In this report, 225 vulnerabilities have been publicly disclosed. Security patches for 134 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Currently, 91 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, the Solid Security firewall already protects your site against those vulnerabilities. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor, or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core
WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.
WordPress 7.0 Release Candidate 2 (RC2) is now ready for testing via the Beta Tester plugin, direct download, WP-CLI, or WordPress Playground. As a pre-release version, it should only be evaluated in staging or local environments.
WordPress 7.0 is scheduled for release on April 9, 2026.
WordPress Plugins — 113 Patched / 90 Unpatched
WPCargo Track & Trace
- Plugin:
- WPCargo Track & Trace
- Plugin Slug:
- wpcargo
- Installations
- 10,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-25401
MimeTypes Link Icons
- Plugin:
- MimeTypes Link Icons
- Plugin Slug:
- mimetypes-link-icons
- Installations
- 8,000+
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-1313
Coinbase Commerce – Crypto Gateway for WooCommerce
- Plugin Slug:
- commerce-coinbase-for-woocommerce
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-25396
SurveyJS: Drag & Drop Form Builder
- Plugin Slug:
- surveyjs
- Installations
- 500+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-2440
File Uploader for WooCommerce
- Plugin:
- File Uploader for WooCommerce
- Plugin Slug:
- file-uploader-for-woocommerce
- Installations
- 100+
- Vulnerability:
- Path Traversal
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-25397
Any Post Slider
- Plugin:
- Any Post Slider
- Plugin Slug:
- any-post-slider
- Installations
- 60+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1899
FuseDesk
WPFAQBlock– FAQ & Accordion Plugin For Gutenberg
- Plugin Slug:
- wpfaqblock
- Installations
- 10+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1093
Ad Short
- Plugin:
- Ad Short
- Plugin Slug:
- ad-short
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4067
Add Google Social Profiles to Knowledge Graph Box
- Plugin:
- Add Google Social Profiles to Knowledge Graph Box
- Plugin Slug:
- add-google-social-profiles-to-knowledge-graph-box
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1393
Alfie
- Plugin:
- Alfie
- Plugin Slug:
- alfie-the-productfeedtool-wp-plugin
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-4069
App Builder
- Plugin:
- App Builder
- Plugin Slug:
- app-builder
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2375
Reward Video Ad for WordPress
- Plugin:
- Reward Video Ad for WordPress
- Plugin Slug:
- applixir
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2424
Appmax
- Plugin:
- Appmax
- Plugin Slug:
- appmax
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3641
ARForms Form Builder
- Plugin:
- ARForms Form Builder
- Plugin Slug:
- arforms-form-builder
- Vulnerability:
- Content Injection
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2024-13785
Build App Online
- Plugin:
- Build App Online
- Plugin Slug:
- build-app-online
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3651
Canto
- Plugin:
- Canto
- Plugin Slug:
- canto
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3335
CMS Commander
- Plugin:
- CMS Commander
- Plugin Slug:
- cms-commander-client
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-3334
Comment Genius
- Plugin:
- Comment Genius
- Plugin Slug:
- comment-genius
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-1647
Comment SPAM Wiper
- Plugin:
- Comment SPAM Wiper
- Plugin Slug:
- comment-spam-wiper
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3353
Company Posts for LinkedIn
- Plugin:
- Company Posts for LinkedIn
- Plugin Slug:
- company-posts-for-linkedin
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1935
Content Syndication Toolkit
- Plugin:
- Content Syndication Toolkit
- Plugin Slug:
- content-syndication-toolkit
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-3478
e-shot
- Plugin:
- e-shot
- Plugin Slug:
- e-shot-form-builder
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3546
Easy Image Gallery
- Plugin:
- Easy Image Gallery
- Plugin Slug:
- easy-image-gallery
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4766
Ecover Builder For Dummies
- Plugin:
- Ecover Builder For Dummies
- Plugin Slug:
- ecover-builder-for-dummies
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4077
Ed’s Font Awesome
- Plugin:
- Ed’s Font Awesome
- Plugin Slug:
- eds-font-awesome
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2496
Ed’s Social Share
- Plugin:
- Ed’s Social Share
- Plugin Slug:
- eds-social-share
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2501
ElementCamp
- Plugin:
- ElementCamp
- Plugin Slug:
- element-camp
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-2503
Expire Users
- Plugin:
- Expire Users
- Plugin Slug:
- expire-users
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-4261
Fonts Manager | Custom Fonts
- Plugin:
- Fonts Manager | Custom Fonts
- Plugin Slug:
- fonts-manager-custom-fonts
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
- 2026-1800
fyyd podcast shortcodes
- Plugin:
- fyyd podcast shortcodes
- Plugin Slug:
- fyyd-podcast-shortcodes
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4084
Go Night Pro
- Plugin:
- Go Night Pro
- Plugin Slug:
- go-night-pro
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1886
Hr Press Lite
- Plugin:
- Hr Press Lite
- Plugin Slug:
- hr-press-lite
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2720
Integration with Hubspot Forms
- Plugin:
- Integration with Hubspot Forms
- Plugin Slug:
- integration-with-hubspot-forms
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1908
Invelity Product Feeds
- Plugin:
- Invelity Product Feeds
- Plugin Slug:
- invelity-products-feeds
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2025-14037
itsukaita
- Plugin:
- itsukaita
- Plugin Slug:
- itsukaita
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-2427
iVysilani Shortcode
- Plugin:
- iVysilani Shortcode
- Plugin Slug:
- ivysilani-shortcode
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1851
Linksy Search and Replace
- Plugin:
- Linksy Search and Replace
- Plugin Slug:
- linksy-search-and-replace
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-2941
Lobot Slider Administrator
- Plugin:
- Lobot Slider Administrator
- Plugin Slug:
- lobot-slider-administrator
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3331
login_register
- Plugin:
- login_register
- Plugin Slug:
- login-register
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1503
Mandatory Field
- Plugin:
- Mandatory Field
- Plugin Slug:
- mandatory-fields
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1278
MinhNhut Link Gateway
- Plugin:
- MinhNhut Link Gateway
- Plugin Slug:
- minhnhut-link-gateway
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3333
Multi Functional Flexi Lightbox
- Plugin:
- Multi Functional Flexi Lightbox
- Plugin Slug:
- multi-functional-flexi-lightbox
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3347
Multi Post Carousel by Category
- Plugin:
- Multi Post Carousel by Category
- Plugin Slug:
- multi-post-carousel
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1275
myLinksDump
- Plugin:
- myLinksDump
- Plugin Slug:
- mylinksdump
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-2279
Neos Connector for Fakturama
- Plugin:
- Neos Connector for Fakturama
- Plugin Slug:
- neos-connector-for-fakturama
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4143
Outgrow
- Plugin:
- Outgrow
- Plugin Slug:
- outgrow
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1889
Paypal Shortcodes
- Plugin:
- Paypal Shortcodes
- Plugin Slug:
- paypal-shortcodes
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3617
PQ Addons – Creative Elementor Widgets
- Plugin:
- PQ Addons – Creative Elementor Widgets
- Plugin Slug:
- peacefulqode-elementzplus-widgets
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1397
Performance Monitor
- Plugin:
- Performance Monitor
- Plugin Slug:
- performance-monitor
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-1648
Post Flagger
- Plugin:
- Post Flagger
- Plugin Slug:
- post-flagger
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1854
Post Snippits
- Plugin:
- Post Snippits
- Plugin Slug:
- post-snippits
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2723
Post Affiliate Pro
- Plugin:
- Post Affiliate Pro
- Plugin Slug:
- postaffiliatepro
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2290
Pre* Party Resource Hints
- Plugin:
- Pre* Party Resource Hints
- Plugin Slug:
- pre-party-browser-hints
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-4087
Punnel – Landing Page Builder
- Plugin:
- Punnel – Landing Page Builder
- Plugin Slug:
- punnel-landing-page-builder
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3645
Quentn WP
- Plugin:
- Quentn WP
- Plugin Slug:
- quentn-wp
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
- 2026-2468
Redirect countdown
- Plugin:
- Redirect countdown
- Plugin Slug:
- redirect-countdown
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1390
REST API TO MiniProgram
- Plugin:
- REST API TO MiniProgram
- Plugin Slug:
- rest-api-to-miniprogram
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3460
Review Map by RevuKangaroo
- Plugin:
- Review Map by RevuKangaroo
- Plugin Slug:
- review-map-by-revukangaroo
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4161
rexCrawler
- Plugin:
- rexCrawler
- Plugin Slug:
- rexcrawler
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-2277
Ricerca – advanced search
- Plugin:
- Ricerca – advanced search
- Plugin Slug:
- ricerca-smart-search
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2837
Schema Shortcode
- Plugin:
- Schema Shortcode
- Plugin Slug:
- schema-shortcode
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1575
Sheets2Table
- Plugin:
- Sheets2Table
- Plugin Slug:
- sheets2table
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3619
Sherk Custom Post Type Displays
- Plugin:
- Sherk Custom Post Type Displays
- Plugin Slug:
- sherk-custom-post-type-displays
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3554
Weaver Show Posts
- Plugin:
- Weaver Show Posts
- Plugin Slug:
- show-posts
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2121
Show Posts list
- Plugin:
- Show Posts list
- Plugin Slug:
- show-posts-shortcodes
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4022
Simple Football Scoreboard
- Plugin:
- Simple Football Scoreboard
- Plugin Slug:
- simple-football-score-board
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1891
Smarter Analytics
- Plugin:
- Smarter Analytics
- Plugin Slug:
- smarter-analytics
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3570
Speedup Optimization
- Plugin:
- Speedup Optimization
- Plugin Slug:
- speedup-optimization
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4127
SR WP Minify HTML
- Plugin:
- SR WP Minify HTML
- Plugin Slug:
- sr-wp-minify-html
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1392
Survey
- Plugin:
- Survey
- Plugin Slug:
- survey
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1247
Task Manager
- Plugin:
- Task Manager
- Plugin Slug:
- task-manager
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-2351
Task Manager
- Plugin:
- Task Manager
- Plugin Slug:
- task-manager
- Vulnerability:
- Content Injection
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4004
Text Toggle
- Plugin:
- Text Toggle
- Plugin Slug:
- text-toggle
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3997
Tour & Activity Operator Plugin for TourCMS
- Plugin:
- Tour & Activity Operator Plugin for TourCMS
- Plugin Slug:
- tour-operator-plugin
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1806
Tutor LMS Pro
- Plugin:
- Tutor LMS Pro
- Plugin Slug:
- tutor-pro
- Vulnerability:
- Broken Authentication
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-25406
Twitter Feeds
- Plugin:
- Twitter Feeds
- Plugin Slug:
- twitter-feeds
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1911
Shortcodes Blocks Creator Ultimate
- Plugin:
- Shortcodes Blocks Creator Ultimate
- Plugin Slug:
- ultimate-shortcodes-creator
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-12166
Shortcodes Blocks Creator Ultimate
- Plugin:
- Shortcodes Blocks Creator Ultimate
- Plugin Slug:
- ultimate-shortcodes-creator
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2024-12167
Vagaro Booking Widget
- Plugin:
- Vagaro Booking Widget
- Plugin Slug:
- vagaro-booking-widget
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-3003
Wikilookup
- Plugin:
- Wikilookup
- Plugin Slug:
- wikilookup
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3354
WordPress PayPal Donation
- Plugin:
- WordPress PayPal Donation
- Plugin Slug:
- wordpress-paypal-donation
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4072
WP Games Embed
- Plugin:
- WP Games Embed
- Plugin Slug:
- wp-games-embed
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3996
WP NG Weather
- Plugin:
- WP NG Weather
- Plugin Slug:
- wp-ng-weather
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1822
WP Posts Re-order
- Plugin:
- WP Posts Re-order
- Plugin Slug:
- wp-posts-re-order
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-1378
WP Random Button
- Plugin:
- WP Random Button
- Plugin Slug:
- wp-random-button
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-4086
WP-WebAuthn
- Plugin:
- WP-WebAuthn
- Plugin Slug:
- wp-webauthn
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2025-13910
WPBookit Pro
- Plugin:
- WPBookit Pro
- Plugin Slug:
- wpbookit-pro
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- No Fix
- Severity Score:
- Critical
- CVE:
- 2026-25413
WPBookit Pro
- Plugin:
- WPBookit Pro
- Plugin Slug:
- wpbookit-pro
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-25414
Xhanch – My Advanced Settings
- Plugin:
- Xhanch – My Advanced Settings
- Plugin Slug:
- xhanch-my-advanced-settings
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2026-3332
Elementor Website Builder – more than just a page builder
- Plugin Slug:
- elementor
- Installations
- 10,000,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 3.35.8
- Severity Score:
- Medium
- CVE:
- 2026-1206
Yoast SEO – Advanced SEO with real-time guidance and built-in AI
- Plugin Slug:
- wordpress-seo
- Installations
- 10,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 27.2
- Severity Score:
- Medium
- CVE:
- 2026-3427
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
- Plugin Slug:
- wpforms-lite
- Installations
- 6,000,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 1.9.9.2
- Severity Score:
- Medium
- CVE:
- 2026-25339
Complianz – GDPR/CCPA Cookie Consent
- Plugin Slug:
- complianz-gdpr
- Installations
- 1,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.4.5
- Severity Score:
- Medium
- CVE:
- 2026-2389
Smart Slider 3
- Plugin:
- Smart Slider 3
- Plugin Slug:
- smart-slider-3
- Installations
- 800,000+
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- 3.5.1.34
- Severity Score:
- Medium
- CVE:
- 2026-3098
Ninja Forms – The Contact Form Builder That Grows With You
- Plugin Slug:
- ninja-forms
- Installations
- 600,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 3.14.2
- Severity Score:
- Medium
- CVE:
- 2026-1307
SureForms – Contact Form, Payment Form & Other Custom Form Builder
- Plugin Slug:
- sureforms
- Installations
- 500,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.6.0
- Severity Score:
- High
- CVE:
- 2026-4987
Page Builder: Pagelayer – Drag and Drop website builder
- Plugin Slug:
- pagelayer
- Installations
- 400,000+
- Vulnerability:
- Content Injection
- Patched in Version:
- 2.0.8
- Severity Score:
- Medium
- CVE:
- 2026-2442
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
- Plugin Slug:
- shortpixel-image-optimiser
- Installations
- 300,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.4.4
- Severity Score:
- Medium
- CVE:
- 2026-4335
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
- Plugin Slug:
- ultimate-member
- Installations
- 200,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 2.11.3
- Severity Score:
- High
- CVE:
- 2026-4248
LatePoint – Calendar Booking Plugin for Appointments and Events
- Plugin Slug:
- latepoint
- Installations
- 100,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 5.2.7
- Severity Score:
- Medium
- CVE:
- 2026-32533
Booking for Appointments and Events Calendar – Amelia
- Plugin Slug:
- ameliabooking
- Installations
- 90,000+
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 9.2
- Severity Score:
- High
- CVE:
- 2026-2931
Download Monitor
- Plugin:
- Download Monitor
- Plugin Slug:
- download-monitor
- Installations
- 90,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 5.1.8
- Severity Score:
- Medium
- CVE:
- 2026-3124
JetFormBuilder — Dynamic Blocks Form Builder
- Plugin Slug:
- jetformbuilder
- Installations
- 90,000+
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- 3.5.6.3
- Severity Score:
- High
- CVE:
- 2026-4373
JetFormBuilder — Dynamic Blocks Form Builder
- Plugin Slug:
- jetformbuilder
- Installations
- 90,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 3.5.6.2
- Severity Score:
- Critical
- CVE:
- 2026-32525
Import and export users and customers
- Plugin Slug:
- import-users-from-csv-with-meta
- Installations
- 80,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 2.0
- Severity Score:
- High
- CVE:
- 2026-3629
Jupiter X Core
- Plugin:
- Jupiter X Core
- Plugin Slug:
- jupiterx-core
- Installations
- 80,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.14.2
- Severity Score:
- High
- CVE:
- 2026-3533
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
- Plugin Slug:
- learnpress
- Installations
- 80,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.3.3
- Severity Score:
- Medium
- CVE:
- 2026-3225
Conditional Menus
- Plugin:
- Conditional Menus
- Plugin Slug:
- conditional-menus
- Installations
- 60,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.2.7
- Severity Score:
- Medium
- CVE:
- 2026-1032
Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts
- Plugin Slug:
- insert-php
- Installations
- 60,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 2.7.2
- Severity Score:
- Critical
- CVE:
- 2026-25366
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
- Plugin Slug:
- user-registration
- Installations
- 60,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.1.5
- Severity Score:
- Medium
- CVE:
- 2026-4056
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
- Plugin Slug:
- user-registration
- Installations
- 60,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 5.1.3
- Severity Score:
- High
- CVE:
- 2026-32488
Product Filter for WooCommerce by WBW
- Plugin Slug:
- woo-product-filter
- Installations
- 60,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.1.3
- Severity Score:
- Medium
- CVE:
- 2026-3138
WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
- Plugin Slug:
- wp-google-map-plugin
- Installations
- 60,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 4.9.2
- Severity Score:
- Critical
- CVE:
- 2026-2580
Blog2Social: Social Media Auto Post & Scheduler
- Plugin Slug:
- blog2social
- Installations
- 50,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 8.8.3
- Severity Score:
- Medium
- CVE:
- 2026-4331
Sina Extension for Elementor
- Plugin:
- Sina Extension for Elementor
- Plugin Slug:
- sina-extension-for-elementor
- Installations
- 50,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.7.1
- Severity Score:
- Medium
- CVE:
- 2025-6229
Smart Custom Fields
- Plugin:
- Smart Custom Fields
- Plugin Slug:
- smart-custom-fields
- Installations
- 50,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.0.7
- Severity Score:
- Medium
- CVE:
- 2026-4066
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
- Plugin Slug:
- quiz-master-next
- Installations
- 40,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 11.0.0
- Severity Score:
- High
- CVE:
- 2026-2412
Mixed Media Gallery Blocks
- Plugin:
- Mixed Media Gallery Blocks
- Plugin Slug:
- simply-gallery-block
- Installations
- 40,000+
- Vulnerability:
- Arbitrary Code Execution
- Patched in Version:
- 3.3.2.1
- Severity Score:
- Critical
- CVE:
- 2026-25345
Blackhole for Bad Bots
- Plugin:
- Blackhole for Bad Bots
- Plugin Slug:
- blackhole-bad-bots
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.8.1
- Severity Score:
- High
- CVE:
- 2026-4329
LeadConnector
- Plugin:
- LeadConnector
- Plugin Slug:
- leadconnector
- Installations
- 30,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.0.22
- Severity Score:
- Medium
- CVE:
- 2026-1890
PPWP – Password Protect Pages
- Plugin:
- PPWP – Password Protect Pages
- Plugin Slug:
- password-protect-page
- Installations
- 30,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.9.16
- Severity Score:
- Medium
- CVE:
- 2026-32562
WPGraphQL
- Plugin:
- WPGraphQL
- Plugin Slug:
- wp-graphql
- Installations
- 30,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.10
- Severity Score:
- Medium
- CVE:
- 2026-33290
WP Lightbox 2
- Plugin:
- WP Lightbox 2
- Plugin Slug:
- wp-lightbox-2
- Installations
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.0.7
- Severity Score:
- Medium
- CVE:
- 2026-1430
Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution
- Plugin:
- Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution
- Plugin Slug:
- fluent-booking
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0.05
- Severity Score:
- High
- CVE:
- 2026-2231
Ibtana – WordPress Website Builder
- Plugin Slug:
- ibtana-visual-editor
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.2.5.8
- Severity Score:
- Medium
- CVE:
- 2026-1834
Quads Ads Manager for Google AdSense
- Plugin Slug:
- quick-adsense-reloaded
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0.99
- Severity Score:
- Medium
- CVE:
- 2026-2595
Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio
- Plugin Slug:
- twentig
- Installations
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0
- Severity Score:
- Medium
- CVE:
- 2026-2602
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
- Plugin:
- User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
- Plugin Slug:
- wp-user-frontend
- Installations
- 20,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.2.9
- Severity Score:
- High
- CVE:
- 2026-32485
Frontend Admin by DynamiApps
- Plugin:
- Frontend Admin by DynamiApps
- Plugin Slug:
- acf-frontend-form-element
- Installations
- 10,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 3.28.32
- Severity Score:
- High
- CVE:
- 2026-3328
Kali Forms — Contact Form & Drag-and-Drop Builder
- Plugin Slug:
- kali-forms
- Installations
- 10,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 2.4.10
- Severity Score:
- Critical
- CVE:
- 2026-3584
King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder
- Plugin Slug:
- king-addons
- Installations
- 10,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 51.1.51
- Severity Score:
- Medium
- CVE:
- 2025-13997
Lead Form Builder & Contact Form
- Plugin:
- Lead Form Builder & Contact Form
- Plugin Slug:
- lead-form-builder
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0.2
- Severity Score:
- High
- CVE:
- 2026-32532
Responsive Plus – Elementor Templates & Starter Sites
- Plugin Slug:
- responsive-add-ons
- Installations
- 10,000+
- Vulnerability:
- Arbitrary Code Execution
- Patched in Version:
- 3.4.3
- Severity Score:
- Medium
- CVE:
- 2025-15488
Five Star Restaurant Reservations – WordPress Booking Plugin
- Plugin Slug:
- restaurant-reservations
- Installations
- 10,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.7.10
- Severity Score:
- Medium
- CVE:
- 2026-25327
Review Schema – Review & Structure Data Schema Plugin
- Plugin Slug:
- review-schema
- Installations
- 10,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.2.7
- Severity Score:
- Medium
- CVE:
- 2026-25344
WP DSGVO Tools (GDPR)
- Plugin:
- WP DSGVO Tools (GDPR)
- Plugin Slug:
- shapepress-dsgvo
- Installations
- 10,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.1.39
- Severity Score:
- Critical
- CVE:
- 2026-4283
Team – Team Members Showcase Plugin
- Plugin Slug:
- tlp-team
- Installations
- 10,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 5.0.12
- Severity Score:
- High
- CVE:
- 2026-25026
weForms – Easy Drag & Drop Contact Form Builder For WordPress
- Plugin Slug:
- weforms
- Installations
- 10,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.6.27
- Severity Score:
- High
- CVE:
- 2026-32484
WP REST Cache
- Plugin:
- WP REST Cache
- Plugin Slug:
- wp-rest-cache
- Installations
- 10,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2026.1.1
- Severity Score:
- High
- CVE:
- 2026-25347
YML for Yandex Market
- Plugin:
- YML for Yandex Market
- Plugin Slug:
- yml-for-yandex-market
- Installations
- 10,000+
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 5.3.0
- Severity Score:
- Medium
- CVE:
- 2026-32567
Contact Form Email
- Plugin:
- Contact Form Email
- Plugin Slug:
- contact-form-to-email
- Installations
- 9,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.3.64
- Severity Score:
- Medium
- CVE:
- 2026-32483
ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
- Plugin Slug:
- reviewx
- Installations
- 8,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.3.0
- Severity Score:
- Medium
- CVE:
- 2025-10734
ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
- Plugin Slug:
- reviewx
- Installations
- 8,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 2.3.0
- Severity Score:
- High
- CVE:
- 2025-10679
ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
- Plugin Slug:
- reviewx
- Installations
- 8,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.3.0
- Severity Score:
- Medium
- CVE:
- 2025-10731
ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
- Plugin Slug:
- reviewx
- Installations
- 8,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.2.12
- Severity Score:
- Medium
- CVE:
- 2025-10736
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
- Plugin Slug:
- wp-job-portal
- Installations
- 8,000+
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 2.5.0
- Severity Score:
- High
- CVE:
- 2026-4758
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
- Plugin Slug:
- wp-job-portal
- Installations
- 8,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.4.9
- Severity Score:
- Critical
- CVE:
- 2026-4306
WP TripAdvisor Review Slider
- Plugin:
- WP TripAdvisor Review Slider
- Plugin Slug:
- wp-tripadvisor-review-slider
- Installations
- 8,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 14.2
- Severity Score:
- Medium
- CVE:
- 2026-32490
JS Help Desk – AI-Powered Support & Ticketing System
- Plugin Slug:
- js-support-ticket
- Installations
- 7,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.0.5
- Severity Score:
- Critical
- CVE:
- 2026-2511
JS Help Desk – AI-Powered Support & Ticketing System
- Plugin Slug:
- js-support-ticket
- Installations
- 7,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 3.0.4
- Severity Score:
- Medium
- CVE:
- 2026-32535
WP Review Slider
- Plugin:
- WP Review Slider
- Plugin Slug:
- wp-facebook-reviews
- Installations
- 7,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 14.0
- Severity Score:
- Medium
- CVE:
- 2026-32491
OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)
- Plugin Slug:
- oopspam-anti-spam
- Installations
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.2.63
- Severity Score:
- High
- CVE:
- 2026-32544
PeproDev Ultimate Invoice
- Plugin:
- PeproDev Ultimate Invoice
- Plugin Slug:
- pepro-ultimate-invoice
- Installations
- 6,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.2.6
- Severity Score:
- Medium
- CVE:
- 2026-2343
ProfileGrid – User Profiles, Groups and Communities
- Plugin Slug:
- profilegrid-user-profiles-groups-and-communities
- Installations
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 5.9.8.2
- Severity Score:
- Medium
- CVE:
- 2026-25417
Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization
- Plugin Slug:
- nelio-ab-testing
- Installations
- 5,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 8.2.8
- Severity Score:
- Critical
- CVE:
- 2026-32573
User Verification by PickPlugins
- Plugin:
- User Verification by PickPlugins
- Plugin Slug:
- user-verification
- Installations
- 5,000+
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 2.0.46
- Severity Score:
- Medium
- CVE:
- 2026-32497
Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
- Plugin Slug:
- learning-management-system
- Installations
- 4,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 2.1.7
- Severity Score:
- High
- CVE:
- 2026-4484
RSFirewall!
- Plugin:
- RSFirewall!
- Plugin Slug:
- rsfirewall
- Installations
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.1.46
- Severity Score:
- High
- CVE:
- 2026-25341
Shared Files – Frontend File Upload Form & Secure File Sharing
- Plugin Slug:
- shared-files
- Installations
- 4,000+
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- 1.7.58
- Severity Score:
- Medium
- CVE:
- 2025-15433
WP Telegram Widget and Join Link
- Plugin:
- WP Telegram Widget and Join Link
- Plugin Slug:
- wptelegram-widget
- Installations
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.2.14
- Severity Score:
- High
- CVE:
- 2026-23807
ElementInvader Addons for Elementor
- Plugin Slug:
- elementinvader-addons-for-elementor
- Installations
- 3,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 1.4.3
- Severity Score:
- High
- CVE:
- 2026-25007
KiviCare – Clinic & Patient Management System (EHR)
- Plugin Slug:
- kivicare-clinic-management-system
- Installations
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.0.0
- Severity Score:
- High
- CVE:
- 2026-25383
KiviCare – Clinic & Patient Management System (EHR)
- Plugin Slug:
- kivicare-clinic-management-system
- Installations
- 2,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.0.0
- Severity Score:
- Medium
- CVE:
- 2026-25034
Simple Download Counter
- Plugin:
- Simple Download Counter
- Plugin Slug:
- simple-download-counter
- Installations
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.3.1
- Severity Score:
- Medium
- CVE:
- 2026-4278
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
- Plugin Slug:
- booking-and-rental-manager-for-woocommerce
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.6.1
- Severity Score:
- Medium
- CVE:
- 2026-23972
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
- Plugin Slug:
- contest-gallery
- Installations
- 1,000+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 28.1.6
- Severity Score:
- High
- CVE:
- 2026-4021
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
- Plugin Slug:
- contest-gallery
- Installations
- 1,000+
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 28.1.3
- Severity Score:
- Critical
- CVE:
- 2026-25035
Injection Guard
- Plugin:
- Injection Guard
- Plugin Slug:
- injection-guard
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.3.0
- Severity Score:
- High
- CVE:
- 2026-3368
WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation
- Plugin Slug:
- optin
- Installations
- 1,000+
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- 1.4.30
- Severity Score:
- High
- CVE:
- 2026-4302
bBlocks – Essential Gutenberg Blocks & Patterns Collection
- Plugin Slug:
- b-blocks
- Installations
- 700+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.0.30
- Severity Score:
- Medium
- CVE:
- 2026-32489
The Ultimate WordPress Toolkit – WP Extended
- Plugin Slug:
- wpextended
- Installations
- 700+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 3.2.5
- Severity Score:
- High
- CVE:
- 2026-4314
Truebooker – Appointment Booking and Scheduler System
- Plugin Slug:
- truebooker-appointment-booking
- Installations
- 600+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 1.1.5
- Severity Score:
- Medium
- CVE:
- 2026-1797
VikRestaurants Table Reservations and Take-Away
- Plugin Slug:
- vikrestaurants
- Installations
- 600+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.5.3
- Severity Score:
- High
- CVE:
- 2026-25025
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
- Plugin:
- WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
- Plugin Slug:
- wp-courses
- Installations
- 600+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.2.27
- Severity Score:
- Medium
- CVE:
- 2026-31914
Vertex Addons for Elementor
- Plugin:
- Vertex Addons for Elementor
- Plugin Slug:
- addons-for-elementor-builder
- Installations
- 400+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.7.0
- Severity Score:
- Medium
- CVE:
- 2026-25398
FormLift for Infusionsoft Web Forms
- Plugin Slug:
- formlift
- Installations
- 400+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 7.5.22
- Severity Score:
- Medium
- CVE:
- 2026-4281
Helpdesk Support Ticket System for WooCommerce
- Plugin Slug:
- support-ticket-system-for-woocommerce
- Installations
- 200+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.1.3
- Severity Score:
- High
- CVE:
- 2026-23977
Contact Manager
- Plugin:
- Contact Manager
- Plugin Slug:
- contact-manager
- Installations
- 100+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 9.1.1
- Severity Score:
- High
- CVE:
- 2026-32517
DSGVO snippet for Leaflet Map and its Extensions
- Plugin Slug:
- dsgvo-leaflet-map
- Installations
- 100+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.4
- Severity Score:
- Medium
- CVE:
- 2026-4389
Video & Photo Gallery for Ultimate Member
- Plugin Slug:
- gallery-for-ultimate-member
- Installations
- 100+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.1.2
- Severity Score:
- High
- CVE:
- 2024-12162
Product File Upload for WooCommerce
- Plugin Slug:
- products-file-upload-for-woocommerce
- Installations
- 100+
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 2.2.5
- Severity Score:
- Medium
- CVE:
- 2026-25328
Filestack WP Upload
- Plugin:
- Filestack WP Upload
- Plugin Slug:
- filestack-upload
- Installations
- 60+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.0.0
- Severity Score:
- High
- CVE:
- 2024-11462
Debugger & Troubleshooter
- Plugin:
- Debugger & Troubleshooter
- Plugin Slug:
- debugger-troubleshooter
- Installations
- 40+
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.4.0
- Severity Score:
- Critical
- CVE:
- 2026-5130
BWL Advanced FAQ Manager Lite
- Plugin:
- BWL Advanced FAQ Manager Lite
- Plugin Slug:
- bwl-advanced-faq-manager-lite
- Installations
- 30+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.1.2
- Severity Score:
- Medium
- CVE:
- 2026-4075
QC SEO Help for llms.txt, AI Analytics, AI Content Writer, Subtitle to Article
- Plugin Slug:
- seo-help
- Installations
- 30+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.1.4
- Severity Score:
- High
- CVE:
- 2024-12156
FloristPress for Woo – Customize your eCommerce store for your Florist
- Plugin Slug:
- bakkbone-florist-companion
- Installations
- 10+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.8.3
- Severity Score:
- High
- CVE:
- 2026-1986
WP Cost Estimation & Payment Forms Builder
- Plugin:
- WP Cost Estimation & Payment Forms Builder
- Plugin Slug:
- WP_Estimation_Form
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 10.3.0
- Severity Score:
- High
- CVE:
- 2026-24363
Addon Jobsearch Chat
- Plugin:
- Addon Jobsearch Chat
- Plugin Slug:
- addon-jobsearch-chat
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.1
- Severity Score:
- High
- CVE:
- 2026-25376
Addon Jobsearch Chat
- Plugin:
- Addon Jobsearch Chat
- Plugin Slug:
- addon-jobsearch-chat
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.1
- Severity Score:
- Critical
- CVE:
- 2026-25377
Gyan Elements
- Plugin:
- Gyan Elements
- Plugin Slug:
- gyan-elements
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.2.2
- Severity Score:
- High
- CVE:
- 2026-23979
Ultimate Membership Pro
- Plugin:
- Ultimate Membership Pro
- Plugin Slug:
- indeed-membership-pro
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 13.7.1
- Severity Score:
- High
- CVE:
- 2026-25357
JetEngine
- Plugin:
- JetEngine
- Plugin Slug:
- jet-engine
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.8.6.2
- Severity Score:
- Critical
- CVE:
- 2026-4662
NaturaLife Extensions
- Plugin:
- NaturaLife Extensions
- Plugin Slug:
- naturalife-extensions
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.2
- Severity Score:
- High
- CVE:
- 2026-25018
NaturaLife Extensions
- Plugin:
- NaturaLife Extensions
- Plugin Slug:
- naturalife-extensions
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 2.2
- Severity Score:
- High
- CVE:
- 2026-25017
Salon Booking System Pro
- Plugin:
- Salon Booking System Pro
- Plugin Slug:
- salon-booking-plugin-pro
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 10.30.12
- Severity Score:
- High
- CVE:
- 2026-25334
LearnDash LMS
- Plugin:
- LearnDash LMS
- Plugin Slug:
- sfwd-lms
- Vulnerability:
- SQL Injection
- Patched in Version:
- 5.0.3.1
- Severity Score:
- High
- CVE:
- 2026-3079
The Grid
- Plugin:
- The Grid
- Plugin Slug:
- the-grid
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.8.0
- Severity Score:
- High
- CVE:
- 2026-24369
The Grid
- Plugin:
- The Grid
- Plugin Slug:
- the-grid
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.8.0
- Severity Score:
- Medium
- CVE:
- 2026-24370
ThemeREX Addons
- Plugin:
- ThemeREX Addons
- Plugin Slug:
- trx_addons
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 2.38.5
- Severity Score:
- Critical
- CVE:
- 2026-1969
Woocommerce Custom Product Addons Pro
- Plugin:
- Woocommerce Custom Product Addons Pro
- Plugin Slug:
- woo-custom-product-addons-pro
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 5.4.2
- Severity Score:
- Critical
- CVE:
- 2026-4001
WP Configurator Pro
- Plugin:
- WP Configurator Pro
- Plugin Slug:
- wp-configurator-pro
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.8.0
- Severity Score:
- High
- CVE:
- 2026-32501
JobSearch
- Plugin:
- JobSearch
- Plugin Slug:
- wp-jobsearch
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.2.2
- Severity Score:
- High
- CVE:
- 2026-32493
WordPress Themes — 21 Patched / 1 Unpatched
Apicona
- Theme:
- Apicona
- Theme Slug:
- apicona
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2026-25400
Ona
- Theme:
- Ona
- Theme Slug:
- ona
- Downloads
- 244,053
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 1.24
- Severity Score:
- Critical
- CVE:
- 2026-32482
Archicon
- Theme:
- Archicon
- Theme Slug:
- archicon
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.7
- Severity Score:
- Medium
- CVE:
- 2026-32506
Borgholm
- Theme:
- Borgholm
- Theme Slug:
- borgholm-marketing-agency-theme
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.6
- Severity Score:
- Critical
- CVE:
- 2026-32502
Car Dealer
- Theme:
- Car Dealer
- Theme Slug:
- cardealer
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.6.8
- Severity Score:
- High
- CVE:
- 2026-24391
Gaea
- Theme:
- Gaea
- Theme Slug:
- gaea
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.8
- Severity Score:
- High
- CVE:
- 2026-32518
Goldish
- Theme:
- Goldish
- Theme Slug:
- goldish
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 3.47
- Severity Score:
- Critical
- CVE:
- 2026-25030
Golo
- Theme:
- Golo
- Theme Slug:
- golo
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.7.5
- Severity Score:
- High
- CVE:
- 2026-23973
Gracey
- Theme:
- Gracey
- Theme Slug:
- gracey
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.4
- Severity Score:
- Medium
- CVE:
- 2026-32509
Halstein
- Theme:
- Halstein
- Theme Slug:
- halstein
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.8
- Severity Score:
- Medium
- CVE:
- 2026-32508
Kamperen
- Theme:
- Kamperen
- Theme Slug:
- kamperen
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.3
- Severity Score:
- Medium
- CVE:
- 2026-32510
KIDZ
- Theme:
- KIDZ
- Theme Slug:
- kidz
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 5.25
- Severity Score:
- Critical
- CVE:
- 2026-25029
Boutique
- Theme:
- Boutique
- Theme Slug:
- kute-boutique
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.4.6
- Severity Score:
- High
- CVE:
- 2026-25342
Leroux
- Theme:
- Leroux
- Theme Slug:
- leroux
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.4
- Severity Score:
- Medium
- CVE:
- 2026-32507
Meloo
- Theme:
- Meloo
- Theme Slug:
- meloo
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 2.8.2
- Severity Score:
- High
- CVE:
- 2026-25358
Jobmonster
- Theme:
- Jobmonster
- Theme Slug:
- noo-jobmonster
- Vulnerability:
- SQL Injection
- Patched in Version:
- 4.8.4
- Severity Score:
- Critical
- CVE:
- 2026-25340
Ricky
- Theme:
- Ricky
- Theme Slug:
- ricky
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 2.31
- Severity Score:
- Critical
- CVE:
- 2026-25032
Sanzo
- Theme:
- Sanzo
- Theme Slug:
- sanzo
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.4.3
- Severity Score:
- Medium
- CVE:
- 2026-25355
Stål
- Theme:
- Stål
- Theme Slug:
- stal
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.7
- Severity Score:
- Medium
- CVE:
- 2026-32511
Tasty Daily
- Theme:
- Tasty Daily
- Theme Slug:
- tastydaily
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 1.27
- Severity Score:
- Critical
- CVE:
- 2026-25031
Vayvo
- Theme:
- Vayvo
- Theme Slug:
- vayvo-progression
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.8
- Severity Score:
- High
- CVE:
- 2026-25373
WoodMart
- Theme:
- WoodMart
- Theme Slug:
- woodmart
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 8.3.9
- Severity Score:
- High
- CVE:
- 2026-23971
