WordPress Vulnerability Report — November 26, 2025

Since last week, 164 new vulnerabilities have emerged in the WordPress ecosystem, including 163 plugins and 1 theme. Of those, 75 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Nov 26, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:31 min.

In this report, 164 vulnerabilities have been publicly disclosed. Security patches for 89 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 75 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 89 Patched / 74 Unpatched

2.1 Image Hover Effects Ultimate
2.2 Enable SVG, WebP, and ICO Upload
2.3 Enable SVG, WebP, and ICO Upload
2.4 UiPress lite | Effortless custom dashboards, admin themes and pages
2.5 UiPress lite | Effortless custom dashboards, admin themes and pages
2.6 Gutenify – Visual Site Builder Blocks & Site Templates.
2.7 Gallery with thumbnail slider
2.8 ?????
2.9 Simple User Import Export
2.10 Ace Post Type Builder
2.11 ACF Flexible Layouts Manager
2.12 OrderConvo
2.13 OrderConvo
2.14 ArtiBot
2.15 Attention Bar
2.16 AudioTube
2.17 AuthorSure
2.18 Autochat Automatic Conversation
2.19 BigBuy Dropshipping Connector for WooCommerce
2.20 Bookme – Free Online Appointment Booking and Scheduling Plugin
2.21 Restrictions for BuddyPress
2.22 BrightTALK WordPress Shortcode
2.23 Bulma Shortcodes
2.24 Category and Product Woocommerce Tabs
2.25 Chamber Dashboard Business Directory
2.26 Coil Web Monetization
2.27 CSV to SortTable
2.28 Custom Post Type
2.29 Display Pages Shortcode
2.30 Download Panel (Biggiko Team)
2.31 YouTube Subscribe
2.32 everviz
2.33 Flo Forms
2.34 HotelRunner Booking Widget
2.35 Inline frame – Iframe
2.36 Islamic Phrases
2.37 Just Highlight
2.38 LightGallery WP
2.39 Like-it
2.40 Local Syndication
2.41 Locker Content
2.42 Conditionnal Maintenance Mode for WordPress
2.43 Make Email Customizer for WooCommerce
2.44 Meta Display Block
2.45 Mstore Mobile App
2.46 Multiple Roles per User
2.47 Frontend File Manager
2.48 Peer Publish
2.49 Drag & Drop Builder
2.50 Pollcaster Shortcode Plugin
2.51 Premmerce Wholesale Pricing for WooCommerce
2.52 Project Honey Pot Spam Trap
2.53 ProjectList
2.54 Realty Portal
2.55 Refund Request for WooCommerce
2.56 Shortcodes Bootstrap
2.57 Social Images Widget
2.58 Stock Tools
2.59 Surbma | MiniCRM Shortcode
2.60 The Permalinks Cascade
2.61 Tips Shortcode
2.62 Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
2.63 Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
2.64 Top Friends
2.65 Cryptocurrency Payment Gateway for WooCommerce
2.66 WP Twitter Auto Publish
2.67 Padlet Shortcode
2.68 Mstore Mobile App
2.69 WP Admin Microblog
2.70 WP AUDIO GALLERY
2.71 WP Company Info
2.72 Shortcode for Google Street View
2.73 WPSite Shortcode
2.74 Zweb Social Mobile
2.75 Code Snippets
2.76 W3 Total Cache
2.77 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.78 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.79 YITH WooCommerce Wishlist
2.80 YITH WooCommerce Wishlist
2.81 SiteSEO – SEO Simplified
2.82 SiteSEO – SEO Simplified
2.83 Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links
2.84 SureForms – Contact Form, Payment Form & Other Custom Form Builder
2.85 WP Go Maps (formerly WP Google Maps)
2.86 Post Type Switcher
2.87 WP Migrate Lite – WordPress Migration Made Easy
2.88 AI Engine
2.89 Element Pack Addons for Elementor
2.90 GiveWP – Donation Plugin and Fundraising Platform
2.91 Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
2.92 Responsive Lightbox & Gallery
2.93 VK All in One Expansion Unit
2.94 Booking for Appointments and Events Calendar – Amelia
2.95 Booking for Appointments and Events Calendar – Amelia
2.96 HT Mega – Absolute Addons For Elementor
2.97 LearnPress – WordPress LMS Plugin
2.98 Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce
2.99 FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution
2.100 Live sales notification for WooCommerce
2.101 Blog2Social: Social Media Auto Post & Scheduler
2.102 User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
2.103 Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
2.104 WP Duplicate Page
2.105 OneClick Chat to Order
2.106 RTMKit
2.107 Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
2.108 Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
2.109 Custom Order Numbers for WooCommerce
2.110 Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
2.111 New User Approve
2.112 Quiz Maker
2.113 PPOM – Product Addons & Custom Fields for WooCommerce
2.114 WP Import – Ultimate CSV XML Importer for WordPress
2.115 Classified Listing – AI-Powered Classified ads & Business Directory Plugin
2.116 Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
2.117 Photonic Gallery & Lightbox for Flickr, SmugMug & Others
2.118 UiPress lite | Effortless custom dashboards, admin themes and pages
2.119 Checkout Files Upload for WooCommerce
2.120 Portfolio, Gallery, Product Catalog – Grid KIT Portfolio
2.121 Icon List Block – Add Icon-Based Lists with Custom Styles
2.122 Import WP – Export and Import CSV and XML files to WordPress
2.123 Return Refund and Exchange For WooCommerce
2.124 Team Members Showcase
2.125 Magical Products Display – Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search
2.126 Property Hive
2.127 WP Directory Kit
2.128 Accordion Slider
2.129 Extensions for Leaflet Map
2.130 Groundhogg — CRM, Newsletters, and Marketing Automation
2.131 Groundhogg — CRM, Newsletters, and Marketing Automation
2.132 Vitepos – Point of Sale (POS) for WooCommerce
2.133 Appointment Booking Calendar
2.134 wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce
2.135 CBX Bookmark & Favorite
2.136 CP Contact Form with PayPal
2.137 GSheetConnector For Ninja Forms
2.138 Tainacan
2.139 Tainacan
2.140 TP WooCommerce Product Gallery
2.141 Better Chat Support for Messenger
2.142 Booking Calendar Contact Form
2.143 Show Variations as Single Products Woocommerce
2.144 Checkbox
2.145 ELEX WordPress HelpDesk & Customer Ticketing System
2.146 ELEX WordPress HelpDesk & Customer Ticketing System
2.147 ELEX WordPress HelpDesk & Customer Ticketing System
2.148 ELEX WordPress HelpDesk & Customer Ticketing System
2.149 Simple User Registration
2.150 WP Delete Post Copies
2.151 WP Login and Register using JWT
2.152 Time Slot – Booking and Appointment Scheduling
2.153 EchBay Admin Security
2.154 WP Dropzone
2.155 S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator
2.156 Affiliate AI Lite
2.157 WSChat – WordPress Live Chat
2.158 Community Events
2.159 Pet-Manager – Petfinder
2.160 WPBookit
2.161 atec Duplicate Page & Post
2.162 Gravity Forms
2.163 Zegen Core

3. WordPress Themes — 0 Patched / 1 Unpatched

3.1 OnePress

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.3 was released on September 30, 2025. This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.

WordPress 6.9 Release Candidate 3 (RC3) is now available for testing. This version is still under development and should not be installed on production or mission-critical websites. Instead, test RC2 on a staging or test site. You can read more on the WordPress Core blog for details on how to download and test this release.

The final release of WordPress 6.9 is scheduled for December 2, 2025. For updates, testing information, and release announcements, visit the Make WordPress Core blog.

WordPress Plugins — 89 Patched / 74 Unpatched

Plugin:: Image Hover Effects Ultimate
Plugin Slug:: image-hover-effects-ultimate
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Enable SVG, WebP, and ICO Upload
Plugin Slug:: enable-svg-webp-ico-upload
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13069

Plugin:: Enable SVG, WebP, and ICO Upload
Plugin Slug:: enable-svg-webp-ico-upload
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12457

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10938

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11003

Plugin:: Gutenify – Visual Site Builder Blocks & Site Templates.
Plugin Slug:: gutenify
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8605

Plugin:: Gallery with thumbnail slider
Plugin Slug:: gallery-with-thumbnail-slider
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: ?????
Plugin Slug:: keydatas
Installations: 2,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11973

Plugin:: Simple User Import Export
Plugin Slug:: a3-user-importer
Vulnerability:: CSV Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13133

Plugin:: Ace Post Type Builder
Plugin Slug:: ace-post-type-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13405

Plugin:: ACF Flexible Layouts Manager
Plugin Slug:: acf-flexible-layouts-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12937

Plugin:: OrderConvo
Plugin Slug:: admin-and-client-message-after-order-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13389

Plugin:: OrderConvo
Plugin Slug:: admin-and-client-message-after-order-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13452

Plugin:: ArtiBot
Plugin Slug:: artibot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12078

Plugin:: Attention Bar
Plugin Slug:: attention-bar
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12502

Plugin:: AudioTube
Plugin Slug:: audiotube
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11801

Plugin:: AuthorSure
Plugin Slug:: authorsure
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13134

Plugin:: Autochat Automatic Conversation
Plugin Slug:: auyautochat-for-wp
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12043

Plugin:: BigBuy Dropshipping Connector for WooCommerce
Plugin Slug:: bigbuy-wc-dropshipping-connector
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12039

Plugin:: Bookme – Free Online Appointment Booking and Scheduling Plugin
Plugin Slug:: bookme-free-appointment-booking-system
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13385

Plugin:: Restrictions for BuddyPress
Plugin Slug:: bp-restrict
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12391

Plugin:: BrightTALK WordPress Shortcode
Plugin Slug:: brighttalk-wp-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11770

Plugin:: Bulma Shortcodes
Plugin Slug:: bulma-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11802

Plugin:: Category and Product Woocommerce Tabs
Plugin Slug:: category-and-product-woocommerce-tabs
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13088

Plugin:: Chamber Dashboard Business Directory
Plugin Slug:: chamber-dashboard-business-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13414

Plugin:: Coil Web Monetization
Plugin Slug:: coil-web-monetization
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9625

Plugin:: CSV to SortTable
Plugin Slug:: csv-to-sorttable
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12823

Plugin:: Custom Post Type
Plugin Slug:: custom-post-type
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13142

Plugin:: Display Pages Shortcode
Plugin Slug:: display-pages-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11763

Plugin:: Download Panel (Biggiko Team)
Plugin Slug:: download-panel
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12961

Plugin:: YouTube Subscribe
Plugin Slug:: easy-youtube-subscribe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12025

Plugin:: everviz
Plugin Slug:: everviz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11868

Plugin:: Flo Forms
Plugin Slug:: flo-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13159

Plugin:: HotelRunner Booking Widget
Plugin Slug:: hotelrunner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13135

Plugin:: Inline frame – Iframe
Plugin Slug:: inline-frame-iframe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12645

Plugin:: Islamic Phrases
Plugin Slug:: islamic-phrases
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11768

Plugin:: Just Highlight
Plugin Slug:: just-highlight
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13311

Plugin:: LightGallery WP
Plugin Slug:: lightgallerywp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Like-it
Plugin Slug:: like-it
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12404

Plugin:: Local Syndication
Plugin Slug:: local-syndication
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12962

Plugin:: Locker Content
Plugin Slug:: locker-content
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12525

Plugin:: Conditionnal Maintenance Mode for WordPress
Plugin Slug:: maintenance-mode-based-on-user-roles
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12586

Plugin:: Make Email Customizer for WooCommerce
Plugin Slug:: make-email-customizer-for-woocommerce
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11237

Plugin:: Meta Display Block
Plugin Slug:: meta-display-block
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12088

Plugin:: Mstore Mobile App
Plugin Slug:: mstoreapp-mobile-app
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11127

Plugin:: Multiple Roles per User
Plugin Slug:: multiple-roles-per-user
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11620

Plugin:: Frontend File Manager
Plugin Slug:: nmedia-user-file-uploader
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13382

Plugin:: Peer Publish
Plugin Slug:: peer-publish
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12587

Plugin:: Drag & Drop Builder
Plugin Slug:: pie-forms-for-wp
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12528

Plugin:: Pollcaster Shortcode Plugin
Plugin Slug:: pollcaster-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12661

Plugin:: Premmerce Wholesale Pricing for WooCommerce
Plugin Slug:: premmerce-woocommerce-wholesale-pricing
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12411

Plugin:: Project Honey Pot Spam Trap
Plugin Slug:: project-honey-pot-spam-trap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12406

Plugin:: ProjectList
Plugin Slug:: projectlist
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13370

Plugin:: Realty Portal
Plugin Slug:: realty-portal
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11985

Plugin:: Refund Request for WooCommerce
Plugin Slug:: refund-request-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12634

Plugin:: Shortcodes Bootstrap
Plugin Slug:: shortcodes-bootstrap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11764

Plugin:: Social Images Widget
Plugin Slug:: social-images-widget
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13386

Plugin:: Stock Tools
Plugin Slug:: stock-tools
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11765

Plugin:: Surbma | MiniCRM Shortcode
Plugin Slug:: surbma-minicrm-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11800

Plugin:: The Permalinks Cascade
Plugin Slug:: the-permalinks-cascade
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12372

Plugin:: Tips Shortcode
Plugin Slug:: tips-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11767

Plugin:: Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
Plugin Slug:: tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11771

Plugin:: Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
Plugin Slug:: tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11773

Plugin:: Top Friends
Plugin Slug:: top-friends
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12827

Plugin:: Cryptocurrency Payment Gateway for WooCommerce
Plugin Slug:: triplea-cryptocurrency-payment-gateway-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12392

Plugin:: WP Twitter Auto Publish
Plugin Slug:: twitter-auto-publish
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12079

Plugin:: Padlet Shortcode
Plugin Slug:: wallwisher-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12660

Plugin:: Mstore Mobile App
Plugin Slug:: woo-mstoreapp-mobile-app
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11127

Plugin:: WP Admin Microblog
Plugin Slug:: wp-admin-microblog
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12173

Plugin:: WP AUDIO GALLERY
Plugin Slug:: wp-audio-gallery
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13322

Plugin:: WP Company Info
Plugin Slug:: wp-company-info
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11826

Plugin:: Shortcode for Google Street View
Plugin Slug:: wp-google-street-view-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11808

Plugin:: WPSite Shortcode
Plugin Slug:: wpsite-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11803

Plugin:: Zweb Social Mobile
Plugin Slug:: zweb-social-mobile
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12032

Plugin:: Code Snippets
Plugin Slug:: code-snippets
Installations: 1,000,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.9.2
Severity Score:: High
CVE:: 2025-13035

Plugin:: W3 Total Cache
Plugin Slug:: w3-total-cache
Installations: 1,000,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.8.13
Severity Score:: Critical
CVE:: 2025-9501

Plugin:: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1032
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1037
Severity Score:: Medium
CVE:: 2025-6251

Plugin:: YITH WooCommerce Wishlist
Plugin Slug:: yith-woocommerce-wishlist
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.10.1
Severity Score:: Medium
CVE:: 2025-12777

Plugin:: YITH WooCommerce Wishlist
Plugin Slug:: yith-woocommerce-wishlist
Installations: 500,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.10.1
Severity Score:: Medium
CVE:: 2025-12427

Plugin:: SiteSEO – SEO Simplified
Plugin Slug:: siteseo
Installations: 400,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-13085

Plugin:: SiteSEO – SEO Simplified
Plugin Slug:: siteseo
Installations: 400,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-12814

Plugin:: Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links
Plugin Slug:: broken-link-checker-seo
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.6
Severity Score:: Medium
CVE:: 2025-11734

Plugin:: SureForms – Contact Form, Payment Form & Other Custom Form Builder
Plugin Slug:: sureforms
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.13.2
Severity Score:: Medium
CVE:: 2025-12535

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.0.48
Severity Score:: High
CVE:: 2025-11307

Plugin:: Post Type Switcher
Plugin Slug:: post-type-switcher
Installations: 200,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2025-12524

Plugin:: WP Migrate Lite – WordPress Migration Made Easy
Plugin Slug:: wp-migrate-db
Installations: 200,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.7.7
Severity Score:: High
CVE:: 2025-11427

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.1.9
Severity Score:: Medium
CVE:: 2025-8084

Plugin:: Element Pack Addons for Elementor
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.3.5
Severity Score:: Medium
CVE:: 2025-13196

Plugin:: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.13.1
Severity Score:: High
CVE:: 2025-13206

Plugin:: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Plugin Slug:: post-expirator
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.2
Severity Score:: Low
CVE:: 2025-13149

Plugin:: Responsive Lightbox & Gallery
Plugin Slug:: responsive-lightbox
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.5.4
Severity Score:: Medium
CVE:: 2025-12359

Plugin:: VK All in One Expansion Unit
Plugin Slug:: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.112.2
Severity Score:: Medium
CVE:: 2025-11265

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.37
Severity Score:: Medium
CVE:: 2023-49282

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.36
Severity Score:: Critical
CVE:: 2025-12482

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.1
Severity Score:: Medium
CVE:: 2025-13141

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.0
Severity Score:: Medium
CVE:: 2025-11368

Plugin:: Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce
Plugin Slug:: email-subscribers
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.9.11
Severity Score:: Medium
CVE:: 2025-12349

Plugin:: FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution
Plugin Slug:: fluent-crm
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.85
Severity Score:: Medium
CVE:: 2025-12935

Plugin:: Live sales notification for WooCommerce
Plugin Slug:: live-sales-notifications-for-woocommerce
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.40
Severity Score:: High
CVE:: 2025-12955

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.7.1
Severity Score:: Medium
CVE:: 2025-13558

Plugin:: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.14.9
Severity Score:: Medium
CVE:: 2025-13054

Plugin:: Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
Plugin Slug:: woocommerce-google-adwords-conversion-tracking-tag
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.49.3
Severity Score:: Medium
CVE:: 2025-12545

Plugin:: WP Duplicate Page
Plugin Slug:: wp-duplicate-page
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2025-12481

Plugin:: OneClick Chat to Order
Plugin Slug:: oneclick-whatsapp-order
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.9
Severity Score:: High
CVE:: 2025-13526

Plugin:: RTMKit
Plugin Slug:: rometheme-for-elementor
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2025-8609

Plugin:: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Plugin Slug:: rafflepress
Installations: 30,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.12.21
Severity Score:: Medium
CVE:: 2025-66064

Plugin:: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Plugin Slug:: rafflepress
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.21
Severity Score:: High
CVE:: 2025-12484

Plugin:: Custom Order Numbers for WooCommerce
Plugin Slug:: custom-order-numbers-for-woocommerce
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.11.1
Severity Score:: Medium
CVE:: 2025-66071

Plugin:: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Plugin Slug:: directorist
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.5.3
Severity Score:: Medium
CVE:: 2025-12174

Plugin:: New User Approve
Plugin Slug:: new-user-approve
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.1.0
Severity Score:: Medium
CVE:: 2025-12770

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 6.7.0.81
Severity Score:: Medium
CVE:: 2025-12426

Plugin:: PPOM – Product Addons & Custom Fields for WooCommerce
Plugin Slug:: woocommerce-product-addon
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 33.0.17
Severity Score:: Medium
CVE:: 2025-66069

Plugin:: WP Import – Ultimate CSV XML Importer for WordPress
Plugin Slug:: wp-ultimate-csv-importer
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 7.34
Severity Score:: High
CVE:: 2025-13145

Plugin:: Classified Listing – AI-Powered Classified ads & Business Directory Plugin
Plugin Slug:: classified-listing
Installations: 10,000+
Vulnerability:: Content Spoofing
Patched in Version:: 5.0.4
Severity Score:: Medium
CVE:: 2025-7711

Plugin:: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Plugin Slug:: legal-pages
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.7
Severity Score:: Medium
CVE:: 2025-66077

Plugin:: Photonic Gallery & Lightbox for Flickr, SmugMug & Others
Plugin Slug:: photonic
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.22
Severity Score:: Medium
CVE:: 2025-12691

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.09
Severity Score:: Medium
CVE:: 2025-11815

Plugin:: Checkout Files Upload for WooCommerce
Plugin Slug:: checkout-files-upload-woocommerce
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: High
CVE:: 2025-4212

Plugin:: Portfolio, Gallery, Product Catalog – Grid KIT Portfolio
Plugin Slug:: portfolio-wp
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Icon List Block – Add Icon-Based Lists with Custom Styles
Plugin Slug:: icon-list-block
Installations: 5,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.2.2
Severity Score:: Medium
CVE:: 2025-12376

Plugin:: Import WP – Export and Import CSV and XML files to WordPress
Plugin Slug:: jc-importer
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.14.18
Severity Score:: Medium
CVE:: 2025-12894

Plugin:: Return Refund and Exchange For WooCommerce
Plugin Slug:: woo-refund-and-exchange-lite
Installations: 5,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.5.6
Severity Score:: Medium
CVE:: 2025-12881

Plugin:: Team Members Showcase
Plugin Slug:: wps-team
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.0
Severity Score:: High
CVE:: 2025-11560

Plugin:: Magical Products Display – Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search
Plugin Slug:: magical-products-display
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.30
Severity Score:: Medium
CVE:: 2025-12964

Plugin:: Property Hive
Plugin Slug:: propertyhive
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2025-66087

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.4
Severity Score:: Critical
CVE:: 2025-13138

Plugin:: Accordion Slider
Plugin Slug:: accordion-slider
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.14
Severity Score:: Medium
CVE:: 2025-66092

Plugin:: Extensions for Leaflet Map
Plugin Slug:: extensions-leaflet-map
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9
Severity Score:: Medium
CVE:: 2025-66093

Plugin:: Groundhogg — CRM, Newsletters, and Marketing Automation
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.2.7
Severity Score:: High
CVE:: 2025-12750

Plugin:: Groundhogg — CRM, Newsletters, and Marketing Automation
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.6.1
Severity Score:: Medium
CVE:: 2025-64367

Plugin:: Vitepos – Point of Sale (POS) for WooCommerce
Plugin Slug:: vitepos-lite
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.1
Severity Score:: Critical
CVE:: 2025-13156

Plugin:: Appointment Booking Calendar
Plugin Slug:: appointment-booking-calendar
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.97
Severity Score:: Medium
CVE:: 2025-13317

Plugin:: wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce
Plugin Slug:: catalog-mode-pricing-enquiry-forms-promotions
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2025-12639

Plugin:: CBX Bookmark & Favorite
Plugin Slug:: cbxwpbookmark
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-66101

Plugin:: CP Contact Form with PayPal
Plugin Slug:: cp-contact-form-with-paypal
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.57
Severity Score:: High
CVE:: 2025-13384

Plugin:: GSheetConnector For Ninja Forms
Plugin Slug:: gsheetconnector-ninja-forms
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-13136

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.1
Severity Score:: Medium
CVE:: 2025-12747

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.1
Severity Score:: High
CVE:: 2025-12746

Plugin:: TP WooCommerce Product Gallery
Plugin Slug:: tp-woocommerce-product-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2025-5092

Plugin:: Better Chat Support for Messenger
Plugin Slug:: better-chat-support
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.19
Severity Score:: Medium
CVE:: 2025-66113

Plugin:: Booking Calendar Contact Form
Plugin Slug:: booking-calendar-contact-form
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.61
Severity Score:: Medium
CVE:: 2025-13318

Plugin:: Show Variations as Single Products Woocommerce
Plugin Slug:: woo-show-single-variations-shop-category
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2025-66114

Plugin:: Checkbox
Plugin Slug:: checkbox
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.11
Severity Score:: Medium
CVE:: 2025-12170

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.2
Severity Score:: Medium
CVE:: 2025-10054

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-10039

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.2
Severity Score:: Critical
CVE:: 2025-11456

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2025-12169

Plugin:: Simple User Registration
Plugin Slug:: wp-registration
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7
Severity Score:: High
CVE:: 2025-12160

Plugin:: WP Delete Post Copies
Plugin Slug:: etruel-del-post-copies
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.3
Severity Score:: Medium
CVE:: 2025-12066

Plugin:: WP Login and Register using JWT
Plugin Slug:: login-register-using-jwt
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.0
Severity Score:: Medium
CVE:: 2025-12822

Plugin:: Time Slot – Booking and Appointment Scheduling
Plugin Slug:: timeslot
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.8
Severity Score:: Medium
CVE:: 2025-12842

Plugin:: EchBay Admin Security
Plugin Slug:: echbay-admin-security
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-11885

Plugin:: WP Dropzone
Plugin Slug:: wp-dropzone
Installations: 100+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.1
Severity Score:: Critical
CVE:: 2025-12775

Plugin:: S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator
Plugin Slug:: s2b-ai-assistant
Installations: 70+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.7.9
Severity Score:: Critical
CVE:: 2025-12973

Plugin:: Affiliate AI Lite
Plugin Slug:: affiliate-ai-lite
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.2
Severity Score:: Medium
CVE:: 2025-11799

Plugin:: WSChat – WordPress Live Chat
Plugin Slug:: wschat-live-chat
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.7
Severity Score:: Medium
CVE:: 2025-12751

Plugin:: Community Events
Plugin Slug:: community-events
Installations: 30+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.5
Severity Score:: Critical
CVE:: 2025-12646

Plugin:: Pet-Manager – Petfinder
Plugin Slug:: tier-management-petfinder
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2025-12710

Plugin:: WPBookit
Plugin Slug:: wpbookit
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.7
Severity Score:: High
CVE:: 2025-12135

Plugin:: atec Duplicate Page & Post
Plugin Slug:: atec-duplicate-page-post
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.21
Severity Score:: Medium
CVE:: 2025-13404

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.9.22
Severity Score:: Critical
CVE:: 2025-12974

Plugin:: Zegen Core
Plugin Slug:: zegen-core
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.2
Severity Score:: Critical
CVE:: 2025-11087

WordPress Themes — 0 Patched / 1 Unpatched

Theme:: OnePress
Theme Slug:: onepress
Downloads: 2,469,341
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5092

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 89 Patched / 74 Unpatched