WordPress Vulnerability Report — February 26, 2025

This last week, 335 new plugin and theme vulnerabilities emerged in the WordPress ecosystem. 177 of the vulnerable plugins remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah

In this report, 335 vulnerabilities have been publicly disclosed. Security patches for 158 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 177 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, your site is already protected against those vulnerabilities by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.7.2 is now available! This minor release includes 35 bug fixes, addressing issues affecting multiple components including the block editor, HTML API, and Customize.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 147 Patched / 177 Unpatched

Ibtana – WordPress Website Builder

Plugin Slug:
ibtana-visual-editor
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Social Sharing Plugin – Social Warfare

Plugin Slug:
social-warfare
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Newpost Catch

Plugin Slug:
newpost-catch
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Estatik Real Estate Plugin

Plugin Slug:
estatik
Installations
9,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Raptive Ads

Plugin Slug:
adthrive-ads
Installations
5,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Estatik Mortgage Calculator

Plugin Slug:
estatik-mortgage-calculator
Installations
1,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Store Locator Widget

Plugin Slug:
store-locator-widget
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Responsive Flickr Slideshow

Plugin Slug:
mobile-friendly-flickr-slideshow
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PiwigoPress

Plugin Slug:
piwigopress
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Terms Dictionary

Plugin Slug:
terms-dictionary
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Better Customer List for WooCommerce

Plugin Slug:
woo-better-customer-list
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy MLS Listings Import

Plugin Slug:
easy-mls-listings-import
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
list-related-attachments-widget
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Prime Addons for Elementor

Plugin Slug:
prime-addons-for-elementor
Installations
100+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Gumlet Video

Plugin Slug:
gumlet-video
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Actionwear products sync

Plugin Slug:
actionwear-products-sync
Installations
60+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

A1POST.BG Shipping for WooCommerce

Plugin Slug:
a1post-bg-shipping-for-woocommerce
Installations
30+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

1 Click WordPress Migration

Plugin:
1 Click WordPress Migration
Plugin Slug:
1-click-migration
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

1 Click WordPress Migration

Plugin:
1 Click WordPress Migration
Plugin Slug:
1-click-migration
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

17TRACK for WooCommerce

Plugin:
17TRACK for WooCommerce
Plugin Slug:
17track
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

3D Photo Gallery

Plugin:
3D Photo Gallery
Plugin Slug:
3d-photo-gallery
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Add Linked Images To Gallery

Plugin:
Add Linked Images To Gallery
Plugin Slug:
add-linked-images-to-gallery-v01
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ADFO

Plugin:
ADFO
Plugin Slug:
admin-form
Vulnerability:
Deserialization of untrusted data
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ADFO

Plugin:
ADFO
Plugin Slug:
admin-form
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Adsmonetizer

Plugin:
Adsmonetizer
Plugin Slug:
adsensei-b30
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

All-In-One Cufon

Plugin:
All-In-One Cufon
Plugin Slug:
all-in-one-cufon
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AMO Team Showcase

Plugin:
AMO Team Showcase
Plugin Slug:
amo-team-showcase
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Apptivo Business Site CRM

Plugin:
Apptivo Business Site CRM
Plugin Slug:
apptivo-business-site
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Archive Page

Plugin:
Archive Page
Plugin Slug:
archive-page
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ark Theme Core

Plugin:
Ark Theme Core
Plugin Slug:
ark-core
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Auto Tag Links

Plugin:
Auto Tag Links
Plugin Slug:
auto-tag-links
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bandsintown Events

Plugin:
Bandsintown Events
Plugin Slug:
bandsintown
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BigBuy Dropshipping Connector for WooCommerce

Plugin:
BigBuy Dropshipping Connector for WooCommerce
Plugin Slug:
bigbuy-wc-dropshipping-connector
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Blighty Explorer

Plugin:
Blighty Explorer
Plugin Slug:
blighty-explorer
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Booknetic

Plugin:
Booknetic
Plugin Slug:
booknetic
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bravo Search & Replace

Plugin:
Bravo Search & Replace
Plugin Slug:
bravo-search-and-replace
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Bulk Content Creator

Plugin:
Bulk Content Creator
Plugin Slug:
bulk-content-creator
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Widget BUY.BOX

Plugin:
Widget BUY.BOX
Plugin Slug:
buybox-widget
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooODT Lite

Plugin:
WooODT Lite
Plugin Slug:
byconsole-woo-order-delivery-time
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

C9 Admin Dashboard

Plugin:
C9 Admin Dashboard
Plugin Slug:
c9-admin-dashboard
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

C9 Blocks

Plugin:
C9 Blocks
Plugin Slug:
c9-blocks
Vulnerability:
Full Path Disclosure (FPD)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Categorized Gallery Plugin

Plugin:
Categorized Gallery Plugin
Plugin Slug:
categorized-gallery
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

CATS Job Listings

Plugin:
CATS Job Listings
Plugin Slug:
cats-job-listings
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CHATLIVE

Plugin:
CHATLIVE
Plugin Slug:
chatlive
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Coaching Staffs

Plugin:
Coaching Staffs
Plugin Slug:
coaching-staffs
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form 7 Star Rating

Plugin:
Contact Form 7 Star Rating
Plugin Slug:
contact-form-7-star-rating
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form 7 Star Rating with font Awesome

Plugin:
Contact Form 7 Star Rating with font Awesome
Plugin Slug:
contact-form-7-star-rating-with-font-awersome
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Cookie Notice Bar

Plugin:
Cookie Notice Bar
Plugin Slug:
cookie-notice-bar
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Cosmic Blocks

Plugin:
Cosmic Blocks
Plugin Slug:
cosmic-blocks
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Live css

Plugin:
Live css
Plugin Slug:
css-live
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Custom Post Type Date Archives

Plugin:
Custom Post Type Date Archives
Plugin Slug:
custom-post-type-date-archives
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Disable Auto Updates

Plugin:
Disable Auto Updates
Plugin Slug:
disable-auto-updates
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Drivr Lite – Google Drive Plugin

Plugin:
Drivr Lite – Google Drive Plugin
Plugin Slug:
drivr-google-drive-file-picker
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Easy Form by AYS

Plugin:
Easy Form by AYS
Plugin Slug:
easy-form
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Education Addon for Elementor

Plugin:
Education Addon for Elementor
Plugin Slug:
education-addon
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CanadaHelps Embedded Donation Form

Plugin:
CanadaHelps Embedded Donation Form
Plugin Slug:
embedded-cdn
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Erima Zarinpal Donate

Plugin:
Erima Zarinpal Donate
Plugin Slug:
erima-zarinpal-donate
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

F12-Profiler

Plugin:
F12-Profiler
Plugin Slug:
f12-profiler
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

File Icons

Plugin:
File Icons
Plugin Slug:
file-icons
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Flagged Content

Plugin:
Flagged Content
Plugin Slug:
flagged-content
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Flashfader

Plugin:
Flashfader
Plugin Slug:
flashfader
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

flickr-slideshow-wrapper

Plugin:
flickr-slideshow-wrapper
Plugin Slug:
flickr-slideshow-wrapper
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP-FormAssembly

Plugin:
WP-FormAssembly
Plugin Slug:
formassembly-web-forms
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Fresh Framework

Plugin:
Fresh Framework
Plugin Slug:
fresh-framework
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

GetBookingsWP

Plugin:
GetBookingsWP
Plugin Slug:
get-bookings-wp
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Gift Vouchers

Plugin:
Gift Vouchers
Plugin Slug:
gift-voucher
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Google Maps for WordPress

Plugin:
Google Maps for WordPress
Plugin Slug:
google-maps-for-wordpress
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Google Maps GPX Viewer

Plugin:
Google Maps GPX Viewer
Plugin Slug:
google-maps-gpx-viewer
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Helloprint

Plugin:
Helloprint
Plugin Slug:
helloprint
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Helloprint

Plugin:
Helloprint
Plugin Slug:
helloprint
Vulnerability:
Arbitrary File Deletion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Hover Image Button

Plugin:
Hover Image Button
Plugin Slug:
hover-image-button
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Keap Official Opt-in Forms

Plugin:
Keap Official Opt-in Forms
Plugin Slug:
infusionsoft-official-opt-in-forms
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

EZ InLinkz linkup

Plugin:
EZ InLinkz linkup
Plugin Slug:
inlinkz-scripter
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

YouTube Playlists with Schema

Plugin:
YouTube Playlists with Schema
Plugin Slug:
jma-youtube-playlists-with-schema
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Just Variables

Plugin:
Just Variables
Plugin Slug:
just-wp-variables
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Kush Micro News

Plugin:
Kush Micro News
Plugin Slug:
kush-micro-news
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Legoeso PDF Manager

Plugin:
Legoeso PDF Manager
Plugin Slug:
legoeso-pdf-manager
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Library Bookshelves

Plugin:
Library Bookshelves
Plugin Slug:
library-bookshelves
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Phee’s LinkPreview

Plugin:
Phee’s LinkPreview
Plugin Slug:
linkpreview
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Local Search SEO Contact Page

Plugin:
Local Search SEO Contact Page
Plugin Slug:
local-search-seo-contact-page
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Woocommerce – Loi Hamon

Plugin:
Woocommerce – Loi Hamon
Plugin Slug:
loi-hamon
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

magayo Lottery Results

Plugin:
magayo Lottery Results
Plugin Slug:
magayo-lottery-results
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mambo Importer

Plugin:
Mambo Importer
Plugin Slug:
mambo-joomla-importer
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

AcuGIS Leaflet Maps

Plugin:
AcuGIS Leaflet Maps
Plugin Slug:
mapfig-premium-leaflet-map-maker
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Minimum Password Strength

Plugin:
Minimum Password Strength
Plugin Slug:
minimum-password-strength
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mortgage Calculator / Loan Calculator

Plugin:
Mortgage Calculator / Loan Calculator
Plugin Slug:
mortgage-loan-calculator
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Typed JS

Plugin:
Typed JS
Plugin Slug:
mrlegend-typedjs
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MyTicket Events

Plugin:
MyTicket Events
Plugin Slug:
myticket-events
Vulnerability:
Arbitrary File Download
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Namaste! LMS

Plugin:
Namaste! LMS
Plugin Slug:
namaste-lms
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

NHR Options Table Manager

Plugin:
NHR Options Table Manager
Plugin Slug:
nhrrob-options-table-manager
Vulnerability:
Deserialization of untrusted data
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Get Posts

Plugin:
Get Posts
Plugin Slug:
nurelm-get-posts
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Önceki Yazı Link

Plugin:
Önceki Yazı Link
Plugin Slug:
onceki-yazi-linki
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Open Hours

Plugin:
Open Hours
Plugin Slug:
open-hours
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Option Editor

Plugin:
Option Editor
Plugin Slug:
option-editor
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Page and Post Lister

Plugin:
Page and Post Lister
Plugin Slug:
page-and-post-lister
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Pathomation

Plugin:
Pathomation
Plugin Slug:
pathomation
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PeproDev Ultimate Invoice

Plugin:
PeproDev Ultimate Invoice
Plugin Slug:
pepro-ultimate-invoice
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Photo Gallery ( Responsive )

Plugin:
Photo Gallery ( Responsive )
Plugin Slug:
photo-gallery-pearlbells
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Photo Gallery – Image Gallery

Plugin:
WordPress Photo Gallery – Image Gallery
Plugin Slug:
photo-image-gallery
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Pie Register

Plugin:
Pie Register
Plugin Slug:
pie-register
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PlayerJS

Plugin:
PlayerJS
Plugin Slug:
playerjs
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Pollin

Plugin:
Pollin
Plugin Slug:
pollin
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Pollin

Plugin:
Pollin
Plugin Slug:
pollin
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

PrivateContent

Plugin:
PrivateContent
Plugin Slug:
private-content
Vulnerability:
Broken Authentication
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Profile Widget Ninja

Plugin:
Profile Widget Ninja
Plugin Slug:
profile-widget-ninja
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Protected wp-login

Plugin:
Protected wp-login
Plugin Slug:
protected-wp-login
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Pure Chat

Plugin:
Pure Chat
Plugin Slug:
pure-chat
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Quotes llama

Plugin:
Quotes llama
Plugin Slug:
quotes-llama
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Rapid Cache

Plugin:
Rapid Cache
Plugin Slug:
rapid-cache
Vulnerability:
Content Spoofing
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ravpage

Plugin:
Ravpage
Plugin Slug:
ravpage
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

RAYS Grid

Plugin:
RAYS Grid
Plugin Slug:
rays-grid
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Reaction Buttons

Plugin:
Reaction Buttons
Plugin Slug:
reaction-buttons
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Reactive Mortgage Calculator

Plugin:
Reactive Mortgage Calculator
Plugin Slug:
reactive-mortgage-calculator
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Reset

Plugin:
Reset
Plugin Slug:
reset
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Residential Address Detection

Plugin:
Residential Address Detection
Plugin Slug:
residential-address-detection
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Restrict Taxonomies

Plugin:
Restrict Taxonomies
Plugin Slug:
restrict-taxonomies
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue

Plugin:
Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue
Plugin Slug:
revenueflex-easy-ads
Vulnerability:
Settings Change
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Saoshyant Slider

Plugin:
Saoshyant Slider
Plugin Slug:
saoshyant-slider
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Show Me The Cookies

Plugin:
Show Me The Cookies
Plugin Slug:
show-me-the-cookies
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Simple Charts

Plugin:
Simple Charts
Plugin Slug:
simple-charts
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Email Subscriber

Plugin:
Simple Email Subscriber
Plugin Slug:
simple-email-subscriber
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Simple Google Sitemap

Plugin:
Simple Google Sitemap
Plugin Slug:
simple-google-sitemap
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Pricing Tables For WPBakery Page Builder

Plugin:
Simple Pricing Tables For WPBakery Page Builder
Plugin Slug:
simple-pricing-tables-vc-extension
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Signup Form

Plugin:
Simple Signup Form
Plugin Slug:
simple-signup-form
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Small Package Quotes – Worldwide Express Edition

Plugin:
Small Package Quotes – Worldwide Express Edition
Plugin Slug:
small-package-quotes-wwe-edition
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Smart Maintenance & Countdown

Plugin:
Smart Maintenance & Countdown
Plugin Slug:
smart-maintenance-countdown
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Live Streaming Video Player – by SRS Player

Plugin:
Live Streaming Video Player – by SRS Player
Plugin Slug:
srs-player
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SS Quiz

Plugin:
SS Quiz
Plugin Slug:
ssquiz
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Sticky Header On Scroll

Plugin:
Sticky Header On Scroll
Plugin Slug:
sticky-header-on-scroll
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Table of Contents Block

Plugin:
Table of Contents Block
Plugin Slug:
table-of-contents
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Themes Coder

Plugin:
Themes Coder
Plugin Slug:
tc-ecommerce
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

TCBD Tooltip

Plugin:
TCBD Tooltip
Plugin Slug:
tcbd-tooltip
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Team Builder For WPBakery Page Builder

Plugin:
Team Builder For WPBakery Page Builder
Plugin Slug:
team-builder-for-wpbakery-page-builder
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Team Builder For WPBakery Page Builder

Plugin:
Team Builder For WPBakery Page Builder
Plugin Slug:
team-builder-for-wpbakery-page-builder
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Team Builder

Plugin:
Team Builder
Plugin Slug:
team-display
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Theme File Duplicator

Plugin:
Theme File Duplicator
Plugin Slug:
theme-file-duplicator
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Theme File Duplicator

Plugin:
Theme File Duplicator
Plugin Slug:
theme-file-duplicator
Vulnerability:
Arbitrary File Download
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Track Logins

Plugin:
Track Logins
Plugin Slug:
track-logins
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Trash Duplicate and 301 Redirect

Plugin:
Trash Duplicate and 301 Redirect
Plugin Slug:
trash-duplicate-and-301-redirect
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Tube Video Ads Lite

Plugin:
Tube Video Ads Lite
Plugin Slug:
tube-video-ads-lite
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Portfolio Builder – Portfolio Gallery

Plugin:
WordPress Portfolio Builder – Portfolio Gallery
Plugin Slug:
uber-grid
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Classified Listings

Plugin:
Ultimate Classified Listings
Plugin Slug:
ultimate-classified-listings
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Classified Listings

Plugin:
Ultimate Classified Listings
Plugin Slug:
ultimate-classified-listings
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

UltraEmbed

Plugin:
UltraEmbed
Plugin Slug:
ultraembed-advanced-iframe
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

UMich OIDC Login

Plugin:
UMich OIDC Login
Plugin Slug:
umich-oidc-login
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

User List

Plugin:
User List
Plugin Slug:
user-list
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

VG PostCarousel

Plugin:
VG PostCarousel
Plugin Slug:
vg-postcarousel
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Video.js HLS Player

Plugin:
Video.js HLS Player
Plugin Slug:
videojs-hls-player
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ViperBar

Plugin:
ViperBar
Plugin Slug:
viperbar
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

VR-Frases

Plugin:
VR-Frases
Plugin Slug:
vr-frases
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

QR Code for WooCommerce

Plugin:
QR Code for WooCommerce
Plugin Slug:
wc-qr-codes
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Shipmozo Courier Tracking

Plugin:
Shipmozo Courier Tracking
Plugin Slug:
webparex
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Wise Forms

Plugin:
Wise Forms
Plugin Slug:
wise-forms
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

File Uploads Addon for WooCommerce

Plugin:
File Uploads Addon for WooCommerce
Plugin Slug:
woo-addon-uploads
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WOO Codice Fiscale

Plugin:
WOO Codice Fiscale
Plugin Slug:
woo-codice-fiscale
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Direct Checkout Button for WooCommerce

Plugin:
Direct Checkout Button for WooCommerce
Plugin Slug:
woo-direct-checkout-button
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Recargo de Equivalencia

Plugin:
WooCommerce Recargo de Equivalencia
Plugin Slug:
woo-recargo-de-equivalencia
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Display Products by Tags

Plugin:
WooCommerce Display Products by Tags
Plugin Slug:
woocommerce-display-products-by-tags
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce HTML5 Video

Plugin:
WooCommerce HTML5 Video
Plugin Slug:
woocommerce-html5-video
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP About Author

Plugin:
WP About Author
Plugin Slug:
wp-about-author
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP-Asambleas

Plugin:
WP-Asambleas
Plugin Slug:
wp-asambleas
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP-Asambleas

Plugin:
WP-Asambleas
Plugin Slug:
wp-asambleas
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP-BibTeX

Plugin:
WP-BibTeX
Plugin Slug:
wp-bibtex
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

JPG, PNG Compression and Optimization

Plugin:
JPG, PNG Compression and Optimization
Plugin Slug:
wp-image-compression
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP-PostRatings Cheater

Plugin:
WP-PostRatings Cheater
Plugin Slug:
wp-postratings-cheater
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Sitemap

Plugin:
WP Sitemap
Plugin Slug:
wp-sitemap
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Social SEO Booster – Knowledge Graph Social Signals SEO

Plugin:
WP Social SEO Booster – Knowledge Graph Social Signals SEO
Plugin Slug:
wp-social-seo-booster
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

OWL Carousel Slider

Plugin:
OWL Carousel Slider
Plugin Slug:
wp-touch-slider
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Video Posts

Plugin:
WP Video Posts
Plugin Slug:
wp-video-posts
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Video Posts

Plugin:
WP Video Posts
Plugin Slug:
wp-video-posts
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Wiki Tooltip

Plugin:
WP Wiki Tooltip
Plugin Slug:
wp-wiki-tooltip
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mortgage Lead Capture System

Plugin:
Mortgage Lead Capture System
Plugin Slug:
wprequal
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPUpper Share Buttons

Plugin:
WPUpper Share Buttons
Plugin Slug:
wpupper-share-buttons
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPYog Documents

Plugin:
WPYog Documents
Plugin Slug:
wpyog-documents
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

????????

Plugin:
????????
Plugin Slug:
wumii-related-posts
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Yawave

Plugin:
Yawave
Plugin Slug:
yawave
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

ElementsKit Elementor addons

Plugin Slug:
elementskit-lite
Installations
1,000,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.4.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.4.1.

SVG Support

Plugin Slug:
svg-support
Installations
1,000,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.5.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.9.

SVG Support

Plugin Slug:
svg-support
Installations
1,000,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.5.11
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.11.

Migration, Backup, Staging – WPvivid Backup & Migration

Plugin Slug:
wpvivid-backuprestore
Installations
600,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
0.9.113
Severity Score:
High
The vulnerability has been patched, so you should update to version 0.9.113.

Royal Elementor Addons and Templates

Plugin Slug:
royal-elementor-addons
Installations
500,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.1008
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.7.1008.

Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Plugin Slug:
post-smtp
Installations
400,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.1.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.1.0.

Head, Footer and Post Injections

Plugin Slug:
header-footer
Installations
300,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
3.3.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.3.1.

Unlimited Elements For Elementor

Plugin Slug:
unlimited-elements-for-elementor
Installations
300,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.5.141
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.141.

FileBird – WordPress Media Library Folders & File Manager

Plugin Slug:
filebird
Installations
200,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
6.4.6
Severity Score:
Low
The vulnerability has been patched, so you should update to version 6.4.6.

Strong Testimonials

Plugin Slug:
strong-testimonials
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.2.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.4.

Event Tickets and Registration

Plugin Slug:
event-tickets
Installations
90,000+
Vulnerability:
Broken Access Control
Patched in Version:
5.19.1.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.19.1.2.

Ajax Search Lite – Live Search & Filter

Plugin Slug:
ajax-search-lite
Installations
80,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.12.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.12.5.

Booking for Appointments and Events Calendar – Amelia

Plugin Slug:
ameliabooking
Installations
80,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
1.2.17
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.17.

Master Slider – Responsive Touch Slider

Plugin Slug:
master-slider
Installations
80,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.10.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.10.5.

WP ULike – All-in-One Engagement Toolkit

Plugin Slug:
wp-ulike
Installations
80,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.7.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.7.6.

Simple Image Sizes

Plugin Slug:
simple-image-sizes
Installations
70,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.3.

Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid

Plugin Slug:
wp-carousel-free
Installations
60,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.6.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.9.

Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid

Plugin Slug:
wp-carousel-free
Installations
60,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.7.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.7.4.

Login/Signup Popup ( Inline Form + Woocommerce )

Plugin Slug:
easy-login-woocommerce
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.8.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.6.

Greenshift – animation and page builder blocks

Plugin Slug:
greenshift-animation-and-page-builder-blocks
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
10.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 10.9.

Post Grid and Gutenberg Blocks – ComboBlocks

Plugin Slug:
post-grid
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.93
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.93.

Post Grid and Gutenberg Blocks – ComboBlocks

Plugin Slug:
post-grid
Installations
40,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.3.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.3.6.

WooCommerce Checkout & Funnel Builder by FunnelKit

Plugin Slug:
funnel-builder
Installations
30,000+
Vulnerability:
Local File Inclusion
Patched in Version:
3.9.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.9.1.

Rife Elementor Extensions & Templates

Plugin Slug:
rife-elementor-extensions
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.6.

Visualizer: Tables and Charts Manager for WordPress

Plugin Slug:
visualizer
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.11.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.11.9.

Accept Donations with PayPal & Stripe

Plugin Slug:
easy-paypal-donation
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.4.5.

Ecwid by Lightspeed Ecommerce Shopping Cart

Plugin Slug:
ecwid-shopping-cart
Installations
20,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
6.12.28
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.12.28.

IP2Location Country Blocker

Plugin Slug:
ip2location-country-blocker
Installations
20,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.38.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.38.9.

Lenix Leads Collector

Plugin Slug:
lenix-elementor-leads-addon
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.3.

Subscribe2 – Form, Email Subscribers & Newsletters

Plugin Slug:
subscribe2
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
10.44
Severity Score:
High
The vulnerability has been patched, so you should update to version 10.44.

WordPress File Upload

Plugin Slug:
wp-file-upload
Installations
20,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
4.25.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.25.3.

Web Accessibility By accessiBe

Plugin Slug:
accessibe
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.6.

Booking Package

Plugin Slug:
booking-package
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.6.73
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.6.73.

Modal Window – create popup modal window

Plugin Slug:
modal-window
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.1.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.1.6.

Frontend Admin by DynamiApps

Plugin Slug:
acf-frontend-form-element
Installations
9,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.25.18
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.25.18.

WP Media Category Management

Plugin Slug:
wp-media-category-management
Installations
8,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.4.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.0.

WPO365 | MICROSOFT 365 GRAPH MAILER

Plugin Slug:
wpo365-msgraphmailer
Installations
8,000+
Vulnerability:
Open Redirection
Patched in Version:
3.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.3.

ProfileGrid – User Profiles, Groups and Communities

Plugin Slug:
profilegrid-user-profiles-groups-and-communities
Installations
7,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
5.9.4.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.9.4.3.

ProfileGrid – User Profiles, Groups and Communities

Plugin Slug:
profilegrid-user-profiles-groups-and-communities
Installations
7,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
5.9.4.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.9.4.3.

AI ChatBot for WordPress – WPBot

Plugin Slug:
chatbot
Installations
6,000+
Vulnerability:
Local File Inclusion
Patched in Version:
6.3.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.3.6.

Wonder Video Embed

Plugin Slug:
wonderplugin-video-embed
Installations
6,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.3.

Animated Text Block

Plugin Slug:
animated-text-block
Installations
5,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.0.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.8.

WPMobile.App

Plugin Slug:
wpappninja
Installations
5,000+
Vulnerability:
Open Redirection
Patched in Version:
11.57
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 11.57.

Assistant – Every Day Productivity Apps

Plugin Slug:
assistant
Installations
4,000+
Vulnerability:
PHP Object Injection
Patched in Version:
1.5.1.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.5.1.1.

Icon List Block

Plugin Slug:
icon-list-block
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.4.

Place Order Without Payment for WooCommerce

Plugin Slug:
wc-place-order-without-payment
Installations
4,000+
Vulnerability:
Local File Inclusion
Patched in Version:
2.6.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.6.8.

Contact Form Plugin

Plugin Slug:
contact-form-lite
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.27
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.27.

SMTP for Amazon SES – YaySMTP

Plugin Slug:
smtp-amazon-ses
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.

Super Testimonials

Plugin Slug:
super-testimonial
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.0.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 4.0.2.

WP-Appbox

Plugin:
WP-Appbox
Plugin Slug:
wp-appbox
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.5.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.5.5.

Counters Block – Display Number as an animated counter.

Plugin Slug:
counters-block
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.3.

Easy Charts

Plugin Slug:
easy-charts
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.4.

WP Yelp Review Slider

Plugin Slug:
wp-yelp-review-slider
Installations
2,000+
Vulnerability:
SQL Injection
Patched in Version:
8.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 8.2.

Flexmls® IDX Plugin

Plugin Slug:
flexmls-idx
Installations
1,000+
Vulnerability:
PHP Object Injection
Patched in Version:
3.14.28
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.14.28.

Market Exporter

Plugin Slug:
market-exporter
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.0.22
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.22.

Events Calendar Made Simple – Pie Calendar

Plugin Slug:
pie-calendar
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.6.

Order Limit for WooCommerce

Plugin Slug:
wc-order-limit-lite
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.3.

Wired Impact Volunteer Management

Plugin Slug:
wired-impact-volunteer-management
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.1.

WPPizza – A Restaurant Plugin

Plugin Slug:
wppizza
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.19.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.19.5.

aBlocks – WordPress Gutenberg Blocks

Plugin Slug:
ablocks
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.6.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.6.2.

SMTP for SendGrid – YaySMTP

Plugin Slug:
smtp-sendgrid
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.4.

System Dashboard

Plugin Slug:
system-dashboard
Installations
800+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
2.8.19
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.19.

Pago por Redsys

Plugin Slug:
pago-redsys-tpv-grafreak
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.13
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.13.

WP Responsive Auto Fit Text

Plugin Slug:
wp-responsive-slab-text
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 0.3.

AR for WordPress

Plugin Slug:
ar-for-wordpress
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.8.

Popup Builder

Plugin Slug:
easy-notify-lite
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.35
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.35.

Front End Users

Plugin Slug:
front-end-only-users
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.31
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.31.

Search with Typesense

Plugin Slug:
search-with-typesense
Installations
600+
Vulnerability:
Path Traversal
Patched in Version:
2.0.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.9.

Easy Quotes

Plugin Slug:
easy-quotes
Installations
500+
Vulnerability:
SQL Injection
Patched in Version:
1.2.3
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.2.3.

EZ SQL Reports Shortcode Widget and DB Backup

Plugin Slug:
elisqlreports
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.25.08
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.25.08.

Wishlist

Plugin:
Wishlist
Plugin Slug:
wishlist
Installations
500+
Vulnerability:
SQL Injection
Patched in Version:
1.0.42
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.42.

SMTP for Sendinblue – YaySMTP

Plugin Slug:
smtp-sendinblue
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.2.

SpeedSize Image & Video AI-Optimizer

Plugin Slug:
speedsize-ai-image-optimizer
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.2.

Autoship Cloud for WooCommerce Subscription Products

Plugin Slug:
autoship-cloud
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.8.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.1.

Easy Elementor Addons

Plugin Slug:
easy-elementor-addons
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.7.

Plugin Slug:
gallery-voting
Installations
300+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.3.

Sticky Content – Stick any content on pages

Plugin Slug:
sticky-menu-block
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.2.

Web Stories Enhancer – Level Up Your Web Stories

Plugin Slug:
web-stories-enhancer
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.

Fast Flow

Plugin:
Fast Flow
Plugin Slug:
fast-flow-dashboard
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.18
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.2.18.

Threepress

Plugin:
Threepress
Plugin Slug:
threepress
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.2.

Zigaform – Price Calculator & Cost Estimation Form Builder Lite

Plugin Slug:
zigaform-calculator-cost-estimation-form-builder-lite
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.4.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 7.4.3.

Ziggeo

Plugin:
Ziggeo
Plugin Slug:
ziggeo
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.1.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.1.1.

Zigaform – Form Builder Lite

Plugin Slug:
zigaform-form-builder-lite
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.4.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 7.4.3.

Shopwarden – Automated WooCommerce monitoring & testing

Plugin Slug:
shopwarden
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.0.12
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.0.12.

Activity Log WinterLock

Plugin Slug:
winterlock
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.2.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.5.

Yay! Forms

Plugin:
Yay! Forms
Plugin Slug:
yayforms
Installations
70+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.

Easypromos Plugin

Plugin Slug:
easypromos
Installations
60+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.9.

MemorialDay

Plugin Slug:
memorialday
Installations
60+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.1.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.1.0.

igumbi Online Booking

Plugin Slug:
igumbi-online-booking
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.41
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.41.

LTL Freight Quotes – GlobalTranz Edition

Plugin Slug:
ltl-freight-quotes-globaltranz-edition
Installations
40+
Vulnerability:
Broken Access Control
Patched in Version:
2.3.13
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.3.13.

LTL Freight Quotes – GlobalTranz Edition

Plugin Slug:
ltl-freight-quotes-globaltranz-edition
Installations
40+
Vulnerability:
SQL Injection
Patched in Version:
2.3.12
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.3.12.

Small Package Quotes – Unishippers Edition

Plugin Slug:
small-package-quotes-unishippers-edition
Installations
40+
Vulnerability:
Broken Access Control
Patched in Version:
2.4.10
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.10.

LTL Freight Quotes – ABF Freight Edition

Plugin Slug:
ltl-freight-quotes-abf-freight-edition
Installations
30+
Vulnerability:
SQL Injection
Patched in Version:
3.3.8
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.3.8.

LTL Freight Quotes – Old Dominion Edition

Plugin Slug:
ltl-freight-quotes-odfl-edition
Installations
30+
Vulnerability:
SQL Injection
Patched in Version:
4.2.11
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.2.11.

Small Package Quotes – For Customers of FedEx

Plugin Slug:
small-package-quotes-fedex-edition
Installations
30+
Vulnerability:
SQL Injection
Patched in Version:
4.3.2
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.3.2.

LTL Freight Quotes – SAIA Edition

Plugin Slug:
ltl-freight-quotes-saia-edition
Installations
20+
Vulnerability:
SQL Injection
Patched in Version:
2.2.11
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.2.11.

LTL Freight Quotes – R+L Carriers Edition

Plugin Slug:
ltl-freight-quotes-rl-edition
Installations
10+
Vulnerability:
SQL Injection
Patched in Version:
3.3.5
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.3.5.

LTL Freight Quotes – SEFL Edition

Plugin Slug:
ltl-freight-quotes-sefl-edition
Installations
10+
Vulnerability:
SQL Injection
Patched in Version:
3.2.5
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.2.5.

LTL Freight Quotes – TForce Edition

Plugin Slug:
ltl-freight-quotes-ups-edition
Installations
10+
Vulnerability:
SQL Injection
Patched in Version:
3.6.5
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.6.5.

FormCraft 3

Plugin:
FormCraft 3
Plugin Slug:
formcraft3
Vulnerability:
Broken Access Control
Patched in Version:
3.9.12
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.9.12.

FormCraft 3

Plugin:
FormCraft 3
Plugin Slug:
formcraft3
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.9.12
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.9.12.

K Elements

Plugin:
K Elements
Plugin Slug:
k-elements
Vulnerability:
Privilege Escalation
Patched in Version:
5.4.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 5.4.0.

LTL Freight Quotes – Purolator Edition

Plugin Slug:
ltl-freight-quotes-purolator-freight-edition
Vulnerability:
SQL Injection
Patched in Version:
2.2.4
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.2.4.

Pie Register Premium

Plugin:
Pie Register Premium
Plugin Slug:
pie-register-premium
Vulnerability:
Broken Access Control
Patched in Version:
3.8.3.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.8.3.3.

Small Package Quotes – USPS Edition

Plugin:
Small Package Quotes – USPS Edition
Plugin Slug:
small-package-quotes-usps-edition
Vulnerability:
SQL Injection
Patched in Version:
1.3.6
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.3.6.

Tourmaster

Plugin:
Tourmaster
Plugin Slug:
tourmaster
Vulnerability:
SQL Injection
Patched in Version:
5.3.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.3.7.

Indeed Ultimate Learning Pro

Plugin:
Indeed Ultimate Learning Pro
Plugin Slug:
ulp-duplicate-post-sql-timebased
Vulnerability:
SQL Injection
Patched in Version:
3.9.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.9.1.

Uncode Core

Plugin:
Uncode Core
Plugin Slug:
uncode-core
Vulnerability:
Content Injection
Patched in Version:
2.9.1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.1.7.

WooCommerce Food – Restaurant Menu & Food ordering

Plugin:
WooCommerce Food – Restaurant Menu & Food ordering
Plugin Slug:
woo-exfood
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
3.3.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.3.3.

WordPress Themes — 11 Patched / 0 Unpatched

Uncode

Theme:
Uncode
Theme Slug:
uncode
Downloads
2,271
Vulnerability:
Arbitrary File Download
Patched in Version:
2.9.1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.1.7.

Uncode

Theme:
Uncode
Theme Slug:
uncode
Downloads
2,271
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.9.1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.1.7.

Uncode

Theme:
Uncode
Theme Slug:
uncode
Downloads
2,271
Vulnerability:
Arbitrary File Download
Patched in Version:
2.9.1.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.9.1.7.

CarSpot

Theme:
CarSpot
Theme Slug:
carspot
Vulnerability:
Broken Authentication
Patched in Version:
2.4.4
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.4.4.

Enfold

Theme:
Enfold
Theme Slug:
enfold
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
7.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.0.

Enfold

Theme:
Enfold
Theme Slug:
enfold
Vulnerability:
Broken Access Control
Patched in Version:
7.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.0.

Hostiko

Theme:
Hostiko
Theme Slug:
hostiko
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
30.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 30.1.

Hostiko

Theme:
Hostiko
Theme Slug:
hostiko
Vulnerability:
Local File Inclusion
Patched in Version:
30.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 30.1.

MediCenter – Health Medical Clinic WordPress Theme

Theme:
MediCenter – Health Medical Clinic WordPress Theme
Theme Slug:
medicenter
Vulnerability:
Sensitive Data Exposure
Patched in Version:
14.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 14.7.

Pearl – Corporate Business

Theme:
Pearl – Corporate Business
Theme Slug:
pearl
Vulnerability:
Local File Inclusion
Patched in Version:
3.4.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.4.8.

PressMart

Theme:
PressMart
Theme Slug:
pressmart
Vulnerability:
Content Injection
Patched in Version:
1.2.17
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.17.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
