In this report, 225 vulnerabilities have been publicly disclosed. Security patches for 102 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Currently, 123 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core
WordPress 6.9 “Gene” was released on December 2, 2025, adding Notes for block-level comments, an expanded Command Palette, and the new Abilities API to standardize permissions for future automation. It also includes performance improvements and new blocks and design tools to support faster, more flexible site building.
After any major release, don�t update live sites until you�ve taken backups and tested in a non-production environment.
WordPress Plugins � 89 Patched / 118 Unpatched
Ecwid by Lightspeed Ecommerce Shopping Cart
- Plugin Slug:
- ecwid-shopping-cart
- Installations
- 20,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24580
GeoDirectory � WP Business Directory Plugin and Classified Listings Directory
- Plugin Slug:
- geodirectory
- Installations
- 10,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24549
Kama Thumbnail
- Plugin:
-
Kama Thumbnail
- Plugin Slug:
- kama-thumbnail
- Installations
- 10,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24521
Responsive Contact Form Builder & Lead Generation Plugin
- Plugin Slug:
- lead-form-builder
- Installations
- 10,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-68046
Web Push Notifications � Webpushr
- Plugin Slug:
- webpushr-web-push-notifications
- Installations
- 10,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24536
Eventin � Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)
- Plugin:
-
Eventin � Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)
- Plugin Slug:
- wp-event-solution
- Installations
- 10,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68047
CLP Varnish Cache
- Plugin:
-
CLP Varnish Cache
- Plugin Slug:
- clp-varnish-cache
- Installations
- 9,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24525
Tablesome Table � Contact Form DB � WPForms, CF7, Gravity, Forminator, Fluent
- Plugin Slug:
- tablesome
- Installations
- 9,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24524
WP FullCalendar
- Plugin:
-
WP FullCalendar
- Plugin Slug:
- wp-fullcalendar
- Installations
- 9,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24523
WP Subscribe
- Plugin:
-
WP Subscribe
- Plugin Slug:
- wp-subscribe
- Installations
- 9,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24522
Booter � Bots & Crawlers Manager
- Plugin:
-
Booter � Bots & Crawlers Manager
- Plugin Slug:
- booter-bots-crawlers-manager
- Installations
- 8,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24534
Download After Email � Subscribe & Download Form Plugin
- Plugin Slug:
- download-after-email
- Installations
- 7,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24541
HD Quiz
- Plugin:
-
HD Quiz
- Plugin Slug:
- hd-quiz
- Installations
- 7,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24544
Materialis Companion
- Plugin:
-
Materialis Companion
- Plugin Slug:
- materialis-companion
- Installations
- 7,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24543
WP BackItUp Community Edition
- Plugin:
-
WP BackItUp Community Edition
- Plugin Slug:
- wp-backitup
- Installations
- 7,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-68039
WP Term Order
- Plugin:
-
WP Term Order
- Plugin Slug:
- wp-term-order
- Installations
- 7,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24542
Monetag Official Plugin
- Plugin:
-
Monetag Official Plugin
- Plugin Slug:
- monetag-official
- Installations
- 6,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24551
BOX NOW Delivery
- Plugin:
-
BOX NOW Delivery
- Plugin Slug:
- box-now-delivery
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24571
Cloudinary � Deliver Images and Videos at Scale
- Plugin Slug:
- cloudinary-image-management-and-manipulation-in-the-cloud-cdn
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24560
Easy Property Listings
- Plugin:
-
Easy Property Listings
- Plugin Slug:
- easy-property-listings
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-68072
Edwiser Bridge � WordPress Moodle Integration
- Plugin Slug:
- edwiser-bridge
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24570
Nelio Content � Editorial Calendar & Social Media Auto-Posting
- Plugin Slug:
- nelio-content
- Installations
- 5,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2026-24572
Fraud Prevention For WooCommerce and EDD
- Plugin Slug:
- woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
- Installations
- 5,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24553
WP Travel � Ultimate Travel Booking System, Tour Management Engine
- Plugin Slug:
- wp-travel
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24568
Ai Image Alt Text Generator for WP
- Plugin Slug:
- ai-image-alt-text-generator-for-wp
- Installations
- 4,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24579
Pie Register � User Registration, Profiles & Content Restriction
- Plugin Slug:
- pie-register
- Installations
- 2,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24577
Ryviu � Product Reviews for WooCommerce
- Plugin Slug:
- ryviu
- Installations
- 2,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24562
Admin login URL Change
- Plugin:
-
Admin login URL Change
- Plugin Slug:
- admin-login-url-change
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24578
Anything Order by Terms
- Plugin:
-
Anything Order by Terms
- Plugin Slug:
- anything-order-by-terms
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24567
Contact Form 7 GetResponse Extension
- Plugin Slug:
- contact-form-7-getresponse-extension
- Installations
- 1,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24557
iNET Webkit
- Plugin:
-
iNET Webkit
- Plugin Slug:
- inet-webkit
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24566
Send Notifications from Woocommerce, Form Plugins and More!
- Plugin Slug:
- notifier
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-68020
SEO Booster
- Plugin:
-
SEO Booster
- Plugin Slug:
- seo-booster
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-68019
SiteLock Security � WP Hardening, Login Security & Malware Scans
- Plugin Slug:
- sitelock
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24532
UX Flat
- Plugin:
-
UX Flat
- Plugin Slug:
- ux-flat
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24576
WebP Conversion
- Plugin:
-
WebP Conversion
- Plugin Slug:
- webp-conversion
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24530
Order Notification for WooCommerce � Get Audio Alert on new Orders
- Plugin Slug:
- woc-order-alert
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
-
2025-68018
Nova Blocks by Pixelgrade
- Plugin:
-
Nova Blocks by Pixelgrade
- Plugin Slug:
- nova-blocks
- Installations
- 900+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24528
Omnipress
- Plugin:
-
Omnipress
- Plugin Slug:
- omnipress
- Installations
- 900+
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2026-24538
Email Inquiry & Cart Options for WooCommerce
- Plugin Slug:
- woocommerce-email-inquiry-cart-options
- Installations
- 900+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24526
Blockons � Gutenberg blocks for WordPress and WooCommerce websites
- Plugin Slug:
- blockons
- Installations
- 800+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24550
Quick Restaurant Reservations
- Plugin:
-
Quick Restaurant Reservations
- Plugin Slug:
- quick-restaurant-reservations
- Installations
- 600+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24529
Accordion � Add Horizontal / Vertical Accordion in WP
- Plugin Slug:
- b-accordion
- Installations
- 500+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24565
Textmetrics
- Plugin:
-
Textmetrics
- Plugin Slug:
- webtexttool
- Installations
- 500+
- Vulnerability:
- Content Injection
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24564
My Post Order
- Plugin:
-
My Post Order
- Plugin Slug:
- my-posts-order
- Installations
- 400+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68004
Table of Contents Creator
- Plugin:
-
Table of Contents Creator
- Plugin Slug:
- table-of-contents-creator
- Installations
- 400+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68836
iRobots.txt SEO
- Plugin:
-
iRobots.txt SEO
- Plugin Slug:
- irobotstxt-seo
- Installations
- 300+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68840
ravpage
- Plugin:
-
ravpage
- Plugin Slug:
- ravpage
- Installations
- 300+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68835
amr cron manager
- Plugin:
-
amr cron manager
- Plugin Slug:
- amr-cron-manager
- Installations
- 200+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68848
ArtPlacer Widget
- Plugin:
-
ArtPlacer Widget
- Plugin Slug:
- artplacer-widget
- Installations
- 200+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24555
ExpressTechSoftwares Addon for MemberPress and Discord
- Plugin Slug:
- expresstechsoftwares-memberpress-discord-add-on
- Installations
- 200+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68838
LifePress
- Plugin:
-
LifePress
- Plugin Slug:
- lifepress
- Installations
- 200+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24563
Paid Downloads
- Plugin:
-
Paid Downloads
- Plugin Slug:
- paid-downloads
- Installations
- 100+
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
-
2025-68857
wpCAS
- Plugin:
-
wpCAS
- Plugin Slug:
- wpcas
- Installations
- 100+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68858
Bookingor � Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings
- Plugin:
-
Bookingor � Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings
- Plugin Slug:
- bookingor
- Installations
- 80+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-12573
Dinatur
- Plugin:
-
Dinatur
- Plugin Slug:
- dinatur
- Installations
- 80+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68866
LazyTasks � Project & Task Management with Collaboration, Kanban and Gantt Chart
- Plugin Slug:
- lazytasks-project-task-management
- Installations
- 70+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
-
2025-68869
ABG Rich Pins
- Plugin:
-
ABG Rich Pins
- Plugin Slug:
- abg-rich-pins
- Installations
- 50+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24558
APPExperts � Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps
- Plugin Slug:
- appexperts
- Installations
- 40+
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68881
Scalenut
- Plugin:
-
Scalenut
- Plugin Slug:
- scalenut
- Installations
- 40+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68882
ShoutOut
- Plugin:
-
ShoutOut
- Plugin Slug:
- shoutout
- Installations
- 40+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68894
Administrative Shortcodes
- Plugin:
Administrative Shortcodes
- Plugin Slug:
- administrative-shortcodes
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1099
Administrative Shortcodes
- Plugin:
Administrative Shortcodes
- Plugin Slug:
- administrative-shortcodes
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2026-1257
AdminQuickbar
- Plugin:
AdminQuickbar
- Plugin Slug:
- adminquickbar
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14630
Alchemist Ajax Upload
- Plugin:
Alchemist Ajax Upload
- Plugin Slug:
- alchemist-ajax-upload
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14629
Alpha Blocks
- Plugin:
Alpha Blocks
- Plugin Slug:
- alpha-blocks
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14985
Canto Testimonials
- Plugin:
Canto Testimonials
- Plugin Slug:
- canto-testimonials
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1095
CM CSS Columns
- Plugin:
CM CSS Columns
- Plugin Slug:
- cm-css-columns
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1098
Cookie consent for developers
- Plugin:
Cookie consent for developers
- Plugin Slug:
- cookie-consent-for-developers
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1084
Coven Core
- Plugin:
Coven Core
- Plugin Slug:
- coven-core
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
-
2025-69295
Directorist Booking
- Plugin:
Directorist Booking
- Plugin Slug:
- directorist-booking
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
-
2026-22336
Directorist Social Login
- Plugin:
Directorist Social Login
- Plugin Slug:
- directorist-social-login
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
-
2026-22337
E-xact Hosted Payment
- Plugin:
E-xact Hosted Payment
- Plugin Slug:
- e-xact-hosted-payment
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-14829
Easy Theme Options
- Plugin:
Easy Theme Options
- Plugin Slug:
- easy-theme-options
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68839
Final User
- Plugin:
Final User
- Plugin Slug:
- final-user
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69293
Final User
- Plugin:
Final User
- Plugin Slug:
- final-user
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69187
fitness-trainer
- Plugin:
fitness-trainer
- Plugin Slug:
- fitness-trainer
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69188
GZSEO
- Plugin:
GZSEO
- Plugin Slug:
- gzseo
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14941
Hospital Doctor Directory
- Plugin:
Hospital Doctor Directory
- Plugin Slug:
- hospital-doctor-directory
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68057
Hospital Doctor Directory
- Plugin:
Hospital Doctor Directory
- Plugin Slug:
- hospital-doctor-directory
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69186
Hospital Doctor Directory
- Plugin:
Hospital Doctor Directory
- Plugin Slug:
- hospital-doctor-directory
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69183
Hotel Listing
- Plugin:
Hotel Listing
- Plugin Slug:
- hotel-listing
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68059
Hotel Listing
- Plugin:
Hotel Listing
- Plugin Slug:
- hotel-listing
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69185
Institutions Directory
- Plugin:
Institutions Directory
- Plugin Slug:
- institutions-directory
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-68058
Institutions Directory
- Plugin:
Institutions Directory
- Plugin Slug:
- institutions-directory
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69184
Institutions Directory
- Plugin:
Institutions Directory
- Plugin Slug:
- institutions-directory
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69182
Integrate Google Drive
- Plugin:
Integrate Google Drive
- Plugin Slug:
- integrate-google-drive
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24540
JavaScript Notifier
- Plugin:
JavaScript Notifier
- Plugin Slug:
- javascript-notifier
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1191
JobBank
- Plugin:
JobBank
- Plugin Slug:
- jobbank
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69189
JustClick registration plugin
- Plugin:
JustClick registration plugin
- Plugin Slug:
- justclick-subscriber
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-13676
Kalrav AI Agent
- Plugin:
Kalrav AI Agent
- Plugin Slug:
- kalrav-ai-agent
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
-
2025-13374
Lawyer Directory
- Plugin:
Lawyer Directory
- Plugin Slug:
- lawyer-directory
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69181
ListingHub
- Plugin:
ListingHub
- Plugin Slug:
- listinghub
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69191
Login Page Editor
- Plugin:
Login Page Editor
- Plugin Slug:
- login-page-editor
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1088
Meta-box GalleryMeta
- Plugin:
Meta-box GalleryMeta
- Plugin Slug:
- meta-box-gallerymeta
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Low
- CVE:
-
2026-0687
Meta-box GalleryMeta
- Plugin:
Meta-box GalleryMeta
- Plugin Slug:
- meta-box-gallerymeta
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1302
Moderate Selected Posts
- Plugin:
Moderate Selected Posts
- Plugin Slug:
- moderate-selected-posts
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14907
Postalicious
- Plugin:
Postalicious
- Plugin Slug:
- postalicious
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1266
Radio Player
- Plugin:
Radio Player
- Plugin Slug:
- radio-player
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24548
Real Estate Pro
- Plugin:
Real Estate Pro
- Plugin Slug:
- real-estate-pro
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69192
Responsive Header
- Plugin:
Responsive Header
- Plugin Slug:
- responsive-header
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1300
Set Bulk Post Categories
- Plugin:
Set Bulk Post Categories
- Plugin Slug:
- set-bulk-post-categories
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1081
Simple Crypto Shortcodes
- Plugin:
Simple Crypto Shortcodes
- Plugin Slug:
- simple-crypto-shortcodes
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14903
Star Review Manager
- Plugin:
Star Review Manager
- Plugin Slug:
- star-review-manager
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1076
ThemeRuby Multi Authors
- Plugin:
ThemeRuby Multi Authors
- Plugin Slug:
- themeruby-multi-authors
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1097
Ultra Portfolio
- Plugin:
Ultra Portfolio
- Plugin Slug:
- ultra-portfolio
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69180
Alex User Counter
- Plugin:
Alex User Counter
- Plugin Slug:
- user-counter
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1070
Viet contact
- Plugin:
Viet contact
- Plugin Slug:
- viet-contact
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1045
VK Google Job Posting Manager
- Plugin:
VK Google Job Posting Manager
- Plugin Slug:
- vk-google-job-posting-manager
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-12836
Wise Analytics
- Plugin:
Wise Analytics
- Plugin Slug:
- wise-analytics
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14609
WishList Member X
- Plugin:
WishList Member X
- Plugin Slug:
- wishlist-member-x
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-24575
Wizit Gateway for WooCommerce
- Plugin:
Wizit Gateway for WooCommerce
- Plugin Slug:
- wizit-gateway-for-woocommerce
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14843
WP-ClanWars
- Plugin:
WP-ClanWars
- Plugin Slug:
- wp-clanwars
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2026-0806
WP Hello Bar
- Plugin:
WP Hello Bar
- Plugin Slug:
- wp-hello-bar
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1042
WP Membership
- Plugin:
WP Membership
- Plugin Slug:
- wp-membership
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69292
WP Membership
- Plugin:
WP Membership
- Plugin Slug:
- wp-membership
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69193
WP Youtube Video Gallery
- Plugin:
WP Youtube Video Gallery
- Plugin Slug:
- wp-youtube-video-gallery
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-14906
ZT Captcha
- Plugin:
ZT Captcha
- Plugin Slug:
- zt-captcha
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2026-1075
The Events Calendar
- Plugin:
-
The Events Calendar
- Plugin Slug:
- the-events-calendar
- Installations
- 700,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 6.15.13.1
- Severity Score:
- Medium
- CVE:
-
2025-15043
MetForm � Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
- Plugin Slug:
- metform
- Installations
- 600,000+
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 4.1.1
- Severity Score:
- Low
- CVE:
-
2026-0633
Happy Addons for Elementor
- Plugin:
-
Happy Addons for Elementor
- Plugin Slug:
- happy-elementor-addons
- Installations
- 400,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.20.6
- Severity Score:
- High
- CVE:
-
2025-68999
Custom Fonts � Host Your Fonts Locally
- Plugin Slug:
- custom-fonts
- Installations
- 300,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.1.17
- Severity Score:
- Medium
- CVE:
-
2025-14351
Newsletter � Send awesome emails from WordPress
- Plugin Slug:
- newsletter
- Installations
- 300,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 9.1.1
- Severity Score:
- Medium
- CVE:
-
2026-1051
WP Go Maps (formerly WP Google Maps)
- Plugin Slug:
- wp-google-maps
- Installations
- 300,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 10.0.05
- Severity Score:
- Medium
- CVE:
-
2026-0593
Photo Gallery by 10Web � Mobile-Friendly Image Gallery
- Plugin Slug:
- photo-gallery
- Installations
- 200,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.8.37
- Severity Score:
- Medium
- CVE:
-
2026-1036
Advanced Custom Fields: Extended
- Plugin:
-
Advanced Custom Fields: Extended
- Plugin Slug:
- acf-extended
- Installations
- 100,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 0.9.2.2
- Severity Score:
- Critical
- CVE:
-
2025-14533
Beaver Builder Page Builder � Drag and Drop Website Builder
- Plugin Slug:
- beaver-builder-lite-version
- Installations
- 100,000+
- Vulnerability:
- Arbitrary Code Execution
- Patched in Version:
- 2.9.4.2
- Severity Score:
- High
- CVE:
-
2025-69319
BuddyPress
- Plugin:
-
BuddyPress
- Plugin Slug:
- buddypress
- Installations
- 100,000+
- Vulnerability:
- Arbitrary Code Execution
- Patched in Version:
- 14.3.4
- Severity Score:
- High
- CVE:
-
2024-11976
Schema & Structured Data for WP & AMP
- Plugin Slug:
- schema-and-structured-data-for-wp
- Installations
- 100,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.54.1
- Severity Score:
- Medium
- CVE:
-
2025-14069
Tutor LMS � eLearning and online course solution
- Plugin Slug:
- tutor
- Installations
- 100,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.9.5
- Severity Score:
- Medium
- CVE:
-
2026-0548
LearnPress � WordPress LMS Plugin for Create and Sell Online Courses
- Plugin Slug:
- learnpress
- Installations
- 80,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.3.2.5
- Severity Score:
- Medium
- CVE:
-
2025-14798
Koko Analytics � Privacy+Friendly statistics for WordPress
- Plugin Slug:
- koko-analytics
- Installations
- 60,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.1.3
- Severity Score:
- Medium
- CVE:
-
2026-22850
Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
- Plugin Slug:
- simply-schedule-appointments
- Installations
- 60,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.6.9.17
- Severity Score:
- Medium
- CVE:
-
2025-69315
User Registration & Membership � Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
- Plugin Slug:
- user-registration
- Installations
- 60,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.4.7
- Severity Score:
- High
- CVE:
-
2025-67956
Uncanny Automator � Easy Automation, Integration, Webhooks & Workflow Builder Plugin
- Plugin Slug:
- uncanny-automator
- Installations
- 50,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.0.0
- Severity Score:
- Medium
- CVE:
-
2025-15522
RSS Aggregator � RSS Import, News Feeds, Feed to Post, and Autoblogging
- Plugin Slug:
- wp-rss-aggregator
- Installations
- 50,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 5.0.11
- Severity Score:
- Medium
- CVE:
-
2025-14745
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution � Build Your Own Amazon, eBay, Etsy
- Plugin:
-
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution � Build Your Own Amazon, eBay, Etsy
- Plugin Slug:
- dokan-lite
- Installations
- 40,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 4.2.5
- Severity Score:
- High
- CVE:
-
2025-14977
NotificationX � FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
- Plugin Slug:
- notificationx
- Installations
- 40,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.2.1
- Severity Score:
- Medium
- CVE:
-
2026-0554
NotificationX � FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
- Plugin Slug:
- notificationx
- Installations
- 40,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.2.1
- Severity Score:
- High
- CVE:
-
2025-15380
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites � PostX
- Plugin Slug:
- ultimate-post
- Installations
- 40,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.0.4
- Severity Score:
- High
- CVE:
-
2025-69313
MailerLite � WooCommerce integration
- Plugin Slug:
- woo-mailerlite
- Installations
- 30,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.1.3
- Severity Score:
- Critical
- CVE:
-
2025-67945
Xpro Addons � 140+ Widgets for Elementor
- Plugin Slug:
- xpro-elementor-addons
- Installations
- 30,000+
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 1.4.20
- Severity Score:
- Critical
- CVE:
-
2025-69312
All-in-One Video Gallery
- Plugin:
-
All-in-One Video Gallery
- Plugin Slug:
- all-in-one-video-gallery
- Installations
- 20,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.7.1
- Severity Score:
- Medium
- CVE:
-
2025-15516
All-in-One Video Gallery
- Plugin:
-
All-in-One Video Gallery
- Plugin Slug:
- all-in-one-video-gallery
- Installations
- 20,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.7.1
- Severity Score:
- Medium
- CVE:
-
2025-14947
Image Photo Gallery Final Tiles Grid
- Plugin Slug:
- final-tiles-grid-gallery-lite
- Installations
- 20,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.6.10
- Severity Score:
- Medium
- CVE:
-
2025-15466
UPI QR Code Payment Gateway for WooCommerce
- Plugin Slug:
- upi-qr-code-payment-for-woocommerce
- Installations
- 20,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.6.1
- Severity Score:
- Medium
- CVE:
-
2025-67969
Demo Importer Plus
- Plugin:
-
Demo Importer Plus
- Plugin Slug:
- demo-importer-plus
- Installations
- 10,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 2.0.10
- Severity Score:
- High
- CVE:
-
2025-14478
FlatPM � Ad Manager, AdSense and Custom Code
- Plugin Slug:
- flatpm-wp
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.2.3
- Severity Score:
- Medium
- CVE:
-
2026-0690
Head Meta Data
- Plugin:
-
Head Meta Data
- Plugin Slug:
- head-meta-data
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 20260105
- Severity Score:
- Medium
- CVE:
-
2026-0608
LA-Studio Element Kit for Elementor
- Plugin Slug:
- lastudio-element-kit
- Installations
- 10,000+
- Vulnerability:
- Backdoor
- Patched in Version:
- 1.6.0
- Severity Score:
- Critical
- CVE:
-
2026-0920
Nexter Extension � Site Enhancements Toolkit
- Plugin Slug:
- nexter-extension
- Installations
- 10,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 4.4.7
- Severity Score:
- Critical
- CVE:
-
2026-0726
Recipe Card Blocks Lite
- Plugin:
-
Recipe Card Blocks Lite
- Plugin Slug:
- recipe-card-blocks-by-wpzoom
- Installations
- 10,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.4.13
- Severity Score:
- High
- CVE:
-
2025-14973
WP DSGVO Tools (GDPR)
- Plugin:
-
WP DSGVO Tools (GDPR)
- Plugin Slug:
- shapepress-dsgvo
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.1.37
- Severity Score:
- Medium
- CVE:
-
2026-0914
User Submitted Posts � Enable Users to Submit Posts from the Front End
- Plugin Slug:
- user-submitted-posts
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 20260110
- Severity Score:
- High
- CVE:
-
2026-0800
weMail � Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation
- Plugin Slug:
- wemail
- Installations
- 10,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.0.8
- Severity Score:
- Medium
- CVE:
-
2025-14348
WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)
- Plugin Slug:
- wpo365-login
- Installations
- 10,000+
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- 40.1
- Severity Score:
- Medium
- CVE:
-
2025-67961
RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
- Plugin Slug:
- custom-registration-form-builder-with-submission-manager
- Installations
- 9,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 6.0.7.2
- Severity Score:
- Critical
- CVE:
-
2025-15403
Nexter Gutenberg Blocks � Website Builder & 1000+ Starter Templates
- Plugin Slug:
- the-plus-addons-for-block-editor
- Installations
- 9,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 4.6.4
- Severity Score:
- Medium
- CVE:
-
2026-24377
Automatic Featured Images from Videos
- Plugin Slug:
- automatic-featured-images-from-videos
- Installations
- 8,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.2.8
- Severity Score:
- Medium
- CVE:
-
2026-24535
WP Job Portal � AI-Powered Recruitment System for Company or Job Board website
- Plugin Slug:
- wp-job-portal
- Installations
- 8,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 2.4.4
- Severity Score:
- Medium
- CVE:
-
2026-24379
Points and Rewards for WooCommerce � Create Loyalty Programs, Reward Customer Purchases, User Badges, Gamification
- Plugin Slug:
- points-and-rewards-for-woocommerce
- Installations
- 7,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.9.6
- Severity Score:
- Medium
- CVE:
-
2026-24581
Protecci�n de datos � RGPD
- Plugin:
-
Protecci�n de datos � RGPD
- Plugin Slug:
- proteccion-datos-rgpd
- Installations
- 7,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 0.69
- Severity Score:
- Medium
- CVE:
-
2026-24539
Poll, Survey & Quiz Maker Plugin by Opinion Stage
- Plugin Slug:
- social-polls-by-opinionstage
- Installations
- 7,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 19.6.25
- Severity Score:
- High
Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
- Plugin Slug:
- cf7-hubspot
- Installations
- 5,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 1.4.4
- Severity Score:
- Medium
- CVE:
-
2026-24559
FluentBoards � Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
- Plugin Slug:
- fluent-boards
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.9.1.2
- Severity Score:
- Medium
- CVE:
-
2026-24561
Media Library File Size
- Plugin:
-
Media Library File Size
- Plugin Slug:
- media-library-file-size
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.6.8
- Severity Score:
- Medium
- CVE:
-
2026-24569
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
- Plugin Slug:
- wedocs
- Installations
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.1.17
- Severity Score:
- Medium
- CVE:
-
2025-13921
Booking Activities
- Plugin:
-
Booking Activities
- Plugin Slug:
- booking-activities
- Installations
- 4,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.16.45
- Severity Score:
- High
- CVE:
-
2025-67953
Nelio A/B Testing � AB Tests and Heatmaps for Better Conversion Optimization
- Plugin Slug:
- nelio-ab-testing
- Installations
- 4,000+
- Vulnerability:
- Arbitrary Code Execution
- Patched in Version:
- 8.2.0
- Severity Score:
- Critical
- CVE:
-
2025-67944
Tabby Checkout
- Plugin:
-
Tabby Checkout
- Plugin Slug:
- tabby-checkout
- Installations
- 4,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 5.9.1
- Severity Score:
- High
- CVE:
-
2025-68035
AIKTP
Frontis Blocks � Block Library for the Block Editor
- Plugin Slug:
- frontis-blocks
- Installations
- 3,000+
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- 1.1.7
- Severity Score:
- High
- CVE:
-
2026-0807
Frontis Blocks � Block Library for the Block Editor
- Plugin Slug:
- frontis-blocks
- Installations
- 3,000+
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- 1.1.6
- Severity Score:
- High
- CVE:
-
2025-68030
Gallery PhotoBlocks
- Plugin:
-
Gallery PhotoBlocks
- Plugin Slug:
- photoblocks-grid-gallery
- Installations
- 3,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.3.3
- Severity Score:
- Medium
- CVE:
-
2026-24389
Salon Booking System � Free Version
- Plugin Slug:
- salon-booking-system
- Installations
- 3,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 10.30.4
- Severity Score:
- Medium
- CVE:
-
2025-67954
Same Category Posts
- Plugin:
-
Same Category Posts
- Plugin Slug:
- same-category-posts
- Installations
- 3,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.1.20
- Severity Score:
- Medium
- CVE:
-
2025-14797
WP Directory Kit
- Plugin:
-
WP Directory Kit
- Plugin Slug:
- wpdirectorykit
- Installations
- 3,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 1.5.0
- Severity Score:
- Medium
- CVE:
-
2025-13920
Academy LMS � WordPress LMS Plugin for Complete eLearning Solution
- Plugin Slug:
- academy
- Installations
- 2,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 3.5.1
- Severity Score:
- Critical
- CVE:
-
2025-15521
Hydra Booking � Appointment Scheduling & Booking Calendar
- Plugin Slug:
- hydra-booking
- Installations
- 2,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.1.33
- Severity Score:
- High
- CVE:
-
2025-68027
KiviCare � Clinic & Patient Management System (EHR)
- Plugin Slug:
- kivicare-clinic-management-system
- Installations
- 2,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.6.16
- Severity Score:
- Medium
- CVE:
-
2026-0927
Wallet System for WooCommerce � Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
- Plugin Slug:
- wallet-system-for-woocommerce
- Installations
- 2,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.7.3
- Severity Score:
- Medium
- CVE:
-
2025-14450
ElementCamp
- Plugin:
-
ElementCamp
- Plugin Slug:
- element-camp
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.3.6
- Severity Score:
- Medium
- CVE:
-
2026-24556
Friendly Functions for Welcart
- Plugin:
-
Friendly Functions for Welcart
- Plugin Slug:
- friendly-functions-for-welcart
- Installations
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.2.6
- Severity Score:
- Medium
- CVE:
-
2026-1208
JobWP � Job Board, Job Listing, Career Page and Recruitment Plugin
- Plugin Slug:
- jobwp
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.4.6
- Severity Score:
- High
- CVE:
-
2025-69318
GDPR CCPA Compliance & Cookie Consent Banner
- Plugin Slug:
- ninja-gdpr-compliance
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.7.5
- Severity Score:
- Medium
- CVE:
-
2025-68073
Quick Contact Form
- Plugin:
-
Quick Contact Form
- Plugin Slug:
- quick-contact-form
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 8.2.7
- Severity Score:
- Medium
- CVE:
-
2025-12718
Broadstreet
- Plugin:
-
Broadstreet
- Plugin Slug:
- broadstreet
- Installations
- 700+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.52.2
- Severity Score:
- High
- CVE:
-
2025-69311
My auctions allegro
- Plugin:
-
My auctions allegro
- Plugin Slug:
- my-auctions-allegro-free-edition
- Installations
- 600+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.6.33
- Severity Score:
- High
- CVE:
-
2025-67943
TaxCloud for WooCommerce
- Plugin:
-
TaxCloud for WooCommerce
- Plugin Slug:
- simple-sales-tax
- Installations
- 500+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 8.4.0
- Severity Score:
- Medium
- CVE:
-
2025-67958
PeachPay � Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net)
- Plugin Slug:
- peachpay-for-woocommerce
- Installations
- 400+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.119.9
- Severity Score:
- Medium
- CVE:
-
2025-14978
TableOn � WordPress Posts Table Filterable�
- Plugin Slug:
- posts-table-filterable
- Installations
- 300+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.0.4.3
- Severity Score:
- High
- CVE:
-
2025-69316
Thim Blocks
- Plugin:
-
Thim Blocks
- Plugin Slug:
- thim-blocks
- Installations
- 300+
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- 1.0.2
- Severity Score:
- Medium
- CVE:
-
2025-13725
Link Invoice Payment for WooCommerce
- Plugin Slug:
- invoice-payment-for-woocommerce
- Installations
- 200+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.8.1
- Severity Score:
- Medium
- CVE:
-
2025-14971
Creator LMS � The LMS for Creators, Coaches, and Trainers
- Plugin Slug:
- creatorlms
- Installations
- 100+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.1.13
- Severity Score:
- High
- CVE:
-
2025-15347
Melapress Role Editor
- Plugin:
-
Melapress Role Editor
- Plugin Slug:
- melapress-role-editor
- Installations
- 50+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.2.0
- Severity Score:
- High
- CVE:
-
2025-14866
AdForest Elementor
- Plugin:
AdForest Elementor
- Plugin Slug:
- adforest-elementor
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.0.12
- Severity Score:
- High
- CVE:
-
2025-67947
Homey Core
- Plugin:
Homey Core
- Plugin Slug:
- homey-core
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.4.4
- Severity Score:
- High
- CVE:
-
2025-67964
Kentha Elementor Widgets
- Plugin:
Kentha Elementor Widgets
- Plugin Slug:
- kentha-elementor
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 3.1
- Severity Score:
- High
- CVE:
-
2026-24390
Lawyer Directory
- Plugin:
Lawyer Directory
- Plugin Slug:
- lawyer-directory
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.3.4
- Severity Score:
- High
- CVE:
-
2025-67967
Lawyer Directory
- Plugin:
Lawyer Directory
- Plugin Slug:
- lawyer-directory
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.3.4
- Severity Score:
- High
- CVE:
-
2025-67966
Listivo Core
- Plugin:
Listivo Core
- Plugin Slug:
- listivo-core
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 2.3.78
- Severity Score:
- High
- CVE:
-
2025-67957
Movie Booking
- Plugin:
Movie Booking
- Plugin Slug:
- movie-booking
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 1.1.6
- Severity Score:
- High
- CVE:
-
2025-67963
MyHome Core
- Plugin:
MyHome Core
- Plugin Slug:
- myhome-core
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 4.1.1
- Severity Score:
- High
- CVE:
-
2025-67955
Real Homes CRM
- Plugin:
Real Homes CRM
- Plugin Slug:
- realhomes-crm
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 1.0.1
- Severity Score:
- Critical
- CVE:
-
2025-67968
Schedula � Smart Appointment Booking
- Plugin Slug:
- schedula-smart-appointment-booking
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.1
- Severity Score:
- Medium
- CVE:
-
2025-67970
WorkScout-Core
- Plugin:
WorkScout-Core
- Plugin Slug:
- workscout-core
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.7.07
- Severity Score:
- High
- CVE:
-
2025-67960
YouTube Feed Pro
- Plugin:
YouTube Feed Pro
- Plugin Slug:
- youtube-feed-pro
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- 2.6.1
- Severity Score:
- High
- CVE:
-
2025-12002
WordPress Themes � 13 Patched / 5 Unpatched
EcoBlue
- Theme:
EcoBlue
- Theme Slug:
- ecoblue
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2026-22338
Enfold
- Theme:
Enfold
- Theme Slug:
- enfold
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-68900
Listihub
- Theme:
Listihub
- Theme Slug:
- listihub
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69190
PeakShops
- Theme:
PeakShops
- Theme Slug:
- peakshops
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-69294
Prowess
- Theme:
Prowess
- Theme Slug:
- prowess
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2026-24531
AdForest
- Theme:
AdForest
- Theme Slug:
- adforest
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 6.0.12
- Severity Score:
- High
- CVE:
-
2025-67946
CarSpot
- Theme:
CarSpot
- Theme Slug:
- carspot
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.4.6
- Severity Score:
- High
- CVE:
-
2025-69317
Craft
- Theme:
Craft
- Theme Slug:
- craftcoffee
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.3.7
- Severity Score:
- High
- CVE:
-
2025-68538
DotLife
- Theme:
DotLife
- Theme Slug:
- dotlife
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.9.5
- Severity Score:
- High
- CVE:
-
2025-68520
Grand Magazine
- Theme:
Grand Magazine
- Theme Slug:
- grandmagazine
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.5.8
- Severity Score:
- High
- CVE:
-
2025-69320
Grand Spa
- Theme:
Grand Spa
- Theme Slug:
- grandspa
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.5.6
- Severity Score:
- High
- CVE:
-
2025-69321
Grand Tour
- Theme:
Grand Tour
- Theme Slug:
- grandtour
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 5.6.2
- Severity Score:
- High
- CVE:
-
2025-67952
Hostiko
- Theme:
Hostiko
- Theme Slug:
- hostiko
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 94.3.6
- Severity Score:
- High
- CVE:
-
2025-67949
Hoteller
- Theme:
Hoteller
- Theme Slug:
- hoteller
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.8.9
- Severity Score:
- High
- CVE:
-
2025-68518
PeakShops
- Theme:
PeakShops
- Theme Slug:
- peakshops
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 1.5.9
- Severity Score:
- High
- CVE:
-
2025-69322
Traveler
- Theme:
Traveler
- Theme Slug:
- traveler
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.2.8
- Severity Score:
- High
- CVE:
-
2026-24367
Werkstatt
- Theme:
Werkstatt
- Theme Slug:
- werkstatt
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 4.8.3
- Severity Score:
- High
- CVE:
-
2025-69314
WorkScout
- Theme:
WorkScout
- Theme Slug:
- workscout
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.1.08
- Severity Score:
- High
- CVE:
-
2025-67959