WordPress Vulnerability Report � March 19, 2025

In this report, 173 vulnerabilities have been publicly disclosed. Security patches for 63 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 110 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8 Beta 3 is ready for testing! This beta version of the WordPress software is under development. Please do not install, run, or test this version of WordPress on production or mission-critical websites. Instead, it is recommended you evaluate Beta 3 on a test server and site.

WordPress Plugins � 57 Patched / 105 Unpatched

Plugin:: Post Lockdown
Plugin Slug:: post-lockdown
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1504

Plugin:: Picture Gallery � Frontend Image Uploads, AJAX Photo List
Plugin Slug:: picture-gallery
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26581

Plugin:: CRM and Lead Management by vcita
Plugin Slug:: crm-customer-relationship-management-by-vcita
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13703

Plugin:: WP Email Delivery
Plugin Slug:: wp-email-delivery
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Video Share VOD � Turnkey Video Site Builder Script
Plugin Slug:: video-share-vod
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26583

Plugin:: MicroPayments � Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet
Plugin Slug:: paid-membership
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26579

Plugin:: amoCRM WebForm
Plugin Slug:: amocrm-webform
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28870

Plugin:: Another Events Calendar
Plugin Slug:: another-events-calendar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26536

Plugin:: ArielBrailovsky-ViralAd
Plugin Slug:: arielbrailovsky-viralad
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-2107

Plugin:: AS English Admin
Plugin Slug:: as-english-admin
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28896

Plugin:: Awesome Surveys
Plugin Slug:: awesome-surveys
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28878

Plugin:: Back To Top
Plugin Slug:: backtotop
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28940

Plugin:: Bee Layer Slider
Plugin Slug:: bee-layer-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28879

Plugin:: binlayerpress
Plugin Slug:: binlayerpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-2076

Plugin:: Block Spam By Math Reloaded
Plugin Slug:: block-spam-by-math-reloaded
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28872

Plugin:: Block Spam By Math Reloaded
Plugin Slug:: block-spam-by-math-reloaded
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28871

Plugin:: W3Counter Free Real-Time Web Stats
Plugin Slug:: blog-stats-by-w3counter
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28856

Plugin:: BlogBuzzTime for WP
Plugin Slug:: blogbuzztime-for-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-2078

Plugin:: CC-IMG-Shortcode
Plugin Slug:: cc-img-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1559

Plugin:: Builder for Contact Form 7 by Webconstruct
Plugin Slug:: cf7-builder
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28864

Plugin:: Contact Form 7 Select Box Editor Button
Plugin Slug:: contact-form-7-select-box-editor-button
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28902

Plugin:: Contact Us By Lord Linus
Plugin Slug:: contact-us-by-lord-linus
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1382

Plugin:: Coronavirus (COVID-19) Notice Message
Plugin Slug:: coronavirus-covid-19-notice-message
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0629

Plugin:: Custom Dashboard Page
Plugin Slug:: custom-dashboard-page
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28912

Plugin:: custom-field-list-widget
Plugin Slug:: custom-field-list-widget
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-23952

Plugin:: Custom top bar
Plugin Slug:: custom-top-bar
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28895

Plugin:: Delete Original Image
Plugin Slug:: delete-original-image
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28863

Plugin:: Display Template Name
Plugin Slug:: display-template-name
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28927

Plugin:: Domain Theme
Plugin Slug:: domain-theme
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28897

Plugin:: DP ALTerminator – Missing ALT manager
Plugin Slug:: dp-alterminator-missing-alt-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28943

Plugin:: Easy Image Display
Plugin Slug:: easy-image-display
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28919

Plugin:: Email Keep
Plugin Slug:: email-keep
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13826

Plugin:: Email Keep
Plugin Slug:: email-keep
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13825

Plugin:: Featured Posts Grid
Plugin Slug:: featured-posts-grid
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28905

Plugin:: Frontpage category filter
Plugin Slug:: frontpage-category-filter
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28867

Plugin:: FTP Sync
Plugin Slug:: ftp-sync
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28892

Plugin:: GetShop ecommerce
Plugin Slug:: getshop-ecommerce
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-54362

Plugin:: GetSocial
Plugin Slug:: getsocial
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22283

Plugin:: GNUCommerce
Plugin Slug:: gnucommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26564

Plugin:: GNUPress
Plugin Slug:: gnupress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26565

Plugin:: Go To Top
Plugin Slug:: go-to-top
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28922

Plugin:: Google News Editors Picks Feed Generator
Plugin Slug:: google-news-editors-picks-news-feeds
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28860

Plugin:: In Stock Mailer for WooCommerce
Plugin Slug:: in-stock-mailer-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26566

Plugin:: Insert Code
Plugin Slug:: insert-code
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28932

Plugin:: Lava Ajax Search
Plugin Slug:: lava-ajax-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28937

Plugin:: LinkedIn Lite
Plugin Slug:: linkedin-lite
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-23937

Plugin:: List Mixcloud
Plugin Slug:: list-mixcloud
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28930

Plugin:: List of Posts from each Category plugin for WordPress
Plugin Slug:: list-posts-by-category
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28894

Plugin:: Login Logger
Plugin Slug:: login-logger
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28866

Plugin:: Lunar
Plugin Slug:: lunar-sell-photos-online
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28936

Plugin:: MaxA/B
Plugin Slug:: maxab
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28933

Plugin:: Members page only for logged in users
Plugin Slug:: members-page-only-for-logged-in-users
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28901

Plugin:: PHP/MySQL CPU performance statistics
Plugin Slug:: mywebtonet-performancestats
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-22526

Plugin:: No Disposable Email
Plugin Slug:: no-disposable-email
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28923

Plugin:: pixelstats
Plugin Slug:: pixelstats
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-2164

Plugin:: PluginPass
Plugin Slug:: pluginpass-pro-plugintheme-licensing
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-54291

Plugin:: Plugins Last Updated Column
Plugin Slug:: plugins-last-updated-column
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28887

Plugin:: Portfolio and Projects
Plugin Slug:: portfolio-and-projects
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13847

Plugin:: Post Read Time
Plugin Slug:: post-read-time
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28926

Plugin:: price-calc
Plugin Slug:: price-calc
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28891

Plugin:: Rankchecker.io Integration
Plugin Slug:: rankchecker-io-integration
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28857

Plugin:: Comment Date and Gravatar remover
Plugin Slug:: remove-date-and-gravatar-under-comment
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28862

Plugin:: Responsive Google Map
Plugin Slug:: responsive-google-map
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28920

Plugin:: REST API TO MiniProgram
Plugin Slug:: rest-api-to-miniprogram
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28886

Plugin:: S3Bubble Media Streaming
Plugin Slug:: s3bubble-amazon-web-services-oembed-media-streaming-support
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13862

Plugin:: Schedule
Plugin Slug:: schedule
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-22523

Plugin:: Schedule
Plugin Slug:: schedule
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13891

Plugin:: SEO Tools
Plugin Slug:: seo-automatic-seo-tools
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13853

Plugin:: Simple Amazon Affiliate
Plugin Slug:: simple-amazon-affiliate
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-2077

Plugin:: Social Snap
Plugin Slug:: socialsnap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13615

Plugin:: Spam Byebye
Plugin Slug:: spam-byebye
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28941

Plugin:: Tabbed Login Widget
Plugin Slug:: tabbed-login
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28929

Plugin:: TabGarb Pro
Plugin Slug:: tabgarb
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28900

Plugin:: TBTestimonials
Plugin Slug:: tb-testimonials
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26584

Plugin:: ThemeEgg ToolKit
Plugin Slug:: themeegg-toolkit
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28915

Plugin:: Featured Image Thumbnail Grid
Plugin Slug:: thumbnail-grid
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28918

Plugin:: J�-J� Pagamentos for WooCommerce
Plugin Slug:: wc-ja-ja-pagamentos-multicaixa-express
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-51624

Plugin:: WP Add Active Class To Menu Item
Plugin Slug:: wp-add-active-class-to-menu-item
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28913

Plugin:: WP Azure offload
Plugin Slug:: wp-azure-offload
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22360

Plugin:: WP Bulk Post Duplicator
Plugin Slug:: wp-bulk-post-duplicator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28884

Plugin:: WP Compare Tables
Plugin Slug:: wp-compare-tables
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28883

Plugin:: WP Crowdfunding
Plugin Slug:: wp-crowdfunding
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1508

Plugin:: Hashtags
Plugin Slug:: wp-hashtags
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28931

Plugin:: WP Hide Admin Bar
Plugin Slug:: wp-hide-admin-bar
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28910

Plugin:: WP JobHunt
Plugin Slug:: wp-jobhunt
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-11286

Plugin:: WP JobHunt
Plugin Slug:: wp-jobhunt
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-11284

Plugin:: WP JobHunt
Plugin Slug:: wp-jobhunt
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-11283

Plugin:: WP Last Modified
Plugin Slug:: wp-last-modified
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28907

Plugin:: WP Login Control
Plugin Slug:: wp-login-control
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13836

Plugin:: Mobile Themes
Plugin Slug:: wp-mobile-themes
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28881

Plugin:: WP No-Bot Question
Plugin Slug:: wp-no-bot-question
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28909

Plugin:: WP Performance Pack
Plugin Slug:: wp-performance-pack
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28938

Plugin:: wordpress login form to anywhere
Plugin Slug:: wp-show-login-form
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28914

Plugin:: WP Simple Slideshow
Plugin Slug:: wp-simple-slideshow
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26576

Plugin:: Skitter Slideshow
Plugin Slug:: wp-skitter-slideshow
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28906

Plugin:: WP SVG Upload
Plugin Slug:: wp-svg-upload
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11847

Plugin:: WP jQuery Persian Datepicker
Plugin Slug:: wpjqp-datepicker
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28861

Plugin:: WPSchoolPress
Plugin Slug:: wpschoolpress
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1668

Plugin:: WPSchoolPress
Plugin Slug:: wpschoolpress
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1670

Plugin:: WPSchoolPress
Plugin Slug:: wpschoolpress
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1669

Plugin:: WPSchoolPress
Plugin Slug:: wpschoolpress
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1667

Plugin:: XV Random Quotes
Plugin Slug:: xv-random-quotes
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13580

Plugin:: XV Random Quotes
Plugin Slug:: xv-random-quotes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13574

Plugin:: ZipList Recipe
Plugin Slug:: ziplist-recipe-plugin
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28868

Plugin:: Zoorum Comments
Plugin Slug:: zoorum-comments
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-2163

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 8,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.7.1
Severity Score:: Medium
CVE:: 2025-26762

Plugin:: All-in-One WP Migration and Backup
Plugin Slug:: all-in-one-wp-migration
Installations: 5,000,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 7.90
Severity Score:: High
CVE:: 2024-10942

Plugin:: Ad Inserter � Ad Manager & AdSense Ads
Plugin Slug:: ad-inserter
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.1
Severity Score:: High
CVE:: 2025-22623

Plugin:: GDPR Cookie Compliance � Cookie Banner, Cookie Consent, Cookie Notice � CCPA, DSGVO, RGPD
Plugin Slug:: gdpr-cookie-compliance
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.7
Severity Score:: Medium
CVE:: 2025-1622

Plugin:: Page Builder: Pagelayer � Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2025-2104

Plugin:: Page Builder: Pagelayer � Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.9
Severity Score:: Medium
CVE:: 2024-13430

Plugin:: Page Builder: Pagelayer � Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9.9
Severity Score:: Medium
CVE:: 2025-1926

Plugin:: LoginPress | wp-login Custom Login Page Customizer
Plugin Slug:: loginpress
Installations: 200,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2025-1764

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Path Traversal
Patched in Version:: 3.3.09
Severity Score:: Low
CVE:: 2025-1785

Plugin:: ShareThis Dashboard for Google Analytics
Plugin Slug:: googleanalytics
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.2
Severity Score:: Medium
CVE:: 2025-1507

Plugin:: HUSKY � Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.6.5
Severity Score:: High
CVE:: 2025-26890

Plugin:: HUSKY � Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.6.6
Severity Score:: High
CVE:: 2025-1661

Plugin:: ShopLentor � WooCommerce Builder for Elementor & Gutenberg +20 Modules � All in One Solution (formerly WooLentor)
Plugin Slug:: woolentor-addons
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium
CVE:: 2025-1527

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 50,000+
Vulnerability:: Content Injection
Patched in Version:: 1.6.8.7
Severity Score:: High
CVE:: 2025-1119

Plugin:: Uncanny Automator � Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Plugin Slug:: uncanny-automator
Installations: 50,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 6.3
Severity Score:: Medium
CVE:: 2024-13838

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.8.1
Severity Score:: Medium
CVE:: 2025-1503

Plugin:: DethemeKit for Elementor
Plugin Slug:: dethemekit-for-elementor
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.10
Severity Score:: Medium
CVE:: 2025-1526

Plugin:: SecuPress Free � WordPress Security
Plugin Slug:: secupress
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3
Severity Score:: Medium
CVE:: 2024-43228

Plugin:: Logo Slider � Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Plugin Slug:: gs-logo-slider
Installations: 30,000+
Vulnerability:: Content Injection
Patched in Version:: 3.7.4
Severity Score:: High
CVE:: 2025-2262

Plugin:: InstaWP Connect � 1-click WP Staging & Migration
Plugin Slug:: instawp-connect
Installations: 20,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 0.1.0.84
Severity Score:: High
CVE:: 2024-13913

Plugin:: WP Test Email
Plugin Slug:: wp-test-email
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.9
Severity Score:: High
CVE:: 2025-2325

Plugin:: Business Directory Plugin � Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 6.4.15
Severity Score:: Medium
CVE:: 2024-13887

Plugin:: NEX-Forms � Ultimate Form Builder � Contact forms and much more
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.8.2
Severity Score:: Medium
CVE:: 2024-13498

Plugin:: Qubely � Advanced Gutenberg Blocks
Plugin Slug:: qubely
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.8.14
Severity Score:: Medium
CVE:: 2024-13228

Plugin:: Review Schema � Review & Structure Data Schema Plugin
Plugin Slug:: review-schema
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2.5
Severity Score:: High
CVE:: 2025-1707

Plugin:: Finale Lite � Sales Countdown Timer & Discount for WooCommerce
Plugin Slug:: finale-woocommerce-sales-countdown-timer-discount
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.20.0
Severity Score:: Medium
CVE:: 2024-12589

Plugin:: WordPress form builder plugin for contact forms, surveys and quizzes � Tripetto
Plugin Slug:: tripetto
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 8.0.10
Severity Score:: Medium
CVE:: 2025-1530

Plugin:: WordPress form builder plugin for contact forms, surveys and quizzes � Tripetto
Plugin Slug:: tripetto
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.0.10
Severity Score:: High
CVE:: 2024-13497

Plugin:: Thumbnail carousel slider
Plugin Slug:: wp-responsive-thumbnail-slider
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.0.5
Severity Score:: High
CVE:: 2019-25222

Plugin:: WPCOM Member
Plugin Slug:: wpcom-member
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.7.7
Severity Score:: Critical
CVE:: 2025-2221

Plugin:: AppPresser � Mobile App Framework
Plugin Slug:: apppresser
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.11
Severity Score:: High
CVE:: 2025-1561

Plugin:: WPCS � WordPress Currency Switcher Professional
Plugin Slug:: currency-switcher
Installations: 1,000+
Vulnerability:: Content Injection
Patched in Version:: 1.2.0.5
Severity Score:: High
CVE:: 2025-2169

Plugin:: Event post
Plugin Slug:: event-post
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.9
Severity Score:: Medium
CVE:: 2025-26923

Plugin:: Omnipress
Plugin Slug:: omnipress
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.5
Severity Score:: Medium
CVE:: 2024-13407

Plugin:: Simple Photo Feed
Plugin Slug:: simple-photo-feed
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.1
Severity Score:: Medium
CVE:: 2025-27000

Plugin:: Church Admin
Plugin Slug:: church-admin
Installations: 900+
Vulnerability:: SQL Injection
Patched in Version:: 5.0.19
Severity Score:: Critical
CVE:: 2025-26941

Plugin:: Maintenance Notice
Plugin Slug:: maintenance-notice
Installations: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.7
Severity Score:: Medium
CVE:: 2025-28859

Plugin:: WATI Chat and Notification
Plugin Slug:: wati-chat-and-notification
Installations: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2025-28925

Plugin:: Skrill � WooCommerce
Plugin Slug:: official-skrill-woocommerce
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.67
Severity Score:: Medium
CVE:: 2025-28876

Plugin:: Accounting for WooCommerce
Plugin Slug:: accounting-for-woocommerce
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.9
Severity Score:: Medium
CVE:: 2025-26929

Plugin:: IP Based Login
Plugin Slug:: ip-based-login
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2024-13118

Plugin:: IP Based Login
Plugin Slug:: ip-based-login
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2024-12800

Plugin:: pipDisqus � Lightweight Disqus Comments
Plugin Slug:: pipdisqus
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2025-28908

Plugin:: Formality
Plugin Slug:: formality
Installations: 200+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.5.8
Severity Score:: High
CVE:: 2025-24690

Plugin:: WC Affiliate � A Complete WooCommerce Affiliate Plugin
Plugin Slug:: wc-affiliate
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6
Severity Score:: Medium
CVE:: 2024-12336

Plugin:: Appsero Helper
Plugin Slug:: appsero-helper
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.3
Severity Score:: High
CVE:: 2024-13436

Plugin:: BP Email Assign Templates
Plugin Slug:: bp-email-assign-templates
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2025-28875

Plugin:: BP Email Assign Templates
Plugin Slug:: bp-email-assign-templates
Installations: 50+
Vulnerability:: Other Vulnerability Type
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2025-28874

Plugin:: WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins
Plugin Slug:: reportattacks
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: 2.33
Severity Score:: High
CVE:: 2025-2250