WordPress Vulnerability Report � February 18, 2026

In this report, 190 vulnerabilities have been publicly disclosed. Security patches for 96 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 94 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9.1 was released on February 3, 2026, as a short-cycle maintenance update, addressing 49 bugs across WordPress Core and the Block Editor, including fixes affecting the editor, mail functionality, and classic themes. Sites with automatic background updates may already be updated. We recommend reviewing the details and updating as part of your regular maintenance cycle.

The next major WordPress release, version 7.0, is scheduled for April 9, 2026, during WordCamp Asia.

WordPress Plugins � 83 Patched / 75 Unpatched

Plugin:: ?????? ????? ??????? Persian WooCommerce SMS
Plugin Slug:: persian-woocommerce-sms
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22352

Plugin:: Link Whisper Free
Plugin Slug:: link-whisper
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22357

Plugin:: Real 3D Flipbook � 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder
Plugin Slug:: real3d-flipbook-lite
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2026-25423

Plugin:: WP FullCalendar
Plugin Slug:: wp-fullcalendar
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22351

Plugin:: Chatbot for WordPress by Collect.chat ??
Plugin Slug:: collectchat
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0736

Plugin:: Image Gallery
Plugin Slug:: new-image-gallery
Installations: 4,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22345

Plugin:: Banner Management, Product Slider, Product Carousel for WooCommerce
Plugin Slug:: banner-management-for-woocommerce
Installations: 2,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22354

Plugin:: Cliengo � Chatbot
Plugin Slug:: cliengo
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69388

Plugin:: Responsive Slideshow
Plugin Slug:: slider-responsive-slideshow
Installations: 2,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22346

Plugin:: OpenPix for WooCommerce
Plugin Slug:: openpix-for-woocommerce
Installations: 700+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15400

Plugin:: WooODT Lite � Delivery & pickup date time location for WooCommerce
Plugin Slug:: byconsole-woo-order-delivery-time
Installations: 600+
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69401

Plugin:: iMoney
Plugin Slug:: imoney
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69392

Plugin:: Magic Login Mail or QR Code
Plugin Slug:: magic-login-mail
Installations: 100+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2144

Plugin:: RVCFDI para Woocommerce
Plugin Slug:: rvcfdi-para-woocommerce
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69386

Plugin:: Visitor Maps Extended Referer Field
Plugin Slug:: visitor-maps-extended-referer-field
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69389

Plugin:: Simple Retail Menus
Plugin Slug:: simple-retail-menus
Installations: 90+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69387

Plugin:: Business Template Blocks for WPBakery (Visual Composer) Page Builder
Plugin Slug:: templates-and-addons-for-wpbakery-page-builder
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69390

Plugin:: WPshop 2 � E-Commerce
Plugin Slug:: wpshop
Installations: 70+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69383

Plugin:: OpenPOS Lite � Point of Sale for WooCommerce
Plugin Slug:: wpos-lite-version
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1826

Plugin:: Microtango
Plugin Slug:: microtango
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1821

Plugin:: Press3D
Plugin Slug:: press3d
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1985

Plugin:: Allow HTML in Category Descriptions
Plugin Slug:: allow-html-in-category-descriptions
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0693

Plugin:: AMP Enhancer – Compatibility Layer for Official AMP Plugin
Plugin Slug:: amp-enhancer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2027

Plugin:: Best-wp-google-map
Plugin Slug:: best-wp-google-map
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1096

Plugin:: BlueSnap Payment Gateway for WooCommerce
Plugin Slug:: bluesnap-payment-gateway-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-0692

Plugin:: Bookr
Plugin Slug:: bookr
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1932

Plugin:: Bravis Addons
Plugin Slug:: bravis-addons
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-69403

Plugin:: CallbackKiller service widget
Plugin Slug:: callbackkiller-service-widget
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1944

Plugin:: Category Image
Plugin Slug:: category-image
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0815

Plugin:: Citations tools
Plugin Slug:: citations-tools
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1912

Plugin:: Cnvrse
Plugin Slug:: cnvrse
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69394

Plugin:: Easy Voice Mail
Plugin Slug:: easy-voice-mail
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1164

Plugin:: IDE Micro code-editor
Plugin Slug:: flask-micro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1827

Plugin:: Flexi Product Slider and Grid for WooCommerce
Plugin Slug:: flexi-product-slider-grid
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1988

Plugin:: HTML Shortcodes
Plugin Slug:: html-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1809

Plugin:: Invoct � PDF Invoices & Billing for WooCommerce
Plugin Slug:: kirilkirkov-pdf-invoice-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1748

Plugin:: Link Hopper
Plugin Slug:: link-hopper
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15483

Plugin:: BuddyHolis ListSearch
Plugin Slug:: listsearch
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1853

Plugin:: MDirector Newsletter
Plugin Slug:: mdirector-newsletter
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14852

Plugin:: midi-Synth
Plugin Slug:: midi-synth
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1306

Plugin:: MMA Call Tracking
Plugin Slug:: mma-call-tracking
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1215

Plugin:: MailChimp Campaigns
Plugin Slug:: olalaweb-mailchimp-campaign-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1303

Plugin:: Payment Page
Plugin Slug:: payment-page
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0751

Plugin:: Percent to Infograph
Plugin Slug:: percent-to-infograph
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1939

Plugin:: personal-authors-category
Plugin Slug:: personal-authors-category
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1754

Plugin:: PhotoStack Gallery
Plugin Slug:: photostack-gallery
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-2024

Plugin:: Post Slides
Plugin Slug:: post-slides
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-15491

Plugin:: Prime Listing Manager
Plugin Slug:: prime-listing-manager
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-14892

Plugin:: QuestionPro Surveys
Plugin Slug:: questionpro-surveys
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1901

Plugin:: Ravelry Designs Widget
Plugin Slug:: ravelry-designs-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1903

Plugin:: Scheduler Widget
Plugin Slug:: scheduler-widget
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1987

Plugin:: SEATT: Simple Event Attendance
Plugin Slug:: simple-event-attendance
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1983

Plugin:: Simple Plyr
Plugin Slug:: simple-plyr
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1915

Plugin:: Simple Wp colorfull Accordion
Plugin Slug:: simple-wp-colorfull-accordion
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1904

Plugin:: Slideshow Wp
Plugin Slug:: slideshow-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1885

Plugin:: Smart Forms
Plugin Slug:: smart-forms
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2022

Plugin:: Sphere Manager
Plugin Slug:: sphere-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1905

Plugin:: Sudoku Shortcode
Plugin Slug:: sudoku-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Themesflat Elementor
Plugin Slug:: themesflat-elementor
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-69382

Plugin:: Timeline Event History
Plugin Slug:: timeline-event-history
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69384

Plugin:: Twitter posts to Blog
Plugin Slug:: twitter-posts-to-blog
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1786

Plugin:: ZoomifyWP Free
Plugin Slug:: tz-zoomifywp-free
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1187

Plugin:: UpMenu
Plugin Slug:: upmenu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1910

Plugin:: User Language Switch
Plugin Slug:: user-language-switch
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0735

Plugin:: User Language Switch
Plugin Slug:: user-language-switch
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0745

Plugin:: Videospirecore Theme
Plugin Slug:: videospirecore
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-15096

Plugin:: WaMate Confirm
Plugin Slug:: wamate-confirm
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1833

Plugin:: WDES Responsive Popup
Plugin Slug:: wdes-responsive-popup
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1804

Plugin:: WooCommerce Bulk Product Editor
Plugin Slug:: woocommerce-quick-product-editor
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69381

Plugin:: WP eCommerce
Plugin Slug:: wp-e-commerce
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1235

Plugin:: WP Quick Contact Us
Plugin Slug:: wp-quick-contact-us
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1394

Plugin:: WP Server Log Viewer
Plugin Slug:: wp-server-log-viewer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2019-25315

Plugin:: Upload Files Anywhere
Plugin Slug:: wp-upload-files-anywhere
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69380

Plugin:: Upload Files Anywhere
Plugin Slug:: wp-upload-files-anywhere
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69379

Plugin:: WPlyr Media Block
Plugin Slug:: wplyr-media-block
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0724

Plugin:: Yoast Duplicate Post
Plugin Slug:: duplicate-post
Installations: 4,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.4
Severity Score:: Medium
CVE:: 2019-25314

Plugin:: Essential Addons for Elementor � Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.10
Severity Score:: Medium
CVE:: 2026-1512

Plugin:: Migration, Backup, Staging � WPvivid Backup & Migration
Plugin Slug:: wpvivid-backuprestore
Installations: 900,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.9.124
Severity Score:: Critical
CVE:: 2026-1357

Plugin:: Fluent Forms � Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.15
Severity Score:: Medium
CVE:: 2026-0996

Plugin:: Forminator Forms � Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.50.3
Severity Score:: Medium
CVE:: 2026-2002

Plugin:: Kadence Blocks � Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.0
Severity Score:: Medium

Plugin:: Ninja Forms � The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 600,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.14.1
Severity Score:: High
CVE:: 2026-2268

Plugin:: Converter for Media � Optimize images | Convert WebP & AVIF
Plugin Slug:: webp-converter-for-media
Installations: 500,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 6.5.2
Severity Score:: High
CVE:: 2026-1356

Plugin:: SureForms � Contact Form, Payment Form & Other Custom Form Builder
Plugin Slug:: sureforms
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.2
Severity Score:: High

Plugin:: Backup Migration
Plugin Slug:: backup-backup
Installations: 100,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.4.0
Severity Score:: High
CVE:: 2023-7002

Plugin:: Beaver Builder Page Builder � Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.0.6
Severity Score:: Medium
CVE:: 2026-1231

Plugin:: Gallery by FooGallery
Plugin Slug:: foogallery
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.10
Severity Score:: Medium
CVE:: 2025-15524

Plugin:: LatePoint � Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.2.6
Severity Score:: Medium
CVE:: 2025-14873

Plugin:: LatePoint � Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.2.7
Severity Score:: Medium
CVE:: 2026-1537

Plugin:: LatePoint � Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.6
Severity Score:: High
CVE:: 2026-0617

Plugin:: Modula Image Gallery � Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.13.7
Severity Score:: Medium
CVE:: 2026-1254

Plugin:: Mollie Payments for WooCommerce
Plugin Slug:: mollie-payments-for-woocommerce
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.1.2
Severity Score:: High
CVE:: 2025-68501

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.98.0
Severity Score:: High
CVE:: 2026-1316

Plugin:: SlimStat Analytics
Plugin Slug:: wp-slimstat
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.3.2
Severity Score:: High
CVE:: 2025-13431

Plugin:: Auto Featured Image (Auto Post Thumbnail)
Plugin Slug:: auto-post-thumbnail
Installations: 50,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.2.0
Severity Score:: Medium
CVE:: 2023-7073

Plugin:: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Plugin Slug:: popup-builder-block
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2025-14895

Plugin:: WP-Members Membership Plugin
Plugin Slug:: wp-members
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.9
Severity Score:: Medium
CVE:: 2023-6733

Plugin:: Calculated Fields Form
Plugin Slug:: calculated-fields-form
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.4.4.2
Severity Score:: Medium
CVE:: 2026-25368

Plugin:: Easy Social Feed � Social Photos Gallery and Post Feed for WordPress
Plugin Slug:: easy-facebook-likebox
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.3
Severity Score:: Medium
CVE:: 2023-6883

Plugin:: Master Addons For Elementor � White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6.2
Severity Score:: High
CVE:: 2024-5542

Plugin:: WP Last Modified Info
Plugin Slug:: wp-last-modified-info
Installations: 30,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.9.6
Severity Score:: Medium
CVE:: 2025-14608

Plugin:: Jetpack CRM � Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Plugin Slug:: zero-bs-crm
Installations: 30,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 6.7.1
Severity Score:: High
CVE:: 2026-22356

Plugin:: Alt Text AI � Automatically generate image alt text for SEO and accessibility
Plugin Slug:: alttext-ai
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.10.18
Severity Score:: Medium
CVE:: 2026-25348

Plugin:: Custom Block Builder � Lazy Blocks
Plugin Slug:: lazy-blocks
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 4.2.1
Severity Score:: High
CVE:: 2026-1560

Plugin:: MP3 Audio Player � Music Player, Podcast Player & Radio by Sonaar
Plugin Slug:: mp3-music-player-by-sonaar
Installations: 20,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.11
Severity Score:: Medium
CVE:: 2026-1249

Plugin:: New User Approve
Plugin Slug:: new-user-approve
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.1
Severity Score:: High
CVE:: 2025-69063

Plugin:: Secure Copy Content Protection and Content Locking
Plugin Slug:: secure-copy-content-protection
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.9
Severity Score:: High
CVE:: 2026-1320

Plugin:: The Events Calendar Shortcode & Block
Plugin Slug:: the-events-calendar-shortcode
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.3
Severity Score:: Medium
CVE:: 2026-1922

Plugin:: WCFM � Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug:: wc-frontend-manager
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.7.25
Severity Score:: High
CVE:: 2026-0845

Plugin:: WCFM Marketplace � Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 20,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.7.1
Severity Score:: Medium
CVE:: 2026-1722

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.4.14
Severity Score:: High
CVE:: 2026-0910

Plugin:: WPZOOM Addons for Elementor � Starter Templates & Widgets
Plugin Slug:: wpzoom-elementor-addons
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2026-2295

Plugin:: Passster � Password Protect Pages and Content
Plugin Slug:: content-protector
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.26
Severity Score:: Medium
CVE:: 2026-25036

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.12
Severity Score:: Medium
CVE:: 2026-0559

Plugin:: Media Library Folders
Plugin Slug:: media-library-plus
Installations: 10,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 8.3.7
Severity Score:: Medium
CVE:: 2026-2312

Plugin:: myCred � Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
Plugin Slug:: mycred
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.7.4
Severity Score:: Medium
CVE:: 2026-0550

Plugin:: Open User Map
Plugin Slug:: open-user-map
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.4.17
Severity Score:: Medium
CVE:: 2025-68002

Plugin:: Paid Membership Subscriptions � Effortless Memberships, Recurring Payments & Content Restriction
Plugin Slug:: paid-member-subscriptions
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.16.9
Severity Score:: Medium
CVE:: 2025-68514

Plugin:: WCFM Membership � WooCommerce Memberships for Multivendor Marketplace
Plugin Slug:: wc-multivendor-membership
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.11.9
Severity Score:: Medium
CVE:: 2025-15147

Plugin:: WP Data Access � No-Code App Builder with Tables, Forms, Charts & Maps
Plugin Slug:: wp-data-access
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.64
Severity Score:: Medium
CVE:: 2026-0557

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.0.7.2
Severity Score:: Medium
CVE:: 2026-0929

Plugin:: JS Help Desk � AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.0.2
Severity Score:: High
CVE:: 2026-24959

Plugin:: NEX-Forms � Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.8
Severity Score:: High
CVE:: 2025-69326

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.8.5
Severity Score:: Medium
CVE:: 2026-1657

Plugin:: Download Manager Addons for Elementor
Plugin Slug:: wpdm-elementor
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.0.0
Severity Score:: Critical
CVE:: 2026-24956

Plugin:: YayCurrency � WooCommerce Multi-Currency Switcher
Plugin Slug:: yaycurrency
Installations: 7,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 3.3.1
Severity Score:: High
CVE:: 2025-67994

Plugin:: Mail Mint � Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more
Plugin Slug:: mail-mint
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.19.3
Severity Score:: High
CVE:: 2026-1258

Plugin:: FastDup � Fastest WordPress Migration & Duplicator
Plugin Slug:: fastdup
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.2
Severity Score:: High
CVE:: 2026-1104

Plugin:: Simple File List
Plugin Slug:: simple-file-list
Installations: 5,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 6.1.16
Severity Score:: Medium
CVE:: 2026-24953

Plugin:: Name Directory
Plugin Slug:: name-directory
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.32.1
Severity Score:: High
CVE:: 2026-1866

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7287

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7288

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7289

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7290

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7292

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7293

Plugin:: Accordion and Accordion Slider
Plugin Slug:: accordion-and-accordion-slider
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.6
Severity Score:: Medium
CVE:: 2026-0727

Plugin:: Easy Form Builder by WhiteStudio � Drag & Drop Form Builder
Plugin Slug:: easy-form-builder
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.4
Severity Score:: Medium
CVE:: 2025-14067

Plugin:: Modal Popup Box: A Flexible Pop Up Box Builder
Plugin Slug:: modal-popup-box
Installations: 2,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.2
Severity Score:: High
CVE:: 2025-68526

Plugin:: Visual Feedback, Review & AI Collaboration Tool For WordPress � Atarim
Plugin Slug:: atarim-visual-collaboration
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2025-67993

Plugin:: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Plugin Slug:: booking-and-rental-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.6.0
Severity Score:: High
CVE:: 2025-69328

Plugin:: PDF for Elementor Forms + Drag And Drop Template Builder
Plugin Slug:: pdf-for-elementor-forms
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.0
Severity Score:: Medium
CVE:: 2026-22350

Plugin:: PDF for WPForms + Drag and Drop Template Builder
Plugin Slug:: pdf-for-wpforms
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.3.1
Severity Score:: Medium
CVE:: 2025-68534

Plugin:: Lucky Wheel Giveaway
Plugin Slug:: wp-lucky-wheel
Installations: 600+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.0.23
Severity Score:: Critical
CVE:: 2025-14541

Plugin:: Primer MyData for Woocommerce
Plugin Slug:: primer-mydata
Installations: 100+
Vulnerability:: Path Traversal
Patched in Version:: 4.2.9
Severity Score:: Medium
CVE:: 2025-69325

Plugin:: Activity Log for WordPress
Plugin Slug:: winterlock
Installations: 70+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.9
Severity Score:: Medium
CVE:: 2026-1671

Plugin:: Orbisius Random Name Generator
Plugin Slug:: orbisius-random-name-generator
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.3
Severity Score:: Medium
CVE:: 2026-1893

Plugin:: Tune Library
Plugin Slug:: tune-library
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.4
Severity Score:: Medium
CVE:: 2026-1401

Plugin:: BFG Tools � Extension Zipper
Plugin Slug:: bfg-tools-extension-zipper
Vulnerability:: Path Traversal
Patched in Version:: 1.0.8
Severity Score:: Medium
CVE:: 2025-13681

Plugin:: Fluent Forms Pro Add On Pack
Plugin Slug:: fluentformpro
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 6.1.13
Severity Score:: Medium
CVE:: 2026-0632

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.1
Severity Score:: High
CVE:: 2025-68495

Plugin:: Miraculous Elementor
Plugin Slug:: miraculous-el
Vulnerability:: Broken Authentication
Patched in Version:: 2.0.8
Severity Score:: High
CVE:: 2025-67998

Plugin:: StickEasy Protected Contact Form
Plugin Slug:: stickeasy-protected-contact-form
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.2
Severity Score:: Medium
CVE:: 2025-13973

Plugin:: Truelysell Core
Plugin Slug:: truelysell-core
Vulnerability:: Privilege Escalation
Patched in Version:: 1.8.8
Severity Score:: Critical
CVE:: 2025-8572

Plugin:: Uni CPO (Premium)
Plugin Slug:: uni-woo-custom-product-options-premium
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.61
Severity Score:: Medium
CVE:: 2025-13391

Plugin:: Whizz Plugins
Plugin Slug:: whizz-plugins
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.0
Severity Score:: High
CVE:: 2026-24955

Plugin:: WooCommerce Coming Soon Product with Countdown
Plugin Slug:: woo-coming-soon-product
Vulnerability:: Local File Inclusion
Patched in Version:: 5.1
Severity Score:: High
CVE:: 2025-68552

Plugin:: User Extra Fields
Plugin Slug:: wp-user-extra-fields
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 16.9
Severity Score:: High
CVE:: 2025-67991

WordPress Themes � 13 Patched / 19 Unpatched

Theme:: Diamond
Theme Slug:: diamond
Downloads: 37,609
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69391

Theme:: WordPress Dating Theme
Theme Slug:: DA10
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22343

Theme:: Belletrist
Theme Slug:: belletrist
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69410

Theme:: Cartify – WooCommerce Gutenberg WordPress Theme
Theme Slug:: cartify
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69385

Theme:: Cobble
Theme Slug:: cobble
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69399

Theme:: Extreme Store
Theme Slug:: extremestore
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-69404

Theme:: Exzo
Theme Slug:: exzo
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69393

Theme:: FiveStar
Theme Slug:: fivestar
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22344

Theme:: FreightCo
Theme Slug:: freightco
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69406

Theme:: Gable
Theme Slug:: gable
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69395

Theme:: HealthFirst
Theme Slug:: healthfirst
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69408

Theme:: Lorem Ipsum | Books & Media Store
Theme Slug:: lorem-ipsum-books-media-store
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-69405

Theme:: PJ | Life & Business Coaching
Theme Slug:: pj
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69409

Theme:: Plank
Theme Slug:: plank
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69398

Theme:: R&F
Theme Slug:: rf
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69402

Theme:: Splendour
Theme Slug:: splendour
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69396

Theme:: Struktur
Theme Slug:: struktur
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69407

Theme:: Tint
Theme Slug:: tint
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69397

Theme:: Yokoo
Theme Slug:: yokoo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69400

Theme:: AdForest
Theme Slug:: adforest
Vulnerability:: Broken Authentication
Patched in Version:: 6.0.13
Severity Score:: Critical
CVE:: 2026-1729

Theme:: Diza
Theme Slug:: diza
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.16
Severity Score:: High
CVE:: 2025-68543

Theme:: Fana
Theme Slug:: fana
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.36
Severity Score:: High
CVE:: 2025-68539

Theme:: Ippsum
Theme Slug:: ippsum
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2.1
Severity Score:: Critical
CVE:: 2025-68541

Theme:: Nestin
Theme Slug:: nestin
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2.6
Severity Score:: Critical
CVE:: 2025-67996

Theme:: Nika
Theme Slug:: nika
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.15
Severity Score:: High
CVE:: 2025-68545

Theme:: CitiLights
Theme Slug:: noo-citilights
Vulnerability:: Broken Access Control
Patched in Version:: 3.7.2
Severity Score:: Medium
CVE:: 2026-25367

Theme:: PatioTime
Theme Slug:: patiotime
Vulnerability:: PHP Object Injection
Patched in Version:: 2.1
Severity Score:: Critical
CVE:: 2025-67995

Theme:: PatioTime
Theme Slug:: patiotime
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1
Severity Score:: High
CVE:: 2025-67992

Theme:: Prestige
Theme Slug:: prestige
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.1
Severity Score:: High
CVE:: 2025-69330

Theme:: Prestige
Theme Slug:: prestige
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4.1
Severity Score:: Critical
CVE:: 2025-69329

Theme:: Travelicious
Theme Slug:: travelicious
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.7
Severity Score:: Critical
CVE:: 2025-67997

Theme:: Zota
Theme Slug:: zota
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.15
Severity Score:: High
CVE:: 2025-68536