WordPress Vulnerability Report — December 10, 2025

Since last week, 170 new vulnerabilities have emerged in the WordPress ecosystem, including 168 plugins and 2 themes. Of those, 91 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Dec 10, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:32 min.

In this report, 170 vulnerabilities have been publicly disclosed. Security patches for 79 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 91 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 77 Patched / 91 Unpatched

2.1 Happy Addons for Elementor
2.2 Yandex.Metrica
2.3 WP Ultimate Review
2.4 Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress
2.5 Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations
2.6 Custom Field Template
2.7 Xpro Addons — 140+ Widgets for Elementor
2.8 Page View Count
2.9 Make Section & Column Clickable For Elementor
2.10 Order Delivery Date for WooCommerce
2.11 Xagio SEO – AI Powered SEO
2.12 Paysera Payment Gateway for WooCommerce
2.13 WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
2.14 WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics
2.15 WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance
2.16 WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance
2.17 Arconix Shortcodes
2.18 Custom Layouts – Post + Product grids made easy
2.19 MultiParcels Shipping For WooCommerce
2.20 Shopping Cart & eCommerce Store
2.21 Ergonet Cache
2.22 Eupago Gateway For Woocommerce
2.23 Social Photo Fetcher
2.24 Gravitec.net – Web Push Notifications
2.25 Just TinyMCE Custom Styles
2.26 Media Library Downloader
2.27 Post Cloner
2.28 WP Flashy Marketing Automation
2.29 Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript
2.30 Feeds for TikTok – Display Video Feeds in Grid Layouts
2.31 Custom Sidebars by ProteusThemes
2.32 Formstack Online Forms
2.33 Image Cleanup
2.34 Image Cleanup
2.35 SMTP Mail
2.36 User Spam Remover
2.37 WP-CRM System – Manage Clients and Projects
2.38 Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons
2.39 Generic Elements
2.40 g-FFL Cockpit
2.41 Search, Filters & Merchandising for WooCommerce
2.42 Torod – The smart shipping and delivery portal for e-shops and retailers
2.43 Actionwear products sync
2.44 Flex QR Code Generator
2.45 Hype
2.46 Application Passwords
2.47 ARK Related Posts
2.48 Broken Link Manager
2.49 Canadian Nutrition Facts Label
2.50 Clikstats
2.51 Hello Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters
2.52 CryptX
2.53 CSS3 Buttons
2.54 CSV Sumotto
2.55 Cute News Ticker
2.56 DB Access
2.57 dream gallery
2.58 Extra Post Images
2.59 FitVids for WordPress
2.60 Helloprint
2.61 Jabbernotification
2.62 List Attachments Shortcode
2.63 Listar – Directory Listing & Classifieds
2.64 Listar – Directory Listing & Classifieds
2.65 Live CSS Preview
2.66 myLCO
2.67 Nouri.sh Newsletter
2.68 Payaza
2.69 Post Grid and Gutenberg Blocks
2.70 PostGallery
2.71 Projectopia
2.72 Projectopia
2.73 RevInsite
2.74 Social Feed Gallery Portfolio
2.75 WordPress eCommerce Plugin – Studiocart
2.76 Thai Lottery Widget
2.77 Time Sheets
2.78 Time Sheets
2.79 TR Timthumb
2.80 Trail Manager
2.81 Twitscription
2.82 Ultra Skype Button
2.83 User Generator and Importer
2.84 User Verification
2.85 Voidek Employee Portal
2.86 WebP Express
2.87 Weekly Planner
2.88 Live Sales Notification for Woocommerce – Woomotiv
2.89 WP Landing Page
2.90 WP-SOS-Donate
2.91 Yet Another WebClap for WordPress
2.92 Starter Templates – AI-Powered Templates for Elementor & Gutenberg
2.93 Custom Post Type UI
2.94 Autoptimize
2.95 Widgets for Google Reviews
2.96 Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
2.97 Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
2.98 Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
2.99 PDF Invoices & Packing Slips for WooCommerce
2.100 SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers
2.101 Advanced Custom Fields: Extended
2.102 Backup Migration
2.103 Beaver Builder Page Builder – Drag and Drop Website Builder
2.104 Beaver Builder Page Builder – Drag and Drop Website Builder
2.105 Kadence WooCommerce Email Designer
2.106 Image Gallery – Photo Grid & Video Gallery
2.107 Image Gallery – Photo Grid & Video Gallery
2.108 Rich Shortcodes for Google Reviews
2.109 HUSKY – Products Filter Professional for WooCommerce
2.110 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
2.111 WP 2FA – Two-factor authentication for WordPress
2.112 ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
2.113 Wp Social Login and Register Social Counter
2.114 Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
2.115 Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
2.116 FunnelKit – Funnel Builder for WooCommerce Checkout
2.117 Cost Calculator Builder
2.118 Envo Extra
2.119 Timetable and Event Schedule by MotoPress
2.120 WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets
2.121 All-in-One Video Gallery
2.122 Quiz Maker
2.123 Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor
2.124 Visualizer: Tables and Charts Manager for WordPress
2.125 Frontend Admin by DynamiApps
2.126 BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
2.127 Business Directory Plugin – Easy Listing Directories for WordPress
2.128 Nexter Extension – Site Enhancements Toolkit
2.129 Export All Posts, Products, Orders, Refunds & Users
2.130 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
2.131 GSheetConnector For WPForms
2.132 Event Booking Manager for WooCommerce
2.133 weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
2.134 WPKoi Templates for Elementor
2.135 Chartify – WordPress Chart Plugin
2.136 SMS Alert Order Notifications – WooCommerce
2.137 VikRentCar Car Rental Management System
2.138 WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors
2.139 Thank You Page Customizer for WooCommerce – Increase Your Sales
2.140 Salon Booking System – Free Version
2.141 WP Directory Kit
2.142 WP Directory Kit
2.143 Advanced FAQ Manager
2.144 Auto Alt Text
2.145 Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
2.146 CSSIgniter Shortcodes
2.147 FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler
2.148 Photo Gallery by Ays – Responsive Image Gallery
2.149 PDF Thumbnail Generator
2.150 Portfolio and Projects
2.151 Tableberg – Simple Gutenberg Table Block
2.152 Email Marketing Plugin – WP Email Capture
2.153 Constant Contact + WooCommerce
2.154 MxChat – AI Chatbot for WordPress
2.155 My Tickets – Accessible Event Ticketing
2.156 My auctions allegro
2.157 My auctions allegro
2.158 ELEX WordPress HelpDesk & Customer Ticketing System
2.159 Guest posting / Frontend Posting / Front Editor – WP Front User Submit
2.160 Zigaform – Price Calculator & Cost Estimation Form Builder Lite
2.161 IDonate – Blood Donation, Request And Donor Management System
2.162 TAX SERVICE Electronic HDM
2.163 DesignThemes LMS
2.164 FindAll Listing
2.165 JNews Gallery
2.166 JNews Paywall
2.167 StreamTube Core
2.168 Upload.am – File Hosting & VPN

3. WordPress Themes — 2 Patched / 0 Unpatched

3.1 AdForest
3.2 Rehub

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins — 77 Patched / 91 Unpatched

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63077

Plugin:: Yandex.Metrica
Plugin Slug:: wp-yandex-metrika
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63063

Plugin:: WP Ultimate Review
Plugin Slug:: wp-ultimate-review
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63057

Plugin:: Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress
Plugin Slug:: contact-form-plugin
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63056

Plugin:: Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63055

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63058

Plugin:: Xpro Addons — 140+ Widgets for Elementor
Plugin Slug:: xpro-elementor-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63044

Plugin:: Page View Count
Plugin Slug:: page-views-count
Installations: 20,000+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63034

Plugin:: Make Section & Column Clickable For Elementor
Plugin Slug:: make-section-column-clickable-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63033

Plugin:: Order Delivery Date for WooCommerce
Plugin Slug:: order-delivery-date-for-woocommerce
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63024

Plugin:: Xagio SEO – AI Powered SEO
Plugin Slug:: xagio-seo
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63025

Plugin:: Paysera Payment Gateway for WooCommerce
Plugin Slug:: woo-payment-gateway-paysera
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63015

Plugin:: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Plugin Slug:: erp
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63008

Plugin:: WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics
Plugin Slug:: wp-google-analytics-events
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63009

Plugin:: WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance
Plugin Slug:: ai-co-pilot-for-wp
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62994

Plugin:: WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance
Plugin Slug:: ai-co-pilot-for-wp
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62998

Plugin:: Arconix Shortcodes
Plugin Slug:: arconix-shortcodes
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13835

Plugin:: Custom Layouts – Post + Product grids made easy
Plugin Slug:: custom-layouts
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62996

Plugin:: MultiParcels Shipping For WooCommerce
Plugin Slug:: multiparcels-shipping-for-woocommerce
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62995

Plugin:: Shopping Cart & eCommerce Store
Plugin Slug:: wp-easycart
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62997

Plugin:: Ergonet Cache
Plugin Slug:: ergonet-varnish-cache
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62867

Plugin:: Eupago Gateway For Woocommerce
Plugin Slug:: eupago-gateway-for-woocommerce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62870

Plugin:: Social Photo Fetcher
Plugin Slug:: facebook-photo-fetcher
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62872

Plugin:: Gravitec.net – Web Push Notifications
Plugin Slug:: gravitec-net-web-push-notifications
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62869

Plugin:: Just TinyMCE Custom Styles
Plugin Slug:: just-tinymce-styles
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62871

Plugin:: Media Library Downloader
Plugin Slug:: media-library-downloader
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62734

Plugin:: Post Cloner
Plugin Slug:: post-cloner
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62865

Plugin:: WP Flashy Marketing Automation
Plugin Slug:: wp-flashy-marketing-automation
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62873

Plugin:: Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript
Plugin Slug:: add-custom-codes
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62739

Plugin:: Feeds for TikTok – Display Video Feeds in Grid Layouts
Plugin Slug:: b-tiktok-feed
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66110

Plugin:: Custom Sidebars by ProteusThemes
Plugin Slug:: custom-sidebars-by-proteusthemes
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62733

Plugin:: Formstack Online Forms
Plugin Slug:: formstack
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62738

Plugin:: Image Cleanup
Plugin Slug:: image-cleanup
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62736

Plugin:: Image Cleanup
Plugin Slug:: image-cleanup
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62737

Plugin:: SMTP Mail
Plugin Slug:: smtp-mail
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62762

Plugin:: User Spam Remover
Plugin Slug:: user-spam-remover
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62735

Plugin:: WP-CRM System – Manage Clients and Projects
Plugin Slug:: wp-crm-system
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62740

Plugin:: Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons
Plugin Slug:: gutenverse-news
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62090

Plugin:: Generic Elements
Plugin Slug:: generic-elements-for-elementor
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62082

Plugin:: g-FFL Cockpit
Plugin Slug:: g-ffl-cockpit
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12720

Plugin:: Search, Filters & Merchandising for WooCommerce
Plugin Slug:: instantsearch-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12091

Plugin:: Torod – The smart shipping and delivery portal for e-shops and retailers
Plugin Slug:: torod
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12373

Plugin:: Actionwear products sync
Plugin Slug:: actionwear-products-sync
Installations: 60+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49350

Plugin:: Flex QR Code Generator
Plugin Slug:: flex-qr-code-generator
Installations: 50+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12673

Plugin:: Hype
Plugin Slug:: pico
Installations: 50+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49348

Plugin:: Application Passwords
Plugin Slug:: application-passwords
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13308

Plugin:: ARK Related Posts
Plugin Slug:: ark-relatedpost
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13684

Plugin:: Broken Link Manager
Plugin Slug:: broken-link-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12629

Plugin:: Canadian Nutrition Facts Label
Plugin Slug:: canadian-nutrition-facts-label
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12715

Plugin:: Clikstats
Plugin Slug:: clikstats
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13513

Plugin:: Hello Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters
Plugin Slug:: codeconfig-accessibility
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13358

Plugin:: CryptX
Plugin Slug:: cryptx
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13739

Plugin:: CSS3 Buttons
Plugin Slug:: css3-buttons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13907

Plugin:: CSV Sumotto
Plugin Slug:: csv-sumotto
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13894

Plugin:: Cute News Ticker
Plugin Slug:: cute-news-ticker
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13656

Plugin:: DB Access
Plugin Slug:: db-access
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13000

Plugin:: dream gallery
Plugin Slug:: dream-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13621

Plugin:: Extra Post Images
Plugin Slug:: extra-post-images
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13856

Plugin:: FitVids for WordPress
Plugin Slug:: fitvids-for-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12124

Plugin:: Helloprint
Plugin Slug:: helloprint
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13666

Plugin:: Jabbernotification
Plugin Slug:: jabberbenachrichtigung
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13622

Plugin:: List Attachments Shortcode
Plugin Slug:: list-attachments-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12717

Plugin:: Listar – Directory Listing & Classifieds
Plugin Slug:: listar-directory-listing
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12574

Plugin:: Listar – Directory Listing & Classifieds
Plugin Slug:: listar-directory-listing
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12577

Plugin:: Live CSS Preview
Plugin Slug:: live-css-preview
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12354

Plugin:: myLCO
Plugin Slug:: mylco
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13626

Plugin:: Nouri.sh Newsletter
Plugin Slug:: newsletters-from-rss-to-email-newsletters-using-nourish
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13515

Plugin:: Payaza
Plugin Slug:: payaza
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12355

Plugin:: Post Grid and Gutenberg Blocks
Plugin Slug:: post-grid
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-63043

Plugin:: PostGallery
Plugin Slug:: postgallery
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13543

Plugin:: Projectopia
Plugin Slug:: projectopia-core
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-59133

Plugin:: Projectopia
Plugin Slug:: projectopia-core
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12876

Plugin:: RevInsite
Plugin Slug:: revinsite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13863

Plugin:: Social Feed Gallery Portfolio
Plugin Slug:: social-feed-gallery-portfolio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13896

Plugin:: WordPress eCommerce Plugin – Studiocart
Plugin Slug:: studiocart
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-14015

Plugin:: Thai Lottery Widget
Plugin Slug:: thai-lottery-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13678

Plugin:: Time Sheets
Plugin Slug:: time-sheets
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2013-6880

Plugin:: Time Sheets
Plugin Slug:: time-sheets
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10055

Plugin:: TR Timthumb
Plugin Slug:: tr-timthumb
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13899

Plugin:: Trail Manager
Plugin Slug:: trail-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13682

Plugin:: Twitscription
Plugin Slug:: twitscription
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13623

Plugin:: Ultra Skype Button
Plugin Slug:: ultra-skype-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13898

Plugin:: User Generator and Importer
Plugin Slug:: user-importer-and-generator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12879

Plugin:: User Verification
Plugin Slug:: user-verification
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12374

Plugin:: Voidek Employee Portal
Plugin Slug:: voidek-employee-portal
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12093

Plugin:: WebP Express
Plugin Slug:: webp-express
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11379

Plugin:: Weekly Planner
Plugin Slug:: weekly-planner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12186

Plugin:: Live Sales Notification for Woocommerce – Woomotiv
Plugin Slug:: woomotiv
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13137

Plugin:: WP Landing Page
Plugin Slug:: wp-landing-page
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13629

Plugin:: WP-SOS-Donate
Plugin Slug:: wp-sos-donate
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13625

Plugin:: Yet Another WebClap for WordPress
Plugin Slug:: yet-another-webclap-for-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13857

Plugin:: Starter Templates – AI-Powered Templates for Elementor & Gutenberg
Plugin Slug:: astra-sites
Installations: 2,000,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.4.42
Severity Score:: Critical
CVE:: 2025-13065

Plugin:: Custom Post Type UI
Plugin Slug:: custom-post-type-ui
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.18.1
Severity Score:: Medium
CVE:: 2025-12826

Plugin:: Autoptimize
Plugin Slug:: autoptimize
Installations: 900,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.14
Severity Score:: Medium
CVE:: 2025-13401

Plugin:: Widgets for Google Reviews
Plugin Slug:: wp-reviews-plugin-for-google
Installations: 800,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 13.2.5
Severity Score:: High
CVE:: 2025-12510

Plugin:: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 600,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 6.1.8
Severity Score:: Medium
CVE:: 2025-13748

Plugin:: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2025-67563

Plugin:: Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2025-12887

Plugin:: PDF Invoices & Packing Slips for WooCommerce
Plugin Slug:: woocommerce-pdf-invoices-packing-slips
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2025-67589

Plugin:: SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers
Plugin Slug:: suremails
Installations: 200,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.9.1
Severity Score:: Critical
CVE:: 2025-13516

Plugin:: Advanced Custom Fields: Extended
Plugin Slug:: acf-extended
Installations: 100,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 0.9.2
Severity Score:: Critical
CVE:: 2025-13486

Plugin:: Backup Migration
Plugin Slug:: backup-backup
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.0
Severity Score:: High
CVE:: 2025-12394

Plugin:: Beaver Builder Page Builder – Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.1
Severity Score:: Medium
CVE:: 2025-12782

Plugin:: Beaver Builder Page Builder – Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.1
Severity Score:: Medium
CVE:: 2025-11726

Plugin:: Kadence WooCommerce Email Designer
Plugin Slug:: kadence-woocommerce-email-designer
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.18
Severity Score:: High
CVE:: 2025-13387

Plugin:: Image Gallery – Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.13.3
Severity Score:: Medium
CVE:: 2025-13646

Plugin:: Image Gallery – Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.13.3
Severity Score:: Medium
CVE:: 2025-13645

Plugin:: Rich Shortcodes for Google Reviews
Plugin Slug:: widget-google-reviews
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.8.1
Severity Score:: High
CVE:: 2025-12499

Plugin:: HUSKY – Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.7.3
Severity Score:: Medium
CVE:: 2025-13109

Plugin:: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
Plugin Slug:: tenweb-speed-optimizer
Installations: 90,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.32.11
Severity Score:: Critical
CVE:: 2025-13377

Plugin:: WP 2FA – Two-factor authentication for WordPress
Plugin Slug:: wp-2fa
Installations: 90,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2025-12628

Plugin:: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
Plugin Slug:: shopengine
Installations: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.8.6
Severity Score:: Medium
CVE:: 2025-12358

Plugin:: Wp Social Login and Register Social Counter
Plugin Slug:: wp-social
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2025-13620

Plugin:: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.41.0
Severity Score:: Medium
CVE:: 2025-13354

Plugin:: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.41.0
Severity Score:: High
CVE:: 2025-13359

Plugin:: FunnelKit – Funnel Builder for WooCommerce Checkout
Plugin Slug:: funnel-builder
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.13.1.3
Severity Score:: Medium
CVE:: 2025-66067

Plugin:: Cost Calculator Builder
Plugin Slug:: cost-calculator-builder
Installations: 30,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.6.4
Severity Score:: High
CVE:: 2025-12529

Plugin:: Envo Extra
Plugin Slug:: envo-extra
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.12
Severity Score:: Medium
CVE:: 2025-66066

Plugin:: Timetable and Event Schedule by MotoPress
Plugin Slug:: mp-timetable
Installations: 30,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.4.16
Severity Score:: Medium
CVE:: 2025-12954

Plugin:: WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets
Plugin Slug:: wp-social-reviews
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: High
CVE:: 2025-13007

Plugin:: All-in-One Video Gallery
Plugin Slug:: all-in-one-video-gallery
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.6.4
Severity Score:: Critical
CVE:: 2025-12966

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.7.0.83
Severity Score:: Medium
CVE:: 2025-67595

Plugin:: Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor
Plugin Slug:: thim-elementor-kit
Installations: 20,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.4
Severity Score:: Medium
CVE:: 2025-67594

Plugin:: Visualizer: Tables and Charts Manager for WordPress
Plugin Slug:: visualizer
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.11.13
Severity Score:: High
CVE:: 2025-12483

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.28.21
Severity Score:: Critical
CVE:: 2025-13342

Plugin:: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Plugin Slug:: blockart-blocks
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.14
Severity Score:: Medium
CVE:: 2025-13697

Plugin:: Business Directory Plugin – Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.4.20
Severity Score:: Medium
CVE:: 2025-67596

Plugin:: Nexter Extension – Site Enhancements Toolkit
Plugin Slug:: nexter-extension
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.2
Severity Score:: Medium
CVE:: 2025-13731

Plugin:: Export All Posts, Products, Orders, Refunds & Users
Plugin Slug:: wp-ultimate-exporter
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.20
Severity Score:: Medium
CVE:: 2025-13606

Plugin:: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.35.1
Severity Score:: Medium
CVE:: 2025-66526

Plugin:: GSheetConnector For WPForms
Plugin Slug:: gsheetconnector-wpforms
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2025-67570

Plugin:: Event Booking Manager for WooCommerce
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.5
Severity Score:: Medium
CVE:: 2025-66083

Plugin:: weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
Plugin Slug:: wedocs
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.15
Severity Score:: Medium
CVE:: 2025-12505

Plugin:: WPKoi Templates for Elementor
Plugin Slug:: wpkoi-templates-for-elementor
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.5
Severity Score:: Medium
CVE:: 2025-64274

Plugin:: Chartify – WordPress Chart Plugin
Plugin Slug:: chart-builder
Installations: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.6.4
Severity Score:: Medium
CVE:: 2025-66529

Plugin:: SMS Alert Order Notifications – WooCommerce
Plugin Slug:: sms-alert
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.9
Severity Score:: Medium
CVE:: 2025-66086

Plugin:: VikRentCar Car Rental Management System
Plugin Slug:: vikrentcar
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.5
Severity Score:: High
CVE:: 2025-13724

Plugin:: WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors
Plugin Slug:: wc-vendors
Installations: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.4.1
Severity Score:: Medium
CVE:: 2025-12130

Plugin:: Thank You Page Customizer for WooCommerce – Increase Your Sales
Plugin Slug:: woo-thank-you-page-customizer
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.9
Severity Score:: Medium
CVE:: 2025-66528

Plugin:: Salon Booking System – Free Version
Plugin Slug:: salon-booking-system
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 10.30.4
Severity Score:: Medium
CVE:: 2025-66531

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.4.5
Severity Score:: Critical
CVE:: 2025-13390

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.7
Severity Score:: High
CVE:: 2025-13090

Plugin:: Advanced FAQ Manager
Plugin Slug:: advanced-faq-manager
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-67556

Plugin:: Auto Alt Text
Plugin Slug:: auto-alt-text
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.5.3
Severity Score:: Medium
CVE:: 2025-62866

Plugin:: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Plugin Slug:: cf7-salesforce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.7
Severity Score:: Medium
CVE:: 2025-67468

Plugin:: CSSIgniter Shortcodes
Plugin Slug:: cssigniter-shortcodes
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2025-13448

Plugin:: FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler
Plugin Slug:: fluent-cart
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.2
Severity Score:: High
CVE:: 2025-13495

Plugin:: Photo Gallery by Ays – Responsive Image Gallery
Plugin Slug:: gallery-photo-gallery
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.4.9
Severity Score:: Medium
CVE:: 2025-13685

Plugin:: PDF Thumbnail Generator
Plugin Slug:: pdf-thumbnail-generator
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5
Severity Score:: Medium
CVE:: 2025-67469

Plugin:: Portfolio and Projects
Plugin Slug:: portfolio-and-projects
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.5.6
Severity Score:: Medium
CVE:: 2025-67470

Plugin:: Tableberg – Simple Gutenberg Table Block
Plugin Slug:: tableberg
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.6.10
Severity Score:: Medium
CVE:: 2025-66096

Plugin:: Email Marketing Plugin – WP Email Capture
Plugin Slug:: wp-email-capture
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.5
Severity Score:: Medium
CVE:: 2025-67578

Plugin:: Constant Contact + WooCommerce
Plugin Slug:: constant-contact-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2025-67580

Plugin:: MxChat – AI Chatbot for WordPress
Plugin Slug:: mxchat-basic
Installations: 900+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.5.6
Severity Score:: Medium
CVE:: 2025-12585

Plugin:: My Tickets – Accessible Event Ticketing
Plugin Slug:: my-tickets
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2025-64257

Plugin:: My auctions allegro
Plugin Slug:: my-auctions-allegro-free-edition
Installations: 600+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.6.33
Severity Score:: High
CVE:: 2025-12851

Plugin:: My auctions allegro
Plugin Slug:: my-auctions-allegro-free-edition
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.33
Severity Score:: Critical
CVE:: 2025-12850

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.3
Severity Score:: High
CVE:: 2025-13534

Plugin:: Guest posting / Frontend Posting / Front Editor – WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Open Redirection
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2025-12569

Plugin:: Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Plugin Slug:: zigaform-calculator-cost-estimation-form-builder-lite
Installations: 200+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.6.7
Severity Score:: Medium
CVE:: 2025-13696

Plugin:: IDonate – Blood Donation, Request And Donor Management System
Plugin Slug:: idonate
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.16
Severity Score:: Medium
CVE:: 2025-67583

Plugin:: TAX SERVICE Electronic HDM
Plugin Slug:: virtual-hdm-for-taxservice-am
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.1
Severity Score:: Critical
CVE:: 2025-12061

Plugin:: DesignThemes LMS
Plugin Slug:: designthemes-lms
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.5
Severity Score:: Critical
CVE:: 2025-13542

Plugin:: FindAll Listing
Plugin Slug:: findall-listing
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1
Severity Score:: Critical
CVE:: 2025-13538

Plugin:: JNews Gallery
Plugin Slug:: jnews-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.0.1
Severity Score:: Medium
CVE:: 2025-67538

Plugin:: JNews Paywall
Plugin Slug:: jnews-paywall
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 12.0.1
Severity Score:: Medium
CVE:: 2025-67591

Plugin:: StreamTube Core
Plugin Slug:: streamtube-core
Vulnerability:: Broken Authentication
Patched in Version:: 4.79
Severity Score:: Critical
CVE:: 2025-13615

Plugin:: Upload.am – File Hosting & VPN
Plugin Slug:: upload-am-file-hosting-vpn
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.1
Severity Score:: Medium
CVE:: 2025-12630

WordPress Themes — 2 Patched / 0 Unpatched

Theme:: AdForest
Theme Slug:: adforest
Vulnerability:: Broken Access Control
Patched in Version:: 6.0.12
Severity Score:: Medium
CVE:: 2025-67569

Theme:: Rehub
Theme Slug:: rehub-theme
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 19.9.9.2
Severity Score:: Medium
CVE:: 2025-67565

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 77 Patched / 91 Unpatched