WordPress Vulnerability Report — September 24, 2025

Since last week, 354 new vulnerabilities have emerged in the WordPress ecosystem, including 2 in WordPress Core, 339 in plugins, and 13 in themes. Of those, 265 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

In this report, 354 vulnerabilities have been publicly disclosed. Security patches for 89 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 265 WordPress Core, plugin, and theme vulnerabilities for which no patch is available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

Patchstack’s bug-bounty program recently disclosed two WordPress Core vulnerabilities. Both are assessed as low severity and require an attacker to have a compromised Contributor-level account on the site to exploit, making widespread abuse unlikely. No virtual patch is available or required; the WordPress Core security team is actively investigating and coordinating fixes.

WordPress Core

Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched.

WordPress Core

Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched.

WordPress Plugins — 85 Patched / 254 Unpatched

Sticky Header Effects for Elementor

Plugin Slug:
sticky-header-effects-for-elementor
Installations
300,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Nextend Social Login and Register

Plugin Slug:
nextend-facebook-connect
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

TI WooCommerce Wishlist

Plugin Slug:
ti-woocommerce-wishlist
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Jupiter X Core

Plugin Slug:
jupiterx-core
Installations
80,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Master Slider – Responsive Touch Slider

Plugin Slug:
master-slider
Installations
70,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Getwid – Gutenberg Blocks

Plugin Slug:
getwid
Installations
50,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Image Hover Effects – Elementor Addon

Plugin Slug:
image-hover-effects-addon-for-elementor
Installations
50,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Perfect Brands for WooCommerce

Plugin Slug:
perfect-woocommerce-brands
Installations
50,000+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Better Find and Replace – AI-Powered Suggestions

Plugin Slug:
real-time-auto-find-and-replace
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

DethemeKit for Elementor

Plugin Slug:
dethemekit-for-elementor
Installations
40,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Page-list

Plugin:
Page-list
Plugin Slug:
page-list
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Hubbub Lite – Fast, Reliable Social Sharing Buttons

Plugin Slug:
social-pug
Installations
40,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ads by Quads – Adsense Ads, Banner Ads, Popup Ads

Plugin Slug:
quick-adsense-reloaded
Installations
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Trustpilot Reviews

Plugin Slug:
trustpilot-reviews
Installations
30,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Events Manager

Plugin Slug:
wp-events-manager
Installations
30,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Geolocation IP Detection

Plugin Slug:
geoip-detect
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Custom Block Builder – Lazy Blocks

Plugin Slug:
lazy-blocks
Installations
20,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Quiz Maker

Plugin:
Quiz Maker
Plugin Slug:
quiz-maker
Installations
20,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Quiz Maker

Plugin:
Quiz Maker
Plugin Slug:
quiz-maker
Installations
20,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Uncanny Toolkit for LearnDash

Plugin Slug:
uncanny-learndash-toolkit
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Blog Designer

Plugin Slug:
blog-designer
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Passster – Password Protect Pages and Content

Plugin Slug:
content-protector
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Translate WordPress with ConveyThis

Plugin Slug:
conveythis-translate
Installations
10,000+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Dashboard Notepad

Plugin Slug:
dashboard-notepad
Installations
10,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
gallery-lightbox-slider
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Open User Map

Plugin Slug:
open-user-map
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
portfolio-elementor
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Qubely – Advanced Gutenberg Blocks

Plugin Slug:
qubely
Installations
10,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Qubely – Advanced Gutenberg Blocks

Plugin Slug:
qubely
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Team – Team Members Showcase Plugin

Plugin Slug:
tlp-team
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Subtitle

Plugin Slug:
wp-subtitle
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPeMatico RSS Feed Fetcher

Plugin Slug:
wpematico
Installations
10,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Convert WordPress to app | AppMySite

Plugin Slug:
appmysite
Installations
9,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
mihdan-no-external-links
Installations
9,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Compress – Instant Performance & Speed Optimization

Plugin Slug:
wp-compress-image-optimizer
Installations
9,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
wp-mailto-links
Installations
9,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Awesome Support – WordPress HelpDesk & Support Plugin

Plugin Slug:
awesome-support
Installations
8,000+
Vulnerability:
Deserialization of untrusted data
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Participants Database

Plugin Slug:
participants-database
Installations
8,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Flexible PDF Invoices for WooCommerce & WordPress

Plugin Slug:
flexible-invoices
Installations
6,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Social Widget

Plugin Slug:
wp-social-widget
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPKoi Templates for Elementor

Plugin Slug:
wpkoi-templates-for-elementor
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mail Subscribe List

Plugin Slug:
mail-subscribe-list
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Post Carousel Slider for Elementor

Plugin Slug:
post-carousel-slider-for-elementor
Installations
4,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Cecabank WooCommerce Plugin

Plugin Slug:
cecabank-woocommerce
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

E-namad & Shamed Logo Manager

Plugin Slug:
e-namad-shamed-logo-manager
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Interact: Embed A Quiz On Your Site

Plugin Slug:
interact-quiz-embed
Installations
3,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Login-Logout

Plugin Slug:
login-logout
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Designil PDPA Thailand

Plugin Slug:
pdpa-thailand
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Piotnet Forms

Plugin Slug:
piotnetforms
Installations
3,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Podlove Subscribe button

Plugin Slug:
podlove-subscribe-button
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Text To Speech TTS Accessibility

Plugin Slug:
text-to-audio
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CardCom Payment Gateway

Plugin Slug:
woo-cardcom-payment-gateway
Installations
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Compact Archives

Plugin Slug:
compact-archives
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Estonian Shipping Methods for WooCommerce

Plugin Slug:
estonian-shipping-methods-for-woocommerce
Installations
2,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
gallery-photo-gallery
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GD bbPress Tools

Plugin Slug:
gd-bbpress-tools
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Import Markdown – Versatile Markdown Importer

Plugin Slug:
import-markdown
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sitekit

Plugin:
Sitekit
Plugin Slug:
sitekit
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Quick View for WooCommerce

Plugin Slug:
woo-quickview
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bitly’s WordPress Plugin

Plugin Slug:
wp-bitly
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Appointment Booking & Scheduling

Plugin Slug:
advanced-appointment-booking-scheduling
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Append extensions on Pages

Plugin Slug:
append-extensions-on-pages
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
append-link-on-copy
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AuthorSure

Plugin:
AuthorSure
Plugin Slug:
authorsure
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BP Disable Activation Reloaded

Plugin Slug:
bp-disable-activation-reloaded
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Clariti

Plugin:
Clariti
Plugin Slug:
clariti
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Classic Widgets with Block-based Widgets

Plugin Slug:
classic-widgets-with-block-based-widgets
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Content Mask

Plugin Slug:
content-mask
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Content Mask

Plugin Slug:
content-mask
Installations
1,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. You should deactivate the plugin.

CP Multi View Event Calendar

Plugin Slug:
cp-multi-view-calendar
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. You should deactivate the plugin.

Emergency Password Reset

Plugin Slug:
emergency-password-reset
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Fastly

Plugin:
Fastly
Plugin Slug:
fastly
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Flexible FAQ

Plugin Slug:
flexible-faq
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Force Update Translations

Plugin Slug:
force-update-translations
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Genesis Club Lite

Plugin Slug:
genesis-club-lite
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Connector Wizard (formerly LC Wizard)

Plugin Slug:
ghl-wizard
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Hide WP Toolbar

Plugin Slug:
hide-wp-toolbar
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

HT Mega – Absolute Addons for WPBakery Page Builder

Plugin Slug:
ht-mega-for-wpbakery
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Beaf – Photo Comparison Block

Plugin Slug:
image-compare-block
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Kama Click Counter

Plugin Slug:
kama-clic-counter
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Last Updated Shortcode

Plugin Slug:
last-updated-shortcode
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MakeStories (for Google Web Stories)

Plugin Slug:
makestories-helper
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution

Plugin Slug:
marketking-multivendor-marketplace-for-woocommerce
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Memberful – Membership Plugin

Plugin Slug:
memberful-wp
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Frontend File Manager Plugin

Plugin Slug:
nmedia-user-file-uploader
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PilotPress

Plugin:
PilotPress
Plugin Slug:
pilotpress
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PilotPress

Plugin:
PilotPress
Plugin Slug:
pilotpress
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Security Scanner

Plugin Slug:
plugin-security-scanner
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Quantities and Units for WooCommerce

Plugin Slug:
quantities-and-units-for-woocommerce
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Safety Exit

Plugin Slug:
safety-exit
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SALESmanago & Leadoo

Plugin Slug:
salesmanago
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SALESmanago & Leadoo

Plugin Slug:
salesmanago
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SiteNarrator Text-to-Speech Widget

Plugin Slug:
sitespeaker-widget
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
skimlinks
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
skimlinks
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Skyword XMLRPC publishing

Plugin Slug:
skyword-plugin
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
slightly-troublesome-permalink
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SV Proven Expert

Plugin Slug:
sv-provenexpert
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Travel Map

Plugin:
Travel Map
Plugin Slug:
travelmap-blog
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Watermark – Advanced Image Watermarking

Plugin Slug:
ultimate-watermark
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Upcoming Events Lists

Plugin Slug:
upcoming-events-lists
Installations
1,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Draft – Tailwind CSS for WordPress.

Plugin Slug:
website-builder
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Website Chat Button: Kommo integration

Plugin Slug:
website-chat-button-kommo-integration
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WPB Quick View Popup for WooCommerce

Plugin Slug:
woocommerce-lightbox
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Advanced PDF

Plugin Slug:
wp-advanced-pdf
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Category Dropdown by GCS Design

Plugin Slug:
wp-category-dropdown
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Compiler

Plugin Slug:
wp-compiler
Installations
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Delete User Accounts

Plugin Slug:
wp-delete-user-accounts
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Subresource Integrity (SRI) Manager

Plugin Slug:
wp-sri
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

xili-tidy-tags

Plugin Slug:
xili-tidy-tags
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BMI Adult & Kid Calculator

Plugin Slug:
bmi-adultkid-calculator
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bot Block – Stop Spam Referrals in Google Analytics

Plugin Slug:
bot-block-stop-spam-google-analytics-referrals
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CashBill.pl – Płatności WooCommerce

Plugin Slug:
cashbill-payment-method
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Developer

Plugin:
Developer
Plugin Slug:
developer
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Highlight and Share – Social Text and Image Sharing

Plugin Slug:
highlight-and-share
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

LWS Affiliation

Plugin Slug:
lws-affiliation
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mail Baby SMTP

Plugin Slug:
mail-baby-smtp
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

PlayerJS

Plugin:
PlayerJS
Plugin Slug:
playerjs
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Plugin Slug:
seo-backlink-monitor
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.
Plugin Slug:
seo-backlink-monitor
Installations
900+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

TOCHAT.BE

Plugin:
TOCHAT.BE
Plugin Slug:
tochat-be
Installations
900+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate WP Mail

Plugin Slug:
ultimate-wp-mail
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP System Information

Plugin Slug:
wp-system-info
Installations
900+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BuddyPress Notification Widget

Plugin Slug:
buddypress-notifications-widget
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.
Plugin Slug:
category-featured-images
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

StylePress for Elementor

Plugin Slug:
full-site-builder-for-elementor
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Gianism

Plugin:
Gianism
Plugin Slug:
gianism
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Image Editor by Pixo

Plugin Slug:
image-editor-by-pixo
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Pinterest Pinboard Widget

Plugin Slug:
pinterest-pinboard-widget
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Events Manager – OpenStreetMaps

Plugin Slug:
stonehenge-em-osm
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

xili-language

Plugin Slug:
xili-language
Installations
800+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.
Plugin Slug:
carousel
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

JS Job Manager

Plugin Slug:
js-jobs
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SQL Chart Builder

Plugin Slug:
sql-chart-builder
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Buckets

Plugin:
Buckets
Plugin Slug:
buckets
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Easy Quotes

Plugin Slug:
easy-quotes
Installations
600+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Genealogical Tree – WordPress Family Tree

Plugin Slug:
genealogical-tree
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Shortcode

Plugin:
Shortcode
Plugin Slug:
shortcode
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SnapWidget Social Photo Feed Widget

Plugin Slug:
snapwidget-wp-instagram-widget
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Theater for WordPress

Plugin Slug:
theatre
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

VikRestaurants Table Reservations and Take-Away

Plugin Slug:
vikrestaurants
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

VikRestaurants Table Reservations and Take-Away

Plugin Slug:
vikrestaurants
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooMS

Plugin:
WooMS
Plugin Slug:
wooms
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooMS

Plugin:
WooMS
Plugin Slug:
wooms
Installations
600+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Widgets Shortcode

Plugin Slug:
wp-widgets-shortcode
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AgreeMe Checkboxes For WooCommerce

Plugin Slug:
agreeme-checkboxes-for-woocommerce
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Card Elements for WPBakery

Plugin Slug:
card-elements-for-wpbakery
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.
Plugin Slug:
category-featured-images-extended
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

DELUCKS SEO

Plugin Slug:
delucks-seo
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Frontend Admin – Display WP Admin Pages in the Frontend

Plugin Slug:
display-admin-page-on-frontend
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Easy Hotel Booking – Powerful Hotel Booking Plugin

Plugin Slug:
easy-hotel
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Epeken All Kurir Plugin for Woocommerce Full Version

Plugin Slug:
epeken-all-kurir
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Front End Users

Plugin Slug:
front-end-only-users
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Heureka

Plugin:
Heureka
Plugin Slug:
heureka
Installations
500+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Library Bookshelves

Plugin Slug:
library-bookshelves
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Maps for WP

Plugin Slug:
maps-for-wp
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.
Plugin Slug:
ngg-smart-image-search
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

payOS

Plugin:
payOS
Plugin Slug:
payos
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Behance Portfolio Manager

Plugin Slug:
portfolio-manager-powered-by-behance
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Product Time Countdown for WooCommerce

Plugin Slug:
product-countdown-for-woocommerce
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Tapfiliate

Plugin:
Tapfiliate
Plugin Slug:
tapfiliate
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

UK Address Postcode Validation

Plugin Slug:
uk-address-postcode-validation
Installations
500+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Deliver via Shipos for WooCommerce

Plugin Slug:
wc-shipos-delivery
Installations
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

JSM file_get_contents() Shortcode

Plugin Slug:
wp-file-get-contents
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Proposals

Plugin Slug:
wp-proposals
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Zoho Billing – Embed Payment Form

Plugin Slug:
zoho-subscriptions
Installations
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Gravity Forms Keap/Infusionsoft

Plugin Slug:
gf-infusionsoft
Installations
400+
Vulnerability:
Open Redirection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Helpdesk Support Ticket System for WooCommerce

Plugin Slug:
support-ticket-system-for-woocommerce
Installations
400+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.
Plugin Slug:
tz-plus-gallery
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sales Count Manager for WooCommerce

Plugin Slug:
wc-sales-count-manager
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Additional Fees For WooCommerce Checkout (Free)

Plugin Slug:
woo-additional-fees-on-checkout-wordpress
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Goracash

Plugin:
Goracash
Plugin Slug:
goracash
Installations
300+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AnyClip Luminous Studio

Plugin Slug:
anyclip-media
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AnyClip Luminous Studio

Plugin Slug:
anyclip-media
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Easy Pricing Table WP

Plugin Slug:
easy-pricing-table-wp
Installations
200+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Form Generator for WordPress

Plugin Slug:
form-generator-powered-by-jotform
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

immonex Kickstart Team

Plugin Slug:
immonex-kickstart-team
Installations
200+
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

VoucherPress

Plugin Slug:
voucherpress
Installations
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Auction Feed

Plugin Slug:
auction-feed
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Editor Custom Color Palette

Plugin Slug:
editor-custom-color-palette
Installations
100+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Magento 2 WordPress Integration

Plugin Slug:
m2wp
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Mavis HTTPS to HTTP Redirection

Plugin Slug:
mavis-https-to-http-redirect
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

NIX Anti-Spam Light

Plugin Slug:
nix-anti-spam-light
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

eZee Online Hotel Booking Engine

Plugin Slug:
online-booking-engine
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Printcart Web to Print Product Designer for WooCommerce

Plugin Slug:
printcart-integration
Installations
100+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Proof Factor – Social Proof Notifications

Plugin Slug:
proof-factor-social-proof-notifications
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Sweet Energy Efficiency

Plugin Slug:
sweet-energy-efficiency
Installations
100+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Verowa Connect

Plugin Slug:
verowa-connect
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

LinkedInclude

Plugin Slug:
linkedinclude
Installations
90+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mobi2Go

Plugin:
Mobi2Go
Plugin Slug:
mobi2go
Installations
90+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GSheets Connector

Plugin Slug:
sheetlink
Installations
90+
Vulnerability:
PHP Object Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Stock Message

Plugin Slug:
stock-message
Installations
90+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP Content Protection

Plugin Slug:
wp-content-protection
Installations
90+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WPMK PDF Generator

Plugin Slug:
wpmk-pdf-generator
Installations
90+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Adverts Plugin – Adverts Click Tracker

Plugin Slug:
adverts-click-tracker
Installations
80+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Current Age Plugin

Plugin Slug:
current-age
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Grid

Plugin:
Grid
Plugin Slug:
grid
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

HORIZONTAL SLIDER

Plugin Slug:
horizontal-slider
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

ShrinkTheWeb (STW) Website Previews Plugin

Plugin Slug:
shrinktheweb-website-preview-plugin
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Casengo Live Chat Support

Plugin Slug:
the-casengo-chat-widget
Installations
80+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Show Pages List

Plugin Slug:
show-pages-list
Installations
70+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Restaurant Menu

Plugin Slug:
simple-restaurant-menu
Installations
70+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Doliconnect

Plugin Slug:
doliconnect
Installations
60+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Wide Banner

Plugin Slug:
wide-banner
Installations
50+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

DOAJ Export

Plugin Slug:
doaj-export
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Gravitate Automated Tester

Plugin Slug:
gravitate-automated-tester
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SAPO Feed

Plugin:
SAPO Feed
Plugin Slug:
sapo-feed
Installations
40+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Bg Church Memos

Plugin Slug:
bg-church-memos
Installations
30+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Wp tabber widget

Plugin Slug:
wp-tabber-widget
Installations
20+
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Custom Post Type Images

Plugin Slug:
custom-post-types-image
Installations
10+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Dialogity Free Live Chat

Plugin Slug:
dialogity-website-chat
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Service Finder SMS System

Plugin:
Service Finder SMS System
Plugin Slug:
aone-sms
Vulnerability:
Broken Authentication
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Browser Sniff

Plugin:
Browser Sniff
Plugin Slug:
browser-sniff
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Custom Login And Signup Widget

Plugin:
Custom Login And Signup Widget
Plugin Slug:
custom-login-and-signup-widget
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Directory Pro

Plugin:
Directory Pro
Plugin Slug:
directory-pro
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Event Rocket

Plugin:
Event Rocket
Plugin Slug:
event-rocket
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Printeers Print & Ship

Plugin:
Printeers Print & Ship
Plugin Slug:
invition-print-ship
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Javo Core

Plugin:
Javo Core
Plugin Slug:
javo-core
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ListingPro Reviews

Plugin:
ListingPro Reviews
Plugin Slug:
listingpro-reviews
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Miniorange OTP Verification with Firebase

Plugin:
Miniorange OTP Verification with Firebase
Plugin Slug:
miniorange-firebase-sms-otp-verification
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Oshine Core

Plugin:
Oshine Core
Plugin Slug:
oshine-core
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

osTicket WP Bridge

Plugin:
osTicket WP Bridge
Plugin Slug:
osticket-wp-bridge
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Accordion FAQ

Plugin:
Accordion FAQ
Plugin Slug:
pressapps-accordion-faq
Vulnerability:
Local File Inclusion
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Robcore Netatmo

Plugin:
Robcore Netatmo
Plugin Slug:
robcore-netatmo
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Service Finder Booking

Plugin:
Service Finder Booking
Plugin Slug:
sf-booking
Vulnerability:
Privilege Escalation
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

The Events Calendar

Plugin Slug:
the-events-calendar
Installations
700,000+
Vulnerability:
Broken Access Control
Patched in Version:
6.15.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.15.3.

Blocksy Companion

Plugin Slug:
blocksy-companion
Installations
300,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.1.11
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.11.

Admin and Site Enhancements (ASE)

Plugin Slug:
admin-site-enhancements
Installations
200,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.9.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.9.8.

Colibri Page Builder

Plugin Slug:
colibri-page-builder
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.0.334
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.334.

Download Manager

Plugin Slug:
download-manager
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.3.24
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.3.24.

Kubio AI Page Builder

Plugin Slug:
kubio
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.6.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.5.

Make Column Clickable for Elementor

Plugin Slug:
make-column-clickable-elementor
Installations
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.6.1.

Comments – wpDiscuz

Plugin Slug:
wpdiscuz
Installations
80,000+
Vulnerability:
Broken Access Control
Patched in Version:
7.6.34
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.6.34.

Media Library Assistant

Plugin Slug:
media-library-assistant
Installations
70,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.29
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.29.

WP-Members Membership Plugin

Plugin Slug:
wp-members
Installations
60,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.5.4.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.5.4.3.

Ajax Load More – Infinite Scroll

Plugin Slug:
ajax-load-more
Installations
40,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
7.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.6.1.

Ibtana – WordPress Website Builder

Plugin Slug:
ibtana-visual-editor
Installations
20,000+
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
1.2.5.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.5.4.

Quiz Maker

Plugin:
Quiz Maker
Plugin Slug:
quiz-maker
Installations
20,000+
Vulnerability:
SQL Injection
Patched in Version:
6.7.0.57
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 6.7.0.57.

WP Import – Ultimate CSV XML Importer for WordPress

Plugin Slug:
wp-ultimate-csv-importer
Installations
20,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
7.29
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 7.29.

WP Import – Ultimate CSV XML Importer for WordPress

Plugin Slug:
wp-ultimate-csv-importer
Installations
20,000+
Vulnerability:
Arbitrary File Deletion
Patched in Version:
7.28
Severity Score:
High
The vulnerability has been patched, so you should update to version 7.28.

Blaze Demo Importer

Plugin Slug:
blaze-demo-importer
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.0.13
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.13.
Plugin Slug:
seo-automated-link-building
Installations
10,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.0.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.2.

WP Hotel Booking

Plugin Slug:
wp-hotel-booking
Installations
8,000+
Vulnerability:
Content Injection
Patched in Version:
2.2.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.3.

CubeWP – All-in-One Dynamic Content Framework

Plugin Slug:
cubewp-framework
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.27
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.27.
Plugin Slug:
termageddon-usercentrics
Installations
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.2.

Coupon Affiliates – Affiliate Plugin for WooCommerce

Plugin Slug:
woo-coupon-usage
Installations
5,000+
Vulnerability:
Broken Access Control
Patched in Version:
6.8.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.8.1.

Etsy Shop

Plugin:
Etsy Shop
Plugin Slug:
etsy-shop
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.0.7.

Podlove Podcast Publisher

Plugin Slug:
podlove-podcasting-plugin-for-wordpress
Installations
4,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
4.2.7
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.2.7.

Upsell Funnel Builder for WooCommerce – New Marketing Funnel Builder and Sales Funnel Builder tailored for your store.

Plugin Slug:
upsell-order-bump-offer-for-woocommerce
Installations
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.8.

Smart Blocks

Plugin Slug:
smart-blocks
Installations
2,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.

Payrexx Payment Gateway for WooCommerce

Plugin Slug:
woo-payrexx-gateway
Installations
2,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.1.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.1.6.

Password Reset with Code for WordPress REST API

Plugin Slug:
bdvs-password-reset
Installations
1,000+
Vulnerability:
Other Vulnerability Type
Patched in Version:
0.0.17
Severity Score:
High
The vulnerability has been patched, so you should update to version 0.0.17.

Chained Quiz

Plugin Slug:
chained-quiz
Installations
1,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
1.3.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.6.

Custom Login URL

Plugin Slug:
custom-login-url
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.3.

Easy Elementor Addons

Plugin Slug:
easy-elementor-addons
Installations
1,000+
Vulnerability:
Local File Inclusion
Patched in Version:
2.2.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.2.9.

GetResponse Forms by Optin Cat

Plugin Slug:
getresponse
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.1.

Markup Markdown

Plugin Slug:
markup-markdown
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.20.10
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.20.10.

Product Catalog Simple

Plugin Slug:
post-type-x
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.8.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.3.

Revive.so – Bulk Rewrite and Republish Blog Posts

Plugin Slug:
revive-so
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.7.

Save as PDF Plugin by PDFCrowd

Plugin Slug:
save-as-pdf-by-pdfcrowd
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.5.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.5.3.

WPCasa

Plugin:
WPCasa
Plugin Slug:
wpcasa
Installations
1,000+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
1.4.2
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.4.2.

WPComplete

Plugin:
WPComplete
Plugin Slug:
wpcomplete
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.9.5.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.5.3.

Plugin Slug:
affiliatewp-external-referral-links
Installations
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.2.

Plugin Slug:
fusion-extension-gallery
Installations
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.7.

List Child Pages Shortcode

Plugin Slug:
list-child-pages-shortcode
Installations
600+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.4.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.0.

Publitio

Plugin:
Publitio
Plugin Slug:
publitio
Installations
500+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
2.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.2.

The Hack Repair Guy’s Plugin Archiver

Plugin Slug:
hackrepair-plugin-archiver
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.1.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.1.1.

IP Based Login

Plugin Slug:
ip-based-login
Installations
400+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.4.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.4.

Developer Loggers for Simple History

Plugin Slug:
developer-loggers-for-simple-history
Installations
300+
Vulnerability:
Local File Inclusion
Patched in Version:
0.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 0.5.1.

Secure Passkeys

Plugin Slug:
secure-passkeys
Installations
300+
Vulnerability:
Broken Access Control
Patched in Version:
1.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.2.

User Sync

Plugin:
User Sync
Plugin Slug:
user-sync
Installations
200+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.3.

Appointmind

Plugin Slug:
appointmind
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.2.0.

Catch Dark Mode

Plugin Slug:
catch-dark-mode
Installations
50+
Vulnerability:
Local File Inclusion
Patched in Version:
2.0.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.0.1.

Draft List

Plugin:
Draft List
Plugin Slug:
simple-draft-list
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.1.

Social Media Shortcodes

Plugin Slug:
social-media-shortcodes
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.2.

USS Upyun

Plugin:
USS Upyun
Plugin Slug:
uss-upyun
Installations
50+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.1.

Embed PDF for WPForms

Plugin Slug:
embed-pdf-wpforms
Installations
40+
Vulnerability:
Arbitrary File Upload
Patched in Version:
1.1.6
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.1.6.

Widget Options – Extended

Plugin:
Widget Options – Extended
Plugin Slug:
extended-widget-options
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.2.2.

Penci Filter Everything

Plugin:
Penci Filter Everything
Plugin Slug:
penci-filter-everything
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.

Penci Podcast

Plugin:
Penci Podcast
Plugin Slug:
penci-podcast
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.

Penci Portfolio

Plugin:
Penci Portfolio
Plugin Slug:
penci-portfolio
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.

Penci Recipe

Plugin:
Penci Recipe
Plugin Slug:
penci-recipe
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.1.

Penci Shortcodes & Performance

Plugin:
Penci Shortcodes & Performance
Plugin Slug:
penci-shortcodes
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.1.

Uni CPO (Premium)

Plugin:
Uni CPO (Premium)
Plugin Slug:
uni-woo-custom-product-options-premium
Vulnerability:
Arbitrary File Upload
Patched in Version:
4.9.55
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.9.55.

WorkScout-Core

Plugin:
WorkScout-Core
Plugin Slug:
workscout-core
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.7.06
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.7.06.

WP Attractive Donations System

Plugin:
WP Attractive Donations System
Plugin Slug:
wp-attractive-donations-system-easy-stripe-paypal-donations
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.29
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.29.

WordPress Themes — 4 Patched / 9 Unpatched

Constructo

Theme:
Constructo
Theme Slug:
constructo
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

CouponXxL

Theme:
CouponXxL
Theme Slug:
couponxxl
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

DriCub

Theme:
DriCub
Theme Slug:
dricub-driving-school
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

DriCub

Theme:
DriCub
Theme Slug:
dricub-driving-school
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Entrada

Theme:
Entrada
Theme Slug:
entrada
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Findgo

Theme:
Findgo
Theme Slug:
fingo
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

imEvent

Theme:
imEvent
Theme Slug:
imevent
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Nokri

Theme:
Nokri
Theme Slug:
nokri
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should switch themes.

WPLMS

Theme:
WPLMS
Theme Slug:
wplms
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should switch themes.

Sydney

Theme:
Sydney
Theme Slug:
sydney
Downloads
4,661,099
Vulnerability:
Broken Access Control
Patched in Version:
2.57
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.57.

Leblix

Theme:
Leblix
Theme Slug:
leblix
Vulnerability:
Local File Inclusion
Patched in Version:
2.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.5.

Soledad

Theme:
Soledad
Theme Slug:
soledad
Vulnerability:
Local File Inclusion
Patched in Version:
8.6.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 8.6.9.

Soledad

Theme:
Soledad
Theme Slug:
soledad
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
8.6.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 8.6.9.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!