WordPress Vulnerability Report — April 15, 2026

Since last week, 185 new vulnerabilities have emerged in the WordPress ecosystem, including 161 plugins and 24 themes. Of those, 16 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Apr 15, 2026

Filed Under:WordPress Vulnerability Report

Reading Time:34 min.

In this report, 185 vulnerabilities have been publicly disclosed. Security patches for 169 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 16 plugin vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 145 Patched / 16 Unpatched

2.1 AM LottiePlayer
2.2 Attendance Manager
2.3 Columns by BestWebSoft
2.4 DSGVO Google Web Fonts GDPR
2.5 Gerador de Certificados – DevApps
2.6 Inquiry form to posts or pages
2.7 Pinterest Site Verification plugin using Meta Tag
2.8 pz-frontend-manager
2.9 Quran Translations
2.10 Riaxe Product Customizer
2.11 Sports Club Management
2.12 Wavr
2.13 Whole Enquiry Cart for WooCommerce
2.14 IDPay Payment Gateway for Woocommerce
2.15 WowPress
2.16 WP Blockade
2.17 Elementor Website Builder – more than just a page builder
2.18 ManageWP Worker
2.19 WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
2.20 Smart Slider 3
2.21 Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
2.22 Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
2.23 BackWPup – WordPress Backup & Restore Plugin
2.24 Meta Box
2.25 Ocean Extra
2.26 YITH WooCommerce Wishlist
2.27 Page Builder: Pagelayer – Drag and Drop website builder
2.28 Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails
2.29 MW WP Form
2.30 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.31 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.32 Post Duplicator
2.33 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
2.34 Aruba HiSpeed Cache
2.35 Element Pack – Widgets, Templates & Addons for Elementor
2.36 Prime Slider – Addons for Elementor
2.37 Beaver Builder Page Builder – Drag and Drop Website Builder
2.38 Download Manager
2.39 Download Manager
2.40 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
2.41 LatePoint – Calendar Booking Plugin for Appointments and Events
2.42 MainWP Child Reports
2.43 The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
2.44 Tutor LMS – eLearning and online course solution
2.45 Tutor LMS – eLearning and online course solution
2.46 Tutor LMS – eLearning and online course solution
2.47 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.48 Booking for Appointments and Events Calendar – Amelia
2.49 BackupBliss – Backup & Migration with Free Cloud Storage
2.50 BackupBliss – Backup & Migration with Free Cloud Storage
2.51 Download Monitor
2.52 Strong Testimonials
2.53 ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
2.54 Hustle – Email Marketing, Lead Generation, Optins, Popups
2.55 Customer Reviews for WooCommerce
2.56 Jupiter X Core
2.57 LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
2.58 List category posts
2.59 Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce
2.60 Advanced Contact form 7 DB
2.61 Advanced Contact form 7 DB
2.62 Online Scheduling and Appointment Booking System – Bookly
2.63 Greenshift – animation and page builder blocks
2.64 Media Library Assistant
2.65 Media Library Assistant
2.66 Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels
2.67 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
2.68 User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2.69 User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2.70 Product Filter for WooCommerce by WBW
2.71 WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
2.72 Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
2.73 Blog2Social: Social Media Auto Post & Scheduler
2.74 Robo Gallery – Photo & Image Slider
2.75 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
2.76 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
2.77 LightPress Lightbox
2.78 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.79 Link Whisper Free
2.80 PowerPress Podcasting plugin by Blubrry
2.81 Ultimate FAQ Accordion Plugin
2.82 Visitor Traffic Real Time Statistics
2.83 AddFunc Head & Footer Code
2.84 Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
2.85 Simple Social Media Share Buttons – Social Sharing for Everyone
2.86 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.87 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.88 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.89 WP Visitor Statistics (Real Time Traffic)
2.90 wpForo Forum
2.91 wpForo Forum
2.92 BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
2.93 Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
2.94 Easy Appointments
2.95 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.96 LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
2.97 OSM – OpenStreetMap
2.98 Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
2.99 Widgets for Social Photo Feed
2.100 Under Construction, Coming Soon & Maintenance Mode
2.101 Product Table and List Builder for WooCommerce Lite
2.102 Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
2.103 WP Photo Album Plus
2.104 YML for Yandex Market
2.105 WCAPF – Ajax Product Filter for WooCommerce
2.106 Awesome Support – WordPress HelpDesk & Support Plugin
2.107 ActivityPub
2.108 GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content
2.109 WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
2.110 Booking Activities
2.111 Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
2.112 Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
2.113 AWP Classifieds
2.114 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
2.115 MStore API – Create Native Android & iOS Apps On The Cloud
2.116 SpeakOut! Email Petitions
2.117 WP Directory Kit
2.118 WP Directory Kit
2.119 Extensions for Leaflet Map
2.120 Timetics – Appointment Booking & Scheduling
2.121 Event Tickets Manager for WooCommerce
2.122 iControlWP
2.123 SQL Chart Builder
2.124 Webling
2.125 Datalogics Ecommerce Delivery – Datalogics
2.126 Post Blocks & Tools
2.127 TableOn – WordPress Posts Table Filterable
2.128 WP BASE Booking of Appointments, Services and Events
2.129 Text to Speech – TTSWP
2.130 LTL Freight Quotes – Worldwide Express Edition
2.131 Ziggeo
2.132 BuddyPress Groupblog
2.133 WP-BusinessDirectory – Business directory plugin for WordPress
2.134 Advanced Members for ACF
2.135 PrivateContent Free
2.136 ProSolution WP Client
2.137 Experto Dashboard for WooCommerce
2.138 Investi
2.139 LTL Freight Quotes – R+L Carriers Edition
2.140 Magic Conversation For Gravity Forms
2.141 Surbma | Booking.com Shortcode
2.142 WholeSale Products Dynamic Pricing Management WooCommerce
2.143 WPAMS
2.144 Blocksy Companion Pro
2.145 Bricksforge
2.146 Gravity Forms
2.147 Gravity Forms
2.148 Gravity SMTP
2.149 Integrio Core
2.150 Listeo Core
2.151 Mikado Core
2.152 Smart Slider 3 PRO
2.153 Ninja Forms File Uploads Extension
2.154 pdfl.io
2.155 Perfmatters
2.156 Quick Playground
2.157 Softlab Core
2.158 Solene Core
2.159 Thegov Core
2.160 Users manager – PN
2.161 MultiLoca

3. WordPress Themes — 24 Patched / 0 Unpatched

3.1 Alloggio – Hotel Booking
3.2 Aperitif
3.3 Aperitif
3.4 Askka
3.5 Blueprint
3.6 Fidalgo
3.7 Getaway
3.8 Hiroshi
3.9 Konsept
3.10 Malmö
3.11 Micdrop
3.12 Mildhill
3.13 Mr. SEO
3.14 NeoBeat
3.15 Playroom
3.16 Santé
3.17 SingleMalt
3.18 Solene
3.19 Töbel
3.20 Uppercase
3.21 Valiance
3.22 WaveRide
3.23 Hitek
3.24 Zermatt

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress 7.0 Release Candidate 2 (RC2) is now ready for testing via the Beta Tester plugin, direct download, WP-CLI, or WordPress Playground. As a pre-release version, it should only be evaluated in staging or local environments.

WordPress Plugins — 145 Patched / 16 Unpatched

Plugin:: AM LottiePlayer
Plugin Slug:: am-lottieplayer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1794

Plugin:: Attendance Manager
Plugin Slug:: attendance-manager
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3781

Plugin:: Columns by BestWebSoft
Plugin Slug:: columns-bws
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3618

Plugin:: DSGVO Google Web Fonts GDPR
Plugin Slug:: dsgvo-google-web-fonts-gdpr
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3535

Plugin:: Gerador de Certificados – DevApps
Plugin Slug:: gerador-de-certificados-devapps
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4808

Plugin:: Inquiry form to posts or pages
Plugin Slug:: inquiry-form-to-posts-or-pages
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5169

Plugin:: Pinterest Site Verification plugin using Meta Tag
Plugin Slug:: pinterest-site-verification
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3142

Plugin:: pz-frontend-manager
Plugin Slug:: pz-frontend-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3477

Plugin:: Quran Translations
Plugin Slug:: quran-translations-by-edc
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4141

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3594

Plugin:: Sports Club Management
Plugin Slug:: sports-club-management
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4871

Plugin:: Wavr
Plugin Slug:: wavr
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5506

Plugin:: Whole Enquiry Cart for WooCommerce
Plugin Slug:: whole-cart-enquiry
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2838

Plugin:: IDPay Payment Gateway for Woocommerce
Plugin Slug:: woo-idpay-gateway
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-34891

Plugin:: WowPress
Plugin Slug:: wowpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5508

Plugin:: WP Blockade
Plugin Slug:: wp-blockade
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3480

Plugin:: Elementor Website Builder – more than just a page builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.35.6
Severity Score:: Medium
CVE:: 2025-14732

Plugin:: ManageWP Worker
Plugin Slug:: worker
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.32
Severity Score:: High
CVE:: 2026-39463

Plugin:: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Plugin Slug:: wp-optimize
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.5.1
Severity Score:: Medium
CVE:: 2026-2712

Plugin:: Smart Slider 3
Plugin Slug:: smart-slider-3
Installations: 800,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.1.34
Severity Score:: Medium
CVE:: 2026-4065

Plugin:: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.4
Severity Score:: High
CVE:: 2026-2826

Plugin:: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.4
Severity Score:: Medium
CVE:: 2026-2826

Plugin:: BackWPup – WordPress Backup & Restore Plugin
Plugin Slug:: backwpup
Installations: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.6.7
Severity Score:: High
CVE:: 2026-6227

Plugin:: Meta Box
Plugin Slug:: meta-box
Installations: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.11.2
Severity Score:: Medium
CVE:: 2026-39468

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.4
Severity Score:: Medium
CVE:: 2026-34903

Plugin:: YITH WooCommerce Wishlist
Plugin Slug:: yith-woocommerce-wishlist
Installations: 500,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.13.0
Severity Score:: Medium
CVE:: 2026-4432

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9
Severity Score:: Medium
CVE:: 2026-2509

Plugin:: Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails
Plugin Slug:: woo-cart-abandonment-recovery
Installations: 300,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.1.0
Severity Score:: High
CVE:: 2026-39470

Plugin:: MW WP Form
Plugin Slug:: mw-wp-form
Installations: 200,000+
Vulnerability:: Directory Traversal
Patched in Version:: 5.1.2
Severity Score:: High
CVE:: 2026-5436

Plugin:: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.3
Severity Score:: High
CVE:: 2026-5217

Plugin:: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.4
Severity Score:: High
CVE:: 2026-5226

Plugin:: Post Duplicator
Plugin Slug:: post-duplicator
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.11
Severity Score:: High
CVE:: 2026-39474

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.2
Severity Score:: Medium
CVE:: 2025-15064

Plugin:: Aruba HiSpeed Cache
Plugin Slug:: aruba-hispeed-cache
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0.5
Severity Score:: Medium
CVE:: 2026-1924

Plugin:: Element Pack – Widgets, Templates & Addons for Elementor
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5.0
Severity Score:: Medium
CVE:: 2026-4655

Plugin:: Prime Slider – Addons for Elementor
Plugin Slug:: bdthemes-prime-slider-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.11
Severity Score:: Medium
CVE:: 2026-4341

Plugin:: Beaver Builder Page Builder – Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.1.2
Severity Score:: Medium
CVE:: 2026-2481

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.52
Severity Score:: Medium
CVE:: 2026-4057

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.53
Severity Score:: Medium
CVE:: 2026-5357

Plugin:: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.4.4
Severity Score:: Critical
CVE:: 2026-3296

Plugin:: LatePoint – Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.1
Severity Score:: Medium
CVE:: 2026-4785

Plugin:: MainWP Child Reports
Plugin Slug:: mainwp-child-reports
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3
Severity Score:: Medium
CVE:: 2026-4299

Plugin:: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.10
Severity Score:: Medium
CVE:: 2026-3311

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-3371

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-3358

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: High
CVE:: 2026-3360

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Content Injection
Patched in Version:: 4.16.12
Severity Score:: Medium
CVE:: 2026-3309

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-5465

Plugin:: BackupBliss – Backup & Migration with Free Cloud Storage
Plugin Slug:: backup-backup
Installations: 90,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-39480

Plugin:: BackupBliss – Backup & Migration with Free Cloud Storage
Plugin Slug:: backup-backup
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2025-14944

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.1.11
Severity Score:: Medium
CVE:: 2026-4401

Plugin:: Strong Testimonials
Plugin Slug:: strong-testimonials
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.22
Severity Score:: Medium
CVE:: 2026-3239

Plugin:: ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
Plugin Slug:: woolentor-addons
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.6
Severity Score:: Medium
CVE:: 2026-4059

Plugin:: Hustle – Email Marketing, Lead Generation, Optins, Popups
Plugin Slug:: wordpress-popup
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.8.11
Severity Score:: Medium
CVE:: 2026-2263

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Broken Authentication
Patched in Version:: 5.104.0
Severity Score:: Medium
CVE:: 2026-4664

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.14.2
Severity Score:: Medium
CVE:: 2026-39491

Plugin:: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.4
Severity Score:: Medium
CVE:: 2026-4333

Plugin:: List category posts
Plugin Slug:: list-category-posts
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.95.0
Severity Score:: Medium
CVE:: 2026-3005

Plugin:: Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce
Plugin Slug:: woo-product-feed-pro
Installations: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 13.5.2.2
Severity Score:: High
CVE:: 2026-3499

Plugin:: Advanced Contact form 7 DB
Plugin Slug:: advanced-cf7-db
Installations: 70,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2026-0811

Plugin:: Advanced Contact form 7 DB
Plugin Slug:: advanced-cf7-db
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2026-0814

Plugin:: Online Scheduling and Appointment Booking System – Bookly
Plugin Slug:: bookly-responsive-appointment-booking-tool
Installations: 70,000+
Vulnerability:: Content Injection
Patched in Version:: 27.1
Severity Score:: Medium
CVE:: 2026-2519

Plugin:: Greenshift – animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.9.0
Severity Score:: Medium
CVE:: 2026-4895

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.35
Severity Score:: Medium
CVE:: 2026-34897

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.35
Severity Score:: High
CVE:: 2026-34885

Plugin:: Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels
Plugin Slug:: webappick-product-feed-for-woocommerce
Installations: 70,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.6.27
Severity Score:: High
CVE:: 2026-39434

Plugin:: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.9.29
Severity Score:: Critical
CVE:: 2026-39493

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Open Redirection
Patched in Version:: 5.1.5
Severity Score:: Medium
CVE:: 2026-6203

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.1.3
Severity Score:: High
CVE:: 2026-1865

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-39494

Plugin:: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.2
Severity Score:: Critical
CVE:: 2026-39492

Plugin:: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Plugin Slug:: ays-popup-box
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.0
Severity Score:: High
CVE:: 2025-15611

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Authentication
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2026-4330

Plugin:: Robo Gallery – Photo & Image Slider
Plugin Slug:: robo-gallery
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.4
Severity Score:: Medium
CVE:: 2026-4300

Plugin:: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug:: woo-bulk-editor
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2026-1673

Plugin:: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug:: woo-bulk-editor
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2026-1672

Plugin:: LightPress Lightbox
Plugin Slug:: wp-jquery-lightbox
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.5
Severity Score:: Medium
CVE:: 2026-4379

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.39
Severity Score:: Critical
CVE:: 2026-39502

Plugin:: Link Whisper Free
Plugin Slug:: link-whisper
Installations: 30,000+
Vulnerability:: Settings Change
Patched in Version:: 0.9.1
Severity Score:: Medium
CVE:: 2026-1900

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.15.16
Severity Score:: Medium
CVE:: 2026-2988

Plugin:: Ultimate FAQ Accordion Plugin
Plugin Slug:: ultimate-faqs
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.8
Severity Score:: Medium
CVE:: 2026-4336

Plugin:: Visitor Traffic Real Time Statistics
Plugin Slug:: visitors-traffic-real-time-statistics
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5
Severity Score:: High
CVE:: 2026-2936

Plugin:: AddFunc Head & Footer Code
Plugin Slug:: addfunc-head-footer-code
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4
Severity Score:: Medium
CVE:: 2026-2305

Plugin:: Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
Plugin Slug:: post-carousel
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.13
Severity Score:: High
CVE:: 2026-3017

Plugin:: Simple Social Media Share Buttons – Social Sharing for Everyone
Plugin Slug:: simple-social-buttons
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.2.1
Severity Score:: High
CVE:: 2026-34904

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2026-4979

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2026-4977

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.61
Severity Score:: Medium
CVE:: 2026-5742

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5
Severity Score:: Medium
CVE:: 2026-4303

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.0.3
Severity Score:: High
CVE:: 2026-5809

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.4.17
Severity Score:: High
CVE:: 2026-3666

Plugin:: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Plugin Slug:: blockart-blocks
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2026-3498

Plugin:: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.10
Severity Score:: Medium
CVE:: 2026-3177

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-39513

Plugin:: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.154
Severity Score:: Critical
CVE:: 2026-39512

Plugin:: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Plugin Slug:: lifterlms
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.2.2
Severity Score:: Medium
CVE:: 2026-5207

Plugin:: OSM – OpenStreetMap
Plugin Slug:: osm
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.16
Severity Score:: Medium
CVE:: 2026-4429

Plugin:: Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
Plugin Slug:: royal-backup-reset
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.17
Severity Score:: High
CVE:: 2026-4305

Plugin:: Widgets for Social Photo Feed
Plugin Slug:: social-photo-feed-widget
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.0
Severity Score:: High
CVE:: 2026-5425

Plugin:: Under Construction, Coming Soon & Maintenance Mode
Plugin Slug:: under-construction-maintenance-mode
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-34896

Plugin:: Product Table and List Builder for WooCommerce Lite
Plugin Slug:: wc-product-table-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.4
Severity Score:: High
CVE:: 2026-34902

Plugin:: Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.9
Severity Score:: Medium
CVE:: 2026-4109

Plugin:: WP Photo Album Plus
Plugin Slug:: wp-photo-album-plus
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.08.002
Severity Score:: Critical
CVE:: 2026-39511

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.0.26
Severity Score:: High
CVE:: 2025-14545

Plugin:: WCAPF – Ajax Product Filter for WooCommerce
Plugin Slug:: wc-ajax-product-filter
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.3.0
Severity Score:: Critical
CVE:: 2026-3396

Plugin:: Awesome Support – WordPress HelpDesk & Support Plugin
Plugin Slug:: awesome-support
Installations: 7,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.3.8
Severity Score:: Medium
CVE:: 2026-4654

Plugin:: ActivityPub
Plugin Slug:: activitypub
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.0.2
Severity Score:: High
CVE:: 2026-4338

Plugin:: GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content
Plugin Slug:: geeky-bot
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.1
Severity Score:: Critical
CVE:: 2026-39519

Plugin:: WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
Plugin Slug:: wpfunnels
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.0
Severity Score:: Medium
CVE:: 2026-0626

Plugin:: Booking Activities
Plugin Slug:: booking-activities
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.17.0
Severity Score:: Medium
CVE:: 2026-39525

Plugin:: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.6
Severity Score:: High
CVE:: 2026-39524

Plugin:: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2026-5167

Plugin:: AWP Classifieds
Plugin Slug:: another-wordpress-classifieds-plugin
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.5
Severity Score:: High
CVE:: 2026-39533

Plugin:: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
Plugin Slug:: majestic-support
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2026-40778

Plugin:: MStore API – Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 3,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.18.4
Severity Score:: Medium
CVE:: 2026-3568

Plugin:: SpeakOut! Email Petitions
Plugin Slug:: speakout
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.6.5.1
Severity Score:: Critical
CVE:: 2026-39530

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.1
Severity Score:: Critical
CVE:: 2026-39531

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.1
Severity Score:: High
CVE:: 2026-39534

Plugin:: Extensions for Leaflet Map
Plugin Slug:: extensions-leaflet-map
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15
Severity Score:: Medium
CVE:: 2026-5451

Plugin:: Timetics – Appointment Booking & Scheduling
Plugin Slug:: timetics
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.54
Severity Score:: High
CVE:: 2026-39432

Plugin:: Event Tickets Manager for WooCommerce
Plugin Slug:: event-tickets-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: High
CVE:: 2026-34898

Plugin:: iControlWP
Plugin Slug:: worpit-admin-dashboard-plugin
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 5.5.4
Severity Score:: Critical
CVE:: 2026-34901

Plugin:: SQL Chart Builder
Plugin Slug:: sql-chart-builder
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 2.3.8
Severity Score:: Critical
CVE:: 2026-4079

Plugin:: Webling
Plugin Slug:: webling
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.1
Severity Score:: Medium
CVE:: 2026-1263

Plugin:: Datalogics Ecommerce Delivery – Datalogics
Plugin Slug:: datalogics
Installations: 400+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.6.63
Severity Score:: Critical
CVE:: 2026-39583

Plugin:: Post Blocks & Tools
Plugin Slug:: bnm-blocks
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: Medium
CVE:: 2026-5711

Plugin:: TableOn – WordPress Posts Table Filterable
Plugin Slug:: posts-table-filterable
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.5
Severity Score:: Medium
CVE:: 2026-3513

Plugin:: WP BASE Booking of Appointments, Services and Events
Plugin Slug:: wp-base-booking-of-appointments-services-and-events
Installations: 200+
Vulnerability:: Privilege Escalation
Patched in Version:: 6.0.0
Severity Score:: High
CVE:: 2026-39587

Plugin:: Text to Speech – TTSWP
Plugin Slug:: text-to-speech-tts
Installations: 100+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.9.9
Severity Score:: High
CVE:: 2026-1233

Plugin:: LTL Freight Quotes – Worldwide Express Edition
Plugin Slug:: ltl-freight-quotes-worldwide-express-edition
Installations: 90+
Vulnerability:: Broken Access Control
Patched in Version:: 5.2.2
Severity Score:: Medium
CVE:: 2026-34899

Plugin:: Ziggeo
Plugin Slug:: ziggeo
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.2
Severity Score:: Medium
CVE:: 2026-4124

Plugin:: BuddyPress Groupblog
Plugin Slug:: bp-groupblog
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.9.4
Severity Score:: High
CVE:: 2026-5144

Plugin:: WP-BusinessDirectory – Business directory plugin for WordPress
Plugin Slug:: wp-businessdirectory
Installations: 40+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.0.1
Severity Score:: Critical
CVE:: 2026-39591

Plugin:: Advanced Members for ACF
Plugin Slug:: advanced-members
Installations: 30+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.2.6
Severity Score:: High
CVE:: 2026-3243

Plugin:: PrivateContent Free
Plugin Slug:: privatecontent-free
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4025

Plugin:: ProSolution WP Client
Plugin Slug:: prosolution-wp-client
Installations: 20+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.0
Severity Score:: Critical
CVE:: 2026-2942

Plugin:: Experto Dashboard for WooCommerce
Plugin Slug:: experto-custom-dashboard
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.5
Severity Score:: Medium
CVE:: 2026-3574

Plugin:: Investi
Plugin Slug:: investi
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.27
Severity Score:: Medium
CVE:: 2026-3600

Plugin:: LTL Freight Quotes – R+L Carriers Edition
Plugin Slug:: ltl-freight-quotes-rl-edition
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.14
Severity Score:: Medium
CVE:: 2026-3646

Plugin:: Magic Conversation For Gravity Forms
Plugin Slug:: magic-conversation-for-gravity-forms
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.98
Severity Score:: Medium
CVE:: 2026-1396

Plugin:: Surbma | Booking.com Shortcode
Plugin Slug:: surbma-bookingcom-shortcode
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2026-1607

Plugin:: WholeSale Products Dynamic Pricing Management WooCommerce
Plugin Slug:: wholesale-products-dynamic-pricing-management-woocommerce
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4479

Plugin:: WPAMS
Plugin Slug:: apartment-management
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 49.5.3
Severity Score:: Medium
CVE:: 2026-39433

Plugin:: Blocksy Companion Pro
Plugin Slug:: blocksy-companion-pro
Vulnerability:: SQL Injection
Patched in Version:: 2.1.29
Severity Score:: Critical
CVE:: 2026-39596

Plugin:: Bricksforge
Plugin Slug:: bricksforge
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.1.8.5
Severity Score:: High
CVE:: 2026-34888

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.31
Severity Score:: High
CVE:: 2026-4394

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.31
Severity Score:: High
CVE:: 2026-4406

Plugin:: Gravity SMTP
Plugin Slug:: gravitysmtp
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-4162

Plugin:: Integrio Core
Plugin Slug:: integrio-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.8
Severity Score:: High
CVE:: 2026-34894

Plugin:: Listeo Core
Plugin Slug:: listeo-core
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.28
Severity Score:: Medium
CVE:: 2025-14938

Plugin:: Mikado Core
Plugin Slug:: mikado-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.2
Severity Score:: High
CVE:: 2026-39537

Plugin:: Smart Slider 3 PRO
Plugin Slug:: nextend-smart-slider3-pro
Vulnerability:: Backdoor
Patched in Version:: 3.5.1.36
Severity Score:: Critical

Plugin:: Ninja Forms File Uploads Extension
Plugin Slug:: ninja-forms-uploads
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.27
Severity Score:: Critical
CVE:: 2026-0740

Plugin:: pdfl.io
Plugin Slug:: pdfl-io
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2026-4073

Plugin:: Perfmatters
Plugin Slug:: perfmatters
Vulnerability:: Directory Traversal
Patched in Version:: 2.6.0
Severity Score:: High
CVE:: 2026-4351

Plugin:: Quick Playground
Plugin Slug:: quick-playground
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.2
Severity Score:: Critical
CVE:: 2026-1830

Plugin:: Softlab Core
Plugin Slug:: softlab-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.11
Severity Score:: High
CVE:: 2026-34895

Plugin:: Solene Core
Plugin Slug:: solene-core
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3.4
Severity Score:: High
CVE:: 2026-39523

Plugin:: Thegov Core
Plugin Slug:: thegov-core
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.23
Severity Score:: High
CVE:: 2026-34893

Plugin:: Users manager – PN
Plugin Slug:: userspn
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.20
Severity Score:: Critical
CVE:: 2026-4003

Plugin:: MultiLoca
Plugin Slug:: woocommerce-multi-locations-inventory-management
Vulnerability:: Privilege Escalation
Patched in Version:: 4.2.16
Severity Score:: High
CVE:: 2026-39546

WordPress Themes — 24 Patched / 0 Unpatched

Theme:: Alloggio – Hotel Booking
Theme Slug:: alloggio
Vulnerability:: PHP Object Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-39539

Theme:: Aperitif
Theme Slug:: aperitif
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2026-39550

Theme:: Aperitif
Theme Slug:: aperitif
Vulnerability:: Local File Inclusion
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39549

Theme:: Askka
Theme Slug:: askka
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-39555

Theme:: Blueprint
Theme Slug:: blueprint
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-39552

Theme:: Fidalgo
Theme Slug:: fidalgo
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-39554

Theme:: Getaway
Theme Slug:: getaway
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8
Severity Score:: High
CVE:: 2026-39547

Theme:: Hiroshi
Theme Slug:: hiroshi
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39560

Theme:: Konsept
Theme Slug:: konsept
Vulnerability:: PHP Object Injection
Patched in Version:: 2.0
Severity Score:: High
CVE:: 2026-39556

Theme:: Malmö
Theme Slug:: malmo
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3
Severity Score:: High
CVE:: 2026-39558

Theme:: Micdrop
Theme Slug:: micdrop
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-39580

Theme:: Mildhill
Theme Slug:: mildhill
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39573

Theme:: Mr. SEO
Theme Slug:: mrseo
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1
Severity Score:: High
CVE:: 2026-39568

Theme:: NeoBeat
Theme Slug:: neobeat
Vulnerability:: PHP Object Injection
Patched in Version:: 1.8
Severity Score:: High
CVE:: 2026-39557

Theme:: Playroom
Theme Slug:: playroom
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-39577

Theme:: Santé
Theme Slug:: sante
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39567

Theme:: SingleMalt
Theme Slug:: singlemalt
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39576

Theme:: Solene
Theme Slug:: solene
Vulnerability:: Local File Inclusion
Patched in Version:: 3.4.1
Severity Score:: High
CVE:: 2026-39522

Theme:: Töbel
Theme Slug:: tobel
Vulnerability:: PHP Object Injection
Patched in Version:: 1.9
Severity Score:: High
CVE:: 2026-39551

Theme:: Uppercase
Theme Slug:: uppercase
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.2
Severity Score:: High
CVE:: 2026-39559

Theme:: Valiance
Theme Slug:: valiance
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-39578

Theme:: WaveRide
Theme Slug:: waveride
Vulnerability:: Local File Inclusion
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-39553

Theme:: Hitek
Theme Slug:: xts-hitek
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8.3
Severity Score:: High
CVE:: 2026-39582

Theme:: Zermatt
Theme Slug:: zermatt
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: High
CVE:: 2026-39545

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 145 Patched / 16 Unpatched