WordPress Vulnerability Report � November 26, 2025

In this report, 164 vulnerabilities have been publicly disclosed. Security patches for 89 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 75 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.3 was released on September 30, 2025. This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.

WordPress 6.9 Release Candidate 3 (RC3) is now available for testing. This version is still under development and should not be installed on production or mission-critical websites. Instead, test RC2 on a staging or test site. You can read more on the WordPress Core blog for details on how to download and test this release.

The final release of WordPress 6.9 is scheduled for December 2, 2025. For updates, testing information, and release announcements, visit the Make WordPress Core blog.

WordPress Plugins � 89 Patched / 74 Unpatched

Plugin:: Image Hover Effects Ultimate
Plugin Slug:: image-hover-effects-ultimate
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Enable SVG, WebP, and ICO Upload
Plugin Slug:: enable-svg-webp-ico-upload
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13069

Plugin:: Enable SVG, WebP, and ICO Upload
Plugin Slug:: enable-svg-webp-ico-upload
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12457

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10938

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11003

Plugin:: Gutenify � Visual Site Builder Blocks & Site Templates.
Plugin Slug:: gutenify
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8605

Plugin:: Gallery with thumbnail slider
Plugin Slug:: gallery-with-thumbnail-slider
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: ?????
Plugin Slug:: keydatas
Installations: 2,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11973

Plugin:: Simple User Import Export
Plugin Slug:: a3-user-importer
Vulnerability:: CSV Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13133

Plugin:: Ace Post Type Builder
Plugin Slug:: ace-post-type-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13405

Plugin:: ACF Flexible Layouts Manager
Plugin Slug:: acf-flexible-layouts-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12937

Plugin:: OrderConvo
Plugin Slug:: admin-and-client-message-after-order-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13389

Plugin:: OrderConvo
Plugin Slug:: admin-and-client-message-after-order-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13452

Plugin:: ArtiBot
Plugin Slug:: artibot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12078

Plugin:: Attention Bar
Plugin Slug:: attention-bar
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12502

Plugin:: AudioTube
Plugin Slug:: audiotube
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11801

Plugin:: AuthorSure
Plugin Slug:: authorsure
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13134

Plugin:: Autochat Automatic Conversation
Plugin Slug:: auyautochat-for-wp
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12043

Plugin:: BigBuy Dropshipping Connector for WooCommerce
Plugin Slug:: bigbuy-wc-dropshipping-connector
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12039

Plugin:: Bookme � Free Online Appointment Booking and Scheduling Plugin
Plugin Slug:: bookme-free-appointment-booking-system
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13385

Plugin:: Restrictions for BuddyPress
Plugin Slug:: bp-restrict
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12391

Plugin:: BrightTALK WordPress Shortcode
Plugin Slug:: brighttalk-wp-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11770

Plugin:: Bulma Shortcodes
Plugin Slug:: bulma-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11802

Plugin:: Category and Product Woocommerce Tabs
Plugin Slug:: category-and-product-woocommerce-tabs
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13088

Plugin:: Chamber Dashboard Business Directory
Plugin Slug:: chamber-dashboard-business-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13414

Plugin:: Coil Web Monetization
Plugin Slug:: coil-web-monetization
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9625

Plugin:: CSV to SortTable
Plugin Slug:: csv-to-sorttable
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12823

Plugin:: Custom Post Type
Plugin Slug:: custom-post-type
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13142

Plugin:: Display Pages Shortcode
Plugin Slug:: display-pages-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11763

Plugin:: Download Panel (Biggiko Team)
Plugin Slug:: download-panel
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12961

Plugin:: YouTube Subscribe
Plugin Slug:: easy-youtube-subscribe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12025

Plugin:: everviz
Plugin Slug:: everviz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11868

Plugin:: Flo Forms
Plugin Slug:: flo-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13159

Plugin:: HotelRunner Booking Widget
Plugin Slug:: hotelrunner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13135

Plugin:: Inline frame � Iframe
Plugin Slug:: inline-frame-iframe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12645

Plugin:: Islamic Phrases
Plugin Slug:: islamic-phrases
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11768

Plugin:: Just Highlight
Plugin Slug:: just-highlight
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13311

Plugin:: LightGallery WP
Plugin Slug:: lightgallerywp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Like-it
Plugin Slug:: like-it
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12404

Plugin:: Local Syndication
Plugin Slug:: local-syndication
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12962

Plugin:: Locker Content
Plugin Slug:: locker-content
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12525

Plugin:: Conditionnal Maintenance Mode for WordPress
Plugin Slug:: maintenance-mode-based-on-user-roles
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12586

Plugin:: Make Email Customizer for WooCommerce
Plugin Slug:: make-email-customizer-for-woocommerce
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11237

Plugin:: Meta Display Block
Plugin Slug:: meta-display-block
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12088

Plugin:: Mstore Mobile App
Plugin Slug:: mstoreapp-mobile-app
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11127

Plugin:: Multiple Roles per User
Plugin Slug:: multiple-roles-per-user
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11620

Plugin:: Frontend File Manager
Plugin Slug:: nmedia-user-file-uploader
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13382

Plugin:: Peer Publish
Plugin Slug:: peer-publish
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12587

Plugin:: Drag & Drop Builder
Plugin Slug:: pie-forms-for-wp
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12528

Plugin:: Pollcaster Shortcode Plugin
Plugin Slug:: pollcaster-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12661

Plugin:: Premmerce Wholesale Pricing for WooCommerce
Plugin Slug:: premmerce-woocommerce-wholesale-pricing
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12411

Plugin:: Project Honey Pot Spam Trap
Plugin Slug:: project-honey-pot-spam-trap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12406

Plugin:: ProjectList
Plugin Slug:: projectlist
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13370

Plugin:: Realty Portal
Plugin Slug:: realty-portal
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11985

Plugin:: Refund Request for WooCommerce
Plugin Slug:: refund-request-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12634

Plugin:: Shortcodes Bootstrap
Plugin Slug:: shortcodes-bootstrap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11764

Plugin:: Social Images Widget
Plugin Slug:: social-images-widget
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13386

Plugin:: Stock Tools
Plugin Slug:: stock-tools
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11765

Plugin:: Surbma | MiniCRM Shortcode
Plugin Slug:: surbma-minicrm-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11800

Plugin:: The Permalinks Cascade
Plugin Slug:: the-permalinks-cascade
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12372

Plugin:: Tips Shortcode
Plugin Slug:: tips-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11767

Plugin:: Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
Plugin Slug:: tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11771

Plugin:: Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
Plugin Slug:: tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11773

Plugin:: Top Friends
Plugin Slug:: top-friends
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12827

Plugin:: Cryptocurrency Payment Gateway for WooCommerce
Plugin Slug:: triplea-cryptocurrency-payment-gateway-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12392

Plugin:: WP Twitter Auto Publish
Plugin Slug:: twitter-auto-publish
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12079

Plugin:: Padlet Shortcode
Plugin Slug:: wallwisher-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12660

Plugin:: Mstore Mobile App
Plugin Slug:: woo-mstoreapp-mobile-app
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11127

Plugin:: WP Admin Microblog
Plugin Slug:: wp-admin-microblog
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12173

Plugin:: WP AUDIO GALLERY
Plugin Slug:: wp-audio-gallery
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13322

Plugin:: WP Company Info
Plugin Slug:: wp-company-info
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11826

Plugin:: Shortcode for Google Street View
Plugin Slug:: wp-google-street-view-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11808

Plugin:: WPSite Shortcode
Plugin Slug:: wpsite-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11803

Plugin:: Zweb Social Mobile
Plugin Slug:: zweb-social-mobile
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12032

Plugin:: Code Snippets
Plugin Slug:: code-snippets
Installations: 1,000,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.9.2
Severity Score:: High
CVE:: 2025-13035

Plugin:: W3 Total Cache
Plugin Slug:: w3-total-cache
Installations: 1,000,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.8.13
Severity Score:: Critical
CVE:: 2025-9501

Plugin:: Royal Addons for Elementor � Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1032
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Royal Addons for Elementor � Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1037
Severity Score:: Medium
CVE:: 2025-6251

Plugin:: YITH WooCommerce Wishlist
Plugin Slug:: yith-woocommerce-wishlist
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.10.1
Severity Score:: Medium
CVE:: 2025-12777

Plugin:: YITH WooCommerce Wishlist
Plugin Slug:: yith-woocommerce-wishlist
Installations: 500,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.10.1
Severity Score:: Medium
CVE:: 2025-12427

Plugin:: SiteSEO � SEO Simplified
Plugin Slug:: siteseo
Installations: 400,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-13085

Plugin:: SiteSEO � SEO Simplified
Plugin Slug:: siteseo
Installations: 400,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-12814

Plugin:: Broken Link Checker by AIOSEO � Easily Fix/Monitor Internal and External links
Plugin Slug:: broken-link-checker-seo
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.6
Severity Score:: Medium
CVE:: 2025-11734

Plugin:: SureForms � Contact Form, Payment Form & Other Custom Form Builder
Plugin Slug:: sureforms
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.13.2
Severity Score:: Medium
CVE:: 2025-12535

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.0.48
Severity Score:: High
CVE:: 2025-11307

Plugin:: Post Type Switcher
Plugin Slug:: post-type-switcher
Installations: 200,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2025-12524

Plugin:: WP Migrate Lite � WordPress Migration Made Easy
Plugin Slug:: wp-migrate-db
Installations: 200,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.7.7
Severity Score:: High
CVE:: 2025-11427

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.1.9
Severity Score:: Medium
CVE:: 2025-8084

Plugin:: Element Pack Addons for Elementor
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.3.5
Severity Score:: Medium
CVE:: 2025-13196

Plugin:: GiveWP � Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.13.1
Severity Score:: High
CVE:: 2025-13206

Plugin:: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Plugin Slug:: post-expirator
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.2
Severity Score:: Low
CVE:: 2025-13149

Plugin:: Responsive Lightbox & Gallery
Plugin Slug:: responsive-lightbox
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.5.4
Severity Score:: Medium
CVE:: 2025-12359

Plugin:: VK All in One Expansion Unit
Plugin Slug:: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.112.2
Severity Score:: Medium
CVE:: 2025-11265

Plugin:: Booking for Appointments and Events Calendar � Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.37
Severity Score:: Medium
CVE:: 2023-49282

Plugin:: Booking for Appointments and Events Calendar � Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.36
Severity Score:: Critical
CVE:: 2025-12482

Plugin:: HT Mega � Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.1
Severity Score:: Medium
CVE:: 2025-13141

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.0
Severity Score:: Medium
CVE:: 2025-11368

Plugin:: Email Subscribers & Newsletters � Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce
Plugin Slug:: email-subscribers
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.9.11
Severity Score:: Medium
CVE:: 2025-12349

Plugin:: FluentCRM � Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution
Plugin Slug:: fluent-crm
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.85
Severity Score:: Medium
CVE:: 2025-12935

Plugin:: Live sales notification for WooCommerce
Plugin Slug:: live-sales-notifications-for-woocommerce
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.40
Severity Score:: High
CVE:: 2025-12955

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.7.1
Severity Score:: Medium
CVE:: 2025-13558

Plugin:: User Profile Builder � Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.14.9
Severity Score:: Medium
CVE:: 2025-13054

Plugin:: Pixel Manager for WooCommerce � Track Conversions and Analytics, Google Ads, TikTok and more
Plugin Slug:: woocommerce-google-adwords-conversion-tracking-tag
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.49.3
Severity Score:: Medium
CVE:: 2025-12545

Plugin:: WP Duplicate Page
Plugin Slug:: wp-duplicate-page
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2025-12481

Plugin:: OneClick Chat to Order
Plugin Slug:: oneclick-whatsapp-order
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.9
Severity Score:: High
CVE:: 2025-13526

Plugin:: RTMKit
Plugin Slug:: rometheme-for-elementor
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2025-8609

Plugin:: Giveaways and Contests by RafflePress � Get More Website Traffic, Email Subscribers, and Social Followers
Plugin Slug:: rafflepress
Installations: 30,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.12.21
Severity Score:: Medium
CVE:: 2025-66064

Plugin:: Giveaways and Contests by RafflePress � Get More Website Traffic, Email Subscribers, and Social Followers
Plugin Slug:: rafflepress
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.21
Severity Score:: High
CVE:: 2025-12484

Plugin:: Custom Order Numbers for WooCommerce
Plugin Slug:: custom-order-numbers-for-woocommerce
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.11.1
Severity Score:: Medium
CVE:: 2025-66071

Plugin:: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Plugin Slug:: directorist
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.5.3
Severity Score:: Medium
CVE:: 2025-12174

Plugin:: New User Approve
Plugin Slug:: new-user-approve
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.1.0
Severity Score:: Medium
CVE:: 2025-12770

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 6.7.0.81
Severity Score:: Medium
CVE:: 2025-12426

Plugin:: PPOM � Product Addons & Custom Fields for WooCommerce
Plugin Slug:: woocommerce-product-addon
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 33.0.17
Severity Score:: Medium
CVE:: 2025-66069

Plugin:: WP Import � Ultimate CSV XML Importer for WordPress
Plugin Slug:: wp-ultimate-csv-importer
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 7.34
Severity Score:: High
CVE:: 2025-13145

Plugin:: Classified Listing � AI-Powered Classified ads & Business Directory Plugin
Plugin Slug:: classified-listing
Installations: 10,000+
Vulnerability:: Content Spoofing
Patched in Version:: 5.0.4
Severity Score:: Medium
CVE:: 2025-7711

Plugin:: Legal Pages � Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Plugin Slug:: legal-pages
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.7
Severity Score:: Medium
CVE:: 2025-66077

Plugin:: Photonic Gallery & Lightbox for Flickr, SmugMug & Others
Plugin Slug:: photonic
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.22
Severity Score:: Medium
CVE:: 2025-12691

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.09
Severity Score:: Medium
CVE:: 2025-11815

Plugin:: Checkout Files Upload for WooCommerce
Plugin Slug:: checkout-files-upload-woocommerce
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: High
CVE:: 2025-4212

Plugin:: Portfolio, Gallery, Product Catalog � Grid KIT Portfolio
Plugin Slug:: portfolio-wp
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Icon List Block � Add Icon-Based Lists with Custom Styles
Plugin Slug:: icon-list-block
Installations: 5,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.2.2
Severity Score:: Medium
CVE:: 2025-12376

Plugin:: Import WP � Export and Import CSV and XML files to WordPress
Plugin Slug:: jc-importer
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.14.18
Severity Score:: Medium
CVE:: 2025-12894

Plugin:: Return Refund and Exchange For WooCommerce
Plugin Slug:: woo-refund-and-exchange-lite
Installations: 5,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.5.6
Severity Score:: Medium
CVE:: 2025-12881

Plugin:: Team Members Showcase
Plugin Slug:: wps-team
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.0
Severity Score:: High
CVE:: 2025-11560

Plugin:: Magical Products Display � Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search
Plugin Slug:: magical-products-display
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.30
Severity Score:: Medium
CVE:: 2025-12964

Plugin:: Property Hive
Plugin Slug:: propertyhive
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2025-66087

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.4
Severity Score:: Critical
CVE:: 2025-13138

Plugin:: Accordion Slider
Plugin Slug:: accordion-slider
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.14
Severity Score:: Medium
CVE:: 2025-66092

Plugin:: Extensions for Leaflet Map
Plugin Slug:: extensions-leaflet-map
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9
Severity Score:: Medium
CVE:: 2025-66093

Plugin:: Groundhogg � CRM, Newsletters, and Marketing Automation
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.2.7
Severity Score:: High
CVE:: 2025-12750

Plugin:: Groundhogg � CRM, Newsletters, and Marketing Automation
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.6.1
Severity Score:: Medium
CVE:: 2025-64367

Plugin:: Vitepos � Point of Sale (POS) for WooCommerce
Plugin Slug:: vitepos-lite
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.1
Severity Score:: Critical
CVE:: 2025-13156

Plugin:: Appointment Booking Calendar
Plugin Slug:: appointment-booking-calendar
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.97
Severity Score:: Medium
CVE:: 2025-13317

Plugin:: wModes � Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce
Plugin Slug:: catalog-mode-pricing-enquiry-forms-promotions
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2025-12639

Plugin:: CBX Bookmark & Favorite
Plugin Slug:: cbxwpbookmark
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-66101

Plugin:: CP Contact Form with PayPal
Plugin Slug:: cp-contact-form-with-paypal
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.57
Severity Score:: High
CVE:: 2025-13384

Plugin:: GSheetConnector For Ninja Forms
Plugin Slug:: gsheetconnector-ninja-forms
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-13136

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.1
Severity Score:: Medium
CVE:: 2025-12747

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.1
Severity Score:: High
CVE:: 2025-12746

Plugin:: TP WooCommerce Product Gallery
Plugin Slug:: tp-woocommerce-product-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Better Chat Support for Messenger
Plugin Slug:: better-chat-support
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.19
Severity Score:: Medium
CVE:: 2025-66113

Plugin:: Booking Calendar Contact Form
Plugin Slug:: booking-calendar-contact-form
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.61
Severity Score:: Medium
CVE:: 2025-13318

Plugin:: Show Variations as Single Products Woocommerce
Plugin Slug:: woo-show-single-variations-shop-category
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2025-66114

Plugin:: Checkbox
Plugin Slug:: checkbox
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.11
Severity Score:: Medium
CVE:: 2025-12170

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.2
Severity Score:: Medium
CVE:: 2025-10054

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-10039

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.2
Severity Score:: Critical
CVE:: 2025-11456

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2025-12169

Plugin:: Simple User Registration
Plugin Slug:: wp-registration
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7
Severity Score:: High
CVE:: 2025-12160

Plugin:: WP Delete Post Copies
Plugin Slug:: etruel-del-post-copies
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.3
Severity Score:: Medium
CVE:: 2025-12066

Plugin:: WP Login and Register using JWT
Plugin Slug:: login-register-using-jwt
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.0
Severity Score:: Medium
CVE:: 2025-12822

Plugin:: Time Slot � Booking and Appointment Scheduling
Plugin Slug:: timeslot
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.8
Severity Score:: Medium
CVE:: 2025-12842

Plugin:: EchBay Admin Security
Plugin Slug:: echbay-admin-security
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-11885

Plugin:: WP Dropzone
Plugin Slug:: wp-dropzone
Installations: 100+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.1
Severity Score:: Critical
CVE:: 2025-12775

Plugin:: S2B AI Assistant � ChatBot, ChatGPT, OpenAI, Content & Image Generator
Plugin Slug:: s2b-ai-assistant
Installations: 70+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.7.9
Severity Score:: Critical
CVE:: 2025-12973