WordPress Vulnerability Report

WordPress Vulnerability Report — October 1, 2025

Since last week, 476 new vulnerabilities have emerged in the WordPress ecosystem, including 457 plugins and 17 themes. Of those, 340 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

In this report, 476 vulnerabilities have been publicly disclosed. Security patches for 136 vulnerabilities in WordPress Core, plugins, and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 340 plugin and theme vulnerabilities for which no patch is available yet. If you’re a Solid Security Pro user, you are already protected against those vulnerabilities by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.3 is now available! This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.

WordPress Core

Vulnerability:
Sensitive Data Exposure
Patched in Version:
6.8.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.8.3.

WordPress Core

Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.8.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.8.3.

WordPress Plugins — 128 Patched / 329 Unpatched

Sticky Header Effects for Elementor

Plugin Slug:
sticky-header-effects-for-elementor
Installations
300,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Download Manager

Plugin Slug:
download-manager
Installations
100,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

TI WooCommerce Wishlist

Plugin Slug:
ti-woocommerce-wishlist
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Master Slider – Responsive Touch Slider

Plugin Slug:
master-slider
Installations
70,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Getwid – Gutenberg Blocks

Plugin Slug:
getwid
Installations
50,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Image Hover Effects – Elementor Addon

Plugin Slug:
image-hover-effects-addon-for-elementor
Installations
50,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Perfect Brands for WooCommerce

Plugin Slug:
perfect-woocommerce-brands
Installations
50,000+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

DethemeKit for Elementor

Plugin Slug:
dethemekit-for-elementor
Installations
40,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Hubbub Lite – Fast, Reliable Social Sharing Buttons

Plugin Slug:
social-pug
Installations
40,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPFront User Role Editor

Plugin Slug:
wpfront-user-role-editor
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ditty – Responsive News Tickers, Sliders, and Lists

Plugin Slug:
ditty-news-ticker
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

EmailKit – Email Customizer for WooCommerce & WP

Plugin Slug:
emailkit
Installations
30,000+
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ads by Quads – Adsense Ads, Banner Ads, Popup Ads

Plugin Slug:
quick-adsense-reloaded
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Events Manager

Plugin Slug:
wp-events-manager
Installations
30,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Geolocation IP Detection

Plugin Slug:
geoip-detect
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Quiz Maker

Plugin:
Quiz Maker
Plugin Slug:
quiz-maker
Installations
20,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Quiz Maker

Plugin:
Quiz Maker
Plugin Slug:
quiz-maker
Installations
20,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Blog Designer

Plugin Slug:
blog-designer
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Passster – Password Protect Pages and Content

Plugin Slug:
content-protector
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Translate WordPress with ConveyThis

Plugin Slug:
conveythis-translate
Installations
10,000+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Dashboard Notepad

Plugin Slug:
dashboard-notepad
Installations
10,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
gallery-lightbox-slider
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
portfolio-elementor
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Qubely – Advanced Gutenberg Blocks

Plugin Slug:
qubely
Installations
10,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Qubely – Advanced Gutenberg Blocks

Plugin Slug:
qubely
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Subtitle

Plugin Slug:
wp-subtitle
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Convert WordPress to app | AppMySite

Plugin Slug:
appmysite
Installations
9,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
mihdan-no-external-links
Installations
9,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
wp-mailto-links
Installations
9,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Awesome Support – WordPress HelpDesk & Support Plugin

Plugin Slug:
awesome-support
Installations
8,000+
Vulnerability:
Deserialization of untrusted data
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Participants Database

Plugin Slug:
participants-database
Installations
8,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

YayCurrency – WooCommerce Multi-Currency Switcher

Plugin Slug:
yaycurrency
Installations
7,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Flexible PDF Invoices for WooCommerce & WordPress

Plugin Slug:
flexible-invoices
Installations
6,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Mega menu Plugin – Groovy Menu (Free)

Plugin Slug:
groovy-menu-free
Installations
6,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Instapage Plugin

Plugin Slug:
instapage
Installations
5,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Social Widget

Plugin Slug:
wp-social-widget
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mail Subscribe List

Plugin Slug:
mail-subscribe-list
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Post Carousel Slider for Elementor

Plugin Slug:
post-carousel-slider-for-elementor
Installations
4,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Cecabank WooCommerce Plugin

Plugin Slug:
cecabank-woocommerce
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CoSchedule

Plugin:
CoSchedule
Plugin Slug:
coschedule-by-todaymade
Installations
3,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

E-namad & Shamed Logo Manager

Plugin Slug:
e-namad-shamed-logo-manager
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

HivePress Claim Listings

Plugin Slug:
hivepress-claim-listings
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

HivePress Claim Listings

Plugin Slug:
hivepress-claim-listings
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Login-Logout

Plugin Slug:
login-logout
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Designil PDPA Thailand

Plugin Slug:
pdpa-thailand
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Piotnet Forms

Plugin Slug:
piotnetforms
Installations
3,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Podlove Subscribe button

Plugin Slug:
podlove-subscribe-button
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Text To Speech TTS Accessibility

Plugin Slug:
text-to-audio
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CardCom Payment Gateway

Plugin Slug:
woo-cardcom-payment-gateway
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Directory Kit

Plugin Slug:
wpdirectorykit
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Compact Archives

Plugin Slug:
compact-archives
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Estonian Shipping Methods for WooCommerce

Plugin Slug:
estonian-shipping-methods-for-woocommerce
Installations
2,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
gallery-photo-gallery
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GD bbPress Tools

Plugin Slug:
gd-bbpress-tools
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Import Markdown – Versatile Markdown Importer

Plugin Slug:
import-markdown
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Colorbox

Plugin Slug:
simple-colorbox
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sitekit

Plugin:
Sitekit
Plugin Slug:
sitekit
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bitly’s WordPress Plugin

Plugin Slug:
wp-bitly
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Appointment Booking & Scheduling

Plugin Slug:
advanced-appointment-booking-scheduling
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Append extensions on Pages

Plugin Slug:
append-extensions-on-pages
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
append-link-on-copy
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AuthorSure

Plugin:
AuthorSure
Plugin Slug:
authorsure
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BP Disable Activation Reloaded

Plugin Slug:
bp-disable-activation-reloaded
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Classic Widgets with Block-based Widgets

Plugin Slug:
classic-widgets-with-block-based-widgets
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Content Mask

Plugin Slug:
content-mask
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Content Mask

Plugin Slug:
content-mask
Installations
1,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. You should deactivate the plugin.

CP Multi View Event Calendar

Plugin Slug:
cp-multi-view-calendar
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. You should deactivate the plugin.

Di Themes Demo Site Importer

Plugin Slug:
di-themes-demo-site-importer
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Delisho – Recipe Widgets and Blocks

Plugin Slug:
dr-widgets-blocks
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Emergency Password Reset

Plugin Slug:
emergency-password-reset
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Fastly

Plugin:
Fastly
Plugin Slug:
fastly
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Flexible FAQ

Plugin Slug:
flexible-faq
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Force Update Translations

Plugin Slug:
force-update-translations
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Genesis Club Lite

Plugin Slug:
genesis-club-lite
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Connector Wizard (formerly LC Wizard)

Plugin Slug:
ghl-wizard
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Hide WP Toolbar

Plugin Slug:
hide-wp-toolbar
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

HT Mega – Absolute Addons for WPBakery Page Builder

Plugin Slug:
ht-mega-for-wpbakery
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Beaf – Photo Comparison Block

Plugin Slug:
image-compare-block
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Kama Click Counter

Plugin Slug:
kama-clic-counter
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Last Updated Shortcode

Plugin Slug:
last-updated-shortcode
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MakeStories (for Google Web Stories)

Plugin Slug:
makestories-helper
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution

Plugin Slug:
marketking-multivendor-marketplace-for-woocommerce
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Memberful – Membership Plugin

Plugin Slug:
memberful-wp
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Yoga Schedule Momoyoga

Plugin Slug:
momoyoga-integration
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Netgsm

Plugin:
Netgsm
Plugin Slug:
netgsm
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Frontend File Manager Plugin

Plugin Slug:
nmedia-user-file-uploader
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sendle Shipping Plugin

Plugin Slug:
official-sendle-shipping-method
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PilotPress

Plugin:
PilotPress
Plugin Slug:
pilotpress
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PilotPress

Plugin:
PilotPress
Plugin Slug:
pilotpress
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PlayerJS

Plugin:
PlayerJS
Plugin Slug:
playerjs
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Security Scanner

Plugin Slug:
plugin-security-scanner
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Post Featured Video

Plugin Slug:
post-featured-video
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SALESmanago & Leadoo

Plugin Slug:
salesmanago
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SALESmanago & Leadoo

Plugin Slug:
salesmanago
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SiteNarrator Text-to-Speech Widget

Plugin Slug:
sitespeaker-widget
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
skimlinks
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
skimlinks
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SKT Blocks – Gutenberg based Page Builder

Plugin Slug:
skt-blocks
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Skyword XMLRPC publishing

Plugin Slug:
skyword-plugin
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
slightly-troublesome-permalink
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SV Proven Expert

Plugin Slug:
sv-provenexpert
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Testimonial Slider – Free Testimonials Slider Plugin

Plugin Slug:
testimonial-add
Installations
1,000+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Watermark – Advanced Image Watermarking

Plugin Slug:
ultimate-watermark
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Upcoming Events Lists

Plugin Slug:
upcoming-events-lists
Installations
1,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

User Notes

Plugin:
User Notes
Plugin Slug:
user-notes
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Draft – Tailwind CSS for WordPress.

Plugin Slug:
website-builder
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Website Chat Button: Kommo integration

Plugin Slug:
website-chat-button-kommo-integration
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Werk aan de Muur

Plugin Slug:
werk-aan-de-muur
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WEDOS Global (CDN Cache & Security)

Plugin Slug:
wgpwpp
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPB Quick View Popup for WooCommerce

Plugin Slug:
woocommerce-lightbox
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Advanced PDF

Plugin Slug:
wp-advanced-pdf
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Category Dropdown by GCS Design

Plugin Slug:
wp-category-dropdown
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Compiler

Plugin Slug:
wp-compiler
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CopySafe Web Protection

Plugin Slug:
wp-copysafe-web
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Delete User Accounts

Plugin Slug:
wp-delete-user-accounts
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Subresource Integrity (SRI) Manager

Plugin Slug:
wp-sri
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

xili-tidy-tags

Plugin Slug:
xili-tidy-tags
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BMI Adult & Kid Calculator

Plugin Slug:
bmi-adultkid-calculator
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bot Block – Stop Spam Referrals in Google Analytics

Plugin Slug:
bot-block-stop-spam-google-analytics-referrals
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Developer

Plugin:
Developer
Plugin Slug:
developer
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WeShare Buttons

Plugin Slug:
e-mailit
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Highlight and Share – Social Text and Image Sharing

Plugin Slug:
highlight-and-share
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Lenix scss compiler

Plugin Slug:
lenix-scss-compiler
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Lenix scss compiler

Plugin Slug:
lenix-scss-compiler
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

LWS Affiliation

Plugin Slug:
lws-affiliation
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mail Baby SMTP

Plugin Slug:
mail-baby-smtp
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Map Categories to Pages

Plugin Slug:
map-categories-to-pages
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PE Easy Slider

Plugin Slug:
pe-easy-slider
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
seo-backlink-monitor
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
seo-backlink-monitor
Installations
900+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Meta Tags

Plugin Slug:
simple-meta-tags
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

The Tribal Plugin

Plugin Slug:
the-tech-tribe
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

The Tribal Plugin

Plugin Slug:
the-tech-tribe
Installations
900+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

TOCHAT.BE

Plugin:
TOCHAT.BE
Plugin Slug:
tochat-be
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate WP Mail

Plugin Slug:
ultimate-wp-mail
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Video Blogster Lite

Plugin Slug:
video-blogster-lite
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Media Categories

Plugin Slug:
wp-media-categories
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP System Information

Plugin Slug:
wp-system-info
Installations
900+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Yext Plugin

Plugin Slug:
yext
Installations
900+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BuddyPress Notification Widget

Plugin Slug:
buddypress-notifications-widget
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
category-featured-images
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

StylePress for Elementor

Plugin Slug:
full-site-builder-for-elementor
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Gianism

Plugin:
Gianism
Plugin Slug:
gianism
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

HT Feed

Plugin:
HT Feed
Plugin Slug:
ht-instagram
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Image Editor by Pixo

Plugin Slug:
image-editor-by-pixo
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Pinterest Pinboard Widget

Plugin Slug:
pinterest-pinboard-widget
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Events Manager – OpenStreetMaps

Plugin Slug:
stonehenge-em-osm
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

xili-language

Plugin Slug:
xili-language
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
carousel
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Gravity Forms HubSpot

Plugin Slug:
gf-hubspot
Installations
700+
Vulnerability:
Open Redirection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

JS Job Manager

Plugin Slug:
js-jobs
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MWW Disclaimer Buttons

Plugin Slug:
mww-disclaimer-buttons
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Notely

Plugin:
Notely
Plugin Slug:
notely
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SQL Chart Builder

Plugin Slug:
sql-chart-builder
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Buckets

Plugin:
Buckets
Plugin Slug:
buckets
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Genealogical Tree – WordPress Family Tree

Plugin Slug:
genealogical-tree
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Shortcode

Plugin:
Shortcode
Plugin Slug:
shortcode
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SnapWidget Social Photo Feed Widget

Plugin Slug:
snapwidget-wp-instagram-widget
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Theater for WordPress

Plugin Slug:
theatre
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

VikRestaurants Table Reservations and Take-Away

Plugin Slug:
vikrestaurants
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

VikRestaurants Table Reservations and Take-Away

Plugin Slug:
vikrestaurants
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooMS

Plugin:
WooMS
Plugin Slug:
wooms
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooMS

Plugin:
WooMS
Plugin Slug:
wooms
Installations
600+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Widgets Shortcode

Plugin Slug:
wp-widgets-shortcode
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AgreeMe Checkboxes For WooCommerce

Plugin Slug:
agreeme-checkboxes-for-woocommerce
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AR for WordPress

Plugin Slug:
ar-for-wordpress
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Card Elements for WPBakery

Plugin Slug:
card-elements-for-wpbakery
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
category-featured-images-extended
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

DELUCKS SEO

Plugin Slug:
delucks-seo
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Frontend Admin – Display WP Admin Pages in the Frontend

Plugin Slug:
display-admin-page-on-frontend
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Epeken All Kurir Plugin for Woocommerce Full Version

Plugin Slug:
epeken-all-kurir
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Front End Users

Plugin Slug:
front-end-only-users
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Heureka

Plugin:
Heureka
Plugin Slug:
heureka
Installations
500+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Library Bookshelves

Plugin Slug:
library-bookshelves
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Maps for WP

Plugin Slug:
maps-for-wp
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
ngg-smart-image-search
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Nota Fiscal Eletrônica WooCommerce

Plugin Slug:
nota-fiscal-eletronica-woocommerce
Installations
500+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Nota Fiscal Eletrônica WooCommerce

Plugin Slug:
nota-fiscal-eletronica-woocommerce
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

payOS

Plugin:
payOS
Plugin Slug:
payos
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Behance Portfolio Manager

Plugin Slug:
portfolio-manager-powered-by-behance
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Product Time Countdown for WooCommerce

Plugin Slug:
product-countdown-for-woocommerce
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Tapfiliate

Plugin:
Tapfiliate
Plugin Slug:
tapfiliate
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

UK Address Postcode Validation

Plugin Slug:
uk-address-postcode-validation
Installations
500+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Deliver via Shipos for WooCommerce

Plugin Slug:
wc-shipos-delivery
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

JSM file_get_contents() Shortcode

Plugin Slug:
wp-file-get-contents
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Proposals

Plugin Slug:
wp-proposals
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Zoho Billing – Embed Payment Form

Plugin Slug:
zoho-subscriptions
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

bbp topic count

Plugin Slug:
bbp-topic-count
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Gravity Forms Keap/Infusionsoft

Plugin Slug:
gf-infusionsoft
Installations
400+
Vulnerability:
Open Redirection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Job Board Manager

Plugin Slug:
job-board-manager
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

NewsmanApp

Plugin:
NewsmanApp
Plugin Slug:
newsmanapp
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Helpdesk Support Ticket System for WooCommerce

Plugin Slug:
support-ticket-system-for-woocommerce
Installations
400+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
tz-plus-gallery
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sales Count Manager for WooCommerce

Plugin Slug:
wc-sales-count-manager
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Additional Fees For WooCommerce Checkout (Free)

Plugin Slug:
woo-additional-fees-on-checkout-wordpress
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Goracash

Plugin:
Goracash
Plugin Slug:
goracash
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AnyClip Luminous Studio

Plugin Slug:
anyclip-media
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AnyClip Luminous Studio

Plugin Slug:
anyclip-media
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Form Generator for WordPress

Plugin Slug:
form-generator-powered-by-jotform
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

VoucherPress

Plugin Slug:
voucherpress
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Auction Feed

Plugin Slug:
auction-feed
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Editor Custom Color Palette

Plugin Slug:
editor-custom-color-palette
Installations
100+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

HotelRunner Booking Widget

Plugin Slug:
hotelrunner
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Magento 2 WordPress Integration

Plugin Slug:
m2wp
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mavis HTTPS to HTTP Redirection

Plugin Slug:
mavis-https-to-http-redirect
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

eZee Online Hotel Booking Engine

Plugin Slug:
online-booking-engine
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Page Manager for Elementor

Plugin Slug:
page-manager-for-elementor
Installations
100+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Printcart Web to Print Product Designer for WooCommerce

Plugin Slug:
printcart-integration
Installations
100+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Proof Factor – Social Proof Notifications

Plugin Slug:
proof-factor-social-proof-notifications
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GSheets Connector

Plugin Slug:
sheetlink
Installations
100+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Sweet Energy Efficiency

Plugin Slug:
sweet-energy-efficiency
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Verowa Connect

Plugin Slug:
verowa-connect
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPMK PDF Generator

Plugin Slug:
wpmk-pdf-generator
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

LinkedInclude

Plugin Slug:
linkedinclude
Installations
90+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mobi2Go

Plugin:
Mobi2Go
Plugin Slug:
mobi2go
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

NIX Anti-Spam Light

Plugin Slug:
nix-anti-spam-light
Installations
90+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Stock Message

Plugin Slug:
stock-message
Installations
90+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Content Protection

Plugin Slug:
wp-content-protection
Installations
90+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Adverts Plugin – Adverts Click Tracker

Plugin Slug:
adverts-click-tracker
Installations
80+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Grid

Plugin:
Grid
Plugin Slug:
grid
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

HORIZONTAL SLIDER

Plugin Slug:
horizontal-slider
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

HTACCESS IP Blocker

Plugin Slug:
htaccess-ip-blocker
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ShrinkTheWeb (STW) Website Previews Plugin

Plugin Slug:
shrinktheweb-website-preview-plugin
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

W3SCloud Contact Form 7 to Zoho CRM

Plugin Slug:
w3s-cf7-zoho
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Flytedesk Digital

Plugin Slug:
flytedesk-digital
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

GST for WooCommerce

Plugin Slug:
gst-for-woocommerce
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Show Pages List

Plugin Slug:
show-pages-list
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Restaurant Menu

Plugin Slug:
simple-restaurant-menu
Installations
70+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Casengo Live Chat Support

Plugin Slug:
the-casengo-chat-widget
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Conditional Cart Messages for WooCommerce – YourPlugins.com

Plugin Slug:
yourplugins-wc-conditional-cart-notices
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

SAPO Feed

Plugin:
SAPO Feed
Plugin Slug:
sapo-feed
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Tesseract

Plugin Slug:
wp-tesseract
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

DOAJ Export

Plugin Slug:
doaj-export
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Google+ Comments

Plugin Slug:
google-plus-comments
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Gravitate Automated Tester

Plugin Slug:
gravitate-automated-tester
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

HieCOR Payment Gateway Plugin

Plugin Slug:
hcv4-payment-gateway
Installations
40+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

kontur Admin Style

Plugin Slug:
kontur-admin-style
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Recaptcha – wp

Plugin Slug:
recaptcha-wp
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
seo-search-permalink
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bg Church Memos

Plugin Slug:
bg-church-memos
Installations
30+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Wp tabber widget

Plugin Slug:
wp-tabber-widget
Installations
20+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Custom Post Type Images

Plugin Slug:
custom-post-types-image
Installations
10+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Dialogity Free Live Chat

Plugin Slug:
dialogity-website-chat
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Virtual Assistant

Plugin:
WP Virtual Assistant
Plugin Slug:
VirtualAssistant
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AllInOne – Banner Rotator

Plugin:
AllInOne – Banner Rotator
Plugin Slug:
all-in-one-bannerRotator
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

LambertGroup – AllInOne – Banner with Playlist

Plugin:
LambertGroup – AllInOne – Banner with Playlist
Plugin Slug:
all-in-one-bannerWithPlaylist
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

LambertGroup – AllInOne – Content Slider

Plugin:
LambertGroup – AllInOne – Content Slider
Plugin Slug:
all-in-one-contentSlider
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

All in One Music Player

Plugin:
All in One Music Player
Plugin Slug:
all-in-one-music-player
Vulnerability:
Path Traversal
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

LambertGroup – AllInOne – Banner with Thumbnails

Plugin:
LambertGroup – AllInOne – Banner with Thumbnails
Plugin Slug:
all-in-one-thumbnailsBanner
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

All Social Share Options

Plugin:
All Social Share Options
Plugin Slug:
all-social-share-options
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Eulerpool Research Systems

Plugin:
Eulerpool Research Systems
Plugin Slug:
alleaktien-quantitativ
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Any News Ticker

Plugin:
Any News Ticker
Plugin Slug:
any-news-ticker
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bei Fen

Plugin:
Bei Fen
Plugin Slug:
bei-fen
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

BP Direct Menus

Plugin:
BP Direct Menus
Plugin Slug:
bp-direct-menus
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

cForms

Plugin:
cForms
Plugin Slug:
cforms-plugin
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Chat by Chatwee

Plugin:
Chat by Chatwee
Plugin Slug:
chatwee
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Click & Tweet

Plugin:
Click & Tweet
Plugin Slug:
click-tweet
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Copypress Rest API

Plugin:
Copypress Rest API
Plugin Slug:
copypress-rest-api
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

dbview

Plugin:
dbview
Plugin Slug:
dbview
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Directory Pro

Plugin:
Directory Pro
Plugin Slug:
directory-pro
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Easy Hotel Booking

Plugin:
Easy Hotel Booking
Plugin Slug:
easy-hotel
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Easy Pricing Table WP

Plugin:
Easy Pricing Table WP
Plugin Slug:
easy-pricing-table-wp
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Event Rocket

Plugin:
Event Rocket
Plugin Slug:
event-rocket
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Silencesoft RSS Reader

Plugin:
Silencesoft RSS Reader
Plugin Slug:
external-rss-reader
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Silencesoft RSS Reader

Plugin:
Silencesoft RSS Reader
Plugin Slug:
external-rss-reader
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

FancyTabs

Plugin:
FancyTabs
Plugin Slug:
fancytabs
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

FoodBook

Plugin:
FoodBook
Plugin Slug:
foodbook
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Grand Conference Theme Custom Post Type

Plugin:
Grand Conference Theme Custom Post Type
Plugin Slug:
grandconference-custom-post
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GutenBee

Plugin:
GutenBee
Plugin Slug:
gutenbee
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Printeers Print & Ship

Plugin:
Printeers Print & Ship
Plugin Slug:
invition-print-ship
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Javo Core

Plugin:
Javo Core
Plugin Slug:
javo-core
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Javo Core

Plugin:
Javo Core
Plugin Slug:
javo-core
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Layers

Plugin:
Layers
Plugin Slug:
layers
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ListingPro

Plugin:
ListingPro
Plugin Slug:
listingpro-plugin
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ListingPro Reviews

Plugin:
ListingPro Reviews
Plugin Slug:
listingpro-reviews
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mihdan: Elementor Yandex Maps

Plugin:
Mihdan: Elementor Yandex Maps
Plugin Slug:
mihdan-elementor-yandex-maps
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

My AskAI

Plugin:
My AskAI
Plugin Slug:
my-askai
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Nexa Blocks

Plugin:
Nexa Blocks
Plugin Slug:
nexa-blocks
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Oshine Core

Plugin:
Oshine Core
Plugin Slug:
oshine-core
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PGS Core

Plugin:
PGS Core
Plugin Slug:
pgs-core
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

planetcalc

Plugin:
planetcalc
Plugin Slug:
planetcalc
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PopAd

Plugin:
PopAd
Plugin Slug:
popad
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Post By Email

Plugin:
Post By Email
Plugin Slug:
post-by-email
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Accordion FAQ

Plugin:
Accordion FAQ
Plugin Slug:
pressapps-accordion-faq
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Professional Contact Form

Plugin:
Professional Contact Form
Plugin Slug:
professional-contact-form
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Subscribe to Download

Plugin:
Subscribe to Download
Plugin Slug:
subscribe-to-download
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Subscribe to Download

Plugin:
Subscribe to Download
Plugin Slug:
subscribe-to-download
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Subscribe To Unlock

Plugin:
Subscribe To Unlock
Plugin Slug:
subscribe-to-unlock
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Subscribe To Unlock

Plugin:
Subscribe To Unlock
Plugin Slug:
subscribe-to-unlock
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Survey Anyplace

Plugin:
Survey Anyplace
Plugin Slug:
surveyanyplace
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sync Feedly

Plugin:
Sync Feedly
Plugin Slug:
sync-feedly
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

TF Woo Product Grid Addon For Elementor

Plugin:
TF Woo Product Grid Addon For Elementor
Plugin Slug:
tf-woo-product-grid
Vulnerability:
Deserialization of untrusted data
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

The Pack Elementor addons

Plugin:
The Pack Elementor addons
Plugin Slug:
the-pack-addon
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Tiny Bootstrap Elements Light

Plugin:
Tiny Bootstrap Elements Light
Plugin Slug:
tiny-bootstrap-elements-light
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Trust Reviews

Plugin:
Trust Reviews
Plugin Slug:
trust-reviews
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

TweetThis Shortcode

Plugin:
TweetThis Shortcode
Plugin Slug:
tweetthis-shortcode
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

VM Menu Reorder

Plugin:
VM Menu Reorder
Plugin Slug:
vm-menu-reorder
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WeedMaps Menu

Plugin:
WeedMaps Menu
Plugin Slug:
weedmaps-menu-embed
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Big Post Shipping for WooCommerce

Plugin:
Big Post Shipping for WooCommerce
Plugin Slug:
woo-bigpost-shipping
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooEvents

Plugin:
WooEvents
Plugin Slug:
woo-events
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Subscription Forms PRO

Plugin:
WP Subscription Forms PRO
Plugin Slug:
wp-subscription-forms-pro
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Backuply – Backup, Restore, Migrate and Clone

Plugin Slug:
backuply
Installations
600,000+
Vulnerability:
Arbitrary File Deletion
Patched in Version:
1.4.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.9.

Ninja Forms – The Contact Form Builder That Grows With You

Plugin Slug:
ninja-forms
Installations
600,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.12.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.12.1.

Ninja Forms – The Contact Form Builder That Grows With You

Plugin Slug:
ninja-forms
Installations
600,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.12.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.12.1.

Translate Multilingual sites – TranslatePress

Plugin Slug:
translatepress-multilingual
Installations
400,000+
Vulnerability:
Deserialization of untrusted data
Patched in Version:
2.10.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.10.3.

Admin and Site Enhancements (ASE)

Plugin Slug:
admin-site-enhancements
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.9.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.9.8.

Nextend Social Login and Register

Plugin Slug:
nextend-facebook-connect
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.1.20
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.1.20.

Colibri Page Builder

Plugin Slug:
colibri-page-builder
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.334
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.334.

Download Manager

Plugin Slug:
download-manager
Installations
100,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.3.25
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.3.25.

Make Column Clickable for Elementor

Plugin Slug:
make-column-clickable-elementor
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.6.1.

Stackable – Page Builder Gutenberg Blocks

Plugin Slug:
stackable-ultimate-gutenberg-blocks
Installations
100,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
3.19.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.19.0.

Stackable – Page Builder Gutenberg Blocks

Plugin Slug:
stackable-ultimate-gutenberg-blocks
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.19.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.19.0.

Plugin Slug:
featured-image-from-url
Installations
80,000+
Vulnerability:
SQL Injection
Patched in Version:
5.2.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.2.8.

Plugin Slug:
featured-image-from-url
Installations
80,000+
Vulnerability:
Broken Access Control
Patched in Version:
5.2.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.2.8.

Plugin Slug:
featured-image-from-url
Installations
80,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
5.2.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.2.8.

Jupiter X Core

Plugin Slug:
jupiterx-core
Installations
80,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.11.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.11.1.

Comments – wpDiscuz

Plugin Slug:
wpdiscuz
Installations
80,000+
Vulnerability:
Broken Access Control
Patched in Version:
7.6.34
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.6.34.

Media Library Assistant

Plugin Slug:
media-library-assistant
Installations
70,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.29
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.29.

Theme My Login

Plugin Slug:
theme-my-login
Installations
60,000+
Vulnerability:
Broken Access Control
Patched in Version:
7.1.13
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.1.13.

WP-Members Membership Plugin

Plugin Slug:
wp-members
Installations
60,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.5.4.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.5.4.3.

Better Find and Replace – AI-Powered Suggestions

Plugin Slug:
real-time-auto-find-and-replace
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.7.

Ajax Load More – Infinite Scroll

Plugin Slug:
ajax-load-more
Installations
40,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
7.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.6.1.

Page-list

Plugin:
Page-list
Plugin Slug:
page-list
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.9.

Plugin Slug:
gallery-custom-links
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.6.

Team Members

Plugin Slug:
team-members
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.3.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.3.6.

Trustpilot Reviews

Plugin Slug:
trustpilot-reviews
Installations
30,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.6.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.0.

Ibtana – WordPress Website Builder

Plugin Slug:
ibtana-visual-editor
Installations
20,000+
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
1.2.5.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.5.4.

Custom Block Builder – Lazy Blocks

Plugin Slug:
lazy-blocks
Installations
20,000+
Vulnerability:
Broken Access Control
Patched in Version:
4.1.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.1.1.

SmartCrawl SEO checker, analyzer & optimizer

Plugin Slug:
smartcrawl-seo
Installations
20,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.14.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.14.4.

Uncanny Toolkit for LearnDash

Plugin Slug:
uncanny-learndash-toolkit
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.7.0.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.7.0.4.

Mega Elements – Addons for Elementor

Plugin Slug:
mega-elements-addons-for-elementor
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.3.

Open User Map

Plugin Slug:
open-user-map
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4.15
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.15.

Postie

Plugin:
Postie
Plugin Slug:
postie
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.9.71
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.9.71.

Team – Team Members Showcase Plugin

Plugin Slug:
tlp-team
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
5.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.0.7.

WPeMatico RSS Feed Fetcher

Plugin Slug:
wpematico
Installations
10,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
2.8.11
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.11.

Super Blank

Plugin Slug:
super-blank
Installations
9,000+
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
1.3.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.0.

WP Compress – Instant Performance & Speed Optimization

Plugin Slug:
wp-compress-image-optimizer
Installations
9,000+
Vulnerability:
Broken Access Control
Patched in Version:
6.50.55
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.50.55.

Download After Email – Subscribe & Download Form Plugin

Plugin Slug:
download-after-email
Installations
8,000+
Vulnerability:
Other Vulnerability Type
Patched in Version:
2.1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.7.

aThemes Addons for Elementor

Plugin Slug:
athemes-addons-for-elementor-lite
Installations
7,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.3.

OAuth Single Sign On – SSO (OAuth Client)

Plugin Slug:
miniorange-login-with-eve-online-google-facebook
Installations
7,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
6.26.13
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.26.13.

Themify Builder

Plugin Slug:
themify-builder
Installations
7,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.7.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.7.0.

CubeWP – All-in-One Dynamic Content Framework

Plugin Slug:
cubewp-framework
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.27
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.27.

Plugin Slug:
termageddon-usercentrics
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.2.

Coupon Affiliates – Affiliate Plugin for WooCommerce

Plugin Slug:
woo-coupon-usage
Installations
5,000+
Vulnerability:
Broken Access Control
Patched in Version:
6.8.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.8.1.

WPKoi Templates for Elementor

Plugin Slug:
wpkoi-templates-for-elementor
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.4.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.4.4.

Etsy Shop

Plugin:
Etsy Shop
Plugin Slug:
etsy-shop
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.0.7.

Podlove Podcast Publisher

Plugin Slug:
podlove-podcasting-plugin-for-wordpress
Installations
4,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
4.2.7
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.2.7.

Interact: Embed A Quiz On Your Site

Plugin Slug:
interact-quiz-embed
Installations
3,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.

Mapster WP Maps

Plugin Slug:
mapster-wp-maps
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.21.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.21.0.

Upsell Funnel Builder for WooCommerce – New Marketing Funnel Builder and Sales Funnel Builder tailored for your store.

Plugin Slug:
upsell-order-bump-offer-for-woocommerce
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.8.

WP-DownloadManager

Plugin Slug:
wp-downloadmanager
Installations
3,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
1.69
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.69.

Smart Blocks

Plugin Slug:
smart-blocks
Installations
2,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.

Payrexx Payment Gateway for WooCommerce

Plugin Slug:
woo-payrexx-gateway
Installations
2,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.1.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.1.6.

Quick View for WooCommerce

Plugin Slug:
woo-quickview
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.17
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.17.

Clariti

Plugin:
Clariti
Plugin Slug:
clariti
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.2.

Custom Login URL

Plugin Slug:
custom-login-url
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.3.

Easy Elementor Addons

Plugin Slug:
easy-elementor-addons
Installations
1,000+
Vulnerability:
Local File Inclusion
Patched in Version:
2.2.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.2.9.

GetResponse Forms by Optin Cat

Plugin Slug:
getresponse
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.1.

Markup Markdown

Plugin Slug:
markup-markdown
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.20.10
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.20.10.

Product Catalog Simple

Plugin Slug:
post-type-x
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.3.

Revive.so – Bulk Rewrite and Republish Blog Posts

Plugin Slug:
revive-so
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.7.

Safety Exit

Plugin Slug:
safety-exit
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.1.

Save as PDF Plugin by PDFCrowd

Plugin Slug:
save-as-pdf-by-pdfcrowd
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.5.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.5.3.

Sign-up Sheets

Plugin Slug:
sign-up-sheets
Installations
1,000+
Vulnerability:
PHP Object Injection
Patched in Version:
2.3.3
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.3.3.

Travel Map

Plugin:
Travel Map
Plugin Slug:
travelmap-blog
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.0.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.4.

wp-mpdf

Plugin:
wp-mpdf
Plugin Slug:
wp-mpdf
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.9.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.9.2.

WPCasa

Plugin:
WPCasa
Plugin Slug:
wpcasa
Installations
1,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
1.4.2
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.4.2.

WPComplete

Plugin:
WPComplete
Plugin Slug:
wpcomplete
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.9.5.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.5.3.

Zephyr Project Manager

Plugin Slug:
zephyr-project-manager
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.3.203
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.3.203.

Plugin Slug:
affiliatewp-external-referral-links
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.2.

CashBill.pl – Płatności WooCommerce

Plugin Slug:
cashbill-payment-method
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.3.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.3.0.

System Dashboard

Plugin Slug:
system-dashboard
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.8.21
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.21.

Plugin Slug:
fusion-extension-gallery
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.7.

Easy Quotes

Plugin Slug:
easy-quotes
Installations
600+
Vulnerability:
Broken Access Control
Patched in Version:
1.2.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.5.

List Child Pages Shortcode

Plugin Slug:
list-child-pages-shortcode
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.0.

Publitio

Plugin:
Publitio
Plugin Slug:
publitio
Installations
500+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
2.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.2.

IP Based Login

Plugin Slug:
ip-based-login
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.4.

Advanced Settings 3

Plugin Slug:
advanced-settings
Installations
200+
Vulnerability:
Arbitrary File Upload
Patched in Version:
3.2.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.2.0.

immonex Kickstart Team

Plugin Slug:
immonex-kickstart-team
Installations
200+
Vulnerability:
Local File Inclusion
Patched in Version:
1.7.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.7.0.

Current Age Plugin

Plugin Slug:
current-age
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.7.

Doliconnect

Plugin Slug:
doliconnect
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
9.6.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 9.6.2.

Markdown Shortcode

Plugin Slug:
markdown-shortcode
Installations
20+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
0.2.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 0.2.3.

Widgets for Tiktok Feed

Plugin Slug:
widgets-for-tiktok-video-feed
Installations
20+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.4.

AffiliateWP

Plugin:
AffiliateWP
Plugin Slug:
affiliate-wp
Vulnerability:
SQL Injection
Patched in Version:
2.29.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.29.0.

BM Content Builder

Plugin:
BM Content Builder
Plugin Slug:
bm-builder
Vulnerability:
Arbitrary File Deletion
Patched in Version:
3.16.3.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.16.3.3.

Widget Options – Extended

Plugin:
Widget Options – Extended
Plugin Slug:
extended-widget-options
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.2.2.

Houzez Theme – Functionality

Plugin:
Houzez Theme – Functionality
Plugin Slug:
houzez-theme-functionality
Vulnerability:
Broken Access Control
Patched in Version:
4.1.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 4.1.4.

Houzez Theme – Functionality

Plugin:
Houzez Theme – Functionality
Plugin Slug:
houzez-theme-functionality
Vulnerability:
Arbitrary File Download
Patched in Version:
4.1.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.1.4.

Penci Filter Everything

Plugin:
Penci Filter Everything
Plugin Slug:
penci-filter-everything
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.

Penci Podcast

Plugin:
Penci Podcast
Plugin Slug:
penci-podcast
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.

Penci Portfolio

Plugin:
Penci Portfolio
Plugin Slug:
penci-portfolio
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.

Penci Recipe

Plugin:
Penci Recipe
Plugin Slug:
penci-recipe
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.1.

Penci Shortcodes & Performance

Plugin:
Penci Shortcodes & Performance
Plugin Slug:
penci-shortcodes
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.1.

Uni CPO (Premium)

Plugin:
Uni CPO (Premium)
Plugin Slug:
uni-woo-custom-product-options-premium
Vulnerability:
Arbitrary File Upload
Patched in Version:
4.9.55
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.9.55.

Vehica Core

Plugin:
Vehica Core
Plugin Slug:
vehica-core
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.0.101
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.101.

MultiLoca

Plugin:
MultiLoca
Plugin Slug:
woocommerce-multi-locations-inventory-management
Vulnerability:
Broken Access Control
Patched in Version:
4.2.9
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.2.9.

WorkScout-Core

Plugin:
WorkScout-Core
Plugin Slug:
workscout-core
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.7.06
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.7.06.

WP Attractive Donations System

Plugin:
WP Attractive Donations System
Plugin Slug:
wp-attractive-donations-system-easy-stripe-paypal-donations
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.29
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.29.

WordPress Themes — 6 Patched / 11 Unpatched

Woostify

Theme:
Woostify
Theme Slug:
woostify
Downloads
721,458
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Constructo

Theme:
Constructo
Theme Slug:
constructo
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

CouponXxL

Theme:
CouponXxL
Theme Slug:
couponxxl
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

DriCub

Theme:
DriCub
Theme Slug:
dricub-driving-school
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

DriCub

Theme:
DriCub
Theme Slug:
dricub-driving-school
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Findgo

Theme:
Findgo
Theme Slug:
fingo
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

Frames

Theme:
Frames
Theme Slug:
frames
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

imEvent

Theme:
imEvent
Theme Slug:
imevent
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Nokri

Theme:
Nokri
Theme Slug:
nokri
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

WPLMS

Theme:
WPLMS
Theme Slug:
wplms
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

XStore

Theme:
XStore
Theme Slug:
xstore
Vulnerability:
Content Injection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

DentiCare

Theme:
DentiCare
Theme Slug:
denticare
Vulnerability:
PHP Object Injection
Patched in Version:
1.4.3
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.4.3.

Snow Monkey

Theme:
Snow Monkey
Theme Slug:
snow-monkey
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
29.1.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 29.1.6.

Soledad

Theme:
Soledad
Theme Slug:
soledad
Vulnerability:
Local File Inclusion
Patched in Version:
8.6.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 8.6.9.

Soledad

Theme:
Soledad
Theme Slug:
soledad
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
8.6.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 8.6.9.

TheGem

Theme:
TheGem
Theme Slug:
thegem
Vulnerability:
Broken Access Control
Patched in Version:
5.10.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.10.5.1.

TheGem (Elementor)

Theme:
TheGem (Elementor)
Theme Slug:
thegem-elementor
Vulnerability:
Broken Access Control
Patched in Version:
5.10.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.10.5.1.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
