Nexcess.com Servers.com LiquidWeb.com

Line illustration showing a black application window on a red gradient background overlaid with a large exclamation point alert icon and three bugs.

WordPress Vulnerability Report � September 24, 2025

[email protected]

In this report, 354 vulnerabilities have been publicly disclosed. Security patches for 89 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 265 WordPress Core, plugin, and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

Patchstack�s bug-bounty program recently disclosed two WordPress Core vulnerabilities. Both are assessed as low severity and require an attacker to have a compromised Contributor-level account on the site to exploit, making widespread abuse unlikely. No virtual patch is available or required; the WordPress Core security team is actively investigating and coordinating fixes.

Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58246

Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58674

WordPress Plugins � 85 Patched / 254 Unpatched

Plugin:: All in One SEO � Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Plugin Slug:: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58649

Plugin:: All in One SEO � Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Plugin Slug:: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58650

Plugin:: Sticky Header Effects for Elementor
Plugin Slug:: sticky-header-effects-for-elementor
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58251

Plugin:: Nextend Social Login and Register
Plugin Slug:: nextend-facebook-connect
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58031

Plugin:: TI WooCommerce Wishlist
Plugin Slug:: ti-woocommerce-wishlist
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58247

Plugin:: 3D FlipBook � PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Plugin Slug:: interactive-3d-flipbook-powered-physics-engine
Installations: 80,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58226

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58264

Plugin:: Master Slider � Responsive Touch Slider
Plugin Slug:: master-slider
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58025

Plugin:: Getwid � Gutenberg Blocks
Plugin Slug:: getwid
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58252

Plugin:: Image Hover Effects � Elementor Addon
Plugin Slug:: image-hover-effects-addon-for-elementor
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57939

Plugin:: Perfect Brands for WooCommerce
Plugin Slug:: perfect-woocommerce-brands
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58686

Plugin:: Better Find and Replace � AI-Powered Suggestions
Plugin Slug:: real-time-auto-find-and-replace
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53466

Plugin:: DethemeKit for Elementor
Plugin Slug:: dethemekit-for-elementor
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57995

Plugin:: Page-list
Plugin Slug:: page-list
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58030

Plugin:: Hubbub Lite � Fast, Reliable Social Sharing Buttons
Plugin Slug:: social-pug
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58007

Plugin:: GutenKit � Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor
Plugin Slug:: gutenkit-blocks-addon
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57900

Plugin:: Gutentor � Gutenberg Blocks � Page Builder for Gutenberg Editor
Plugin Slug:: gutentor
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58680

Plugin:: Ads by Quads � Adsense Ads, Banner Ads, Popup Ads
Plugin Slug:: quick-adsense-reloaded
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53459

Plugin:: Trustpilot Reviews
Plugin Slug:: trustpilot-reviews
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57997

Plugin:: WP Events Manager
Plugin Slug:: wp-events-manager
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57987

Plugin:: Accordion � AI FAQ, Accordion, Tabs, Image Accordion, Product FAQ, FAQ Builder, FAQ Grid
Plugin Slug:: accordions
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58678

Plugin:: Geolocation IP Detection
Plugin Slug:: geoip-detect
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57993

Plugin:: Custom Block Builder � Lazy Blocks
Plugin Slug:: lazy-blocks
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58258

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58014

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58015

Plugin:: Uncanny Toolkit for LearnDash
Plugin Slug:: uncanny-learndash-toolkit
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57988

Plugin:: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission � WP User Frontend
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58672

Plugin:: Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission � WP User Frontend
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58673

Plugin:: Blog Designer
Plugin Slug:: blog-designer
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57990

Plugin:: Passster � Password Protect Pages and Content
Plugin Slug:: content-protector
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57926

Plugin:: Translate WordPress with ConveyThis
Plugin Slug:: conveythis-translate
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-57919

Plugin:: Dashboard Notepad
Plugin Slug:: dashboard-notepad
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57927

Plugin:: Gallery Lightbox
Plugin Slug:: gallery-lightbox-slider
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57966

Plugin:: FAQ / Accordion / Docs / KB � Helpie WordPress FAQ Accordion plugin
Plugin Slug:: helpie-faq
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58659

Plugin:: Open User Map
Plugin Slug:: open-user-map
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57953

Plugin:: Portfolio for Elementor & Image Gallery | PowerFolio
Plugin Slug:: portfolio-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57932

Plugin:: Qubely � Advanced Gutenberg Blocks
Plugin Slug:: qubely
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58249

Plugin:: Qubely � Advanced Gutenberg Blocks
Plugin Slug:: qubely
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58663

Plugin:: Team � Team Members Showcase Plugin
Plugin Slug:: tlp-team
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57975

Plugin:: WP Subtitle
Plugin Slug:: wp-subtitle
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57986

Plugin:: WPeMatico RSS Feed Fetcher
Plugin Slug:: wpematico
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57937

Plugin:: Convert WordPress to app | AppMySite
Plugin Slug:: appmysite
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58679

Plugin:: No External Links
Plugin Slug:: mihdan-no-external-links
Installations: 9,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53451

Plugin:: WP Compress � Instant Performance & Speed Optimization
Plugin Slug:: wp-compress-image-optimizer
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57899

Plugin:: WP Mailto Links � Protect Email Addresses
Plugin Slug:: wp-mailto-links
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53464

Plugin:: Awesome Support � WordPress HelpDesk & Support Plugin
Plugin Slug:: awesome-support
Installations: 8,000+
Vulnerability:: Deserialization of untrusted data
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58662

Plugin:: Participants Database
Plugin Slug:: participants-database
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58008

Plugin:: Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More � WP Project Manager
Plugin Slug:: wedevs-project-manager
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58269

Plugin:: Poll Maker � Versus Polls, Anonymous Polls, Image Polls
Plugin Slug:: poll-maker
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57954

Plugin:: CoDesigner � All in One Elementor WooCommerce Builder
Plugin Slug:: woolementor
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57961

Plugin:: Flexible PDF Invoices for WooCommerce & WordPress
Plugin Slug:: flexible-invoices
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-57977

Plugin:: Search Atlas SEO � Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization
Plugin Slug:: metasync
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58019

Plugin:: WP Social Widget
Plugin Slug:: wp-social-widget
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57981

Plugin:: WPKoi Templates for Elementor
Plugin Slug:: wpkoi-templates-for-elementor
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57999

Plugin:: WordPress Classifieds Plugin � Ad Directory & Listings by AWP Classifieds
Plugin Slug:: another-wordpress-classifieds-plugin
Installations: 4,000+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57928

Plugin:: Mail Subscribe List
Plugin Slug:: mail-subscribe-list
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58018

Plugin:: Post Carousel Slider for Elementor
Plugin Slug:: post-carousel-slider-for-elementor
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57955

Plugin:: Simple JWT Login � Allows you to use JWT on REST endpoints.
Plugin Slug:: simple-jwt-login
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58648

Plugin:: Ultimate Store Kit � Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder
Plugin Slug:: ultimate-store-kit
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58017

Plugin:: Cecabank WooCommerce Plugin
Plugin Slug:: cecabank-woocommerce
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58685

Plugin:: E-namad & Shamed Logo Manager
Plugin Slug:: e-namad-shamed-logo-manager
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57998

Plugin:: Interact: Embed A Quiz On Your Site
Plugin Slug:: interact-quiz-embed
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58675

Plugin:: Login-Logout
Plugin Slug:: login-logout
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53467

Plugin:: Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce
Plugin Slug:: ongkoskirim-id
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57949

Plugin:: Designil PDPA Thailand
Plugin Slug:: pdpa-thailand
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58028

Plugin:: Piotnet Forms
Plugin Slug:: piotnetforms
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57933

Plugin:: Podlove Subscribe button
Plugin Slug:: podlove-subscribe-button
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58227

Plugin:: Text To Speech TTS Accessibility
Plugin Slug:: text-to-audio
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58664

Plugin:: CardCom Payment Gateway
Plugin Slug:: woo-cardcom-payment-gateway
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57976

Plugin:: Compact Archives
Plugin Slug:: compact-archives
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58001

Plugin:: Estonian Shipping Methods for WooCommerce
Plugin Slug:: estonian-shipping-methods-for-woocommerce
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58656

Plugin:: Photo Gallery by Ays � Responsive Image Gallery
Plugin Slug:: gallery-photo-gallery
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57947

Plugin:: GD bbPress Tools
Plugin Slug:: gd-bbpress-tools
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58002

Plugin:: Import Markdown � Versatile Markdown Importer
Plugin Slug:: import-markdown
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57901

Plugin:: Sitekit
Plugin Slug:: sitekit
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58229

Plugin:: Quick View for WooCommerce
Plugin Slug:: woo-quickview
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58228

Plugin:: Bitly’s WordPress Plugin
Plugin Slug:: wp-bitly
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58231

Plugin:: Advance Portfolio Grid, Slider and Gallery � Showcase Projects, Images and Videos
Plugin Slug:: advance-portfolio-grid
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57982

Plugin:: Advanced Appointment Booking & Scheduling
Plugin Slug:: advanced-appointment-booking-scheduling
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57978

Plugin:: Append extensions on Pages
Plugin Slug:: append-extensions-on-pages
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57940

Plugin:: Append Link on Copy
Plugin Slug:: append-link-on-copy
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57941

Plugin:: AuthorSure
Plugin Slug:: authorsure
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57979

Plugin:: BP Disable Activation Reloaded
Plugin Slug:: bp-disable-activation-reloaded
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57983

Plugin:: CF7 Submissions � Securely Store Contact Form 7 Data and Attachments, Reply to the Sender and more
Plugin Slug:: cf7-submissions
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58016

Plugin:: Clariti
Plugin Slug:: clariti
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57991

Plugin:: Classic Widgets with Block-based Widgets
Plugin Slug:: classic-widgets-with-block-based-widgets
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58029

Plugin:: Content Mask
Plugin Slug:: content-mask
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58011

Plugin:: Content Mask
Plugin Slug:: content-mask
Installations: 1,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-58012

Plugin:: CP Multi View Event Calendar
Plugin Slug:: cp-multi-view-calendar
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-58009

Plugin:: Double the Donation � A workplace giving tool to help your fundraising efforts
Plugin Slug:: double-the-donation
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57929

Plugin:: Double the Donation � A workplace giving tool to help your fundraising efforts
Plugin Slug:: double-the-donation
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57930

Plugin:: Emergency Password Reset
Plugin Slug:: emergency-password-reset
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57942

Plugin:: Fastly
Plugin Slug:: fastly
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58199

Plugin:: Flexible FAQ
Plugin Slug:: flexible-faq
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58200

Plugin:: Force Update Translations
Plugin Slug:: force-update-translations
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58236

Plugin:: Genesis Club Lite
Plugin Slug:: genesis-club-lite
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58691

Plugin:: Connector Wizard (formerly LC Wizard)
Plugin Slug:: ghl-wizard
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58237

Plugin:: Hide WP Toolbar
Plugin Slug:: hide-wp-toolbar
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57969

Plugin:: HT Mega � Absolute Addons for WPBakery Page Builder
Plugin Slug:: ht-mega-for-wpbakery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53463

Plugin:: Beaf � Photo Comparison Block
Plugin Slug:: image-compare-block
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53461

Plugin:: Kama Click Counter
Plugin Slug:: kama-clic-counter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58682

Plugin:: Last Updated Shortcode
Plugin Slug:: last-updated-shortcode
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58683

Plugin:: Logo Showcase � Responsive Logo Carousel, Grid, List & Ticker for WordPress
Plugin Slug:: logo-showcase
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58684

Plugin:: MakeStories (for Google Web Stories)
Plugin Slug:: makestories-helper
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57984

Plugin:: MarketKing � Ultimate WooCommerce Multivendor Marketplace Solution
Plugin Slug:: marketking-multivendor-marketplace-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58702

Plugin:: Memberful � Membership Plugin
Plugin Slug:: memberful-wp
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58000

Plugin:: Frontend File Manager Plugin
Plugin Slug:: nmedia-user-file-uploader
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57921

Plugin:: PilotPress
Plugin Slug:: pilotpress
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58221

Plugin:: PilotPress
Plugin Slug:: pilotpress
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58238

Plugin:: Plugin Security Scanner
Plugin Slug:: plugin-security-scanner
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57950

Plugin:: Product Addons and Product Options With Custom Fields � WowAddons
Plugin Slug:: product-addons
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57958

Plugin:: Quantities and Units for WooCommerce
Plugin Slug:: quantities-and-units-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58917

Plugin:: Safety Exit
Plugin Slug:: safety-exit
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57980

Plugin:: SALESmanago & Leadoo
Plugin Slug:: salesmanago
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57970

Plugin:: SALESmanago & Leadoo
Plugin Slug:: salesmanago
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57971

Plugin:: SiteNarrator Text-to-Speech Widget
Plugin Slug:: sitespeaker-widget
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57951

Plugin:: Skimlinks Affiliate Marketing Tool
Plugin Slug:: skimlinks
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57943

Plugin:: Skimlinks Affiliate Marketing Tool
Plugin Slug:: skimlinks
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57944

Plugin:: Skyword XMLRPC publishing
Plugin Slug:: skyword-plugin
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58703

Plugin:: Slightly troublesome permalink
Plugin Slug:: slightly-troublesome-permalink
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57959

Plugin:: SV Proven Expert
Plugin Slug:: sv-provenexpert
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58010

Plugin:: Travel Map
Plugin Slug:: travelmap-blog
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57960

Plugin:: Ultimate Watermark � Advanced Image Watermarking
Plugin Slug:: ultimate-watermark
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57985

Plugin:: Upcoming Events Lists
Plugin Slug:: upcoming-events-lists
Installations: 1,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57994

Plugin:: Draft � Tailwind CSS for WordPress.
Plugin Slug:: website-builder
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58033

Plugin:: Website Chat Button: Kommo integration
Plugin Slug:: website-chat-button-kommo-integration
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58666

Plugin:: WPB Quick View Popup for WooCommerce
Plugin Slug:: woocommerce-lightbox
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57967

Plugin:: WP Advanced PDF
Plugin Slug:: wp-advanced-pdf
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57945

Plugin:: Category Dropdown by GCS Design
Plugin Slug:: wp-category-dropdown
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58239

Plugin:: WP Compiler
Plugin Slug:: wp-compiler
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58032

Plugin:: WP Delete User Accounts
Plugin Slug:: wp-delete-user-accounts
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58704

Plugin:: Subresource Integrity (SRI) Manager
Plugin Slug:: wp-sri
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57936

Plugin:: Team Manager � Team Member Showcase with grid, slider, table Elementor widget & shortcode
Plugin Slug:: wp-team-manager
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58222

Plugin:: xili-tidy-tags
Plugin Slug:: xili-tidy-tags
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58240

Plugin:: ZoloBlocks � Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
Plugin Slug:: zoloblocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58230

Plugin:: BMI Adult & Kid Calculator
Plugin Slug:: bmi-adultkid-calculator
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53469

Plugin:: Bot Block � Stop Spam Referrals in Google Analytics
Plugin Slug:: bot-block-stop-spam-google-analytics-referrals
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57935

Plugin:: CashBill.pl � P?atno?ci WooCommerce
Plugin Slug:: cashbill-payment-method
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53455

Plugin:: Developer
Plugin Slug:: developer
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57924

Plugin:: Highlight and Share � Social Text and Image Sharing
Plugin Slug:: highlight-and-share
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58260

Plugin:: LWS Affiliation
Plugin Slug:: lws-affiliation
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57934

Plugin:: Mail Baby SMTP
Plugin Slug:: mail-baby-smtp
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57992

Plugin:: PlayerJS
Plugin Slug:: playerjs
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58651

Plugin:: SEO Backlink Monitor
Plugin Slug:: seo-backlink-monitor
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53456

Plugin:: SEO Backlink Monitor
Plugin Slug:: seo-backlink-monitor
Installations: 900+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53457

Plugin:: TOCHAT.BE
Plugin Slug:: tochat-be
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57915

Plugin:: Ultimate WP Mail
Plugin Slug:: ultimate-wp-mail
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53454

Plugin:: WP System Information
Plugin Slug:: wp-system-info
Installations: 900+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57916

Plugin:: BuddyPress Notification Widget
Plugin Slug:: buddypress-notifications-widget
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58263

Plugin:: Category Featured Images
Plugin Slug:: category-featured-images
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58655

Plugin:: StylePress for Elementor
Plugin Slug:: full-site-builder-for-elementor
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58254

Plugin:: Gianism
Plugin Slug:: gianism
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58266

Plugin:: Image Editor by Pixo
Plugin Slug:: image-editor-by-pixo
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58232

Plugin:: Pinterest Pinboard Widget
Plugin Slug:: pinterest-pinboard-widget
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58248

Plugin:: Real Estate Manager � Property Listing and Agent Management
Plugin Slug:: real-estate-manager
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58253

Plugin:: Events Manager � OpenStreetMaps
Plugin Slug:: stonehenge-em-osm
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58265

Plugin:: xili-language
Plugin Slug:: xili-language
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58654

Plugin:: Carousel Ultimate
Plugin Slug:: carousel
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58652

Plugin:: JS Job Manager
Plugin Slug:: js-jobs
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58234

Plugin:: Portfolio by BestWebSoft � Work and Projects Presentation Plugin for WordPress
Plugin Slug:: portfolio
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58245

Plugin:: SQL Chart Builder
Plugin Slug:: sql-chart-builder
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58233

Plugin:: Buckets
Plugin Slug:: buckets
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57996

Plugin:: Easy Quotes
Plugin Slug:: easy-quotes
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58681

Plugin:: Genealogical Tree � WordPress Family Tree
Plugin Slug:: genealogical-tree
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58023

Plugin:: Shortcode
Plugin Slug:: shortcode
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58022

Plugin:: SnapWidget Social Photo Feed Widget
Plugin Slug:: snapwidget-wp-instagram-widget
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58241

Plugin:: Theater for WordPress
Plugin Slug:: theatre
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58020

Plugin:: VikRestaurants Table Reservations and Take-Away
Plugin Slug:: vikrestaurants
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57962

Plugin:: VikRestaurants Table Reservations and Take-Away
Plugin Slug:: vikrestaurants
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-57968

Plugin:: WooMS
Plugin Slug:: wooms
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57956

Plugin:: WooMS
Plugin Slug:: wooms
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57957

Plugin:: WordPress Widgets Shortcode
Plugin Slug:: wp-widgets-shortcode
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57989

Plugin:: AgreeMe Checkboxes For WooCommerce
Plugin Slug:: agreeme-checkboxes-for-woocommerce
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57905

Plugin:: Card Elements for WPBakery
Plugin Slug:: card-elements-for-wpbakery
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58220

Plugin:: Category Featured Images Extended
Plugin Slug:: category-featured-images-extended
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57920

Plugin:: Env�os Coordinadora Woocommerce (Oficial) � WordPress plugin
Plugin Slug:: coordinadora
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57922

Plugin:: DELUCKS SEO
Plugin Slug:: delucks-seo
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53570

Plugin:: WP Frontend Admin � Display WP Admin Pages in the Frontend
Plugin Slug:: display-admin-page-on-frontend
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57898

Plugin:: Easy Hotel Booking � Powerful Hotel Booking Plugin
Plugin Slug:: easy-hotel
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57938

Plugin:: Epeken All Kurir Plugin for Woocommerce Full Version
Plugin Slug:: epeken-all-kurir
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57906

Plugin:: Front End Users
Plugin Slug:: front-end-only-users
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58235

Plugin:: Heureka
Plugin Slug:: heureka
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57907

Plugin:: Library Bookshelves
Plugin Slug:: library-bookshelves
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57964

Plugin:: Maps for WP
Plugin Slug:: maps-for-wp
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57952

Plugin:: NGG Smart Image Search
Plugin Slug:: ngg-smart-image-search
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58027

Plugin:: payOS
Plugin Slug:: payos
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57946

Plugin:: Behance Portfolio Manager
Plugin Slug:: portfolio-manager-powered-by-behance
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57913

Plugin:: Product Time Countdown for WooCommerce
Plugin Slug:: product-countdown-for-woocommerce
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57908

Plugin:: Tapfiliate
Plugin Slug:: tapfiliate
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58689

Plugin:: UK Address Postcode Validation
Plugin Slug:: uk-address-postcode-validation
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57923

Plugin:: Deliver via Shipos for WooCommerce
Plugin Slug:: wc-shipos-delivery
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57914

Plugin:: JSM file_get_contents() Shortcode
Plugin Slug:: wp-file-get-contents
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58653

Plugin:: WP Proposals
Plugin Slug:: wp-proposals
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57965

Plugin:: Zoho Billing � Embed Payment Form
Plugin Slug:: zoho-subscriptions
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57963

Plugin:: WP Gravity Forms Keap/Infusionsoft
Plugin Slug:: gf-infusionsoft
Installations: 400+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58006

Plugin:: Helpdesk Support Ticket System for WooCommerce
Plugin Slug:: support-ticket-system-for-woocommerce
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57972

Plugin:: TZ Plus Gallery
Plugin Slug:: tz-plus-gallery
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57974

Plugin:: Sales Count Manager for WooCommerce
Plugin Slug:: wc-sales-count-manager
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57904

Plugin:: Additional Fees For WooCommerce Checkout (Free)
Plugin Slug:: woo-additional-fees-on-checkout-wordpress
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57903

Plugin:: Goracash
Plugin Slug:: goracash
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53458

Plugin:: AnyClip Luminous Studio
Plugin Slug:: anyclip-media
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57910

Plugin:: AnyClip Luminous Studio
Plugin Slug:: anyclip-media
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58271

Plugin:: Easy Pricing Table WP
Plugin Slug:: easy-pricing-table-wp
Installations: 200+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53450

Plugin:: Form Generator for WordPress
Plugin Slug:: form-generator-powered-by-jotform
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58665

Plugin:: immonex Kickstart Team
Plugin Slug:: immonex-kickstart-team
Installations: 200+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-57925

Plugin:: VoucherPress
Plugin Slug:: voucherpress
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58223

Plugin:: Auction Feed
Plugin Slug:: auction-feed
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58671

Plugin:: Editor Custom Color Palette
Plugin Slug:: editor-custom-color-palette
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57909

Plugin:: Magento 2 WordPress Integration
Plugin Slug:: m2wp
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58669

Plugin:: Mavis HTTPS to HTTP Redirection
Plugin Slug:: mavis-https-to-http-redirect
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58261

Plugin:: NIX Anti-Spam Light
Plugin Slug:: nix-anti-spam-light
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58270

Plugin:: eZee Online Hotel Booking Engine
Plugin Slug:: online-booking-engine
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58661

Plugin:: Printcart Web to Print Product Designer for WooCommerce
Plugin Slug:: printcart-integration
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57917

Plugin:: Proof Factor � Social Proof Notifications
Plugin Slug:: proof-factor-social-proof-notifications
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58658

Plugin:: Sweet Energy Efficiency
Plugin Slug:: sweet-energy-efficiency
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58262

Plugin:: Verowa Connect
Plugin Slug:: verowa-connect
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58257

Plugin:: LinkedInclude
Plugin Slug:: linkedinclude
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-57918

Plugin:: Mobi2Go
Plugin Slug:: mobi2go
Installations: 90+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58646

Plugin:: GSheets Connector
Plugin Slug:: sheetlink
Installations: 90+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53465

Plugin:: Stock Message
Plugin Slug:: stock-message
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58267

Plugin:: WP Content Protection
Plugin Slug:: wp-content-protection
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58670

Plugin:: WPMK PDF Generator
Plugin Slug:: wpmk-pdf-generator
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58268

Plugin:: WordPress Adverts Plugin � Adverts Click Tracker
Plugin Slug:: adverts-click-tracker
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57911

Plugin:: Current Age Plugin
Plugin Slug:: current-age
Installations: 80+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58687

Plugin:: Grid
Plugin Slug:: grid
Installations: 80+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58657

Plugin:: HORIZONTAL SLIDER
Plugin Slug:: horizontal-slider
Installations: 80+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58676

Plugin:: ShrinkTheWeb (STW) Website Previews Plugin
Plugin Slug:: shrinktheweb-website-preview-plugin
Installations: 80+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58677

Plugin:: Casengo Live Chat Support
Plugin Slug:: the-casengo-chat-widget
Installations: 80+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58688

Plugin:: Show Pages List
Plugin Slug:: show-pages-list
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58219

Plugin:: Simple Restaurant Menu
Plugin Slug:: simple-restaurant-menu
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58647

Plugin:: Doliconnect
Plugin Slug:: doliconnect
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58690

Plugin:: RIS Version Switcher � Downgrade or Upgrade WP Versions Easily
Plugin Slug:: ris-version-switcher
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57902

Plugin:: Wide Banner
Plugin Slug:: wide-banner
Installations: 50+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58919

Plugin:: DOAJ Export
Plugin Slug:: doaj-export
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58256

Plugin:: Gravitate Automated Tester
Plugin Slug:: gravitate-automated-tester
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58645

Plugin:: SAPO Feed
Plugin Slug:: sapo-feed
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53462

Plugin:: Bg Church Memos
Plugin Slug:: bg-church-memos
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58242

Plugin:: Wp tabber widget
Plugin Slug:: wp-tabber-widget
Installations: 20+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53468

Plugin:: Custom Post Type Images
Plugin Slug:: custom-post-types-image
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-58255

Plugin:: Dialogity Free Live Chat
Plugin Slug:: dialogity-website-chat
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57912

Plugin:: Service Finder SMS System
Plugin Slug:: aone-sms
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5955

Plugin:: Browser Sniff
Plugin Slug:: browser-sniff
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-9883

Plugin:: Custom Login And Signup Widget
Plugin Slug:: custom-login-and-signup-widget
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9887

Plugin:: Directory Pro
Plugin Slug:: directory-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-57948

Plugin:: Event Rocket
Plugin Slug:: event-rocket
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53452

Plugin:: Printeers Print & Ship
Plugin Slug:: invition-print-ship
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58224

Plugin:: Javo Core
Plugin Slug:: javo-core
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58003

Plugin:: ListingPro Reviews
Plugin Slug:: listingpro-reviews
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58667

Plugin:: Miniorange OTP Verification with Firebase
Plugin Slug:: miniorange-firebase-sms-otp-verification
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-7665

Plugin:: Oshine Core
Plugin Slug:: oshine-core
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58660

Plugin:: osTicket WP Bridge
Plugin Slug:: osticket-wp-bridge
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-9882

Plugin:: Accordion FAQ
Plugin Slug:: pressapps-accordion-faq
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58024

Plugin:: Robcore Netatmo
Plugin Slug:: robcore-netatmo
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10652

Plugin:: Service Finder Booking
Plugin Slug:: sf-booking
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-5948

Plugin:: The Events Calendar
Plugin Slug:: the-events-calendar
Installations: 700,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.15.3
Severity Score:: Medium
CVE:: 2025-9808

Plugin:: Blocksy Companion
Plugin Slug:: blocksy-companion
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.11
Severity Score:: Medium
CVE:: 2025-9565

Plugin:: SureForms � Drag and Drop Contact Form Builder � Multi-step Forms, Conversational Forms and more
Plugin Slug:: sureforms
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.12.1
Severity Score:: Medium
CVE:: 2025-10489

Plugin:: Admin and Site Enhancements (ASE)
Plugin Slug:: admin-site-enhancements
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.9.8
Severity Score:: Medium
CVE:: 2025-9487

Plugin:: Colibri Page Builder
Plugin Slug:: colibri-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.334
Severity Score:: Medium
CVE:: 2025-59593

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.24
Severity Score:: High
CVE:: 2025-10146

Plugin:: Kubio AI Page Builder
Plugin Slug:: kubio
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.5
Severity Score:: Medium
CVE:: 2025-8487

Plugin:: Make Column Clickable for Elementor
Plugin Slug:: make-column-clickable-elementor
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.1
Severity Score:: Medium
CVE:: 2025-59592

Plugin:: Comments � wpDiscuz
Plugin Slug:: wpdiscuz
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.6.34
Severity Score:: Medium
CVE:: 2025-59591

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.29
Severity Score:: Medium
CVE:: 2025-59590

Plugin:: WP-Members Membership Plugin
Plugin Slug:: wp-members
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.4.3
Severity Score:: Medium
CVE:: 2025-57973

Plugin:: Ajax Load More � Infinite Scroll
Plugin Slug:: ajax-load-more
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.6.1
Severity Score:: Medium
CVE:: 2025-59582

Plugin:: Ibtana � WordPress Website Builder
Plugin Slug:: ibtana-visual-editor
Installations: 20,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 1.2.5.4
Severity Score:: Medium
CVE:: 2025-59581

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 6.7.0.57
Severity Score:: Critical
CVE:: 2025-10042

Plugin:: WP Import � Ultimate CSV XML Importer for WordPress
Plugin Slug:: wp-ultimate-csv-importer
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 7.29
Severity Score:: Critical
CVE:: 2025-10057

Plugin:: WP Import � Ultimate CSV XML Importer for WordPress
Plugin Slug:: wp-ultimate-csv-importer
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 7.28
Severity Score:: High
CVE:: 2025-10058

Plugin:: Blaze Demo Importer
Plugin Slug:: blaze-demo-importer
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.13
Severity Score:: Medium
CVE:: 2025-8446

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.21
Severity Score:: Medium
CVE:: 2025-59576

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Race Condition
Patched in Version:: 3.6.21
Severity Score:: Medium
CVE:: 2025-59577

Plugin:: Internal Links Manager
Plugin Slug:: seo-automated-link-building
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0.2
Severity Score:: Medium
CVE:: 2025-9949

Plugin:: SupportCandy � Helpdesk & Customer Support Ticket System
Plugin Slug:: supportcandy
Installations: 10,000+
Vulnerability:: Broken Authentication
Patched in Version:: 3.3.8
Severity Score:: Medium
CVE:: 2025-10658

Plugin:: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Plugin Slug:: wplegalpages
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.4
Severity Score:: Medium
CVE:: 2025-8565

Plugin:: WP Travel Engine � Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor
Plugin Slug:: wte-elementor-widgets
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.3
Severity Score:: Medium
CVE:: 2025-59574

Plugin:: Cozy Blocks � All-in-One Page Builder Blocks for Gutenberg and Full Site Editing (FSE)
Plugin Slug:: cozy-addons
Installations: 9,000+
Vulnerability:: Content Injection
Patched in Version:: 2.1.30
Severity Score:: Medium
CVE:: 2025-59573

Plugin:: WP Hotel Booking
Plugin Slug:: wp-hotel-booking
Installations: 8,000+
Vulnerability:: Content Injection
Patched in Version:: 2.2.3
Severity Score:: Medium
CVE:: 2025-8942

Plugin:: Ghost Kit � Page Builder Blocks, Motion Effects & Extensions
Plugin Slug:: ghostkit
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.4
Severity Score:: Medium
CVE:: 2025-9992

Plugin:: Email Marketing, Email Automation, Newsletter & Cart Abandonment for WordPress and WooCommerce � Mail Mint
Plugin Slug:: mail-mint
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.18.7
Severity Score:: High
CVE:: 2025-59570

Plugin:: CubeWP � All-in-One Dynamic Content Framework
Plugin Slug:: cubewp-framework
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.27
Severity Score:: Medium
CVE:: 2025-59569

Plugin:: Termageddon: Cookie Consent & Privacy Compliance
Plugin Slug:: termageddon-usercentrics
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.2
Severity Score:: Medium
CVE:: 2025-58026

Plugin:: Coupon Affiliates � Affiliate Plugin for WooCommerce
Plugin Slug:: woo-coupon-usage
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.8.1
Severity Score:: Medium
CVE:: 2025-59567

Plugin:: Zoho Flow � Integrate 100+ plugins with 1000+ business apps, no-code workflow automation
Plugin Slug:: zoho-flow
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.14.2
Severity Score:: Medium
CVE:: 2025-59568

Plugin:: Etsy Shop
Plugin Slug:: etsy-shop
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.7
Severity Score:: High
CVE:: 2025-9115

Plugin:: Podlove Podcast Publisher
Plugin Slug:: podlove-podcasting-plugin-for-wordpress
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.2.7
Severity Score:: Critical
CVE:: 2025-10147

Plugin:: Upsell Funnel Builder for WooCommerce � New Marketing Funnel Builder and Sales Funnel Builder tailored for your store.
Plugin Slug:: upsell-order-bump-offer-for-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.8
Severity Score:: Medium
CVE:: 2025-59565

Plugin:: YouTube Showcase � Responsive YouTube Video Gallery Plugin for WordPress
Plugin Slug:: youtube-showcase
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.1
Severity Score:: Medium
CVE:: 2025-58915

Plugin:: Academy LMS � WordPress LMS Plugin for Complete eLearning Solution
Plugin Slug:: academy
Installations: 2,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.3.5
Severity Score:: Medium
CVE:: 2025-59562

Plugin:: Advanced Views � Display Posts, Custom Fields, and More
Plugin Slug:: acf-views
Installations: 2,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.7.20
Severity Score:: High
CVE:: 2025-10380

Plugin:: Media Player Addons for Elementor � Audio and Video Widgets for Elementor
Plugin Slug:: media-player-addons-for-elementor
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2025-9203

Plugin:: Smart Blocks
Plugin Slug:: smart-blocks
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5
Severity Score:: Medium
CVE:: 2025-59561

Plugin:: Payrexx Payment Gateway for WooCommerce
Plugin Slug:: woo-payrexx-gateway
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.6
Severity Score:: Medium
CVE:: 2025-59559

Plugin:: Password Reset with Code for WordPress REST API
Plugin Slug:: bdvs-password-reset
Installations: 1,000+
Vulnerability:: Other Vulnerability Type
Patched in Version:: 0.0.17
Severity Score:: High
CVE:: 2025-5305

Plugin:: Chained Quiz
Plugin Slug:: chained-quiz
Installations: 1,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.6
Severity Score:: Medium
CVE:: 2025-10493

Plugin:: Custom iFrame for Elementor � Embed Pdf, Maps, Videos, & Websites Easily
Plugin Slug:: custom-iframe
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.14
Severity Score:: Medium
CVE:: 2025-59553

Plugin:: Custom Login URL
Plugin Slug:: custom-login-url
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.3
Severity Score:: Medium
CVE:: 2025-58969

Plugin:: Easy Elementor Addons
Plugin Slug:: easy-elementor-addons
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2.9
Severity Score:: High
CVE:: 2025-58973

Plugin:: GetResponse Forms by Optin Cat
Plugin Slug:: getresponse
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2025-59549

Plugin:: Markup Markdown
Plugin Slug:: markup-markdown
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.20.10
Severity Score:: Medium
CVE:: 2025-9540

Plugin:: Product Catalog Simple
Plugin Slug:: post-type-x
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: Medium
CVE:: 2025-58992

Plugin:: Request a Quote Form Plugin � Price Quote Request Management Made Easy
Plugin Slug:: request-a-quote
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.1
Severity Score:: Medium
CVE:: 2025-58915

Plugin:: Revive.so � Bulk Rewrite and Republish Blog Posts
Plugin Slug:: revive-so
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.7
Severity Score:: Medium
CVE:: 2025-59551

Plugin:: Save as PDF Plugin by PDFCrowd
Plugin Slug:: save-as-pdf-by-pdfcrowd
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.3
Severity Score:: Medium
CVE:: 2025-59552

Plugin:: WPCasa
Plugin Slug:: wpcasa
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.4.2
Severity Score:: Critical
CVE:: 2025-9321

Plugin:: WPComplete
Plugin Slug:: wpcomplete
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.5.3
Severity Score:: Medium
CVE:: 2025-58974

Plugin:: AffiliateWP � External Referral Links
Plugin Slug:: affiliatewp-external-referral-links
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.2
Severity Score:: Medium
CVE:: 2025-53460

Plugin:: MaxiBlocks: 2300+ Patterns, 280+ Pages, 14.3K Icons & 100 Styles
Plugin Slug:: maxi-blocks
Installations: 900+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2025-58968

Plugin:: ClickWhale � Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages
Plugin Slug:: clickwhale
Installations: 800+
Vulnerability:: SQL Injection
Patched in Version:: 2.5.1
Severity Score:: High
CVE:: 2025-10002

Plugin:: Fusion Page Builder : Extension � Gallery
Plugin Slug:: fusion-extension-gallery
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.7
Severity Score:: Medium
CVE:: 2025-58965

Plugin:: List Child Pages Shortcode
Plugin Slug:: list-child-pages-shortcode
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.0
Severity Score:: Medium
CVE:: 2025-58021

Plugin:: Employee Spotlight � Team Member Showcase & Meet the Team Plugin
Plugin Slug:: employee-spotlight
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.1
Severity Score:: Medium
CVE:: 2025-58915

Plugin:: Publitio
Plugin Slug:: publitio
Installations: 500+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-58962

Plugin:: Customer Support Ticket System & Helpdesk Plugin for WordPress
Plugin Slug:: wp-ticket
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.1
Severity Score:: Medium
CVE:: 2025-58915

Plugin:: The Hack Repair Guy’s Plugin Archiver
Plugin Slug:: hackrepair-plugin-archiver
Installations: 400+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.1
Severity Score:: Medium
CVE:: 2025-10188

Plugin:: IP Based Login
Plugin Slug:: ip-based-login
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.4
Severity Score:: Medium
CVE:: 2025-58960

Plugin:: StoreEngine � Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More
Plugin Slug:: storeengine
Installations: 400+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2025-9215

Plugin:: StoreEngine � Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More
Plugin Slug:: storeengine
Installations: 400+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.5.1
Severity Score:: High
CVE:: 2025-9216

Plugin:: Developer Loggers for Simple History
Plugin Slug:: developer-loggers-for-simple-history
Installations: 300+
Vulnerability:: Local File Inclusion
Patched in Version:: 0.5.1
Severity Score:: Medium
CVE:: 2025-10050

Plugin:: Secure Passkeys
Plugin Slug:: secure-passkeys
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.2
Severity Score:: Medium
CVE:: 2025-10305

Plugin:: VPSUForm � No-Code Custom Form Builder � Contact Forms, Conversion Form & More
Plugin Slug:: v-form
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.21
Severity Score:: Medium
CVE:: 2025-58957

Plugin:: User Sync
Plugin Slug:: user-sync
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.3
Severity Score:: Medium
CVE:: 2025-9891

Plugin:: Appointmind
Plugin Slug:: appointmind
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.0
Severity Score:: Medium
CVE:: 2025-9851

Plugin:: Catch Dark Mode
Plugin Slug:: catch-dark-mode
Installations: 50+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-10143

Plugin:: Draft List
Plugin Slug:: simple-draft-list
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2025-10181

Plugin:: Social Media Shortcodes
Plugin Slug:: social-media-shortcodes
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2025-10166

Plugin:: USS Upyun
Plugin Slug:: uss-upyun
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2025-9629

Plugin:: Embed PDF for WPForms
Plugin Slug:: embed-pdf-wpforms
Installations: 40+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.6
Severity Score:: Critical
CVE:: 2025-10647

Plugin:: Productive Style � Optimisations & Content Publishing Support
Plugin Slug:: productive-style
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.25
Severity Score:: Medium
CVE:: 2025-8394

Plugin:: Widget Options – Extended
Plugin Slug:: extended-widget-options
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.2
Severity Score:: Medium
CVE:: 2025-8902

Plugin:: Penci Filter Everything
Plugin Slug:: penci-filter-everything
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2025-59583

Plugin:: Penci Podcast
Plugin Slug:: penci-podcast
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2025-59584

Plugin:: Penci Portfolio
Plugin Slug:: penci-portfolio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6
Severity Score:: Medium
CVE:: 2025-59586

Plugin:: Penci Recipe
Plugin Slug:: penci-recipe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1
Severity Score:: Medium
CVE:: 2025-59585

Plugin:: Penci Shortcodes & Performance
Plugin Slug:: penci-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1
Severity Score:: Medium
CVE:: 2025-59587

Plugin:: Uni CPO (Premium)
Plugin Slug:: uni-woo-custom-product-options-premium
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.9.55
Severity Score:: Critical
CVE:: 2025-10412

Plugin:: WorkScout-Core
Plugin Slug:: workscout-core
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.7.06
Severity Score:: High
CVE:: 2025-59572

Plugin:: WP Attractive Donations System
Plugin Slug:: wp-attractive-donations-system-easy-stripe-paypal-donations
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.29
Severity Score:: High
CVE:: 2025-58956

WordPress Themes � 4 Patched / 9 Unpatched

Theme:: Constructo
Theme Slug:: constructo
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58244

Theme:: CouponXxL
Theme Slug:: couponxxl
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58013

Theme:: DriCub
Theme Slug:: dricub-driving-school
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58004

Theme:: DriCub
Theme Slug:: dricub-driving-school
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58005

Theme:: Entrada
Theme Slug:: entrada
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58918

Theme:: Findgo
Theme Slug:: fingo
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58250

Theme:: imEvent
Theme Slug:: imevent
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58243

Theme:: Nokri
Theme Slug:: nokri
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-58259

Theme:: WPLMS
Theme Slug:: wplms
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-58668

Theme:: Sydney
Theme Slug:: sydney
Downloads: 4,661,099
Vulnerability:: Broken Access Control
Patched in Version:: 2.57
Severity Score:: Medium
CVE:: 2025-8999

Theme:: Leblix
Theme Slug:: leblix
Vulnerability:: Local File Inclusion
Patched in Version:: 2.5
Severity Score:: High
CVE:: 2025-58995

Theme:: Soledad
Theme Slug:: soledad
Vulnerability:: Local File Inclusion
Patched in Version:: 8.6.9
Severity Score:: High
CVE:: 2025-59588

Theme:: Soledad
Theme Slug:: soledad
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.6.9
Severity Score:: Medium
CVE:: 2025-59589