WordPress Vulnerability Report — March 25, 2026

Since last week, 331 new vulnerabilities have emerged in the WordPress ecosystem, including 275 plugins and 56 themes. Of those, 120 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Mar 25, 2026

Filed Under:WordPress Vulnerability Report

Reading Time:57 min.

In this report, 331 vulnerabilities have been publicly disclosed. Security patches for 211 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 120 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 162 Patched / 113 Unpatched

2.1 StoreCustomizer – A plugin to Customize all WooCommerce Pages
2.2 Product Slider, Product Grid, Product Masonry
2.3 WPCargo Track & Trace
2.4 Booking calendar, Appointment Booking System
2.5 Coinbase Commerce – Crypto Gateway for WooCommerce
2.6 CP Multi View Events Calendar
2.7 Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
2.8 TotalPoll for Polls and Contests
2.9 Gutenberg Blocks – Unlimited blocks For Gutenberg
2.10 GZSEO
2.11 ViaBill – WooCommerce
2.12 Vertex Addons for Elementor
2.13 Product Rearrange for WooCommerce
2.14 Product Rearrange for WooCommerce
2.15 Remoji – Post/Comment Reaction and Enhancement
2.16 Automated FedEx live/manual rates with shipping labels – HPOS supported
2.17 Widget Wrangler
2.18 File Uploader for WooCommerce
2.19 Admin Safety Guard — Login Security & 2FA
2.20 Ad Short
2.21 Add Google Social Profiles to Knowledge Graph Box
2.22 ACPT (Pro) – Custom Post Types Plugin for WordPress
2.23 Alfie
2.24 Any Post Slider
2.25 App Builder
2.26 Reward Video Ad for WordPress
2.27 Appmax
2.28 Ave Core
2.29 Build App Online
2.30 Canto
2.31 CMS Commander
2.32 Comment SPAM Wiper
2.33 Company Posts for LinkedIn
2.34 Content Syndication Toolkit
2.35 Curly Core
2.36 e-shot
2.37 Easy Image Gallery
2.38 Ecover Builder For Dummies
2.39 Ed’s Font Awesome
2.40 Ed’s Social Share
2.41 ElementCamp
2.42 Expire Users
2.43 Fonts Manager | Custom Fonts
2.44 FuseDesk
2.45 fyyd podcast shortcodes
2.46 Go Night Pro
2.47 Hr Press Lite
2.48 Integration with Hubspot Forms
2.49 Invelity Product Feeds
2.50 itsukaita
2.51 iVysilani Shortcode
2.52 Jobica Core
2.53 Linksy Search and Replace
2.54 Listeo Core
2.55 Lobot Slider Administrator
2.56 login_register
2.57 Mandatory Field
2.58 MimeTypes Link Icons
2.59 MinhNhut Link Gateway
2.60 Modern Events Calendar
2.61 Multi Functional Flexi Lightbox
2.62 Multi Post Carousel by Category
2.63 myLinksDump
2.64 Neos Connector for Fakturama
2.65 Outgrow
2.66 Paypal Shortcodes
2.67 PQ Addons – Creative Elementor Widgets
2.68 Performance Monitor
2.69 Post Flagger
2.70 Post Snippits
2.71 Post Affiliate Pro
2.72 Pre* Party Resource Hints
2.73 Punnel – Landing Page Builder
2.74 Quentn WP
2.75 Redirect countdown
2.76 REST API TO MiniProgram
2.77 Review Map by RevuKangaroo
2.78 Ricerca – advanced search
2.79 WooCommerce Infinite Scroll
2.80 Schema Shortcode
2.81 Sheets2Table
2.82 Sherk Custom Post Type Displays
2.83 Weaver Show Posts
2.84 Show Posts list
2.85 Simple Football Scoreboard
2.86 Smarter Analytics
2.87 Speedup Optimization
2.88 SR WP Minify HTML
2.89 Survey
2.90 Task Manager
2.91 Text Toggle
2.92 The Aisle Core
2.93 Tour & Activity Operator Plugin for TourCMS
2.94 Tutor LMS Pro
2.95 Twitter Feeds
2.96 Unlimited Elements for Elementor (Premium)
2.97 Vagaro Booking Widget
2.98 Wikilookup
2.99 WishList Member X
2.100 WishList Member X
2.101 WZone
2.102 WZone
2.103 WordPress PayPal Donation
2.104 WP-Chatbot for Messenger
2.105 WP Games Embed
2.106 WP NG Weather
2.107 WP Posts Re-order
2.108 WP Random Button
2.109 WPBookit Pro
2.110 WPBookit Pro
2.111 WPFAQBlock
2.112 Writeprint Stylometry
2.113 Xhanch – My Advanced Settings
2.114 Yoast SEO – Advanced SEO with real-time guidance and built-in AI
2.115 WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
2.116 Yoast Duplicate Post
2.117 Autoptimize
2.118 Autoptimize
2.119 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.120 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
2.121 Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
2.122 Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
2.123 WP Go Maps (formerly WP Google Maps)
2.124 Download Manager
2.125 LatePoint – Calendar Booking Plugin for Appointments and Events
2.126 Tutor LMS – eLearning and online course solution
2.127 JetFormBuilder — Dynamic Blocks Form Builder
2.128 SlimStat Analytics
2.129 Online Scheduling and Appointment Booking System – Bookly
2.130 EmailKit – Email Customizer for WooCommerce & WP
2.131 SMTP Mailer
2.132 Contextual Related Posts
2.133 Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts
2.134 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
2.135 User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2.136 Visual Portfolio, Photo Gallery & Post Grid
2.137 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
2.138 Mixed Media Gallery Blocks
2.139 Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits
2.140 PPWP – Password Protect Pages
2.141 Ultimate Post Kit Addons for Elementor
2.142 Print Invoice & Delivery Notes for WooCommerce
2.143 Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools
2.144 WP Custom Admin Interface
2.145 Kali Forms — Contact Form & Drag-and-Drop Builder
2.146 New User Approve
2.147 Post Snippets – Custom WordPress Code Snippets Customizer
2.148 Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
2.149 Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor
2.150 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types
2.151 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
2.152 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
2.153 Lead Form Builder & Contact Form
2.154 Five Star Restaurant Reservations – WordPress Booking Plugin
2.155 Membership Plugin – Restrict Content
2.156 Membership Plugin – Restrict Content
2.157 Review Schema – Review & Structure Data Schema Plugin
2.158 PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes
2.159 Code Embed
2.160 Subscriptions for WooCommerce
2.161 Team – Team Members Showcase Plugin
2.162 weForms – Easy Drag & Drop Contact Form Builder For WordPress
2.163 Spam Protect for Contact Form 7
2.164 WP REST Cache
2.165 WPVulnerability
2.166 YML for Yandex Market
2.167 Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms
2.168 Contact Form Email
2.169 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
2.170 Event Booking Manager for WooCommerce
2.171 ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
2.172 ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
2.173 WP TripAdvisor Review Slider
2.174 Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AI
2.175 EventPrime – Events Calendar, Bookings and Tickets
2.176 EventPrime – Events Calendar, Bookings and Tickets
2.177 JS Help Desk – AI-Powered Support & Ticketing System
2.178 JS Help Desk – AI-Powered Support & Ticketing System
2.179 NEX-Forms – Ultimate Forms Plugin for WordPress
2.180 NEX-Forms – Ultimate Forms Plugin for WordPress
2.181 WP Review Slider
2.182 WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
2.183 Get Use APIs – JSON Content Importer
2.184 OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)
2.185 ProfileGrid – User Profiles, Groups and Communities
2.186 WowStore – Store Builder & Product Blocks for WooCommerce
2.187 User Verification by PickPlugins
2.188 Fraud Prevention For WooCommerce and EDD
2.189 ElementInvader Addons for Elementor
2.190 Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization
2.191 RSFirewall!
2.192 Abandoned Cart Recovery for WooCommerce
2.193 WPJAM Basic
2.194 WP Telegram Widget and Join Link
2.195 JS Archive List
2.196 Kargo Takip
2.197 WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups
2.198 Bit SMTP – Easy SMTP Solution with Email Logs
2.199 Comments Import & Export
2.200 Info Cards – Add Text and Media in Card Layouts
2.201 KiviCare – Clinic & Patient Management System (EHR)
2.202 KiviCare – Clinic & Patient Management System (EHR)
2.203 KiviCare – Clinic & Patient Management System (EHR)
2.204 KiviCare – Clinic & Patient Management System (EHR)
2.205 Photo Engine (Media Organizer & Lightroom)
2.206 avalex – Automatisch sichere Rechtstexte
2.207 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
2.208 Contact List – Online Staff Directory & Address Book
2.209 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
2.210 Flexmls® IDX Plugin
2.211 Injection Guard
2.212 WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation
2.213 WP Easy Pay – Payment and Donation form Builder for Square
2.214 bBlocks – Essential Gutenberg Blocks & Patterns Collection
2.215 My Tickets – Accessible Event Ticketing
2.216 Premmerce Redirect Manager
2.217 VikRestaurants Table Reservations and Take-Away
2.218 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
2.219 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
2.220 Taboola Pixel
2.221 Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting
2.222 Keep Backup Daily
2.223 Keep Backup Daily
2.224 CM Custom Reports – Flexible reporting to track what matters most
2.225 Helpdesk Support Ticket System for WooCommerce
2.226 ilGhera Carta Docente for WooCommerce
2.227 Image Slider by Ays- Responsive Slider and Carousel
2.228 WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
2.229 Contact Manager
2.230 Creator LMS – Online Courses and eLearning Plugin
2.231 FAQ Builder AYS
2.232 LearnPress – Sepay Payment
2.233 Petitioner
2.234 Product File Upload for WooCommerce
2.235 RewardsWP – Loyalty Points & Referral Program for WooCommerce
2.236 Add Custom Fields to Media
2.237 Draft List
2.238 Filestack WP Upload
2.239 Activity Log for WordPress
2.240 Instant Popup Builder – Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation
2.241 Scoreboard for HTML5 Games Lite
2.242 [CR]Paid Link Manager
2.243 RockPress
2.244 WP Cost Estimation & Payment Forms Builder
2.245 Addon Jobsearch Chat
2.246 Addon Jobsearch Chat
2.247 SUMO Affiliates Pro
2.248 Aimogen Pro
2.249 Elated Listing
2.250 XStore Core
2.251 Fusion Builder
2.252 Gyan Elements
2.253 Green Downloads
2.254 Ultimate Membership Pro
2.255 Jobica Core
2.256 Jobica Core
2.257 Lumise Product Designer
2.258 Miraculous Core Plugin
2.259 Motta Addons
2.260 NaturaLife Extensions
2.261 NaturaLife Extensions
2.262 Organici Library
2.263 Organici Library
2.264 Organici Library
2.265 Visionary Core
2.266 Visionary Core
2.267 Phox Hosting
2.268 Salon Booking System Pro
2.269 tagDiv Opt-In Builder
2.270 The Grid
2.271 The Grid
2.272 UpSolution Core
2.273 WooCommerce Support Ticket System
2.274 WP Configurator Pro
2.275 JobSearch

3. WordPress Themes — 49 Patched / 7 Unpatched

3.1 Apicona
3.2 Jannah
3.3 Kentha
3.4 Mixtape
3.5 Moments
3.6 Photography
3.7 The League
3.8 Education Zone
3.9 Ona
3.10 Archicon
3.11 Borgholm
3.12 Car Dealer
3.13 Feedy
3.14 Gaea
3.15 Goldish
3.16 Golo
3.17 Gracey
3.18 Halstein
3.19 IdealAuto
3.20 Jaroti
3.21 Kamperen
3.22 Kiddy
3.23 KIDZ
3.24 Kunco
3.25 Boutique
3.26 Leroux
3.27 Loobek
3.28 LoveDate
3.29 Meloo
3.30 MetaMax
3.31 Miraculous
3.32 Miti
3.33 Molla
3.34 MyDecor
3.35 MyMedi
3.36 CitiLights
3.37 CitiLights
3.38 Jobmonster
3.39 Nooni
3.40 Pelicula
3.41 Pendulum
3.42 Reebox
3.43 Ricky
3.44 Riode
3.45 Sanzo
3.46 Scape
3.47 Stål
3.48 StreamVid
3.49 Tasty Daily
3.50 Traveler
3.51 Trendustry
3.52 Vayvo
3.53 Vex
3.54 VintWood
3.55 WoodMart
3.56 Yobazar

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9.4 is now available, addressing 10 security issues and a bug that affected template file loading on a limited number of sites. Because this is a security release, it is recommended that you update your sites immediately.

Also, WordPress 7.0 RC1 is ready for download and testing! As this is a pre-release version, it is intended for testing and development only and should not be installed on production or mission-critical sites. Organizations should use local or staging environments to evaluate compatibility and new features before the final rollout.

WordPress 7.0 is scheduled for release on April 9, 2026.

WordPress Plugins — 162 Patched / 113 Unpatched

Plugin:: StoreCustomizer – A plugin to Customize all WooCommerce Pages
Plugin Slug:: woocustomizer
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-27046

Plugin:: Product Slider, Product Grid, Product Masonry
Plugin Slug:: woocommerce-products-slider
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25455

Plugin:: WPCargo Track & Trace
Plugin Slug:: wpcargo
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25401

Plugin:: Booking calendar, Appointment Booking System
Plugin Slug:: booking-calendar
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25435

Plugin:: Coinbase Commerce – Crypto Gateway for WooCommerce
Plugin Slug:: commerce-coinbase-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25396

Plugin:: CP Multi View Events Calendar
Plugin Slug:: cp-multi-view-calendar
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25465

Plugin:: Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Plugin Slug:: nexa-blocks
Installations: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25429

Plugin:: TotalPoll for Polls and Contests
Plugin Slug:: totalpoll-lite
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27044

Plugin:: Gutenberg Blocks – Unlimited blocks For Gutenberg
Plugin Slug:: unlimited-blocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25438

Plugin:: GZSEO
Plugin Slug:: gzseo
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25437

Plugin:: ViaBill – WooCommerce
Plugin Slug:: viabill-woocommerce
Installations: 500+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25469

Plugin:: Vertex Addons for Elementor
Plugin Slug:: addons-for-elementor-builder
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25398

Plugin:: Product Rearrange for WooCommerce
Plugin Slug:: products-rearrange-woocommerce
Installations: 400+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-31920

Plugin:: Product Rearrange for WooCommerce
Plugin Slug:: products-rearrange-woocommerce
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-31921

Plugin:: Remoji – Post/Comment Reaction and Enhancement
Plugin Slug:: remoji
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25452

Plugin:: Automated FedEx live/manual rates with shipping labels – HPOS supported
Plugin Slug:: a2z-fedex-shipping
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25456

Plugin:: Widget Wrangler
Plugin Slug:: widget-wrangler
Installations: 200+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25447

Plugin:: File Uploader for WooCommerce
Plugin Slug:: file-uploader-for-woocommerce
Installations: 100+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25397

Plugin:: Admin Safety Guard — Login Security & 2FA
Plugin Slug:: admin-safety-guard
Installations: 10+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25471

Plugin:: Ad Short
Plugin Slug:: ad-short
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4067

Plugin:: Add Google Social Profiles to Knowledge Graph Box
Plugin Slug:: add-google-social-profiles-to-knowledge-graph-box
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1393

Plugin:: ACPT (Pro) – Custom Post Types Plugin for WordPress
Plugin Slug:: advanced-custom-post-type
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25470

Plugin:: Alfie
Plugin Slug:: alfie-the-productfeedtool-wp-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4069

Plugin:: Any Post Slider
Plugin Slug:: any-post-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1899

Plugin:: App Builder
Plugin Slug:: app-builder
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2375

Plugin:: Reward Video Ad for WordPress
Plugin Slug:: applixir
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2424

Plugin:: Appmax
Plugin Slug:: appmax
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3641

Plugin:: Ave Core
Plugin Slug:: ave-core
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25460

Plugin:: Build App Online
Plugin Slug:: build-app-online
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3651

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3335

Plugin:: CMS Commander
Plugin Slug:: cms-commander-client
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3334

Plugin:: Comment SPAM Wiper
Plugin Slug:: comment-spam-wiper
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3353

Plugin:: Company Posts for LinkedIn
Plugin Slug:: company-posts-for-linkedin
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1935

Plugin:: Content Syndication Toolkit
Plugin Slug:: content-syndication-toolkit
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3478

Plugin:: Curly Core
Plugin Slug:: curly-core
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27047

Plugin:: e-shot
Plugin Slug:: e-shot-form-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3546

Plugin:: Easy Image Gallery
Plugin Slug:: easy-image-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-2540

Plugin:: Ecover Builder For Dummies
Plugin Slug:: ecover-builder-for-dummies
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4077

Plugin:: Ed’s Font Awesome
Plugin Slug:: eds-font-awesome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2496

Plugin:: Ed’s Social Share
Plugin Slug:: eds-social-share
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2501

Plugin:: ElementCamp
Plugin Slug:: element-camp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2503

Plugin:: Expire Users
Plugin Slug:: expire-users
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4261

Plugin:: Fonts Manager | Custom Fonts
Plugin Slug:: fonts-manager-custom-fonts
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1800

Plugin:: FuseDesk
Plugin Slug:: fusedesk
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1914

Plugin:: fyyd podcast shortcodes
Plugin Slug:: fyyd-podcast-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4084

Plugin:: Go Night Pro
Plugin Slug:: go-night-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1886

Plugin:: Hr Press Lite
Plugin Slug:: hr-press-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2720

Plugin:: Integration with Hubspot Forms
Plugin Slug:: integration-with-hubspot-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1908

Plugin:: Invelity Product Feeds
Plugin Slug:: invelity-products-feeds
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14037

Plugin:: itsukaita
Plugin Slug:: itsukaita
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2427

Plugin:: iVysilani Shortcode
Plugin Slug:: ivysilani-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1851

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27049

Plugin:: Linksy Search and Replace
Plugin Slug:: linksy-search-and-replace
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2941

Plugin:: Listeo Core
Plugin Slug:: listeo-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25461

Plugin:: Lobot Slider Administrator
Plugin Slug:: lobot-slider-administrator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3331

Plugin:: login_register
Plugin Slug:: login-register
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1503

Plugin:: Mandatory Field
Plugin Slug:: mandatory-fields
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1278

Plugin:: MimeTypes Link Icons
Plugin Slug:: mimetypes-link-icons
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1313

Plugin:: MinhNhut Link Gateway
Plugin Slug:: minhnhut-link-gateway
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3333

Plugin:: Modern Events Calendar
Plugin Slug:: modern-events-calendar
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-32583

Plugin:: Multi Functional Flexi Lightbox
Plugin Slug:: multi-functional-flexi-lightbox
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3347

Plugin:: Multi Post Carousel by Category
Plugin Slug:: multi-post-carousel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1275

Plugin:: myLinksDump
Plugin Slug:: mylinksdump
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2279

Plugin:: Neos Connector for Fakturama
Plugin Slug:: neos-connector-for-fakturama
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4143

Plugin:: Outgrow
Plugin Slug:: outgrow
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1889

Plugin:: Paypal Shortcodes
Plugin Slug:: paypal-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3617

Plugin:: PQ Addons – Creative Elementor Widgets
Plugin Slug:: peacefulqode-elementzplus-widgets
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1397

Plugin:: Performance Monitor
Plugin Slug:: performance-monitor
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1648

Plugin:: Post Flagger
Plugin Slug:: post-flagger
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1854

Plugin:: Post Snippits
Plugin Slug:: post-snippits
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2723

Plugin:: Post Affiliate Pro
Plugin Slug:: postaffiliatepro
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2290

Plugin:: Pre* Party Resource Hints
Plugin Slug:: pre-party-browser-hints
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4087

Plugin:: Punnel – Landing Page Builder
Plugin Slug:: punnel-landing-page-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3645

Plugin:: Quentn WP
Plugin Slug:: quentn-wp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-2468

Plugin:: Redirect countdown
Plugin Slug:: redirect-countdown
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1390

Plugin:: REST API TO MiniProgram
Plugin Slug:: rest-api-to-miniprogram
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3460

Plugin:: Review Map by RevuKangaroo
Plugin Slug:: review-map-by-revukangaroo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4161

Plugin:: Ricerca – advanced search
Plugin Slug:: ricerca-smart-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2837

Plugin:: WooCommerce Infinite Scroll
Plugin Slug:: sb-woocommerce-infinite-scroll
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27045

Plugin:: Schema Shortcode
Plugin Slug:: schema-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1575

Plugin:: Sheets2Table
Plugin Slug:: sheets2table
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3619

Plugin:: Sherk Custom Post Type Displays
Plugin Slug:: sherk-custom-post-type-displays
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3554

Plugin:: Weaver Show Posts
Plugin Slug:: show-posts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2121

Plugin:: Show Posts list
Plugin Slug:: show-posts-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4022

Plugin:: Simple Football Scoreboard
Plugin Slug:: simple-football-score-board
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1891

Plugin:: Smarter Analytics
Plugin Slug:: smarter-analytics
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3570

Plugin:: Speedup Optimization
Plugin Slug:: speedup-optimization
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4127

Plugin:: SR WP Minify HTML
Plugin Slug:: sr-wp-minify-html
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1392

Plugin:: Survey
Plugin Slug:: survey
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1247

Plugin:: Task Manager
Plugin Slug:: task-manager
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2351

Plugin:: Text Toggle
Plugin Slug:: text-toggle
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3997

Plugin:: The Aisle Core
Plugin Slug:: theaisle-core
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27048

Plugin:: Tour & Activity Operator Plugin for TourCMS
Plugin Slug:: tour-operator-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1806

Plugin:: Tutor LMS Pro
Plugin Slug:: tutor-pro
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25406

Plugin:: Twitter Feeds
Plugin Slug:: twitter-feeds
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1911

Plugin:: Unlimited Elements for Elementor (Premium)
Plugin Slug:: unlimited-elements-for-elementor-premium
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-27041

Plugin:: Vagaro Booking Widget
Plugin Slug:: vagaro-booking-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3003

Plugin:: Wikilookup
Plugin Slug:: wikilookup
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3354

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25445

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25446

Plugin:: WZone
Plugin Slug:: woozone
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27039

Plugin:: WZone
Plugin Slug:: woozone
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27040

Plugin:: WordPress PayPal Donation
Plugin Slug:: wordpress-paypal-donation
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4072

Plugin:: WP-Chatbot for Messenger
Plugin Slug:: wp-chatbot
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3506

Plugin:: WP Games Embed
Plugin Slug:: wp-games-embed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3996

Plugin:: WP NG Weather
Plugin Slug:: wp-ng-weather
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1822

Plugin:: WP Posts Re-order
Plugin Slug:: wp-posts-re-order
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1378

Plugin:: WP Random Button
Plugin Slug:: wp-random-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4086

Plugin:: WPBookit Pro
Plugin Slug:: wpbookit-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25413

Plugin:: WPBookit Pro
Plugin Slug:: wpbookit-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25414

Plugin:: WPFAQBlock
Plugin Slug:: wpfaqblock
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1093

Plugin:: Writeprint Stylometry
Plugin Slug:: writeprint-stylometry
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3512

Plugin:: Xhanch – My Advanced Settings
Plugin Slug:: xhanch-my-advanced-settings
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3332

Plugin:: Yoast SEO – Advanced SEO with real-time guidance and built-in AI
Plugin Slug:: wordpress-seo
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 27.2
Severity Score:: Medium
CVE:: 2026-3427

Plugin:: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Plugin Slug:: wpforms-lite
Installations: 6,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.9.9.2
Severity Score:: Medium
CVE:: 2026-25339

Plugin:: Yoast Duplicate Post
Plugin Slug:: duplicate-post
Installations: 4,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.6
Severity Score:: Medium
CVE:: 2026-1217

Plugin:: Autoptimize
Plugin Slug:: autoptimize
Installations: 900,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.15
Severity Score:: Medium
CVE:: 2026-2430

Plugin:: Autoptimize
Plugin Slug:: autoptimize
Installations: 900,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.15
Severity Score:: Medium
CVE:: 2026-2352

Plugin:: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.1050
Severity Score:: Medium
CVE:: 2026-2373

Plugin:: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations: 400,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.0.5
Severity Score:: High
CVE:: 2026-1463

Plugin:: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.0
Severity Score:: High
CVE:: 2026-3090

Plugin:: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.0
Severity Score:: Medium
CVE:: 2026-2559

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.0.06
Severity Score:: Medium
CVE:: 2026-4268

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.50
Severity Score:: Medium
CVE:: 2026-2571

Plugin:: LatePoint – Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.2.7
Severity Score:: Medium
CVE:: 2026-32533

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.9.5
Severity Score:: Medium
CVE:: 2025-32223

Plugin:: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 90,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.5.6.2
Severity Score:: Critical
CVE:: 2026-32525

Plugin:: SlimStat Analytics
Plugin Slug:: wp-slimstat
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.0
Severity Score:: High
CVE:: 2026-1238

Plugin:: Online Scheduling and Appointment Booking System – Bookly
Plugin Slug:: bookly-responsive-appointment-booking-tool
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 26.8
Severity Score:: High
CVE:: 2026-32540

Plugin:: EmailKit – Email Customizer for WooCommerce & WP
Plugin Slug:: emailkit
Installations: 70,000+
Vulnerability:: Path Traversal
Patched in Version:: 1.6.4
Severity Score:: Medium
CVE:: 2026-3474

Plugin:: SMTP Mailer
Plugin Slug:: smtp-mailer
Installations: 70,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.25
Severity Score:: High
CVE:: 2026-32538

Plugin:: Contextual Related Posts
Plugin Slug:: contextual-related-posts
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2026-32565

Plugin:: Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts
Plugin Slug:: insert-php
Installations: 60,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.7.2
Severity Score:: Critical
CVE:: 2026-25366

Plugin:: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.10.2
Severity Score:: Critical
CVE:: 2026-3658

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 5.1.3
Severity Score:: High
CVE:: 2026-32488

Plugin:: Visual Portfolio, Photo Gallery & Post Grid
Plugin Slug:: visual-portfolio
Installations: 60,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2026-32537

Plugin:: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Plugin Slug:: dokan-lite
Installations: 40,000+
Vulnerability:: Broken Authentication
Patched in Version:: 4.2.5
Severity Score:: High
CVE:: 2026-24359

Plugin:: Mixed Media Gallery Blocks
Plugin Slug:: simply-gallery-block
Installations: 40,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.3.2.1
Severity Score:: Critical
CVE:: 2026-25345

Plugin:: Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits
Plugin Slug:: master-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2026-32462

Plugin:: PPWP – Password Protect Pages
Plugin Slug:: password-protect-page
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.16
Severity Score:: Medium
CVE:: 2026-32562

Plugin:: Ultimate Post Kit Addons for Elementor
Plugin Slug:: ultimate-post-kit
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.22
Severity Score:: Medium
CVE:: 2026-24362

Plugin:: Print Invoice & Delivery Notes for WooCommerce
Plugin Slug:: woocommerce-delivery-notes
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.0.0
Severity Score:: High
CVE:: 2026-25317

Plugin:: Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools
Plugin Slug:: woocommerce-jetpack
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.11.3
Severity Score:: Medium
CVE:: 2026-32586

Plugin:: WP Custom Admin Interface
Plugin Slug:: wp-custom-admin-interface
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.43
Severity Score:: Medium
CVE:: 2026-32521

Plugin:: Kali Forms — Contact Form & Drag-and-Drop Builder
Plugin Slug:: kali-forms
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.4.10
Severity Score:: Critical
CVE:: 2026-3584

Plugin:: New User Approve
Plugin Slug:: new-user-approve
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.4
Severity Score:: Medium
CVE:: 2026-25390

Plugin:: Post Snippets – Custom WordPress Code Snippets Customizer
Plugin Slug:: post-snippets
Installations: 20,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 4.0.13
Severity Score:: High
CVE:: 2026-25001

Plugin:: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Plugin Slug:: publishpress-authors
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.11.0
Severity Score:: High
CVE:: 2026-25309

Plugin:: Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor
Plugin Slug:: thim-elementor-kit
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2026-1870

Plugin:: Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types
Plugin Slug:: wicked-folders
Installations: 20,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.1.1
Severity Score:: Medium
CVE:: 2026-1883

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.9
Severity Score:: High
CVE:: 2026-32485

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.9
Severity Score:: Medium
CVE:: 2026-2233

Plugin:: Lead Form Builder & Contact Form
Plugin Slug:: lead-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: High
CVE:: 2026-32532

Plugin:: Five Star Restaurant Reservations – WordPress Booking Plugin
Plugin Slug:: restaurant-reservations
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.10
Severity Score:: Medium
CVE:: 2026-25327

Plugin:: Membership Plugin – Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.23
Severity Score:: High
CVE:: 2026-32546

Plugin:: Membership Plugin – Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Broken Authentication
Patched in Version:: 3.2.25
Severity Score:: Medium
CVE:: 2026-4136

Plugin:: Review Schema – Review & Structure Data Schema Plugin
Plugin Slug:: review-schema
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2026-25344

Plugin:: PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes
Plugin Slug:: revisionary
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.7.24
Severity Score:: Critical
CVE:: 2026-32539

Plugin:: Code Embed
Plugin Slug:: simple-embed-code
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.2
Severity Score:: Medium
CVE:: 2026-2512

Plugin:: Subscriptions for WooCommerce
Plugin Slug:: subscriptions-for-woocommerce
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2026-1926

Plugin:: Team – Team Members Showcase Plugin
Plugin Slug:: tlp-team
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.12
Severity Score:: High
CVE:: 2026-25026

Plugin:: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.27
Severity Score:: High
CVE:: 2026-32484

Plugin:: Spam Protect for Contact Form 7
Plugin Slug:: wp-contact-form-7-spam-blocker
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.2.10
Severity Score:: Medium
CVE:: 2026-32496

Plugin:: WP REST Cache
Plugin Slug:: wp-rest-cache
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2026.1.1
Severity Score:: High
CVE:: 2026-25347

Plugin:: WPVulnerability
Plugin Slug:: wpvulnerability
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.1.1
Severity Score:: Medium
CVE:: 2026-24376

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2026-32567

Plugin:: Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms
Plugin Slug:: cf7-mailchimp
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2026-25430

Plugin:: Contact Form Email
Plugin Slug:: contact-form-to-email
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.64
Severity Score:: Medium
CVE:: 2026-32483

Plugin:: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.0.7.7
Severity Score:: High
CVE:: 2026-32498

Plugin:: Event Booking Manager for WooCommerce
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.5
Severity Score:: High
CVE:: 2026-25361

Plugin:: ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-10734

Plugin:: ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-10731

Plugin:: WP TripAdvisor Review Slider
Plugin Slug:: wp-tripadvisor-review-slider
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.2
Severity Score:: Medium
CVE:: 2026-32490

Plugin:: Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AI
Plugin Slug:: alt-manager
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: Medium
CVE:: 2026-3350

Plugin:: EventPrime – Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.8.4
Severity Score:: High
CVE:: 2026-25312

Plugin:: EventPrime – Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.2.8.1
Severity Score:: Critical
CVE:: 2026-24378

Plugin:: JS Help Desk – AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.0.4
Severity Score:: Medium
CVE:: 2026-32535

Plugin:: JS Help Desk – AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.0.4
Severity Score:: High
CVE:: 2026-32534

Plugin:: NEX-Forms – Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 9.1.10
Severity Score:: Medium
CVE:: 2026-1948

Plugin:: NEX-Forms – Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 9.1.10
Severity Score:: High
CVE:: 2026-1947

Plugin:: WP Review Slider
Plugin Slug:: wp-facebook-reviews
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.0
Severity Score:: Medium
CVE:: 2026-32491

Plugin:: WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
Plugin Slug:: chatbot
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.8.0
Severity Score:: Critical
CVE:: 2026-32499

Plugin:: Get Use APIs – JSON Content Importer
Plugin Slug:: json-content-importer
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.10
Severity Score:: Medium
CVE:: 2025-15363

Plugin:: OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)
Plugin Slug:: oopspam-anti-spam
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.63
Severity Score:: High
CVE:: 2026-32544

Plugin:: ProfileGrid – User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.8.2
Severity Score:: Medium
CVE:: 2026-25417

Plugin:: WowStore – Store Builder & Product Blocks for WooCommerce
Plugin Slug:: product-blocks
Installations: 5,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.4.4
Severity Score:: Critical
CVE:: 2026-2579

Plugin:: User Verification by PickPlugins
Plugin Slug:: user-verification
Installations: 5,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.0.46
Severity Score:: Medium
CVE:: 2026-32497

Plugin:: Fraud Prevention For WooCommerce and EDD
Plugin Slug:: woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Installations: 5,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 2.3.4
Severity Score:: High
CVE:: 2026-25443

Plugin:: ElementInvader Addons for Elementor
Plugin Slug:: elementinvader-addons-for-elementor
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2026-25007

Plugin:: Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization
Plugin Slug:: nelio-ab-testing
Installations: 4,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 8.2.8
Severity Score:: Critical
CVE:: 2026-32573

Plugin:: RSFirewall!
Plugin Slug:: rsfirewall
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.46
Severity Score:: High
CVE:: 2026-25341

Plugin:: Abandoned Cart Recovery for WooCommerce
Plugin Slug:: woo-abandoned-cart-recovery
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.11
Severity Score:: High
CVE:: 2026-32526

Plugin:: WPJAM Basic
Plugin Slug:: wpjam-basic
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.9.2.1
Severity Score:: Critical
CVE:: 2026-32523

Plugin:: WP Telegram Widget and Join Link
Plugin Slug:: wptelegram-widget
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.14
Severity Score:: High
CVE:: 2026-23807

Plugin:: JS Archive List
Plugin Slug:: jquery-archive-list-widget
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.2.0
Severity Score:: High
CVE:: 2026-32513

Plugin:: Kargo Takip
Plugin Slug:: kargo-takip-turkiye
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.2.4
Severity Score:: Medium
CVE:: 2026-25365

Plugin:: WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups
Plugin Slug:: wp-terms-popup
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.11.0
Severity Score:: High
CVE:: 2026-32495

Plugin:: Bit SMTP – Easy SMTP Solution with Email Logs
Plugin Slug:: bit-smtp
Installations: 2,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.2.3
Severity Score:: Critical
CVE:: 2026-32519

Plugin:: Comments Import & Export
Plugin Slug:: comments-import-export-woocommerce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.0
Severity Score:: High
CVE:: 2026-32441

Plugin:: Info Cards – Add Text and Media in Card Layouts
Plugin Slug:: info-cards
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2026-4120

Plugin:: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: High
CVE:: 2026-25383

Plugin:: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2026-25034

Plugin:: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.3
Severity Score:: High
CVE:: 2026-2992

Plugin:: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.1.3
Severity Score:: Critical
CVE:: 2026-2991

Plugin:: Photo Engine (Media Organizer & Lightroom)
Plugin Slug:: wplr-sync
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.5.0
Severity Score:: Critical
CVE:: 2026-32524

Plugin:: avalex – Automatisch sichere Rechtstexte
Plugin Slug:: avalex
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2026-25462

Plugin:: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Plugin Slug:: booking-and-rental-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2026-23972

Plugin:: Contact List – Online Staff Directory & Address Book
Plugin Slug:: contact-list
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.19
Severity Score:: Medium
CVE:: 2026-3516

Plugin:: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 28.1.3
Severity Score:: Critical
CVE:: 2026-25035

Plugin:: Flexmls® IDX Plugin
Plugin Slug:: flexmls-idx
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.15.10
Severity Score:: High
CVE:: 2026-25369

Plugin:: Injection Guard
Plugin Slug:: injection-guard
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: High
CVE:: 2026-3368

Plugin:: WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation
Plugin Slug:: optin
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.4.30
Severity Score:: High
CVE:: 2026-4302

Plugin:: WP Easy Pay – Payment and Donation form Builder for Square
Plugin Slug:: wp-easy-pay
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.12
Severity Score:: Medium
CVE:: 2026-32587

Plugin:: bBlocks – Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.30
Severity Score:: Medium
CVE:: 2026-32489

Plugin:: My Tickets – Accessible Event Ticketing
Plugin Slug:: my-tickets
Installations: 700+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2026-32492

Plugin:: Premmerce Redirect Manager
Plugin Slug:: premmerce-redirect-manager
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.13
Severity Score:: Medium
CVE:: 2026-32541

Plugin:: VikRestaurants Table Reservations and Take-Away
Plugin Slug:: vikrestaurants
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: High
CVE:: 2026-25025

Plugin:: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.27
Severity Score:: Medium
CVE:: 2026-31914

Plugin:: RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
Plugin Slug:: computer-repair-shop
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1133
Severity Score:: Medium
CVE:: 2026-3567

Plugin:: Taboola Pixel
Plugin Slug:: taboola-pixel
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-32545

Plugin:: Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting
Plugin Slug:: webd-woocommerce-advanced-reporting-statistics
Installations: 400+
Vulnerability:: SQL Injection
Patched in Version:: 4.1.4
Severity Score:: Critical
CVE:: 2026-24993

Plugin:: Keep Backup Daily
Plugin Slug:: keep-backup-daily
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.3
Severity Score:: Medium
CVE:: 2026-3577

Plugin:: Keep Backup Daily
Plugin Slug:: keep-backup-daily
Installations: 300+
Vulnerability:: Path Traversal
Patched in Version:: 2.1.3
Severity Score:: Low
CVE:: 2026-3339

Plugin:: CM Custom Reports – Flexible reporting to track what matters most
Plugin Slug:: cm-custom-reports
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2026-2432

Plugin:: Helpdesk Support Ticket System for WooCommerce
Plugin Slug:: support-ticket-system-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-23977

Plugin:: ilGhera Carta Docente for WooCommerce
Plugin Slug:: wc-carta-docente
Installations: 200+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2026-2421

Plugin:: Image Slider by Ays- Responsive Slider and Carousel
Plugin Slug:: ays-slider
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.2
Severity Score:: High
CVE:: 2026-32494

Plugin:: WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
Plugin Slug:: cf7-insightly
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2026-32527

Plugin:: Contact Manager
Plugin Slug:: contact-manager
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: High
CVE:: 2026-32517

Plugin:: Creator LMS – Online Courses and eLearning Plugin
Plugin Slug:: creatorlms
Installations: 100+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.19
Severity Score:: High
CVE:: 2026-32530

Plugin:: FAQ Builder AYS
Plugin Slug:: faq-builder-ays
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.3
Severity Score:: High
CVE:: 2026-25346

Plugin:: LearnPress – Sepay Payment
Plugin Slug:: learnpress-sepay-payment
Installations: 100+
Vulnerability:: Broken Authentication
Patched in Version:: 4.0.1
Severity Score:: High
CVE:: 2026-25002

Plugin:: Petitioner
Plugin Slug:: petitioner
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 0.7.4
Severity Score:: Medium
CVE:: 2026-32514

Plugin:: Product File Upload for WooCommerce
Plugin Slug:: products-file-upload-for-woocommerce
Installations: 100+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2026-25328

Plugin:: RewardsWP – Loyalty Points & Referral Program for WooCommerce
Plugin Slug:: rewardswp
Installations: 100+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.5
Severity Score:: Critical
CVE:: 2026-32520

Plugin:: Add Custom Fields to Media
Plugin Slug:: add-custom-fields-to-media
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2026-4068

Plugin:: Draft List
Plugin Slug:: simple-draft-list
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.3
Severity Score:: Medium
CVE:: 2026-4006

Plugin:: Filestack WP Upload
Plugin Slug:: filestack-upload
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2024-11462

Plugin:: Activity Log for WordPress
Plugin Slug:: winterlock
Installations: 60+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2026-24987

Plugin:: Instant Popup Builder – Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation
Plugin Slug:: instant-popup-builder
Installations: 30+
Vulnerability:: Content Injection
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2026-3475

Plugin:: Scoreboard for HTML5 Games Lite
Plugin Slug:: scoreboard-for-html5-game-lite
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2026-4083

Plugin:: [CR]Paid Link Manager
Plugin Slug:: crpaid-link-manager
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.6
Severity Score:: High
CVE:: 2026-1780

Plugin:: RockPress
Plugin Slug:: ft-rockpress
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.18
Severity Score:: Medium
CVE:: 2026-3550

Plugin:: WP Cost Estimation & Payment Forms Builder
Plugin Slug:: WP_Estimation_Form
Vulnerability:: Broken Access Control
Patched in Version:: 10.3.0
Severity Score:: High
CVE:: 2026-24363

Plugin:: Addon Jobsearch Chat
Plugin Slug:: addon-jobsearch-chat
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2026-25376

Plugin:: Addon Jobsearch Chat
Plugin Slug:: addon-jobsearch-chat
Vulnerability:: SQL Injection
Patched in Version:: 3.1
Severity Score:: Critical
CVE:: 2026-25377

Plugin:: SUMO Affiliates Pro
Plugin Slug:: affs
Vulnerability:: PHP Object Injection
Patched in Version:: 11.4.0
Severity Score:: Critical
CVE:: 2026-24989

Plugin:: Aimogen Pro
Plugin Slug:: aimogen-pro
Vulnerability:: Privilege Escalation
Patched in Version:: 2.7.6
Severity Score:: Critical
CVE:: 2026-4038

Plugin:: Elated Listing
Plugin Slug:: eltd-listing
Vulnerability:: Broken Access Control
Patched in Version:: 1.5
Severity Score:: Medium
CVE:: 2026-24972

Plugin:: XStore Core
Plugin Slug:: et-core-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.5
Severity Score:: High
CVE:: 2026-25306

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.15.0
Severity Score:: High
CVE:: 2026-32542

Plugin:: Gyan Elements
Plugin Slug:: gyan-elements
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: High
CVE:: 2026-23979

Plugin:: Green Downloads
Plugin Slug:: halfdata-paypal-green-downloads
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.09
Severity Score:: Critical
CVE:: 2026-32536

Plugin:: Ultimate Membership Pro
Plugin Slug:: indeed-membership-pro
Vulnerability:: Broken Authentication
Patched in Version:: 13.7.1
Severity Score:: High
CVE:: 2026-25357

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.2
Severity Score:: High
CVE:: 2026-24979

Plugin:: Jobica Core
Plugin Slug:: jobica-core
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4.2
Severity Score:: High
CVE:: 2026-24978

Plugin:: Lumise Product Designer
Plugin Slug:: lumise
Vulnerability:: SQL Injection
Patched in Version:: 2.0.9
Severity Score:: Critical
CVE:: 2026-25371

Plugin:: Miraculous Core Plugin
Plugin Slug:: miraculouscore
Vulnerability:: SQL Injection
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-32516

Plugin:: Motta Addons
Plugin Slug:: motta-addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2026-25033

Plugin:: NaturaLife Extensions
Plugin Slug:: naturalife-extensions
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-25018

Plugin:: NaturaLife Extensions
Plugin Slug:: naturalife-extensions
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-25017

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: SQL Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24977

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: PHP Object Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24976

Plugin:: Organici Library
Plugin Slug:: noo-organici-library
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-24975

Plugin:: Visionary Core
Plugin Slug:: noo-visionary-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2026-24980

Plugin:: Visionary Core
Plugin Slug:: noo-visionary-core
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2026-24981

Plugin:: Phox Hosting
Plugin Slug:: phox-host
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9
Severity Score:: High
CVE:: 2026-25013

Plugin:: Salon Booking System Pro
Plugin Slug:: salon-booking-plugin-pro
Vulnerability:: Broken Authentication
Patched in Version:: 10.30.12
Severity Score:: High
CVE:: 2026-25334

Plugin:: tagDiv Opt-In Builder
Plugin Slug:: td-subscription
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.4
Severity Score:: High
CVE:: 2025-53222

Plugin:: The Grid
Plugin Slug:: the-grid
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.0
Severity Score:: High
CVE:: 2026-24369

Plugin:: The Grid
Plugin Slug:: the-grid
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.0
Severity Score:: Medium
CVE:: 2026-24370

Plugin:: UpSolution Core
Plugin Slug:: us-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.42
Severity Score:: High
CVE:: 2026-24983

Plugin:: WooCommerce Support Ticket System
Plugin Slug:: woocommerce-support-ticket-system
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 18.5
Severity Score:: High
CVE:: 2026-32522

Plugin:: WP Configurator Pro
Plugin Slug:: wp-configurator-pro
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.0
Severity Score:: High
CVE:: 2026-32501

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.2
Severity Score:: High
CVE:: 2026-32493

WordPress Themes — 49 Patched / 7 Unpatched

Theme:: Apicona
Theme Slug:: apicona
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25400

Theme:: Jannah
Theme Slug:: jannah
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25464

Theme:: Kentha
Theme Slug:: kentha
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25442

Theme:: Mixtape
Theme Slug:: mixtape
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25457

Theme:: Moments
Theme Slug:: moments
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25458

Theme:: Photography
Theme Slug:: photography
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-27043

Theme:: The League
Theme Slug:: the-league
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-25454

Theme:: Education Zone
Theme Slug:: education-zone
Downloads: 483,880
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.9
Severity Score:: Medium
CVE:: 2026-25009

Theme:: Ona
Theme Slug:: ona
Downloads: 243,101
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.24
Severity Score:: Critical
CVE:: 2026-32482

Theme:: Archicon
Theme Slug:: archicon
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2026-32506

Theme:: Borgholm
Theme Slug:: borgholm-marketing-agency-theme
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: Critical
CVE:: 2026-32502

Theme:: Car Dealer
Theme Slug:: cardealer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.8
Severity Score:: High
CVE:: 2026-24391

Theme:: Feedy
Theme Slug:: feedy
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-25380

Theme:: Gaea
Theme Slug:: gaea
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8
Severity Score:: High
CVE:: 2026-32518

Theme:: Goldish
Theme Slug:: goldish
Vulnerability:: PHP Object Injection
Patched in Version:: 3.47
Severity Score:: Critical
CVE:: 2026-25030

Theme:: Golo
Theme Slug:: golo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.5
Severity Score:: High
CVE:: 2026-23973

Theme:: Gracey
Theme Slug:: gracey
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2026-32509

Theme:: Halstein
Theme Slug:: halstein
Vulnerability:: PHP Object Injection
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2026-32508

Theme:: IdealAuto
Theme Slug:: idealauto
Vulnerability:: Local File Inclusion
Patched in Version:: 3.8.6
Severity Score:: High
CVE:: 2026-25382

Theme:: Jaroti
Theme Slug:: jaroti
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.8
Severity Score:: High
CVE:: 2026-25304

Theme:: Kamperen
Theme Slug:: kamperen
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2026-32510

Theme:: Kiddy
Theme Slug:: kiddy
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.9
Severity Score:: High
CVE:: 2026-32505

Theme:: KIDZ
Theme Slug:: kidz
Vulnerability:: PHP Object Injection
Patched in Version:: 5.25
Severity Score:: Critical
CVE:: 2026-25029

Theme:: Kunco
Theme Slug:: kunco
Vulnerability:: Local File Inclusion
Patched in Version:: 1.4.5
Severity Score:: High
CVE:: 2026-32531

Theme:: Boutique
Theme Slug:: kute-boutique
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.6
Severity Score:: High
CVE:: 2026-25342

Theme:: Leroux
Theme Slug:: leroux
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2026-32507

Theme:: Loobek
Theme Slug:: loobek
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.2
Severity Score:: High
CVE:: 2026-25349

Theme:: LoveDate
Theme Slug:: lovedate
Vulnerability:: Local File Inclusion
Patched in Version:: 3.8.6
Severity Score:: High
CVE:: 2026-25381

Theme:: Meloo
Theme Slug:: meloo
Vulnerability:: PHP Object Injection
Patched in Version:: 2.8.2
Severity Score:: High
CVE:: 2026-25358

Theme:: MetaMax
Theme Slug:: metamax
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-32500

Theme:: Miraculous
Theme Slug:: miraculous
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-32515

Theme:: Miti
Theme Slug:: miti
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: High
CVE:: 2026-25350

Theme:: Molla
Theme Slug:: molla
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.19
Severity Score:: High
CVE:: 2026-32529

Theme:: MyDecor
Theme Slug:: mydecor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.9
Severity Score:: High
CVE:: 2026-25352

Theme:: MyMedi
Theme Slug:: mymedi
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.7
Severity Score:: High
CVE:: 2026-25351

Theme:: CitiLights
Theme Slug:: noo-citilights
Vulnerability:: PHP Object Injection
Patched in Version:: 3.7.2
Severity Score:: High
CVE:: 2026-24974

Theme:: CitiLights
Theme Slug:: noo-citilights
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.2
Severity Score:: High
CVE:: 2026-24973

Theme:: Jobmonster
Theme Slug:: noo-jobmonster
Vulnerability:: SQL Injection
Patched in Version:: 4.8.4
Severity Score:: Critical
CVE:: 2026-25340

Theme:: Nooni
Theme Slug:: nooni
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.1
Severity Score:: High
CVE:: 2026-25353

Theme:: Pelicula
Theme Slug:: pelicula-video-production-and-movie-theme
Vulnerability:: PHP Object Injection
Patched in Version:: 1.10
Severity Score:: Critical
CVE:: 2026-32512

Theme:: Pendulum
Theme Slug:: pendulum
Vulnerability:: PHP Object Injection
Patched in Version:: 3.1.5
Severity Score:: High
CVE:: 2026-25359

Theme:: Reebox
Theme Slug:: reebox
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.8
Severity Score:: High
CVE:: 2026-25354

Theme:: Ricky
Theme Slug:: ricky
Vulnerability:: PHP Object Injection
Patched in Version:: 2.31
Severity Score:: Critical
CVE:: 2026-25032

Theme:: Riode
Theme Slug:: riode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.29
Severity Score:: High
CVE:: 2026-32528

Theme:: Sanzo
Theme Slug:: sanzo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.3
Severity Score:: Medium
CVE:: 2026-25355

Theme:: Scape
Theme Slug:: scape
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.5.16
Severity Score:: High
CVE:: 2026-31913

Theme:: Stål
Theme Slug:: stal
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2026-32511

Theme:: StreamVid
Theme Slug:: streamvid
Vulnerability:: Local File Inclusion
Patched in Version:: 6.8.6
Severity Score:: High
CVE:: 2026-25379

Theme:: Tasty Daily
Theme Slug:: tastydaily
Vulnerability:: PHP Object Injection
Patched in Version:: 1.27
Severity Score:: Critical
CVE:: 2026-25031

Theme:: Traveler
Theme Slug:: traveler
Vulnerability:: PHP Object Injection
Patched in Version:: 3.2.8.1
Severity Score:: Critical
CVE:: 2026-25449

Theme:: Trendustry
Theme Slug:: trendustry
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-32503

Theme:: Vayvo
Theme Slug:: vayvo-progression
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.8
Severity Score:: High
CVE:: 2026-25373

Theme:: Vex
Theme Slug:: vex
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2.9
Severity Score:: High
CVE:: 2026-25360

Theme:: VintWood
Theme Slug:: vintwood
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.9
Severity Score:: High
CVE:: 2026-32504

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: PHP Object Injection
Patched in Version:: 8.3.9
Severity Score:: High
CVE:: 2026-23971

Theme:: Yobazar
Theme Slug:: yobazar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.7
Severity Score:: High
CVE:: 2026-25356

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 162 Patched / 113 Unpatched