WordPress Vulnerability Report � March 25, 2026

In this report, 331 vulnerabilities have been publicly disclosed. Security patches for 211 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 120 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9.4 is now available, addressing 10 security issues and a bug that affected template file loading on a limited number of sites. Because this is a security release, it is recommended that you update your sites immediately.

Also, WordPress 7.0 RC1 is ready for download and testing! As this is a pre-release version, it is intended for testing and development only and should not be installed on production or mission-critical sites. Organizations should use local or staging environments to evaluate compatibility and new features before the final rollout.

WordPress 7.0 is scheduled for release on April 9, 2026.

WordPress Plugins � 162 Patched / 113 Unpatched

Plugin:: StoreCustomizer � A plugin to Customize all WooCommerce Pages
Plugin Slug:: woocustomizer
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-27046

Plugin:: Product Slider, Product Grid, Product Masonry
Plugin Slug:: woocommerce-products-slider
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25455

Plugin:: WPCargo Track & Trace
Plugin Slug:: wpcargo
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25401

Plugin:: Booking calendar, Appointment Booking System
Plugin Slug:: booking-calendar
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25435

Plugin:: Coinbase Commerce � Crypto Gateway for WooCommerce
Plugin Slug:: commerce-coinbase-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25396

Plugin:: CP Multi View Events Calendar
Plugin Slug:: cp-multi-view-calendar
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25465

Plugin:: Nexa Blocks � Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Plugin Slug:: nexa-blocks
Installations: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25429

Plugin:: TotalPoll for Polls and Contests
Plugin Slug:: totalpoll-lite
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27044

Plugin:: Gutenberg Blocks � Unlimited blocks For Gutenberg
Plugin Slug:: unlimited-blocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25438

Plugin:: GZSEO
Plugin Slug:: gzseo
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25437

Plugin:: ViaBill � WooCommerce
Plugin Slug:: viabill-woocommerce
Installations: 500+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25469

Plugin:: Vertex Addons for Elementor
Plugin Slug:: addons-for-elementor-builder
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25398

Plugin:: Product Rearrange for WooCommerce
Plugin Slug:: products-rearrange-woocommerce
Installations: 400+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-31920

Plugin:: Product Rearrange for WooCommerce
Plugin Slug:: products-rearrange-woocommerce
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-31921

Plugin:: Remoji � Post/Comment Reaction and Enhancement
Plugin Slug:: remoji
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25452

Plugin:: Automated FedEx live/manual rates with shipping labels � HPOS supported
Plugin Slug:: a2z-fedex-shipping
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25456

Plugin:: Widget Wrangler
Plugin Slug:: widget-wrangler
Installations: 200+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25447

Plugin:: File Uploader for WooCommerce
Plugin Slug:: file-uploader-for-woocommerce
Installations: 100+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25397

Plugin:: Admin Safety Guard � Login Security & 2FA
Plugin Slug:: admin-safety-guard
Installations: 10+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25471

Plugin:: Ad Short
Plugin Slug:: ad-short
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4067

Plugin:: Add Google Social Profiles to Knowledge Graph Box
Plugin Slug:: add-google-social-profiles-to-knowledge-graph-box
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1393

Plugin:: ACPT (Pro) – Custom Post Types Plugin for WordPress
Plugin Slug:: advanced-custom-post-type
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25470

Plugin:: Alfie
Plugin Slug:: alfie-the-productfeedtool-wp-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4069

Plugin:: Any Post Slider
Plugin Slug:: any-post-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1899

Plugin:: App Builder
Plugin Slug:: app-builder
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2375

Plugin:: Reward Video Ad for WordPress
Plugin Slug:: applixir
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2424

Plugin:: Appmax
Plugin Slug:: appmax
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3641

Plugin:: Ave Core
Plugin Slug:: ave-core
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25460

Plugin:: Build App Online
Plugin Slug:: build-app-online
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3651

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3335

Plugin:: CMS Commander
Plugin Slug:: cms-commander-client
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3334

Plugin:: Comment SPAM Wiper
Plugin Slug:: comment-spam-wiper
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3353

Plugin:: Company Posts for LinkedIn
Plugin Slug:: company-posts-for-linkedin
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1935

Plugin:: Content Syndication Toolkit
Plugin Slug:: content-syndication-toolkit
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3478

Plugin:: Curly Core
Plugin Slug:: curly-core
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27047

Plugin:: e-shot
Plugin Slug:: e-shot-form-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3546

Plugin:: Easy Image Gallery
Plugin Slug:: easy-image-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-2540

Plugin:: Ecover Builder For Dummies
Plugin Slug:: ecover-builder-for-dummies
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4077

Plugin:: Ed’s Font Awesome
Plugin Slug:: eds-font-awesome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2496

Plugin:: Ed’s Social Share
Plugin Slug:: eds-social-share
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2501

Plugin:: ElementCamp
Plugin Slug:: element-camp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2503

Plugin:: Expire Users
Plugin Slug:: expire-users
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4261

Plugin:: Fonts Manager | Custom Fonts
Plugin Slug:: fonts-manager-custom-fonts
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1800

Plugin:: FuseDesk
Plugin Slug:: fusedesk
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1914

Plugin:: fyyd podcast shortcodes
Plugin Slug:: fyyd-podcast-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4084

Plugin:: Go Night Pro
Plugin Slug:: go-night-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1886

Plugin:: Hr Press Lite
Plugin Slug:: hr-press-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2720

Plugin:: Integration with Hubspot Forms
Plugin Slug:: integration-with-hubspot-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1908

Plugin:: Invelity Product Feeds
Plugin Slug:: invelity-products-feeds
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14037

Plugin:: itsukaita
Plugin Slug:: itsukaita
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2427

Plugin:: iVysilani Shortcode
Plugin Slug:: ivysilani-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1851

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27049

Plugin:: Linksy Search and Replace
Plugin Slug:: linksy-search-and-replace
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2941

Plugin:: Listeo Core
Plugin Slug:: listeo-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25461

Plugin:: Lobot Slider Administrator
Plugin Slug:: lobot-slider-administrator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3331

Plugin:: login_register
Plugin Slug:: login-register
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1503

Plugin:: Mandatory Field
Plugin Slug:: mandatory-fields
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1278

Plugin:: MimeTypes Link Icons
Plugin Slug:: mimetypes-link-icons
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1313

Plugin:: MinhNhut Link Gateway
Plugin Slug:: minhnhut-link-gateway
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3333

Plugin:: Modern Events Calendar
Plugin Slug:: modern-events-calendar
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-32583

Plugin:: Multi Functional Flexi Lightbox
Plugin Slug:: multi-functional-flexi-lightbox
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3347

Plugin:: Multi Post Carousel by Category
Plugin Slug:: multi-post-carousel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1275

Plugin:: myLinksDump
Plugin Slug:: mylinksdump
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2279

Plugin:: Neos Connector for Fakturama
Plugin Slug:: neos-connector-for-fakturama
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4143

Plugin:: Outgrow
Plugin Slug:: outgrow
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1889

Plugin:: Paypal Shortcodes
Plugin Slug:: paypal-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3617

Plugin:: PQ Addons � Creative Elementor Widgets
Plugin Slug:: peacefulqode-elementzplus-widgets
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1397

Plugin:: Performance Monitor
Plugin Slug:: performance-monitor
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1648

Plugin:: Post Flagger
Plugin Slug:: post-flagger
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1854

Plugin:: Post Snippits
Plugin Slug:: post-snippits
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2723

Plugin:: Post Affiliate Pro
Plugin Slug:: postaffiliatepro
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2290

Plugin:: Pre* Party Resource Hints
Plugin Slug:: pre-party-browser-hints
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4087

Plugin:: Punnel � Landing Page Builder
Plugin Slug:: punnel-landing-page-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3645

Plugin:: Quentn WP
Plugin Slug:: quentn-wp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-2468

Plugin:: Redirect countdown
Plugin Slug:: redirect-countdown
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1390

Plugin:: REST API TO MiniProgram
Plugin Slug:: rest-api-to-miniprogram
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3460

Plugin:: Review Map by RevuKangaroo
Plugin Slug:: review-map-by-revukangaroo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4161

Plugin:: Ricerca � advanced search
Plugin Slug:: ricerca-smart-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2837

Plugin:: WooCommerce Infinite Scroll
Plugin Slug:: sb-woocommerce-infinite-scroll
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27045

Plugin:: Schema Shortcode
Plugin Slug:: schema-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1575

Plugin:: Sheets2Table
Plugin Slug:: sheets2table
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3619

Plugin:: Sherk Custom Post Type Displays
Plugin Slug:: sherk-custom-post-type-displays
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3554

Plugin:: Weaver Show Posts
Plugin Slug:: show-posts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2121

Plugin:: Show Posts list
Plugin Slug:: show-posts-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4022

Plugin:: Simple Football Scoreboard
Plugin Slug:: simple-football-score-board
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1891

Plugin:: Smarter Analytics
Plugin Slug:: smarter-analytics
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3570

Plugin:: Speedup Optimization
Plugin Slug:: speedup-optimization
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4127

Plugin:: SR WP Minify HTML
Plugin Slug:: sr-wp-minify-html
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1392

Plugin:: Survey
Plugin Slug:: survey
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1247

Plugin:: Task Manager
Plugin Slug:: task-manager
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2351

Plugin:: Text Toggle
Plugin Slug:: text-toggle
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3997

Plugin:: The Aisle Core
Plugin Slug:: theaisle-core
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27048

Plugin:: Tour & Activity Operator Plugin for TourCMS
Plugin Slug:: tour-operator-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1806

Plugin:: Tutor LMS Pro
Plugin Slug:: tutor-pro
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25406

Plugin:: Twitter Feeds
Plugin Slug:: twitter-feeds
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1911

Plugin:: Unlimited Elements for Elementor (Premium)
Plugin Slug:: unlimited-elements-for-elementor-premium
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27041

Plugin:: Vagaro Booking Widget
Plugin Slug:: vagaro-booking-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3003

Plugin:: Wikilookup
Plugin Slug:: wikilookup
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3354

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25445

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25446

Plugin:: WZone
Plugin Slug:: woozone
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27039

Plugin:: WZone
Plugin Slug:: woozone
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27040

Plugin:: WordPress PayPal Donation
Plugin Slug:: wordpress-paypal-donation
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4072

Plugin:: WP-Chatbot for Messenger
Plugin Slug:: wp-chatbot
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3506

Plugin:: WP Games Embed
Plugin Slug:: wp-games-embed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3996

Plugin:: WP NG Weather
Plugin Slug:: wp-ng-weather
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1822

Plugin:: WP Posts Re-order
Plugin Slug:: wp-posts-re-order
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1378

Plugin:: WP Random Button
Plugin Slug:: wp-random-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4086

Plugin:: WPBookit Pro
Plugin Slug:: wpbookit-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25413

Plugin:: WPBookit Pro
Plugin Slug:: wpbookit-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25414

Plugin:: WPFAQBlock
Plugin Slug:: wpfaqblock
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1093

Plugin:: Writeprint Stylometry
Plugin Slug:: writeprint-stylometry
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3512

Plugin:: Xhanch � My Advanced Settings
Plugin Slug:: xhanch-my-advanced-settings
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3332

Plugin:: Yoast SEO � Advanced SEO with real-time guidance and built-in AI
Plugin Slug:: wordpress-seo
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 27.2
Severity Score:: Medium
CVE:: 2026-3427

Plugin:: WPForms � Easy Form Builder for WordPress � Contact Forms, Payment Forms, Surveys, & More
Plugin Slug:: wpforms-lite
Installations: 6,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.9.9.2
Severity Score:: Medium
CVE:: 2026-25339

Plugin:: Yoast Duplicate Post
Plugin Slug:: duplicate-post
Installations: 4,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.6
Severity Score:: Medium
CVE:: 2026-1217

Plugin:: Autoptimize
Plugin Slug:: autoptimize
Installations: 900,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.15
Severity Score:: Medium
CVE:: 2026-2430

Plugin:: Autoptimize
Plugin Slug:: autoptimize
Installations: 900,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.15
Severity Score:: Medium
CVE:: 2026-2352

Plugin:: Royal Addons for Elementor � Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.1050
Severity Score:: Medium
CVE:: 2026-2373

Plugin:: Photo Gallery, Sliders, Proofing and Themes � NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations: 400,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.0.5
Severity Score:: High
CVE:: 2026-1463

Plugin:: Post SMTP � Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.0
Severity Score:: High
CVE:: 2026-3090

Plugin:: Post SMTP � Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.0
Severity Score:: Medium
CVE:: 2026-2559

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.0.06
Severity Score:: Medium
CVE:: 2026-4268

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.50
Severity Score:: Medium
CVE:: 2026-2571

Plugin:: LatePoint � Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.2.7
Severity Score:: Medium
CVE:: 2026-32533

Plugin:: Tutor LMS � eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.9.5
Severity Score:: Medium
CVE:: 2025-32223

Plugin:: JetFormBuilder � Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 90,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.5.6.2
Severity Score:: Critical
CVE:: 2026-32525

Plugin:: SlimStat Analytics
Plugin Slug:: wp-slimstat
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.0
Severity Score:: High
CVE:: 2026-1238

Plugin:: Online Scheduling and Appointment Booking System � Bookly
Plugin Slug:: bookly-responsive-appointment-booking-tool
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 26.8
Severity Score:: High
CVE:: 2026-32540

Plugin:: EmailKit � Email Customizer for WooCommerce & WP
Plugin Slug:: emailkit
Installations: 70,000+
Vulnerability:: Path Traversal
Patched in Version:: 1.6.4
Severity Score:: Medium
CVE:: 2026-3474

Plugin:: SMTP Mailer
Plugin Slug:: smtp-mailer
Installations: 70,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.25
Severity Score:: High
CVE:: 2026-32538

Plugin:: Contextual Related Posts
Plugin Slug:: contextual-related-posts
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2026-32565

Plugin:: Woody Code Snippets � Insert PHP, CSS, JS, and Header/Footer Scripts
Plugin Slug:: insert-php
Installations: 60,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.7.2
Severity Score:: Critical
CVE:: 2026-25366

Plugin:: Appointment Booking Calendar � Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.10.2
Severity Score:: Critical
CVE:: 2026-3658

Plugin:: User Registration & Membership � Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 5.1.3
Severity Score:: High
CVE:: 2026-32488

Plugin:: Visual Portfolio, Photo Gallery & Post Grid
Plugin Slug:: visual-portfolio
Installations: 60,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2026-32537

Plugin:: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution � Build Your Own Amazon, eBay, Etsy
Plugin Slug:: dokan-lite
Installations: 40,000+
Vulnerability:: Broken Authentication
Patched in Version:: 4.2.5
Severity Score:: High
CVE:: 2026-24359

Plugin:: Mixed Media Gallery Blocks
Plugin Slug:: simply-gallery-block
Installations: 40,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.3.2.1
Severity Score:: Critical
CVE:: 2026-25345

Plugin:: Master Addons For Elementor � Widgets, Extensions, Theme Builder, Popup Builder & Template Kits
Plugin Slug:: master-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2026-32462

Plugin:: PPWP � Password Protect Pages
Plugin Slug:: password-protect-page
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.16
Severity Score:: Medium
CVE:: 2026-32562

Plugin:: Ultimate Post Kit Addons for Elementor
Plugin Slug:: ultimate-post-kit
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.22
Severity Score:: Medium
CVE:: 2026-24362

Plugin:: Print Invoice & Delivery Notes for WooCommerce
Plugin Slug:: woocommerce-delivery-notes
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.0.0
Severity Score:: High
CVE:: 2026-25317

Plugin:: Booster for WooCommerce � PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools
Plugin Slug:: woocommerce-jetpack
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.11.3
Severity Score:: Medium
CVE:: 2026-32586

Plugin:: WP Custom Admin Interface
Plugin Slug:: wp-custom-admin-interface
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.43
Severity Score:: Medium
CVE:: 2026-32521

Plugin:: Kali Forms � Contact Form & Drag-and-Drop Builder
Plugin Slug:: kali-forms
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.4.10
Severity Score:: Critical
CVE:: 2026-3584

Plugin:: New User Approve
Plugin Slug:: new-user-approve
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.4
Severity Score:: Medium
CVE:: 2026-25390

Plugin:: Post Snippets � Custom WordPress Code Snippets Customizer
Plugin Slug:: post-snippets
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 4.0.13
Severity Score:: High
CVE:: 2026-25001

Plugin:: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Plugin Slug:: publishpress-authors
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.11.0
Severity Score:: High
CVE:: 2026-25309

Plugin:: Thim Kit for Elementor � Pre-built Templates & Widgets for Elementor
Plugin Slug:: thim-elementor-kit
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2026-1870

Plugin:: Wicked Folders � Folder Organizer for Pages, Posts, and Custom Post Types
Plugin Slug:: wicked-folders
Installations: 20,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.1.1
Severity Score:: Medium
CVE:: 2026-1883

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.9
Severity Score:: High
CVE:: 2026-32485

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.9
Severity Score:: Medium
CVE:: 2026-2233

Plugin:: Lead Form Builder & Contact Form
Plugin Slug:: lead-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: High
CVE:: 2026-32532

Plugin:: Five Star Restaurant Reservations � WordPress Booking Plugin
Plugin Slug:: restaurant-reservations
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.10
Severity Score:: Medium
CVE:: 2026-25327

Plugin:: Membership Plugin � Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.23
Severity Score:: High
CVE:: 2026-32546

Plugin:: Membership Plugin � Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Broken Authentication
Patched in Version:: 3.2.25
Severity Score:: Medium
CVE:: 2026-4136

Plugin:: Review Schema � Review & Structure Data Schema Plugin
Plugin Slug:: review-schema
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2026-25344

Plugin:: PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes
Plugin Slug:: revisionary
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.7.24
Severity Score:: Critical
CVE:: 2026-32539

Plugin:: Code Embed
Plugin Slug:: simple-embed-code
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.2
Severity Score:: Medium
CVE:: 2026-2512

Plugin:: Subscriptions for WooCommerce
Plugin Slug:: subscriptions-for-woocommerce
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2026-1926

Plugin:: Team � Team Members Showcase Plugin
Plugin Slug:: tlp-team
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.12
Severity Score:: High
CVE:: 2026-25026

Plugin:: weForms � Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.27
Severity Score:: High
CVE:: 2026-32484

Plugin:: Spam Protect for Contact Form 7
Plugin Slug:: wp-contact-form-7-spam-blocker
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.2.10
Severity Score:: Medium
CVE:: 2026-32496

Plugin:: WP REST Cache
Plugin Slug:: wp-rest-cache
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2026.1.1
Severity Score:: High
CVE:: 2026-25347

Plugin:: WPVulnerability
Plugin Slug:: wpvulnerability
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.1.1
Severity Score:: Medium
CVE:: 2026-24376

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2026-32567

Plugin:: Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms
Plugin Slug:: cf7-mailchimp
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2026-25430

Plugin:: Contact Form Email
Plugin Slug:: contact-form-to-email
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.64
Severity Score:: Medium
CVE:: 2026-32483

Plugin:: RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.0.7.7
Severity Score:: High
CVE:: 2026-32498

Plugin:: Event Booking Manager for WooCommerce
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.5
Severity Score:: High
CVE:: 2026-25361

Plugin:: ReviewX � Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-10734

Plugin:: ReviewX � Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-10731

Plugin:: WP TripAdvisor Review Slider
Plugin Slug:: wp-tripadvisor-review-slider
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.2
Severity Score:: Medium
CVE:: 2026-32490

Plugin:: Image Alt Text Manager � Bulk & Dynamic Alt Tags For image SEO Optimization + AI
Plugin Slug:: alt-manager
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: Medium
CVE:: 2026-3350

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.8.4
Severity Score:: High
CVE:: 2026-25312

Plugin:: EventPrime � Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.2.8.1
Severity Score:: Critical
CVE:: 2026-24378

Plugin:: JS Help Desk � AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.0.4
Severity Score:: Medium
CVE:: 2026-32535

Plugin:: JS Help Desk � AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.0.4
Severity Score:: High
CVE:: 2026-32534

Plugin:: NEX-Forms � Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 9.1.10
Severity Score:: Medium
CVE:: 2026-1948

Plugin:: NEX-Forms � Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 9.1.10
Severity Score:: High
CVE:: 2026-1947

Plugin:: WP Review Slider
Plugin Slug:: wp-facebook-reviews
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.0
Severity Score:: Medium
CVE:: 2026-32491

Plugin:: WPBot � AI ChatBot for Live Support, Lead Generation, AI Services
Plugin Slug:: chatbot
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.8.0
Severity Score:: Critical
CVE:: 2026-32499

Plugin:: Get Use APIs � JSON Content Importer
Plugin Slug:: json-content-importer
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.10
Severity Score:: Medium
CVE:: 2025-15363

Plugin:: OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)
Plugin Slug:: oopspam-anti-spam
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.63
Severity Score:: High
CVE:: 2026-32544

Plugin:: ProfileGrid � User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.8.2
Severity Score:: Medium
CVE:: 2026-25417

Plugin:: WowStore � Store Builder & Product Blocks for WooCommerce
Plugin Slug:: product-blocks
Installations: 5,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.4.4
Severity Score:: Critical
CVE:: 2026-2579

Plugin:: User Verification by PickPlugins
Plugin Slug:: user-verification
Installations: 5,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.0.46
Severity Score:: Medium
CVE:: 2026-32497

Plugin:: Fraud Prevention For WooCommerce and EDD
Plugin Slug:: woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Installations: 5,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 2.3.4
Severity Score:: High
CVE:: 2026-25443

Plugin:: ElementInvader Addons for Elementor
Plugin Slug:: elementinvader-addons-for-elementor
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2026-25007

Plugin:: Nelio A/B Testing � AB Tests and Heatmaps for Better Conversion Optimization
Plugin Slug:: nelio-ab-testing
Installations: 4,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 8.2.8
Severity Score:: Critical
CVE:: 2026-32573

Plugin:: RSFirewall!
Plugin Slug:: rsfirewall
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.46
Severity Score:: High
CVE:: 2026-25341

Plugin:: Abandoned Cart Recovery for WooCommerce
Plugin Slug:: woo-abandoned-cart-recovery
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.11
Severity Score:: High
CVE:: 2026-32526

Plugin:: WPJAM Basic
Plugin Slug:: wpjam-basic
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.9.2.1
Severity Score:: Critical
CVE:: 2026-32523

Plugin:: WP Telegram Widget and Join Link
Plugin Slug:: wptelegram-widget
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.14
Severity Score:: High
CVE:: 2026-23807

Plugin:: JS Archive List
Plugin Slug:: jquery-archive-list-widget
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.2.0
Severity Score:: High
CVE:: 2026-32513

Plugin:: Kargo Takip
Plugin Slug:: kargo-takip-turkiye
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.2.4
Severity Score:: Medium
CVE:: 2026-25365

Plugin:: WP Terms Popup � Terms and Conditions and Privacy Policy WordPress Popups
Plugin Slug:: wp-terms-popup
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.11.0
Severity Score:: High
CVE:: 2026-32495

Plugin:: Bit SMTP � Easy SMTP Solution with Email Logs
Plugin Slug:: bit-smtp
Installations: 2,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.2.3
Severity Score:: Critical
CVE:: 2026-32519

Plugin:: Comments Import & Export
Plugin Slug:: comments-import-export-woocommerce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.0
Severity Score:: High
CVE:: 2026-32441

Plugin:: Info Cards � Add Text and Media in Card Layouts
Plugin Slug:: info-cards
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2026-4120

Plugin:: KiviCare � Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: High
CVE:: 2026-25383

Plugin:: KiviCare � Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2026-25034

Plugin:: KiviCare � Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.3
Severity Score:: High
CVE:: 2026-2992

Plugin:: KiviCare � Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.1.3
Severity Score:: Critical
CVE:: 2026-2991

Plugin:: Photo Engine (Media Organizer & Lightroom)
Plugin Slug:: wplr-sync
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.5.0
Severity Score:: Critical
CVE:: 2026-32524

Plugin:: avalex � Automatisch sichere Rechtstexte
Plugin Slug:: avalex
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2026-25462

Plugin:: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Plugin Slug:: booking-and-rental-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2026-23972

Plugin:: Contact List � Online Staff Directory & Address Book
Plugin Slug:: contact-list
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.19
Severity Score:: Medium
CVE:: 2026-3516

Plugin:: Contest Gallery � Upload & Vote Photos, Media, Sell with PayPal & Stripe
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 28.1.3
Severity Score:: Critical
CVE:: 2026-25035

Plugin:: Flexmls� IDX Plugin
Plugin Slug:: flexmls-idx
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.15.10
Severity Score:: High
CVE:: 2026-25369

Plugin:: Injection Guard
Plugin Slug:: injection-guard
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: High
CVE:: 2026-3368

Plugin:: WowOptin: Next-Gen Popup Maker � Create Stunning Popups and Optins for Lead Generation
Plugin Slug:: optin
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.4.30
Severity Score:: High
CVE:: 2026-4302

Plugin:: WP Easy Pay � Payment and Donation form Builder for Square
Plugin Slug:: wp-easy-pay
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.12
Severity Score:: Medium
CVE:: 2026-32587

Plugin:: bBlocks � Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.30
Severity Score:: Medium
CVE:: 2026-32489

Plugin:: My Tickets � Accessible Event Ticketing
Plugin Slug:: my-tickets
Installations: 700+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2026-32492

Plugin:: Premmerce Redirect Manager
Plugin Slug:: premmerce-redirect-manager
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.13
Severity Score:: Medium
CVE:: 2026-32541

Plugin:: VikRestaurants Table Reservations and Take-Away
Plugin Slug:: vikrestaurants
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: High
CVE:: 2026-25025

Plugin:: WP Courses LMS � Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.27
Severity Score:: Medium
CVE:: 2026-31914

Plugin:: RepairBuddy � Repair Shop CRM & Booking Plugin for WordPress
Plugin Slug:: computer-repair-shop
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1133
Severity Score:: Medium
CVE:: 2026-3567

Plugin:: Taboola Pixel
Plugin Slug:: taboola-pixel
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-32545

Plugin:: Advanced Reporting & Statistics for WooCommerce � Orders, Products & Customers Reporting
Plugin Slug:: webd-woocommerce-advanced-reporting-statistics
Installations: 400+
Vulnerability:: SQL Injection
Patched in Version:: 4.1.4
Severity Score:: Critical
CVE:: 2026-24993

Plugin:: Keep Backup Daily
Plugin Slug:: keep-backup-daily
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.3
Severity Score:: Medium
CVE:: 2026-3577

Plugin:: Keep Backup Daily
Plugin Slug:: keep-backup-daily
Installations: 300+
Vulnerability:: Path Traversal
Patched in Version:: 2.1.3
Severity Score:: Low
CVE:: 2026-3339

Plugin:: CM Custom Reports � Flexible reporting to track what matters most
Plugin Slug:: cm-custom-reports
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2026-2432

Plugin:: Helpdesk Support Ticket System for WooCommerce
Plugin Slug:: support-ticket-system-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-23977

Plugin:: ilGhera Carta Docente for WooCommerce
Plugin Slug:: wc-carta-docente
Installations: 200+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2026-2421

Plugin:: Image Slider by Ays- Responsive Slider and Carousel
Plugin Slug:: ays-slider
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.2
Severity Score:: High
CVE:: 2026-32494

Plugin:: WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
Plugin Slug:: cf7-insightly
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2026-32527

Plugin:: Contact Manager
Plugin Slug:: contact-manager
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: High
CVE:: 2026-32517

Plugin:: Creator LMS � Online Courses and eLearning Plugin
Plugin Slug:: creatorlms
Installations: 100+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.19
Severity Score:: High
CVE:: 2026-32530

Plugin:: FAQ Builder AYS
Plugin Slug:: faq-builder-ays
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: High
CVE:: 2026-25346

Plugin:: LearnPress � Sepay Payment
Plugin Slug:: learnpress-sepay-payment
Installations: 100+
Vulnerability:: Broken Authentication
Patched in Version:: 4.0.1
Severity Score:: High
CVE:: 2026-25002

Plugin:: Petitioner
Plugin Slug:: petitioner
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 0.7.4
Severity Score:: Medium
CVE:: 2026-32514

Plugin:: Product File Upload for WooCommerce
Plugin Slug:: products-file-upload-for-woocommerce
Installations: 100+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2026-25328

Plugin:: RewardsWP � Loyalty Points & Referral Program for WooCommerce
Plugin Slug:: rewardswp
Installations: 100+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.5
Severity Score:: Critical
CVE:: 2026-32520

Plugin:: Add Custom Fields to Media
Plugin Slug:: add-custom-fields-to-media
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2026-4068

Plugin:: Draft List
Plugin Slug:: simple-draft-list
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.3
Severity Score:: Medium
CVE:: 2026-4006

Plugin:: Filestack WP Upload
Plugin Slug:: filestack-upload
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2024-11462

Plugin:: Activity Log for WordPress
Plugin Slug:: winterlock
Installations: 60+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2026-24987

Plugin:: Instant Popup Builder � Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation
Plugin Slug:: instant-popup-builder
Installations: 30+
Vulnerability:: Content Injection
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2026-3475

Plugin:: Scoreboard for HTML5 Games Lite
Plugin Slug:: scoreboard-for-html5-game-lite
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2026-4083

Plugin:: [CR]Paid Link Manager
Plugin Slug:: crpaid-link-manager
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.6
Severity Score:: High
CVE:: 2026-1780

Plugin:: RockPress
Plugin Slug:: ft-rockpress
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.18
Severity Score:: Medium
CVE:: 2026-3550

Plugin:: WP Cost Estimation & Payment Forms Builder
Plugin Slug:: WP_Estimation_Form
Vulnerability:: Broken Access Control
Patched in Version:: 10.3.0
Severity Score:: High
CVE:: 2026-24363

Plugin:: Addon Jobsearch Chat
Plugin Slug:: addon-jobsearch-chat
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2026-25376

Plugin:: Addon Jobsearch Chat
Plugin Slug:: addon-jobsearch-chat
Vulnerability:: SQL Injection
Patched in Version:: 3.1
Severity Score:: Critical
CVE:: 2026-25377

Plugin:: SUMO Affiliates Pro
Plugin Slug:: affs
Vulnerability:: PHP Object Injection
Patched in Version:: 11.4.0
Severity Score:: Critical
CVE:: 2026-24989

Plugin:: Aimogen Pro
Plugin Slug:: aimogen-pro
Vulnerability:: Privilege Escalation
Patched in Version:: 2.7.6
Severity Score:: Critical
CVE:: 2026-4038

Plugin:: Elated Listing
Plugin Slug:: eltd-listing
Vulnerability:: Broken Access Control
Patched in Version:: 1.5
Severity Score:: Medium
CVE:: 2026-24972

Plugin:: XStore Core
Plugin Slug:: et-core-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.5
Severity Score:: High
CVE:: 2026-25306

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.15.0
Severity Score:: High
CVE:: 2026-32542

Plugin:: Gyan Elements
Plugin Slug:: gyan-elements
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: High
CVE:: 2026-23979

Plugin:: Green Downloads
Plugin Slug:: halfdata-paypal-green-downloads
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.09
Severity Score:: Critical
CVE:: 2026-32536

Plugin:: Ultimate Membership Pro
Plugin Slug:: indeed-membership-pro
Vulnerability:: Broken Authentication
Patched in Version:: 13.7.1
Severity Score:: High
CVE:: 2026-25357

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.2
Severity Score:: High
CVE:: 2026-24979

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4.2
Severity Score:: High
CVE:: 2026-24978

Plugin:: Lumise Product Designer
Plugin Slug:: lumise
Vulnerability:: SQL Injection
Patched in Version:: 2.0.9
Severity Score:: Critical
CVE:: 2026-25371

Plugin:: Miraculous Core Plugin
Plugin Slug:: miraculouscore
Vulnerability:: SQL Injection
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-32516

Plugin:: Motta Addons
Plugin Slug:: motta-addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2026-25033

Plugin:: NaturaLife Extensions
Plugin Slug:: naturalife-extensions
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-25018

Plugin:: NaturaLife Extensions
Plugin Slug:: naturalife-extensions
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-25017

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: SQL Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24977

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: PHP Object Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24976

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24975

Plugin:: Visionary Core
Plugin Slug:: noo-visionary-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2026-24980

Plugin:: Visionary Core
Plugin Slug:: noo-visionary-core
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2026-24981

Plugin:: Phox Hosting
Plugin Slug:: phox-host
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9
Severity Score:: High
CVE:: 2026-25013

Plugin:: Salon Booking System Pro
Plugin Slug:: salon-booking-plugin-pro
Vulnerability:: Broken Authentication
Patched in Version:: 10.30.12
Severity Score:: High
CVE:: 2026-25334

Plugin:: tagDiv Opt-In Builder
Plugin Slug:: td-subscription
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.4
Severity Score:: High
CVE:: 2025-53222

Plugin:: The Grid
Plugin Slug:: the-grid
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.0
Severity Score:: High
CVE:: 2026-24369

Plugin:: The Grid
Plugin Slug:: the-grid
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.0
Severity Score:: Medium
CVE:: 2026-24370

Plugin:: UpSolution Core
Plugin Slug:: us-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.42
Severity Score:: High
CVE:: 2026-24983

Plugin:: WooCommerce Support Ticket System
Plugin Slug:: woocommerce-support-ticket-system
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 18.5
Severity Score:: High
CVE:: 2026-32522

Plugin:: WP Configurator Pro
Plugin Slug:: wp-configurator-pro
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.0
Severity Score:: High
CVE:: 2026-32501

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.2
Severity Score:: High
CVE:: 2026-32493

WordPress Themes � 49 Patched / 7 Unpatched

Theme:: Apicona
Theme Slug:: apicona
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25400

Theme:: Jannah
Theme Slug:: jannah
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25464

Theme:: Kentha
Theme Slug:: kentha
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25442

Theme:: Mixtape
Theme Slug:: mixtape
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25457

Theme:: Moments
Theme Slug:: moments
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25458

Theme:: Photography
Theme Slug:: photography
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27043

Theme:: The League
Theme Slug:: the-league
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25454

Theme:: Education Zone
Theme Slug:: education-zone
Downloads: 483,880
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.9
Severity Score:: Medium
CVE:: 2026-25009

Theme:: Ona
Theme Slug:: ona
Downloads: 243,101
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.24
Severity Score:: Critical
CVE:: 2026-32482

Theme:: Archicon
Theme Slug:: archicon
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2026-32506

Theme:: Borgholm
Theme Slug:: borgholm-marketing-agency-theme
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: Critical
CVE:: 2026-32502

Theme:: Car Dealer
Theme Slug:: cardealer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.8
Severity Score:: High
CVE:: 2026-24391

Theme:: Feedy
Theme Slug:: feedy
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-25380

Theme:: Gaea
Theme Slug:: gaea
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8
Severity Score:: High
CVE:: 2026-32518

Theme:: Goldish
Theme Slug:: goldish
Vulnerability:: PHP Object Injection
Patched in Version:: 3.47
Severity Score:: Critical
CVE:: 2026-25030

Theme:: Golo
Theme Slug:: golo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.5
Severity Score:: High
CVE:: 2026-23973

Theme:: Gracey
Theme Slug:: gracey
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2026-32509

Theme:: Halstein
Theme Slug:: halstein
Vulnerability:: PHP Object Injection
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2026-32508

Theme:: IdealAuto
Theme Slug:: idealauto
Vulnerability:: Local File Inclusion
Patched in Version:: 3.8.6
Severity Score:: High
CVE:: 2026-25382

Theme:: Jaroti
Theme Slug:: jaroti
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.8
Severity Score:: High
CVE:: 2026-25304

Theme:: Kamperen
Theme Slug:: kamperen
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2026-32510

Theme:: Kiddy
Theme Slug:: kiddy
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.9
Severity Score:: High
CVE:: 2026-32505

Theme:: KIDZ
Theme Slug:: kidz
Vulnerability:: PHP Object Injection
Patched in Version:: 5.25
Severity Score:: Critical
CVE:: 2026-25029

Theme:: Kunco
Theme Slug:: kunco
Vulnerability:: Local File Inclusion
Patched in Version:: 1.4.5
Severity Score:: High
CVE:: 2026-32531

Theme:: Boutique
Theme Slug:: kute-boutique
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.6
Severity Score:: High
CVE:: 2026-25342

Theme:: Leroux
Theme Slug:: leroux
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2026-32507

Theme:: Loobek
Theme Slug:: loobek
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.2
Severity Score:: High
CVE:: 2026-25349

Theme:: LoveDate
Theme Slug:: lovedate
Vulnerability:: Local File Inclusion
Patched in Version:: 3.8.6
Severity Score:: High
CVE:: 2026-25381

Theme:: Meloo
Theme Slug:: meloo
Vulnerability:: PHP Object Injection
Patched in Version:: 2.8.2
Severity Score:: High
CVE:: 2026-25358

Theme:: MetaMax
Theme Slug:: metamax
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-32500

Theme:: Miraculous
Theme Slug:: miraculous
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-32515

Theme:: Miti
Theme Slug:: miti
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: High
CVE:: 2026-25350

Theme:: Molla
Theme Slug:: molla
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.19
Severity Score:: High
CVE:: 2026-32529

Theme:: MyDecor
Theme Slug:: mydecor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.9
Severity Score:: High
CVE:: 2026-25352

Theme:: MyMedi
Theme Slug:: mymedi
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.7
Severity Score:: High
CVE:: 2026-25351

Theme:: CitiLights
Theme Slug:: noo-citilights
Vulnerability:: PHP Object Injection
Patched in Version:: 3.7.2
Severity Score:: High
CVE:: 2026-24974

Theme:: CitiLights
Theme Slug:: noo-citilights
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.2
Severity Score:: High
CVE:: 2026-24973

Theme:: Jobmonster
Theme Slug:: noo-jobmonster
Vulnerability:: SQL Injection
Patched in Version:: 4.8.4
Severity Score:: Critical
CVE:: 2026-25340

Theme:: Nooni
Theme Slug:: nooni
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.1
Severity Score:: High
CVE:: 2026-25353

Theme:: Pelicula
Theme Slug:: pelicula-video-production-and-movie-theme
Vulnerability:: PHP Object Injection
Patched in Version:: 1.10
Severity Score:: Critical
CVE:: 2026-32512

Theme:: Pendulum
Theme Slug:: pendulum
Vulnerability:: PHP Object Injection
Patched in Version:: 3.1.5
Severity Score:: High
CVE:: 2026-25359

Theme:: Reebox
Theme Slug:: reebox
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.8
Severity Score:: High
CVE:: 2026-25354

Theme:: Ricky
Theme Slug:: ricky
Vulnerability:: PHP Object Injection
Patched in Version:: 2.31
Severity Score:: Critical
CVE:: 2026-25032

Theme:: Riode
Theme Slug:: riode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.29
Severity Score:: High
CVE:: 2026-32528

Theme:: Sanzo
Theme Slug:: sanzo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.3
Severity Score:: Medium
CVE:: 2026-25355

Theme:: Scape
Theme Slug:: scape
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.5.16
Severity Score:: High
CVE:: 2026-31913

Theme:: St�l
Theme Slug:: stal
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2026-32511

Theme:: StreamVid
Theme Slug:: streamvid
Vulnerability:: Local File Inclusion
Patched in Version:: 6.8.6
Severity Score:: High
CVE:: 2026-25379

Theme:: Tasty Daily
Theme Slug:: tastydaily
Vulnerability:: PHP Object Injection
Patched in Version:: 1.27
Severity Score:: Critical
CVE:: 2026-25031

Theme:: Traveler
Theme Slug:: traveler
Vulnerability:: PHP Object Injection
Patched in Version:: 3.2.8.1
Severity Score:: Critical
CVE:: 2026-25449

Theme:: Trendustry
Theme Slug:: trendustry
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-32503

Theme:: Vayvo
Theme Slug:: vayvo-progression
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.8
Severity Score:: High
CVE:: 2026-25373

Theme:: Vex
Theme Slug:: vex
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2.9
Severity Score:: High
CVE:: 2026-25360

Theme:: VintWood
Theme Slug:: vintwood
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.9
Severity Score:: High
CVE:: 2026-32504

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: PHP Object Injection
Patched in Version:: 8.3.9
Severity Score:: High
CVE:: 2026-23971

Theme:: Yobazar
Theme Slug:: yobazar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.7
Severity Score:: High
CVE:: 2026-25356