WordPress Vulnerability Report � December 24, 2025

In this report, 150 vulnerabilities have been publicly disclosed. Security patches for 124 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 26 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins � 114 Patched / 26 Unpatched

Plugin:: Health Check & Troubleshooting
Plugin Slug:: health-check
Installations: 300,000+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64253

Plugin:: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Plugin Slug:: directorist
Installations: 20,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64250

Plugin:: WCFM � Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug:: wc-frontend-manager
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-54004

Plugin:: WCFM Marketplace � Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64631

Plugin:: Doubly � Cross Domain Copy Paste for WordPress
Plugin Slug:: doubly
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14476

Plugin:: Read More & Accordion
Plugin Slug:: expand-maker
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64247

Plugin:: Protect WP Admin
Plugin Slug:: protect-wp-admin
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64249

Plugin:: Pretty Google Calendar
Plugin Slug:: pretty-google-calendar
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12898

Plugin:: Meks Quick Plugin Disabler
Plugin Slug:: meks-quick-plugin-disabler
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68083

Plugin:: Semrush Content Toolkit
Plugin Slug:: semrush-contentshake
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68082

Plugin:: Yaad Sarig Payment Gateway For WC
Plugin Slug:: yaad-sarig-payment-gateway-for-wc
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66131

Plugin:: FAPI Member
Plugin Slug:: fapi-member
Installations: 500+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66132

Plugin:: JAY Login & Register
Plugin Slug:: jay-login-register
Installations: 40+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-14440

Plugin:: Amazon affiliate lite
Plugin Slug:: afiliados-de-amazon-lite
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14734

Plugin:: Amazon affiliate lite
Plugin Slug:: afiliados-de-amazon-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14735

Plugin:: URL Shortener
Plugin Slug:: exact-links
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-10738

Plugin:: F70 Lead Document Download
Plugin Slug:: f70-lead-document-download
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14633

Plugin:: HelloLeads CRM Form Shortcode
Plugin Slug:: hls-crm-form-shortcode
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12696

Plugin:: ?????? ????? ??????? ??? ???? ?? (????) payamito sms woocommerce
Plugin Slug:: payamito-sms-woocommerce
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13077

Plugin:: Postem Ipsum
Plugin Slug:: postem-ipsum
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14397

Plugin:: Quran Gateway
Plugin Slug:: quran-gateway
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14164

Plugin:: RESPONSIVE AND SWIPE SLIDER!
Plugin Slug:: responsive-and-swipe-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14721

Plugin:: WooMulti
Plugin Slug:: woomulti
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12835

Plugin:: WP DB Booster
Plugin Slug:: wp-db-booster
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14168

Plugin:: WP3D Model Import Viewer
Plugin Slug:: wp3d-model-import-block
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13094

Plugin:: WPS Visitor Counter
Plugin Slug:: wps-visitor-counter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-9116

Plugin:: Elementor Website Builder � More Than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.33.4
Severity Score:: Medium
CVE:: 2025-11220

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 7,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.4.3
Severity Score:: Medium
CVE:: 2025-15033

Plugin:: Essential Addons for Elementor � Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.4
Severity Score:: Medium
CVE:: 2025-13977

Plugin:: Premium Addons for Elementor � Powerful Elementor Templates & Widgets
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.11.54
Severity Score:: Medium
CVE:: 2025-14163

Plugin:: Ninja Forms � The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 600,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.13.3
Severity Score:: High
CVE:: 2025-11924

Plugin:: Royal Addons for Elementor � Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.1037
Severity Score:: Medium
CVE:: 2025-11363

Plugin:: Converter for Media � Optimize images | Convert WebP & AVIF
Plugin Slug:: webp-converter-for-media
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.4.0
Severity Score:: Medium
CVE:: 2025-13750

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.20.4
Severity Score:: Medium
CVE:: 2025-14635

Plugin:: Photo Gallery, Sliders, Proofing and Themes � NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations: 400,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.0.0
Severity Score:: High
CVE:: 2025-13641

Plugin:: Newsletter � Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.0
Severity Score:: High
CVE:: 2025-67999

Plugin:: Admin and Site Enhancements (ASE)
Plugin Slug:: admin-site-enhancements
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.1.0
Severity Score:: Low
CVE:: 2025-64255

Plugin:: Gutenberg Essential Blocks � Page Builder for Gutenberg Blocks & Patterns
Plugin Slug:: essential-blocks
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.3
Severity Score:: Medium
CVE:: 2025-11369

Plugin:: FileBird � WordPress Media Library Folders & File Manager
Plugin Slug:: filebird
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.2
Severity Score:: Medium
CVE:: 2025-12900

Plugin:: Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.11.1
Severity Score:: Medium
CVE:: 2025-12492

Plugin:: Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.11.1
Severity Score:: Medium
CVE:: 2025-14081

Plugin:: Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.1
Severity Score:: Medium
CVE:: 2025-13217

Plugin:: User Feedback � Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Plugin Slug:: userfeedback-lite
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.10.1
Severity Score:: High
CVE:: 2025-68496

Plugin:: Addon Elements for Elementor (formerly Elementor Addon Elements)
Plugin Slug:: addon-elements-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.14.4
Severity Score:: Medium
CVE:: 2025-12537

Plugin:: FiboSearch � Ajax Search for WooCommerce
Plugin Slug:: ajax-search-for-woocommerce
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.32.1
Severity Score:: Medium
CVE:: 2025-14298

Plugin:: Prime Slider � Addons for Elementor
Plugin Slug:: bdthemes-prime-slider-lite
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.1.0
Severity Score:: Medium
CVE:: 2025-14277

Plugin:: Beaver Builder Page Builder � Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.2
Severity Score:: High
CVE:: 2025-12934

Plugin:: Colibri Page Builder
Plugin Slug:: colibri-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.358
Severity Score:: Medium
CVE:: 2025-11747

Plugin:: Login Lockdown & Protection
Plugin Slug:: login-lockdown
Installations: 100,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.15
Severity Score:: Medium
CVE:: 2025-11707

Plugin:: Image Gallery � Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.13.4
Severity Score:: Medium
CVE:: 2025-14003

Plugin:: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Plugin Slug:: post-expirator
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.3
Severity Score:: Medium
CVE:: 2025-13741

Plugin:: HUSKY � Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.7.4
Severity Score:: Medium
CVE:: 2025-13110

Plugin:: Hummingbird Performance � Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN
Plugin Slug:: hummingbird-performance
Installations: 80,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.18.1
Severity Score:: High
CVE:: 2025-14437

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.2
Severity Score:: Medium
CVE:: 2025-14387

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2
Severity Score:: Medium
CVE:: 2025-13956

Plugin:: Ninja Tables � Easy Data Table Builder
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.2.4
Severity Score:: High
CVE:: 2025-67519

Plugin:: OneSignal � Web Push Notifications
Plugin Slug:: onesignal-free-web-push-notifications
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2025-13950

Plugin:: SlimStat Analytics
Plugin Slug:: wp-slimstat
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.3
Severity Score:: High
CVE:: 2025-14151

Plugin:: Events Manager � Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.2.3
Severity Score:: Medium
CVE:: 2025-12976

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.9.17
Severity Score:: Medium
CVE:: 2025-13754

Plugin:: User Registration & Membership � Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.7
Severity Score:: Medium
CVE:: 2025-13367

Plugin:: Auto Featured Image (Auto Post Thumbnail)
Plugin Slug:: auto-post-thumbnail
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2025-13794

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: 10.14.9
Severity Score:: Critical
CVE:: 2025-14383

Plugin:: Embed Any Document � Embed PDF, Word, PowerPoint and Excel Files
Plugin Slug:: embed-any-document
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.11
Severity Score:: Medium
CVE:: 2025-12885

Plugin:: Pixel Manager for WooCommerce � Track Conversions and Analytics, Google Ads, TikTok and more
Plugin Slug:: woocommerce-google-adwords-conversion-tracking-tag
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.52.0
Severity Score:: Medium
CVE:: 2025-67564

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.2.4
Severity Score:: Medium
CVE:: 2025-14385

Plugin:: Download Plugins and Themes in ZIP from Dashboard
Plugin Slug:: download-plugins-dashboard
Installations: 30,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9.7
Severity Score:: Medium
CVE:: 2025-14399

Plugin:: Themify Portfolio Post
Plugin Slug:: themify-portfolio-post
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-67533

Plugin:: ThirstyAffiliates � Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Plugin Slug:: thirstyaffiliates
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.11.9
Severity Score:: Medium
CVE:: 2025-67537

Plugin:: MailerLite � WooCommerce integration
Plugin Slug:: woo-mailerlite
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.4
Severity Score:: Medium

Plugin:: WP Social Ninja � Embed Social Feeds, User Reviews & Chat Widgets
Plugin Slug:: wp-social-reviews
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.2
Severity Score:: Medium
CVE:: 2025-13880

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.4
Severity Score:: Medium
CVE:: 2025-67983

Plugin:: Image Photo Gallery Final Tiles Grid
Plugin Slug:: final-tiles-grid-gallery-lite
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.8
Severity Score:: Medium
CVE:: 2025-14455

Plugin:: My Calendar � Accessible Event Manager
Plugin Slug:: my-calendar
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.17
Severity Score:: Medium
CVE:: 2025-67592

Plugin:: UsersWP � Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.49
Severity Score:: Medium
CVE:: 2025-67593

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.4.13
Severity Score:: Critical
CVE:: 2025-13126

Plugin:: Animation Addons for Elementor � GSAP Powered Elementor Addons & Website Templates
Plugin Slug:: animation-addons-for-elementor
Installations: 10,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 2.4.6
Severity Score:: Medium
CVE:: 2025-67540

Plugin:: BA Book Everything
Plugin Slug:: ba-book-everything
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.15
Severity Score:: Medium
CVE:: 2025-14449

Plugin:: Better Messages � Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Plugin Slug:: bp-better-messages
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.3
Severity Score:: High
CVE:: 2025-14154

Plugin:: Business Directory Plugin � Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.4.20
Severity Score:: Medium
CVE:: 2025-64630

Plugin:: CC Child Pages
Plugin Slug:: cc-child-pages
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2025-13608

Plugin:: OpenID Connect Generic Client
Plugin Slug:: daggerhart-openid-connect-generic
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.1
Severity Score:: Medium
CVE:: 2025-13730

Plugin:: Demo Importer Plus
Plugin Slug:: demo-importer-plus
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.9
Severity Score:: High
CVE:: 2025-14364

Plugin:: FluentAuth � The Ultimate Authorization & Security Plugin for WordPress
Plugin Slug:: fluent-security
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2025-13728

Plugin:: Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Plugin Slug:: gdpr-cookie-consent
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.8
Severity Score:: Medium
CVE:: 2025-14061

Plugin:: Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Plugin Slug:: gdpr-cookie-consent
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.8
Severity Score:: Medium
CVE:: 2025-66133

Plugin:: Gutenverse Form � Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
Plugin Slug:: gutenverse-form
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.2
Severity Score:: Medium
CVE:: 2025-68511

Plugin:: HandL UTM Grabber / Tracker
Plugin Slug:: handl-utm-grabber
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.1
Severity Score:: High
CVE:: 2025-13073

Plugin:: HTML Forms � Simple WordPress Forms Plugin
Plugin Slug:: html-forms
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2025-13861

Plugin:: HTML5 Audio Player � The Ultimate No-Code Podcast, MP3 & Audio Player
Plugin Slug:: html5-audio-player
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.5.2
Severity Score:: High
CVE:: 2025-13999

Plugin:: JetWidgets For Elementor
Plugin Slug:: jetwidgets-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.21
Severity Score:: Medium
CVE:: 2025-8195

Plugin:: Lightweight Accordion
Plugin Slug:: lightweight-accordion
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.0
Severity Score:: Medium
CVE:: 2025-13740

Plugin:: Live Composer � Free WordPress Website Builder
Plugin Slug:: live-composer-page-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.3
Severity Score:: Medium
CVE:: 2025-13537

Plugin:: myCred � Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
Plugin Slug:: mycred
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.7.2
Severity Score:: Medium
CVE:: 2025-12361

Plugin:: Real 3D Flipbook � 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder
Plugin Slug:: real3d-flipbook-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.16.4
Severity Score:: Medium
CVE:: 2025-68512

Plugin:: Membership Plugin � Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.16
Severity Score:: Medium
CVE:: 2025-14000

Plugin:: WP-ShowHide
Plugin Slug:: wp-showhide
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.06
Severity Score:: Medium
CVE:: 2025-67541

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.6.8
Severity Score:: Medium
CVE:: 2025-13610

Plugin:: Tablesome Table � Contact Form DB � WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.35.2
Severity Score:: Medium
CVE:: 2025-68517

Plugin:: Tablesome Table � Contact Form DB � WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.35.2
Severity Score:: Medium
CVE:: 2025-68516

Plugin:: Multi-Step Checkout for WooCommerce
Plugin Slug:: wp-multi-step-checkout
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.34
Severity Score:: Medium
CVE:: 2025-67542

Plugin:: Social Media Auto Publish
Plugin Slug:: social-media-auto-publish
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.6
Severity Score:: High
CVE:: 2025-12076

Plugin:: Calendar
Plugin Slug:: calendar
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.17
Severity Score:: Medium
CVE:: 2025-14548

Plugin:: Export WP Pages to HTML & PDF � Simply Create a Static Website
Plugin Slug:: export-wp-page-to-static-html
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.0.0
Severity Score:: Critical
CVE:: 2025-11693

Plugin:: Booking calendar, Appointment Booking System
Plugin Slug:: booking-calendar
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.31
Severity Score:: Medium
CVE:: 2025-67574

Plugin:: Watu Quiz
Plugin Slug:: watu
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.5.1
Severity Score:: Medium
CVE:: 2025-67976

Plugin:: Filter & Grids
Plugin Slug:: ymc-smart-filter
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.2.1
Severity Score:: Critical
CVE:: 2025-10289

Plugin:: Document Library Lite
Plugin Slug:: document-library-lite
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2025-67986

Plugin:: Document Library Lite
Plugin Slug:: document-library-lite
Installations: 3,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2025-67985

Plugin:: Sitewide Notice WP
Plugin Slug:: sitewide-notice-wp
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2025-67575

Plugin:: Easy Appointment Booking & Scheduling System � Webba Booking Calendar
Plugin Slug:: webba-booking-lite
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.2.2
Severity Score:: Medium
CVE:: 2025-66530

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.8
Severity Score:: Critical
CVE:: 2025-13089

Plugin:: UseStrict’s Calendly Embedder
Plugin Slug:: cal-embedder-lite
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2
Severity Score:: Medium
CVE:: 2025-67555

Plugin:: Easy Form Builder � WordPress plugin form builder: contact form, survey form, payment form, and custom form builder
Plugin Slug:: easy-form-builder
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.21
Severity Score:: Medium
CVE:: 2025-67577

Plugin:: Simple Link Directory
Plugin Slug:: simple-link-directory
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2025-67465

Plugin:: Simple Link Directory
Plugin Slug:: simple-link-directory
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2025-67576

Plugin:: VK Google Job Posting Manager
Plugin Slug:: vk-google-job-posting-manager
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.23
Severity Score:: Medium
CVE:: 2025-68070

Plugin:: CWW Companion
Plugin Slug:: cww-companion
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-67473

Plugin:: WP to LinkedIn Auto Publish
Plugin Slug:: linkedin-auto-publish
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.9
Severity Score:: High
CVE:: 2025-12077

Plugin:: AI-Powered Business Directory and Classified Ads Listings � Listdom
Plugin Slug:: listdom
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.0
Severity Score:: Medium
CVE:: 2025-67560

Plugin:: Request a Quote Form Plugin � Price Quote Request Management Made Easy
Plugin Slug:: request-a-quote
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.4
Severity Score:: Medium
CVE:: 2025-64248

Plugin:: WPCOM Member
Plugin Slug:: wpcom-member
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.7.17
Severity Score:: High
CVE:: 2025-14002

Plugin:: Zephyr Project Manager
Plugin Slug:: zephyr-project-manager
Installations: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.3.204
Severity Score:: Medium
CVE:: 2025-12496

Plugin:: Highlight and Share � Social Text and Image Sharing
Plugin Slug:: highlight-and-share
Installations: 900+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2025-67586

Plugin:: WP eBay Product Feeds
Plugin Slug:: ebay-feeds-for-wordpress
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.10
Severity Score:: Medium
CVE:: 2025-67557

Plugin:: Appointment Booking and Scheduler Plugin � Truebooker
Plugin Slug:: truebooker-appointment-booking
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-67581

Plugin:: Easy Invoice � PDF Invoice Generator & Quote Builder
Plugin Slug:: easy-invoice
Installations: 500+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1.5
Severity Score:: Medium
CVE:: 2025-66115

Plugin:: Wbcom Designs � Private Community for BuddyPress
Plugin Slug:: lock-my-bp
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2025-67582

Plugin:: Rencontre � Dating Site
Plugin Slug:: rencontre
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.13.8
Severity Score:: Medium
CVE:: 2025-67558

Plugin:: Sweet Energy Efficiency
Plugin Slug:: sweet-energy-efficiency
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.7
Severity Score:: Medium
CVE:: 2025-14618

Plugin:: Fox LMS � WordPress LMS Plugin
Plugin Slug:: fox-lms
Installations: 40+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.5.2
Severity Score:: Critical
CVE:: 2025-14156

Plugin:: Simple Folio
Plugin Slug:: simple-folio
Installations: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-64256

Plugin:: Photo Block � A Modern Image Block With Lightbox and Caption Support
Plugin Slug:: photo-block
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.0
Severity Score:: Low
CVE:: 2025-64254