WordPress Vulnerability Report — January 28, 2026

Since last week, 225 new vulnerabilities have emerged in the WordPress ecosystem, including 207 plugins and 18 themes. Of those, 123 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Jan 28, 2026

Filed Under:WordPress Vulnerability Report

Reading Time:40 min.

In this report, 225 vulnerabilities have been publicly disclosed. Security patches for 102 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 123 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 89 Patched / 118 Unpatched

2.1 Ecwid by Lightspeed Ecommerce Shopping Cart
2.2 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.3 Kama Thumbnail
2.4 Responsive Contact Form Builder & Lead Generation Plugin
2.5 Web Push Notifications – Webpushr
2.6 Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)
2.7 CLP Varnish Cache
2.8 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
2.9 WP FullCalendar
2.10 WP Subscribe
2.11 Booter – Bots & Crawlers Manager
2.12 Download After Email – Subscribe & Download Form Plugin
2.13 HD Quiz
2.14 Materialis Companion
2.15 WP BackItUp Community Edition
2.16 WP Term Order
2.17 Monetag Official Plugin
2.18 BOX NOW Delivery
2.19 Cloudinary – Deliver Images and Videos at Scale
2.20 Easy Property Listings
2.21 Edwiser Bridge – WordPress Moodle Integration
2.22 Nelio Content – Editorial Calendar & Social Media Auto-Posting
2.23 Fraud Prevention For WooCommerce and EDD
2.24 WP Travel – Ultimate Travel Booking System, Tour Management Engine
2.25 Ai Image Alt Text Generator for WP
2.26 Pie Register – User Registration, Profiles & Content Restriction
2.27 Ryviu – Product Reviews for WooCommerce
2.28 Admin login URL Change
2.29 Anything Order by Terms
2.30 Contact Form 7 GetResponse Extension
2.31 iNET Webkit
2.32 Send Notifications from Woocommerce, Form Plugins and More!
2.33 SEO Booster
2.34 SiteLock Security – WP Hardening, Login Security & Malware Scans
2.35 UX Flat
2.36 WebP Conversion
2.37 Order Notification for WooCommerce – Get Audio Alert on new Orders
2.38 Nova Blocks by Pixelgrade
2.39 Omnipress
2.40 Email Inquiry & Cart Options for WooCommerce
2.41 Blockons – Gutenberg blocks for WordPress and WooCommerce websites
2.42 Quick Restaurant Reservations
2.43 Accordion – Add Horizontal / Vertical Accordion in WP
2.44 Textmetrics
2.45 My Post Order
2.46 Table of Contents Creator
2.47 iRobots.txt SEO
2.48 ravpage
2.49 amr cron manager
2.50 ArtPlacer Widget
2.51 ExpressTechSoftwares Addon for MemberPress and Discord
2.52 LifePress
2.53 Paid Downloads
2.54 wpCAS
2.55 Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings
2.56 Dinatur
2.57 LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart
2.58 ABG Rich Pins
2.59 APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps
2.60 Scalenut
2.61 ShoutOut
2.62 Administrative Shortcodes
2.63 Administrative Shortcodes
2.64 AdminQuickbar
2.65 Alchemist Ajax Upload
2.66 Alpha Blocks
2.67 Canto Testimonials
2.68 CM CSS Columns
2.69 Cookie consent for developers
2.70 Coven Core
2.71 Directorist Booking
2.72 Directorist Social Login
2.73 E-xact Hosted Payment
2.74 Easy Theme Options
2.75 Final User
2.76 Final User
2.77 fitness-trainer
2.78 GZSEO
2.79 Hospital Doctor Directory
2.80 Hospital Doctor Directory
2.81 Hospital Doctor Directory
2.82 Hotel Listing
2.83 Hotel Listing
2.84 Institutions Directory
2.85 Institutions Directory
2.86 Institutions Directory
2.87 Integrate Google Drive
2.88 JavaScript Notifier
2.89 JobBank
2.90 JustClick registration plugin
2.91 Kalrav AI Agent
2.92 Lawyer Directory
2.93 ListingHub
2.94 Login Page Editor
2.95 Meta-box GalleryMeta
2.96 Meta-box GalleryMeta
2.97 Moderate Selected Posts
2.98 Postalicious
2.99 Radio Player
2.100 Real Estate Pro
2.101 Responsive Header
2.102 Set Bulk Post Categories
2.103 Simple Crypto Shortcodes
2.104 Star Review Manager
2.105 ThemeRuby Multi Authors
2.106 Ultra Portfolio
2.107 Alex User Counter
2.108 Viet contact
2.109 VK Google Job Posting Manager
2.110 Wise Analytics
2.111 WishList Member X
2.112 Wizit Gateway for WooCommerce
2.113 WP-ClanWars
2.114 WP Hello Bar
2.115 WP Membership
2.116 WP Membership
2.117 WP Youtube Video Gallery
2.118 ZT Captcha
2.119 The Events Calendar
2.120 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
2.121 Happy Addons for Elementor
2.122 Custom Fonts – Host Your Fonts Locally
2.123 Newsletter – Send awesome emails from WordPress
2.124 WP Go Maps (formerly WP Google Maps)
2.125 Photo Gallery by 10Web – Mobile-Friendly Image Gallery
2.126 Advanced Custom Fields: Extended
2.127 Beaver Builder Page Builder – Drag and Drop Website Builder
2.128 BuddyPress
2.129 Schema & Structured Data for WP & AMP
2.130 Tutor LMS – eLearning and online course solution
2.131 LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
2.132 Koko Analytics – Privacy+Friendly statistics for WordPress
2.133 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
2.134 User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
2.135 Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
2.136 RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
2.137 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
2.138 NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
2.139 NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
2.140 Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
2.141 MailerLite – WooCommerce integration
2.142 Xpro Addons — 140+ Widgets for Elementor
2.143 All-in-One Video Gallery
2.144 All-in-One Video Gallery
2.145 Image Photo Gallery Final Tiles Grid
2.146 UPI QR Code Payment Gateway for WooCommerce
2.147 Demo Importer Plus
2.148 FlatPM – Ad Manager, AdSense and Custom Code
2.149 Head Meta Data
2.150 LA-Studio Element Kit for Elementor
2.151 Nexter Extension – Site Enhancements Toolkit
2.152 Recipe Card Blocks Lite
2.153 WP DSGVO Tools (GDPR)
2.154 User Submitted Posts – Enable Users to Submit Posts from the Front End
2.155 weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation
2.156 WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)
2.157 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
2.158 Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates
2.159 Automatic Featured Images from Videos
2.160 WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
2.161 Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, User Badges, Gamification
2.162 Protección de datos – RGPD
2.163 Poll, Survey & Quiz Maker Plugin by Opinion Stage
2.164 Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
2.165 FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
2.166 Media Library File Size
2.167 weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
2.168 Booking Activities
2.169 Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization
2.170 Tabby Checkout
2.171 AIKTP
2.172 Frontis Blocks — Block Library for the Block Editor
2.173 Frontis Blocks — Block Library for the Block Editor
2.174 Gallery PhotoBlocks
2.175 Salon Booking System – Free Version
2.176 Same Category Posts
2.177 WP Directory Kit
2.178 Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
2.179 Hydra Booking — Appointment Scheduling & Booking Calendar
2.180 KiviCare – Clinic & Patient Management System (EHR)
2.181 Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
2.182 ElementCamp
2.183 Friendly Functions for Welcart
2.184 JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin
2.185 GDPR CCPA Compliance & Cookie Consent Banner
2.186 Quick Contact Form
2.187 Broadstreet
2.188 My auctions allegro
2.189 TaxCloud for WooCommerce
2.190 PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net)
2.191 TableOn – WordPress Posts Table Filterable
2.192 Thim Blocks
2.193 Link Invoice Payment for WooCommerce
2.194 Creator LMS – The LMS for Creators, Coaches, and Trainers
2.195 Melapress Role Editor
2.196 AdForest Elementor
2.197 Homey Core
2.198 Kentha Elementor Widgets
2.199 Lawyer Directory
2.200 Lawyer Directory
2.201 Listivo Core
2.202 Movie Booking
2.203 MyHome Core
2.204 Real Homes CRM
2.205 Schedula – Smart Appointment Booking
2.206 WorkScout-Core
2.207 YouTube Feed Pro

3. WordPress Themes — 13 Patched / 5 Unpatched

3.1 EcoBlue
3.2 Enfold
3.3 Listihub
3.4 PeakShops
3.5 Prowess
3.6 AdForest
3.7 CarSpot
3.8 Craft
3.9 DotLife
3.10 Grand Magazine
3.11 Grand Spa
3.12 Grand Tour
3.13 Hostiko
3.14 Hoteller
3.15 PeakShops
3.16 Traveler
3.17 Werkstatt
3.18 WorkScout

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025, adding Notes for block-level comments, an expanded Command Palette, and the new Abilities API to standardize permissions for future automation. It also includes performance improvements and new blocks and design tools to support faster, more flexible site building.

After any major release, don’t update live sites until you’ve taken backups and tested in a non-production environment.

WordPress Plugins — 89 Patched / 118 Unpatched

Plugin:: Ecwid by Lightspeed Ecommerce Shopping Cart
Plugin Slug:: ecwid-shopping-cart
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24580

Plugin:: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24549

Plugin:: Kama Thumbnail
Plugin Slug:: kama-thumbnail
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24521

Plugin:: Responsive Contact Form Builder & Lead Generation Plugin
Plugin Slug:: lead-form-builder
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68046

Plugin:: Web Push Notifications – Webpushr
Plugin Slug:: webpushr-web-push-notifications
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24536

Plugin:: Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68047

Plugin:: CLP Varnish Cache
Plugin Slug:: clp-varnish-cache
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24525

Plugin:: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24524

Plugin:: WP FullCalendar
Plugin Slug:: wp-fullcalendar
Installations: 9,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24523

Plugin:: WP Subscribe
Plugin Slug:: wp-subscribe
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24522

Plugin:: Booter – Bots & Crawlers Manager
Plugin Slug:: booter-bots-crawlers-manager
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24534

Plugin:: Download After Email – Subscribe & Download Form Plugin
Plugin Slug:: download-after-email
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24541

Plugin:: HD Quiz
Plugin Slug:: hd-quiz
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24544

Plugin:: Materialis Companion
Plugin Slug:: materialis-companion
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24543

Plugin:: WP BackItUp Community Edition
Plugin Slug:: wp-backitup
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68039

Plugin:: WP Term Order
Plugin Slug:: wp-term-order
Installations: 7,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24542

Plugin:: Monetag Official Plugin
Plugin Slug:: monetag-official
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24551

Plugin:: BOX NOW Delivery
Plugin Slug:: box-now-delivery
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24571

Plugin:: Cloudinary – Deliver Images and Videos at Scale
Plugin Slug:: cloudinary-image-management-and-manipulation-in-the-cloud-cdn
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24560

Plugin:: Easy Property Listings
Plugin Slug:: easy-property-listings
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68072

Plugin:: Edwiser Bridge – WordPress Moodle Integration
Plugin Slug:: edwiser-bridge
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24570

Plugin:: Nelio Content – Editorial Calendar & Social Media Auto-Posting
Plugin Slug:: nelio-content
Installations: 5,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-24572

Plugin:: Fraud Prevention For WooCommerce and EDD
Plugin Slug:: woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24553

Plugin:: WP Travel – Ultimate Travel Booking System, Tour Management Engine
Plugin Slug:: wp-travel
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24568

Plugin:: Ai Image Alt Text Generator for WP
Plugin Slug:: ai-image-alt-text-generator-for-wp
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24579

Plugin:: Pie Register – User Registration, Profiles & Content Restriction
Plugin Slug:: pie-register
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24577

Plugin:: Ryviu – Product Reviews for WooCommerce
Plugin Slug:: ryviu
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24562

Plugin:: Admin login URL Change
Plugin Slug:: admin-login-url-change
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24578

Plugin:: Anything Order by Terms
Plugin Slug:: anything-order-by-terms
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24567

Plugin:: Contact Form 7 GetResponse Extension
Plugin Slug:: contact-form-7-getresponse-extension
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24557

Plugin:: iNET Webkit
Plugin Slug:: inet-webkit
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24566

Plugin:: Send Notifications from Woocommerce, Form Plugins and More!
Plugin Slug:: notifier
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68020

Plugin:: SEO Booster
Plugin Slug:: seo-booster
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68019

Plugin:: SiteLock Security – WP Hardening, Login Security & Malware Scans
Plugin Slug:: sitelock
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24532

Plugin:: UX Flat
Plugin Slug:: ux-flat
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24576

Plugin:: WebP Conversion
Plugin Slug:: webp-conversion
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24530

Plugin:: Order Notification for WooCommerce – Get Audio Alert on new Orders
Plugin Slug:: woc-order-alert
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68018

Plugin:: Nova Blocks by Pixelgrade
Plugin Slug:: nova-blocks
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24528

Plugin:: Omnipress
Plugin Slug:: omnipress
Installations: 900+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-24538

Plugin:: Email Inquiry & Cart Options for WooCommerce
Plugin Slug:: woocommerce-email-inquiry-cart-options
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24526

Plugin:: Blockons – Gutenberg blocks for WordPress and WooCommerce websites
Plugin Slug:: blockons
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24550

Plugin:: Quick Restaurant Reservations
Plugin Slug:: quick-restaurant-reservations
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24529

Plugin:: Accordion – Add Horizontal / Vertical Accordion in WP
Plugin Slug:: b-accordion
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24565

Plugin:: Textmetrics
Plugin Slug:: webtexttool
Installations: 500+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24564

Plugin:: My Post Order
Plugin Slug:: my-posts-order
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68004

Plugin:: Table of Contents Creator
Plugin Slug:: table-of-contents-creator
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68836

Plugin:: iRobots.txt SEO
Plugin Slug:: irobotstxt-seo
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68840

Plugin:: ravpage
Plugin Slug:: ravpage
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68835

Plugin:: amr cron manager
Plugin Slug:: amr-cron-manager
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68848

Plugin:: ArtPlacer Widget
Plugin Slug:: artplacer-widget
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24555

Plugin:: ExpressTechSoftwares Addon for MemberPress and Discord
Plugin Slug:: expresstechsoftwares-memberpress-discord-add-on
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68838

Plugin:: LifePress
Plugin Slug:: lifepress
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24563

Plugin:: Paid Downloads
Plugin Slug:: paid-downloads
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68857

Plugin:: wpCAS
Plugin Slug:: wpcas
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68858

Plugin:: Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings
Plugin Slug:: bookingor
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12573

Plugin:: Dinatur
Plugin Slug:: dinatur
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68866

Plugin:: LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart
Plugin Slug:: lazytasks-project-task-management
Installations: 70+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68869

Plugin:: ABG Rich Pins
Plugin Slug:: abg-rich-pins
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24558

Plugin:: APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps
Plugin Slug:: appexperts
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68881

Plugin:: Scalenut
Plugin Slug:: scalenut
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68882

Plugin:: ShoutOut
Plugin Slug:: shoutout
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68894

Plugin:: Administrative Shortcodes
Plugin Slug:: administrative-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1099

Plugin:: Administrative Shortcodes
Plugin Slug:: administrative-shortcodes
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1257

Plugin:: AdminQuickbar
Plugin Slug:: adminquickbar
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14630

Plugin:: Alchemist Ajax Upload
Plugin Slug:: alchemist-ajax-upload
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14629

Plugin:: Alpha Blocks
Plugin Slug:: alpha-blocks
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14985

Plugin:: Canto Testimonials
Plugin Slug:: canto-testimonials
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1095

Plugin:: CM CSS Columns
Plugin Slug:: cm-css-columns
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1098

Plugin:: Cookie consent for developers
Plugin Slug:: cookie-consent-for-developers
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1084

Plugin:: Coven Core
Plugin Slug:: coven-core
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-69295

Plugin:: Directorist Booking
Plugin Slug:: directorist-booking
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-22336

Plugin:: Directorist Social Login
Plugin Slug:: directorist-social-login
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-22337

Plugin:: E-xact Hosted Payment
Plugin Slug:: e-xact-hosted-payment
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14829

Plugin:: Easy Theme Options
Plugin Slug:: easy-theme-options
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68839

Plugin:: Final User
Plugin Slug:: final-user
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69293

Plugin:: Final User
Plugin Slug:: final-user
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69187

Plugin:: fitness-trainer
Plugin Slug:: fitness-trainer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69188

Plugin:: GZSEO
Plugin Slug:: gzseo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14941

Plugin:: Hospital Doctor Directory
Plugin Slug:: hospital-doctor-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68057

Plugin:: Hospital Doctor Directory
Plugin Slug:: hospital-doctor-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69186

Plugin:: Hospital Doctor Directory
Plugin Slug:: hospital-doctor-directory
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69183

Plugin:: Hotel Listing
Plugin Slug:: hotel-listing
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68059

Plugin:: Hotel Listing
Plugin Slug:: hotel-listing
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69185

Plugin:: Institutions Directory
Plugin Slug:: institutions-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68058

Plugin:: Institutions Directory
Plugin Slug:: institutions-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69184

Plugin:: Institutions Directory
Plugin Slug:: institutions-directory
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69182

Plugin:: Integrate Google Drive
Plugin Slug:: integrate-google-drive
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24540

Plugin:: JavaScript Notifier
Plugin Slug:: javascript-notifier
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1191

Plugin:: JobBank
Plugin Slug:: jobbank
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69189

Plugin:: JustClick registration plugin
Plugin Slug:: justclick-subscriber
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13676

Plugin:: Kalrav AI Agent
Plugin Slug:: kalrav-ai-agent
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13374

Plugin:: Lawyer Directory
Plugin Slug:: lawyer-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69181

Plugin:: ListingHub
Plugin Slug:: listinghub
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69191

Plugin:: Login Page Editor
Plugin Slug:: login-page-editor
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1088

Plugin:: Meta-box GalleryMeta
Plugin Slug:: meta-box-gallerymeta
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2026-0687

Plugin:: Meta-box GalleryMeta
Plugin Slug:: meta-box-gallerymeta
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1302

Plugin:: Moderate Selected Posts
Plugin Slug:: moderate-selected-posts
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14907

Plugin:: Postalicious
Plugin Slug:: postalicious
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1266

Plugin:: Radio Player
Plugin Slug:: radio-player
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24548

Plugin:: Real Estate Pro
Plugin Slug:: real-estate-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69192

Plugin:: Responsive Header
Plugin Slug:: responsive-header
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1300

Plugin:: Set Bulk Post Categories
Plugin Slug:: set-bulk-post-categories
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1081

Plugin:: Simple Crypto Shortcodes
Plugin Slug:: simple-crypto-shortcodes
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14903

Plugin:: Star Review Manager
Plugin Slug:: star-review-manager
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1076

Plugin:: ThemeRuby Multi Authors
Plugin Slug:: themeruby-multi-authors
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1097

Plugin:: Ultra Portfolio
Plugin Slug:: ultra-portfolio
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69180

Plugin:: Alex User Counter
Plugin Slug:: user-counter
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1070

Plugin:: Viet contact
Plugin Slug:: viet-contact
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1045

Plugin:: VK Google Job Posting Manager
Plugin Slug:: vk-google-job-posting-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12836

Plugin:: Wise Analytics
Plugin Slug:: wise-analytics
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14609

Plugin:: WishList Member X
Plugin Slug:: wishlist-member-x
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-24575

Plugin:: Wizit Gateway for WooCommerce
Plugin Slug:: wizit-gateway-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14843

Plugin:: WP-ClanWars
Plugin Slug:: wp-clanwars
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-0806

Plugin:: WP Hello Bar
Plugin Slug:: wp-hello-bar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1042

Plugin:: WP Membership
Plugin Slug:: wp-membership
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69292

Plugin:: WP Membership
Plugin Slug:: wp-membership
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69193

Plugin:: WP Youtube Video Gallery
Plugin Slug:: wp-youtube-video-gallery
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14906

Plugin:: ZT Captcha
Plugin Slug:: zt-captcha
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1075

Plugin:: The Events Calendar
Plugin Slug:: the-events-calendar
Installations: 700,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.15.13.1
Severity Score:: Medium
CVE:: 2025-15043

Plugin:: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Plugin Slug:: metform
Installations: 600,000+
Vulnerability:: Broken Authentication
Patched in Version:: 4.1.1
Severity Score:: Low
CVE:: 2026-0633

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.20.6
Severity Score:: High
CVE:: 2025-68999

Plugin:: Custom Fonts – Host Your Fonts Locally
Plugin Slug:: custom-fonts
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.17
Severity Score:: Medium
CVE:: 2025-14351

Plugin:: Newsletter – Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 9.1.1
Severity Score:: Medium
CVE:: 2026-1051

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.0.05
Severity Score:: Medium
CVE:: 2026-0593

Plugin:: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Plugin Slug:: photo-gallery
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.37
Severity Score:: Medium
CVE:: 2026-1036

Plugin:: Advanced Custom Fields: Extended
Plugin Slug:: acf-extended
Installations: 100,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 0.9.2.2
Severity Score:: Critical
CVE:: 2025-14533

Plugin:: Beaver Builder Page Builder – Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 2.9.4.2
Severity Score:: High
CVE:: 2025-69319

Plugin:: BuddyPress
Plugin Slug:: buddypress
Installations: 100,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 14.3.4
Severity Score:: High
CVE:: 2024-11976

Plugin:: Schema & Structured Data for WP & AMP
Plugin Slug:: schema-and-structured-data-for-wp
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.54.1
Severity Score:: Medium
CVE:: 2025-14069

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.5
Severity Score:: Medium
CVE:: 2026-0548

Plugin:: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2.5
Severity Score:: Medium
CVE:: 2025-14798

Plugin:: Koko Analytics – Privacy+Friendly statistics for WordPress
Plugin Slug:: koko-analytics
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.1.3
Severity Score:: Medium
CVE:: 2026-22850

Plugin:: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.9.17
Severity Score:: Medium
CVE:: 2025-69315

Plugin:: User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.7
Severity Score:: High
CVE:: 2025-67956

Plugin:: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Plugin Slug:: uncanny-automator
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.0
Severity Score:: Medium
CVE:: 2025-15522

Plugin:: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Plugin Slug:: wp-rss-aggregator
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.11
Severity Score:: Medium
CVE:: 2025-14745

Plugin:: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Plugin Slug:: dokan-lite
Installations: 40,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.2.5
Severity Score:: High
CVE:: 2025-14977

Plugin:: NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
Plugin Slug:: notificationx
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2026-0554

Plugin:: NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
Plugin Slug:: notificationx
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.1
Severity Score:: High
CVE:: 2025-15380

Plugin:: Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
Plugin Slug:: ultimate-post
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.4
Severity Score:: High
CVE:: 2025-69313

Plugin:: MailerLite – WooCommerce integration
Plugin Slug:: woo-mailerlite
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2025-67945

Plugin:: Xpro Addons — 140+ Widgets for Elementor
Plugin Slug:: xpro-elementor-addons
Installations: 30,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.20
Severity Score:: Critical
CVE:: 2025-69312

Plugin:: All-in-One Video Gallery
Plugin Slug:: all-in-one-video-gallery
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.1
Severity Score:: Medium
CVE:: 2025-15516

Plugin:: All-in-One Video Gallery
Plugin Slug:: all-in-one-video-gallery
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.1
Severity Score:: Medium
CVE:: 2025-14947

Plugin:: Image Photo Gallery Final Tiles Grid
Plugin Slug:: final-tiles-grid-gallery-lite
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.10
Severity Score:: Medium
CVE:: 2025-15466

Plugin:: UPI QR Code Payment Gateway for WooCommerce
Plugin Slug:: upi-qr-code-payment-for-woocommerce
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.1
Severity Score:: Medium
CVE:: 2025-67969

Plugin:: Demo Importer Plus
Plugin Slug:: demo-importer-plus
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.0.10
Severity Score:: High
CVE:: 2025-14478

Plugin:: FlatPM – Ad Manager, AdSense and Custom Code
Plugin Slug:: flatpm-wp
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.3
Severity Score:: Medium
CVE:: 2026-0690

Plugin:: Head Meta Data
Plugin Slug:: head-meta-data
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 20260105
Severity Score:: Medium
CVE:: 2026-0608

Plugin:: LA-Studio Element Kit for Elementor
Plugin Slug:: lastudio-element-kit
Installations: 10,000+
Vulnerability:: Backdoor
Patched in Version:: 1.6.0
Severity Score:: Critical
CVE:: 2026-0920

Plugin:: Nexter Extension – Site Enhancements Toolkit
Plugin Slug:: nexter-extension
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.4.7
Severity Score:: Critical
CVE:: 2026-0726

Plugin:: Recipe Card Blocks Lite
Plugin Slug:: recipe-card-blocks-by-wpzoom
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.4.13
Severity Score:: High
CVE:: 2025-14973

Plugin:: WP DSGVO Tools (GDPR)
Plugin Slug:: shapepress-dsgvo
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.37
Severity Score:: Medium
CVE:: 2026-0914

Plugin:: User Submitted Posts – Enable Users to Submit Posts from the Front End
Plugin Slug:: user-submitted-posts
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 20260110
Severity Score:: High
CVE:: 2026-0800

Plugin:: weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation
Plugin Slug:: wemail
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2025-14348

Plugin:: WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)
Plugin Slug:: wpo365-login
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 40.1
Severity Score:: Medium
CVE:: 2025-67961

Plugin:: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 6.0.7.2
Severity Score:: Critical
CVE:: 2025-15403

Plugin:: Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates
Plugin Slug:: the-plus-addons-for-block-editor
Installations: 9,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.6.4
Severity Score:: Medium
CVE:: 2026-24377

Plugin:: Automatic Featured Images from Videos
Plugin Slug:: automatic-featured-images-from-videos
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2026-24535

Plugin:: WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 8,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.4.4
Severity Score:: Medium
CVE:: 2026-24379

Plugin:: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, User Badges, Gamification
Plugin Slug:: points-and-rewards-for-woocommerce
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.6
Severity Score:: Medium
CVE:: 2026-24581

Plugin:: Protección de datos – RGPD
Plugin Slug:: proteccion-datos-rgpd
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.69
Severity Score:: Medium
CVE:: 2026-24539

Plugin:: Poll, Survey & Quiz Maker Plugin by Opinion Stage
Plugin Slug:: social-polls-by-opinionstage
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 19.6.25
Severity Score:: High

Plugin:: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Plugin Slug:: cf7-hubspot
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2026-24559

Plugin:: FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
Plugin Slug:: fluent-boards
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.1.2
Severity Score:: Medium
CVE:: 2026-24561

Plugin:: Media Library File Size
Plugin Slug:: media-library-file-size
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.8
Severity Score:: Medium
CVE:: 2026-24569

Plugin:: weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
Plugin Slug:: wedocs
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.17
Severity Score:: Medium
CVE:: 2025-13921

Plugin:: Booking Activities
Plugin Slug:: booking-activities
Installations: 4,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.16.45
Severity Score:: High
CVE:: 2025-67953

Plugin:: Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization
Plugin Slug:: nelio-ab-testing
Installations: 4,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 8.2.0
Severity Score:: Critical
CVE:: 2025-67944

Plugin:: Tabby Checkout
Plugin Slug:: tabby-checkout
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.9.1
Severity Score:: High
CVE:: 2025-68035

Plugin:: AIKTP
Plugin Slug:: aiktp
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.05
Severity Score:: Medium
CVE:: 2026-1103

Plugin:: Frontis Blocks — Block Library for the Block Editor
Plugin Slug:: frontis-blocks
Installations: 3,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.1.7
Severity Score:: High
CVE:: 2026-0807

Plugin:: Frontis Blocks — Block Library for the Block Editor
Plugin Slug:: frontis-blocks
Installations: 3,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.1.6
Severity Score:: High
CVE:: 2025-68030

Plugin:: Gallery PhotoBlocks
Plugin Slug:: photoblocks-grid-gallery
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2026-24389

Plugin:: Salon Booking System – Free Version
Plugin Slug:: salon-booking-system
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.30.4
Severity Score:: Medium
CVE:: 2025-67954

Plugin:: Same Category Posts
Plugin Slug:: same-category-posts
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.20
Severity Score:: Medium
CVE:: 2025-14797

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.5.0
Severity Score:: Medium
CVE:: 2025-13920

Plugin:: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
Plugin Slug:: academy
Installations: 2,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.5.1
Severity Score:: Critical
CVE:: 2025-15521

Plugin:: Hydra Booking — Appointment Scheduling & Booking Calendar
Plugin Slug:: hydra-booking
Installations: 2,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.33
Severity Score:: High
CVE:: 2025-68027

Plugin:: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.16
Severity Score:: Medium
CVE:: 2026-0927

Plugin:: Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
Plugin Slug:: wallet-system-for-woocommerce
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.3
Severity Score:: Medium
CVE:: 2025-14450

Plugin:: ElementCamp
Plugin Slug:: element-camp
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.6
Severity Score:: Medium
CVE:: 2026-24556

Plugin:: Friendly Functions for Welcart
Plugin Slug:: friendly-functions-for-welcart
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.6
Severity Score:: Medium
CVE:: 2026-1208

Plugin:: JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin
Plugin Slug:: jobwp
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.6
Severity Score:: High
CVE:: 2025-69318

Plugin:: GDPR CCPA Compliance & Cookie Consent Banner
Plugin Slug:: ninja-gdpr-compliance
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.5
Severity Score:: Medium
CVE:: 2025-68073

Plugin:: Quick Contact Form
Plugin Slug:: quick-contact-form
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.2.7
Severity Score:: Medium
CVE:: 2025-12718

Plugin:: Broadstreet
Plugin Slug:: broadstreet
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 1.52.2
Severity Score:: High
CVE:: 2025-69311

Plugin:: My auctions allegro
Plugin Slug:: my-auctions-allegro-free-edition
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.33
Severity Score:: High
CVE:: 2025-67943

Plugin:: TaxCloud for WooCommerce
Plugin Slug:: simple-sales-tax
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 8.4.0
Severity Score:: Medium
CVE:: 2025-67958

Plugin:: PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net)
Plugin Slug:: peachpay-for-woocommerce
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 1.119.9
Severity Score:: Medium
CVE:: 2025-14978

Plugin:: TableOn – WordPress Posts Table Filterable
Plugin Slug:: posts-table-filterable
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.4.3
Severity Score:: High
CVE:: 2025-69316

Plugin:: Thim Blocks
Plugin Slug:: thim-blocks
Installations: 300+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.0.2
Severity Score:: Medium
CVE:: 2025-13725

Plugin:: Link Invoice Payment for WooCommerce
Plugin Slug:: invoice-payment-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.1
Severity Score:: Medium
CVE:: 2025-14971

Plugin:: Creator LMS – The LMS for Creators, Coaches, and Trainers
Plugin Slug:: creatorlms
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.13
Severity Score:: High
CVE:: 2025-15347

Plugin:: Melapress Role Editor
Plugin Slug:: melapress-role-editor
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.2.0
Severity Score:: High
CVE:: 2025-14866

Plugin:: AdForest Elementor
Plugin Slug:: adforest-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.12
Severity Score:: High
CVE:: 2025-67947

Plugin:: Homey Core
Plugin Slug:: homey-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.4
Severity Score:: High
CVE:: 2025-67964

Plugin:: Kentha Elementor Widgets
Plugin Slug:: kentha-elementor
Vulnerability:: Local File Inclusion
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2026-24390

Plugin:: Lawyer Directory
Plugin Slug:: lawyer-directory
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.4
Severity Score:: High
CVE:: 2025-67967

Plugin:: Lawyer Directory
Plugin Slug:: lawyer-directory
Vulnerability:: Privilege Escalation
Patched in Version:: 1.3.4
Severity Score:: High
CVE:: 2025-67966

Plugin:: Listivo Core
Plugin Slug:: listivo-core
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3.78
Severity Score:: High
CVE:: 2025-67957

Plugin:: Movie Booking
Plugin Slug:: movie-booking
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.1.6
Severity Score:: High
CVE:: 2025-67963

Plugin:: MyHome Core
Plugin Slug:: myhome-core
Vulnerability:: Local File Inclusion
Patched in Version:: 4.1.1
Severity Score:: High
CVE:: 2025-67955

Plugin:: Real Homes CRM
Plugin Slug:: realhomes-crm
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.0.1
Severity Score:: Critical
CVE:: 2025-67968

Plugin:: Schedula – Smart Appointment Booking
Plugin Slug:: schedula-smart-appointment-booking
Vulnerability:: Broken Access Control
Patched in Version:: 1.1
Severity Score:: Medium
CVE:: 2025-67970

Plugin:: WorkScout-Core
Plugin Slug:: workscout-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.07
Severity Score:: High
CVE:: 2025-67960

Plugin:: YouTube Feed Pro
Plugin Slug:: youtube-feed-pro
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.6.1
Severity Score:: High
CVE:: 2025-12002

WordPress Themes — 13 Patched / 5 Unpatched

Theme:: EcoBlue
Theme Slug:: ecoblue
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-22338

Theme:: Enfold
Theme Slug:: enfold
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68900

Theme:: Listihub
Theme Slug:: listihub
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69190

Theme:: PeakShops
Theme Slug:: peakshops
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-69294

Theme:: Prowess
Theme Slug:: prowess
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-24531

Theme:: AdForest
Theme Slug:: adforest
Vulnerability:: Local File Inclusion
Patched in Version:: 6.0.12
Severity Score:: High
CVE:: 2025-67946

Theme:: CarSpot
Theme Slug:: carspot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.6
Severity Score:: High
CVE:: 2025-69317

Theme:: Craft
Theme Slug:: craftcoffee
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.7
Severity Score:: High
CVE:: 2025-68538

Theme:: DotLife
Theme Slug:: dotlife
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.5
Severity Score:: High
CVE:: 2025-68520

Theme:: Grand Magazine
Theme Slug:: grandmagazine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.8
Severity Score:: High
CVE:: 2025-69320

Theme:: Grand Spa
Theme Slug:: grandspa
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.6
Severity Score:: High
CVE:: 2025-69321

Theme:: Grand Tour
Theme Slug:: grandtour
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.2
Severity Score:: High
CVE:: 2025-67952

Theme:: Hostiko
Theme Slug:: hostiko
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 94.3.6
Severity Score:: High
CVE:: 2025-67949

Theme:: Hoteller
Theme Slug:: hoteller
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.8.9
Severity Score:: High
CVE:: 2025-68518

Theme:: PeakShops
Theme Slug:: peakshops
Vulnerability:: Local File Inclusion
Patched in Version:: 1.5.9
Severity Score:: High
CVE:: 2025-69322

Theme:: Traveler
Theme Slug:: traveler
Vulnerability:: SQL Injection
Patched in Version:: 3.2.8
Severity Score:: High
CVE:: 2026-24367

Theme:: Werkstatt
Theme Slug:: werkstatt
Vulnerability:: Local File Inclusion
Patched in Version:: 4.8.3
Severity Score:: High
CVE:: 2025-69314

Theme:: WorkScout
Theme Slug:: workscout
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.08
Severity Score:: High
CVE:: 2025-67959

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 89 Patched / 118 Unpatched