WordPress Vulnerability Report — March 12, 2025

Last week, 143 new vulnerabilities emerged in the WordPress ecosystem, including 129 plugins and 14 themes. 57 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Mar 12, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:26 min.

In this report, 143 vulnerabilities have been publicly disclosed. Security patches for 86 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 57 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 78 Patched / 51 Unpatched

2.1 SEO Plugin by Squirrly SEO
2.2 Master Slider – Responsive Touch Slider
2.3 Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More
2.4 All-in-One Addons for Elementor – WidgetKit
2.5 Wishlist for WooCommerce: Multi Wishlists Per Customer
2.6 SearchIQ – The Search Solution
2.7 Point Maker
2.8 Recently Purchased Products For Woo
2.9 Allow PHP Execute
2.10 Code Snippets CPT
2.11 Contact Us By Lord Linus
2.12 CS Framework
2.13 DesignThemes Core Features
2.14 Download HTML TinyMCE Button
2.15 URL Shortener | Conversion Tracking | AB Testing | WooCommerce
2.16 URL Shortener | Conversion Tracking | AB Testing | WooCommerce
2.17 WooMail
2.18 Email Keep
2.19 Email Keep
2.20 Ultimate Video Player
2.21 I Am Gloria
2.22 Hero Maps Premium
2.23 Hero Mega Menu – Responsive WordPress Menu Plugin
2.24 Hero Slider
2.25 InWave Jobs
2.26 Limit Bio
2.27 Limit Bio
2.28 Link My Posts
2.29 mEintopf
2.30 miniOrange Social Login and Register Pro Addon
2.31 My Quota
2.32 Ninja Pages
2.33 WP Online Contract
2.34 Passbeemedia Web Push Notification
2.35 Post Lockdown
2.36 Post Meta Data Manager
2.37 WooCommerce Recover Abandoned Cart
2.38 Razorpay Subscription Button Elementor Plugin
2.39 School Management
2.40 School Management
2.41 School Management
2.42 Shortcode Cleaner Lite
2.43 Simple Notification
2.44 SpotBot
2.45 WoWPth
2.46 WordPress Awesome Import & Export Plugin – Import & Export WordPress Data
2.47 WP Click Info
2.48 WP e-Customers Beta
2.49 WP-PManager
2.50 WP Real Estate Manager
2.51 Years Since
2.52 PixelYourSite – Your smart PIXEL (TAG) & API Manager
2.53 WP Shortcodes Plugin — Shortcodes Ultimate
2.54 Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
2.55 Page Builder: Pagelayer – Drag and Drop website builder
2.56 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
2.57 WP Activity Log
2.58 Admin and Site Enhancements (ASE)
2.59 bbPress
2.60 Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics
2.61 Download Manager
2.62 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
2.63 Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin
2.64 FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
2.65 FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
2.66 FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
2.67 GiveWP – Donation Plugin and Fundraising Platform
2.68 SEO Plugin by Squirrly SEO
2.69 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
2.70 VK Blocks
2.71 HUSKY – Products Filter Professional for WooCommerce
2.72 HT Mega – Absolute Addons For Elementor
2.73 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
2.74 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
2.75 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
2.76 Print Invoice & Delivery Notes for WooCommerce
2.77 Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
2.78 RomethemeKit For Elementor
2.79 140+ Widgets | Xpro Addons For Elementor – FREE
2.80 Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
2.81 Qubely – Advanced Gutenberg Blocks
2.82 SupportCandy – Helpdesk & Customer Support Ticket System
2.83 UiPress lite | Effortless custom dashboards, admin themes and pages
2.84 WPGet API – Connect to any external REST API
2.85 Notibar – Notification Bar for WordPress
2.86 EventPrime – Events Calendar, Bookings and Tickets
2.87 Podlove Podcast Publisher
2.88 Product Input Fields for WooCommerce
2.89 Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins
2.90 VikRentCar Car Rental Management System
2.91 WP Posts Carousel
2.92 Moving Media Library
2.93 Wallet System for WooCommerce
2.94 Wallet System for WooCommerce
2.95 SMTP by BestWebSoft
2.96 Eventer
2.97 teachPress
2.98 WP-Recall – Registration, Profile, Commerce & More
2.99 WP-Recall – Registration, Profile, Commerce & More
2.100 WP-Recall – Registration, Profile, Commerce & More
2.101 WP-Recall – Registration, Profile, Commerce & More
2.102 WPCOM Member
2.103 Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
2.104 WPCS – WordPress Currency Switcher Professional
2.105 Flexmls® IDX Plugin
2.106 Greek Multi Tool – Fix peralinks, accents, auto create menus and more
2.107 Simple Download Counter
2.108 Solace Extra
2.109 Ultimate WordPress Auction Plugin
2.110 m1.DownloadList
2.111 WordPress abandoned cart recovery and email marketing for WooCommerce by Recapture
2.112 Gallery Styles
2.113 Reservit Hotel
2.114 Multiple Shipping And Billing Address For Woocommerce
2.115 WPBookit
2.116 Appsero Helper
2.117 Platform.ly for WooCommerce
2.118 Aiomatic
2.119 Aiomatic
2.120 Animation Addons for Elementor Pro
2.121 CS Framework
2.122 Edd Google Sheet Connector Pro
2.123 Easy Digital Downloads Google Sheet Connector
2.124 Gtbabel
2.125 Javo Core
2.126 School Management
2.127 School Management
2.128 Social Share And Social Locker
2.129 WooCommerce Multi Currency – Currency Switcher

3. WordPress Themes — 8 Patched / 6 Unpatched

3.1 Sparkling
3.2 Homey
3.3 Lafka
3.4 Listingo
3.5 VEDA
3.6 Zass
3.7 Newscrunch
3.8 Newscrunch
3.9 VW Storefront
3.10 Flex Mag
3.11 Golo
3.12 Homey
3.13 Homey
3.14 JNews

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8 Beta 2 is ready for testing! This beta version of the WordPress software is under development. Please do not install, run, or test this version of WordPress on production or mission-critical websites. Instead, you should evaluate Beta 2 on a test server and site.

WordPress Plugins — 78 Patched / 51 Unpatched

Plugin:: SEO Plugin by Squirrly SEO
Plugin Slug:: squirrly-seo
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24654

Plugin:: Master Slider – Responsive Touch Slider
Plugin Slug:: master-slider
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11731

Plugin:: Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More
Plugin Slug:: content-control
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11153

Plugin:: All-in-One Addons for Elementor – WidgetKit
Plugin Slug:: widgetkit-for-elementor
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-10321

Plugin:: Wishlist for WooCommerce: Multi Wishlists Per Customer
Plugin Slug:: wish-list-for-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13774

Plugin:: SearchIQ – The Search Solution
Plugin Slug:: searchiq
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13350

Plugin:: Point Maker
Plugin Slug:: point-maker
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-12815

Plugin:: Recently Purchased Products For Woo
Plugin Slug:: recently-purchased-products-for-woo
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1008

Plugin:: Allow PHP Execute
Plugin Slug:: allow-php-execute
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13890

Plugin:: Code Snippets CPT
Plugin Slug:: code-snippets-cpt
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13895

Plugin:: Contact Us By Lord Linus
Plugin Slug:: contact-us-by-lord-linus
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1382

Plugin:: CS Framework
Plugin Slug:: cs-framework
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12036

Plugin:: DesignThemes Core Features
Plugin Slug:: designthemes-core-features
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13471

Plugin:: Download HTML TinyMCE Button
Plugin Slug:: download-html-tinymce-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1286

Plugin:: URL Shortener | Conversion Tracking | AB Testing | WooCommerce
Plugin Slug:: easy-broken-link-checker
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1363

Plugin:: URL Shortener | Conversion Tracking | AB Testing | WooCommerce
Plugin Slug:: easy-broken-link-checker
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1362

Plugin:: WooMail
Plugin Slug:: email-customizer-for-woocommerce-with-drag-drop-builder
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13747

Plugin:: Email Keep
Plugin Slug:: email-keep
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13826

Plugin:: Email Keep
Plugin Slug:: email-keep
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13825

Plugin:: Ultimate Video Player
Plugin Slug:: fwduvp
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-10804

Plugin:: I Am Gloria
Plugin Slug:: gloria-assistant-by-webtronic-labs
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0990

Plugin:: Hero Maps Premium
Plugin Slug:: hmapsprem
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13781

Plugin:: Hero Mega Menu – Responsive WordPress Menu Plugin
Plugin Slug:: hmenu
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13780

Plugin:: Hero Slider
Plugin Slug:: hslide
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13809

Plugin:: InWave Jobs
Plugin Slug:: iwjob
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-1315

Plugin:: Limit Bio
Plugin Slug:: limit-bio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1436

Plugin:: Limit Bio
Plugin Slug:: limit-bio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13884

Plugin:: Link My Posts
Plugin Slug:: linkmyposts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13881

Plugin:: mEintopf
Plugin Slug:: meintopf
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13876

Plugin:: miniOrange Social Login and Register Pro Addon
Plugin Slug:: miniorange-login-openid-pro
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-11087

Plugin:: My Quota
Plugin Slug:: my-quota
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13880

Plugin:: Ninja Pages
Plugin Slug:: ninja-page-categories-and-tags
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1454

Plugin:: WP Online Contract
Plugin Slug:: onlinecontract
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0954

Plugin:: Passbeemedia Web Push Notification
Plugin Slug:: passbeemedia-web-push-notifications
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13877

Plugin:: Post Lockdown
Plugin Slug:: post-lockdown
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1504

Plugin:: Post Meta Data Manager
Plugin Slug:: post-meta-data-manager
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13835

Plugin:: WooCommerce Recover Abandoned Cart
Plugin Slug:: rac
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-0956

Plugin:: Razorpay Subscription Button Elementor Plugin
Plugin Slug:: razorpay-subscription-button-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13827

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-12610

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12611

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-9658

Plugin:: Shortcode Cleaner Lite
Plugin Slug:: shortcode-cleaner-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1481

Plugin:: Simple Notification
Plugin Slug:: simple-notification
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13866

Plugin:: SpotBot
Plugin Slug:: spotbot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13878

Plugin:: WoWPth
Plugin Slug:: wowpth
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1486

Plugin:: WordPress Awesome Import & Export Plugin – Import & Export WordPress Data
Plugin Slug:: wp-awesome-import-export
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13232

Plugin:: WP Click Info
Plugin Slug:: wp-click-info
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-1401

Plugin:: WP e-Customers Beta
Plugin Slug:: wp-e-customers
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13885

Plugin:: WP-PManager
Plugin Slug:: wp-programmmanager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13875

Plugin:: WP Real Estate Manager
Plugin Slug:: wp-realestate-manager
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-1515

Plugin:: Years Since
Plugin Slug:: years-since
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-12460

Plugin:: PixelYourSite – Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 10.1.1.2
Severity Score:: Critical
CVE:: 2025-0769

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.3.4
Severity Score:: Medium
CVE:: 2025-0370

Plugin:: Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: High
CVE:: 2024-13844

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 200,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9.9
Severity Score:: Medium
CVE:: 2025-1926

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.10.1
Severity Score:: Critical
CVE:: 2025-1702

Plugin:: WP Activity Log
Plugin Slug:: wp-security-audit-log
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.3.3
Severity Score:: High
CVE:: 2025-0767

Plugin:: Admin and Site Enhancements (ASE)
Plugin Slug:: admin-site-enhancements
Installations: 100,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 7.6.10
Severity Score:: Medium
CVE:: 2024-13685

Plugin:: bbPress
Plugin Slug:: bbpress
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.12
Severity Score:: Medium
CVE:: 2025-1435

Plugin:: Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics
Plugin Slug:: cookiebot
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.2
Severity Score:: Medium
CVE:: 2025-1666

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.3.07
Severity Score:: Medium
CVE:: 2024-13126

Plugin:: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug:: essential-blocks
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.2
Severity Score:: Medium
CVE:: 2025-1664

Plugin:: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin
Plugin Slug:: file-manager-advanced
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2024-13805

Plugin:: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Plugin Slug:: foogallery
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.4.30
Severity Score:: Medium
CVE:: 2024-12114

Plugin:: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Plugin Slug:: foogallery
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.30
Severity Score:: Medium
CVE:: 2024-12119

Plugin:: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Plugin Slug:: foogallery
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.30
Severity Score:: High
CVE:: 2025-22624

Plugin:: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.20.0
Severity Score:: Critical
CVE:: 2025-0912

Plugin:: SEO Plugin by Squirrly SEO
Plugin Slug:: squirrly-seo
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 12.4.06
Severity Score:: High
CVE:: 2025-1768

Plugin:: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.3
Severity Score:: Medium
CVE:: 2025-1287

Plugin:: VK Blocks
Plugin Slug:: vk-blocks
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.95.0.3
Severity Score:: Medium
CVE:: 2024-13635

Plugin:: HUSKY – Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.6.6
Severity Score:: High
CVE:: 2025-1661

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.3
Severity Score:: Medium
CVE:: 2025-1261

Plugin:: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.8.5
Severity Score:: High
CVE:: 2024-13431

Plugin:: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.7.3
Severity Score:: Medium
CVE:: 2024-9618

Plugin:: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.7.2
Severity Score:: Medium
CVE:: 2025-0433

Plugin:: Print Invoice & Delivery Notes for WooCommerce
Plugin Slug:: woocommerce-delivery-notes
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.5.0
Severity Score:: Medium
CVE:: 2024-13640

Plugin:: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Plugin Slug:: publishpress-authors
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.7.4
Severity Score:: High
CVE:: 2025-26886

Plugin:: RomethemeKit For Elementor
Plugin Slug:: rometheme-for-elementor
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2024-10326

Plugin:: 140+ Widgets | Xpro Addons For Elementor – FREE
Plugin Slug:: xpro-elementor-addons
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.6.8
Severity Score:: Medium
CVE:: 2024-13649

Plugin:: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Plugin Slug:: gallery-plugin
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.7.4
Severity Score:: High
CVE:: 2024-13906

Plugin:: Qubely – Advanced Gutenberg Blocks
Plugin Slug:: qubely
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.8.14
Severity Score:: Medium
CVE:: 2024-13228

Plugin:: SupportCandy – Helpdesk & Customer Support Ticket System
Plugin Slug:: supportcandy
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2024-13552

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.05
Severity Score:: High
CVE:: 2025-1309

Plugin:: WPGet API – Connect to any external REST API
Plugin Slug:: wpgetapi
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.25.1
Severity Score:: Medium
CVE:: 2024-13857

Plugin:: Notibar – Notification Bar for WordPress
Plugin Slug:: notibar
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.6
Severity Score:: Medium
CVE:: 2025-1672

Plugin:: EventPrime – Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.7.4
Severity Score:: Medium
CVE:: 2024-13526

Plugin:: Podlove Podcast Publisher
Plugin Slug:: podlove-podcasting-plugin-for-wordpress
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.2.3
Severity Score:: Medium
CVE:: 2025-1383

Plugin:: Product Input Fields for WooCommerce
Plugin Slug:: product-input-fields-for-woocommerce
Installations: 5,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.12.2
Severity Score:: High
CVE:: 2024-13359

Plugin:: Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins
Plugin Slug:: related-post
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.60
Severity Score:: High
CVE:: 2024-12634

Plugin:: VikRentCar Car Rental Management System
Plugin Slug:: vikrentcar
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2024-11640

Plugin:: WP Posts Carousel
Plugin Slug:: wp-posts-carousel
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2025-1491

Plugin:: Moving Media Library
Plugin Slug:: moving-media-library
Installations: 3,000+
Vulnerability:: Directory Traversal
Patched in Version:: 1.23
Severity Score:: Medium
CVE:: 2024-13897

Plugin:: Wallet System for WooCommerce
Plugin Slug:: wallet-system-for-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.3
Severity Score:: Medium
CVE:: 2024-13682

Plugin:: Wallet System for WooCommerce
Plugin Slug:: wallet-system-for-woocommerce
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.3
Severity Score:: Medium
CVE:: 2024-13724

Plugin:: SMTP by BestWebSoft
Plugin Slug:: bws-smtp
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.2.0
Severity Score:: High
CVE:: 2024-13908

Plugin:: Eventer
Plugin Slug:: eventer
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.9.9.3
Severity Score:: High
CVE:: 2025-0959

Plugin:: teachPress
Plugin Slug:: teachpress
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.0.8
Severity Score:: High
CVE:: 2025-1321

Plugin:: WP-Recall – Registration, Profile, Commerce & More
Plugin Slug:: wp-recall
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 16.26.12
Severity Score:: Medium
CVE:: 2025-1322

Plugin:: WP-Recall – Registration, Profile, Commerce & More
Plugin Slug:: wp-recall
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 16.26.12
Severity Score:: Critical
CVE:: 2025-1323

Plugin:: WP-Recall – Registration, Profile, Commerce & More
Plugin Slug:: wp-recall
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 16.26.12
Severity Score:: Medium
CVE:: 2025-1325

Plugin:: WP-Recall – Registration, Profile, Commerce & More
Plugin Slug:: wp-recall
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 16.26.12
Severity Score:: Medium
CVE:: 2025-1324

Plugin:: WPCOM Member
Plugin Slug:: wpcom-member
Installations: 2,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.7.6
Severity Score:: Critical
CVE:: 2025-1475

Plugin:: Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
Plugin Slug:: wpgsi
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.8.3
Severity Score:: Medium
CVE:: 2025-1463

Plugin:: WPCS – WordPress Currency Switcher Professional
Plugin Slug:: currency-switcher
Installations: 1,000+
Vulnerability:: Content Injection
Patched in Version:: 1.2.0.5
Severity Score:: High
CVE:: 2025-2169

Plugin:: Flexmls® IDX Plugin
Plugin Slug:: flexmls-idx
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.14.29
Severity Score:: Medium
CVE:: 2025-0863

Plugin:: Greek Multi Tool – Fix peralinks, accents, auto create menus and more
Plugin Slug:: greek-multi-tool
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.2
Severity Score:: High

Plugin:: Simple Download Counter
Plugin Slug:: simple-download-counter
Installations: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.1
Severity Score:: Medium
CVE:: 2025-1730

Plugin:: Solace Extra
Plugin Slug:: solace-extra
Installations: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.1
Severity Score:: High

Plugin:: Ultimate WordPress Auction Plugin
Plugin Slug:: ultimate-auction
Installations: 1,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 4.3.0
Severity Score:: High
CVE:: 2025-0958

Plugin:: m1.DownloadList
Plugin Slug:: m1downloadlist
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.20
Severity Score:: Medium
CVE:: 2025-26895

Plugin:: WordPress abandoned cart recovery and email marketing for WooCommerce by Recapture
Plugin Slug:: recapture-for-woocommerce
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.44
Severity Score:: Medium
CVE:: 2025-26899

Plugin:: Gallery Styles
Plugin Slug:: gallery-styles
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2025-1783

Plugin:: Reservit Hotel
Plugin Slug:: reservit-hotel
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2024-9458

Plugin:: Multiple Shipping And Billing Address For Woocommerce
Plugin Slug:: different-shipping-and-billing-address-for-woocommerce
Installations: 200+
Vulnerability:: SQL Injection
Patched in Version:: 1.5
Severity Score:: Critical
CVE:: 2025-26875

Plugin:: WPBookit
Plugin Slug:: wpbookit
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.2
Severity Score:: High
CVE:: 2025-26910

Plugin:: Appsero Helper
Plugin Slug:: appsero-helper
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.3
Severity Score:: High
CVE:: 2024-13436

Plugin:: Platform.ly for WooCommerce
Plugin Slug:: platformly-for-woocommerce
Installations: 10+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.1.7
Severity Score:: Medium
CVE:: 2024-13904

Plugin:: Aiomatic
Plugin Slug:: aiomatic-automatic-ai-content-writer
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.3.9
Severity Score:: High
CVE:: 2024-13882

Plugin:: Aiomatic
Plugin Slug:: aiomatic-automatic-ai-content-writer
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.7
Severity Score:: Medium
CVE:: 2024-13816

Plugin:: Animation Addons for Elementor Pro
Plugin Slug:: animation-addons-for-elementor-pro
Vulnerability:: Broken Access Control
Patched in Version:: 1.7
Severity Score:: High
CVE:: 2025-1639

Plugin:: CS Framework
Plugin Slug:: cs-framework
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 7.1
Severity Score:: High
CVE:: 2024-12035

Plugin:: Edd Google Sheet Connector Pro
Plugin Slug:: edd-google-sheet-connector-pro
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2023-2334

Plugin:: Easy Digital Downloads Google Sheet Connector
Plugin Slug:: gsheetconnector-easy-digital-downloads
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2023-2334

Plugin:: Gtbabel
Plugin Slug:: gtbabel
Vulnerability:: Privilege Escalation
Patched in Version:: 6.6.9
Severity Score:: High
CVE:: 2024-11638

Plugin:: Javo Core
Plugin Slug:: javo-core
Vulnerability:: Privilege Escalation
Patched in Version:: 3.0.0.266
Severity Score:: Critical
CVE:: 2025-0177

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: SQL Injection
Patched in Version:: 93.0.0
Severity Score:: High
CVE:: 2024-12607

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: SQL Injection
Patched in Version:: 93.0.0
Severity Score:: High
CVE:: 2024-12609

Plugin:: Social Share And Social Locker
Plugin Slug:: social-share-and-social-locker-arsocial
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.2
Severity Score:: Medium
CVE:: 2024-11189

Plugin:: WooCommerce Multi Currency – Currency Switcher
Plugin Slug:: woocommerce-multi-currency
Vulnerability:: SQL Injection
Patched in Version:: 2.3.7
Severity Score:: Critical
CVE:: 2024-13320

WordPress Themes — 8 Patched / 6 Unpatched

Theme:: Sparkling
Theme Slug:: sparkling
Downloads: 1,345,012
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13423

Theme:: Homey
Theme Slug:: homey
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-12281

Theme:: Lafka
Theme Slug:: lafka
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13811

Theme:: Listingo
Theme Slug:: listingo
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13815

Theme:: VEDA
Theme Slug:: veda
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13787

Theme:: Zass
Theme Slug:: zass
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13810

Theme:: Newscrunch
Theme Slug:: newscrunch
Downloads: 177,662
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.8.4.1
Severity Score:: Critical
CVE:: 2025-1307

Theme:: Newscrunch
Theme Slug:: newscrunch
Downloads: 177,662
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.8.4.1
Severity Score:: High
CVE:: 2025-1306

Theme:: VW Storefront
Theme Slug:: vw-storefront
Downloads: 60,192
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.0
Severity Score:: Medium
CVE:: 2024-13686

Theme:: Flex Mag
Theme Slug:: flex-mag
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.0
Severity Score:: High
CVE:: 2024-13655

Theme:: Golo
Theme Slug:: golo
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.11
Severity Score:: Critical
CVE:: 2024-12876

Theme:: Homey
Theme Slug:: homey
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.4
Severity Score:: Medium
CVE:: 2025-0748

Theme:: Homey
Theme Slug:: homey
Vulnerability:: Broken Authentication
Patched in Version:: 2.4.4
Severity Score:: High
CVE:: 2025-0749

Theme:: JNews
Theme Slug:: jnews
Vulnerability:: Broken Access Control
Patched in Version:: 11.6.7
Severity Score:: Medium
CVE:: 2024-8682

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 78 Patched / 51 Unpatched

WordPress Themes — 8 Patched / 6 Unpatched