WordPress Vulnerability Report � January 14, 2026

In this report, 282 vulnerabilities have been publicly disclosed. Security patches for 120 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 162 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025, adding Notes for block-level comments, an expanded Command Palette, and the new Abilities API to standardize permissions for future automation. It also includes performance improvements and new blocks and design tools to support faster, more flexible site building.

After any major release, don�t update live sites until you�ve taken backups and tested in a non-production environment.

WordPress Plugins � 106 Patched / 127 Unpatched

Plugin:: Cookies and Content Security Policy
Plugin Slug:: cookies-and-content-security-policy
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63019

Plugin:: Responsive Pricing Table
Plugin Slug:: dk-pricr-responsive-pricing-table
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15058

Plugin:: Responsive Pricing Table
Plugin Slug:: dk-pricr-responsive-pricing-table
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13418

Plugin:: Yoco Payments
Plugin Slug:: yoco-payment-gateway
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13801

Plugin:: Block Slider � Responsive Image Slider, Video Slider & Post Slider
Plugin Slug:: block-slider
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22522

Plugin:: Campaign Monitor for WordPress
Plugin Slug:: forms-for-campaign-monitor
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0674

Plugin:: Image Slider Slideshow
Plugin Slug:: image-slider-slideshow
Installations: 3,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22489

Plugin:: NextGEN Download Gallery
Plugin Slug:: nextgen-download-gallery
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0675

Plugin:: aBlocks � Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder
Plugin Slug:: ablocks
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12449

Plugin:: Speed Kit
Plugin Slug:: baqend
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22487

Plugin:: BD Courier Order Ratio Checker
Plugin Slug:: bd-courier-order-ratio-checker
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22481

Plugin:: Dashboard Welcome for Beaver Builder
Plugin Slug:: dashboard-welcome-for-beaver-builder
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22488

Plugin:: Easy Form Builder by WhiteStudio � Drag & Drop Form Builder
Plugin Slug:: easy-form-builder
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22472

Plugin:: GA4WP � Analytics Dashboard for the Website
Plugin Slug:: ga-for-wp
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22517

Plugin:: IMGspider � ????????
Plugin Slug:: imgspider
Installations: 2,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22482

Plugin:: teachPress
Plugin Slug:: teachpress
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22483

Plugin:: Blockons � Gutenberg blocks for WordPress and WooCommerce websites
Plugin Slug:: blockons
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14360

Plugin:: X Addons for Elementor
Plugin Slug:: x-addons-elementor
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22518

Plugin:: Re Gallery � Responsive Image & Photo Gallery
Plugin Slug:: regallery
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22486

Plugin:: HBLPAY Payment Gateway for WooCommerce
Plugin Slug:: hblpay-payment-gateway-for-woocommerce
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14875

Plugin:: Page Keys
Plugin Slug:: page-keys
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15000

Plugin:: Money Space
Plugin Slug:: money-space
Installations: 70+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13371

Plugin:: AI BotKit � AI Chatbot & Live Chat for WordPress (No-Code)
Plugin Slug:: ai-botkit-for-lead-generation
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13887

Plugin:: Reviewify � Review Discounts & Photo/Video Reviews for WooCommerce
Plugin Slug:: review-for-discount
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14070

Plugin:: FireStorm Professional Real Estate Plugin
Plugin Slug:: fs-real-estate-plugin
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22470

Plugin:: 1180px Shortcodes
Plugin Slug:: 1180px-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14114

Plugin:: WP Virtual Assistant
Plugin Slug:: VirtualAssistant
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22725

Plugin:: WP Attractive Donations System – Easy Stripe & Paypal donations
Plugin Slug:: WP_AttractiveDonationsSystem
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22715

Plugin:: AA Block country
Plugin Slug:: aa-block-country
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13694

Plugin:: Accordion Slider PRO
Plugin Slug:: accordion_slider_pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49066

Plugin:: ACF to REST API
Plugin Slug:: acf-to-rest-api
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12030

Plugin:: AD Sliding FAQ
Plugin Slug:: ad-sliding-faq
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14122

Plugin:: AH Shortcodes
Plugin Slug:: ah-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14109

Plugin:: AS Password Field In Default Registration Form
Plugin Slug:: as-password-field-in-default-registration-form
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-14996

Plugin:: Autogen Headers Menu
Plugin Slug:: autogen-headers-menu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13704

Plugin:: Awesome Hotel Booking
Plugin Slug:: awesome-hotel-booking
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14352

Plugin:: WP Page Permalink Extension
Plugin Slug:: change-wp-page-permalinks
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14172

Plugin:: Contact Form vCard Generator
Plugin Slug:: contact-form-vcard-generator
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13717

Plugin:: Contact Us Simple Form
Plugin Slug:: contact-us-simple-form
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14028

Plugin:: Cool YT Player
Plugin Slug:: cool-yt-player
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13849

Plugin:: CountDown With Image or Video Background
Plugin Slug:: countdown-with-background
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-27002

Plugin:: Curved Text
Plugin Slug:: curved-text
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13854

Plugin:: Debt.com Business in a Box
Plugin Slug:: debtcom-business-in-a-box
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13852

Plugin:: DZS Video Gallery
Plugin Slug:: dzs-videogallery
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49049

Plugin:: Easy GitHub Gist Shortcodes
Plugin Slug:: easy-github-gist-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14147

Plugin:: EDD Download Info
Plugin Slug:: edd-download-info
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14121

Plugin:: Email Customizer for WooCommerce
Plugin Slug:: email-customizer-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13974

Plugin:: Entry Views
Plugin Slug:: entry-views
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13729

Plugin:: Famous – Responsive Image And Video Grid Gallery WordPress Plugin
Plugin Slug:: famous_grid_image_and_video_gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-27004

Plugin:: Felan Framework
Plugin Slug:: felan-framework
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-23993

Plugin:: Felan Framework
Plugin Slug:: felan-framework
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-23504

Plugin:: Flashcard
Plugin Slug:: flashcard
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14867

Plugin:: ShareThis Dashboard for Google Analytics
Plugin Slug:: googleanalytics
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12540

Plugin:: Handmade Framework
Plugin Slug:: handmade-framework
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22521

Plugin:: Header and Footer Scripts
Plugin Slug:: header-and-footer-scripts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11453

Plugin:: HelpDesk contact form
Plugin Slug:: helpdesk-contact-form
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13657

Plugin:: JNews – Frontend Submit
Plugin Slug:: jnews-frontend-submit
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68904

Plugin:: Latest Tabs
Plugin Slug:: kento-latest-tabs
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14999

Plugin:: Key Figures
Plugin Slug:: key-figures
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14792

Plugin:: Latest Registered Users
Plugin Slug:: latest-registered-users
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13493

Plugin:: HTML5 Video Player
Plugin Slug:: lbg-vp2-html5-bottom
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-27005

Plugin:: HTML5 Video Player with Playlist & Multiple Skins
Plugin Slug:: lbg-vp2-html5-rightside
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32123

Plugin:: Image&Video FullScreen Background
Plugin Slug:: lbg_fullscreen_fullwidth_slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47666

Plugin:: Lesson Plan Book
Plugin Slug:: lesson-plan-book
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13893

Plugin:: ListingHub
Plugin Slug:: listinghub
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12551

Plugin:: Magic Responsive Slider and Carousel WordPress
Plugin Slug:: magic_carousel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49043

Plugin:: Magic Slider
Plugin Slug:: magic_slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48094

Plugin:: Mamurjor Employee Info
Plugin Slug:: mamurjor-employee-info
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13990

Plugin:: Menu Card
Plugin Slug:: menu-card
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13862

Plugin:: MG AdvancedOptions
Plugin Slug:: mg-advancedoptions
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13892

Plugin:: Moosend Landing Pages
Plugin Slug:: moosend-landing-pages
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13496

Plugin:: Mstoic Shortcodes
Plugin Slug:: mstoic-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14144

Plugin:: MTCaptcha
Plugin Slug:: mtcaptcha
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13520

Plugin:: Multi-column Tag Map
Plugin Slug:: multi-column-tag-map
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14057

Plugin:: My Album Gallery
Plugin Slug:: my-album-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14796

Plugin:: My Album Gallery
Plugin Slug:: my-album-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14453

Plugin:: Nearby Now Reviews
Plugin Slug:: nearby-now-reviews
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13853

Plugin:: Newsletter Email Subscribe
Plugin Slug:: newsletter-email-subscribe
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14904

Plugin:: Niche Hero
Plugin Slug:: niche-hero
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14145

Plugin:: nK Themes Helper
Plugin Slug:: nk-themes-helper
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22726

Plugin:: NS Ie Compatibility Fixer
Plugin Slug:: ns-ie-compatibility-fixer
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14845

Plugin:: Optional Email
Plugin Slug:: optional-email
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-15018

Plugin:: PhotoFade
Plugin Slug:: photofade
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13847

Plugin:: Post Like Dislike
Plugin Slug:: post-like-dislike
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14130

Plugin:: PullQuote
Plugin Slug:: pullquote
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13903

Plugin:: Pure WC Variation Swatches
Plugin Slug:: pure-wc-variations-swatches
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12820

Plugin:: QR Code Tag for WC
Plugin Slug:: qr-code-tag-for-wc-from-goaskle-com
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14626

Plugin:: Quote Comments
Plugin Slug:: quote-comments
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14370

Plugin:: Rankology SEO and Analytics Tool
Plugin Slug:: rankology-seo-and-analytics-tool
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-12958

Plugin:: Real Estate Pro
Plugin Slug:: real-estate-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13504

Plugin:: REHub Framework
Plugin Slug:: rehub-framework
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14358

Plugin:: Shabat Keeper
Plugin Slug:: shabat-keeper
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13701

Plugin:: Simcast
Plugin Slug:: simcast
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14077

Plugin:: Simple User Meta Editor
Plugin Slug:: simple-user-meta-editor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14888

Plugin:: Smart App Banners
Plugin Slug:: smart-app-banners
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13841

Plugin:: Snillrik Restaurant
Plugin Slug:: snillrik-restaurant-menu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14112

Plugin:: Starred Review
Plugin Slug:: starred-review
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14118

Plugin:: Sticky Action Buttons
Plugin Slug:: sticky-action-buttons
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14465

Plugin:: STM Gallery 1.9
Plugin Slug:: stm-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13848

Plugin:: Stumble! for WordPress
Plugin Slug:: stumble-for-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14128

Plugin:: Stylish Order Form Builder
Plugin Slug:: stylish-order-form-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13531

Plugin:: Super Interactive Maps
Plugin Slug:: super-interactive-maps
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49045

Plugin:: SVG Map Plugin
Plugin Slug:: svg-map-by-saedi
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13519

Plugin:: Testimonial Master
Plugin Slug:: testimonial-master
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14127

Plugin:: The Tooltip
Plugin Slug:: the-tooltip
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13908

Plugin:: Top Position Google Finance
Plugin Slug:: top-position-google-finance
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13895

Plugin:: xPromoter
Plugin Slug:: top_bar_promoter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49046

Plugin:: twinklesmtp
Plugin Slug:: twinklesmtp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14887

Plugin:: Unify
Plugin Slug:: unify
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13529

Plugin:: User Activity Log
Plugin Slug:: user-activity-log
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11877

Plugin:: Viitor Button Shortcodes
Plugin Slug:: viitor-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14113

Plugin:: Wish To Go
Plugin Slug:: wish-to-go
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14053

Plugin:: Premmerce WooCommerce Customers Manager
Plugin Slug:: woo-customers-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13369

Plugin:: Piraeus Bank WooCommerce Payment Gateway
Plugin Slug:: woo-payment-gateway-for-piraeus-bank
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14460

Plugin:: WooCommerce Orders & Customers Exporter
Plugin Slug:: woocommerce-orders-ei
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22713

Plugin:: Woodpecker for WordPress
Plugin Slug:: woodpecker
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13967

Plugin:: Workreap (theme’s plugin)
Plugin Slug:: workreap
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22728

Plugin:: WP Status Notifier
Plugin Slug:: wp-change-status-notifier
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13521

Plugin:: Client Testimonial Slider
Plugin Slug:: wp-client-testimonial
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13897

Plugin:: WP Enable WebP
Plugin Slug:: wp-enable-webp
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-15158

Plugin:: WP Js List Pages Shortcodes
Plugin Slug:: wp-js-list-pages-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14110

Plugin:: WP Lead Capturing Pages
Plugin Slug:: wp-lead-capture
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49050

Plugin:: WP Lead Capturing Pages
Plugin Slug:: wp-lead-capture
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49055

Plugin:: WP Recipe Manager
Plugin Slug:: wp-recipe-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13667

Plugin:: WP Widget Changer
Plugin Slug:: wp-widget-changer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14131

Plugin:: WP Popup Magic
Plugin Slug:: wppopupmagic
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13900

Plugin:: xShare
Plugin Slug:: xshare
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13527

Plugin:: Essential Addons for Elementor � Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.4
Severity Score:: Medium
CVE:: 2025-69092

Plugin:: The Events Calendar
Plugin Slug:: the-events-calendar
Installations: 700,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.15.13
Severity Score:: Medium
CVE:: 2025-69352

Plugin:: Fluent Forms � Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.1.8
Severity Score:: Medium
CVE:: 2025-13722

Plugin:: Forminator Forms � Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.49.2
Severity Score:: Medium
CVE:: 2025-14782

Plugin:: Jeg Kit for Elementor � Powerful Addons for Elementor, Widgets & Templates for WordPress
Plugin Slug:: jeg-elementor-kit
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.2
Severity Score:: Medium
CVE:: 2025-14275

Plugin:: Templately � Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud!
Plugin Slug:: templately
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.9
Severity Score:: Medium
CVE:: 2026-0831

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.41
Severity Score:: High
CVE:: 2025-15364

Plugin:: GiveWP � Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Content Injection
Patched in Version:: 4.13.2
Severity Score:: Medium
CVE:: 2025-66533

Plugin:: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Plugin Slug:: post-expirator
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.4
Severity Score:: Medium
CVE:: 2025-14718

Plugin:: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Plugin Slug:: post-expirator
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.4
Severity Score:: Medium
CVE:: 2025-69361

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.4
Severity Score:: Medium
CVE:: 2025-13628

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.4
Severity Score:: Medium
CVE:: 2025-13934

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.4
Severity Score:: Medium
CVE:: 2025-13679

Plugin:: AMP for WP � Accelerated Mobile Pages
Plugin Slug:: accelerated-mobile-pages
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.11
Severity Score:: Medium
CVE:: 2026-0627

Plugin:: AMP for WP � Accelerated Mobile Pages
Plugin Slug:: accelerated-mobile-pages
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.10
Severity Score:: Medium
CVE:: 2025-14468

Plugin:: Depicter � Popup & Slider Builder
Plugin Slug:: depicter
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.0
Severity Score:: Medium
CVE:: 2025-11370

Plugin:: Depicter � Popup & Slider Builder
Plugin Slug:: depicter
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.5
Severity Score:: Medium
CVE:: 2025-68558

Plugin:: Folders � Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Plugin Slug:: folders
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.6
Severity Score:: Medium
CVE:: 2025-12640

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.94.0
Severity Score:: Medium
CVE:: 2025-14891

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.11.0
Severity Score:: High
CVE:: 2025-50004

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.3.2.2
Severity Score:: Medium
CVE:: 2025-14802

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2.1
Severity Score:: Medium
CVE:: 2025-13964

Plugin:: Ninja Tables � Easy Data Table Builder
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.2.5
Severity Score:: High
CVE:: 2025-69351

Plugin:: WooCommerce Square
Plugin Slug:: woocommerce-square
Installations: 80,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.1.2
Severity Score:: High
CVE:: 2025-13457

Plugin:: SlimStat Analytics
Plugin Slug:: wp-slimstat
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.4
Severity Score:: High
CVE:: 2025-15057

Plugin:: SlimStat Analytics
Plugin Slug:: wp-slimstat
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.5
Severity Score:: High
CVE:: 2025-15055

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 70,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.6.9.6
Severity Score:: Medium
CVE:: 2025-11723

Plugin:: Clearfy Cache � WordPress optimization plugin, Minify HTML, CSS & JS, Defer
Plugin Slug:: clearfy
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2025-13749

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.9.3
Severity Score:: Critical
CVE:: 2025-14842

Plugin:: Post and Page Builder by BoldGrid � Visual Drag and Drop Editor
Plugin Slug:: post-and-page-builder
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.27.10
Severity Score:: Medium
CVE:: 2025-69345

Plugin:: User Registration & Membership � Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.4.9
Severity Score:: Medium
CVE:: 2025-14976

Plugin:: Table Field Add-on for ACF and SCF
Plugin Slug:: advanced-custom-fields-table-field
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.31
Severity Score:: Medium
CVE:: 2025-12067

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.7.3
Severity Score:: Medium
CVE:: 2025-14943

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.14.11
Severity Score:: Medium
CVE:: 2025-14146

Plugin:: EmailKit � Email Customizer for WooCommerce & WP
Plugin Slug:: emailkit
Installations: 50,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.6.2
Severity Score:: Medium
CVE:: 2025-14059

Plugin:: Tag, Category, and Taxonomy Manager � AI Autotagger with OpenAI
Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.42.0
Severity Score:: Medium
CVE:: 2025-14371

Plugin:: WP-Members Membership Plugin
Plugin Slug:: wp-members
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.5.4.5
Severity Score:: Medium
CVE:: 2025-12648

Plugin:: WP Table Builder � Drag & Drop Table Builder
Plugin Slug:: wp-table-builder
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.20
Severity Score:: Medium
CVE:: 2025-13753

Plugin:: BetterDocs � Knowledge Base Documentation & FAQ Solution for Elementor & Block Editor
Plugin Slug:: betterdocs
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.3.4
Severity Score:: Medium
CVE:: 2025-14980

Plugin:: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Plugin Slug:: popup-builder-block
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2025-14441

Plugin:: Quiz and Survey Master (QSM) � Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.3.2
Severity Score:: Medium
CVE:: 2025-9637

Plugin:: Quiz and Survey Master (QSM) � Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.3.2
Severity Score:: Medium
CVE:: 2025-9294

Plugin:: BulletProof Security
Plugin Slug:: bulletproof-security
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.0
Severity Score:: High
CVE:: 2025-67931

Plugin:: Link Whisper Free
Plugin Slug:: link-whisper
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.8.9
Severity Score:: High
CVE:: 2025-67927

Plugin:: Docket Cache � Object Cache Accelerator
Plugin Slug:: docket-cache
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 24.07.05
Severity Score:: Medium
CVE:: 2026-22492

Plugin:: Icegram Engage � Popups, Optins, CTAs & lot more�
Plugin Slug:: icegram
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.36
Severity Score:: Medium
CVE:: 2025-68507

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7.0.89
Severity Score:: Medium
CVE:: 2025-14579

Plugin:: Brevo for WooCommerce
Plugin Slug:: woocommerce-sendinblue-newsletter-subscription
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.50
Severity Score:: High
CVE:: 2025-14436

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.28.24
Severity Score:: High
CVE:: 2025-14937

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.28.26
Severity Score:: Critical
CVE:: 2025-14741

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.28.26
Severity Score:: Critical
CVE:: 2025-14736

Plugin:: AffiliateX � Amazon Affiliate Plugin
Plugin Slug:: affiliatex
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.0
Severity Score:: Medium
CVE:: 2025-69346

Plugin:: Bit Form � Custom Contact Form, Multi Step, Conversational Form & Payment Form builder
Plugin Slug:: bit-form
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.21.7
Severity Score:: Medium
CVE:: 2025-14901

Plugin:: Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)
Plugin Slug:: bulk-image-alt-text-with-yoast
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-15019

Plugin:: Demo Importer Plus
Plugin Slug:: demo-importer-plus
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.9
Severity Score:: Medium
CVE:: 2025-69091

Plugin:: Easy Media Download
Plugin Slug:: easy-media-download
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.12
Severity Score:: Medium
CVE:: 2025-69169

Plugin:: Fluent Support � Helpdesk & Customer Support Ticket System
Plugin Slug:: fluent-support
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.10.5
Severity Score:: Medium
CVE:: 2025-67926

Plugin:: Form Vibes � Database Manager for Forms
Plugin Slug:: form-vibes
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2025-13409

Plugin:: GamiPress � Gamification plugin to reward points, achievements, badges & ranks in WordPress
Plugin Slug:: gamipress
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.6.2
Severity Score:: Medium
CVE:: 2025-13812

Plugin:: Gutenverse Form � Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
Plugin Slug:: gutenverse-form
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.0
Severity Score:: Medium
CVE:: 2025-14984

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.7.7
Severity Score:: Medium
CVE:: 2025-13766

Plugin:: ShopMagic � email automation
Plugin Slug:: shopmagic-for-woocommerce
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.3
Severity Score:: Medium
CVE:: 2025-69093

Plugin:: Team � Team Members Showcase Plugin
Plugin Slug:: tlp-team
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.0.11
Severity Score:: Critical
CVE:: 2025-14124

Plugin:: Japanized for WooCommerce
Plugin Slug:: woocommerce-for-japan
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.0
Severity Score:: Medium
CVE:: 2025-14886

Plugin:: Eventin � Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.52
Severity Score:: High
CVE:: 2025-14657

Plugin:: WP Photo Album Plus
Plugin Slug:: wp-photo-album-plus
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.05.009
Severity Score:: High
CVE:: 2025-14835

Plugin:: Xagio SEO � AI Powered SEO
Plugin Slug:: xagio-seo
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 7.1.0.31
Severity Score:: Medium
CVE:: 2025-14438

Plugin:: NEX-Forms � Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.8
Severity Score:: Medium
CVE:: 2025-14803

Plugin:: UiChemy � Figma Converter for Elementor, Gutenberg and Bricks
Plugin Slug:: uichemy
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2025-69362

Plugin:: MediaPress
Plugin Slug:: mediapress
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.3
Severity Score:: Medium
CVE:: 2026-22519

Plugin:: weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
Plugin Slug:: wedocs
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.1.16
Severity Score:: Medium
CVE:: 2025-14574

Plugin:: BuddyPress Xprofile Custom Field Types
Plugin Slug:: bp-xprofile-custom-field-types
Installations: 4,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.3.0
Severity Score:: High
CVE:: 2025-14997

Plugin:: FastDup � Fastest WordPress Migration & Duplicator
Plugin Slug:: fastdup
Installations: 4,000+
Vulnerability:: Path Traversal
Patched in Version:: 2.7.1
Severity Score:: Medium
CVE:: 2026-0604

Plugin:: FlexTable � Data Table Sync with Google Sheets
Plugin Slug:: sheets-to-wp-table-live-sync
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.2
Severity Score:: Medium
CVE:: 2025-9543

Plugin:: Better Business Reviews � Trustpilot WordPress Plugin
Plugin Slug:: better-business-reviews
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.1.2
Severity Score:: Medium
CVE:: 2025-69354

Plugin:: The Events Calendar Countdown Addon
Plugin Slug:: countdown-for-the-events-calendar
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.16
Severity Score:: Medium
CVE:: 2025-69348

Plugin:: Bulk Page Generator � LPagery
Plugin Slug:: lpagery
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.10
Severity Score:: Medium
CVE:: 2026-22490

Plugin:: Responsive Addons for Elementor � Free Elementor Addons Plugin and Elementor Templates
Plugin Slug:: responsive-addons-for-elementor
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.9
Severity Score:: Medium
CVE:: 2025-69363

Plugin:: Spiffy Calendar
Plugin Slug:: spiffy-calendar
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.8
Severity Score:: Medium
CVE:: 2025-68523

Plugin:: Tickera � Sell Tickets & Manage Events
Plugin Slug:: tickera-event-ticketing-system
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.6.5
Severity Score:: Medium
CVE:: 2025-69355

Plugin:: RSS Feed Widget
Plugin Slug:: rss-feed-widget
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.3
Severity Score:: Medium
CVE:: 2025-69349

Plugin:: Appointment Booking Calendar � WP Timetics Booking Plugin
Plugin Slug:: timetics
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.37
Severity Score:: Medium
CVE:: 2025-5919

Plugin:: Accordions � Responsive Accordion & FAQ Plugin for WordPress
Plugin Slug:: accordions-wp
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.4
Severity Score:: Medium
CVE:: 2025-69350

Plugin:: CBX Bookmark & Favorite
Plugin Slug:: cbxwpbookmark
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.0.5
Severity Score:: High
CVE:: 2025-13652

Plugin:: Proxy & VPN Blocker
Plugin Slug:: proxy-vpn-blocker
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.4
Severity Score:: Medium
CVE:: 2025-69353

Plugin:: ForumWP � Forum & Discussion Board
Plugin Slug:: forumwp
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.7
Severity Score:: Medium
CVE:: 2025-13746

Plugin:: Taskbuilder � WordPress Project Management & Task Management
Plugin Slug:: taskbuilder
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.0
Severity Score:: High
CVE:: 2025-67933

Plugin:: IndieWeb
Plugin Slug:: indieweb
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2025-14893

Plugin:: WP Google Street View (with 360� virtual tour) & Google maps + Local SEO
Plugin Slug:: wp-google-street-view
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.9
Severity Score:: Medium
CVE:: 2026-0563

Plugin:: Recras
Plugin Slug:: recras
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.2
Severity Score:: Medium
CVE:: 2025-13497

Plugin:: URL Image Importer
Plugin Slug:: url-image-importer
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.8
Severity Score:: Medium
CVE:: 2025-14120

Plugin:: Guest posting / Frontend Posting / Front Editor � WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.1
Severity Score:: Medium
CVE:: 2025-13419

Plugin:: miniOrange OTP Verification and SMS Notification for WooCommerce
Plugin Slug:: miniorange-sms-order-notification-otp-verification
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.9
Severity Score:: Medium
CVE:: 2025-14948

Plugin:: ilGhera Support System for WooCommerce
Plugin Slug:: wc-support-system
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2025-14034

Plugin:: Creator LMS � The LMS for Creators, Coaches, and Trainers
Plugin Slug:: creatorlms
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.13
Severity Score:: Medium
CVE:: 2025-69359

Plugin:: eHive Search
Plugin Slug:: ehive-search
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.1
Severity Score:: High
CVE:: 2025-67930

Plugin:: FS Registration Password
Plugin Slug:: registration-password
Installations: 40+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.1
Severity Score:: Critical
CVE:: 2025-15001

Plugin:: iPaymu Payment Gateway for WooCommerce
Plugin Slug:: ipaymu-for-woocommerce
Installations: 10+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.3
Severity Score:: High
CVE:: 2026-0656

Plugin:: Page Expire Popup/Redirection for WordPress
Plugin Slug:: page-expire-popup
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: 1.1
Severity Score:: High
CVE:: 2025-14153

Plugin:: Automotive Listings
Plugin Slug:: automotive
Vulnerability:: SQL Injection
Patched in Version:: 18.7
Severity Score:: Critical
CVE:: 2025-67928

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.8
Severity Score:: High
CVE:: 2025-67923

Plugin:: Listeo Core
Plugin Slug:: listeo-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.19
Severity Score:: High
CVE:: 2025-67932

Plugin:: TheGem Theme Elements (for WPBakery)
Plugin Slug:: thegem-elements
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.11.1
Severity Score:: Medium
CVE:: 2025-69360

Plugin:: TheGem Theme Elements (for Elementor)
Plugin Slug:: thegem-elements-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.11.1
Severity Score:: Medium
CVE:: 2025-69357

Plugin:: TheGem Theme Elements (for Elementor)
Plugin Slug:: thegem-elements-elementor
Vulnerability:: Local File Inclusion
Patched in Version:: 5.11.1
Severity Score:: High
CVE:: 2025-69356

Plugin:: Woffice Core
Plugin Slug:: woffice-core
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.4.31
Severity Score:: Medium
CVE:: 2025-67919

WordPress Themes � 14 Patched / 35 Unpatched

Theme:: AeroLand
Theme Slug:: aeroland
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14429

Theme:: Amuli
Theme Slug:: amuli
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-50003

Theme:: Anarkali
Theme Slug:: anarkali
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47474

Theme:: Athens
Theme Slug:: athens
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49994

Theme:: Atlas
Theme Slug:: atlas
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22509

Theme:: AutoParts
Theme Slug:: autoparts
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22331

Theme:: Barberry
Theme Slug:: barberry
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68908

Theme:: Brook
Theme Slug:: brook
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14430

Theme:: Consult Aid
Theme Slug:: consultaid
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-67617

Theme:: DeepDigital
Theme Slug:: deepdigital
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-22469

Theme:: Depot
Theme Slug:: depot
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-54003

Theme:: Drone
Theme Slug:: drone
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49249

Theme:: Electron
Theme Slug:: electron
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5805

Theme:: Energia
Theme Slug:: energia
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-50002

Theme:: Melania
Theme Slug:: melania
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22324

Theme:: Mella
Theme Slug:: mella
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67616

Theme:: Mitech
Theme Slug:: mitech
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22708

Theme:: Myour
Theme Slug:: myour
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67615

Theme:: Navian
Theme Slug:: navian
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14431

Theme:: OchaHouse
Theme Slug:: ochahouse
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12550

Theme:: Oshine
Theme Slug:: oshin
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14359

Theme:: Promo
Theme Slug:: promo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22325

Theme:: Racquet
Theme Slug:: racquet
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69369

Theme:: Reprizo
Theme Slug:: reprizo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22326

Theme:: Right Way
Theme Slug:: rightway
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22330

Theme:: Rozy – Flower Shop
Theme Slug:: rozy
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12549

Theme:: Search & Go
Theme Slug:: search-and-go
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69005

Theme:: TheNa
Theme Slug:: thena
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-67614

Theme:: Moody
Theme Slug:: tm-moody
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22707

Theme:: Typify
Theme Slug:: typify
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22712

Theme:: VideoPro
Theme Slug:: videopro
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58913

Theme:: xSmart
Theme Slug:: xsmart
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-54002

Theme:: xSmart
Theme Slug:: xsmart
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-50007

Theme:: xSmart
Theme Slug:: xsmart
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-50006

Theme:: Zorka
Theme Slug:: zorka
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-0676

Theme:: Phlox
Theme Slug:: phlox
Downloads: 1,711,142
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.17.11
Severity Score:: Medium
CVE:: 2025-4776

Theme:: Corpkit
Theme Slug:: corpkit
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-67925

Theme:: Corpkit
Theme Slug:: corpkit
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.1
Severity Score:: Critical
CVE:: 2025-67924

Theme:: Curly
Theme Slug:: curly
Vulnerability:: Local File Inclusion
Patched in Version:: 3.3
Severity Score:: High
CVE:: 2025-67936

Theme:: Grand Restaurant
Theme Slug:: grandrestaurant
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.9
Severity Score:: High
CVE:: 2025-67922

Theme:: Hendon
Theme Slug:: hendon
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7
Severity Score:: High
CVE:: 2025-67937

Theme:: Jobify
Theme Slug:: jobify
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.1
Severity Score:: High
CVE:: 2025-67916

Theme:: Lobo
Theme Slug:: lobo
Vulnerability:: SQL Injection
Patched in Version:: 2.8.6
Severity Score:: High
CVE:: 2025-67921

Theme:: Neo Ocular
Theme Slug:: neoocular
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2
Severity Score:: High
CVE:: 2025-67920

Theme:: Optimize
Theme Slug:: optimizewp
Vulnerability:: Local File Inclusion
Patched in Version:: 2.4
Severity Score:: High
CVE:: 2025-67935

Theme:: Photography
Theme Slug:: photography
Vulnerability:: Local File Inclusion
Patched in Version:: 7.7.5
Severity Score:: High
CVE:: 2025-68510

Theme:: Traveler
Theme Slug:: traveler
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.7
Severity Score:: Medium
CVE:: 2025-67917

Theme:: Wellspring
Theme Slug:: wellspring
Vulnerability:: Local File Inclusion
Patched in Version:: 2.8
Severity Score:: High
CVE:: 2025-67934

Theme:: Woffice
Theme Slug:: woffice
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.31
Severity Score:: High
CVE:: 2025-67918