WordPress Vulnerability Report � March 18, 2026

In this report, 159 vulnerabilities have been publicly disclosed. Security patches for 113 of these Core, plugins, and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 46 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9.4 is now available, addressing 10 security issues and a bug that affected template file loading on a limited number of sites. Because this is a security release,�it is recommended that you update your sites immediately.

Also, WordPress 7.0 Beta 5 is ready for download and testing! As this is a pre-release version, it is intended for�testing and development only�and should not be installed on production or mission-critical sites. Organizations should use local or staging environments to evaluate compatibility and new features before the final rollout.

WordPress 7.0 is scheduled for release on April 9, 2026.

Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.9.2
Severity Score:: Medium

Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 6.9.2
Severity Score:: Medium

Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.9.2
Severity Score:: Medium

Vulnerability:: XML External Entity (XXE)
Patched in Version:: 6.9.4
Severity Score:: Medium

Vulnerability:: Broken Access Control
Patched in Version:: 6.9.4
Severity Score:: Medium
CVE:: CVE-2026-3906

Vulnerability:: Broken Access Control
Patched in Version:: 6.9.2
Severity Score:: Medium

WordPress Plugins � 100 Patched / 30 Unpatched

Plugin:: WP ULike � Like & Dislike Buttons for Engagement and Feedback
Plugin Slug:: wp-ulike
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2358

Plugin:: StoreCustomizer � A plugin to Customize all WooCommerce Pages
Plugin Slug:: woocustomizer
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-27046

Plugin:: WPCafe � Restaurant Menu, Online Food Ordering and Reservation Booking Solution
Plugin Slug:: wp-cafe
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27071

Plugin:: Addi � Cuotas que se adaptan a ti
Plugin Slug:: buy-now-pay-later-addi
Installations: 2,000+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27073

Plugin:: TotalPoll for Polls and Contests
Plugin Slug:: totalpoll-lite
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27044

Plugin:: ViaBill � WooCommerce
Plugin Slug:: viabill-woocommerce
Installations: 500+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25469

Plugin:: Photo Contest | Competition | Video Contest
Plugin Slug:: totalcontest-lite
Installations: 300+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-0677

Plugin:: Mobile App Editor � WordPress to Android App Builder
Plugin Slug:: mobile-app-editor
Installations: 40+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27067

Plugin:: Admin Safety Guard � Login Security & 2FA
Plugin Slug:: admin-safety-guard
Installations: 10+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25471

Plugin:: ACPT (Pro) – Custom Post Types Plugin for WordPress
Plugin Slug:: advanced-custom-post-type
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25470

Plugin:: BuilderPress
Plugin Slug:: builderpress
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27065

Plugin:: Curly Core
Plugin Slug:: curly-core
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27047

Plugin:: Darna Framework
Plugin Slug:: darna-framework
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27088

Plugin:: DukaPress
Plugin Slug:: dukapress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2466

Plugin:: Everest Forms Pro
Plugin Slug:: everest-forms-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27070

Plugin:: Handmade Framework
Plugin Slug:: handmade-framework
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22520

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27049

Plugin:: Legacy Admin
Plugin Slug:: legacy-admin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22524

Plugin:: MetForm Pro
Plugin Slug:: metform-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-24611

Plugin:: Modern Events Calendar
Plugin Slug:: modern-events-calendar
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-32583

Plugin:: Penci Soledad Data Migrator
Plugin Slug:: penci-data-migrator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27054

Plugin:: WooCommerce Infinite Scroll
Plugin Slug:: sb-woocommerce-infinite-scroll
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27045

Plugin:: The Aisle Core
Plugin Slug:: theaisle-core
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27048

Plugin:: UiPress lite
Plugin Slug:: uipress-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-27091

Plugin:: Ultra WordPress Admin
Plugin Slug:: ultra-admin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22523

Plugin:: Unlimited Elements for Elementor (Premium)
Plugin Slug:: unlimited-elements-for-elementor-premium
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27041

Plugin:: Wolverine Framework
Plugin Slug:: wolverine-framework
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27087

Plugin:: WZone
Plugin Slug:: woozone
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27039

Plugin:: WZone
Plugin Slug:: woozone
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27040

Plugin:: WP App Bar
Plugin Slug:: wp-app-bar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1074

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 7,000,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 10.5.3
Severity Score:: Medium
CVE:: 2026-3589

Plugin:: Really Simple Security � Simple and Performant Security (formerly Really Simple SSL)
Plugin Slug:: really-simple-ssl
Installations: 3,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 9.5.8
Severity Score:: Medium
CVE:: 2026-32461

Plugin:: MC4WP: Mailchimp for WordPress
Plugin Slug:: mailchimp-for-wp
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.12.0
Severity Score:: Medium
CVE:: 2026-1781

Plugin:: The Events Calendar
Plugin Slug:: the-events-calendar
Installations: 700,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 6.15.17.1
Severity Score:: High
CVE:: 2026-3585

Plugin:: Royal Addons for Elementor � Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.7.1050
Severity Score:: High
CVE:: 2025-13067

Plugin:: Meta Box
Plugin Slug:: meta-box
Installations: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.11.2
Severity Score:: High
CVE:: 2025-14675

Plugin:: PixelYourSite � Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.2.0.1
Severity Score:: High
CVE:: 2026-1841

Plugin:: Ally � Web Accessibility & Usability
Plugin Slug:: pojo-accessibility
Installations: 500,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.1.0
Severity Score:: Critical
CVE:: 2026-2413

Plugin:: Checkout Field Editor (Checkout Manager) for WooCommerce
Plugin Slug:: woo-checkout-field-editor-pro
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.8
Severity Score:: High
CVE:: 2026-3231

Plugin:: Admin Menu Editor
Plugin Slug:: admin-menu-editor
Installations: 400,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.15
Severity Score:: Medium
CVE:: 2026-32456

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.21.1
Severity Score:: Medium
CVE:: 2026-2917

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.21.1
Severity Score:: Medium
CVE:: 2026-2918

Plugin:: Formidable Forms � Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Plugin Slug:: formidable
Installations: 300,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.29
Severity Score:: Medium
CVE:: 2026-2888

Plugin:: Formidable Forms � Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
Plugin Slug:: formidable
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.29
Severity Score:: High
CVE:: 2026-2890

Plugin:: ExactMetrics � Google Analytics Dashboard for WordPress (Website Stats Plugin)
Plugin Slug:: google-analytics-dashboard-for-wp
Installations: 300,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 9.0.3
Severity Score:: Critical
CVE:: 2026-1993

Plugin:: ExactMetrics � Google Analytics Dashboard for WordPress (Website Stats Plugin)
Plugin Slug:: google-analytics-dashboard-for-wp
Installations: 300,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 9.0.3
Severity Score:: High
CVE:: 2026-1992

Plugin:: Unlimited Elements For Elementor
Plugin Slug:: unlimited-elements-for-elementor
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6
Severity Score:: High
CVE:: 2026-2724

Plugin:: Dear Flipbook � PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Plugin Slug:: 3d-flipbook-dflip-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.27
Severity Score:: Medium
CVE:: 2026-2569

Plugin:: LatePoint � Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.8
Severity Score:: High
CVE:: 2026-2324

Plugin:: My Sticky Bar � Floating Notification Bar & Sticky Header (formerly myStickymenu)
Plugin Slug:: mystickymenu
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.7
Severity Score:: Critical
CVE:: 2026-3657

Plugin:: Social Icons Widget & Block � Social Media Icons & Share Buttons
Plugin Slug:: social-icons-widget-by-wpzoom
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.5.9
Severity Score:: Medium
CVE:: 2026-4063

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.9.5
Severity Score:: Medium
CVE:: 2025-32223

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content � ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.16.12
Severity Score:: High
CVE:: 2026-3453

Plugin:: LearnPress � WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Medium
CVE:: 2026-3226

Plugin:: GetGenie � AI Content Writer with Keyword Research & SEO Tracking Tools
Plugin Slug:: getgenie
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.3
Severity Score:: Medium
CVE:: 2026-2257

Plugin:: GetGenie � AI Content Writer with Keyword Research & SEO Tracking Tools
Plugin Slug:: getgenie
Installations: 70,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.3.3
Severity Score:: Medium
CVE:: 2026-2879

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.10.0
Severity Score:: High
CVE:: 2026-3045

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.6.10.0
Severity Score:: Medium
CVE:: 2026-1704

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.9.29
Severity Score:: Critical
CVE:: 2026-1708

Plugin:: Ultra Addons for Contact Form 7
Plugin Slug:: ultimate-addons-for-contact-form-7
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.37
Severity Score:: Medium
CVE:: 2026-32460

Plugin:: WP Maps � Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.2
Severity Score:: Critical
CVE:: 2026-3222

Plugin:: Advanced Product Fields (Product Addons) for WooCommerce
Plugin Slug:: advanced-product-fields-for-woocommerce
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.19
Severity Score:: Medium
CVE:: 2026-32457

Plugin:: RTMKit
Plugin Slug:: rometheme-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.0
Severity Score:: High
CVE:: 2025-12473

Plugin:: RSS Aggregator � RSS Import, News Feeds, Feed to Post, and Autoblogging
Plugin Slug:: wp-rss-aggregator
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.12
Severity Score:: High
CVE:: 2026-2433

Plugin:: Calculated Fields Form
Plugin Slug:: calculated-fields-form
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.5.1
Severity Score:: Medium
CVE:: 2026-3986

Plugin:: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution � Build Your Own Amazon, eBay, Etsy
Plugin Slug:: dokan-lite
Installations: 40,000+
Vulnerability:: Broken Authentication
Patched in Version:: 4.2.5
Severity Score:: High
CVE:: 2026-24359

Plugin:: Modular DS: Monitor, update, and backup multiple websites
Plugin Slug:: modular-connector
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.0
Severity Score:: Medium
CVE:: 2026-3903

Plugin:: Master Addons For Elementor � Widgets, Extensions, Theme Builder, Popup Builder & Template Kits
Plugin Slug:: master-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2026-32462

Plugin:: NextScripts: Social Networks Auto-Poster
Plugin Slug:: social-networks-auto-poster-facebook-twitter-g
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.7
Severity Score:: Medium
CVE:: 2026-3228

Plugin:: Website LLMs.txt
Plugin Slug:: website-llms-txt
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.7
Severity Score:: High
CVE:: 2026-27068

Plugin:: Gutena Forms � Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder
Plugin Slug:: gutena-forms
Installations: 20,000+
Vulnerability:: Settings Change
Patched in Version:: 1.6.1
Severity Score:: Medium
CVE:: 2026-1753

Plugin:: Post Snippets � Custom WordPress Code Snippets Customizer
Plugin Slug:: post-snippets
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 4.0.13
Severity Score:: High
CVE:: 2026-25001

Plugin:: Thim Kit for Elementor � Pre-built Templates & Widgets for Elementor
Plugin Slug:: thim-elementor-kit
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2026-1870

Plugin:: Wicked Folders � Folder Organizer for Pages, Posts, and Custom Post Types
Plugin Slug:: wicked-folders
Installations: 20,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.1.1
Severity Score:: Medium
CVE:: 2026-1883

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.9
Severity Score:: Medium
CVE:: 2026-2233

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.6
Severity Score:: Medium
CVE:: 2026-24364

Plugin:: Job Postings
Plugin Slug:: job-postings
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.1
Severity Score:: High
CVE:: 2026-23806

Plugin:: Lead Form Builder & Contact Form
Plugin Slug:: lead-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: High
CVE:: 2026-1454

Plugin:: Subscriptions for WooCommerce
Plugin Slug:: subscriptions-for-woocommerce
Installations: 10,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.9.0
Severity Score:: High
CVE:: 2026-24372

Plugin:: weForms � Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.28
Severity Score:: Medium
CVE:: 2026-2707

Plugin:: Xagio SEO � AI Powered SEO
Plugin Slug:: xagio-seo
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 7.1.0.31
Severity Score:: Critical
CVE:: 2026-24968

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.0.7.2
Severity Score:: High
CVE:: 2026-24373

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 6.0.7.2
Severity Score:: Medium
CVE:: 2025-15520

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.7.0
Severity Score:: High
CVE:: 2025-69358

Plugin:: NEX-Forms � Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 9.1.10
Severity Score:: Medium
CVE:: 2026-1948

Plugin:: Reading progressbar
Plugin Slug:: reading-progress-bar
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: Medium
CVE:: 2026-2687

Plugin:: UpsellWP � WooCommerce Upsell and Related Products Offers
Plugin Slug:: checkout-upsell-and-order-bumps
Installations: 5,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.2.5
Severity Score:: High
CVE:: 2026-32459

Plugin:: WOLF � WordPress Posts Bulk Editor and Manager Professional
Plugin Slug:: bulk-editor
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.0.9
Severity Score:: High
CVE:: 2026-32458

Plugin:: Responsive Blocks � Page Builder for Blocks & Patterns
Plugin Slug:: responsive-block-editor-addons
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2026-32543

Plugin:: JS Archive List
Plugin Slug:: jquery-archive-list-widget
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.2.0
Severity Score:: High
CVE:: 2026-2020

Plugin:: Name Directory
Plugin Slug:: name-directory
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.33.0
Severity Score:: High
CVE:: 2026-3178

Plugin:: Simple Ajax Chat � Add a Fast, Secure Chat Box
Plugin Slug:: simple-ajax-chat
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 20260301
Severity Score:: High
CVE:: 2026-2987

Plugin:: Timetics � Appointment Booking Calendar & Scheduling System
Plugin Slug:: timetics
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.52
Severity Score:: Medium
CVE:: 2025-15473

Plugin:: Contest Gallery � Upload & Vote Photos, Media, Sell with PayPal & Stripe
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 28.1.2.2
Severity Score:: Medium
CVE:: 2026-24964

Plugin:: Flexmls� IDX Plugin
Plugin Slug:: flexmls-idx
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.15.10
Severity Score:: High
CVE:: 2026-25369

Plugin:: Active Products Tables for WooCommerce. Use constructor to create tables�
Plugin Slug:: profit-products-tables-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.8
Severity Score:: Medium
CVE:: 2026-32450

Plugin:: WP Easy Pay � Payment and Donation form Builder for Square
Plugin Slug:: wp-easy-pay
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.12
Severity Score:: Medium
CVE:: 2026-32587

Plugin:: MDTF � Meta Data and Taxonomies Filter
Plugin Slug:: wp-meta-data-filter-and-taxonomy-filter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.6
Severity Score:: Medium
CVE:: 2026-32455

Plugin:: Booktics � Booking Calendar for Appointments and Service Businesses
Plugin Slug:: booktics
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.17
Severity Score:: Medium
CVE:: 2026-1919

Plugin:: Booktics � Booking Calendar for Appointments and Service Businesses
Plugin Slug:: booktics
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.17
Severity Score:: Medium
CVE:: 2026-1920

Plugin:: Datalogics Ecommerce Delivery � Datalogics
Plugin Slug:: datalogics
Installations: 400+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.6.60
Severity Score:: Critical
CVE:: 2026-2631

Plugin:: PitchPrint
Plugin Slug:: pitchprint
Installations: 400+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 11.2.0
Severity Score:: High
CVE:: 2026-22448

Plugin:: CM Custom Reports � Flexible reporting to track what matters most
Plugin Slug:: cm-custom-reports
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.8
Severity Score:: High
CVE:: 2026-2431

Plugin:: Guest posting / Frontend Posting / Front Editor � WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.0.6
Severity Score:: Medium
CVE:: 2026-1867

Plugin:: Court Reservation � Manage Your Court Bookings Online
Plugin Slug:: court-reservation
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.10.9
Severity Score:: Medium
CVE:: 2026-1508

Plugin:: LearnPress � Sepay Payment
Plugin Slug:: learnpress-sepay-payment
Installations: 100+
Vulnerability:: Broken Authentication
Patched in Version:: 4.0.1
Severity Score:: High
CVE:: 2026-25002

Plugin:: Pix for WooCommerce
Plugin Slug:: payment-gateway-pix-for-woocommerce
Installations: 100+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.6.0
Severity Score:: Critical
CVE:: 2026-3891

Plugin:: Primer MyData for Woocommerce
Plugin Slug:: primer-mydata
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.2
Severity Score:: High
CVE:: 2024-11809

Plugin:: Paid Videochat Turnkey Site � HTML5 PPV Live Webcams
Plugin Slug:: ppv-live-webcams
Installations: 30+
Vulnerability:: Privilege Escalation
Patched in Version:: 7.3.21
Severity Score:: High
CVE:: 2025-8899

Plugin:: ZIP Code Based Content Protection
Plugin Slug:: zip-code-based-content-protection
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: 1.0.3
Severity Score:: Critical
CVE:: 2025-14353

Plugin:: Divi Booster
Plugin Slug:: divi-booster
Vulnerability:: PHP Object Injection
Patched in Version:: 5.0.2
Severity Score:: Critical
CVE:: 2026-2626

Plugin:: Elated Listing
Plugin Slug:: eltd-listing
Vulnerability:: Broken Access Control
Patched in Version:: 1.5
Severity Score:: Medium
CVE:: 2026-24972

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Broken Access Control
Patched in Version:: 3.15.0
Severity Score:: Medium
CVE:: 2026-32452

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Broken Access Control
Patched in Version:: 3.15.0
Severity Score:: Medium
CVE:: 2026-32451

Plugin:: Avada Core
Plugin Slug:: fusion-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.15.0
Severity Score:: Medium
CVE:: 2026-32454

Plugin:: Avada Core
Plugin Slug:: fusion-core
Vulnerability:: Broken Access Control
Patched in Version:: 5.15.0
Severity Score:: Medium
CVE:: 2026-32453

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.29
Severity Score:: Medium
CVE:: 2026-3492

Plugin:: JetBooking
Plugin Slug:: jet-booking
Vulnerability:: SQL Injection
Patched in Version:: 4.0.3.1
Severity Score:: Critical
CVE:: 2026-3496

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.2
Severity Score:: High
CVE:: 2026-24979

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4.2
Severity Score:: High
CVE:: 2026-24978

Plugin:: MetForm Pro
Plugin Slug:: metform-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.7
Severity Score:: High
CVE:: 2026-1261

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: SQL Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24977

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: PHP Object Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24976

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24975

Plugin:: Visionary Core
Plugin Slug:: noo-visionary-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2026-24980

Plugin:: Visionary Core
Plugin Slug:: noo-visionary-core
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2026-24981

Plugin:: PixelYourSite PRO
Plugin Slug:: pixelyoursite-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.4.0.3
Severity Score:: High
CVE:: 2026-1844

Plugin:: tagDiv Composer
Plugin Slug:: td-composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.3
Severity Score:: High
CVE:: 2025-50001

Plugin:: tagDiv Opt-In Builder
Plugin Slug:: td-subscription
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.4
Severity Score:: High
CVE:: 2025-53222

Plugin:: Tutor LMS Pro
Plugin Slug:: tutor-pro
Vulnerability:: Broken Authentication
Patched in Version:: 3.9.6
Severity Score:: Critical
CVE:: 2026-0953

WordPress Themes � 7 Patched / 16 Unpatched

Theme:: Amfissa
Theme Slug:: amfissa
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27079

Theme:: Beelove
Theme Slug:: beelove
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-22507

Theme:: Belfort
Theme Slug:: belfort
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27075

Theme:: Buisson
Theme Slug:: buisson
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27084

Theme:: Deston
Theme Slug:: deston
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27080

Theme:: Emaurri
Theme Slug:: emaurri
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27078

Theme:: Golo
Theme Slug:: golo
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27051

Theme:: Jannah
Theme Slug:: jannah
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25464

Theme:: Love Story
Theme Slug:: lovestory
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27082

Theme:: LuxeDrive
Theme Slug:: luxedrive
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27076

Theme:: Melody
Theme Slug:: melodyschool
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22510

Theme:: MultiOffice
Theme Slug:: multioffice
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27077

Theme:: Photography
Theme Slug:: photography
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27043

Theme:: Rosebud
Theme Slug:: rosebud
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27081

Theme:: Work & Travel Company
Theme Slug:: work-travel-company
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27083

Theme:: Zorka
Theme Slug:: zorka
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69096

Theme:: Astra
Theme Slug:: astra
Downloads: 21,720,242
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.12.4
Severity Score:: Medium
CVE:: 2026-3534

Theme:: News Magazine X
Theme Slug:: news-magazine-x
Downloads: 76,558
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.51
Severity Score:: High
CVE:: 2026-24382

Theme:: Energox
Theme Slug:: energox
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-24970

Theme:: Instant VA
Theme Slug:: instantva
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.0.2
Severity Score:: High
CVE:: 2026-24969

Theme:: CitiLights
Theme Slug:: noo-citilights
Vulnerability:: PHP Object Injection
Patched in Version:: 3.7.2
Severity Score:: High
CVE:: 2026-24974

Theme:: CitiLights
Theme Slug:: noo-citilights
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.2
Severity Score:: High
CVE:: 2026-24973

Theme:: Search & Go
Theme Slug:: searchgo
Vulnerability:: Privilege Escalation
Patched in Version:: 2.8.1
Severity Score:: Critical
CVE:: 2026-24971