WordPress Vulnerability Report — April 22, 2026

Since last week, 216 new vulnerabilities have emerged in the WordPress ecosystem, including 187 plugins and 29 themes. Of those, 29 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Apr 22, 2026

Filed Under:WordPress Vulnerability Report

Reading Time:39 min.

In this report, 216 vulnerabilities have been publicly disclosed. Security patches for 187 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 29 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 159 Patched / 28 Unpatched

2.1 Pz-LinkCard
2.2 WCFM Marketplace – Multivendor Marketplace for WooCommerce
2.3 Smart Online Order for Clover
2.4 Accept Cryptocurrencies with Plisio
2.5 Quick Interest Slider
2.6 Livemesh Addons for Elementor
2.7 Livemesh Addons for Elementor
2.8 Canto
2.9 CMS für Motorrad Werkstätten
2.10 Coachific Shortcode
2.11 Custom New User Notification
2.12 e-shot
2.13 Inquiry form to posts or pages
2.14 Katalogportal-pdf-sync Widget
2.15 Login as User
2.16 Accessibility Suite
2.17 OPEN-BRAIN
2.18 OPEN-BRAIN
2.19 Accessibly – WordPress Website Accessibility
2.20 Petje.af
2.21 Riaxe Product Customizer
2.22 Riaxe Product Customizer
2.23 Riaxe Product Customizer
2.24 VI: Include Post By
2.25 Visa Acceptance Solutions
2.26 WM JqMath
2.27 WP Circliful
2.28 Power Charts
2.29 Advanced Custom Fields (ACF®)
2.30 ManageWP Worker
2.31 Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
2.32 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.33 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.34 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.35 BackWPup – WordPress Backup & Restore Plugin
2.36 Meta Box
2.37 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.38 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.39 WP Shortcodes Plugin — Shortcodes Ultimate
2.40 Page Builder Gutenberg Blocks – CoBlocks
2.41 ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
2.42 Unlimited Elements For Elementor
2.43 PDF Invoices & Packing Slips for WooCommerce
2.44 CMP – Coming Soon & Maintenance Plugin by NiteoThemes
2.45 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.46 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.47 Post Duplicator
2.48 JetBackup – Backup, Restore & Migrate
2.49 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
2.50 Anti-Malware Security and Brute-Force Firewall
2.51 Kubio AI Page Builder
2.52 LatePoint – Calendar Booking Plugin for Appointments and Events
2.53 Modula Image Gallery – Photo Grid & Video Gallery
2.54 Tutor LMS – eLearning and online course solution
2.55 Tutor LMS – eLearning and online course solution
2.56 Tutor LMS – eLearning and online course solution
2.57 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.58 Download Monitor
2.59 Email Encoder – Protect Email Addresses and Phone Numbers
2.60 Email Encoder – Protect Email Addresses and Phone Numbers
2.61 ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
2.62 Customer Reviews for WooCommerce
2.63 Customer Reviews for WooCommerce
2.64 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
2.65 Jupiter X Core
2.66 Jupiter X Core
2.67 LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
2.68 OneSignal – Web Push Notifications
2.69 Germanized for WooCommerce
2.70 wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
2.71 Contextual Related Posts
2.72 Drag and Drop Multiple File Upload for Contact Form 7
2.73 Drag and Drop Multiple File Upload for Contact Form 7
2.74 User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2.75 Product Filter for WooCommerce by WBW
2.76 Product Filter for WooCommerce by WBW
2.77 WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
2.78 Advanced Product Fields (Product Addons) for WooCommerce
2.79 Categories Images
2.80 Better Find and Replace – AI-Powered Suggestions
2.81 YayMail – WooCommerce Email Customizer
2.82 BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
2.83 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
2.84 Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
2.85 Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
2.86 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.87 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.88 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.89 Website LLMs.txt
2.90 Website LLMs.txt
2.91 WP YouTube Lyte
2.92 Social Slider Feed
2.93 Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
2.94 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.95 Payment Gateway for Redsys & WooCommerce Lite
2.96 Payment Gateway for Redsys & WooCommerce Lite
2.97 wpForo Forum
2.98 wpForo Forum
2.99 wpForo Forum
2.100 WPZOOM Addons for Elementor – Starter Templates & Widgets
2.101 Content Blocks (Custom Post Widget)
2.102 WP Customer Area
2.103 Easy Appointments
2.104 Easy Appointments
2.105 EMC – Easily Embed Calendly Scheduling
2.106 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.107 MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.108 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
2.109 Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
2.110 Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
2.111 WP Photo Album Plus
2.112 YML for Yandex Market
2.113 WCAPF – Ajax Product Filter for WooCommerce
2.114 AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
2.115 EventPrime – Events Calendar, Bookings and Tickets
2.116 ActivityPub
2.117 Nexi XPay
2.118 FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
2.119 Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
2.120 Booking Activities
2.121 Notification for Telegram
2.122 Responsive Blocks – Page Builder for Blocks & Patterns
2.123 WpStream – Live Streaming, Video on Demand, Pay Per View
2.124 Basic Google Maps Placemarks
2.125 Events Calendar for GeoDirectory
2.126 Image Source Control Lite – Show Image Credits and Captions
2.127 SpeakOut! Email Petitions
2.128 WP Directory Kit
2.129 Groundhogg — CRM, Newsletters, and Marketing Automation
2.130 Prismatic
2.131 Shipment Tracker for Woocommerce
2.132 MyRewards
2.133 Video Gallery – YouTube Gallery & Responsive Video Playlist
2.134 Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
2.135 Mini Ajax Cart for WooCommerce
2.136 WP Docs
2.137 DirectoryPress – Business Directory And Classified Ad Listing
2.138 InPost Gallery
2.139 bBlocks – Essential Gutenberg Blocks & Patterns Collection
2.140 WP Sessions Time Monitoring Full Automatic
2.141 List View Google Calendar
2.142 Webling
2.143 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
2.144 Flipbox Addon for Elementor
2.145 BuddyPress Groupblog
2.146 Age Verification & Identity Verification by Token of Trust
2.147 Ultra Addons for WPForms
2.148 Hostel
2.149 HAPPY – Helpdesk Support Ticket System
2.150 Surbma | Booking.com Shortcode
2.151 WholeSale Products Dynamic Pricing Management WooCommerce
2.152 Academy LMS Pro
2.153 Accordion and Accordion Slider
2.154 Album and Image Gallery plus Lightbox
2.155 Blog Designer – Post and Widget
2.156 Career Section
2.157 Countdown Timer Ultimate
2.158 Featured Post Creative
2.159 Fusion Builder
2.160 Fusion Builder
2.161 Gravity SMTP
2.162 Video gallery and Player
2.163 JetEngine
2.164 Client Portal (Pro)
2.165 Meta slider and carousel with lightbox
2.166 MetForm Pro
2.167 Popup Anything
2.168 Portfolio and Projects
2.169 Post grid and filter ultimate
2.170 WP responsive FAQ with category
2.171 WP News and Scrolling Widgets
2.172 WowShipping Pro
2.173 Post Ticker Ultimate
2.174 Timeline and History slider
2.175 User Registration Stripe
2.176 Userpro
2.177 Product Pricing Table by WooBeWoo
2.178 WooCommerce Product Filters
2.179 WP Blog and Widget
2.180 WP Featured Content and Slider
2.181 WP Logo Showcase Responsive Slider and Carousel
2.182 WP Responsive Recent Post Slider/Carousel
2.183 WP Slick Slider and Image Carousel
2.184 Team Slider and Team Grid Showcase plus Team Carousel
2.185 Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
2.186 Trending/Popular Post Slider and Widget
2.187 Royal Elementor Addons Pro

3. WordPress Themes — 28 Patched / 1 Unpatched

3.1 WebStack
3.2 Charity Zone
3.3 Ecommerce Zone
3.4 Kids Gift Shop
3.5 Kids Online Store
3.6 Restaurant Zone
3.7 Vantage
3.8 Webenvo
3.9 Ashtanga
3.10 Atomlab
3.11 Behold
3.12 ChapterOne
3.13 Château
3.14 EasyMeals
3.15 Eldon
3.16 Eleganzo
3.17 Elementra
3.18 Esmée
3.19 Laurits
3.20 Léonie
3.21 LuxeDrive
3.22 MagOne
3.23 Manufaktur Solutions
3.24 Reina
3.25 Roisin
3.26 ShiftUp
3.27 TechLink
3.28 Valeska
3.29 Zoya

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress 7.0 Release Candidate 2 (RC2) is now ready for testing via the Beta Tester plugin, direct download, WP-CLI, or WordPress Playground. As a pre-release version, it should only be evaluated in staging or local environments.

WordPress Plugins — 159 Patched / 28 Unpatched

Plugin:: Pz-LinkCard
Plugin Slug:: pz-linkcard
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2434

Plugin:: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-63029

Plugin:: Smart Online Order for Clover
Plugin Slug:: clover-online-orders
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15635

Plugin:: Accept Cryptocurrencies with Plisio
Plugin Slug:: plisio-payment-gateway-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-6372

Plugin:: Quick Interest Slider
Plugin Slug:: quick-interest-slider
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-5694

Plugin:: Livemesh Addons for Elementor
Plugin Slug:: addons-for-elementor
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1620

Plugin:: Livemesh Addons for Elementor
Plugin Slug:: addons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1572

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-6441

Plugin:: CMS für Motorrad Werkstätten
Plugin Slug:: cms-fuer-motorrad-werkstaetten
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-6451

Plugin:: Coachific Shortcode
Plugin Slug:: coachific-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4005

Plugin:: Custom New User Notification
Plugin Slug:: custom-new-user-notification
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3551

Plugin:: e-shot
Plugin Slug:: e-shot-form-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3642

Plugin:: Inquiry form to posts or pages
Plugin Slug:: inquiry-form-to-posts-or-pages
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-6293

Plugin:: Katalogportal-pdf-sync Widget
Plugin Slug:: katalogportal-pdf-sync
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3649

Plugin:: Login as User
Plugin Slug:: one-click-login-as-user
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-5617

Plugin:: Accessibility Suite
Plugin Slug:: online-accessibility
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3773

Plugin:: OPEN-BRAIN
Plugin Slug:: open-brain
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3995

Plugin:: OPEN-BRAIN
Plugin Slug:: open-brain
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4091

Plugin:: Accessibly – WordPress Website Accessibility
Plugin Slug:: otm-accessibly
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3643

Plugin:: Petje.af
Plugin Slug:: petje-af
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4002

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3599

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3595

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3596

Plugin:: VI: Include Post By
Plugin Slug:: vi-include-post-by
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5717

Plugin:: Visa Acceptance Solutions
Plugin Slug:: visa-acceptance-solutions
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3461

Plugin:: WM JqMath
Plugin Slug:: wm-jqmath
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3998

Plugin:: WP Circliful
Plugin Slug:: wp-circliful
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3659

Plugin:: Power Charts
Plugin Slug:: wpgo-power-charts-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4011

Plugin:: Advanced Custom Fields (ACF®)
Plugin Slug:: advanced-custom-fields
Installations: 2,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.7.1
Severity Score:: Medium
CVE:: 2026-4812

Plugin:: ManageWP Worker
Plugin Slug:: worker
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.32
Severity Score:: High
CVE:: 2026-39463

Plugin:: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 700,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.2.0
Severity Score:: Medium
CVE:: 2026-4160

Plugin:: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1057
Severity Score:: Medium
CVE:: 2026-5162

Plugin:: WP Statistics – Simple, privacy-friendly Google Analytics alternative
Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 14.16.5
Severity Score:: Medium
CVE:: 2026-3488

Plugin:: WP Statistics – Simple, privacy-friendly Google Analytics alternative
Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.16.5
Severity Score:: High
CVE:: 2026-5231

Plugin:: BackWPup – WordPress Backup & Restore Plugin
Plugin Slug:: backwpup
Installations: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.6.7
Severity Score:: High
CVE:: 2026-6227

Plugin:: Meta Box
Plugin Slug:: meta-box
Installations: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.11.2
Severity Score:: Medium
CVE:: 2026-39468

Plugin:: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Plugin Slug:: ml-slider
Installations: 500,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.107.0
Severity Score:: High
CVE:: 2026-39467

Plugin:: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Plugin Slug:: ml-slider
Installations: 500,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.107.0
Severity Score:: Critical
CVE:: 2026-39465

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.5.0
Severity Score:: Medium
CVE:: 2026-3885

Plugin:: Page Builder Gutenberg Blocks – CoBlocks
Plugin Slug:: coblocks
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.17
Severity Score:: Medium
CVE:: 2026-4801

Plugin:: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
Plugin Slug:: shortpixel-image-optimiser
Installations: 300,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.4.4
Severity Score:: High
CVE:: 2026-39471

Plugin:: Unlimited Elements For Elementor
Plugin Slug:: unlimited-elements-for-elementor
Installations: 300,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.0.7
Severity Score:: High
CVE:: 2026-4659

Plugin:: PDF Invoices & Packing Slips for WooCommerce
Plugin Slug:: woocommerce-pdf-invoices-packing-slips
Installations: 300,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.9.0
Severity Score:: High
CVE:: 2026-39472

Plugin:: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Plugin Slug:: cmp-coming-soon-maintenance
Installations: 200,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.1.17
Severity Score:: High
CVE:: 2026-6518

Plugin:: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.3
Severity Score:: High
CVE:: 2026-5217

Plugin:: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.4
Severity Score:: High
CVE:: 2026-5226

Plugin:: Post Duplicator
Plugin Slug:: post-duplicator
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.11
Severity Score:: High
CVE:: 2026-39474

Plugin:: JetBackup – Backup, Restore & Migrate
Plugin Slug:: backup
Installations: 100,000+
Vulnerability:: Path Traversal
Patched in Version:: 3.1.20.3
Severity Score:: Medium
CVE:: 2026-4853

Plugin:: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: Directory Traversal
Patched in Version:: 3.4.5
Severity Score:: High
CVE:: 2026-5478

Plugin:: Anti-Malware Security and Brute-Force Firewall
Plugin Slug:: gotmls
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.23.88
Severity Score:: High
CVE:: 2026-39478

Plugin:: Kubio AI Page Builder
Plugin Slug:: kubio
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.3
Severity Score:: Medium
CVE:: 2026-5427

Plugin:: LatePoint – Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.4.0
Severity Score:: Medium
CVE:: 2026-5234

Plugin:: Modula Image Gallery – Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.14.19
Severity Score:: High
CVE:: 2026-39481

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-40743

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.9.9
Severity Score:: High
CVE:: 2026-6080

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.9
Severity Score:: Medium
CVE:: 2026-5502

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.16.13
Severity Score:: Medium
CVE:: 2026-4949

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 5.1.10
Severity Score:: Medium
CVE:: 2026-39489

Plugin:: Email Encoder – Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.4
Severity Score:: Medium
CVE:: 2024-7083

Plugin:: Email Encoder – Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.5
Severity Score:: Medium
CVE:: 2026-2840

Plugin:: ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
Plugin Slug:: woolentor-addons
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.6
Severity Score:: Medium
CVE:: 2026-4059

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.102.0
Severity Score:: High
CVE:: 2026-3355

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Broken Authentication
Patched in Version:: 5.104.0
Severity Score:: Medium
CVE:: 2026-4664

Plugin:: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Plugin Slug:: interactive-3d-flipbook-powered-physics-engine
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.16.18
Severity Score:: Medium
CVE:: 2026-1314

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.14.2
Severity Score:: High
CVE:: 2026-39490

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.14.2
Severity Score:: Medium
CVE:: 2026-39491

Plugin:: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Critical
CVE:: 2026-4365

Plugin:: OneSignal – Web Push Notifications
Plugin Slug:: onesignal-free-web-push-notifications
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.1
Severity Score:: Low
CVE:: 2026-3155

Plugin:: Germanized for WooCommerce
Plugin Slug:: woocommerce-germanized
Installations: 70,000+
Vulnerability:: Content Injection
Patched in Version:: 3.20.6
Severity Score:: Medium
CVE:: 2026-2582

Plugin:: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
Plugin Slug:: wpdatatables
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.0.5
Severity Score:: Medium
CVE:: 2026-5721

Plugin:: Contextual Related Posts
Plugin Slug:: contextual-related-posts
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2026-2986

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.9.7
Severity Score:: High
CVE:: 2026-5718

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.3.9.7
Severity Score:: High
CVE:: 2026-5710

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Open Redirection
Patched in Version:: 5.1.5
Severity Score:: Medium
CVE:: 2026-6203

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-3830

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-39494

Plugin:: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.8
Severity Score:: Medium
CVE:: 2025-13364

Plugin:: Advanced Product Fields (Product Addons) for WooCommerce
Plugin Slug:: advanced-product-fields-for-woocommerce
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.20
Severity Score:: High
CVE:: 2026-39499

Plugin:: Categories Images
Plugin Slug:: categories-images
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.2
Severity Score:: Medium
CVE:: 2026-2505

Plugin:: Better Find and Replace – AI-Powered Suggestions
Plugin Slug:: real-time-auto-find-and-replace
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.0
Severity Score:: Medium
CVE:: 2026-3369

Plugin:: YayMail – WooCommerce Email Customizer
Plugin Slug:: yaymail
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.3.4
Severity Score:: High
CVE:: 2026-39498

Plugin:: BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
Plugin Slug:: betterdocs
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.9
Severity Score:: Medium
CVE:: 2026-3875

Plugin:: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.6
Severity Score:: High
CVE:: 2026-39503

Plugin:: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Content Injection
Patched in Version:: 11.1.1
Severity Score:: Medium
CVE:: 2026-5797

Plugin:: Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
Plugin Slug:: ultimate-post
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.6
Severity Score:: Medium
CVE:: 2026-0718

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.41
Severity Score:: High
CVE:: 2026-3330

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.41
Severity Score:: High
CVE:: 2026-4388

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.38
Severity Score:: Critical
CVE:: 2025-15441

Plugin:: Website LLMs.txt
Plugin Slug:: website-llms-txt
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.7
Severity Score:: Medium
CVE:: 2026-6712

Plugin:: Website LLMs.txt
Plugin Slug:: website-llms-txt
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.7
Severity Score:: Medium
CVE:: 2026-6711

Plugin:: WP YouTube Lyte
Plugin Slug:: wp-youtube-lyte
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.30
Severity Score:: Medium
CVE:: 2026-3299

Plugin:: Social Slider Feed
Plugin Slug:: instagram-slider-widget
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.3
Severity Score:: High
CVE:: 2026-39507

Plugin:: Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
Plugin Slug:: post-carousel
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.13
Severity Score:: High
CVE:: 2026-3017

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.61
Severity Score:: Medium
CVE:: 2026-5742

Plugin:: Payment Gateway for Redsys & WooCommerce Lite
Plugin Slug:: woo-redsys-gateway-light
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.0.1
Severity Score:: High
CVE:: 2026-40741

Plugin:: Payment Gateway for Redsys & WooCommerce Lite
Plugin Slug:: woo-redsys-gateway-light
Installations: 20,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 7.0.1
Severity Score:: High
CVE:: 2026-5050

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Directory Traversal
Patched in Version:: 3.0.6
Severity Score:: High
CVE:: 2026-6248

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2026-4666

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.0.3
Severity Score:: High
CVE:: 2026-5809

Plugin:: WPZOOM Addons for Elementor – Starter Templates & Widgets
Plugin Slug:: wpzoom-elementor-addons
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: High
CVE:: 2026-39597

Plugin:: Content Blocks (Custom Post Widget)
Plugin Slug:: custom-post-widget
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2026-0894

Plugin:: WP Customer Area
Plugin Slug:: customer-area
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 8.3.5
Severity Score:: High
CVE:: 2026-3464

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-2262

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-39513

Plugin:: EMC – Easily Embed Calendly Scheduling
Plugin Slug:: embed-calendly-scheduling
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5
Severity Score:: Medium
CVE:: 2026-0868

Plugin:: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.154
Severity Score:: Critical
CVE:: 2026-39512

Plugin:: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.7.26
Severity Score:: High
CVE:: 2026-4817

Plugin:: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Plugin Slug:: paid-member-subscriptions
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2026-39514

Plugin:: Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
Plugin Slug:: royal-backup-reset
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.17
Severity Score:: High
CVE:: 2026-4305

Plugin:: Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.9
Severity Score:: Medium
CVE:: 2026-4109

Plugin:: WP Photo Album Plus
Plugin Slug:: wp-photo-album-plus
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.08.002
Severity Score:: Critical
CVE:: 2026-39511

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.0.26
Severity Score:: High
CVE:: 2025-14545

Plugin:: WCAPF – Ajax Product Filter for WooCommerce
Plugin Slug:: wc-ajax-product-filter
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.3.0
Severity Score:: Critical
CVE:: 2026-3396

Plugin:: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Plugin Slug:: acymailing
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.8.2
Severity Score:: High
CVE:: 2026-3614

Plugin:: EventPrime – Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.3.0.1
Severity Score:: High
CVE:: 2026-39518

Plugin:: ActivityPub
Plugin Slug:: activitypub
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.0.2
Severity Score:: High
CVE:: 2026-4338

Plugin:: Nexi XPay
Plugin Slug:: cartasi-x-pay
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.3.2
Severity Score:: Medium
CVE:: 2025-15565

Plugin:: FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
Plugin Slug:: fluent-boards
Installations: 6,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.91.3
Severity Score:: High
CVE:: 2026-40784

Plugin:: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Plugin Slug:: youzify
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2026-1559

Plugin:: Booking Activities
Plugin Slug:: booking-activities
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.17.0
Severity Score:: Medium
CVE:: 2026-39525

Plugin:: Notification for Telegram
Plugin Slug:: notification-for-telegram
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.1
Severity Score:: High
CVE:: 2026-40732

Plugin:: Responsive Blocks – Page Builder for Blocks & Patterns
Plugin Slug:: responsive-block-editor-addons
Installations: 4,000+
Vulnerability:: Open Redirection
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2026-6675

Plugin:: WpStream – Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.11.2
Severity Score:: Medium
CVE:: 2026-39527

Plugin:: Basic Google Maps Placemarks
Plugin Slug:: basic-google-maps-placemarks
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.10.8
Severity Score:: Medium
CVE:: 2026-3581

Plugin:: Events Calendar for GeoDirectory
Plugin Slug:: events-for-geodirectory
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.3.26
Severity Score:: High
CVE:: 2026-39532

Plugin:: Image Source Control Lite – Show Image Credits and Captions
Plugin Slug:: image-source-control-isc
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.2
Severity Score:: Medium
CVE:: 2026-4852

Plugin:: SpeakOut! Email Petitions
Plugin Slug:: speakout
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.6.5.1
Severity Score:: Critical
CVE:: 2026-39530

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.1
Severity Score:: Critical
CVE:: 2026-39531

Plugin:: Groundhogg — CRM, Newsletters, and Marketing Automation
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 4.4.1
Severity Score:: High
CVE:: 2026-40727

Plugin:: Prismatic
Plugin Slug:: prismatic
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.4
Severity Score:: High
CVE:: 2026-3876

Plugin:: Shipment Tracker for Woocommerce
Plugin Slug:: shipment-tracker-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3.3
Severity Score:: Medium
CVE:: 2026-39540

Plugin:: MyRewards
Plugin Slug:: woorewards
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.4
Severity Score:: Medium
CVE:: 2026-40786

Plugin:: Video Gallery – YouTube Gallery & Responsive Video Playlist
Plugin Slug:: youtube-showcase
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.2
Severity Score:: Medium
CVE:: 2025-15636

Plugin:: Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
Plugin Slug:: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.12.0
Severity Score:: Critical
CVE:: 2026-4880

Plugin:: Mini Ajax Cart for WooCommerce
Plugin Slug:: mini-ajax-woo-cart
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2026-6370

Plugin:: WP Docs
Plugin Slug:: wp-docs
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2026-3878

Plugin:: DirectoryPress – Business Directory And Classified Ad Listing
Plugin Slug:: directorypress
Installations: 900+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.27
Severity Score:: Critical
CVE:: 2026-3489

Plugin:: InPost Gallery
Plugin Slug:: inpost-gallery
Installations: 800+
Vulnerability:: SQL Injection
Patched in Version:: 2.1.5
Severity Score:: Critical
CVE:: 2026-39574

Plugin:: bBlocks – Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 700+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.32
Severity Score:: High
CVE:: 2026-39579

Plugin:: WP Sessions Time Monitoring Full Automatic
Plugin Slug:: activitytime
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-39581

Plugin:: List View Google Calendar
Plugin Slug:: list-view-google-calendar
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.4
Severity Score:: Medium
CVE:: 2026-2396

Plugin:: Webling
Plugin Slug:: webling
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.1
Severity Score:: Medium
CVE:: 2026-1263

Plugin:: RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
Plugin Slug:: computer-repair-shop
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1133
Severity Score:: Medium
CVE:: 2026-39584

Plugin:: Flipbox Addon for Elementor
Plugin Slug:: ultimate-flipbox-addon-for-elementor
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2026-6048

Plugin:: BuddyPress Groupblog
Plugin Slug:: bp-groupblog
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.9.4
Severity Score:: High
CVE:: 2026-5144

Plugin:: Age Verification & Identity Verification by Token of Trust
Plugin Slug:: token-of-trust
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.32.4
Severity Score:: High
CVE:: 2026-2834

Plugin:: Ultra Addons for WPForms
Plugin Slug:: ultra-addons-for-wpforms
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.12
Severity Score:: Medium
CVE:: 2026-39594

Plugin:: Hostel
Plugin Slug:: hostel
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.7
Severity Score:: High
CVE:: 2026-1838

Plugin:: HAPPY – Helpdesk Support Ticket System
Plugin Slug:: happy-helpdesk-support-ticket-system
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.11
Severity Score:: Medium
CVE:: 2026-39593

Plugin:: Surbma | Booking.com Shortcode
Plugin Slug:: surbma-bookingcom-shortcode
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2026-1607

Plugin:: WholeSale Products Dynamic Pricing Management WooCommerce
Plugin Slug:: wholesale-products-dynamic-pricing-management-woocommerce
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4479

Plugin:: Academy LMS Pro
Plugin Slug:: academy-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2026-39598

Plugin:: Accordion and Accordion Slider
Plugin Slug:: accordion-and-accordion-slider
Vulnerability:: Backdoor
Patched in Version:: 1.4.6.1
Severity Score:: Critical

Plugin:: Album and Image Gallery plus Lightbox
Plugin Slug:: album-and-image-gallery-plus-lightbox
Vulnerability:: Backdoor
Patched in Version:: 2.1.8.1
Severity Score:: Critical

Plugin:: Blog Designer – Post and Widget
Plugin Slug:: blog-designer-for-post-and-widget
Vulnerability:: Backdoor
Patched in Version:: 2.7.7.1
Severity Score:: Critical

Plugin:: Career Section
Plugin Slug:: career-section
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.7
Severity Score:: High
CVE:: 2025-14868

Plugin:: Countdown Timer Ultimate
Plugin Slug:: countdown-timer-ultimate
Vulnerability:: Backdoor
Patched in Version:: 2.6.9.1
Severity Score:: Critical

Plugin:: Featured Post Creative
Plugin Slug:: featured-post-creative
Vulnerability:: Backdoor
Patched in Version:: 1.5.7.1
Severity Score:: Critical

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Content Injection
Patched in Version:: 3.15.2
Severity Score:: Medium
CVE:: 2026-1509

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.15.2
Severity Score:: Medium
CVE:: 2026-1541

Plugin:: Gravity SMTP
Plugin Slug:: gravitysmtp
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-4162

Plugin:: Video gallery and Player
Plugin Slug:: html5-videogallery-plus-player
Vulnerability:: Backdoor
Patched in Version:: 2.8.7.1
Severity Score:: Critical

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: SQL Injection
Patched in Version:: 3.8.6.2
Severity Score:: Critical
CVE:: 2026-4352

Plugin:: Client Portal (Pro)
Plugin Slug:: leco-client-portal
Vulnerability:: Arbitrary File Download
Patched in Version:: 5.6.3
Severity Score:: Medium
CVE:: 2026-40724

Plugin:: Meta slider and carousel with lightbox
Plugin Slug:: meta-slider-and-carousel-with-lightbox
Vulnerability:: Backdoor
Patched in Version:: 2.0.8.1
Severity Score:: Critical

Plugin:: MetForm Pro
Plugin Slug:: metform-pro
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-1782

Plugin:: Popup Anything
Plugin Slug:: popup-anything-on-click
Vulnerability:: Backdoor
Patched in Version:: 2.9.1.1
Severity Score:: Critical

Plugin:: Portfolio and Projects
Plugin Slug:: portfolio-and-projects
Vulnerability:: Backdoor
Patched in Version:: 1.5.6.1
Severity Score:: Critical

Plugin:: Post grid and filter ultimate
Plugin Slug:: post-grid-and-filter-ultimate
Vulnerability:: Backdoor
Patched in Version:: 1.7.4.1
Severity Score:: Critical

Plugin:: WP responsive FAQ with category
Plugin Slug:: sp-faq
Vulnerability:: Backdoor
Patched in Version:: 3.9.5.1
Severity Score:: Critical

Plugin:: WP News and Scrolling Widgets
Plugin Slug:: sp-news-and-widget
Vulnerability:: Backdoor
Patched in Version:: 5.0.6.1
Severity Score:: Critical

Plugin:: WowShipping Pro
Plugin Slug:: table-rate-shipping-pro
Vulnerability:: Backdoor
Patched in Version:: 1.0.8
Severity Score:: Critical

Plugin:: Post Ticker Ultimate
Plugin Slug:: ticker-ultimate
Vulnerability:: Backdoor
Patched in Version:: 1.7.6.1
Severity Score:: Critical

Plugin:: Timeline and History slider
Plugin Slug:: timeline-and-history-slider
Vulnerability:: Backdoor
Patched in Version:: 2.4.5.1
Severity Score:: Critical

Plugin:: User Registration Stripe
Plugin Slug:: user-registration-stripe
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.15
Severity Score:: High
CVE:: 2026-40726

Plugin:: Userpro
Plugin Slug:: userpro
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.1.11
Severity Score:: Medium
CVE:: 2025-53444

Plugin:: Product Pricing Table by WooBeWoo
Plugin Slug:: woo-product-pricing-tables
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.1
Severity Score:: High
CVE:: 2026-1852

Plugin:: WooCommerce Product Filters
Plugin Slug:: woocommerce-product-filters
Vulnerability:: PHP Object Injection
Patched in Version:: 2.0.6
Severity Score:: Critical
CVE:: 2026-40725

Plugin:: WP Blog and Widget
Plugin Slug:: wp-blog-and-widgets
Vulnerability:: Backdoor
Patched in Version:: 2.6.6.1
Severity Score:: Critical

Plugin:: WP Featured Content and Slider
Plugin Slug:: wp-featured-content-and-slider
Vulnerability:: Backdoor
Patched in Version:: 1.7.6.1
Severity Score:: Critical

Plugin:: WP Logo Showcase Responsive Slider and Carousel
Plugin Slug:: wp-logo-showcase-responsive-slider-slider
Vulnerability:: Backdoor
Patched in Version:: 3.8.7.1
Severity Score:: Critical

Plugin:: WP Responsive Recent Post Slider/Carousel
Plugin Slug:: wp-responsive-recent-post-slider
Vulnerability:: Backdoor
Patched in Version:: 3.7.1.1
Severity Score:: Critical

Plugin:: WP Slick Slider and Image Carousel
Plugin Slug:: wp-slick-slider-and-image-carousel
Vulnerability:: Backdoor
Patched in Version:: 3.7.8.2
Severity Score:: Critical

Plugin:: Team Slider and Team Grid Showcase plus Team Carousel
Plugin Slug:: wp-team-showcase-and-slider
Vulnerability:: Backdoor
Patched in Version:: 2.8.6.1
Severity Score:: Critical

Plugin:: Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
Plugin Slug:: wp-testimonial-with-widget
Vulnerability:: Backdoor
Patched in Version:: 3.5.6.1
Severity Score:: Critical

Plugin:: Trending/Popular Post Slider and Widget
Plugin Slug:: wp-trending-post-slider-and-widget
Vulnerability:: Backdoor
Patched in Version:: 1.8.6.1
Severity Score:: Critical

Plugin:: Royal Elementor Addons Pro
Plugin Slug:: wpr-addons-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1041
Severity Score:: High
CVE:: 2026-40720

WordPress Themes — 28 Patched / 1 Unpatched

Theme:: WebStack
Theme Slug:: webstack
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1555

Theme:: Charity Zone
Theme Slug:: charity-zone
Downloads: 112,126
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.2
Severity Score:: Critical
CVE:: 2026-40749

Theme:: Ecommerce Zone
Theme Slug:: ecommerce-zone
Downloads: 89,443
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.9.8
Severity Score:: Critical
CVE:: 2026-40747

Theme:: Kids Gift Shop
Theme Slug:: kids-gift-shop
Downloads: 20,521
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.5.5
Severity Score:: Critical
CVE:: 2026-40748

Theme:: Kids Online Store
Theme Slug:: kids-online-store
Downloads: 53,065
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.9.0
Severity Score:: Critical
CVE:: 2026-40750

Theme:: Restaurant Zone
Theme Slug:: restaurant-zone
Downloads: 80,108
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.7.9
Severity Score:: Critical
CVE:: 2026-40746

Theme:: Vantage
Theme Slug:: vantage
Downloads: 3,232,270
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.20.33
Severity Score:: Medium
CVE:: 2026-5070

Theme:: Webenvo
Theme Slug:: webenvo
Downloads: 10,224
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.0.7
Severity Score:: Critical
CVE:: 2026-39589

Theme:: Ashtanga
Theme Slug:: ashtanga
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-40751

Theme:: Atomlab
Theme Slug:: atomlab
Vulnerability:: Local File Inclusion
Patched in Version:: 2.4.6
Severity Score:: High
CVE:: 2026-39590

Theme:: Behold
Theme Slug:: behold
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-40760

Theme:: ChapterOne
Theme Slug:: chapterone
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8
Severity Score:: High
CVE:: 2026-40731

Theme:: Château
Theme Slug:: chateau
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-40757

Theme:: EasyMeals
Theme Slug:: easymeals
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-40753

Theme:: Eldon
Theme Slug:: eldon
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40738

Theme:: Eleganzo
Theme Slug:: eleganzo
Vulnerability:: Path Traversal
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2025-15470

Theme:: Elementra
Theme Slug:: elementra
Vulnerability:: PHP Object Injection
Patched in Version:: 1.1.0
Severity Score:: Critical
CVE:: 2026-39529

Theme:: Esmée
Theme Slug:: esme
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40759

Theme:: Laurits
Theme Slug:: laurits
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-40736

Theme:: Léonie
Theme Slug:: lonie
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-40758

Theme:: LuxeDrive
Theme Slug:: luxedrive
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40739

Theme:: MagOne
Theme Slug:: magone
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1
Severity Score:: High
CVE:: 2026-39548

Theme:: Manufaktur Solutions
Theme Slug:: manufaktursolutions
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2
Severity Score:: High
CVE:: 2026-40752

Theme:: Reina
Theme Slug:: reina
Vulnerability:: PHP Object Injection
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-40735

Theme:: Roisin
Theme Slug:: roisin
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40754

Theme:: ShiftUp
Theme Slug:: shiftup
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-40733

Theme:: TechLink
Theme Slug:: techlink
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-40755

Theme:: Valeska
Theme Slug:: valeska
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-40761

Theme:: Zoya
Theme Slug:: zoya
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40756

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 159 Patched / 28 Unpatched