WordPress Vulnerability Report � December 31, 2025

In this report, 139 vulnerabilities have been publicly disclosed. Security patches for 66 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 73 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins � 62 Patched / 68 Unpatched

Plugin:: Shortcodes and extra features for Phlox theme
Plugin Slug:: auxin-elements
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69016

Plugin:: Crowdsignal Forms
Plugin Slug:: crowdsignal-forms
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-69015

Plugin:: Comments � wpDiscuz
Plugin Slug:: wpdiscuz
Installations: 80,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68997

Plugin:: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Plugin Slug:: popup-builder-block
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69026

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68607

Plugin:: Event Organiser
Plugin Slug:: event-organiser
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69012

Plugin:: Accept Donations with PayPal & Stripe
Plugin Slug:: easy-paypal-donation
Installations: 10,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68602

Plugin:: Link Library
Plugin Slug:: link-library
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68600

Plugin:: Five Star Restaurant Reservations � WordPress Booking Plugin
Plugin Slug:: restaurant-reservations
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68601

Plugin:: Widgets for Social Photo Feed
Plugin Slug:: social-photo-feed-widget
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68595

Plugin:: Themebeez Toolkit
Plugin Slug:: themebeez-toolkit
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69010

Plugin:: Blog Filter Post Filtering
Plugin Slug:: blog-filter
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69033

Plugin:: Poll, Survey & Quiz Maker Plugin by Opinion Stage
Plugin Slug:: social-polls-by-opinionstage
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68594

Plugin:: Project Manager � AI-Powered Project & Task Manager with Kanban Board & Gantt Chart
Plugin Slug:: wedevs-project-manager
Installations: 7,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68040

Plugin:: Youzify � BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Plugin Slug:: youzify
Installations: 6,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69014

Plugin:: Simple File List
Plugin Slug:: simple-file-list
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68591

Plugin:: WP Telegram Widget and Join Link
Plugin Slug:: wptelegram-widget
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68589

Plugin:: Custom Related Posts
Plugin Slug:: custom-related-posts
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68033

Plugin:: TS Poll � Survey, Versus Poll, Image Poll, Video Poll
Plugin Slug:: poll-wp
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68588

Plugin:: Cooked � Recipe Management
Plugin Slug:: cooked
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68586

Plugin:: Wallet System for WooCommerce � Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
Plugin Slug:: wallet-system-for-woocommerce
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68029

Plugin:: Fast User Switching
Plugin Slug:: fast-user-switching
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68583

Plugin:: FlippingBook
Plugin Slug:: flippingbook
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69019

Plugin:: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor � Funnelforms Free
Plugin Slug:: funnelforms-free
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68582

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69020

Plugin:: Discussion Board � WordPress Forum Plugin
Plugin Slug:: wp-discussion-board
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69023

Plugin:: YITH Slider for page builders
Plugin Slug:: yith-slider-for-page-builders
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68581

Plugin:: BBP Core � Advanced bbPress Forum Management with Voting, Private Replies & Elementor
Plugin Slug:: bbp-core
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68572

Plugin:: GLS Shipping for WooCommerce
Plugin Slug:: gls-shipping-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68011

Plugin:: Heateor Social Login WordPress
Plugin Slug:: heateor-social-login
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68998

Plugin:: Netgsm
Plugin Slug:: netgsm
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68010

Plugin:: Product Delivery Date for WooCommerce � Lite
Plugin Slug:: product-delivery-date-for-woocommerce-lite
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69027

Plugin:: RestroPress � Online Food Ordering System
Plugin Slug:: restropress
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69017

Plugin:: Slider Templates
Plugin Slug:: slider-templates
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68009

Plugin:: Booking Ultra Pro Appointments Booking Calendar Plugin
Plugin Slug:: booking-ultra-pro
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68006

Plugin:: HR Management Lite
Plugin Slug:: hr-management-lite
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69022

Plugin:: AM Events
Plugin Slug:: am-events
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69006

Plugin:: File Uploader for WooCommerce
Plugin Slug:: file-uploader-for-woocommerce
Installations: 100+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13329

Plugin:: Gift Hunt
Plugin Slug:: gift-hunt
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-67631

Plugin:: Inboxify Sign Up Form
Plugin Slug:: inboxify-sign-up-form
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69008

Plugin:: Mobile builder
Plugin Slug:: mobile-builder
Installations: 100+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68860

Plugin:: Popping Sidebars and Widgets Light
Plugin Slug:: popping-sidebars-and-widgets-light
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69007

Plugin:: Plugin Optimizer � Speed Up Your WordPress Like Never Before
Plugin Slug:: plugin-optimizer
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68861

Plugin:: CookieHint WP
Plugin Slug:: cookiehint-wp
Installations: 70+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68870

Plugin:: Flaming Password Reset
Plugin Slug:: flaming-password-reset
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68875

Plugin:: Wp Text Slider Widget
Plugin Slug:: wp-text-slider-widget
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68868

Plugin:: Advanced Custom CSS
Plugin Slug:: advanced-custom-css
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68878

Plugin:: CedCommerce Integration for Good Market
Plugin Slug:: ced-good-market-integration
Installations: 60+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68877

Plugin:: Content Grid Slider
Plugin Slug:: content-grid-slider
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68879

Plugin:: PRIMER by chlo�digital
Plugin Slug:: primer-by-chloedigital
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68873

Plugin:: Visitor Stats Widget
Plugin Slug:: visitor-stats-widget
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68874

Plugin:: Invelity SPS connect
Plugin Slug:: invelity-sps-connect
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68876

Plugin:: Scroll rss excerpt
Plugin Slug:: scroll-rss-excerpt
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68892

Plugin:: WP App Bar
Plugin Slug:: wp-app-bar
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68891

Plugin:: IF AS Shortcode
Plugin Slug:: if-as-shortcode
Installations: 10+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68897

Plugin:: Attachments Handler
Plugin Slug:: attachments-handler
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12581

Plugin:: Cool Tag Cloud
Plugin Slug:: cool-tag-cloud
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69011

Plugin:: Flex Store Users
Plugin Slug:: flex-store-user
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13619

Plugin:: Overstock Affiliate Links
Plugin Slug:: overstock-affiliate-links
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13624

Plugin:: Product Loops for WooCommerce
Plugin Slug:: product-loops
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68994

Plugin:: Responsive Posts Carousel Pro
Plugin Slug:: responsive-posts-carousel-pro
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68996

Plugin:: Share, Print and PDF Products for WooCommerce
Plugin Slug:: share-print-pdf-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68993

Plugin:: Testimonial Slider
Plugin Slug:: testimonial
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68000

Plugin:: Userpro
Plugin Slug:: userpro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68608

Plugin:: WooMulti
Plugin Slug:: woomulti
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12835

Plugin:: WP Hallo Welt
Plugin Slug:: wp-hallo-welt
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13365

Plugin:: WP JobHunt
Plugin Slug:: wp-jobhunt
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7733

Plugin:: WP JobHunt
Plugin Slug:: wp-jobhunt
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7782

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 7,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.4.3
Severity Score:: Medium
CVE:: 2025-15033

Plugin:: Premium Addons for Elementor � Powerful Elementor Templates & Widgets
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.11.54
Severity Score:: Medium
CVE:: 2025-14163

Plugin:: PixelYourSite � Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 11.1.5.1
Severity Score:: Medium
CVE:: 2025-14280

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.20.4
Severity Score:: Medium
CVE:: 2025-14635

Plugin:: Astra Widgets
Plugin Slug:: astra-widgets
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.17
Severity Score:: Medium
CVE:: 2025-68497

Plugin:: User Feedback � Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Plugin Slug:: userfeedback-lite
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.10.1
Severity Score:: High
CVE:: 2025-68496

Plugin:: Advanced Ads ��Ad Manager & AdSense
Plugin Slug:: advanced-ads
Installations: 100,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.0.15
Severity Score:: Critical
CVE:: 2025-13592

Plugin:: Beaver Builder Page Builder � Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.2
Severity Score:: High
CVE:: 2025-12934

Plugin:: GiveWP � Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.13.2
Severity Score:: Medium
CVE:: 2025-67467

Plugin:: Popup Box � Create Countdown, Coupon, Video, Contact Form Popups
Plugin Slug:: ays-popup-box
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.0.8
Severity Score:: Medium
CVE:: 2025-69021

Plugin:: Interactive Content � H5P
Plugin Slug:: h5p
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.16.2
Severity Score:: Medium
CVE:: 2025-68505

Plugin:: All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs � My Sticky Elements
Plugin Slug:: mystickyelements
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.4
Severity Score:: Medium
CVE:: 2025-68995

Plugin:: Stratum Widgets for Elementor
Plugin Slug:: stratum
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.2
Severity Score:: Medium
CVE:: 2025-69013

Plugin:: Print Invoice & Delivery Notes for WooCommerce
Plugin Slug:: woocommerce-delivery-notes
Installations: 30,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.9.0
Severity Score:: Critical
CVE:: 2025-13773

Plugin:: Brave � Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content
Plugin Slug:: brave-popup-builder
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.8.4
Severity Score:: Medium
CVE:: 2025-68508

Plugin:: Docket Cache � Object Cache Accelerator
Plugin Slug:: docket-cache
Installations: 20,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 24.07.04
Severity Score:: High
CVE:: 2025-68506

Plugin:: Bold Timeline Lite
Plugin Slug:: bold-timeline-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2025-68513

Plugin:: Ocean Modal Window
Plugin Slug:: ocean-modal-window
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.3.3
Severity Score:: Critical
CVE:: 2025-13307

Plugin:: PhastPress
Plugin Slug:: phastpress
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.8
Severity Score:: High
CVE:: 2025-14388

Plugin:: Plugin Organizer
Plugin Slug:: plugin-organizer
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 10.2.4
Severity Score:: High
CVE:: 2025-13417

Plugin:: Membership Plugin � Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.16
Severity Score:: Medium
CVE:: 2025-14000

Plugin:: URL Shortify � Simple, Powerful and Easy URL Shortener Plugin For WordPress
Plugin Slug:: url-shortify
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.4
Severity Score:: High
CVE:: 2025-13355

Plugin:: URL Shortify � Simple, Powerful and Easy URL Shortener Plugin For WordPress
Plugin Slug:: url-shortify
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.3
Severity Score:: High
CVE:: 2025-12684

Plugin:: weForms � Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.26
Severity Score:: Medium
CVE:: 2025-69028

Plugin:: YaMaps for WordPress Plugin
Plugin Slug:: yamaps
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.6.40
Severity Score:: Medium
CVE:: 2025-13958

Plugin:: Tablesome Table � Contact Form DB � WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.35.2
Severity Score:: Medium
CVE:: 2025-68517

Plugin:: Tablesome Table � Contact Form DB � WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.35.2
Severity Score:: Medium
CVE:: 2025-68516

Plugin:: Brands for WooCommerce
Plugin Slug:: brands-for-woocommerce
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.8.6.4
Severity Score:: High
CVE:: 2025-68519

Plugin:: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Plugin Slug:: cf7-hubspot
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2025-68590

Plugin:: Calendar
Plugin Slug:: calendar
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.17
Severity Score:: Medium
CVE:: 2025-14548

Plugin:: CubeWP Framework
Plugin Slug:: cubewp-framework
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.28
Severity Score:: High
CVE:: 2025-68036

Plugin:: WpStream � Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.6
Severity Score:: Medium
CVE:: 2025-68522

Plugin:: WpStream � Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.6
Severity Score:: Medium
CVE:: 2025-68521

Plugin:: Academy LMS � WordPress LMS Plugin for Complete eLearning Solution
Plugin Slug:: academy
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2025-68527

Plugin:: Advanced Classifieds & Directory Pro
Plugin Slug:: advanced-classifieds-and-directory-pro
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-68580

Plugin:: Auto Listings � Car Listings & Car Dealership Plugin for WordPress
Plugin Slug:: auto-listings
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.2
Severity Score:: Medium
CVE:: 2025-69089

Plugin:: Category Icon
Plugin Slug:: category-icon
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.3
Severity Score:: Medium
CVE:: 2025-68525

Plugin:: Vimeotheque � Vimeo WordPress Plugin & Video Gallery
Plugin Slug:: codeflavors-vimeo-video-post-lite
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.3.6
Severity Score:: Medium
CVE:: 2025-68584

Plugin:: Frontend Post Submission Manager Lite � Frontend Posting WordPress Plugin
Plugin Slug:: frontend-post-submission-manager-lite
Installations: 2,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2025-14913

Plugin:: FV Simpler SEO
Plugin Slug:: fv-all-in-one-seo-pack
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.7
Severity Score:: Medium
CVE:: 2025-68579

Plugin:: Combo Offers WooCommerce
Plugin Slug:: woo-combo-offers
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3
Severity Score:: Medium
CVE:: 2025-69088

Plugin:: WP Document Revisions
Plugin Slug:: wp-document-revisions
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.0
Severity Score:: Low
CVE:: 2025-68585

Plugin:: MapSVG � Vector maps, Image maps, Google Maps
Plugin Slug:: mapsvg-lite-interactive-vector-maps
Installations: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 8.7.4
Severity Score:: Critical
CVE:: 2025-68562

Plugin:: Poptics � Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales
Plugin Slug:: poptics
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.21
Severity Score:: Medium
CVE:: 2025-69025

Plugin:: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.
Plugin Slug:: print-google-cloud-print-gcp-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.1
Severity Score:: Medium
CVE:: 2025-69024

Plugin:: SALESmanago & Leadoo
Plugin Slug:: salesmanago
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.1
Severity Score:: Medium
CVE:: 2025-68571

Plugin:: WC Builder � WooCommerce Page Builder for WPBakery
Plugin Slug:: wc-builder
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.1
Severity Score:: Medium
CVE:: 2025-68533

Plugin:: ContentStudio
Plugin Slug:: contentstudio
Installations: 900+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.0
Severity Score:: Critical
CVE:: 2025-67910

Plugin:: Membership For WooCommerce � WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping
Plugin Slug:: membership-for-woocommerce
Installations: 900+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.0.4
Severity Score:: High
CVE:: 2025-67909

Plugin:: Subscribe to Unlock Lite � Opt In Content Locker Plugin for WordPress
Plugin Slug:: subscribe-to-unlock-lite
Installations: 500+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-68563