WordPress Vulnerability Report � February 12, 2025

In this report, 155 vulnerabilities have been publicly disclosed. Security patches for 54 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 101 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.7.2 is now available! This minor release includes�35 bug fixes, addressing issues affecting multiple components including the block editor, HTML API, and Customize.

WordPress Plugins � 51 Patched / 100 Unpatched

Plugin:: WP Project Manager � Task, team, and project management plugin featuring kanban board and gantt charts
Plugin Slug:: wedevs-project-manager
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22649

Plugin:: Payment Forms for Paystack
Plugin Slug:: payment-forms-for-paystack
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22652

Plugin:: Eventer
Plugin Slug:: eventer
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11133

Plugin:: Eventer
Plugin Slug:: eventer
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11133

Plugin:: Eventer
Plugin Slug:: eventer
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11133

Plugin:: Blog, Posts and Category Filter for Elementor
Plugin Slug:: blog-posts-and-category-for-elementor
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22648

Plugin:: Vayu Blocks � Gutenberg Blocks for WordPress & WooCommerce
Plugin Slug:: vayu-blocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22644

Plugin:: Job Board Manager
Plugin Slug:: job-board-manager
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22679

Plugin:: Paytm Payment Donation
Plugin Slug:: paytm-donation
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22640

Plugin:: Stylish Google Sheet Reader 4.0 � Seamlessly Embed Google Sheets as Responsive Data Tables
Plugin Slug:: stylish-google-sheet-reader
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22651

Plugin:: Music Press Pro
Plugin Slug:: music-press-pro
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22653

Plugin:: Image Rotator
Plugin Slug:: appten-image-rotator
Installations: 90+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25089

Plugin:: All push notification for WP
Plugin Slug:: all-push-notification
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25092

Plugin:: Print PDF Generator and Publisher
Plugin Slug:: nopeamedia
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22637

Plugin:: AIO Performance Profiler, Monitor, Optimize, Compress & Debug
Plugin Slug:: all-in-one-performance-accelerator
Installations: 20+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22647

Plugin:: Appointment Buddy Widget By Accrete
Plugin Slug:: appointment-buddy-online-appointment-booking-by-accrete
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25099

Plugin:: Notification Bar � Top Bar � Easy Sticky Notification Bar | FM Notification Bar
Plugin Slug:: fm-notification-bar
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22641

Plugin:: Auto SEO
Plugin Slug:: auto-seo
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25147

Plugin:: Banner Garden
Plugin Slug:: banner-garden
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-0368

Plugin:: BookPress � For Book Authors
Plugin Slug:: book-press
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25168

Plugin:: Breaking News Ticker
Plugin Slug:: breaking-news-ticker
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25094

Plugin:: Builder Shortcode Extras
Plugin Slug:: builder-shortcode-extras
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13841

Plugin:: Child Themes Helper
Plugin Slug:: child-themes-helper
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25093

Plugin:: Custom Comment Notifications
Plugin Slug:: custom-comment-notifications
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25154

Plugin:: Custom Links On Admin Dashboard Toolbar
Plugin Slug:: customize-wpadmin
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25135

Plugin:: CWD � Stealth Links
Plugin Slug:: cwd-stealth-links
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-22655

Plugin:: Easy Chart Builder for WordPress
Plugin Slug:: easy-chart-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25077

Plugin:: Easy Related Posts
Plugin Slug:: easy-related-posts
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25123

Plugin:: Easy WP Tiles
Plugin Slug:: easy-wp-tiles
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25073

Plugin:: Embed RSS
Plugin Slug:: embed-rss
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25081

Plugin:: External Video For Everybody
Plugin Slug:: external-video-for-everybody
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25097

Plugin:: Facilita Form Tracker
Plugin Slug:: facilita-form-tracker
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25128

Plugin:: Status Updater
Plugin Slug:: fb-status-updater
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25124

Plugin:: FlexIDX Home Search
Plugin Slug:: flexidx-home-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25082

Plugin:: Fyrebox Quizzes
Plugin Slug:: fyrebox-shortcode
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25125

Plugin:: Giga Messenger � Express
Plugin Slug:: giga-messenger-bots
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13328

Plugin:: GlobalQuran
Plugin Slug:: globalquran
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25143

Plugin:: Glossy
Plugin Slug:: glossy
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13325

Plugin:: URL-Preview-Box
Plugin Slug:: good-url-preview-box
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25104

Plugin:: Google Earth Embed
Plugin Slug:: google-earth-tours
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25078

Plugin:: Graceful Email Obfuscation
Plugin Slug:: graceful-email-obfuscation
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25076

Plugin:: iBuildApp
Plugin Slug:: ibuildapp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13326

Plugin:: Indeed API
Plugin Slug:: indeed-api
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25103

Plugin:: Infusionsoft Analytics
Plugin Slug:: infusionsoft-web-tracker
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25145

Plugin:: InLocation
Plugin Slug:: inlocation
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25166

Plugin:: JustRows free
Plugin Slug:: justrows-free
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13330

Plugin:: Event Kikfyre
Plugin Slug:: kikfyre-events-calendar-tickets
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25110

Plugin:: Kona Gallery Block
Plugin Slug:: kona-instagram-feed-for-gutenberg
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25080

Plugin:: Legull
Plugin Slug:: legull
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13352

Plugin:: LikeBot
Plugin Slug:: likebot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-0522

Plugin:: Link to URL / Post
Plugin Slug:: link-to-url-post
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25116

Plugin:: Links in Captions
Plugin Slug:: links-in-captions
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25098

Plugin:: Login-box
Plugin Slug:: login-box
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25149

Plugin:: Munk Sites
Plugin Slug:: munk-sites
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-25101

Plugin:: Musicbox
Plugin Slug:: musicbox
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13327

Plugin:: NextGen Cooliris Gallery
Plugin Slug:: nextgen-cooliris-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25091

Plugin:: OneStore Sites
Plugin Slug:: onestore-sites
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-25107

Plugin:: On Page SEO + Whatsapp Chat Button
Plugin Slug:: ops-robots-txt
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25138

Plugin:: Optimate Ads
Plugin Slug:: optimate-ads
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25136

Plugin:: Pop Up
Plugin Slug:: popup-seo-optimized
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25105

Plugin:: Quote Comments
Plugin Slug:: quote-comments
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25156

Plugin:: Read More Copy Link
Plugin Slug:: read-more-copy-link
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25148

Plugin:: Responsive iframe
Plugin Slug:: responsive-iframe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-12768

Plugin:: ReverbNation Widgets
Plugin Slug:: reverbnation-widgets
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25095

Plugin:: RSS in Page
Plugin Slug:: rss-in-page
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25096

Plugin:: Show notice or message on admin area
Plugin Slug:: show-notice-or-message-on-admin-area
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25075

Plugin:: Simple Add Pages or Posts
Plugin Slug:: simple-add-pages-or-posts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13850

Plugin:: Simple Auto Tag
Plugin Slug:: simple-auto-tag
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25153

Plugin:: Simple Select All Text Box
Plugin Slug:: simple-select-all-text-box
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25079

Plugin:: Simple User Profile
Plugin Slug:: simple-user-profile
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25140

Plugin:: Slide Banners
Plugin Slug:: slide-banners
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25120

Plugin:: Smart Countdown FX
Plugin Slug:: smart-countdown-fx
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25117

Plugin:: Smart DoFollow
Plugin Slug:: smart-dofollow
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25152

Plugin:: Songkick Concerts and Festivals
Plugin Slug:: songkick-concerts-and-festivals
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25146

Plugin:: Starter Templates by FancyWP
Plugin Slug:: starter-templates
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-25106

Plugin:: Style Tweaker
Plugin Slug:: style-tweaker
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25160

Plugin:: Theasys
Plugin Slug:: theasys
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25144

Plugin:: Theme Options Z
Plugin Slug:: theme-options-z
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25121

Plugin:: TransFinanz
Plugin Slug:: transfinanz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13332

Plugin:: Vignette Ads
Plugin Slug:: vignete-ads
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25071

Plugin:: VR-Frases
Plugin Slug:: vr-frases
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22636

Plugin:: WizShop
Plugin Slug:: wizshop
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25122

Plugin:: WP Admin Custom Page
Plugin Slug:: wp-admin-custom-page
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25072

Plugin:: WP Custom Post RSS Feed
Plugin Slug:: wp-custom-post-rss-feed
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25139

Plugin:: WP Directorybox Manager
Plugin Slug:: wp-directorybox-manager
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-0316

Plugin:: WP Dream Carousel
Plugin Slug:: wp-dream-carousel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13331

Plugin:: WP Email Newsletter
Plugin Slug:: wp-email-newsletter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13098

Plugin:: WP Finance
Plugin Slug:: wp-finance
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13097

Plugin:: WP Finance
Plugin Slug:: wp-finance
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13096

Plugin:: FoodBakery
Plugin Slug:: wp-foodbakery
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-0181

Plugin:: FoodBakery
Plugin Slug:: wp-foodbakery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13010

Plugin:: FoodBakery
Plugin Slug:: wp-foodbakery
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-13011

Plugin:: WP Keyword Monitor
Plugin Slug:: wp-keyword-monitor
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25088

Plugin:: WP Projects Portfolio
Plugin Slug:: wp-projects-portfolio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13115

Plugin:: WP Projects Portfolio
Plugin Slug:: wp-projects-portfolio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13114

Plugin:: WP SimpleWeather
Plugin Slug:: wp-simpleweather
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25085

Plugin:: WP Social Stream
Plugin Slug:: wp-social-stream
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25074

Plugin:: WP Spell Check
Plugin Slug:: wp-spell-check
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-25111

Plugin:: WP doodlez
Plugin Slug:: wpdoodlez
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25159

Plugin:: ZMSEO
Plugin Slug:: zmseo
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25126

Plugin:: WPForms � Easy Form Builder for WordPress � Contact Forms, Payment Forms, Surveys, & More
Plugin Slug:: wpforms-lite
Installations: 6,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.3.2
Severity Score:: Medium
CVE:: 2024-13403

Plugin:: Qi Addons For Elementor
Plugin Slug:: qi-addons-for-elementor
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.8
Severity Score:: Medium
CVE:: 2024-13699

Plugin:: Orbit Fox by ThemeIsle
Plugin Slug:: themeisle-companion
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.45
Severity Score:: Medium
CVE:: 2025-22659

Plugin:: The Plus Addons for Elementor � Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.0
Severity Score:: Medium
CVE:: 2024-11829

Plugin:: Import any XML, CSV or Excel File to WordPress
Plugin Slug:: wp-all-import
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.8.0
Severity Score:: Medium
CVE:: 2024-9661

Plugin:: Import any XML, CSV or Excel File to WordPress
Plugin Slug:: wp-all-import
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.8.0
Severity Score:: High
CVE:: 2024-9664

Plugin:: HT Mega � Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.2
Severity Score:: Medium
CVE:: 2024-12599

Plugin:: HT Mega � Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.7
Severity Score:: Medium
CVE:: 2024-12597

Plugin:: Post and Page Builder by BoldGrid � Visual Drag and Drop Editor
Plugin Slug:: post-and-page-builder
Installations: 70,000+
Vulnerability:: Path Traversal
Patched in Version:: 1.27.7
Severity Score:: Medium
CVE:: 2025-0859

Plugin:: Dynamic Conditions
Plugin Slug:: dynamicconditions
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.5
Severity Score:: Medium
CVE:: 2025-22642

Plugin:: DSGVO All in one for WP
Plugin Slug:: dsgvo-all-in-one-for-wp
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.7
Severity Score:: Medium
CVE:: 2024-13356

Plugin:: CURCY � Multi Currency for WooCommerce � The best free currency exchange plugin � Run smoothly on WooCommerce 9.x
Plugin Slug:: woo-multi-currency
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.2.6
Severity Score:: High
CVE:: 2024-13487

Plugin:: Better Messages � Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Plugin Slug:: bp-better-messages
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.0
Severity Score:: Medium
CVE:: 2024-13612

Plugin:: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory
Plugin Slug:: ean-for-woocommerce
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.4.0
Severity Score:: Medium
CVE:: 2025-22673

Plugin:: GeoDirectory � WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.98
Severity Score:: Medium
CVE:: 2024-13506

Plugin:: Sensei LMS � Online Courses, Quizzes, & Learning
Plugin Slug:: sensei-lms
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.24.4
Severity Score:: Medium
CVE:: 2025-0466

Plugin:: VikBooking Hotel Booking Engine & PMS
Plugin Slug:: vikbooking
Installations: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.7.3
Severity Score:: Medium
CVE:: 2025-22670

Plugin:: JS Help Desk � The Ultimate Help Desk & Support Plugin
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.8.9
Severity Score:: Medium
CVE:: 2024-13607

Plugin:: WP Job Portal � A Complete Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2024-13372

Plugin:: Survey Maker
Plugin Slug:: survey-maker
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.3.6
Severity Score:: Medium
CVE:: 2025-22664

Plugin:: B Slider- Gutenberg Slider Block for WP
Plugin Slug:: b-slider
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.24
Severity Score:: Medium
CVE:: 2024-13514

Plugin:: Product Blocks for WooCommerce
Plugin Slug:: product-blocks-for-woocommerce
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0
Severity Score:: Medium
CVE:: 2025-22674

Plugin:: aThemes Addons for Elementor
Plugin Slug:: athemes-addons-for-elementor-lite
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.9
Severity Score:: Medium
CVE:: 2025-22646

Plugin:: Medical Addon for Elementor
Plugin Slug:: medical-addon-for-elementor
Installations: 2,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.6.3
Severity Score:: Medium
CVE:: 2024-12046

Plugin:: SendPulse Email Marketing Newsletter
Plugin Slug:: sendpulse-email-marketing-newsletter
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.6
Severity Score:: Medium
CVE:: 2025-22662

Plugin:: WordPress form builder plugin for contact forms, surveys and quizzes � Tripetto
Plugin Slug:: tripetto
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.0.9
Severity Score:: Medium
CVE:: 2024-13829

Plugin:: Directory Listings WordPress plugin � uListing
Plugin Slug:: ulisting
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.1.7
Severity Score:: Critical
CVE:: 2025-25150

Plugin:: Directory Listings WordPress plugin � uListing
Plugin Slug:: ulisting
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.1.7
Severity Score:: High
CVE:: 2025-25151

Plugin:: SuperSaaS � online appointment scheduling
Plugin Slug:: supersaas-appointment-scheduling
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2025-0862

Plugin:: RapidLoad AI � Optimize Web Vitals Automatically
Plugin Slug:: unusedcss
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.5
Severity Score:: Medium
CVE:: 2025-22665

Plugin:: Include Mastodon Feed
Plugin Slug:: include-mastodon-feed
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.10
Severity Score:: Medium
CVE:: 2025-22660

Plugin:: Product Table For WooCommerce
Plugin Slug:: product-table-for-woocommerce
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.4
Severity Score:: Medium
CVE:: 2025-22638

Plugin:: Alert Box Block � Display notice/alerts in the front end.
Plugin Slug:: alert-box-block
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-22675

Plugin:: Uix Shortcodes
Plugin Slug:: uix-shortcodes
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2025-22677

Plugin:: Disable Elementor Editor Translation
Plugin Slug:: disable-elementor-editor-translation
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.3
Severity Score:: Medium
CVE:: 2025-22671

Plugin:: Listings for Appfolio
Plugin Slug:: listings-for-appfolio
Installations: 300+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.1
Severity Score:: High
CVE:: 2025-22658

Plugin:: Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets
Plugin Slug:: wpsyncsheets-woocommerce
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9
Severity Score:: Medium
CVE:: 2025-22667