

Plugin:: RTL Tester
Plugin Slug:: rtl-tester
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64239

Plugin:: Semrush Content Toolkit
Plugin Slug:: semrush-contentshake
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68082

Plugin:: Fix Media Library
Plugin Slug:: wow-media-library-fix
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66126

Plugin:: WP Coupons and Deals � Click to Copy Coupons
Plugin Slug:: wp-coupons-and-deals
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64241

Plugin:: WP Flashy Marketing Automation
Plugin Slug:: wp-flashy-marketing-automation
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62873

Plugin:: WP Views Counter
Plugin Slug:: wpecounter
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66130

Plugin:: Yaad Sarig Payment Gateway For WC
Plugin Slug:: yaad-sarig-payment-gateway-for-wc
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66131

Plugin:: Ultimate WordPress Auction Plugin
Plugin Slug:: ultimate-auction
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66125

Plugin:: Ultimate WordPress Auction Plugin
Plugin Slug:: ultimate-auction
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68084

Plugin:: Leaky Paywall
Plugin Slug:: leaky-paywall
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66124

Plugin:: Restrict Elementor Widgets, Columns and Sections
Plugin Slug:: restrict-elementor-widgets
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64244

Plugin:: Easy Notify Lite
Plugin Slug:: easy-notify-lite
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14446

Plugin:: FAPI Member
Plugin Slug:: fapi-member
Installations: 500+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66132

Plugin:: Accept Stripe Payments Using Contact Form 7
Plugin Slug:: accept-stripe-payments-using-contact-form-7
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12834

Plugin:: Product Filtering by Categories, Tags, Price Range for WooCommerce � Filter Plus
Plugin Slug:: filter-plus
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13314

Plugin:: Flex QR Code Generator
Plugin Slug:: flex-qr-code-generator
Installations: 40+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12673

Plugin:: Animated Pixel Marquee Creator
Plugin Slug:: animated-pixel-marquee-creator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14062

Plugin:: AnnunciFunebri Impresa
Plugin Slug:: annuncifunebri-onoranza
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14447

Plugin:: App Landing Template Blocks for WPBakery (Visual Composer) Page Builder
Plugin Slug:: app-template-blocks-for-wpbakery-page-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14119

Plugin:: Application Passwords
Plugin Slug:: application-passwords
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13308

Plugin:: Ayo Shortcodes
Plugin Slug:: ayo-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14143

Plugin:: Better Elementor Addons
Plugin Slug:: better-elementor-addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12830

Plugin:: Hide Email Address
Plugin Slug:: bg-hide-email-address
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13884

Plugin:: BMLT WordPress Plugin
Plugin Slug:: bmlt-wordpress-satellite-plugin
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14162

Plugin:: BUKAZU Search widget
Plugin Slug:: bukazu-search-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13840

Plugin:: Buttoner for Elementor
Plugin Slug:: buttoner-elementor
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68085

Plugin:: Campay Woocommerce Payment Gateway
Plugin Slug:: campay-api
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12883

Plugin:: Coder for Elementor
Plugin Slug:: coder-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66147

Plugin:: Coding Blocks
Plugin Slug:: coding-blocks
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14158

Plugin:: ?????
Plugin Slug:: comments-secretary
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13988

Plugin:: Contact Form 7 with ChatWork
Plugin Slug:: contact-form-7-with-chatwork
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13975

Plugin:: CountDown With Image or Video Background
Plugin Slug:: countdown_with_background
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68054

Plugin:: CSV Sumotto
Plugin Slug:: csv-sumotto
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13894

Plugin:: CSV to SortTable
Plugin Slug:: csv-to-sorttable
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13070

Plugin:: Custom Admin Menu
Plugin Slug:: custom-admin-menu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13071

Plugin:: Custom Frames
Plugin Slug:: custom-frames
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13705

Plugin:: Data Visualizer
Plugin Slug:: data-visualizer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13961

Plugin:: DebateMaster
Plugin Slug:: debatemaster
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14035

Plugin:: Devs CRM
Plugin Slug:: devs-crm
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13093

Plugin:: Devs CRM
Plugin Slug:: devs-crm
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13092

Plugin:: Directory Pro
Plugin Slug:: directory-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64243

Plugin:: Donation
Plugin Slug:: donation
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13001

Plugin:: Resource Library for Logged In Users
Plugin Slug:: doubledome-resource-link-library
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14354

Plugin:: Category Dropdown List
Plugin Slug:: dropdown-category-list
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14132

Plugin:: Easy Map Creator
Plugin Slug:: easy-map-creator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13846

Plugin:: Easy Theme Options
Plugin Slug:: easy-theme-options
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14367

Plugin:: Eyewear prescription form
Plugin Slug:: eyewear-prescription-form
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14366

Plugin:: Flow-Flow Social Stream
Plugin Slug:: flow-flow-social-streams
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13866

Plugin:: Multi Uploader for Gravity Forms
Plugin Slug:: gf-multi-uploader
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14344

Plugin:: GPXpress
Plugin Slug:: gpxpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13960

Plugin:: Grider for Elementor
Plugin Slug:: grider-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66161

Plugin:: Huger for Elementor
Plugin Slug:: huger-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68088

Plugin:: IMAQ CORE
Plugin Slug:: imaq-core
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13363

Plugin:: Infility Global
Plugin Slug:: infility-global
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12968

Plugin:: Kirim.Email WooCommerce Integration
Plugin Slug:: kirimemail-woocommerce-integration
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14165

Plugin:: Laser
Plugin Slug:: laser
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66164

Plugin:: Like DisLike Voting
Plugin Slug:: like-dislike-voting
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14129

Plugin:: Listar � Directory Listing & Classifieds
Plugin Slug:: listar-directory-listing
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12574

Plugin:: LJUsers
Plugin Slug:: ljusers
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13839

Plugin:: Visitor Logic Lite
Plugin Slug:: logic-pro
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-14044

Plugin:: Lottier for Elementor
Plugin Slug:: lottier-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66166

Plugin:: Lottier
Plugin Slug:: lottier-gutenberg
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66167

Plugin:: Lottier for WPBakery
Plugin Slug:: lottier-wpbakery
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66165

Plugin:: LS Google Map Router
Plugin Slug:: ls-gmap-route
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13850

Plugin:: LT Unleashed
Plugin Slug:: lt-unleashed
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13886

Plugin:: Lucky Draw Contests
Plugin Slug:: lucky-draw
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14462

Plugin:: Masker for Elementor
Plugin Slug:: masker-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66163

Plugin:: Modalier for Elementor
Plugin Slug:: modalier-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68087

Plugin:: myLCO
Plugin Slug:: mylco
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13626

Plugin:: NewStatPress
Plugin Slug:: newstatpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13747

Plugin:: Complag
Plugin Slug:: omplag
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14125

Plugin:: Paypal Payment Shortcode
Plugin Slug:: paypal-payments-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13966

Plugin:: Popover Windows
Plugin Slug:: popover-windows
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14395

Plugin:: Popover Windows
Plugin Slug:: popover-windows
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14394

Plugin:: Purchase and Expense Manager
Plugin Slug:: purchase-and-expense-manager
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13987

Plugin:: Quick Testimonials
Plugin Slug:: quick-testimonials
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14378

Plugin:: Rabbit Hole
Plugin Slug:: rabbit-hole
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13366

Plugin:: Reformer for Elementor
Plugin Slug:: reformer-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68086

Plugin:: Reviews Sorted
Plugin Slug:: reviews-sorted
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13969

Plugin:: Shortcode Ajax
Plugin Slug:: shortcode-ajax
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14539

Plugin:: Simple Nivo Slider
Plugin Slug:: simple-nivo-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13889

Plugin:: Simple post listing
Plugin Slug:: simple-post-listing
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12650

Plugin:: Simple Theme Changer
Plugin Slug:: simple-theme-changer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14392

Plugin:: Simple Theme Changer
Plugin Slug:: simple-theme-changer
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14391

Plugin:: SimplyConvert
Plugin Slug:: simplyconvert
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14048

Plugin:: Solutions Ad Manager
Plugin Slug:: solutions-ad-manager
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14451

Plugin:: Spoter for Elementor
Plugin Slug:: spoter-elementor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66162

Plugin:: SurveyFunnel
Plugin Slug:: surveyfunnel-lite
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13006

Plugin:: SurveyFunnel
Plugin Slug:: surveyfunnel-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12417

Plugin:: xPromoter
Plugin Slug:: top_bar_promoter
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68053

Plugin:: Truefy Embed
Plugin Slug:: truefy-embed
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14161

Plugin:: TWW Protein Calculator
Plugin Slug:: twwc-protein
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13971

Plugin:: URL Media Uploader
Plugin Slug:: url-media-uploader
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14045

Plugin:: Userback
Plugin Slug:: userback
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14540

Plugin:: Video Merchant
Plugin Slug:: video-merchant
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-14390

Plugin:: VigLink SpotLight By ShortCode
Plugin Slug:: viglink-spotlight-by-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13843

Plugin:: Vimeo SimpleGallery
Plugin Slug:: vimeo-simplegallery
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14170

Plugin:: WatchTowerHQ
Plugin Slug:: watchtowerhq
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13972

Plugin:: Live Sales Notification for Woocommerce – Woomotiv
Plugin Slug:: woomotiv
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13137

Plugin:: WP Dropzone
Plugin Slug:: wp-dropzone
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13989

Plugin:: WP Flot
Plugin Slug:: wp-flot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13906

Plugin:: WP Job Portal
Plugin Slug:: wp-job-portal
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14467

Plugin:: WP Job Portal
Plugin Slug:: wp-job-portal
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14293

Plugin:: WPGancio
Plugin Slug:: wpgancio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13904

Plugin:: Wpik WordPress Basic Ajax Form
Plugin Slug:: wpik-wordpress-basic-ajax-form
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14393

Plugin:: WPLG Default Mail From
Plugin Slug:: wplg-default-mail-from
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14138

Plugin:: Zenost Shortcodes
Plugin Slug:: zenost-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13885

Plugin:: Elementor Website Builder � More Than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.33.4
Severity Score:: Medium
CVE:: 2025-11220

Plugin:: Starter Templates � AI-Powered Templates for Elementor & Gutenberg
Plugin Slug:: astra-sites
Installations: 2,000,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.4.42
Severity Score:: Critical
CVE:: 2025-13065

Plugin:: Custom Post Type UI
Plugin Slug:: custom-post-type-ui
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.18.2
Severity Score:: Medium
CVE:: 2025-14056

Plugin:: Redux Framework
Plugin Slug:: redux-framework
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.9
Severity Score:: Medium
CVE:: 2025-9488

Plugin:: Widgets for Google Reviews
Plugin Slug:: wp-reviews-plugin-for-google
Installations: 800,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 13.2.2
Severity Score:: Medium
CVE:: 2025-9436

Plugin:: Widgets for Google Reviews
Plugin Slug:: wp-reviews-plugin-for-google
Installations: 800,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 13.2.5
Severity Score:: High
CVE:: 2025-12510

Plugin:: Fluent Forms � Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 600,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 6.1.8
Severity Score:: Medium
CVE:: 2025-13748

Plugin:: Broken Link Checker by AIOSEO � Easily Fix/Monitor Internal and External links
Plugin Slug:: broken-link-checker-seo
Installations: 300,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.7
Severity Score:: High
CVE:: 2025-67962

Plugin:: Newsletter � Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.0
Severity Score:: High
CVE:: 2025-67999

Plugin:: Admin and Site Enhancements (ASE)
Plugin Slug:: admin-site-enhancements
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.1.0
Severity Score:: Low
CVE:: 2025-64255

Plugin:: FileBird � WordPress Media Library Folders & File Manager
Plugin Slug:: filebird
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.2
Severity Score:: Medium
CVE:: 2025-12900

Plugin:: GenerateBlocks
Plugin Slug:: generateblocks
Installations: 200,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.0
Severity Score:: Medium
CVE:: 2025-12512

Plugin:: Popup Builder � Create highly converting, mobile friendly marketing popups.
Plugin Slug:: popup-builder
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.2
Severity Score:: Medium
CVE:: 2025-9856

Plugin:: a3 Lazy Load
Plugin Slug:: a3-lazy-load
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.6
Severity Score:: Medium
CVE:: 2025-9873

Plugin:: Addon Elements for Elementor (formerly Elementor Addon Elements)
Plugin Slug:: addon-elements-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.14.4
Severity Score:: Medium
CVE:: 2025-12537

Plugin:: Beaver Builder Page Builder � Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.9.4.1
Severity Score:: Medium
CVE:: 2025-12558

Plugin:: Colibri Page Builder
Plugin Slug:: colibri-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.342
Severity Score:: Medium
CVE:: 2025-11376

Plugin:: Image Gallery � Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.13.4
Severity Score:: Medium
CVE:: 2025-14003

Plugin:: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Plugin Slug:: post-expirator
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.3
Severity Score:: Medium
CVE:: 2025-13741

Plugin:: TI WooCommerce Wishlist
Plugin Slug:: ti-woocommerce-wishlist
Installations: 100,000+
Vulnerability:: Content Injection
Patched in Version:: 2.11.0
Severity Score:: Medium
CVE:: 2025-9207

Plugin:: Rich Shortcodes for Google Reviews
Plugin Slug:: widget-google-reviews
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.8.1
Severity Score:: High
CVE:: 2025-12499

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Content Injection
Patched in Version:: 4.16.8
Severity Score:: Medium
CVE:: 2025-13642

Plugin:: YITH WooCommerce Quick View
Plugin Slug:: yith-woocommerce-quick-view
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.1
Severity Score:: Medium
CVE:: 2025-8617

Plugin:: MailerLite � Signup forms (official)
Plugin Slug:: official-mailerlite-sign-up-forms
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.17
Severity Score:: Medium
CVE:: 2025-13993

Plugin:: 10Web Booster � Website speed optimization, Cache & Page Speed optimizer
Plugin Slug:: tenweb-speed-optimizer
Installations: 90,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.32.11
Severity Score:: Critical
CVE:: 2025-13377

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2
Severity Score:: Medium
CVE:: 2025-13956

Plugin:: List category posts
Plugin Slug:: list-category-posts
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 0.92.0
Severity Score:: High
CVE:: 2025-10163

Plugin:: Ninja Tables � Easy Data Table Builder
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.2.4
Severity Score:: High
CVE:: 2025-67519

Plugin:: OneSignal � Web Push Notifications
Plugin Slug:: onesignal-free-web-push-notifications
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2025-13950

Plugin:: Brizy � Page Builder
Plugin Slug:: brizy
Installations: 70,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.7.17
Severity Score:: Medium
CVE:: 2025-0969

Plugin:: Email Subscribers & Newsletters � Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce
Plugin Slug:: email-subscribers
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.9.11
Severity Score:: Medium
CVE:: 2025-12348

Plugin:: Events Manager � Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 70,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.2.2.3
Severity Score:: Medium
CVE:: 2025-12407

Plugin:: Events Manager � Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 70,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.2.2.3
Severity Score:: Medium
CVE:: 2025-12408

Plugin:: Ultra Addons for Contact Form 7
Plugin Slug:: ultimate-addons-for-contact-form-7
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.34
Severity Score:: Medium
CVE:: 2025-14356

Plugin:: User Registration & Membership � Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.7
Severity Score:: Medium
CVE:: 2025-13367

Plugin:: Advanced Product Fields (Product Addons) for WooCommerce
Plugin Slug:: advanced-product-fields-for-woocommerce
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.6.18
Severity Score:: Medium
CVE:: 2025-13924

Plugin:: Auto Featured Image (Auto Post Thumbnail)
Plugin Slug:: auto-post-thumbnail
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2025-13794

Plugin:: Pixel Manager for WooCommerce � Track Conversions and Analytics, Google Ads, TikTok and more
Plugin Slug:: woocommerce-google-adwords-conversion-tracking-tag
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.52.0
Severity Score:: Medium
CVE:: 2025-67564

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.2.3
Severity Score:: Medium

Plugin:: RSS Aggregator by Feedzy � Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Plugin Slug:: feedzy-rss-feeds
Installations: 40,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.1.2
Severity Score:: Medium
CVE:: 2025-11467

Plugin:: FunnelKit � Funnel Builder for WooCommerce Checkout
Plugin Slug:: funnel-builder
Installations: 40,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.13.1.6
Severity Score:: Critical
CVE:: 2025-14169

Plugin:: InstaWP Connect � 1-click WP Staging & Migration
Plugin Slug:: instawp-connect
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.1.2.0
Severity Score:: Medium
CVE:: 2025-66068

Plugin:: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Plugin Slug:: simply-gallery-block
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2025-14288

Plugin:: HT Slider For Elementor
Plugin Slug:: ht-slider-for-elementor
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.5
Severity Score:: Medium
CVE:: 2025-14278

Plugin:: Login Security, FireWall, Malware removal by CleanTalk
Plugin Slug:: security-malware-firewall
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.169
Severity Score:: High
CVE:: 2025-13604

Plugin:: Themify Portfolio Post
Plugin Slug:: themify-portfolio-post
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-67533

Plugin:: ThirstyAffiliates � Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Plugin Slug:: thirstyaffiliates
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.11.9
Severity Score:: Medium
CVE:: 2025-67537

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.4
Severity Score:: Medium
CVE:: 2025-67983

Plugin:: All-in-One Video Gallery
Plugin Slug:: all-in-one-video-gallery
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.6.4
Severity Score:: Critical
CVE:: 2025-12966

Plugin:: Livemesh SiteOrigin Widgets
Plugin Slug:: livemesh-siteorigin-widgets
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.2
Severity Score:: Medium
CVE:: 2025-8780

Plugin:: My Calendar � Accessible Event Manager
Plugin Slug:: my-calendar
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.17
Severity Score:: Medium
CVE:: 2025-67592

Plugin:: Secure Copy Content Protection and Content Locking
Plugin Slug:: secure-copy-content-protection
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.9.3
Severity Score:: Medium
CVE:: 2025-14442

Plugin:: Secure Copy Content Protection and Content Locking
Plugin Slug:: secure-copy-content-protection
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.9.3
Severity Score:: Medium
CVE:: 2025-14159

Plugin:: UsersWP � Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.49
Severity Score:: Medium
CVE:: 2025-67593

Plugin:: WP Webhooks � Automate repetitive tasks by creating powerful automation workflows directly within WordPress
Plugin Slug:: wp-webhooks
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.9
Severity Score:: Critical
CVE:: 2025-66074

Plugin:: 404 Solution
Plugin Slug:: 404-solution
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.1
Severity Score:: High
CVE:: 2025-14477

Plugin:: Store Locator WordPress
Plugin Slug:: agile-store-locator
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.3
Severity Score:: High
CVE:: 2025-67516

Plugin:: Animation Addons for Elementor � GSAP Powered Elementor Addons & Website Templates
Plugin Slug:: animation-addons-for-elementor
Installations: 10,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 2.4.6
Severity Score:: Medium
CVE:: 2025-67540

Plugin:: CC Child Pages
Plugin Slug:: cc-child-pages
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2025-13608

Plugin:: Reviews Widget for Google, Yelp & Recommendations
Plugin Slug:: fb-reviews-widget
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6
Severity Score:: High
CVE:: 2025-12705

Plugin:: FluentAuth � The Ultimate Authorization & Security Plugin for WordPress
Plugin Slug:: fluent-security
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2025-13728

Plugin:: HandL UTM Grabber / Tracker
Plugin Slug:: handl-utm-grabber
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.1
Severity Score:: High
CVE:: 2025-13073

Plugin:: Head Meta Data
Plugin Slug:: head-meta-data
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 20251118
Severity Score:: Medium
CVE:: 2025-66081

Plugin:: JetWidgets For Elementor
Plugin Slug:: jetwidgets-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.21
Severity Score:: Medium
CVE:: 2025-8195

Plugin:: Lightweight Accordion
Plugin Slug:: lightweight-accordion
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.0
Severity Score:: Medium
CVE:: 2025-13740

Plugin:: Marquee Addons for Elementor � Advanced Elements & Modern Motion Widgets
Plugin Slug:: marquee-addons-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2025-8199

Plugin:: myCred � Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
Plugin Slug:: mycred
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.7.1
Severity Score:: Medium
CVE:: 2025-12362

Plugin:: WP-ShowHide
Plugin Slug:: wp-showhide
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.06
Severity Score:: Medium
CVE:: 2025-67541

Plugin:: WPeMatico RSS Feed Fetcher
Plugin Slug:: wpematico
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.13
Severity Score:: Medium
CVE:: 2025-13031

Plugin:: rtMedia for WordPress, BuddyPress and bbPress
Plugin Slug:: buddypress-media
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.4
Severity Score:: Low
CVE:: 2025-9218

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.6.8
Severity Score:: Medium
CVE:: 2025-13610

Plugin:: All-in-One Addons for Elementor � WidgetKit
Plugin Slug:: widgetkit-for-elementor
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.7
Severity Score:: Medium
CVE:: 2025-8779

Plugin:: Multi-Step Checkout for WooCommerce
Plugin Slug:: wp-multi-step-checkout
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.34
Severity Score:: Medium
CVE:: 2025-67542

Plugin:: BSK PDF Manager
Plugin Slug:: bsk-pdf-manager
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.2
Severity Score:: Medium
CVE:: 2025-4970

Plugin:: Foxtool All-in-One: Contact chat button, Custom login, Media optimize images
Plugin Slug:: foxtool
Installations: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.5.3
Severity Score:: Medium
CVE:: 2025-13408

Plugin:: Booking calendar, Appointment Booking System
Plugin Slug:: booking-calendar
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.31
Severity Score:: Medium
CVE:: 2025-67574

Plugin:: Watu Quiz
Plugin Slug:: watu
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.5.1
Severity Score:: Medium
CVE:: 2025-67976

Plugin:: WPGraphQL Smart Cache
Plugin Slug:: wpgraphql-smart-cache
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.1
Severity Score:: High

Plugin:: Document Library Lite
Plugin Slug:: document-library-lite
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2025-67986

Plugin:: Document Library Lite
Plugin Slug:: document-library-lite
Installations: 3,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2025-67985

Plugin:: Magical Posts Display � Elementor Advanced Posts widgets
Plugin Slug:: magical-posts-display
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.55
Severity Score:: Medium
CVE:: 2025-12965

Plugin:: Sitewide Notice WP
Plugin Slug:: sitewide-notice-wp
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2025-67575

Plugin:: Easy Appointment Booking & Scheduling System � Webba Booking Calendar
Plugin Slug:: webba-booking-lite
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.2.2
Severity Score:: Medium
CVE:: 2025-66530

Plugin:: WPMasterToolKit (WPMTK) � All in one plugin
Plugin Slug:: wpmastertoolkit
Installations: 3,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 2.13.1
Severity Score:: High
CVE:: 2025-14166

Plugin:: UseStrict’s Calendly Embedder
Plugin Slug:: cal-embedder-lite
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2
Severity Score:: Medium
CVE:: 2025-67555

Plugin:: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Plugin Slug:: cf7-salesforce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.7
Severity Score:: Medium
CVE:: 2025-67468

Plugin:: Easy Form Builder � WordPress plugin form builder: contact form, survey form, payment form, and custom form builder
Plugin Slug:: easy-form-builder
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.21
Severity Score:: Medium
CVE:: 2025-67577

Plugin:: Simple Download Counter
Plugin Slug:: simple-download-counter
Installations: 2,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.2.3
Severity Score:: Medium
CVE:: 2025-13677

Plugin:: Simple Link Directory
Plugin Slug:: simple-link-directory
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2025-67465

Plugin:: Simple Link Directory
Plugin Slug:: simple-link-directory
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2025-67576

Plugin:: Tableberg � Simple Gutenberg Table Block
Plugin Slug:: tableberg
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.6.10
Severity Score:: Medium
CVE:: 2025-66096

Plugin:: Trinity Audio � Text to Speech AI audio player to convert content into audio
Plugin Slug:: trinity-audio
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.24
Severity Score:: Medium
CVE:: 2025-67466

Plugin:: VK Google Job Posting Manager
Plugin Slug:: vk-google-job-posting-manager
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.23
Severity Score:: Medium
CVE:: 2025-68070

Plugin:: Email Marketing Plugin � WP Email Capture
Plugin Slug:: wp-email-capture
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.5
Severity Score:: Medium
CVE:: 2025-67578

Plugin:: CWW Companion
Plugin Slug:: cww-companion
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-67473

Plugin:: Enter Addons � Ultimate Template Builder for Elementor
Plugin Slug:: enteraddons
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.8
Severity Score:: Medium
CVE:: 2025-8687

Plugin:: Hippoo Mobile App for WooCommerce
Plugin Slug:: hippoo
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.2
Severity Score:: Medium
CVE:: 2025-12655

Plugin:: Hippoo Mobile App for WooCommerce
Plugin Slug:: hippoo
Installations: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.7.2
Severity Score:: High
CVE:: 2025-13339

Plugin:: AI-Powered Business Directory and Classified Ads Listings � Listdom
Plugin Slug:: listdom
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.0
Severity Score:: Medium
CVE:: 2025-67560

Plugin:: Media File Rename, Unused File Cleaner & CSV Export Import � Add Alt for Image SEO � Media Library Tools
Plugin Slug:: media-library-tools
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.7.0
Severity Score:: High
CVE:: 2025-67520

Plugin:: Nelio Popups
Plugin Slug:: nelio-popups
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: Medium
CVE:: 2025-66111

Plugin:: Request a Quote Form Plugin � Price Quote Request Management Made Easy
Plugin Slug:: request-a-quote
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.4
Severity Score:: Medium
CVE:: 2025-64248

Plugin:: Highlight and Share � Social Text and Image Sharing
Plugin Slug:: highlight-and-share
Installations: 900+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2025-67586

Plugin:: WP eBay Product Feeds
Plugin Slug:: ebay-feeds-for-wordpress
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.10
Severity Score:: Medium
CVE:: 2025-67557

Plugin:: VikRentItems Flexible Rental Management System
Plugin Slug:: vikrentitems
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.1
Severity Score:: High
CVE:: 2025-14049

Plugin:: Header Footer Script Adder � Insert Code in Header, Body & Footer
Plugin Slug:: header-and-footer-script-adder
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6
Severity Score:: Medium
CVE:: 2025-12109

Plugin:: Appointment Booking and Scheduler Plugin � Truebooker
Plugin Slug:: truebooker-appointment-booking
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-67581

Plugin:: Easy Invoice � PDF Invoice Generator & Quote Builder
Plugin Slug:: easy-invoice
Installations: 500+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1.5
Severity Score:: Medium
CVE:: 2025-66115

Plugin:: Employee Spotlight � Team Member Showcase & Meet the Team Plugin
Plugin Slug:: employee-spotlight
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.4
Severity Score:: Medium
CVE:: 2025-13403

Plugin:: Wbcom Designs � Private Community for BuddyPress
Plugin Slug:: lock-my-bp
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2025-67582

Plugin:: PDF for Contact Form 7 + Drag and Drop Template Builder
Plugin Slug:: pdf-for-contact-form-7
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 6.3.4
Severity Score:: Medium
CVE:: 2025-14074

Plugin:: Rencontre � Dating Site
Plugin Slug:: rencontre
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.13.8
Severity Score:: Medium
CVE:: 2025-67558

Plugin:: Design Import/Export � Styles, Templates, Template Parts and Patterns
Plugin Slug:: design-import-export
Installations: 200+
Vulnerability:: SQL Injection
Patched in Version:: 2.3
Severity Score:: High
CVE:: 2025-14050

Plugin:: Image Slider by Ays- Responsive Slider and Carousel
Plugin Slug:: ays-slider
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.7.1
Severity Score:: Medium
CVE:: 2025-14454

Plugin:: BuddyTask
Plugin Slug:: buddytask
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.0
Severity Score:: Medium
CVE:: 2025-14064

Plugin:: Emplibot � AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated
Plugin Slug:: emplibot
Installations: 100+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.1.0
Severity Score:: Medium
CVE:: 2025-11970

Plugin:: Upcoming for Calendly
Plugin Slug:: upcoming-for-calendly
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.5
Severity Score:: Medium
CVE:: 2025-14160

Plugin:: AI Feeds
Plugin Slug:: ai-feeds
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.23
Severity Score:: Medium
CVE:: 2025-14030

Plugin:: Guest Support
Plugin Slug:: guest-support
Installations: 40+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2025-13660

Plugin:: Simple Folio
Plugin Slug:: simple-folio
Installations: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-64256

Plugin:: Divelogs Widget
Plugin Slug:: divelogs-widget
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6
Severity Score:: Medium
CVE:: 2025-13962

Plugin:: FX Currency Converter
Plugin Slug:: fx-currency-converter
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.2.1
Severity Score:: Medium
CVE:: 2025-13963

Plugin:: MediaCommander � Bring Folders to Media, Posts, and Pages
Plugin Slug:: mediacommander
Installations: 20+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.0
Severity Score:: Medium
CVE:: 2025-14508

Plugin:: Player Leaderboard
Plugin Slug:: player-leaderboard
Installations: 20+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.3
Severity Score:: High
CVE:: 2025-12824

Plugin:: HAPPY � Helpdesk Support Ticket System
Plugin Slug:: happy-helpdesk-support-ticket-system
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.10
Severity Score:: Medium
CVE:: 2025-14581

Plugin:: Mailgun Subscriptions
Plugin Slug:: mailgun-subscriptions
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2025-11876

Plugin:: Photo Block � A Better Responsive Image Block With Lightbox and Caption Support
Plugin Slug:: photo-block
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.0
Severity Score:: Low
CVE:: 2025-64254