WordPress Vulnerability Report — January 15, 2025

This last week, 374 new plugin and theme vulnerabilities emerged in the WordPress ecosystem. 248 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

In this report, 374 vulnerabilities have been publicly disclosed. Security patches for 126 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 248 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, the Solid Security firewall already protects you against those vulnerabilities. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.7.1 is available! This minor release features 16 bug fixes throughout Core and the Block Editor.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 123 Patched / 219 Unpatched

Smart Custom Fields

Plugin Slug:
smart-custom-fields
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
link-whisper
Installations
30,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Visitor Statistics (Real Time Traffic)

Plugin Slug:
wp-stats-manager
Installations
30,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Thim Elementor Kit

Plugin Slug:
thim-elementor-kit
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Duplicate Post, Page and Any Custom Post

Plugin Slug:
duplicate-pp
Installations
10,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

TemplatesNext ToolKit

Plugin Slug:
templatesnext-toolkit
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP FullCalendar

Plugin Slug:
wp-fullcalendar
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CoDesigner – All in One Elementor WooCommerce Builder

Plugin Slug:
woolementor
Installations
9,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Hash Elements

Plugin Slug:
hash-elements
Installations
6,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PayU CommercePro Plugin

Plugin Slug:
payu-india
Installations
6,000+
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

CubeWP Forms – All-in-One Form Builder

Plugin Slug:
cubewp-forms
Installations
4,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Widgetize Pages Light

Plugin Slug:
widgetize-pages-light
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Food Store – Online Food Delivery & Pickup

Plugin Slug:
food-store
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

School Management System – WPSchoolPress

Plugin Slug:
wpschoolpress
Installations
2,000+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder

Plugin Slug:
ajax-filter-posts
Installations
1,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Bold pagos en linea

Plugin Slug:
bold-pagos-en-linea
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Hero Banner Ultimate

Plugin Slug:
hero-banner-ultimate
Installations
1,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Typing Text

Plugin Slug:
typing-text
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ukrposhta

Plugin:
Ukrposhta
Plugin Slug:
woo-ukrposhta
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Build App Online

Plugin Slug:
build-app-online
Installations
700+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

CLUEVO LMS, E-Learning Platform

Plugin Slug:
cluevo-lms
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WordLift – AI powered SEO – Schema

Plugin Slug:
wordlift
Installations
600+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SMSA Shipping (official)

Plugin Slug:
smsa-shipping-official
Installations
500+
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
wp-youtube-gallery
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Chatroll Live Chat

Plugin Slug:
chatroll-live-chat
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Deliver via Shipos for WooCommerce

Plugin Slug:
wc-shipos-delivery
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

SimplyRETS Real Estate IDX

Plugin Slug:
simply-rets
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ThePerfectWedding.nl Widget

Plugin Slug:
theperfectweddingnl-widget
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Rezgo Online Booking

Plugin Slug:
rezgo
Installations
200+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Course Booking System

Plugin Slug:
course-booking-system
Installations
100+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Horoscope And Tarot

Plugin Slug:
horoscope-and-tarot
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Neon Product Designer

Plugin Slug:
neon-product-designer-for-woocommerce
Installations
100+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WR Price List Manager For Woocommerce

Plugin Slug:
wr-price-list-for-woocommerce
Installations
100+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

YOGO Booking

Plugin Slug:
yogo-booking
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Responsive jQuery Slider

Plugin Slug:
responsive-jquery-slider
Installations
80+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket

Plugin Slug:
woocommerce-digital-content-delivery-with-drm-flickrocket
Installations
80+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ARS Affiliate Page Plugin

Plugin Slug:
ars-affiliate-page
Installations
70+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
gallery-and-lightbox
Installations
70+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Infility Global

Plugin Slug:
infility-global
Installations
60+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Chative Live chat and Chatbot

Plugin Slug:
chative-live-chat-and-chatbot
Installations
50+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

1003 Mortgage Application

Plugin:
1003 Mortgage Application
Plugin Slug:
1003-mortgage-application
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

1003 Mortgage Application

Plugin:
1003 Mortgage Application
Plugin Slug:
1003-mortgage-application
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

3DVieweronline

Plugin:
3DVieweronline
Plugin Slug:
3dvieweronline-wp
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

4ECPS Web Forms

Plugin:
4ECPS Web Forms
Plugin Slug:
4ecps-webforms
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Accordion Slider Lite

Plugin:
Accordion Slider Lite
Plugin Slug:
accordion-slider-lite
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AddFunc Mobile Detect

Plugin:
AddFunc Mobile Detect
Plugin Slug:
addfunc-mobile-detect
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Affiliate Disclosure Statement

Plugin:
Affiliate Disclosure Statement
Plugin Slug:
affiliate-disclosure-statement
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Elementor AI Addons

Plugin:
Elementor AI Addons
Plugin Slug:
ai-addons-for-elementor
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AI Scribe

Plugin:
AI Scribe
Plugin Slug:
ai-scribe-the-chatgpt-powered-seo-content-creation-wizard
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AI Scribe

Plugin:
AI Scribe
Plugin Slug:
ai-scribe-the-chatgpt-powered-seo-content-creation-wizard
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AI Scribe

Plugin:
AI Scribe
Plugin Slug:
ai-scribe-the-chatgpt-powered-seo-content-creation-wizard
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Aklamator INfeed

Plugin:
Aklamator INfeed
Plugin Slug:
aklamator-infeed
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Aklamator INfeed

Plugin:
Aklamator INfeed
Plugin Slug:
aklamator-infeed
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Alpha Price Table For Elementor

Plugin Slug:
alpha-price-table-for-elementor
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Arcade Ready

Plugin:
Arcade Ready
Plugin Slug:
arcadeready
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Asgard Security Scanner

Plugin:
Asgard Security Scanner
Plugin Slug:
asgard
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Background Control

Plugin:
Background Control
Plugin Slug:
background-control
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Backlink Monitoring Manager

Plugin:
Backlink Monitoring Manager
Plugin Slug:
backlink-monitoring-manager
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Better User Shortcodes

Plugin:
Better User Shortcodes
Plugin Slug:
better-user-shortcodes
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Biltorvet Dealer Tools

Plugin:
Biltorvet Dealer Tools
Plugin Slug:
biltorvet-dealer-tools
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bizapp for WooCommerce

Plugin:
Bizapp for WooCommerce
Plugin Slug:
bizapp-for-woocommerce
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Booking and Rental Manager

Plugin:
Booking and Rental Manager
Plugin Slug:
booking-and-rental-manager-for-woocommerce
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

BP Profile Shortcodes Extra

Plugin:
BP Profile Shortcodes Extra
Plugin Slug:
bp-profile-shortcodes-extra
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BU Section Editing

Plugin:
BU Section Editing
Plugin Slug:
bu-section-editing
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Candifly

Plugin:
Candifly
Plugin Slug:
candifly
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Chat Support for Viber

Plugin:
Chat Support for Viber
Plugin Slug:
chat-viber
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ClickDesigns

Plugin:
ClickDesigns
Plugin Slug:
clickdesigns
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Common Ninja

Plugin:
Common Ninja
Plugin Slug:
common-ninja
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form Master – by Edmon

Plugin:
Contact Form Master – by Edmon
Plugin Slug:
contact-form-master
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Custom DataBase Tables

Plugin:
Custom DataBase Tables
Plugin Slug:
custom-database-tables
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Dominion – Domain Checker for WPBakery

Plugin:
Dominion – Domain Checker for WPBakery
Plugin Slug:
dominion-domain-checker-wpbakery-addon
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Donation Block For PayPal

Plugin:
Donation Block For PayPal
Plugin Slug:
donations-block
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

S3Player – WooCommerce & Elementor Integration

Plugin:
S3Player – WooCommerce & Elementor Integration
Plugin Slug:
drm-protected-video-streaming
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Admin debug wordpress – enable debug

Plugin:
Admin debug wordpress – enable debug
Plugin Slug:
dzs-enable-debug
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

eDoc Easy Tables

Plugin:
eDoc Easy Tables
Plugin Slug:
edoc-easy-tables
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Emailing Subscription

Plugin:
Emailing Subscription
Plugin Slug:
email-suscripcion
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Enable Accessibility

Plugin:
Enable Accessibility
Plugin Slug:
enable-accessibility
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Essential WP Real Estate

Plugin:
Essential WP Real Estate
Plugin Slug:
essential-wp-real-estate
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Delete Post Copies

Plugin:
WP Delete Post Copies
Plugin Slug:
etruel-del-post-copies
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

FAT Event Lite

Plugin:
FAT Event Lite
Plugin Slug:
fat-event-lite
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Featured Page Widget

Plugin:
Featured Page Widget
Plugin Slug:
featured-page-widget
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Files Download Delay

Plugin:
Files Download Delay
Plugin Slug:
files-download-delay
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Formaloo Form Maker

Plugin:
Formaloo Form Maker
Plugin Slug:
formaloo-form-builder
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GatorMail SmartForms

Plugin:
GatorMail SmartForms
Plugin Slug:
gatormail-smart-forms
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GDY Modular Content

Plugin:
GDY Modular Content
Plugin Slug:
gdy-modular-content
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Genesis Style Shortcodes

Plugin:
Genesis Style Shortcodes
Plugin Slug:
genesis-style-shortcodes
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Geo Content

Plugin:
Geo Content
Plugin Slug:
geo-targetly-geo-content
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Google Maps Travel Route

Plugin:
Google Maps Travel Route
Plugin Slug:
google-maps-travel-route
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Grid Accordion Lite

Plugin:
Grid Accordion Lite
Plugin Slug:
grid-accordion-lite
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GS Insever Portfolio

Plugin:
GS Insever Portfolio
Plugin Slug:
gs-instagram-portfolio
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Help Scout

Plugin:
Help Scout
Plugin Slug:
help-scout
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Homey Login Register

Plugin:
Homey Login Register
Plugin Slug:
homey-login-register
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Host PHP Info

Plugin:
Host PHP Info
Plugin Slug:
host-php-info
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Huurkalender WP

Plugin:
Huurkalender WP
Plugin Slug:
huurkalender-wp
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

???? ???? ?? ????

Plugin:
???? ???? ?? ????
Plugin Slug:
iamport-payment
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Icons Enricher

Plugin:
Icons Enricher
Plugin Slug:
icons-enricher
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ICS Button

Plugin:
ICS Button
Plugin Slug:
ics-button
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

iframe to embed

Plugin:
iframe to embed
Plugin Slug:
iframe-to-embed
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Inline Tweets

Plugin:
Inline Tweets
Plugin Slug:
inline-tweets
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Instabot

Plugin:
Instabot
Plugin Slug:
instabot
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

CF Internal Link Shortcode

Plugin:
CF Internal Link Shortcode
Plugin Slug:
internal-link-shortcode
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

JK Html To Pdf

Plugin:
JK Html To Pdf
Plugin Slug:
jk-html-to-pdf
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

jQuery TwentyTwenty

Plugin:
jQuery TwentyTwenty
Plugin Slug:
js-twentytwenty
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Justified Image Gallery

Plugin:
Justified Image Gallery
Plugin Slug:
justified-image-gallery
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

KNR Author List Widget

Plugin:
KNR Author List Widget
Plugin Slug:
knr-author-list-widget
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Laika Pedigree Tree

Plugin:
Laika Pedigree Tree
Plugin Slug:
laika-pedigree-tree
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

LazyLoad Background Images

Plugin:
LazyLoad Background Images
Plugin Slug:
lazyload-background-images
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ldap_login_password_and_role_manager

Plugin:
ldap_login_password_and_role_manager
Plugin Slug:
ldap-login-password-and-role-manager
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

linkID

Plugin:
linkID
Plugin Slug:
linkid
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

List Pages at Depth

Plugin:
List Pages at Depth
Plugin Slug:
list-pages-at-depth
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Live Flight Radar

Plugin:
Live Flight Radar
Plugin Slug:
live-flight-radar
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Financial Stocks & Crypto Market Data Plugin

Plugin:
Financial Stocks & Crypto Market Data Plugin
Plugin Slug:
live-stock-prices-for-wordpress
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

LucidLMS

Plugin:
LucidLMS
Plugin Slug:
lucidlms
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WhatsApp click to chat

Plugin:
WhatsApp click to chat
Plugin Slug:
manycontacts-bar
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Marketplace Items

Plugin:
Marketplace Items
Plugin Slug:
marketplace-items
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Muslim Prayer Time-Salah/Iqamah

Plugin:
Muslim Prayer Time-Salah/Iqamah
Plugin Slug:
masjidal
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

mcjh button shortcode

Plugin:
mcjh button shortcode
Plugin Slug:
mcjh-button-shortcode
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Member Access

Plugin:
Member Access
Plugin Slug:
member-access
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Metadata SEO

Plugin:
Metadata SEO
Plugin Slug:
metadata-seo
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Meteor Slides

Plugin:
Meteor Slides
Plugin Slug:
meteor-slides
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MIMO Woocommerce Order Tracking

Plugin:
MIMO Woocommerce Order Tracking
Plugin Slug:
mimo-woocommerce-order-tracking
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mind Doodle Visual Sitemaps & Tasks

Plugin:
Mind Doodle Visual Sitemaps & Tasks
Plugin Slug:
mind-doodle-sitemap
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MindValley Super PageMash

Plugin:
MindValley Super PageMash
Plugin Slug:
mindvalley-pagemash
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Muzaara Google Ads Report

Plugin:
Muzaara Google Ads Report
Plugin Slug:
muzaara-adwords-optimize-dashboard
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

NC Wishlist for Woocommerce

Plugin:
NC Wishlist for Woocommerce
Plugin Slug:
nc-wishlist-for-woocommerce
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Newsletter2Go

Plugin:
Newsletter2Go
Plugin Slug:
newsletter2go
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PayGreen Payment Gateway

Plugin:
PayGreen Payment Gateway
Plugin Slug:
paygreen-payment-gateway
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Perfect Portal Widgets

Plugin:
Perfect Portal Widgets
Plugin Slug:
perfect-portal-widgets
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PIXNET

Plugin:
PIXNET
Plugin Slug:
pixnet
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Post And Page Reactions

Plugin:
Post And Page Reactions
Plugin Slug:
post-and-page-reactions
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

PostLists

Plugin:
PostLists
Plugin Slug:
postlists
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Prayer Times Anywhere

Plugin:
Prayer Times Anywhere
Plugin Slug:
prayer-times-anywhere
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Pretty Url

Plugin:
Pretty Url
Plugin Slug:
pretty-url
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Qr Code and Barcode Scanner Reader

Plugin:
Qr Code and Barcode Scanner Reader
Plugin Slug:
qr-code-and-barcode-scanner-reader
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Quote Tweet

Plugin:
Quote Tweet
Plugin Slug:
quote-tweet
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ResAds

Plugin:
ResAds
Plugin Slug:
resads
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Responsive FlipBook

Plugin:
Responsive FlipBook
Plugin Slug:
responsive-flipbook
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

RightMessage WP

Plugin:
RightMessage WP
Plugin Slug:
rightmessage
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

RRAddons for Elementor

Plugin:
RRAddons for Elementor
Plugin Slug:
rrdevs-for-elementor
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

School Management System – SakolaWP

Plugin:
School Management System – SakolaWP
Plugin Slug:
sakolawp-lite
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Same but Different – Related Posts by Taxonomy

Plugin:
Same but Different – Related Posts by Taxonomy
Plugin Slug:
same-but-different
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Saoshyant Page Builder

Plugin:
Saoshyant Page Builder
Plugin Slug:
saoshyant-page-builder
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Scan External Links

Plugin:
Scan External Links
Plugin Slug:
scan-external-links
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Searchie

Plugin:
Searchie
Plugin Slug:
searchie
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sell Digital Downloads

Plugin:
Sell Digital Downloads
Plugin Slug:
sell-digital-downloads
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sell Media

Plugin:
Sell Media
Plugin Slug:
sell-media
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sellsy

Plugin:
Sellsy
Plugin Slug:
sellsy
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SEO LAT Auto Post

Plugin:
SEO LAT Auto Post
Plugin Slug:
seo-beginner-auto-post
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

SEO Bulk Editor

Plugin:
SEO Bulk Editor
Plugin Slug:
seo-bulk-editor
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

seo-keywords

Plugin:
seo-keywords
Plugin Slug:
seo-keywords
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Show Google Analytics widget

Plugin:
Show Google Analytics widget
Plugin Slug:
show-google-analytics-widget
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Add Pages or Posts

Plugin:
Simple Add Pages or Posts
Plugin Slug:
simple-add-pages-or-posts
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Simple Photo Sphere

Plugin:
Simple Photo Sphere
Plugin Slug:
simple-photo-sphere
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SingSong

Plugin:
SingSong
Plugin Slug:
singsong
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Site PIN

Plugin:
Site PIN
Plugin Slug:
site-pin
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Slides & Presentations

Plugin:
Slides & Presentations
Plugin Slug:
slide
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Slides & Presentations

Plugin:
Slides & Presentations
Plugin Slug:
slide
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Slider Pro Lite

Plugin:
Slider Pro Lite
Plugin Slug:
slider-pro-lite
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Smart Agenda

Plugin:
Smart Agenda
Plugin Slug:
smart-agenda-prise-de-rendez-vous-en-ligne
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

SmartEmailing.cz

Plugin:
SmartEmailing.cz
Plugin Slug:
smartemailing
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Smoothness Slider Shortcode

Plugin:
Smoothness Slider Shortcode
Plugin Slug:
smoothness-slider-shortcode
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Social Rocket

Plugin:
Social Rocket
Plugin Slug:
social-rocket
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Social Rocket

Plugin:
Social Rocket
Plugin Slug:
social-rocket
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Spacer

Plugin:
Spacer
Plugin Slug:
spacer
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. You should deactivate the plugin.

Legacy ePlayer

Plugin:
Legacy ePlayer
Plugin Slug:
sportspress-tv
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ST Gallery WP

Plugin:
ST Gallery WP
Plugin Slug:
st-gallery-wp
Vulnerability:
Settings Change
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SweepWidget Contests, Giveaways, Photo Contests, Competitions

Plugin:
SweepWidget Contests, Giveaways, Photo Contests, Competitions
Plugin Slug:
sweepwidget
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Tabs Shortcode

Plugin:
Tabs Shortcode
Plugin Slug:
tabs-shortcode
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Themes Coder

Plugin:
Themes Coder
Plugin Slug:
tc-ecommerce
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

TCBD Auto Refresher

Plugin:
TCBD Auto Refresher
Plugin Slug:
tcbd-auto-refresher
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Timeline Designer

Plugin:
Timeline Designer
Plugin Slug:
timeline-designer
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Toggles Shortcode and Widget

Plugin:
Toggles Shortcode and Widget
Plugin Slug:
toggles-shortcode-and-widget
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

TRUSTist REVIEWer

Plugin:
TRUSTist REVIEWer
Plugin Slug:
trustist-reviewer
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

TubePress.NET

Plugin:
TubePress.NET
Plugin Slug:
tubepressnet
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Image Hover Effects

Plugin:
Ultimate Image Hover Effects
Plugin Slug:
ultimate-image-hover-effects
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Popup – MailChimp, GetResponse and ActiveCampaign Intergrations

Plugin:
Popup – MailChimp, GetResponse and ActiveCampaign Intergrations
Plugin Slug:
ultimate-popup-creator
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Unlimited Theme Addon For Elementor and WooCommerce

Plugin:
Unlimited Theme Addon For Elementor and WooCommerce
Plugin Slug:
unlimited-theme-addons
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Uptime Robot

Plugin:
Uptime Robot
Plugin Slug:
uptime-robot
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Urdu Formatter – Shamil

Plugin:
Urdu Formatter – Shamil
Plugin Slug:
urdu-formatter-shamil
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Video Embed Optimizer

Plugin:
Video Embed Optimizer
Plugin Slug:
video-embed-optimizer
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ViewMedica 9

Plugin:
ViewMedica 9
Plugin Slug:
viewmedica
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ViewMedica 9

Plugin:
ViewMedica 9
Plugin Slug:
viewmedica
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Virtual Bot

Plugin:
Virtual Bot
Plugin Slug:
virtual-bot
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Virtual Bot

Plugin:
Virtual Bot
Plugin Slug:
virtual-bot
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

VR Views

Plugin:
VR Views
Plugin Slug:
vr-views
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WC1C

Plugin:
WC1C
Plugin Slug:
wc1c-main
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WE Blocks

Plugin:
WE Blocks
Plugin Slug:
we-blocks
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Binary MLM Woocommerce

Plugin:
Binary MLM Woocommerce
Plugin Slug:
woo-binary-mlm
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Woocommerce check pincode/zipcode for shipping

Plugin:
Woocommerce check pincode/zipcode for shipping
Plugin Slug:
woocommerce-check-pincode-zipcode-for-shipping
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Scanventory

Plugin:
Scanventory
Plugin Slug:
woocommerce-inventory-management
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WOOEXIM

Plugin:
WOOEXIM
Plugin Slug:
wooexim
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Live Sales Notification for Woocommerce – Woomotiv

Plugin:
Live Sales Notification for Woocommerce – Woomotiv
Plugin Slug:
woomotiv
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Able Player

Plugin:
Able Player
Plugin Slug:
wp-able-player
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bitly

Plugin:
Bitly
Plugin Slug:
wp-bitly
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Cookie

Plugin:
WP Cookie
Plugin Slug:
wp-cookie
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

wp custom countdown

Plugin:
wp custom countdown
Plugin Slug:
wp-custom-countdown
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Title Experiments Free

Plugin:
Title Experiments Free
Plugin Slug:
wp-experiments-free
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Title Experiments Free

Plugin:
Title Experiments Free
Plugin Slug:
wp-experiments-free
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Github

Plugin:
WP Github
Plugin Slug:
wp-github
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Header Notification

Plugin:
WP Header Notification
Plugin Slug:
wp-header-notification
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

wp Hosting Performance Check

Plugin:
wp Hosting Performance Check
Plugin Slug:
wp-hosting-performance-check
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Joomag

Plugin:
WP Joomag
Plugin Slug:
wp-joomag
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mailing Group Listserv

Plugin:
Mailing Group Listserv
Plugin Slug:
wp-mailing-group
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mailing Group Listserv

Plugin:
Mailing Group Listserv
Plugin Slug:
wp-mailing-group
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Music Player

Plugin:
WP Music Player
Plugin Slug:
wp-music-player
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP SPID Italia

Plugin:
WP SPID Italia
Plugin Slug:
wp-spid-italia
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPEX Replace DB Urls

Plugin:
WPEX Replace DB Urls
Plugin Slug:
wpex-replace
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WPListCal

Plugin:
WPListCal
Plugin Slug:
wplistcal
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

News Publisher Autopilot

Plugin:
News Publisher Autopilot
Plugin Slug:
wpm-news-api
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WPMU Prefill Post

Plugin:
WPMU Prefill Post
Plugin Slug:
wpmu-prefill-post
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Custom Product Tabs for WooCommerce

Plugin:
Custom Product Tabs for WooCommerce
Plugin Slug:
yikes-inc-easy-custom-woocommerce-product-tabs
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Yumpu ePaper publishing

Plugin:
Yumpu ePaper publishing
Plugin Slug:
yumpu-epaper-publishing
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

UpdraftPlus: WP Backup & Migration Plugin

Plugin Slug:
updraftplus
Installations
3,000,000+
Vulnerability:
PHP Object Injection
Patched in Version:
1.24.12
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.24.12.

W3 Total Cache

Plugin Slug:
w3-total-cache
Installations
1,000,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
2.8.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.2.

W3 Total Cache

Plugin Slug:
w3-total-cache
Installations
1,000,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.8.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.2.

W3 Total Cache

Plugin Slug:
w3-total-cache
Installations
1,000,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.8.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.2.

Page Builder by SiteOrigin

Plugin Slug:
siteorigin-panels
Installations
600,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.31.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.31.1.

PixelYourSite – Your smart PIXEL (TAG) & API Manager

Plugin Slug:
pixelyoursite
Installations
500,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
10.0.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 10.0.2.

Royal Elementor Addons and Templates

Plugin Slug:
royal-elementor-addons
Installations
500,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.1007
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.7.1007.

Happy Addons for Elementor

Plugin Slug:
happy-elementor-addons
Installations
400,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.15.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.15.2.

Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Plugin Slug:
post-smtp
Installations
400,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.9.12
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.12.

InfiniteWP Client

Plugin Slug:
iwp-client
Installations
200,000+
Vulnerability:
Directory Traversal
Patched in Version:
1.13.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.13.1.

Post Duplicator

Plugin Slug:
post-duplicator
Installations
200,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.37
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.37.

Orbit Fox by ThemeIsle

Plugin Slug:
themeisle-companion
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.10.44
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.10.44.

Orbit Fox by ThemeIsle

Plugin Slug:
themeisle-companion
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.10.44
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.10.44.

GiveWP – Donation Plugin and Fundraising Platform

Plugin Slug:
give
Installations
100,000+
Vulnerability:
PHP Object Injection
Patched in Version:
3.19.4
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.19.4.

Plugin Slug:
modula-best-grid-gallery
Installations
100,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
2.11.11
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.11.11.

Pods – Custom Content Types and Fields

Plugin Slug:
pods
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.8.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.8.1.

Jupiter X Core

Plugin Slug:
jupiterx-core
Installations
90,000+
Vulnerability:
Broken Access Control
Patched in Version:
4.8.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.8.6.

Jupiter X Core

Plugin Slug:
jupiterx-core
Installations
90,000+
Vulnerability:
Broken Access Control
Patched in Version:
4.8.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.8.6.

WP Booking Calendar

Plugin Slug:
booking
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
10.9.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 10.9.3.

Category Posts Widget

Plugin Slug:
category-posts
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.9.18
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.9.18.

Plugin Slug:
robo-gallery
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.22
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.22.

Plugin Slug:
sina-extension-for-elementor
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.6.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.0.

Greenshift – animation and page builder blocks

Plugin Slug:
greenshift-animation-and-page-builder-blocks
Installations
40,000+
Vulnerability:
Broken Access Control
Patched in Version:
9.0.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 9.0.1.

Themesflat Addons For Elementor

Plugin Slug:
themesflat-addons-for-elementor
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.5.

HTML5 Video Player – mp4 Video Player Plugin and Block

Plugin Slug:
html5-video-player
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.5.36
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.36.

SureForms – Drag and Drop Form Builder for WordPress

Plugin Slug:
sureforms
Installations
30,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.2.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.3.

WordPress File Upload

Plugin Slug:
wp-file-upload
Installations
20,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
4.25.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.25.0.

WordPress File Upload

Plugin Slug:
wp-file-upload
Installations
20,000+
Vulnerability:
Path Traversal
Patched in Version:
4.24.14
Severity Score:
High
The vulnerability has been patched, so you should update to version 4.24.14.

WordPress File Upload

Plugin Slug:
wp-file-upload
Installations
20,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
4.24.14
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.24.14.

WordPress File Upload

Plugin Slug:
wp-file-upload
Installations
20,000+
Vulnerability:
Broken Access Control
Patched in Version:
4.25.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.25.0.

140+ Widgets | Xpro Addons For Elementor – FREE

Plugin Slug:
xpro-elementor-addons
Installations
20,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
1.4.6.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.6.3.

Passster – Password Protect Pages and Content

Plugin Slug:
content-protector
Installations
10,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
4.2.11
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.2.11.

Export Import Menus

Plugin Slug:
export-import-menus
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.9.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.9.2.

Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates

Plugin Slug:
woo-gift-cards-lite
Installations
7,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.7.

Author Avatars List/Block

Plugin Slug:
author-avatars
Installations
6,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.24
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.24.

Auto iFrame

Plugin Slug:
auto-iframe
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.

ElementInvader Addons for Elementor

Plugin Slug:
elementinvader-addons-for-elementor
Installations
5,000+
Vulnerability:
Local File Inclusion
Patched in Version:
1.2.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.2.7.

SMS Alert Order Notifications – WooCommerce

Plugin Slug:
sms-alert
Installations
5,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.7.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.7.7.

Shopping Cart & eCommerce Store

Plugin Slug:
wp-easycart
Installations
5,000+
Vulnerability:
Broken Access Control
Patched in Version:
5.7.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.7.9.

Booking calendar, Appointment Booking System

Plugin Slug:
booking-calendar
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.20
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.2.20.

Garden Gnome Package

Plugin Slug:
garden-gnome-package
Installations
4,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
2.4.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.4.0.

Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

Plugin Slug:
quillforms
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.0.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.0.0.

RSVP and Event Management

Plugin Slug:
rsvp
Installations
4,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.7.14
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.7.14.

News Ticker Widget for Elementor

Plugin Slug:
news-ticker-widget-for-elementor
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.3.

Property Hive

Plugin Slug:
propertyhive
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.1.1.

SKT Page Builder

Plugin Slug:
skt-builder
Installations
3,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
4.8
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.8.

SpeakOut! Email Petitions

Plugin Slug:
speakout
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.5.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.5.0.

MyBookTable Bookstore by Stormhill Media

Plugin Slug:
mybooktable
Installations
2,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.5.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.5.4.

WC Price History

Plugin Slug:
wc-price-history
Installations
2,000+
Vulnerability:
PHP Object Injection
Patched in Version:
2.1.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.1.5.

WPBITS Addons For Elementor Page Builder

Plugin Slug:
wpbits-addons-for-elementor
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.6.

WP Wand – AI Writer, AI Content Generator & AI Assistant by ChatGPT, OpenAI | Generate SEO Friendly AI Blog Post & Article with 20X Speed

Plugin Slug:
ai-content-generation
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.2.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.6.

Black Widgets For Elementor

Plugin Slug:
black-widgets
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.9.

ChatBot Conversational Forms

Plugin Slug:
conversational-forms
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.3.

JoomSport – for Sports: Team & League, Football, Hockey & more

Plugin Slug:
joomsport-sports-league-results-management
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.6.18
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.6.18.

MT Addons for Elementor

Plugin Slug:
mt-addons-for-elementor
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.7.

PDF Catalog Woocommerce

Plugin Slug:
pdf-catalog-woocommerce
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.

MDTF – Meta Data and Taxonomies Filter

Plugin Slug:
wp-meta-data-filter-and-taxonomy-filter
Installations
1,000+
Vulnerability:
SQL Injection
Patched in Version:
1.3.3.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.3.3.6.

WordPress Webinar Plugin – WebinarPress

Plugin Slug:
wp-webinarsystem
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.33.25
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.33.25.

The Ultimate WordPress Toolkit – WP Extended

Plugin Slug:
wpextended
Installations
1,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
3.0.12
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.0.12.

The Ultimate WordPress Toolkit – WP Extended

Plugin Slug:
wpextended
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.12
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.12.

Custom Field For WP Job Manager

Plugin Slug:
custom-field-for-wp-job-manager
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.4.

MAS Elementor

Plugin Slug:
mas-addons-for-elementor
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.8.

Advanced Product Information for WooCommerce

Plugin Slug:
woo-advanced-product-information
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.5.

??? ??? ??? ?????

Plugin Slug:
formafzar
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.

F4 Post Tree

Plugin Slug:
f4-tree
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.19
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.1.19.

Tock Widget

Plugin Slug:
tock-widget
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.2.

Trackserver

Plugin Slug:
trackserver
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.0.3.

Service Box

Plugin Slug:
service-boxs
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.

Skill Bars

Plugin:
Skill Bars
Plugin Slug:
skillbars
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.

WP Mailster

Plugin Slug:
wp-mailster
Installations
400+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
1.8.18.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.18.0.

Zephyr Admin Theme

Plugin Slug:
zephyr-modern-admin-theme
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.5.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.5.0.

BWD Elementor Addons (2500+ presets, Meet The Team, Lottie, Lord Icon, Masking, Woocommerce, Theme Builder, Products, Blogs, CV, Contact Form 7 Styler, Header, Slider, Hero Section)

Plugin Slug:
bwd-elementor-addons
Installations
300+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
4.3.19
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.3.19.

Coupon Plugin

Plugin Slug:
coupon-lite
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.2.

Responsive Flickr Slideshow

Plugin Slug:
mobile-friendly-flickr-slideshow
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.1.

Solar Wizard Lite

Plugin Slug:
solar-wizard-lite
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.5.

Transporters.io

Plugin Slug:
transportersio
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.1.2.

Bootstrap Blocks for WP Editor v2

Plugin Slug:
wp-editor-bootstrap-blocks
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.1.

Free WooCommerce Theme 99fy Extension

Plugin Slug:
99fy-core
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.9.

CC Canadian Mortgage Calculator

Plugin Slug:
cc-canadian-mortgage-calculator
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.1.

Slotti Ajanvaraus

Plugin Slug:
slotti-ajanvaraus
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.0.

Store credit / Gift cards for woocommerce

Plugin Slug:
store-credit-for-woocommerce
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.49.47
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.49.47.

Boot-Modal

Plugin:
Boot-Modal
Plugin Slug:
boot-modal
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.10
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.10.

WPBookit

Plugin:
WPBookit
Plugin Slug:
wpbookit
Installations
90+
Vulnerability:
Privilege Escalation
Patched in Version:
1.6.6
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.6.6.

Norse Rune Oracle Plugin

Plugin Slug:
norse-runes-oracle
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.4.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.4.3.

Shipping via Planzer for WooCommerce

Plugin Slug:
wc-planzer-shipping
Installations
80+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.26
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.26.

Error Log Viewer By WP Guru

Plugin Slug:
error-log-viewer-wp
Installations
70+
Vulnerability:
Arbitrary File Download
Patched in Version:
1.0.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.4.

Timeline Pro

Plugin Slug:
timeline-pro
Installations
70+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.

App Embed

Plugin:
App Embed
Plugin Slug:
appizy-app-embed
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.0.

Compare Products for WooCommerce

Plugin Slug:
woocommerce-compare-products
Installations
50+
Vulnerability:
PHP Object Injection
Patched in Version:
3.2.2
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.2.2.

SEMA API

Plugin:
SEMA API
Plugin Slug:
sema-api
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.30
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.30.

Surbma | Premium WP

Plugin Slug:
surbma-premium-wp
Installations
20+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
10.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 10.0.

Booking Calendar Pro (WpDevArt)

Plugin:
Booking Calendar Pro (WpDevArt)
Plugin Slug:
booking-calendar-pro
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
11.2.20
Severity Score:
High
The vulnerability has been patched, so you should update to version 11.2.20.

Cost Calculator Builder Pro

Plugin:
Cost Calculator Builder Pro
Plugin Slug:
cost-calculator-builder-pro
Vulnerability:
SQL Injection
Patched in Version:
3.2.16
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.2.16.

Croma Music

Plugin:
Croma Music
Plugin Slug:
croma-music
Vulnerability:
Broken Access Control
Patched in Version:
3.6.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.6.1.

Gift Cards for WooCommerce Pro

Plugin:
Gift Cards for WooCommerce Pro
Plugin Slug:
gift-cards-for-woocommerce-pro
Vulnerability:
Broken Access Control
Patched in Version:
2.9.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.9.2.

Tourmaster

Plugin:
Tourmaster
Plugin Slug:
tourmaster
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.3.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.3.4.

WordPress Themes — 3 Patched / 29 Unpatched

my money

Theme:
my money
Theme Slug:
my-money
Downloads
20,130
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Power Mag

Theme Slug:
power-mag
Downloads
13,803
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

StorePress

Theme Slug:
storepress
Downloads
53,724
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Aports – Single Property WordPress Theme

Theme:
Aports – Single Property WordPress Theme
Theme Slug:
aports
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Boliin – Resort & Hotel Booking WordPress Theme

Theme:
Boliin – Resort & Hotel Booking WordPress Theme
Theme Slug:
boliin
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Constix – Construction Factory & Industrial WordPress Theme

Theme:
Constix – Construction Factory & Industrial WordPress Theme
Theme Slug:
constix
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Conult – Consulting Business WordPress Themes

Theme:
Conult – Consulting Business WordPress Themes
Theme Slug:
conult
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Fioxen

Theme:
Fioxen
Theme Slug:
fioxen
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

TheFude – Crowdfunding & Charity WordPress Theme

Theme:
TheFude – Crowdfunding & Charity WordPress Theme
Theme Slug:
fude
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Gowilds – Travel & Tour Booking WordPress Theme

Theme:
Gowilds – Travel & Tour Booking WordPress Theme
Theme Slug:
gowilds
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Halpes

Theme:
Halpes
Theme Slug:
halpes
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Homey

Theme:
Homey
Theme Slug:
homey
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should switch themes.

Js O3 Lite

Theme:
Js O3 Lite
Theme Slug:
js-o3-lite
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Lestin – Directory Listing WordPress Theme

Theme:
Lestin – Directory Listing WordPress Theme
Theme Slug:
lestin
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Modins – Insurance & Finance WordPress Theme

Theme:
Modins – Insurance & Finance WordPress Theme
Theme Slug:
modins
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

moseter

Theme:
moseter
Theme Slug:
moseter
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

my depressive

Theme:
my depressive
Theme Slug:
my-depressive
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

my engine

Theme:
my engine
Theme Slug:
my-engine
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

offset writing

Theme:
offset writing
Theme Slug:
offset-writing
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Orgarium – Agriculture & Organic Farm WordPress Theme

Theme:
Orgarium – Agriculture & Organic Farm WordPress Theme
Theme Slug:
orgarium
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Paroti

Theme:
Paroti
Theme Slug:
paroti
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Pisole – Digital Creative Agency WordPress Theme

Theme:
Pisole – Digital Creative Agency WordPress Theme
Theme Slug:
pisole
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

polka dots

Theme:
polka dots
Theme Slug:
polka-dots
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Qempo

Theme:
Qempo
Theme Slug:
qempo
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Qizon – Crowdfunding & Charity WordPress Theme

Theme:
Qizon – Crowdfunding & Charity WordPress Theme
Theme Slug:
qizon
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Sominx – Creative Business Agency WordPress Theme

Theme:
Sominx – Creative Business Agency WordPress Theme
Theme Slug:
sominx
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Tevily – Travel & Tour Booking WordPress Theme

Theme:
Tevily – Travel & Tour Booking WordPress Theme
Theme Slug:
tevily
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

welowe

Theme:
welowe
Theme Slug:
welowe
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Zilom

Theme:
Zilom
Theme Slug:
zilom
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

AdForest

Theme:
AdForest
Theme Slug:
adforest
Vulnerability:
Privilege Escalation
Patched in Version:
5.1.7
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 5.1.7.

AdForest

Theme:
AdForest
Theme Slug:
adforest
Vulnerability:
Broken Access Control
Patched in Version:
5.1.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.1.8.

Aurum

Theme:
Aurum
Theme Slug:
aurum-minimalist-shopping-theme
Vulnerability:
Broken Access Control
Patched in Version:
4.0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.0.3.
