WordPress Vulnerability Report � February 25, 2026

In this report, 244 vulnerabilities have been publicly disclosed. Security patches for 164 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 80 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 7.0 Beta 1 is now available for testing. As this is a pre-release version, it is intended for testing and development only and should not be installed on production or mission-critical sites. Organizations should use local or staging environments to evaluate compatibility and new features before the final rollout.

The full release of WordPress 7.0 is currently scheduled for April 9, 2026. You can find the complete release schedule and technical testing details in the official announcement.

WordPress Plugins � 156 Patched / 49 Unpatched

Plugin:: SiteGuard WP Plugin
Plugin Slug:: siteguard
Installations: 500,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-27411

Plugin:: Link Whisper Free
Plugin Slug:: link-whisper
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22357

Plugin:: Wholesale Suite � B2B, Dynamic Pricing & WooCommerce Wholesale Prices
Plugin Slug:: woocommerce-wholesale-prices
Installations: 20,000+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27541

Plugin:: Banner Management, Product Slider, Product Carousel for WooCommerce
Plugin Slug:: banner-management-for-woocommerce
Installations: 2,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22354

Plugin:: Frontend File Manager Plugin
Plugin Slug:: nmedia-user-file-uploader
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0829

Plugin:: Premmerce
Plugin Slug:: premmerce
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0555

Plugin:: Prodigy Commerce
Plugin Slug:: prodigy-commerce
Installations: 100+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-0926

Plugin:: TalkJS
Plugin Slug:: talkjs
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1055

Plugin:: Filestack
Plugin Slug:: filepicker-media-uploader
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13959

Plugin:: Address Bar Ads
Plugin Slug:: address-bar-ads
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1795

Plugin:: Advance Block Extend
Plugin Slug:: advance-block-extend
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1646

Plugin:: Applay – Shortcodes
Plugin Slug:: applay-shortcodes
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-22384

Plugin:: BlueSnap Payment Gateway for WooCommerce
Plugin Slug:: bluesnap-payment-gateway-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-0692

Plugin:: Clasifico Listing
Plugin Slug:: clasifico-listing
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12882

Plugin:: Country Blocker for AdSense
Plugin Slug:: country-blocker-for-adsense
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13413

Plugin:: Dealia � Request a quote
Plugin Slug:: dealia-request-a-quote
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2718

Plugin:: Dealia � Request a quote
Plugin Slug:: dealia-request-a-quote
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2504

Plugin:: DesignThemes Booking Manager
Plugin Slug:: designthemes-booking-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27388

Plugin:: DesignThemes Directory Addon
Plugin Slug:: designthemes-directory-addon
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27386

Plugin:: Directory Pro
Plugin Slug:: directory-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27396

Plugin:: Eagle Booking
Plugin Slug:: eagle-booking
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27428

Plugin:: Easy Author Image
Plugin Slug:: easy-author-image
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1373

Plugin:: Geo Widget
Plugin Slug:: geowidget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1792

Plugin:: iXML
Plugin Slug:: ixml
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14076

Plugin:: MP-Ukagaka
Plugin Slug:: mp-ukagaka
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1643

Plugin:: News Element Elementor Blog Magazine
Plugin Slug:: news-element
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2284

Plugin:: Page Title, Description & Open Graph Updater
Plugin Slug:: page-title-description-open-graph-updater
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13438

Plugin:: personal-authors-category
Plugin Slug:: personal-authors-category
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1754

Plugin:: Profile Builder Pro
Plugin Slug:: profile-builder-pro
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27413

Plugin:: Really Simple Security Pro
Plugin Slug:: really-simple-ssl-pro
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-27397

Plugin:: Remove Post Type Slug
Plugin Slug:: remove-post-type-slug
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14167

Plugin:: salavat counter
Plugin Slug:: salavat-counter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1047

Plugin:: Slider Future
Plugin Slug:: slider-future
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1405

Plugin:: Slidorion
Plugin Slug:: slidorion
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2282

Plugin:: StyleBidet
Plugin Slug:: stylebidet
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1796

Plugin:: Subitem AL Slider
Plugin Slug:: subitem-al-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1634

Plugin:: Super Simple Contact Form
Plugin Slug:: super-simple-contact-form
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-0753

Plugin:: Tennis Court Bookings
Plugin Slug:: tennis-court-bookings
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1044

Plugin:: Toret Manager
Plugin Slug:: toret-manager
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0912

Plugin:: WeDesignTech Ultimate Booking Addon
Plugin Slug:: wedesigntech-ultimate-booking-addon
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27389

Plugin:: WeDesignTech Ultimate Booking Addon
Plugin Slug:: wedesigntech-ultimate-booking-addon
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27390

Plugin:: Whatsiplus Scheduled Notification for Woocommerce
Plugin Slug:: whatsiplus-scheduled-notification-for-woocommerce
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1455

Plugin:: Woocommerce Wholesale Lead Capture
Plugin Slug:: woocommerce-wholesale-lead-capture
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27542

Plugin:: Woocommerce Wholesale Lead Capture
Plugin Slug:: woocommerce-wholesale-lead-capture
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27540

Plugin:: WP AUDIO GALLERY
Plugin Slug:: wp-audio-gallery
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13603

Plugin:: Client Testimonial Slider
Plugin Slug:: wp-client-testimonial
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2716

Plugin:: LiquidPoll
Plugin Slug:: wp-poll
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-7134

Plugin:: xmlrpc attacks blocker
Plugin Slug:: xmlrpc-attacks-blocker
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2502

Plugin:: XO Event Calendar
Plugin Slug:: xo-event-calendar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0556

Plugin:: Complianz � GDPR/CCPA Cookie Consent
Plugin Slug:: complianz-gdpr
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.4
Severity Score:: Medium
CVE:: 2025-11185

Plugin:: Image Optimizer � Optimize Images and Convert to WebP or AVIF
Plugin Slug:: image-optimization
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.2
Severity Score:: Medium
CVE:: 2026-25387

Plugin:: Breadcrumb NavXT
Plugin Slug:: breadcrumb-navxt
Installations: 800,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.5.1
Severity Score:: Medium
CVE:: 2025-13842

Plugin:: Easy Table of Contents
Plugin Slug:: easy-table-of-contents
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.79
Severity Score:: Medium
CVE:: 2025-13738

Plugin:: Fluent Forms � Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.20
Severity Score:: Medium
CVE:: 2024-6703

Plugin:: Forminator Forms � Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.50.3
Severity Score:: Medium
CVE:: 2026-2002

Plugin:: Kadence Blocks � Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2026-2633

Plugin:: Kadence Blocks � Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2026-1857

Plugin:: BackWPup � WordPress Backup & Restore Plugin
Plugin Slug:: backwpup
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.6.3
Severity Score:: High
CVE:: 2025-15041

Plugin:: PixelYourSite � Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.2.0.2
Severity Score:: High
CVE:: 2026-27072

Plugin:: PixelYourSite � Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.2.0.1
Severity Score:: High
CVE:: 2026-1841

Plugin:: Converter for Media � Optimize images | Convert WebP & AVIF
Plugin Slug:: webp-converter-for-media
Installations: 500,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 6.5.2
Severity Score:: High
CVE:: 2026-1356

Plugin:: Ally � Web Accessibility & Usability
Plugin Slug:: pojo-accessibility
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.3
Severity Score:: Medium
CVE:: 2026-25386

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 400,000+
Vulnerability:: Content Injection
Patched in Version:: 1.71.0
Severity Score:: Medium
CVE:: 2026-2127

Plugin:: Formidable Forms � Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Plugin Slug:: formidable
Installations: 300,000+
Vulnerability:: Content Injection
Patched in Version:: 6.7.1
Severity Score:: Medium
CVE:: 2023-6830

Plugin:: PDF Invoices & Packing Slips for WooCommerce
Plugin Slug:: woocommerce-pdf-invoices-packing-slips
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.0
Severity Score:: Medium
CVE:: 2026-1906

Plugin:: Popup Builder � Create highly converting, mobile friendly marketing popups.
Plugin Slug:: popup-builder
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2025-13079

Plugin:: Ultimate Member � User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.2
Severity Score:: High
CVE:: 2026-1404

Plugin:: Advanced Ads ��Ad Manager & AdSense
Plugin Slug:: advanced-ads
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.15
Severity Score:: Medium
CVE:: 2025-12884

Plugin:: Advanced Custom Fields: Font Awesome Field
Plugin Slug:: advanced-custom-fields-font-awesome
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.2
Severity Score:: Medium
CVE:: 2025-14983

Plugin:: Aruba HiSpeed Cache
Plugin Slug:: aruba-hispeed-cache
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.3
Severity Score:: Medium
CVE:: 2025-11725

Plugin:: Aruba HiSpeed Cache
Plugin Slug:: aruba-hispeed-cache
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.3
Severity Score:: High
CVE:: 2025-11706

Plugin:: Aruba HiSpeed Cache
Plugin Slug:: aruba-hispeed-cache
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.5
Severity Score:: Medium
CVE:: 2026-23545

Plugin:: Backup Migration
Plugin Slug:: backup-backup
Installations: 100,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.4.0
Severity Score:: High
CVE:: 2023-7002

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.47
Severity Score:: High
CVE:: 2026-1666

Plugin:: Brevo � Email, SMS, Web Push, Chat, and more.
Plugin Slug:: mailin
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2025-14799

Plugin:: The Plus Addons for Elementor � Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.4.8
Severity Score:: Medium
CVE:: 2026-2386

Plugin:: VK All in One Expansion Unit
Plugin Slug:: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.112.4
Severity Score:: Medium
CVE:: 2025-11737

Plugin:: WP All Export � Drag & Drop Export to Any Custom CSV, XML & Excel
Plugin Slug:: wp-all-export
Installations: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.4.15
Severity Score:: Low
CVE:: 2026-1582

Plugin:: Razorpay for WooCommerce
Plugin Slug:: woo-razorpay
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.9
Severity Score:: Medium
CVE:: 2025-14294

Plugin:: Checkout Field Manager (Checkout Manager) for WooCommerce
Plugin Slug:: woocommerce-checkout-manager
Installations: 90,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 7.8.6
Severity Score:: High
CVE:: 2025-13930

Plugin:: Checkout Field Manager (Checkout Manager) for WooCommerce
Plugin Slug:: woocommerce-checkout-manager
Installations: 90,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.8.2
Severity Score:: Medium
CVE:: 2025-12500

Plugin:: ShopLentor � All-in-One WooCommerce Growth & Store Enhancement Plugin
Plugin Slug:: woolentor-addons
Installations: 90,000+
Vulnerability:: Content Injection
Patched in Version:: 3.3.3
Severity Score:: High
CVE:: 2026-1714

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.98.0
Severity Score:: High
CVE:: 2026-1316

Plugin:: StatCounter � Free Real Time Visitor Stats
Plugin Slug:: official-statcounter-plugin-for-wordpress
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2025-13048

Plugin:: Product Feed Manager for WooCommerce � CTX Feed � Support 220+ Shopping & Social Channels
Plugin Slug:: webappick-product-feed-for-woocommerce
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.6.12
Severity Score:: High
CVE:: 2025-12975

Plugin:: Mailchimp List Subscribe Form
Plugin Slug:: mailchimp
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2025-12172

Plugin:: Mesmerize Companion
Plugin Slug:: mesmerize-companion
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.162
Severity Score:: Medium
CVE:: 2025-12027

Plugin:: ACF Photo Gallery Field
Plugin Slug:: navz-photo-gallery
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1
Severity Score:: Medium
CVE:: 2025-12081

Plugin:: WP Maps � Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.8.7
Severity Score:: High
CVE:: 2025-12062

Plugin:: Zarinpal Gateway
Plugin Slug:: zarinpal-woocommerce-payment-gateway
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.17
Severity Score:: High
CVE:: 2026-2592

Plugin:: Auto Featured Image (Auto Post Thumbnail)
Plugin Slug:: auto-post-thumbnail
Installations: 50,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.2.0
Severity Score:: Medium
CVE:: 2023-7073

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.7.5
Severity Score:: Medium
CVE:: 2026-1942

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 10.14.15
Severity Score:: Medium
CVE:: 2026-2230

Plugin:: Printful Integration for WooCommerce
Plugin Slug:: printful-shipping-for-woocommerce
Installations: 50,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.2.12
Severity Score:: Medium
CVE:: 2025-12375

Plugin:: Advanced AJAX Product Filters
Plugin Slug:: woocommerce-ajax-filters
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.1.9.7
Severity Score:: High
CVE:: 2026-1426

Plugin:: Super Page Cache
Plugin Slug:: wp-cloudflare-page-cache
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.3
Severity Score:: High
CVE:: 2026-1843

Plugin:: WP-Members Membership Plugin
Plugin Slug:: wp-members
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.9
Severity Score:: Medium
CVE:: 2023-6733

Plugin:: RSS Aggregator � RSS Import, News Feeds, Feed to Post, and Autoblogging
Plugin Slug:: wp-rss-aggregator
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.11
Severity Score:: High
CVE:: 2026-1216

Plugin:: YayMail � WooCommerce Email Customizer
Plugin Slug:: yaymail
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Low
CVE:: 2026-1938

Plugin:: YayMail � WooCommerce Email Customizer
Plugin Slug:: yaymail
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Low
CVE:: 2026-1831

Plugin:: YayMail � WooCommerce Email Customizer
Plugin Slug:: yaymail
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.3
Severity Score:: Medium
CVE:: 2026-1943

Plugin:: YayMail � WooCommerce Email Customizer
Plugin Slug:: yaymail
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: High
CVE:: 2026-1937

Plugin:: Calculated Fields Form
Plugin Slug:: calculated-fields-form
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.4.4.2
Severity Score:: Medium
CVE:: 2026-25368

Plugin:: Easy SVG Support
Plugin Slug:: easy-svg
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1
Severity Score:: Medium
CVE:: 2025-12451

Plugin:: OneClick Chat to Order
Plugin Slug:: oneclick-whatsapp-order
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.0
Severity Score:: Low
CVE:: 2025-14270

Plugin:: Simple Membership
Plugin Slug:: simple-membership
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.1
Severity Score:: Medium
CVE:: 2026-1461

Plugin:: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Plugin Slug:: wp-simple-firewall
Installations: 40,000+
Vulnerability:: SQL Injection
Patched in Version:: 21.0.10
Severity Score:: Critical
CVE:: 2026-0722

Plugin:: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Plugin Slug:: wp-simple-firewall
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 21.0.10
Severity Score:: High
CVE:: 2026-0561

Plugin:: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Plugin Slug:: wp-simple-firewall
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 21.0.10
Severity Score:: Medium
CVE:: 2025-14427

Plugin:: Image Hotspot by DevVN
Plugin Slug:: devvn-image-hotspot
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2025-14445

Plugin:: Easy Social Feed � Social Photos Gallery and Post Feed for WordPress
Plugin Slug:: easy-facebook-likebox
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.3
Severity Score:: Medium
CVE:: 2023-6883

Plugin:: Master Addons For Elementor � White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2026-2486

Plugin:: SEO Plugin by Squirrly SEO
Plugin Slug:: squirrly-seo
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 12.4.15
Severity Score:: Medium
CVE:: 2025-14342

Plugin:: Product Addons for Woocommerce � Product Options with Custom Fields
Plugin Slug:: woo-custom-product-addons
Installations: 30,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.1.1
Severity Score:: High
CVE:: 2026-2296

Plugin:: WP 404 Auto Redirect to Similar Post
Plugin Slug:: wp-404-auto-redirect-to-similar-post
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2025-12037

Plugin:: Jetpack CRM � Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Plugin Slug:: zero-bs-crm
Installations: 30,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 6.7.1
Severity Score:: High
CVE:: 2026-22356

Plugin:: Apollo13 Framework Extensions
Plugin Slug:: apollo13-framework-extensions
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.9
Severity Score:: Medium
CVE:: 2025-13617

Plugin:: Image Photo Gallery Final Tiles Grid
Plugin Slug:: final-tiles-grid-gallery-lite
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.11
Severity Score:: Medium
CVE:: 2026-25375

Plugin:: Kali Forms � Contact Form & Drag-and-Drop Builder
Plugin Slug:: kali-forms
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.4.9
Severity Score:: Medium
CVE:: 2026-1860

Plugin:: MP3 Audio Player � Music Player, Podcast Player & Radio by Sonaar
Plugin Slug:: mp3-music-player-by-sonaar
Installations: 20,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.11
Severity Score:: Medium
CVE:: 2026-1219

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7.1.8
Severity Score:: Medium
CVE:: 2026-2384

Plugin:: Secure Copy Content Protection and Content Locking
Plugin Slug:: secure-copy-content-protection
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.9
Severity Score:: High
CVE:: 2026-1320

Plugin:: Smartsupp � live chat, AI shopping assistant and chatbots
Plugin Slug:: smartsupp-live-chat
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.2
Severity Score:: Medium
CVE:: 2025-12448

Plugin:: Video Conferencing with Zoom
Plugin Slug:: video-conferencing-with-zoom-api
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.6.6
Severity Score:: High
CVE:: 2026-1368

Plugin:: WP Customer Reviews
Plugin Slug:: wp-customer-reviews
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.6
Severity Score:: High
CVE:: 2025-14452

Plugin:: WP Import � Ultimate CSV XML Importer for WordPress
Plugin Slug:: wp-ultimate-csv-importer
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.38
Severity Score:: High
CVE:: 2026-1317

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.4.15
Severity Score:: Critical
CVE:: 2026-1581

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.4.14
Severity Score:: High
CVE:: 2026-0910

Plugin:: Web Accessibility by accessiBe
Plugin Slug:: accessibe
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.12
Severity Score:: Medium
CVE:: 2025-13113

Plugin:: Business Directory Plugin � Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.4.21
Severity Score:: Medium
CVE:: 2026-1656

Plugin:: Business Directory Plugin � Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 6.4.22
Severity Score:: Critical
CVE:: 2026-2576

Plugin:: Classified Listing � AI-Powered Classified ads & Business Directory Plugin
Plugin Slug:: classified-listing
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.3.5
Severity Score:: Medium
CVE:: 2026-23546

Plugin:: Cookie Banner for GDPR / CCPA � WPLP Cookie Consent
Plugin Slug:: gdpr-cookie-consent
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.3
Severity Score:: High
CVE:: 2025-11754

Plugin:: Groups
Plugin Slug:: groups
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.11.0
Severity Score:: Medium
CVE:: 2026-0549

Plugin:: Open User Map
Plugin Slug:: open-user-map
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.4.17
Severity Score:: Medium
CVE:: 2025-68002

Plugin:: Membership Plugin � Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.19
Severity Score:: Medium
CVE:: 2026-1304

Plugin:: Two Factor (2FA) Authentication via Email
Plugin Slug:: two-factor-2fa-via-email
Installations: 10,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.9.9
Severity Score:: Medium
CVE:: 2025-13587

Plugin:: URL Shortify � Simple and Easy URL Shortener
Plugin Slug:: url-shortify
Installations: 10,000+
Vulnerability:: Open Redirection
Patched in Version:: 1.12.2
Severity Score:: Medium
CVE:: 2026-1277

Plugin:: URL Shortify � Simple and Easy URL Shortener
Plugin Slug:: url-shortify
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.12.4
Severity Score:: Medium
CVE:: 2026-25385

Plugin:: User Submitted Posts � Enable Users to Submit Posts from the Front End
Plugin Slug:: user-submitted-posts
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 20260217
Severity Score:: Medium
CVE:: 2026-2126

Plugin:: Product Table and List Builder for WooCommerce Lite
Plugin Slug:: wc-product-table-lite
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.6.3
Severity Score:: Critical
CVE:: 2026-2232

Plugin:: WP Compress � Instant Performance & Speed Optimization
Plugin Slug:: wp-compress-image-optimizer
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.60.29
Severity Score:: Medium
CVE:: 2026-25370

Plugin:: YaMaps for WordPress Plugin
Plugin Slug:: yamaps
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.6.41
Severity Score:: Medium
CVE:: 2025-14851

Plugin:: Album and Image Gallery Plus Lightbox
Plugin Slug:: album-and-image-gallery-plus-lightbox
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2025-13612

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.0.7.0
Severity Score:: Medium
CVE:: 2025-14444

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.0.7.2
Severity Score:: Medium
CVE:: 2026-0929

Plugin:: s2Member � Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Plugin Slug:: s2member
Installations: 9,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 260215
Severity Score:: Critical
CVE:: 2026-1994

Plugin:: s2Member � Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Plugin Slug:: s2member
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 260101
Severity Score:: Medium
CVE:: 2025-13732

Plugin:: Tablesome Table � Contact Form DB � WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.2.2
Severity Score:: High
CVE:: 2025-12845

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.8.5
Severity Score:: Medium
CVE:: 2026-1655

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.2.8.4
Severity Score:: Medium
CVE:: 2026-25389

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.8.5
Severity Score:: Medium
CVE:: 2026-1657

Plugin:: Event Booking Manager for WooCommerce
Plugin Slug:: mage-eventpress
Installations: 7,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.1.2
Severity Score:: Critical
CVE:: 2026-23549

Plugin:: Mail Mint � Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more
Plugin Slug:: mail-mint
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.19.5
Severity Score:: High
CVE:: 2026-23541

Plugin:: Orderable � WordPress Restaurant Online Ordering System and Food Ordering Plugin
Plugin Slug:: orderable
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.20.1
Severity Score:: High
CVE:: 2026-0974

Plugin:: Cart All In One For WooCommerce
Plugin Slug:: woo-cart-all-in-one
Installations: 6,000+
Vulnerability:: Content Injection
Patched in Version:: 1.1.22
Severity Score:: High
CVE:: 2026-2019

Plugin:: Popup Box � Easily Create WordPress Popups
Plugin Slug:: popup-box
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.13
Severity Score:: Medium
CVE:: 2025-12122

Plugin:: Nelio A/B Testing � AB Tests and Heatmaps for Better Conversion Optimization
Plugin Slug:: nelio-ab-testing
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 8.2.5
Severity Score:: High
CVE:: 2026-25378

Plugin:: Import Eventbrite Events
Plugin Slug:: import-eventbrite-events
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.5
Severity Score:: High
CVE:: 2024-12422

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7287

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7288

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7289

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7290

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: High
CVE:: 2023-7291

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7292

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: Medium
CVE:: 2023-7293

Plugin:: Paytium: Mollie payment forms & donations
Plugin Slug:: paytium
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4
Severity Score:: High
CVE:: 2023-7294

Plugin:: Tickera � Sell Tickets & Manage Events
Plugin Slug:: tickera-event-ticketing-system
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.6.5
Severity Score:: Medium
CVE:: 2025-12356

Plugin:: WP-DownloadManager
Plugin Slug:: wp-downloadmanager
Installations: 3,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.69.1
Severity Score:: Medium
CVE:: 2026-2426

Plugin:: WP-DownloadManager
Plugin Slug:: wp-downloadmanager
Installations: 3,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.69.1
Severity Score:: Low
CVE:: 2026-2419

Plugin:: Academy LMS � WordPress LMS Plugin for Complete eLearning Solution
Plugin Slug:: academy
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.4
Severity Score:: Medium
CVE:: 2026-25372

Plugin:: Frontend Post Submission Manager Lite � Frontend Posting WordPress Plugin
Plugin Slug:: frontend-post-submission-manager-lite
Installations: 2,000+
Vulnerability:: Open Redirection
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2026-1296

Plugin:: IMGspider � ????????
Plugin Slug:: imgspider
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.3.11
Severity Score:: Critical
CVE:: 2024-6318

Plugin:: Simple Ajax Chat � Add a Fast, Secure Chat Box
Plugin Slug:: simple-ajax-chat
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 20260217
Severity Score:: Medium
CVE:: 2026-3075

Plugin:: Virusdie � One-click website security
Plugin Slug:: virusdie
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2025-14864

Plugin:: WP-Lister Lite for eBay
Plugin Slug:: wp-lister-for-ebay
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.6
Severity Score:: Medium
CVE:: 2026-25384

Plugin:: WowRevenue � Product Bundles & Bulk Discounts
Plugin Slug:: revenue
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.4
Severity Score:: High
CVE:: 2026-2001

Plugin:: WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar
Plugin Slug:: wp-event-aggregator
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.0
Severity Score:: Medium
CVE:: 2026-1941

Plugin:: Taskbuilder � Project & Task Management with Kanban
Plugin Slug:: taskbuilder
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.3
Severity Score:: Medium
CVE:: 2026-1640

Plugin:: Taskbuilder � Project & Task Management with Kanban
Plugin Slug:: taskbuilder
Installations: 800+
Vulnerability:: SQL Injection
Patched in Version:: 5.0.3
Severity Score:: High
CVE:: 2026-1639

Plugin:: Dam Spam
Plugin Slug:: dam-spam
Installations: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.9
Severity Score:: Medium
CVE:: 2026-2112

Plugin:: My Tickets � Accessible Event Ticketing
Plugin Slug:: my-tickets
Installations: 700+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.1.1
Severity Score:: High
CVE:: 2026-27406

Plugin:: WP Plugin Info Card
Plugin Slug:: wp-plugin-info-card
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.3.0
Severity Score:: Medium
CVE:: 2026-2023

Plugin:: Build App Online
Plugin Slug:: build-app-online
Installations: 500+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.23
Severity Score:: High
CVE:: 2023-7264

Plugin:: Library Management System
Plugin Slug:: library-management-system
Installations: 300+
Vulnerability:: SQL Injection
Patched in Version:: 3.3
Severity Score:: Critical
CVE:: 2025-12707

Plugin:: Order Splitter for WooCommerce
Plugin Slug:: woo-order-splitter
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.6
Severity Score:: Medium
CVE:: 2025-12075

Plugin:: Bookster � WordPress Appointment Booking Plugin
Plugin Slug:: bookster
Installations: 200+
Vulnerability:: SQL Injection
Patched in Version:: 2.2.0
Severity Score:: High
CVE:: 2025-8781

Plugin:: Display During Conditional Shortcode
Plugin Slug:: display-during-conditional-shortcode
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2025-6460

Plugin:: IDonate � Blood Donation, Request And Donor Management System
Plugin Slug:: idonate
Installations: 90+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.1.0
Severity Score:: High
CVE:: 2025-4521

Plugin:: Video Share VOD � Turnkey Video Site Builder Script
Plugin Slug:: video-share-vod
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.12
Severity Score:: Medium
CVE:: 2025-13727

Plugin:: Private Comment
Plugin Slug:: private-comment
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.0.5
Severity Score:: Medium
CVE:: 2026-2281

Plugin:: Frontend User Notes
Plugin Slug:: frontend-user-notes
Installations: 50+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2025-12071

Plugin:: Activity Log for WordPress
Plugin Slug:: winterlock
Installations: 50+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.9
Severity Score:: Medium
CVE:: 2026-1671

Plugin:: Community Events
Plugin Slug:: community-events
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.8
Severity Score:: Medium
CVE:: 2026-1649

Plugin:: Keybase.io Verification
Plugin Slug:: wp-keybase-verification
Installations: 30+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.4.6
Severity Score:: Medium
CVE:: 2026-1072

Plugin:: InteractiveCalculator for WordPress
Plugin Slug:: interactivecalculator
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.4
Severity Score:: Medium
CVE:: 2026-1807

Plugin:: Rent Fetch
Plugin Slug:: rentfetch
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.32.7
Severity Score:: High
CVE:: 2026-1931

Plugin:: WPNakama � Team and multi-Client Collaboration, Editorial and Project Management
Plugin Slug:: wpnakama
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: 0.6.6
Severity Score:: Critical
CVE:: 2026-2495

Plugin:: Ads Pro
Plugin Slug:: ap-plugin-scripteo
Vulnerability:: Broken Access Control
Patched in Version:: 5.1
Severity Score:: Medium
CVE:: 2026-25388

Plugin:: ARForms Form Builder
Plugin Slug:: arforms-form-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.9
Severity Score:: High
CVE:: 2023-6828

Plugin:: Lizza LMS Pro
Plugin Slug:: lizza-lms-pro
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.4
Severity Score:: Critical
CVE:: 2025-13563

Plugin:: tagDiv Composer
Plugin Slug:: td-composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1
Severity Score:: High
CVE:: 2024-5212

Plugin:: Truelysell Core
Plugin Slug:: truelysell-core
Vulnerability:: Privilege Escalation
Patched in Version:: 1.8.8
Severity Score:: Critical
CVE:: 2025-8572

Plugin:: Uni CPO (Premium)
Plugin Slug:: uni-woo-custom-product-options-premium
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.61
Severity Score:: Medium
CVE:: 2025-13391

Plugin:: Wolmart Core
Plugin Slug:: wolmart-core
Vulnerability:: SQL Injection
Patched in Version:: 1.9.7
Severity Score:: Critical
CVE:: 2025-69337

WordPress Themes � 8 Patched / 31 Unpatched

Theme:: Drift
Theme Slug:: drift
Downloads: 30,869
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12116

Theme:: Mega Store Woocommerce
Theme Slug:: mega-store-woocommerce
Downloads: 42,273
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14357

Theme:: NewsBlogger
Theme Slug:: newsblogger
Downloads: 155,250
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12821

Theme:: Renden
Theme Slug:: renden
Downloads: 328,852
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12117

Theme:: A-Mart
Theme Slug:: a-mart
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22361

Theme:: Blabber
Theme Slug:: blabber
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22378

Theme:: Buyent
Theme Slug:: buyent
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13851

Theme:: Coworking
Theme Slug:: coworking
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22367

Theme:: Dentario
Theme Slug:: dentario
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27439

Theme:: Fooddy
Theme Slug:: fooddy
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22373

Theme:: Gustavo
Theme Slug:: gustavo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22371

Theme:: Impacto Patronus
Theme Slug:: impacto-patronus
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22375

Theme:: Ironfit
Theme Slug:: ironfit
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22369

Theme:: Isida
Theme Slug:: isida
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22372

Theme:: Jude
Theme Slug:: jude
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22366

Theme:: Kingler
Theme Slug:: kingler
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27438

Theme:: Marveland
Theme Slug:: marveland
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22370

Theme:: Netmix
Theme Slug:: netmix
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22379

Theme:: Parkivia
Theme Slug:: parkivia
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22376

Theme:: PawFriends – Pet Shop and Veterinary WordPress Theme
Theme Slug:: pawfriends
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22383

Theme:: PawFriends – Pet Shop and Veterinary WordPress Theme
Theme Slug:: pawfriends
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22381

Theme:: Photolia
Theme Slug:: photolia
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22362

Theme:: Redy
Theme Slug:: redy
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22368

Theme:: Rhodos
Theme Slug:: rhodos
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22363

Theme:: Saveo
Theme Slug:: saveo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22377

Theme:: SevenTrees
Theme Slug:: seventrees
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22364

Theme:: Soleng
Theme Slug:: soleng
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22365

Theme:: Tennis Club
Theme Slug:: tennis-sportclub
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27437

Theme:: UnlimHost
Theme Slug:: unlimhost
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22380

Theme:: Valenti
Theme Slug:: valenti
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-23544

Theme:: Zio Alberto
Theme Slug:: zioalberto
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22374

Theme:: Context Blog
Theme Slug:: context-blog
Downloads: 84,231
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.6
Severity Score:: Medium
CVE:: 2025-12074

Theme:: Shopire
Theme Slug:: shopire
Downloads: 89,293
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.58
Severity Score:: Medium
CVE:: 2025-13091

Theme:: Spa and Salon
Theme Slug:: spa-and-salon
Downloads: 165,530
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2026-25374

Theme:: Grand Restaurant
Theme Slug:: grandrestaurant
Vulnerability:: PHP Object Injection
Patched in Version:: 7.0.11
Severity Score:: Critical
CVE:: 2026-23542

Theme:: Ippsum
Theme Slug:: ippsum
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2.1
Severity Score:: Critical
CVE:: 2025-68541

Theme:: CitiLights
Theme Slug:: noo-citilights
Vulnerability:: Broken Access Control
Patched in Version:: 3.7.2
Severity Score:: Medium
CVE:: 2026-25367

Theme:: Sweet Date
Theme Slug:: sweetdate
Vulnerability:: PHP Object Injection
Patched in Version:: 4.0.1
Severity Score:: Critical
CVE:: 2026-27417

Theme:: Wiguard
Theme Slug:: wiguard
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.1
Severity Score:: Critical
CVE:: 2025-68549