WordPress Vulnerability Report — February 19, 2025

This last week, 230 new plugin and theme vulnerabilities emerged in the WordPress ecosystem. 95 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

Published:Feb 19, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:42 min.

In this report, 230 vulnerabilities have been publicly disclosed. Security patches for 135 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 95 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 123 Patched / 91 Unpatched

2.1 Easy MLS Listings Import
2.2 Gumlet Video
2.3 Actionwear products sync
2.4 Filled In
2.5 1 Click WordPress Migration
2.6 1 Click WordPress Migration
2.7 Aparat Responsive
2.8 Apus Framework
2.9 Naver Syndication V2
2.10 BigBuy Dropshipping Connector for WooCommerce
2.11 Book a Room
2.12 Bootstrap collapse
2.13 WooODT Lite
2.14 CalendApp
2.15 CATS Job Listings
2.16 Chalet-Montagne.com Tools
2.17 Simple Documentation
2.18 DL Leadback
2.19 DX-auto-publish
2.20 Easy Amazon Product Information
2.21 Ebook Downloader
2.22 Embed Google Map
2.23 Events Planner
2.24 Font Awesome WP
2.25 WP-FormAssembly
2.26 GetBookingsWP
2.27 Glance That
2.28 Global Meta Keyword & Description
2.29 Google Drive WP Media
2.30 IE CSS3 Support
2.31 Keap Official Opt-in Forms
2.32 Library Bookshelves
2.33 magayo Lottery Results
2.34 Mortgage Calculator / Loan Calculator
2.35 My Login Logout Plugin
2.36 Easy Quiz Maker
2.37 Open Hours
2.38 Option Editor
2.39 Page/Post Specific Social Share Buttons
2.40 Pallet Packaging for WooCommerce
2.41 WP PHPList
2.42 Post Sync
2.43 Post Thumbs
2.44 Prezi Embedder
2.45 pushBIZ
2.46 R3W InstaFeed
2.47 Rapid Cache
2.48 Reaction Buttons
2.49 Related Posts Line-up-Exactly by Milliard
2.50 Reset
2.51 Rise Blocks
2.52 Mobile
2.53 RSS Filter
2.54 Sensly Online Presence
2.55 ShipEngine Shipping Quotes
2.56 sidebarTabs
2.57 Simple catalogue
2.58 Simple Charts
2.59 Simple Pricing Tables For WPBakery Page Builder
2.60 Simple Responsive Menu
2.61 Simple Signup Form
2.62 Simple Video Management System
2.63 Small Package Quotes – Purolator Edition
2.64 Spiritual Gifts Survey
2.65 Stray Random Quotes
2.66 Themes Coder
2.67 Team Builder
2.68 TinyMCE Advanced qTranslate fix editor problems
2.69 Track Logins
2.70 TTT Crop
2.71 Tube Video Ads Lite
2.72 VR-Frases
2.73 Wibiya Toolbar
2.74 Wise Forms
2.75 File Uploads Addon for WooCommerce
2.76 WordPress Activity-o-meter
2.77 WP-Asambleas
2.78 WP-BibTeX
2.79 WP Extra Fields
2.80 FoodBakery
2.81 FoodBakery
2.82 FoodBakery
2.83 FoodBakery
2.84 WP Html Page Sitemap
2.85 WP Job Board Pro
2.86 WP Pricing Table
2.87 OWL Carousel Slider
2.88 WPMovieLibrary
2.89 Mortgage Lead Capture System
2.90 Elfsight Yottie Lite
2.91 Zarinpal Paid Download
2.92 Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
2.93 Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
2.94 ElementsKit Elementor addons
2.95 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.96 Forminator Forms – Contact Form, Payment Form & Custom Form Builder
2.97 Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
2.98 WP Ghost (Hide My WP Ghost) – Security & Firewall
2.99 WP Activity Log
2.100 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.101 Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress
2.102 Widget Options – The #1 WordPress Widget & Block Control Plugin
2.103 HT Mega – Absolute Addons For Elementor
2.104 Brizy – Page Builder
2.105 Brizy – Page Builder
2.106 Stream
2.107 Spotlight Social Feeds – Block, Shortcode, and Widget
2.108 WP Booking Calendar
2.109 DethemeKit for Elementor
2.110 DethemeKit for Elementor
2.111 FULL – Cliente
2.112 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
2.113 Security & Malware scan by CleanTalk
2.114 Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
2.115 Ecwid by Lightspeed Ecommerce Shopping Cart
2.116 Read More & Accordion
2.117 HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
2.118 Custom Block Builder – Lazy Blocks
2.119 Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
2.120 Welcart e-Commerce
2.121 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.122 Maps Plugin using Google Maps for WordPress – WP Google Map
2.123 Media Library Folders
2.124 Qubely – Advanced Gutenberg Blocks
2.125 s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
2.126 Team – Team Members Showcase Plugin
2.127 Export All Posts, Products, Orders, Refunds & Users
2.128 Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist
2.129 Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist
2.130 Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist
2.131 WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
2.132 WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
2.133 Customer Email Verification for WooCommerce
2.134 Customer Email Verification for WooCommerce
2.135 JS Help Desk – The Ultimate Help Desk & Support Plugin
2.136 ProfileGrid – User Profiles, Groups and Communities
2.137 ProfileGrid – User Profiles, Groups and Communities
2.138 Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features
2.139 Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features
2.140 Affiliate Links: WordPress Plugin for Link Cloaking and Link Management
2.141 CM Search And Replace – Optimize content edits with a powerful search and replace tool
2.142 Super Testimonials
2.143 Leyka
2.144 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
2.145 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
2.146 Active Products Tables for WooCommerce. Use constructor to create tables
2.147 SKT Blocks – Gutenberg based Page Builder
2.148 Timeline Block – Timeline block plugin for WordPress
2.149 Vitepos – Point of sale (POS) plugin for WooCommerce
2.150 WP Airbnb Review Slider
2.151 Calculator Builder – Create an Online Calculator
2.152 DirectoryPress Frontend
2.153 Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later
2.154 iNET Webkit
2.155 Oliver POS – A WooCommerce Point of Sale (POS)
2.156 Simple Google Calendar Outlook Events Widget
2.157 SuperSaaS – online appointment scheduling
2.158 The Ultimate WordPress Toolkit – WP Extended
2.159 aBlocks – WordPress Gutenberg Blocks
2.160 Marketing Automation
2.161 Waymark
2.162 All-Images.ai – IA Image Bank and Custom Image creation
2.163 Give – Divi Donation Modules
2.164 Houzez Property Feed
2.165 NGG Smart Image Search
2.166 aDirectory – WordPress Directory Listing Plugin
2.167 AForms Eats
2.168 Keep Backup Daily
2.169 SpeedSize Image & Video AI-Optimizer
2.170 Easy Elementor Addons
2.171 Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
2.172 Web Stories Enhancer – Level Up Your Web Stories
2.173 WooCommerce Pricing – Product Pricing
2.174 WP Abstracts
2.175 what3words Address Field
2.176 Content Snippet Manager
2.177 Threepress
2.178 Admire Extra
2.179 CM Map Locations – Visualize and share your locations in a few clicks
2.180 Distance Based Shipping Calculator
2.181 Distance Based Shipping Calculator
2.182 Easy Booked – Appointment Booking and Scheduling Management System for WordPress
2.183 LTL Freight Quotes – Worldwide Express Edition
2.184 LTL Freight Quotes – Worldwide Express Edition
2.185 Magic the Gathering Card Tooltips
2.186 StaffList
2.187 Liveticker (by stklcode)
2.188 WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon
2.189 Shopwarden – Automated WooCommerce monitoring & testing
2.190 FuseDesk
2.191 LTL Freight Quotes – FreightQuote Edition
2.192 LTL Freight Quotes – FreightQuote Edition
2.193 MemorialDay
2.194 Vertex Addons for Elementor
2.195 Discover the Best Woocommerce Product Brands Plugin for WordPress – Woocommerce Brands Plugin
2.196 LTL Freight Quotes – Estes Edition
2.197 LTL Freight Quotes – XPO Edition
2.198 Small Package Quotes – UPS Edition
2.199 LTL Freight Quotes – For Customers of FedEx Freight
2.200 Simple Certain Time to Show Content
2.201 Responsive Modal Builder for High Conversion – Easy Popups
2.202 Chaty Pro
2.203 ConvertPlus
2.204 Fusion Builder
2.205 Gallery
2.206 Global Gallery – WordPress Responsive Gallery
2.207 K Elements
2.208 LTL Freight Quotes – Unishippers Edition
2.209 LTL Freight Quotes – Unishippers Edition
2.210 LTL Freight Quotes – Unishippers Edition
2.211 Notif Bell
2.212 Tourmaster
2.213 Uncode Core
2.214 WP Table Manager

3. WordPress Themes — 12 Patched / 4 Unpatched

3.1 Campress
3.2 Puzzles
3.3 Puzzles
3.4 Puzzles
3.5 Uncode
3.6 Uncode
3.7 Uncode
3.8 Avada
3.9 CarSpot
3.10 Click Mag
3.11 Listivo – Classified Ads
3.12 PressMart
3.13 Real Estate 7
3.14 Zox News
3.15 ZoxPress
3.16 ZoxPress

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.7.2 is now available! This minor release includes 35 bug fixes, addressing issues affecting multiple components including the block editor, HTML API, and Customize.

WordPress Plugins — 123 Patched / 91 Unpatched

Plugin:: Easy MLS Listings Import
Plugin Slug:: easy-mls-listings-import
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-12525

Plugin:: Gumlet Video
Plugin Slug:: gumlet-video
Installations: 90+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13576

Plugin:: Actionwear products sync
Plugin Slug:: actionwear-products-sync
Installations: 50+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13535

Plugin:: Filled In
Plugin Slug:: filled-in
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-22628

Plugin:: 1 Click WordPress Migration
Plugin Slug:: 1-click-migration
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13609

Plugin:: 1 Click WordPress Migration
Plugin Slug:: 1-click-migration
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13555

Plugin:: Aparat Responsive
Plugin Slug:: aparat-responsive
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-26558

Plugin:: Apus Framework
Plugin Slug:: apus-framework
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12296

Plugin:: Naver Syndication V2
Plugin Slug:: badr-naver-syndication
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26552

Plugin:: BigBuy Dropshipping Connector for WooCommerce
Plugin Slug:: bigbuy-wc-dropshipping-connector
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13538

Plugin:: Book a Room
Plugin Slug:: book-a-room
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13437

Plugin:: Bootstrap collapse
Plugin Slug:: bootstrap-collapse
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26551

Plugin:: WooODT Lite
Plugin Slug:: byconsole-woo-order-delivery-time
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13540

Plugin:: CalendApp
Plugin Slug:: calendapp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13669

Plugin:: CATS Job Listings
Plugin Slug:: cats-job-listings
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13577

Plugin:: Chalet-Montagne.com Tools
Plugin Slug:: chalet-montagne-com-tools
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12586

Plugin:: Simple Documentation
Plugin Slug:: client-documentation
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26578

Plugin:: DL Leadback
Plugin Slug:: dl-leadback
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26585

Plugin:: DX-auto-publish
Plugin Slug:: dx-auto-publish
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26577

Plugin:: Easy Amazon Product Information
Plugin Slug:: easy-amazon-product-information
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26568

Plugin:: Ebook Downloader
Plugin Slug:: ebook-downloader
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-13435

Plugin:: Embed Google Map
Plugin Slug:: embed-google-map
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-26539

Plugin:: Events Planner
Plugin Slug:: events-planner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26586

Plugin:: Font Awesome WP
Plugin Slug:: font-awesome-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-26567

Plugin:: WP-FormAssembly
Plugin Slug:: formassembly-web-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13501

Plugin:: GetBookingsWP
Plugin Slug:: get-bookings-wp
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13677

Plugin:: Glance That
Plugin Slug:: glance-that
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26570

Plugin:: Global Meta Keyword & Description
Plugin Slug:: global-meta-keyword-and-description
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26550

Plugin:: Google Drive WP Media
Plugin Slug:: google-drive-wp-media
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-26574

Plugin:: IE CSS3 Support
Plugin Slug:: ie-css3-support
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26589

Plugin:: Keap Official Opt-in Forms
Plugin Slug:: infusionsoft-official-opt-in-forms
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13725

Plugin:: Library Bookshelves
Plugin Slug:: library-bookshelves
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13464

Plugin:: magayo Lottery Results
Plugin Slug:: magayo-lottery-results
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13522

Plugin:: Mortgage Calculator / Loan Calculator
Plugin Slug:: mortgage-loan-calculator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0805

Plugin:: My Login Logout Plugin
Plugin Slug:: my-loginlogout
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26547

Plugin:: Easy Quiz Maker
Plugin Slug:: n-media-wp-simple-quiz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13456

Plugin:: Open Hours
Plugin Slug:: open-hours
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-12813

Plugin:: Option Editor
Plugin Slug:: option-editor
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13852

Plugin:: Page/Post Specific Social Share Buttons
Plugin Slug:: pagepost-specific-social-share-buttons
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26580

Plugin:: Pallet Packaging for WooCommerce
Plugin Slug:: pallet-packaging-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-22285

Plugin:: WP PHPList
Plugin Slug:: phplist-form-integration
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26572

Plugin:: Post Sync
Plugin Slug:: post-sync
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13634

Plugin:: Post Thumbs
Plugin Slug:: post-thumbs
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26569

Plugin:: Prezi Embedder
Plugin Slug:: prezi-embedder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-26538

Plugin:: pushBIZ
Plugin Slug:: pushbiz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13629

Plugin:: R3W InstaFeed
Plugin Slug:: r3w-instafeed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13678

Plugin:: Rapid Cache
Plugin Slug:: rapid-cache
Vulnerability:: Content Spoofing
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12314

Plugin:: Reaction Buttons
Plugin Slug:: reaction-buttons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13848

Plugin:: Related Posts Line-up-Exactly by Milliard
Plugin Slug:: related-posts-line-up-exactry-by-milliard
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26545

Plugin:: Reset
Plugin Slug:: reset
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13684

Plugin:: Rise Blocks
Plugin Slug:: rise-blocks
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0506

Plugin:: Mobile
Plugin Slug:: rocket-wp-mobile
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26563

Plugin:: RSS Filter
Plugin Slug:: rss-filter
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26562

Plugin:: Sensly Online Presence
Plugin Slug:: sensly-online-presence
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13493

Plugin:: ShipEngine Shipping Quotes
Plugin Slug:: shipengine-shipping-quotes
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-13531

Plugin:: sidebarTabs
Plugin Slug:: sidebartabs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26587

Plugin:: Simple catalogue
Plugin Slug:: simple-catalogue
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13633

Plugin:: Simple Charts
Plugin Slug:: simple-charts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13581

Plugin:: Simple Pricing Tables For WPBakery Page Builder
Plugin Slug:: simple-pricing-tables-vc-extension
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13582

Plugin:: Simple Responsive Menu
Plugin Slug:: simple-responsive-menu
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26543

Plugin:: Simple Signup Form
Plugin Slug:: simple-signup-form
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13595

Plugin:: Simple Video Management System
Plugin Slug:: simple-video-management-system
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0692

Plugin:: Small Package Quotes – Purolator Edition
Plugin Slug:: small-package-quotes-purolator-edition
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-13532

Plugin:: Spiritual Gifts Survey
Plugin Slug:: spiritual-gifts-survey
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-0688

Plugin:: Stray Random Quotes
Plugin Slug:: stray-quotes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13570

Plugin:: Themes Coder
Plugin Slug:: tc-ecommerce
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-13726

Plugin:: Team Builder
Plugin Slug:: team-display
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13687

Plugin:: TinyMCE Advanced qTranslate fix editor problems
Plugin Slug:: tinymce-advanced-qtranslate-fix-editor-problems
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26582

Plugin:: Track Logins
Plugin Slug:: track-logins
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13608

Plugin:: TTT Crop
Plugin Slug:: ttt-crop
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26588

Plugin:: Tube Video Ads Lite
Plugin Slug:: tube-video-ads-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13625

Plugin:: VR-Frases
Plugin Slug:: vr-frases
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13626

Plugin:: Wibiya Toolbar
Plugin Slug:: wibiya
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26571

Plugin:: Wise Forms
Plugin Slug:: wise-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13603

Plugin:: File Uploads Addon for WooCommerce
Plugin Slug:: woo-addon-uploads
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13622

Plugin:: WordPress Activity-o-meter
Plugin Slug:: wordpress-activity-o-meter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13668

Plugin:: WP-Asambleas
Plugin Slug:: wp-asambleas
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13579

Plugin:: WP-BibTeX
Plugin Slug:: wp-bibtex
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13578

Plugin:: WP Extra Fields
Plugin Slug:: wp-extra-fields
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13632

Plugin:: FoodBakery
Plugin Slug:: wp-foodbakery
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-0180

Plugin:: FoodBakery
Plugin Slug:: wp-foodbakery
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-0181

Plugin:: FoodBakery
Plugin Slug:: wp-foodbakery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13010

Plugin:: FoodBakery
Plugin Slug:: wp-foodbakery
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-13011

Plugin:: WP Html Page Sitemap
Plugin Slug:: wp-html-page-sitemap
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26549

Plugin:: WP Job Board Pro
Plugin Slug:: wp-job-board-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-12213

Plugin:: WP Pricing Table
Plugin Slug:: wp-pricing-table
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13628

Plugin:: OWL Carousel Slider
Plugin Slug:: wp-touch-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13627

Plugin:: WPMovieLibrary
Plugin Slug:: wpmovielibrary
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13624

Plugin:: Mortgage Lead Capture System
Plugin Slug:: wprequal
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0796

Plugin:: Elfsight Yottie Lite
Plugin Slug:: yottie-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-26561

Plugin:: Zarinpal Paid Download
Plugin Slug:: zarinpal-paid-downloads
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-13544

Plugin:: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Plugin Slug:: seo-by-rank-math
Installations: 3,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.236
Severity Score:: Medium
CVE:: 2024-13229

Plugin:: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Plugin Slug:: seo-by-rank-math
Installations: 3,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.236
Severity Score:: Medium
CVE:: 2024-13227

Plugin:: ElementsKit Elementor addons
Plugin Slug:: elementskit-lite
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2025-1005

Plugin:: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Plugin Slug:: ml-slider
Installations: 600,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.95.0
Severity Score:: Critical
CVE:: 2025-26763

Plugin:: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.38.3
Severity Score:: Medium
CVE:: 2024-7052

Plugin:: Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.0
Severity Score:: High
CVE:: 2025-0521

Plugin:: WP Ghost (Hide My WP Ghost) – Security & Firewall
Plugin Slug:: hide-my-wp
Installations: 200,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 5.4.01
Severity Score:: Medium
CVE:: 2024-13794

Plugin:: WP Activity Log
Plugin Slug:: wp-security-audit-log
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.0
Severity Score:: High
CVE:: 2025-0924

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.20
Severity Score:: Medium
CVE:: 2024-13119

Plugin:: Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.8.1
Severity Score:: Medium
CVE:: 2024-13125

Plugin:: Widget Options – The #1 WordPress Widget & Block Control Plugin
Plugin Slug:: widget-options
Installations: 100,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 4.1.1
Severity Score:: Critical
CVE:: 2025-22630

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.2
Severity Score:: Medium
CVE:: 2024-12599

Plugin:: Brizy – Page Builder
Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.9
Severity Score:: Medium
CVE:: 2024-10322

Plugin:: Brizy – Page Builder
Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.6.5
Severity Score:: Critical
CVE:: 2024-10960

Plugin:: Stream
Plugin Slug:: stream
Installations: 70,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.1.0
Severity Score:: Medium
CVE:: 2024-13879

Plugin:: Spotlight Social Feeds – Block, Shortcode, and Widget
Plugin Slug:: spotlight-social-photo-feeds
Installations: 60,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.7.2
Severity Score:: Medium
CVE:: 2025-26758

Plugin:: WP Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.10.1
Severity Score:: Medium
CVE:: 2024-13821

Plugin:: DethemeKit for Elementor
Plugin Slug:: dethemekit-for-elementor
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.9
Severity Score:: Medium
CVE:: 2025-26772

Plugin:: DethemeKit for Elementor
Plugin Slug:: dethemekit-for-elementor
Installations: 40,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.1.9
Severity Score:: Medium
CVE:: 2025-0661

Plugin:: FULL – Cliente
Plugin Slug:: full-customer
Installations: 40,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.1.27
Severity Score:: High
CVE:: 2025-26757

Plugin:: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug:: woo-bulk-editor
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.4.5
Severity Score:: Medium
CVE:: 2025-26775

Plugin:: Security & Malware scan by CleanTalk
Plugin Slug:: security-malware-firewall
Installations: 30,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.150
Severity Score:: Critical
CVE:: 2024-13365

Plugin:: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Plugin Slug:: wp-analytify
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.5.1
Severity Score:: Medium
CVE:: 2025-26773

Plugin:: Ecwid by Lightspeed Ecommerce Shopping Cart
Plugin Slug:: ecwid-shopping-cart
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.12.28
Severity Score:: Medium
CVE:: 2024-13795

Plugin:: Read More & Accordion
Plugin Slug:: expand-maker
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.3
Severity Score:: Medium
CVE:: 2024-13639

Plugin:: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
Plugin Slug:: hurrytimer
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.12.0
Severity Score:: Medium
CVE:: 2024-13735

Plugin:: Custom Block Builder – Lazy Blocks
Plugin Slug:: lazy-blocks
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.3
Severity Score:: High
CVE:: 2024-12878

Plugin:: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
Plugin Slug:: responsive-add-ons
Installations: 20,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.1.5
Severity Score:: Medium
CVE:: 2024-13834

Plugin:: Welcart e-Commerce
Plugin Slug:: usc-e-shop
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.10
Severity Score:: High
CVE:: 2025-0511

Plugin:: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.98
Severity Score:: Medium
CVE:: 2024-13506

Plugin:: Maps Plugin using Google Maps for WordPress – WP Google Map
Plugin Slug:: gmap-embed
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.4
Severity Score:: Medium
CVE:: 2024-13208

Plugin:: Media Library Folders
Plugin Slug:: media-library-plus
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.3.1
Severity Score:: Medium
CVE:: 2025-0935

Plugin:: Qubely – Advanced Gutenberg Blocks
Plugin Slug:: qubely
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.13
Severity Score:: Medium
CVE:: 2025-26767

Plugin:: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Plugin Slug:: s2member
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 250214
Severity Score:: Critical
CVE:: 2024-12562

Plugin:: Team – Team Members Showcase Plugin
Plugin Slug:: tlp-team
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2024-13439

Plugin:: Export All Posts, Products, Orders, Refunds & Users
Plugin Slug:: wp-ultimate-exporter
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.10
Severity Score:: High
CVE:: 2024-12315

Plugin:: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist
Plugin Slug:: bit-assist
Installations: 9,000+
Vulnerability:: Path Traversal
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-0822

Plugin:: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist
Plugin Slug:: bit-assist
Installations: 9,000+
Vulnerability:: Path Traversal
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2024-13791

Plugin:: Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist
Plugin Slug:: bit-assist
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.3
Severity Score:: High
CVE:: 2025-0821

Plugin:: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Plugin Slug:: wedevs-project-manager
Installations: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.6.18
Severity Score:: High
CVE:: 2024-13500

Plugin:: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Plugin Slug:: wedevs-project-manager
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.18
Severity Score:: Medium
CVE:: 2024-13752

Plugin:: Customer Email Verification for WooCommerce
Plugin Slug:: emails-verification-for-woocommerce
Installations: 7,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.9.5
Severity Score:: Medium
CVE:: 2024-13525

Plugin:: Customer Email Verification for WooCommerce
Plugin Slug:: emails-verification-for-woocommerce
Installations: 7,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.9.6
Severity Score:: High
CVE:: 2024-13528

Plugin:: JS Help Desk – The Ultimate Help Desk & Support Plugin
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.8.9
Severity Score:: High
CVE:: 2024-13606

Plugin:: ProfileGrid – User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.9.4.3
Severity Score:: Medium
CVE:: 2024-13740

Plugin:: ProfileGrid – User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.9.4.3
Severity Score:: Medium
CVE:: 2024-13741

Plugin:: Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features
Plugin Slug:: woo-refund-and-exchange-lite
Installations: 5,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.4.6
Severity Score:: Medium
CVE:: 2024-13692

Plugin:: Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features
Plugin Slug:: woo-refund-and-exchange-lite
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.4.6
Severity Score:: Medium
CVE:: 2024-13641

Plugin:: Affiliate Links: WordPress Plugin for Link Cloaking and Link Management
Plugin Slug:: affiliate-links
Installations: 4,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.1.0
Severity Score:: High
CVE:: 2024-13556

Plugin:: CM Search And Replace – Optimize content edits with a powerful search and replace tool
Plugin Slug:: cm-on-demand-search-and-replace
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.6
Severity Score:: High
CVE:: 2025-24758

Plugin:: Super Testimonials
Plugin Slug:: super-testimonial
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.2
Severity Score:: High
CVE:: 2024-13704

Plugin:: Leyka
Plugin Slug:: leyka
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.31.9
Severity Score:: Medium
CVE:: 2025-26766

Plugin:: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
Plugin Slug:: majestic-support
Installations: 2,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2024-13601

Plugin:: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
Plugin Slug:: majestic-support
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.6
Severity Score:: High
CVE:: 2024-13600

Plugin:: Active Products Tables for WooCommerce. Use constructor to create tables
Plugin Slug:: profit-products-tables-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.6.7
Severity Score:: High
CVE:: 2025-0864

Plugin:: SKT Blocks – Gutenberg based Page Builder
Plugin Slug:: skt-blocks
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2025-26771

Plugin:: Timeline Block – Timeline block plugin for WordPress
Plugin Slug:: timeline-block-block
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2025-26754

Plugin:: Vitepos – Point of sale (POS) plugin for WooCommerce
Plugin Slug:: vitepos-lite
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2025-26750

Plugin:: WP Airbnb Review Slider
Plugin Slug:: wp-airbnb-review-slider
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.0
Severity Score:: High
CVE:: 2025-26755

Plugin:: Calculator Builder – Create an Online Calculator
Plugin Slug:: calculator-builder
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.6.3
Severity Score:: High
CVE:: 2025-26760

Plugin:: DirectoryPress Frontend
Plugin Slug:: directorypress-frontend
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.8.0
Severity Score:: Medium
CVE:: 2024-10581

Plugin:: Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later
Plugin Slug:: flexible-wishlist
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.27
Severity Score:: Medium
CVE:: 2024-13718

Plugin:: iNET Webkit
Plugin Slug:: inet-webkit
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2025-22629

Plugin:: Oliver POS – A WooCommerce Point of Sale (POS)
Plugin Slug:: oliver-pos
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.4.2.4
Severity Score:: Critical
CVE:: 2024-13513

Plugin:: Simple Google Calendar Outlook Events Widget
Plugin Slug:: simple-google-icalendar-widget
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.0
Severity Score:: Medium
CVE:: 2025-22497

Plugin:: SuperSaaS – online appointment scheduling
Plugin Slug:: supersaas-appointment-scheduling
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2025-0862

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.14
Severity Score:: Medium
CVE:: 2024-13554

Plugin:: aBlocks – WordPress Gutenberg Blocks
Plugin Slug:: ablocks
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.2
Severity Score:: Medium
CVE:: 2024-13465

Plugin:: Marketing Automation
Plugin Slug:: marketing-automation
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.6.9
Severity Score:: High
CVE:: 2025-22631

Plugin:: Waymark
Plugin Slug:: waymark
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2025-26770

Plugin:: All-Images.ai – IA Image Bank and Custom Image creation
Plugin Slug:: all-images-ai
Installations: 600+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.0.5
Severity Score:: High
CVE:: 2024-13714

Plugin:: Give – Divi Donation Modules
Plugin Slug:: give-donation-modules-for-divi
Installations: 600+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2025-22633

Plugin:: Houzez Property Feed
Plugin Slug:: houzez-property-feed
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.22
Severity Score:: Medium
CVE:: 2025-0808

Plugin:: NGG Smart Image Search
Plugin Slug:: ngg-smart-image-search
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.2
Severity Score:: Medium
CVE:: 2024-13658

Plugin:: aDirectory – WordPress Directory Listing Plugin
Plugin Slug:: adirectory
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.5
Severity Score:: Medium
CVE:: 2024-13541

Plugin:: AForms Eats
Plugin Slug:: aforms-eats
Installations: 400+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2024-13539

Plugin:: Keep Backup Daily
Plugin Slug:: keep-backup-daily
Installations: 400+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2025-26779

Plugin:: SpeedSize Image & Video AI-Optimizer
Plugin Slug:: speedsize-ai-image-optimizer
Installations: 400+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5.2
Severity Score:: Medium
CVE:: 2024-13438

Plugin:: Easy Elementor Addons
Plugin Slug:: easy-elementor-addons
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.6
Severity Score:: Medium
CVE:: 2025-26761

Plugin:: Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
Plugin Slug:: scratch-win-giveaways-for-website-facebook
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.0
Severity Score:: Medium
CVE:: 2024-13316

Plugin:: Web Stories Enhancer – Level Up Your Web Stories
Plugin Slug:: web-stories-enhancer
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2024-13575

Plugin:: WooCommerce Pricing – Product Pricing
Plugin Slug:: woo-pricing-table
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.0
Severity Score:: High
CVE:: 2025-22632

Plugin:: WP Abstracts
Plugin Slug:: wp-abstracts-manuscripts-manager
Installations: 300+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.7.4
Severity Score:: High
CVE:: 2024-12386

Plugin:: what3words Address Field
Plugin Slug:: 3-word-address-validation-field
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.0.16
Severity Score:: High
CVE:: 2025-26768

Plugin:: Content Snippet Manager
Plugin Slug:: content-snippet-manager
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: High
CVE:: 2025-26759

Plugin:: Threepress
Plugin Slug:: threepress
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.2
Severity Score:: Medium
CVE:: 2024-13395

Plugin:: Admire Extra
Plugin Slug:: admire-extra
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2024-13665

Plugin:: CM Map Locations – Visualize and share your locations in a few clicks
Plugin Slug:: cm-map-locations
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9
Severity Score:: High
CVE:: 2025-24758

Plugin:: Distance Based Shipping Calculator
Plugin Slug:: distance-based-shipping-calculator
Installations: 100+
Vulnerability:: Settings Change
Patched in Version:: 2.0.23
Severity Score:: Medium
CVE:: 2025-26764

Plugin:: Distance Based Shipping Calculator
Plugin Slug:: distance-based-shipping-calculator
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.23
Severity Score:: Medium
CVE:: 2025-26765

Plugin:: Easy Booked – Appointment Booking and Scheduling Management System for WordPress
Plugin Slug:: easy-booked
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.6
Severity Score:: Medium
CVE:: 2025-22634

Plugin:: LTL Freight Quotes – Worldwide Express Edition
Plugin Slug:: ltl-freight-quotes-worldwide-express-edition
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.21
Severity Score:: Medium
CVE:: 2025-22291

Plugin:: LTL Freight Quotes – Worldwide Express Edition
Plugin Slug:: ltl-freight-quotes-worldwide-express-edition
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.22
Severity Score:: High
CVE:: 2025-22286

Plugin:: Magic the Gathering Card Tooltips
Plugin Slug:: magic-the-gathering-card-tooltips
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.0
Severity Score:: High
CVE:: 2025-26756

Plugin:: StaffList
Plugin Slug:: stafflist
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.4
Severity Score:: High
CVE:: 2024-13749

Plugin:: Liveticker (by stklcode)
Plugin Slug:: stklcode-liveticker
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2024-13701

Plugin:: WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon
Plugin Slug:: wpsyncsheets-wpforms
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.1
Severity Score:: Medium
CVE:: 2024-12164

Plugin:: Shopwarden – Automated WooCommerce monitoring & testing
Plugin Slug:: shopwarden
Installations: 80+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.12
Severity Score:: High
CVE:: 2024-13315

Plugin:: FuseDesk
Plugin Slug:: fusedesk
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7
Severity Score:: Medium
CVE:: 2024-13459

Plugin:: LTL Freight Quotes – FreightQuote Edition
Plugin Slug:: ltl-freight-quotes-freightquote-edition
Installations: 60+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.12
Severity Score:: Medium
CVE:: 2025-22287

Plugin:: LTL Freight Quotes – FreightQuote Edition
Plugin Slug:: ltl-freight-quotes-freightquote-edition
Installations: 60+
Vulnerability:: SQL Injection
Patched in Version:: 2.3.12
Severity Score:: Critical
CVE:: 2025-22290

Plugin:: MemorialDay
Plugin Slug:: memorialday
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.0
Severity Score:: High
CVE:: 2024-13523

Plugin:: Vertex Addons for Elementor
Plugin Slug:: addons-for-elementor-builder
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2025-26769

Plugin:: Discover the Best Woocommerce Product Brands Plugin for WordPress – Woocommerce Brands Plugin
Plugin Slug:: gs-woo-brands
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2024-11746

Plugin:: LTL Freight Quotes – Estes Edition
Plugin Slug:: ltl-freight-quotes-estes-edition
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: 3.3.8
Severity Score:: Critical
CVE:: 2024-13488

Plugin:: LTL Freight Quotes – XPO Edition
Plugin Slug:: ltl-freight-quotes-xpo-edition
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: 4.3.8
Severity Score:: Critical
CVE:: 2024-13490

Plugin:: Small Package Quotes – UPS Edition
Plugin Slug:: small-package-quotes-ups-edition
Installations: 30+
Vulnerability:: SQL Injection
Patched in Version:: 4.5.17
Severity Score:: Critical
CVE:: 2024-13475

Plugin:: LTL Freight Quotes – For Customers of FedEx Freight
Plugin Slug:: ltl-freight-quotes-fedex-freight-edition
Installations: 20+
Vulnerability:: SQL Injection
Patched in Version:: 3.4.2
Severity Score:: Critical
CVE:: 2024-13480

Plugin:: Simple Certain Time to Show Content
Plugin Slug:: simple-certain-time-to-show-content
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2024-10152

Plugin:: Responsive Modal Builder for High Conversion – Easy Popups
Plugin Slug:: easy-popups
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.1
Severity Score:: High
CVE:: 2025-26774

Plugin:: Chaty Pro
Plugin Slug:: chaty-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.4
Severity Score:: Critical
CVE:: 2025-26776

Plugin:: ConvertPlus
Plugin Slug:: convertplug
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.31
Severity Score:: High
CVE:: 2024-13800

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.11.14
Severity Score:: High
CVE:: 2024-13345

Plugin:: Gallery
Plugin Slug:: gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-26778

Plugin:: Global Gallery – WordPress Responsive Gallery
Plugin Slug:: global-gallery
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 9.1.6
Severity Score:: Medium
CVE:: 2024-13814

Plugin:: K Elements
Plugin Slug:: k-elements
Vulnerability:: Privilege Escalation
Patched in Version:: 5.4.0
Severity Score:: Critical
CVE:: 2024-56000

Plugin:: LTL Freight Quotes – Unishippers Edition
Plugin Slug:: ltl-freight-quotes-unishippers-edition
Vulnerability:: SQL Injection
Patched in Version:: 2.5.9
Severity Score:: Critical
CVE:: 2024-13477

Plugin:: LTL Freight Quotes – Unishippers Edition
Plugin Slug:: ltl-freight-quotes-unishippers-edition
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.9
Severity Score:: High
CVE:: 2025-22284

Plugin:: LTL Freight Quotes – Unishippers Edition
Plugin Slug:: ltl-freight-quotes-unishippers-edition
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.9
Severity Score:: Medium
CVE:: 2025-22289

Plugin:: Notif Bell
Plugin Slug:: notif-bell
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.9.9
Severity Score:: Medium
CVE:: 2025-22496

Plugin:: Tourmaster
Plugin Slug:: tourmaster
Vulnerability:: SQL Injection
Patched in Version:: 5.3.7
Severity Score:: High
CVE:: 2024-13369

Plugin:: Uncode Core
Plugin Slug:: uncode-core
Vulnerability:: Content Injection
Patched in Version:: 2.9.1.7
Severity Score:: Medium
CVE:: 2024-13689

Plugin:: WP Table Manager
Plugin Slug:: wp-table-manager
Vulnerability:: Directory Traversal
Patched in Version:: 4.1.4
Severity Score:: Medium
CVE:: 2024-13374

WordPress Themes — 12 Patched / 4 Unpatched

Theme:: Campress
Theme Slug:: campress
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-10763

Theme:: Puzzles
Theme Slug:: puzzles
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-13770

Theme:: Puzzles
Theme Slug:: puzzles
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0837

Theme:: Puzzles
Theme Slug:: puzzles
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13769

Theme:: Uncode
Theme Slug:: uncode
Downloads: 2,247
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.9.1.7
Severity Score:: Medium
CVE:: 2024-13691

Theme:: Uncode
Theme Slug:: uncode
Downloads: 2,247
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.1.7
Severity Score:: Medium
CVE:: 2024-13667

Theme:: Uncode
Theme Slug:: uncode
Downloads: 2,247
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.9.1.7
Severity Score:: High
CVE:: 2024-13681

Theme:: Avada
Theme Slug:: avada
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 7.11.14
Severity Score:: High
CVE:: 2024-13346

Theme:: CarSpot
Theme Slug:: carspot
Vulnerability:: Broken Authentication
Patched in Version:: 2.4.4
Severity Score:: Critical
CVE:: 2024-12860

Theme:: Click Mag
Theme Slug:: click-mag
Vulnerability:: Broken Access Control
Patched in Version:: 3.7.0
Severity Score:: High
CVE:: 2024-13656

Theme:: Listivo – Classified Ads
Theme Slug:: listivo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.68
Severity Score:: High
CVE:: 2024-13867

Theme:: PressMart
Theme Slug:: pressmart
Vulnerability:: Content Injection
Patched in Version:: 1.2.17
Severity Score:: Medium
CVE:: 2024-13797

Theme:: Real Estate 7
Theme Slug:: realestate-7
Vulnerability:: Privilege Escalation
Patched in Version:: 3.5.1
Severity Score:: Critical
CVE:: 2024-13421

Theme:: Zox News
Theme Slug:: zox-news
Vulnerability:: Broken Access Control
Patched in Version:: 3.17.1
Severity Score:: Medium
CVE:: 2024-13643

Theme:: ZoxPress
Theme Slug:: zoxpress
Vulnerability:: Broken Access Control
Patched in Version:: 2.12.1
Severity Score:: High
CVE:: 2024-13654

Theme:: ZoxPress
Theme Slug:: zoxpress
Vulnerability:: Broken Access Control
Patched in Version:: 2.12.1
Severity Score:: High
CVE:: 2024-13653

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah

Sarah has been with StellarWP since 2024. As our marketing generalist, she spends her day writing content and completing projects for SolidWP, LearnDash, and The Events Calendar. In her free time, Sarah can be found playing pickleball, enjoying coffee at a local coffee shop, and spending time with her husband.

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 123 Patched / 91 Unpatched