WordPress Vulnerability Report — May 14, 2025

May 14, 2025


In this report, 234 vulnerabilities have been publicly disclosed. Security patches for 142 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 92 plugin and theme vulnerabilities for which no patch is available yet. If you’re a Solid Security Pro user, you are already protected against those vulnerabilities by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.1 has been released! This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

Plus, WordCamp Europe 2025 lands in Basel, Switzerland, June 5-7! Connect with WordPress enthusiasts, developers, and pros for three days of learning, networking, and collaboration with the global community.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 138 Patched / 92 Unpatched

Plugin Slug:
ultimate-member

Installations
200,000+

Vulnerability:
Arbitrary Code Execution

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
intelly-related-posts

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
list-category-posts

Installations
90,000+

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
wp-maintenance

Installations
50,000+

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
ajax-load-more

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
gt3-photo-video-gallery

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
user-login-history

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wp-ecommerce-paypal

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
spiraclethemes-site-library

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
void-visual-whmcs-element

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wp-recall

Installations
2,000+

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
ablocks

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
accessibility-toolbar

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
amazon-product-in-a-post-plugin

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
awin-advertiser-tracking

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
belingogeo

Installations
1,000+

Vulnerability:
Arbitrary File Download

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
bmi-adultkid-calculator

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
cbxgooglemap

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
contentstudio

Installations
1,000+

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
contribuinte-checkout

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
dofollow-case-by-case

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
dofollow-case-by-case

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
ebook-store

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
email-notification-on-login

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
pgall-for-woocommerce

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
rs-wp-books-showcase

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
sidebar-manager-light

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
smaily-for-wp

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
woobox

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
woobox

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wp-crm-system

Installations
1,000+

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
wp-webinarsystem

Installations
1,000+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wpspeed

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
xili-tidy-tags

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
bulk-featured-image

Installations
900+

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
woc-open-close

Installations
900+

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
really-simple-under-construction

Installations
700+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wp-jquery-datatable

Installations
700+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
beacon-by

Installations
600+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
cf7-submission-dom-tracking

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
clickwhale

Installations
600+

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
color-your-bar

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
cookiecode

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
easyme-connect

Installations
600+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
giveasap

Installations
600+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
liveagent

Installations
600+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
n360-splash-screen

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
show-all-comments-in-one-page

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
terms-popup-on-user-login

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wp-discord-invite

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wp-pipes

Installations
600+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
delucks-seo

Installations
500+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wp-leads-builder-any-crm

Installations
500+

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
elex-helpdesk-customer-support-ticket-system

Installations
400+

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
Critical

Plugin Slug:
funnelcockpit

Installations
400+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
themarketer

Installations
400+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
ajar-productions-in5-embed

Installations
300+

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
Critical

Plugin Slug:
axima-payment-gateway

Installations
300+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
integrations-of-zoho-crm-with-elementor-form

Installations
300+

Vulnerability:
Open Redirection

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
front-editor

Installations
200+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
martins-free-and-easy-ad-network-get-more-visitors

Installations
200+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
calculate-prices-based-on-distance-for-woocommerce

Installations
100+

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
credova-financial

Installations
100+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
soccer-live-scores

Installations
100+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
psw-login-and-registration

Installations
90+

Vulnerability:
Broken Authentication

Patched in Version:
No Fix

Severity Score:
Critical

Plugin Slug:
wp-podcasts-manager

Installations
80+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
polylang-supertext

Installations
60+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
productive-commerce

Installations
50+

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
Critical

Plugin Slug:
storekeeper-for-woocommerce

Installations
50+

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
Critical

Plugin Slug:
cardealerpress

Installations
40+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
elex-product-feed

Installations
30+

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
bns-twitter-follow-button

Installations
10+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

1 Click WordPress Migration

Plugin Slug:
1-click-migration

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
High

Plugin:

AHAthat

Plugin Slug:
ahathat

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Awesome Gallery

Plugin Slug:
awesome-gallery

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

External image replace

Plugin Slug:
external-image-replace

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Frontend Login and Registration Blocks

Plugin Slug:
frontend-login-and-registration-blocks

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

LayoutBoxx

Plugin Slug:
layoutboxx

Vulnerability:
Content Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

LessButtons Social Sharing and Statistics

Plugin Slug:
lessbuttons

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Multiple Post Type Order

Plugin Slug:
multiple-post-type-order

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

PeproDev Ultimate Profile Solutions

Plugin Slug:
peprodev-ups

Vulnerability:
Broken Authentication

Patched in Version:
No Fix

Severity Score:
High

Plugin:

PeproDev Ultimate Profile Solutions

Plugin Slug:
peprodev-ups

Vulnerability:
Broken Authentication

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

PeproDev Ultimate Profile Solutions

Plugin Slug:
peprodev-ups

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

QS Dark Mode

Plugin Slug:
qs-dark-mode

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Reales WP STPT

Plugin Slug:
short-tax-post

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Reales WP STPT

Plugin Slug:
short-tax-post

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WP SmartPay

Plugin Slug:
smartpay

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Woocommerce Multiple Addresses

Plugin Slug:
woocommerce-multiple-addresses

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WordPress Review Plugin

Plugin Slug:
wp-review

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WP shop

Plugin Slug:
wpshop

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WP shop

Plugin Slug:
wpshop

Vulnerability:
Insecure Direct Object References (IDOR)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Xavin’s List Subpages

Plugin Slug:
xavins-list-subpages

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
litespeed-cache

Installations
7,000,000+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
7.1

Severity Score:
Medium

Plugin Slug:
wpforms-lite

Installations
6,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.9.5.1

Severity Score:
Medium

Plugin Slug:
coming-soon

Installations
800,000+

Vulnerability:
Broken Access Control

Patched in Version:
6.18.16

Severity Score:
Medium

Plugin Slug:
mailpoet

Installations
600,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.5.2

Severity Score:
Medium

Plugin Slug:
royal-elementor-addons

Installations
600,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.7.1018

Severity Score:
Medium

Plugin Slug:
jeg-elementor-kit

Installations
300,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.6.13

Severity Score:
Medium

Plugin Slug:
newsletter

Installations
300,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
8.7.1

Severity Score:
Medium

Plugin Slug:
easy-fancybox

Installations
200,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.3.15

Severity Score:
Medium

Plugin Slug:
file-manager-advanced

Installations
200,000+

Vulnerability:
Broken Access Control

Patched in Version:
5.3.2

Severity Score:
Medium

Plugin Slug:
depicter

Installations
100,000+

Vulnerability:
SQL Injection

Patched in Version:
3.6.2

Severity Score:
Critical

Plugin Slug:
login-lockdown

Installations
100,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.12

Severity Score:
Medium

Plugin Slug:
relevanssi

Installations
100,000+

Vulnerability:
SQL Injection

Patched in Version:
4.24.5

Severity Score:
High

Plugin Slug:
relevanssi

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.24.4

Severity Score:
High

Plugin Slug:
download-monitor

Installations
90,000+

Vulnerability:
Local File Inclusion

Patched in Version:
5.0.23

Severity Score:
High

Plugin Slug:
jupiterx-core

Installations
90,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.8.12

Severity Score:
Medium

Plugin Slug:
contextual-related-posts

Installations
70,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.0.3

Severity Score:
Medium

Plugin Slug:
user-registration

Installations
70,000+

Vulnerability:
Insecure Direct Object References (IDOR)

Patched in Version:
4.2.2

Severity Score:
Medium

Plugin Slug:
bold-page-builder

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.3.1

Severity Score:
Medium

Plugin Slug:
bold-page-builder

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.3.3

Severity Score:
Medium

Plugin Slug:
ultimate-blocks

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.3.0

Severity Score:
Medium

Plugin Slug:
content-control

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.6.2

Severity Score:
Medium

Plugin Slug:
ditty-news-ticker

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.1.52

Severity Score:
Medium

Plugin Slug:
robo-gallery

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.0.3

Severity Score:
Medium

Plugin Slug:
wp-jquery-lightbox

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.3.4

Severity Score:
Medium

Plugin Slug:
envo-extra

Installations
30,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.9.10

Severity Score:
Medium

Plugin Slug:
wp-seo-structured-data-schema

Installations
30,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.8.0

Severity Score:
Medium

Plugin Slug:
beaf-before-and-after-gallery

Installations
20,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
4.6.11

Severity Score:
Critical

Plugin Slug:
easy-paypal-donation

Installations
20,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.5

Severity Score:
High

Plugin Slug:
meks-flexible-shortcodes

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.7

Severity Score:
Medium

Plugin Slug:
publishpress-authors

Installations
20,000+

Vulnerability:
Local File Inclusion

Patched in Version:
4.7.6

Severity Score:
High

Plugin Slug:
pw-bulk-edit

Installations
20,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
2.135

Severity Score:
Medium

Plugin Slug:
responsive-add-ons

Installations
20,000+

Vulnerability:
Broken Access Control

Patched in Version:
3.2.0

Severity Score:
Medium

Plugin Slug:
top-10

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.1.1

Severity Score:
Medium

Plugin Slug:
blockspare

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.2.10

Severity Score:
Medium

Plugin Slug:
charitable

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.8.5.2

Severity Score:
Medium

Plugin Slug:
gamipress

Installations
10,000+

Vulnerability:
Local File Inclusion

Patched in Version:
7.3.8

Severity Score:
High

Plugin Slug:
gpt3-ai-content-generator

Installations
10,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.9.15

Severity Score:
Medium

Plugin Slug:
graphina-elementor-charts-and-graphs

Installations
10,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
3.0.5

Severity Score:
High

Plugin Slug:
graphina-elementor-charts-and-graphs

Installations
10,000+

Vulnerability:
Broken Access Control

Patched in Version:
3.0.5

Severity Score:
Medium

Plugin Slug:
meow-gallery

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.2.8

Severity Score:
Medium

Plugin Slug:
nex-forms-express-wp-form-builder

Installations
10,000+

Vulnerability:
Arbitrary Code Execution

Patched in Version:
8.9.2

Severity Score:
Medium

Plugin Slug:
nex-forms-express-wp-form-builder

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
8.9.2

Severity Score:
Medium

Plugin Slug:
wemail

Installations
10,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
1.14.14

Severity Score:
Medium

Plugin Slug:
widget-countdown

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.7.5

Severity Score:
Medium

Plugin Slug:
wp-event-solution

Installations
10,000+

Vulnerability:
Arbitrary File Download

Patched in Version:
4.0.27

Severity Score:
High

Plugin Slug:
wp-event-solution

Installations
10,000+

Vulnerability:
Privilege Escalation

Patched in Version:
4.0.27

Severity Score:
Critical

Plugin Slug:
yaysmtp

Installations
10,000+

Vulnerability:
SQL Injection

Patched in Version:
2.6.5

Severity Score:
High

Plugin Slug:
contact-form-7-paypal-add-on

Installations
9,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.4.1

Severity Score:
Medium

Plugin Slug:
cozy-addons

Installations
9,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.1.23

Severity Score:
Medium

Plugin Slug:
wp-compress-image-optimizer

Installations
9,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
6.30.31

Severity Score:
High

Plugin Slug:
wp-hotel-booking

Installations
8,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
2.2.0

Severity Score:
Medium

Plugin Slug:
wpfunnels

Installations
8,000+

Vulnerability:
PHP Object Injection

Patched in Version:
3.5.19

Severity Score:
Critical

Plugin Slug:
aco-woo-dynamic-pricing

Installations
7,000+

Vulnerability:
SQL Injection

Patched in Version:
4.5.9

Severity Score:
High

Plugin Slug:
mail-mint

Installations
7,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
1.17.8

Severity Score:
High

Plugin Slug:
poll-maker

Installations
7,000+

Vulnerability:
Race Condition

Patched in Version:
5.7.8

Severity Score:
Medium

Plugin Slug:
profilegrid-user-profiles-groups-and-communities

Installations
7,000+

Vulnerability:
SQL Injection

Patched in Version:
5.9.5.1

Severity Score:
High

Plugin Slug:
simple-file-list

Installations
7,000+

Vulnerability:
Settings Change

Patched in Version:
6.1.14

Severity Score:
Medium

Plugin Slug:
trackship-for-woocommerce

Installations
7,000+

Vulnerability:
SQL Injection

Patched in Version:
1.9.2

Severity Score:
High

Plugin Slug:
wp-job-portal

Installations
7,000+

Vulnerability:
Local File Inclusion

Patched in Version:
2.3.2

Severity Score:
High

Plugin Slug:
better-search

Installations
6,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.1.1

Severity Score:
Medium

Plugin Slug:
drag-and-drop-multiple-file-upload-for-woocommerce

Installations
6,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
1.1.7

Severity Score:
Critical

Plugin Slug:
eventon-lite

Installations
6,000+

Vulnerability:
Local File Inclusion

Patched in Version:
2.4.2

Severity Score:
High

Plugin Slug:
nd-booking

Installations
5,000+

Vulnerability:
Local File Inclusion

Patched in Version:
3.7

Severity Score:
High

Plugin Slug:
simple-blog-stats

Installations
5,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
20250423

Severity Score:
Medium

Plugin Slug:
sms-alert

Installations
5,000+

Vulnerability:
Privilege Escalation

Patched in Version:
3.8.2

Severity Score:
High

Plugin Slug:
sms-alert

Installations
5,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.8.2

Severity Score:
Medium

Plugin Slug:
sms-alert

Installations
5,000+

Vulnerability:
SQL Injection

Patched in Version:
3.8.2

Severity Score:
Critical

Plugin Slug:
wpadverts

Installations
5,000+

Vulnerability:
Local File Inclusion

Patched in Version:
2.2.3

Severity Score:
High

Plugin Slug:
ovation-elements

Installations
4,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.1.3

Severity Score:
Medium

Plugin Slug:
hash-form

Installations
3,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.2.9

Severity Score:
Medium

Plugin Slug:
media-hygiene

Installations
3,000+

Vulnerability:
Broken Access Control

Patched in Version:
4.0.1

Severity Score:
Medium

Plugin Slug:
mollie-forms

Installations
3,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.7.13

Severity Score:
Medium

Plugin Slug:
newsletters-lite

Installations
3,000+

Vulnerability:
SQL Injection

Patched in Version:
4.9.9.9

Severity Score:
High

Plugin Slug:
solace-extra

Installations
3,000+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
1.3.2

Severity Score:
Medium

Plugin Slug:
webappick-pdf-invoice-for-woocommerce

Installations
3,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
3.7.59

Severity Score:
High

Plugin Slug:
widget-for-eventbrite-api

Installations
3,000+

Vulnerability:
Local File Inclusion

Patched in Version:
6.3

Severity Score:
High

Plugin Slug:
beds24-online-booking

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.0.30

Severity Score:
Medium

Plugin Slug:
coinpayments-payment-gateway-for-woocommerce

Installations
2,000+

Vulnerability:
PHP Object Injection

Patched in Version:
1.0.18

Severity Score:
Critical

Plugin Slug:
groundhogg

Installations
2,000+

Vulnerability:
Arbitrary File Deletion

Patched in Version:
4.1.2

Severity Score:
Medium

Plugin Slug:
gs-testimonial

Installations
2,000+

Vulnerability:
Content Injection

Patched in Version:
3.3.0

Severity Score:
Medium

Plugin Slug:
gs-testimonial

Installations
2,000+

Vulnerability:
Broken Access Control

Patched in Version:
3.3.1

Severity Score:
Medium

Plugin Slug:
sendpulse-email-marketing-newsletter

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.1.7

Severity Score:
Medium

Plugin Slug:
skt-skill-bar

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.5

Severity Score:
Medium

Plugin Slug:
cc-bmi-calculator

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.1.1

Severity Score:
Medium

Plugin Slug:
contest-gallery

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
26.0.7

Severity Score:
Medium

Plugin Slug:
easy-paypal-events-tickets

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.3

Severity Score:
Medium

Plugin Slug:
logo-showcase

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.0.5

Severity Score:
Medium

Plugin Slug:
music-player-for-woocommerce

Installations
1,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.6.0

Severity Score:
Medium

Plugin Slug:
new-contact-form-widget

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.4.7

Severity Score:
High

Plugin Slug:
progress-bar

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.2.4

Severity Score:
Medium

Plugin Slug:
ultimate-wp-mail

Installations
1,000+

Vulnerability:
SQL Injection

Patched in Version:
1.3.5

Severity Score:
High

Plugin Slug:
ultimate-wp-mail

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.3.5

Severity Score:
Medium

Plugin Slug:
wp-fundraising-donation

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.7.4

Severity Score:
Medium

Plugin Slug:
xt-facebook-events

Installations
1,000+

Vulnerability:
Local File Inclusion

Patched in Version:
1.1.8

Severity Score:
High

Plugin Slug:
display-remote-posts-block

Installations
800+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
1.1.1

Severity Score:
Medium

Plugin Slug:
aweos-wp-lock

Installations
700+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.4.9

Severity Score:
Medium

Plugin Slug:
frontend-dashboard

Installations
700+

Vulnerability:
Privilege Escalation

Patched in Version:
2.2.8

Severity Score:
High

Plugin Slug:
frontend-dashboard

Installations
700+

Vulnerability:
Privilege Escalation

Patched in Version:
2.2.7

Severity Score:
Critical

Plugin Slug:
instantio

Installations
700+

Vulnerability:
Arbitrary File Upload

Patched in Version:
3.3.17

Severity Score:
Medium

Plugin Slug:
quran-text-multilanguage

Installations
700+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.3.24

Severity Score:
Medium

Plugin Slug:
seznam-webmaster

Installations
700+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.4.8

Severity Score:
Medium

Plugin Slug:
wp-dpe-ges

Installations
700+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.7

Severity Score:
Medium

Plugin Slug:
custom-checkout-fields-for-woocommerce

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.9.0

Severity Score:
Medium

Plugin Slug:
hm-cool-author-box-widget

Installations
600+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
3.0.1

Severity Score:
Medium

Plugin Slug:
listamester

Installations
600+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
2.3.7

Severity Score:
Medium

Plugin Slug:
time-clock

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3

Severity Score:
Medium

Plugin Slug:
easy-replace-image

Installations
500+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
3.5.1

Severity Score:
Medium

Plugin Slug:
ngg-smart-image-search

Installations
500+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.4.1

Severity Score:
Medium

Plugin Slug:
product-countdown-for-woocommerce

Installations
500+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.6.3

Severity Score:
Medium

Plugin Slug:
truebooker-appointment-booking

Installations
500+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.8

Severity Score:
Medium

Plugin Slug:
simple-calendar-for-elementor

Installations
400+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.6.6

Severity Score:
Medium

Plugin Slug:
where-did-they-go-from-here

Installations
400+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.1.1

Severity Score:
Medium

Plugin Slug:
gf-dynamics-crm

Installations
300+

Vulnerability:
Open Redirection

Patched in Version:
1.1.5

Severity Score:
Medium

Plugin Slug:
subaccounts-for-woocommerce

Installations
300+

Vulnerability:
Broken Authentication

Patched in Version:
1.6.7

Severity Score:
High

Plugin Slug:
activity-link-preview-for-buddypress

Installations
200+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
1.6.0

Severity Score:
Medium

Plugin Slug:
b2i-investor-tools

Installations
200+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.0.8

Severity Score:
High

Plugin Slug:
cart-tracking-for-woocommerce

Installations
200+

Vulnerability:
SQL Injection

Patched in Version:
1.0.18

Severity Score:
High

Plugin Slug:
eucookielaw

Installations
200+

Vulnerability:
Arbitrary File Download

Patched in Version:
2.7.3

Severity Score:
High

Plugin Slug:
gf-zendesk

Installations
200+

Vulnerability:
Open Redirection

Patched in Version:
1.1.3

Severity Score:
Medium

Plugin Slug:
locateandfilter

Installations
200+

Vulnerability:
Broken Access Control

Patched in Version:
1.6.17

Severity Score:
Medium

Plugin Slug:
product-quantity-dropdown-for-woocommerce

Installations
200+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.3

Severity Score:
Medium

Plugin Slug:
spostarbust

Installations
200+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.2.04.25

Severity Score:
High

Plugin Slug:
woo-salesforce-plugin-crm-perks

Installations
200+

Vulnerability:
Open Redirection

Patched in Version:
1.7.6

Severity Score:
Medium

Plugin Slug:
cision-block

Installations
100+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.4.0

Severity Score:
Medium

Plugin Slug:
pdf-for-woocommerce

Installations
100+

Vulnerability:
SQL Injection

Patched in Version:
5.4.0

Severity Score:
High

Plugin Slug:
wiki-embed

Installations
100+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.4.7

Severity Score:
Medium

Plugin Slug:
gs-woo-variation-swatches

Installations
50+

Vulnerability:
Broken Access Control

Patched in Version:
3.0.5

Severity Score:
Medium

Plugin Slug:
wpbookit

Installations
50+

Vulnerability:
Privilege Escalation

Patched in Version:
1.0.3

Severity Score:
Critical

Plugin:

BuddyPress Platform Pro

Plugin Slug:
buddyboss-platform-pro

Vulnerability:
Broken Authentication

Patched in Version:
2.7.10

Severity Score:
Critical

Plugin:

Cost Calculator for Elementor

Plugin Slug:
cost-calculator-for-elementor

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.4

Severity Score:
Medium

Plugin:

Envolve Plugin

Plugin Slug:
envolve-plugin

Vulnerability:
Arbitrary File Upload

Patched in Version:
1.1.0

Severity Score:
Critical

Plugin:

Envolve Plugin

Plugin Slug:
envolve-plugin

Vulnerability:
Broken Access Control

Patched in Version:
1.1.0

Severity Score:
Medium

Plugin:

IMITHEMES Listing

Plugin Slug:
imithemes-listing

Vulnerability:
Privilege Escalation

Patched in Version:
3.4

Severity Score:
Critical

Plugin:

Opal Woo Custom Product Variation

Plugin Slug:
opal-woo-custom-product-variation

Vulnerability:
Arbitrary File Deletion

Patched in Version:
1.2.1

Severity Score:
High

Plugin:

PGS Core

Plugin Slug:
pgs-core

Vulnerability:
PHP Object Injection

Patched in Version:
5.9.0

Severity Score:
Critical

Plugin:

PGS Core

Plugin Slug:
pgs-core

Vulnerability:
SQL Injection

Patched in Version:
5.9.0

Severity Score:
Critical

Plugin:

PGS Core

Plugin Slug:
pgs-core

Vulnerability:
Broken Access Control

Patched in Version:
5.9.0

Severity Score:
High

Plugin:

Relevanssi Premium

Plugin Slug:
relevanssi-premium

Vulnerability:
SQL Injection

Patched in Version:
2.27.5

Severity Score:
High

WordPress Themes — 4 Patched / 0 Unpatched

Theme Slug:
blocksy

Downloads
4,484,472

Vulnerability:
Broken Access Control

Patched in Version:
2.0.98

Severity Score:
Medium

Theme:

TheGem

Theme Slug:
thegem

Vulnerability:
Broken Access Control

Patched in Version:
5.10.3.1

Severity Score:
Medium

Theme:

TheGem

Theme Slug:
thegem

Vulnerability:
Arbitrary File Upload

Patched in Version:
5.10.3.1

Severity Score:
High

Theme:

Wolmart

Theme Slug:
wolmart

Vulnerability:
Content Injection

Patched in Version:
1.8.12

Severity Score:
High

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
