WordPress Security

WordPress Vulnerability Report — April 16, 2025

Since last week, 374 new vulnerabilities emerged in the WordPress ecosystem, including 359 plugins and 15 themes. 284 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

In this report, 374 vulnerabilities have been publicly disclosed. Security patches for 90 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 284 plugin and theme vulnerabilities for which no patch is available yet. If you’re a Solid Security Pro user, you are already protected against those vulnerabilities by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8 “Cecil” is here! Launched April 15, 2025, it honors jazz legend Cecil Taylor, whose pioneering piano fused chaos and harmony. Explore its bold features with the same experimental spirit.

Plus, WordCamp Europe 2025 lands in Basel, Switzerland, June 5-7! Connect with WordPress enthusiasts, developers, and pros for three days of learning, networking, and collaboration with the global community.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 87 Patched / 272 Unpatched

Ally – Web Accessibility & Usability

Plugin Slug:
pojo-accessibility
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Table Builder – WordPress Table Plugin

Plugin Slug:
wp-table-builder
Installations
60,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

MapGeo – Interactive Geo Maps

Plugin Slug:
interactive-geo-maps
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

PowerPress Podcasting plugin by Blubrry

Plugin Slug:
powerpress
Installations
30,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Asgaros Forum

Plugin Slug:
asgaros-forum
Installations
10,000+
Vulnerability:
Bypass Vulnerability
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Flo Forms – Easy Drag & Drop Form Builder

Plugin Slug:
flo-forms
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ray Enterprise Translation

Plugin Slug:
lingotek-translation
Installations
10,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Motors – Car Dealership & Classified Listings Plugin

Plugin Slug:
motors-car-dealership-classified-listings
Installations
10,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Arconix FAQ

Plugin Slug:
arconix-faq
Installations
8,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Bootstrap Elements for Elementor

Plugin Slug:
ultimate-bootstrap-elements-for-elementor
Installations
7,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

EventON – Events Calendar

Plugin Slug:
eventon-lite
Installations
6,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Cool Flipbox – Shortcode & Gutenberg Block

Plugin Slug:
flip-boxes
Installations
6,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Specia Companion

Plugin Slug:
specia-companion
Installations
6,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Survey Maker

Plugin Slug:
survey-maker
Installations
6,000+
Vulnerability:
Bypass Vulnerability
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

License For Envato

Plugin Slug:
license-envato
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Widgetize Pages Light

Plugin Slug:
widgetize-pages-light
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Piotnet Forms

Plugin Slug:
piotnetforms
Installations
3,000+
Vulnerability:
Path Traversal
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. You should deactivate the plugin.

Simple Spoiler

Plugin Slug:
simple-spoiler
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Wallet System for WooCommerce

Plugin Slug:
wallet-system-for-woocommerce
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce – Payphone Gateway

Plugin Slug:
wc-payphone-gateway
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Insert or Embed Articulate Content into WordPress

Plugin Slug:
insert-or-embed-articulate-content-into-wordpress
Installations
2,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Solace Extra

Plugin Slug:
solace-extra
Installations
2,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

RestroPress – Online Food Ordering System

Plugin Slug:
restropress
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate WP Mail

Plugin Slug:
ultimate-wp-mail
Installations
1,000+
Vulnerability:
Open Redirection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Webinar Plugin – WebinarPress

Plugin Slug:
wp-webinarsystem
Installations
1,000+
Vulnerability:
Open Redirection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP-Hijri

Plugin:
WP-Hijri
Plugin Slug:
wp-hijri
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Database Toolset

Plugin Slug:
database-toolset
Installations
800+
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

FraudLabs Pro for WooCommerce

Plugin Slug:
fraudlabs-pro-for-woocommerce
Installations
800+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

JS Job Manager

Plugin Slug:
js-jobs
Installations
800+
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

JS Job Manager

Plugin Slug:
js-jobs
Installations
800+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mergado Pack

Plugin Slug:
mergado-marketing-pack
Installations
800+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Nepali Date Utilities

Plugin Slug:
nepali-date-utilities
Installations
800+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Waymark

Plugin:
Waymark
Plugin Slug:
waymark
Installations
800+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Waymark

Plugin:
Waymark
Plugin Slug:
waymark
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Broadstreet

Plugin Slug:
broadstreet
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Doppler Forms

Plugin Slug:
doppler-form
Installations
700+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Doppler Forms

Plugin Slug:
doppler-form
Installations
700+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

MapSVG – Vector maps, Image maps, Google Maps

Plugin Slug:
mapsvg-lite-interactive-vector-maps
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MapSVG – Vector maps, Image maps, Google Maps

Plugin Slug:
mapsvg-lite-interactive-vector-maps
Installations
700+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Movylo Marketing Automation

Plugin Slug:
movylo-widget
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Accessibility Suite by Ability, Inc

Plugin Slug:
online-accessibility
Installations
700+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Accessibility Suite by Ability, Inc

Plugin Slug:
online-accessibility
Installations
700+
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Build App Online

Plugin Slug:
build-app-online
Installations
600+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Question Answer

Plugin Slug:
question-answer
Installations
600+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Question Answer

Plugin Slug:
question-answer
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Request Call Back

Plugin Slug:
request-call-back
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Canonical Attachments

Plugin Slug:
canonical-attachments
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Interactive US Map

Plugin Slug:
interactive-us-map
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Job Board Manager

Plugin Slug:
job-board-manager
Installations
500+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Review Stream

Plugin Slug:
review-stream
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

RS Elements Elementor Addon

Plugin Slug:
rselements-lite
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

User Registration Using Contact Form 7

Plugin Slug:
user-registration-using-contact-form-7
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Wishlist

Plugin:
Wishlist
Plugin Slug:
wishlist
Installations
500+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Show Stats

Plugin Slug:
wp-show-stats
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Anant Addons for Elementor

Plugin Slug:
anant-addons-for-elementor
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Coming Soon Countdown

Plugin Slug:
coming-soon-countdown
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

DeBounce Email Validator

Plugin Slug:
debounce-io-email-validator
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Duplicate Title Checker

Plugin Slug:
duplicate-title-checker
Installations
400+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Epeken All Kurir Plugin for Woocommerce Full Version

Plugin Slug:
epeken-all-kurir
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Projectopia – WordPress Project Management

Plugin Slug:
projectopia-core
Installations
400+
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

SERPed.net

Plugin:
SERPed.net
Plugin Slug:
serped-net
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP AutoKeyword

Plugin Slug:
wp-autokeyword
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WPSmartContracts

Plugin Slug:
wp-smart-contracts
Installations
400+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

WP w3all phpBB

Plugin Slug:
wp-w3all-phpbb-integration
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Custom Posts Order

Plugin Slug:
custom-posts-order
Installations
300+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Czater.pl – live chat i telefon

Plugin Slug:
czater
Installations
300+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Lock Your Updates Plugins/Themes Manager

Plugin Slug:
lock-your-updates
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

TableOn – WordPress Posts Table Filterable 

Plugin Slug:
posts-table-filterable
Installations
300+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Print Science Designer

Plugin Slug:
print-science-designer
Installations
300+
Vulnerability:
Arbitrary File Download
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Silvasoft boekhouden

Plugin Slug:
silvasoft-boekhouden
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Task Scheduler

Plugin Slug:
task-scheduler
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Abstracts

Plugin Slug:
wp-abstracts-manuscripts-manager
Installations
300+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ABA PayWay Payment Gateway for WooCommerce

Plugin Slug:
aba-payway-woocommerce-payment-gateway
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Connector to CiviCRM with CiviMcRestFace

Plugin Slug:
connector-civicrm-mcrestface
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Foliopress WYSIWYG

Plugin Slug:
foliopress-wysiwyg
Installations
200+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Multiple Location Google Map

Plugin Slug:
multiple-location-google-map
Installations
200+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Nimbata Call Tracking

Plugin Slug:
nimbata-call-tracking
Installations
200+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Oxygen MyData for WooCommerce

Plugin Slug:
oxygen-mydata
Installations
200+
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Total processing card payments for WooCommerce

Plugin Slug:
totalprocessing-card-payments
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Tournamatch

Plugin Slug:
tournamatch
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

User Session Synchronizer

Plugin Slug:
user-session-synchronizer
Installations
200+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Product Excel Import Export & Bulk Edit for WooCommerce

Plugin Slug:
webd-woocommerce-product-excel-importer-bulk-edit
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Sales MIS Report

Plugin Slug:
woocommerce-mis-report
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Workbox Video from Vimeo & Youtube Plugin

Plugin Slug:
workbox-video-from-vimeo-youtube-plugin
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Chat2

Plugin:
Chat2
Plugin Slug:
chat2
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ChillPay WooCommerce

Plugin Slug:
chillpay-payment-gateway
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Clinked Client Portal

Plugin Slug:
clinked-client-portal
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Codescar Radio Widget

Plugin Slug:
codescar-radio-widget
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Events Calendar Plugin – connectDaily

Plugin Slug:
connect-daily-web-calendar
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Course Booking System

Plugin Slug:
course-booking-system
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Credova Financial

Plugin Slug:
credova-financial
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

EmpikPlace for Woocommerce

Plugin Slug:
empik-for-woocommerce
Installations
100+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Error Log Viewer By WP Guru

Plugin Slug:
error-log-viewer-wp
Installations
100+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

FAT Cooming Soon

Plugin Slug:
fat-coming-soon
Installations
100+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Flexi – Guest Submit

Plugin Slug:
flexi
Installations
100+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
gb-gallery-slideshow
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

iCal Feeds

Plugin:
iCal Feeds
Plugin Slug:
ical-feeds
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

KeyCAPTCHA – Social WordPress CAPTCHA

Plugin Slug:
keycaptcha
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Listings for Buildium

Plugin Slug:
listings-for-buildium
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Local Magic

Plugin Slug:
local-magic
Installations
100+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Popping Content Light

Plugin Slug:
popping-content-light
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

QR Master

Plugin:
QR Master
Plugin Slug:
qr-master
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

RentSyst – CRM solution for fleet management

Plugin Slug:
rentsyst
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Sync Posts

Plugin:
Sync Posts
Plugin Slug:
sync-posts
Installations
100+
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

UXsniff AI-powered Heatmaps and Session Recordings

Plugin Slug:
ux-sniff
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Web2application Convert your website to android and IOS apps with push notifications , web push , free ajax products search for woocommerce and many more advanced features

Plugin Slug:
web2application
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
woocommerce-products-without-featured-images
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
wp-featured-screenshot
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Map Route Planner

Plugin Slug:
wp-map-route-planner
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Online Users Stats

Plugin Slug:
wp-online-users-stats
Installations
100+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

WP Remote Thumbnail

Plugin Slug:
wp-remote-thumbnail
Installations
100+
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

WPshop 2 – E-Commerce

Plugin Slug:
wpshop
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

PlainInventory – Inventory Management Plugin

Plugin Slug:
z-inventory-manager
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

5sterrenspecialist

Plugin Slug:
5-sterrenspecialist
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Add Product Frontend for WooCommerce

Plugin Slug:
add-product-frontend-for-woocommerce
Installations
90+
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy Post Duplicator

Plugin Slug:
easy-post-duplicator
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy Post Duplicator

Plugin Slug:
easy-post-duplicator
Installations
90+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Neon Product Designer

Plugin Slug:
neon-product-designer-for-woocommerce
Installations
90+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Restrict User Registration

Plugin Slug:
restrict-user-registration
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Verowa Connect

Plugin Slug:
verowa-connect
Installations
90+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Easy Poll

Plugin Slug:
wp-easy-poll-afo
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Flags Widget

Plugin Slug:
flags-widget
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Review Stars Count For WooCommerce

Plugin Slug:
review-stars-count-for-woocommerce
Installations
80+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Spark GF Failed Submissions

Plugin Slug:
spark-gf-failed-submissions
Installations
80+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
tp-gallery-slider
Installations
80+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP-Planification – WP-Planning

Plugin Slug:
wp-planification
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Custom Smilies

Plugin Slug:
custom-smilies
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Nino Social Connect

Plugin Slug:
nino-social-connect
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Windows Live Writer

Plugin Slug:
windows-live-writer
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP-Easy Menu

Plugin Slug:
wp-easy-menu
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

All push notification for WP

Plugin Slug:
all-push-notification
Installations
60+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

All push notification for WP

Plugin Slug:
all-push-notification
Installations
60+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Automatic Ban IP

Plugin Slug:
automatic-ban-ip
Installations
60+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP_DEBUG Toggle

Plugin Slug:
enable-wp-debug-toggle
Installations
60+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

HTML5 Video Player with Playlist

Plugin Slug:
html5-video-player-with-playlist
Installations
60+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ePaper Lister for Yumpu

Plugin Slug:
magazine-lister-for-yumpu
Installations
60+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Processing Projects

Plugin Slug:
processing-projects
Installations
60+
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Terminal Africa

Plugin Slug:
terminal-africa
Installations
60+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce TBC Credit Card Payment Gateway (Free)

Plugin Slug:
woo-tbc-payment-gateway
Installations
60+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP SexyLightBox

Plugin Slug:
wp-sexylightbox
Installations
60+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Calais Auto Tagger

Plugin Slug:
calais-auto-tagger
Installations
50+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
link-shield
Installations
50+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ShopApper: Mobile App for WooCommerce

Plugin Slug:
mobile-app-for-woocommerce
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mobile Blocks

Plugin Slug:
mobile-pages
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams

Plugin Slug:
ppv-live-webcams
Installations
50+
Vulnerability:
Broken Authentication
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Shop Products Filter

Plugin Slug:
trusty-woo-products-filter
Installations
50+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Pickupp

Plugin Slug:
wc-pickupp
Installations
50+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Loyal Customers

Plugin Slug:
woocommerce-loyal-customer
Installations
50+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

SEO, Nutrition and Print for Recipes by Edamam

Plugin Slug:
seo-nutrition-and-print-for-recipes-by-edamam
Installations
40+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Simple Post Meta Manager

Plugin Slug:
simple-post-meta-manager
Installations
40+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Social Stream Designer

Plugin Slug:
social-stream-design
Installations
40+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

iONE360 configurator

Plugin Slug:
ione360-configurator
Installations
30+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

MultiMailer

Plugin Slug:
scand-multi-mailer
Installations
30+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

MultiMailer

Plugin Slug:
scand-multi-mailer
Installations
30+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AT Internet SmartTag

Plugin Slug:
at-internet
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Event Espresso – Custom Email Template Shortcode

Plugin Slug:
email-shortcode
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Make Email Customizer for WooCommerce

Plugin Slug:
make-email-customizer-for-woocommerce
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Nearby Locations

Plugin Slug:
nearby-locations
Installations
10+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
related-videos-for-jw-player
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Revamp CRM for WooCommerce

Plugin Slug:
revampcrm-woocommerce
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Inquiries

Plugin Slug:
wp-inquiries
Installations
10+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ZooEffect

Plugin:
ZooEffect
Plugin Slug:
1-jquery-photo-gallery-slideshow-flash
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AAWP Obfuscator

Plugin:
AAWP Obfuscator
Plugin Slug:
aawp-obfuscator
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Accredible Certificates & Open Badges

Plugin:
Accredible Certificates & Open Badges
Plugin Slug:
accredible-certificates
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Custom Fields: Link Picker Field

Plugin:
Advanced Custom Fields: Link Picker Field
Plugin Slug:
acf-link-picker-field
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Activity Reactions For Buddypress

Plugin:
Activity Reactions For Buddypress
Plugin Slug:
activity-reactions-for-buddypress
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Admin Menu Post List

Plugin:
Admin Menu Post List
Plugin Slug:
admin-menu-post-list
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Advance WP Query Search Filter

Plugin:
Advance WP Query Search Filter
Plugin Slug:
advance-wp-query-search-filter
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Advertising System

Plugin:
Advanced Advertising System
Plugin Slug:
advanced-advertising-system
Vulnerability:
Open Redirection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Tag Lists

Plugin:
Advanced Tag Lists
Plugin Slug:
advanced-tag-list
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AF Tell a Friend

Plugin:
AF Tell a Friend
Plugin Slug:
af-tell-a-friend
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AnyTrack Affiliate Link Manager

Plugin:
AnyTrack Affiliate Link Manager
Plugin Slug:
anytrack-affiliate-link-manager
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Aria Font

Plugin:
Aria Font
Plugin Slug:
aria-font
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

azurecurve Shortcodes in Comments

Plugin:
azurecurve Shortcodes in Comments
Plugin Slug:
azurecurve-shortcodes-in-comments
Vulnerability:
Content Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

BP Social Connect

Plugin:
BP Social Connect
Plugin Slug:
bp-social-connect
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Brizy Pro

Plugin:
Brizy Pro
Plugin Slug:
brizy-pro
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Brizy Pro

Plugin:
Brizy Pro
Plugin Slug:
brizy-pro
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Buddypress Humanity

Plugin:
Buddypress Humanity
Plugin Slug:
buddypress-humanity
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

C9 Blocks

Plugin:
C9 Blocks
Plugin Slug:
c9-blocks
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Cart66 Cloud

Plugin:
Cart66 Cloud
Plugin Slug:
cart66-cloud
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Cart66 Cloud

Plugin:
Cart66 Cloud
Plugin Slug:
cart66-cloud
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

CG Scroll To Top

Plugin:
CG Scroll To Top
Plugin Slug:
cg-scroll-to-top
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Checkout Mestres WP

Plugin:
Checkout Mestres WP
Plugin Slug:
checkout-mestres-wp
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Comment Validation Reloaded

Plugin:
Comment Validation Reloaded
Plugin Slug:
comment-validation-reloaded
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Customize Login Page

Plugin:
Customize Login Page
Plugin Slug:
customize-login-page
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Developer Toolbar

Plugin:
Developer Toolbar
Plugin Slug:
developer-toolbar
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ZoomSounds

Plugin:
ZoomSounds
Plugin Slug:
dzs-zoomsounds
Vulnerability:
Arbitrary File Download
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy Custom CSS

Plugin:
Easy Custom CSS
Plugin Slug:
easy-custom-css
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Embedder

Plugin:
Embedder
Plugin Slug:
embedder
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Essential Breadcrumbs

Plugin:
Essential Breadcrumbs
Plugin Slug:
essential-breadcrumbs
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

FireDrum Email Marketing

Plugin:
FireDrum Email Marketing
Plugin Slug:
firedrum-email-marketing
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Sandwich Adsense

Plugin:
Sandwich Adsense
Plugin Slug:
firsth3tagadsense
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

FrescoChat Live Chat

Plugin:
FrescoChat Live Chat
Plugin Slug:
flexytalk-widget
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

FS Poster

Plugin:
FS Poster
Plugin Slug:
fs-poster
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Global Gallery

Plugin:
Global Gallery
Plugin Slug:
global-gallery
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Hamburger Icon Menu Lite

Plugin:
Hamburger Icon Menu Lite
Plugin Slug:
hamburger-icon-menu-lite
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Insert HTML Here

Plugin:
Insert HTML Here
Plugin Slug:
insert-html-here
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Language Field

Plugin:
Language Field
Plugin Slug:
language-field
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Linet ERP-Woocommerce Integration

Plugin:
Linet ERP-Woocommerce Integration
Plugin Slug:
linet-erp-woocommerce-integration
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Melhor Envio

Plugin:
Melhor Envio
Plugin Slug:
melhor-envio-cotacao
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MMX – Make Me Christmas

Plugin:
MMX – Make Me Christmas
Plugin Slug:
mmx-make-me-christmas
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mobile Smart

Plugin:
Mobile Smart
Plugin Slug:
mobile-smart
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

More Mime Type Filters

Plugin:
More Mime Type Filters
Plugin Slug:
more-mime-type-filters
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

My auctions allegro

Plugin:
My auctions allegro
Plugin Slug:
my-auctions-allegro-free-edition
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

NewsBoard Post and RSS Scroller

Plugin:
NewsBoard Post and RSS Scroller
Plugin Slug:
newsboard
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Oppso Unit Converter

Plugin:
Oppso Unit Converter
Plugin Slug:
oppso-unit-converter
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ORDER POST

Plugin:
ORDER POST
Plugin Slug:
order-post
Vulnerability:
Content Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Payment Forms for Paystack

Plugin:
Payment Forms for Paystack
Plugin Slug:
payment-forms-for-paystack
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Rankology SEO – On-site SEO

Plugin:
Rankology SEO – On-site SEO
Plugin Slug:
rankology-seo-all-in-one-seo-analytics
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

reCAPTCHA Jetpack

Plugin:
reCAPTCHA Jetpack
Plugin Slug:
recaptcha-jetpack
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Rich Table of Contents

Plugin:
Rich Table of Contents
Plugin Slug:
rich-table-of-content
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Scheduled

Plugin:
Scheduled
Plugin Slug:
scheduled
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Script Compressor

Plugin:
Script Compressor
Plugin Slug:
script-compressor
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Seo Meta Tags

Plugin:
Seo Meta Tags
Plugin Slug:
seo-meta-tags
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Simple WP Events

Plugin:
Simple WP Events
Plugin Slug:
simple-wp-events
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Simple WP Events

Plugin:
Simple WP Events
Plugin Slug:
simple-wp-events
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Coming Soon, Maintenance Mode

Plugin:
Coming Soon, Maintenance Mode
Plugin Slug:
site-mode
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Site Notify

Plugin:
Site Notify
Plugin Slug:
site-notify
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Site Table of Contents

Plugin:
Site Table of Contents
Plugin Slug:
site-table-of-contents
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Smart Product Gallery Slider

Plugin:
Smart Product Gallery Slider
Plugin Slug:
smart-product-gallery-slider
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Social Bookmarking RELOADED

Plugin:
Social Bookmarking RELOADED
Plugin Slug:
social-bookmarking-reloaded
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Social Crowd

Plugin:
Social Crowd
Plugin Slug:
social-crowd
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Spoiler Block

Plugin:
Spoiler Block
Plugin Slug:
spoiler-block
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Stop Registration Spam

Plugin:
Stop Registration Spam
Plugin Slug:
stop-registration-spam
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Testimonial Slider And Showcase Pro

Plugin:
Testimonial Slider And Showcase Pro
Plugin Slug:
testimonial-slider-showcase-pro
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Testimonial Slider And Showcase Pro

Plugin:
Testimonial Slider And Showcase Pro
Plugin Slug:
testimonial-slider-showcase-pro
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

The World

Plugin:
The World
Plugin Slug:
the-world
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

TuriTop Booking System

Plugin:
TuriTop Booking System
Plugin Slug:
turitop-booking-system
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Twispay Credit Card Payments

Plugin:
Twispay Credit Card Payments
Plugin Slug:
twispay
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ultra Demo Importer

Plugin:
Ultra Demo Importer
Plugin Slug:
ut-demo-importer
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Vice Versa

Plugin:
Vice Versa
Plugin Slug:
vice-versa
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Vite Coupon

Plugin:
Vite Coupon
Plugin Slug:
vite-coupon
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

VKontakte Cross-Post

Plugin:
VKontakte Cross-Post
Plugin Slug:
vkontakte-cross-post
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Wetterwarner

Plugin:
Wetterwarner
Plugin Slug:
wetterwarner
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Woo Product Feed For Marketing Channels

Plugin:
Woo Product Feed For Marketing Channels
Plugin Slug:
woocommerce-to-google-merchant-center
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Editor.md – The Perfect WordPress Markdown Editor

Plugin:
WP Editor.md – The Perfect WordPress Markdown Editor
Plugin Slug:
wp-editormd
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Food ordering and Restaurant Menu

Plugin:
WP Food ordering and Restaurant Menu
Plugin Slug:
wp-food
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP-GeSHi-Highlight

Plugin:
WP-GeSHi-Highlight
Plugin Slug:
wp-geshi-highlight
Vulnerability:
Denial of Service Attack
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Hide Categories

Plugin:
WP Hide Categories
Plugin Slug:
wp-hide-categories
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Performance Pack

Plugin:
WP Performance Pack
Plugin Slug:
wp-performance-pack
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

wp secure

Plugin:
wp secure
Plugin Slug:
wp-secure-by-sitesecuritymonitorcom
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP User Profiles

Plugin:
WP User Profiles
Plugin Slug:
wp-users-profiles
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WPSolr

Plugin:
WPSolr
Plugin Slug:
wpsolr-free
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WS Audio Player

Plugin:
WS Audio Player
Plugin Slug:
ws-audio-player
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

YouTube Embed

Plugin:
YouTube Embed
Plugin Slug:
youtube-embed
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Royal Elementor Addons and Templates

Plugin Slug:
royal-elementor-addons
Installations
500,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.1013
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.1013.

Royal Elementor Addons and Templates

Plugin Slug:
royal-elementor-addons
Installations
500,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
1.7.1007
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.1007.

Plugin Slug:
photo-gallery
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8.35
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.35.

Tutor LMS – eLearning and online course solution

Plugin Slug:
tutor
Installations
100,000+
Vulnerability:
Content Injection
Patched in Version:
3.4.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.4.1.

WooCommerce Multilingual & Multicurrency with WPML

Plugin Slug:
woocommerce-multilingual
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
5.3.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.3.9.

Age Gate

Plugin:
Age Gate
Plugin Slug:
age-gate
Installations
40,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.6.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.0.

Plugin Slug:
testimonial-free
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.1.7.

WPFront User Role Editor

Plugin Slug:
wpfront-user-role-editor
Installations
40,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
4.2.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 4.2.2.

Cost Calculator Builder

Plugin Slug:
cost-calculator-builder
Installations
30,000+
Vulnerability:
SQL Injection
Patched in Version:
3.2.68
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.2.68.

PowerPress Podcasting plugin by Blubrry

Plugin Slug:
powerpress
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
11.9.18
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 11.9.18.

PowerPress Podcasting plugin by Blubrry

Plugin Slug:
powerpress
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
11.12.16
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 11.12.16.

Uncanny Toolkit for LearnDash

Plugin Slug:
uncanny-learndash-toolkit
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.7.0.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.7.0.2.

InstaWP Connect – 1-click WP Staging & Migration

Plugin Slug:
instawp-connect
Installations
20,000+
Vulnerability:
Local File Inclusion
Patched in Version:
0.1.0.86
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 0.1.0.86.

WordPress Mega Menu – QuadMenu

Plugin Slug:
quadmenu
Installations
20,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.2.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.1.

Motors – Car Dealership & Classified Listings Plugin

Plugin Slug:
motors-car-dealership-classified-listings
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.4.67
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.67.

Motors – Car Dealership & Classified Listings Plugin

Plugin Slug:
motors-car-dealership-classified-listings
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.4.65
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.4.65.

Motors – Car Dealership & Classified Listings Plugin

Plugin Slug:
motors-car-dealership-classified-listings
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4.64
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.64.

License Manager for WooCommerce

Plugin Slug:
license-manager-for-woocommerce
Installations
7,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.10
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.0.10.

Raptive Ads

Plugin Slug:
adthrive-ads
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.7.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.7.4.

WooCommerce Sync for QuickBooks Online – by MyWorks

Plugin Slug:
myworks-woo-sync-for-quickbooks-online
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.9.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.9.2.

Plugin Slug:
awesome-logo-carousel-block
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.7.

SMTP for Amazon SES – YaySMTP

Plugin Slug:
smtp-amazon-ses
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.9.

SKT Blocks – Gutenberg based Page Builder

Plugin Slug:
skt-blocks
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.

SKT Blocks – Gutenberg based Page Builder

Plugin Slug:
skt-blocks
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.9.

SKT Skill Bar

Plugin Slug:
skt-skill-bar
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.

DSGVO Youtube

Plugin Slug:
dsgvo-youtube
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.2.

Plugin Slug:
inpost-gallery
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.1.4.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.4.4.

Nav Menu Manager

Plugin Slug:
noakes-menu-manager
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.6.

WP Delete User Accounts

Plugin Slug:
wp-delete-user-accounts
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.4.

Zephyr Project Manager

Plugin Slug:
zephyr-project-manager
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.3.102
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.3.102.

3DPrint Lite

Plugin Slug:
3dprint-lite
Installations
800+
Vulnerability:
SQL Injection
Patched in Version:
2.1.3.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.1.3.7.

Nepali Date Converter

Plugin Slug:
nepali-date-converter
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.0.

OTP-less one tap Sign in

Plugin Slug:
otpless
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.59
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.0.59.

WPC Admin Columns

Plugin Slug:
wpc-admin-columns
Installations
700+
Vulnerability:
Privilege Escalation
Patched in Version:
2.1.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.1.1.

Additional Custom Product Tabs for WooCommerce

Plugin Slug:
product-tabs-for-woocommerce
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.1.

Deliver via Shipos for WooCommerce

Plugin Slug:
wc-shipos-delivery
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.2.0.

Z Companion

Plugin Slug:
z-companion
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.2.

Administrator Z

Plugin Slug:
administrator-z
Installations
400+
Vulnerability:
Privilege Escalation
Patched in Version:
2025.03.27
Severity Score:
High
The vulnerability has been patched, so you should update to version 2025.03.27.

Team Circle Image Slider With Lightbox

Plugin Slug:
circle-image-slider-with-lightbox
Installations
400+
Vulnerability:
SQL Injection
Patched in Version:
1.0.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.5.

CardGate Payments for WooCommerce

Plugin Slug:
cardgate
Installations
300+
Vulnerability:
SQL Injection
Patched in Version:
3.2.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.2.2.

Crowdfunding for WooCommerce

Plugin Slug:
crowdfunding-for-woocommerce
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.1.13
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.1.13.

Sell access, Automate, and add Engaging Exclusive Discord Access: Introducing the MemberPress Discord Addon — Elevate Your Community!

Plugin Slug:
expresstechsoftwares-memberpress-discord-add-on
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.1.2.

IP2Location World Clock

Plugin Slug:
ip2location-world-clock
Installations
300+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.1.10
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.1.10.

MSRP (RRP) Pricing for WooCommerce

Plugin Slug:
msrp-for-woocommerce
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.0.0.

TableOn – WordPress Posts Table Filterable

Plugin Slug:
posts-table-filterable
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.4.

Click & Pledge Connect Plugin

Plugin Slug:
click-pledge-connect
Installations
200+
Vulnerability:
SQL Injection
Patched in Version:
2.24120000-WP6.7.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.24120000-WP6.7.1.

Total processing card payments for WooCommerce

Plugin Slug:
totalprocessing-card-payments
Installations
200+
Vulnerability:
Arbitrary File Download
Patched in Version:
7.1.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.1.6.

GreenPay(tm) by Green.Money

Plugin Slug:
green-money-payment-gateway
Installations
100+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
3.0.10
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.10.

IndieBlocks

Plugin Slug:
indieblocks
Installations
100+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
0.13.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 0.13.2.

Plugin Slug:
internal-link-finder
Installations
100+
Vulnerability:
Settings Change
Patched in Version:
5.1.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.1.3.

Email Notifications for Updates

Plugin Slug:
wp-update-mail-notification
Installations
100+
Vulnerability:
Privilege Escalation
Patched in Version:
1.2.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.2.0.

Verowa Connect

Plugin Slug:
verowa-connect
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.0.5.

Material Dashboard

Plugin Slug:
material-dashboard
Installations
80+
Vulnerability:
Privilege Escalation
Patched in Version:
1.4.7
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.4.7.

Material Dashboard

Plugin Slug:
material-dashboard
Installations
80+
Vulnerability:
Local File Inclusion
Patched in Version:
1.4.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.4.6.

Shipping by Weight for WooCommerce

Plugin Slug:
dn-shipping-by-weight
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.2.1.

Accept SagePay Payments Using Contact Form 7

Plugin Slug:
accept-sagepay-payments-using-contact-form-7
Installations
10+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
2.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.

ALD Login Page

Plugin Slug:
ald-login-page
Installations
10+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.3.

coreActivity: Activity Logging for WordPress

Plugin Slug:
coreactivity
Installations
10+
Vulnerability:
SQL Injection
Patched in Version:
2.7.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.7.1.

JetBlog

Plugin:
JetBlog
Plugin Slug:
jet-blog
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4.3.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.3.1.

JetCompareWishlist

Plugin:
JetCompareWishlist
Plugin Slug:
jet-compare-wishlist
Vulnerability:
Local File Inclusion
Patched in Version:
1.5.10
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.5.10.

JetEngine

Plugin:
JetEngine
Plugin Slug:
jet-engine
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.6.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.5.

Pagopar – WooCommerce Gateway

Plugin:
Pagopar – WooCommerce Gateway
Plugin Slug:
pagopar-woocommerce-gateway
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.8.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.8.0.

WPJobBoard

Plugin:
WPJobBoard
Plugin Slug:
wpjobboard
Vulnerability:
Path Traversal
Patched in Version:
5.11.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.11.1.

WPJobBoard

Plugin:
WPJobBoard
Plugin Slug:
wpjobboard
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
5.11.1
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 5.11.1.

WPJobBoard

Plugin:
WPJobBoard
Plugin Slug:
wpjobboard
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
5.11.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.11.1.

WordPress Themes — 3 Patched / 12 Unpatched

Arkhe

Theme:
Arkhe
Theme Slug:
arkhe
Downloads
91,582
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Industrial Lite

Theme Slug:
industrial-lite
Downloads
100,465
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

SpaBiz

Theme:
SpaBiz
Theme Slug:
spabiz
Downloads
21,133
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

AI Hub

Theme:
AI Hub
Theme Slug:
aihub
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should switch themes.

Bulk

Theme:
Bulk
Theme Slug:
bulk
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Celestial Aura

Theme:
Celestial Aura
Theme Slug:
celestial-aura
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should switch themes.

Customify

Theme:
Customify
Theme Slug:
customify-theme
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Eximius

Theme:
Eximius
Theme Slug:
eximius
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should switch themes.

Fazyvo

Theme:
Fazyvo
Theme Slug:
fazyvo
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Grip

Theme:
Grip
Theme Slug:
grip
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Photography

Theme:
Photography
Theme Slug:
photography
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Wireless Butler

Theme:
Wireless Butler
Theme Slug:
wireless-butler
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Streamit

Theme:
Streamit
Theme Slug:
streamit
Vulnerability:
Arbitrary File Download
Patched in Version:
4.0.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.0.2.

Streamit

Theme:
Streamit
Theme Slug:
streamit
Vulnerability:
Arbitrary File Upload
Patched in Version:
4.0.2
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.0.2.

Streamit

Theme:
Streamit
Theme Slug:
streamit
Vulnerability:
Privilege Escalation
Patched in Version:
4.0.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 4.0.3.
