SolidWP

WordPress Vulnerability Report — April 22, 2026

Sarah Ulmer — Wed, 22 Apr 2026 13:16:46 +0000

In this report, 216 vulnerabilities have been publicly disclosed. Security patches for 187 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 29 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 159 Patched / 28 Unpatched

2.1 Pz-LinkCard
2.2 WCFM Marketplace – Multivendor Marketplace for WooCommerce
2.3 Smart Online Order for Clover
2.4 Accept Cryptocurrencies with Plisio
2.5 Quick Interest Slider
2.6 Livemesh Addons for Elementor
2.7 Livemesh Addons for Elementor
2.8 Canto
2.9 CMS für Motorrad Werkstätten
2.10 Coachific Shortcode
2.11 Custom New User Notification
2.12 e-shot
2.13 Inquiry form to posts or pages
2.14 Katalogportal-pdf-sync Widget
2.15 Login as User
2.16 Accessibility Suite
2.17 OPEN-BRAIN
2.18 OPEN-BRAIN
2.19 Accessibly – WordPress Website Accessibility
2.20 Petje.af
2.21 Riaxe Product Customizer
2.22 Riaxe Product Customizer
2.23 Riaxe Product Customizer
2.24 VI: Include Post By
2.25 Visa Acceptance Solutions
2.26 WM JqMath
2.27 WP Circliful
2.28 Power Charts
2.29 Advanced Custom Fields (ACF®)
2.30 ManageWP Worker
2.31 Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
2.32 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.33 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.34 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.35 BackWPup – WordPress Backup & Restore Plugin
2.36 Meta Box
2.37 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.38 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.39 WP Shortcodes Plugin — Shortcodes Ultimate
2.40 Page Builder Gutenberg Blocks – CoBlocks
2.41 ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
2.42 Unlimited Elements For Elementor
2.43 PDF Invoices & Packing Slips for WooCommerce
2.44 CMP – Coming Soon & Maintenance Plugin by NiteoThemes
2.45 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.46 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.47 Post Duplicator
2.48 JetBackup – Backup, Restore & Migrate
2.49 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
2.50 Anti-Malware Security and Brute-Force Firewall
2.51 Kubio AI Page Builder
2.52 LatePoint – Calendar Booking Plugin for Appointments and Events
2.53 Modula Image Gallery – Photo Grid & Video Gallery
2.54 Tutor LMS – eLearning and online course solution
2.55 Tutor LMS – eLearning and online course solution
2.56 Tutor LMS – eLearning and online course solution
2.57 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.58 Download Monitor
2.59 Email Encoder – Protect Email Addresses and Phone Numbers
2.60 Email Encoder – Protect Email Addresses and Phone Numbers
2.61 ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
2.62 Customer Reviews for WooCommerce
2.63 Customer Reviews for WooCommerce
2.64 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
2.65 Jupiter X Core
2.66 Jupiter X Core
2.67 LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
2.68 OneSignal – Web Push Notifications
2.69 Germanized for WooCommerce
2.70 wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
2.71 Contextual Related Posts
2.72 Drag and Drop Multiple File Upload for Contact Form 7
2.73 Drag and Drop Multiple File Upload for Contact Form 7
2.74 User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2.75 Product Filter for WooCommerce by WBW
2.76 Product Filter for WooCommerce by WBW
2.77 WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
2.78 Advanced Product Fields (Product Addons) for WooCommerce
2.79 Categories Images
2.80 Better Find and Replace – AI-Powered Suggestions
2.81 YayMail – WooCommerce Email Customizer
2.82 BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
2.83 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
2.84 Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
2.85 Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
2.86 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.87 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.88 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.89 Website LLMs.txt
2.90 Website LLMs.txt
2.91 WP YouTube Lyte
2.92 Social Slider Feed
2.93 Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
2.94 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.95 Payment Gateway for Redsys & WooCommerce Lite
2.96 Payment Gateway for Redsys & WooCommerce Lite
2.97 wpForo Forum
2.98 wpForo Forum
2.99 wpForo Forum
2.100 WPZOOM Addons for Elementor – Starter Templates & Widgets
2.101 Content Blocks (Custom Post Widget)
2.102 WP Customer Area
2.103 Easy Appointments
2.104 Easy Appointments
2.105 EMC – Easily Embed Calendly Scheduling
2.106 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.107 MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.108 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
2.109 Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
2.110 Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
2.111 WP Photo Album Plus
2.112 YML for Yandex Market
2.113 WCAPF – Ajax Product Filter for WooCommerce
2.114 AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
2.115 EventPrime – Events Calendar, Bookings and Tickets
2.116 ActivityPub
2.117 Nexi XPay
2.118 FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
2.119 Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
2.120 Booking Activities
2.121 Notification for Telegram
2.122 Responsive Blocks – Page Builder for Blocks & Patterns
2.123 WpStream – Live Streaming, Video on Demand, Pay Per View
2.124 Basic Google Maps Placemarks
2.125 Events Calendar for GeoDirectory
2.126 Image Source Control Lite – Show Image Credits and Captions
2.127 SpeakOut! Email Petitions
2.128 WP Directory Kit
2.129 Groundhogg — CRM, Newsletters, and Marketing Automation
2.130 Prismatic
2.131 Shipment Tracker for Woocommerce
2.132 MyRewards
2.133 Video Gallery – YouTube Gallery & Responsive Video Playlist
2.134 Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
2.135 Mini Ajax Cart for WooCommerce
2.136 WP Docs
2.137 DirectoryPress – Business Directory And Classified Ad Listing
2.138 InPost Gallery
2.139 bBlocks – Essential Gutenberg Blocks & Patterns Collection
2.140 WP Sessions Time Monitoring Full Automatic
2.141 List View Google Calendar
2.142 Webling
2.143 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
2.144 Flipbox Addon for Elementor
2.145 BuddyPress Groupblog
2.146 Age Verification & Identity Verification by Token of Trust
2.147 Ultra Addons for WPForms
2.148 Hostel
2.149 HAPPY – Helpdesk Support Ticket System
2.150 Surbma | Booking.com Shortcode
2.151 WholeSale Products Dynamic Pricing Management WooCommerce
2.152 Academy LMS Pro
2.153 Accordion and Accordion Slider
2.154 Album and Image Gallery plus Lightbox
2.155 Blog Designer – Post and Widget
2.156 Career Section
2.157 Countdown Timer Ultimate
2.158 Featured Post Creative
2.159 Fusion Builder
2.160 Fusion Builder
2.161 Gravity SMTP
2.162 Video gallery and Player
2.163 JetEngine
2.164 Client Portal (Pro)
2.165 Meta slider and carousel with lightbox
2.166 MetForm Pro
2.167 Popup Anything
2.168 Portfolio and Projects
2.169 Post grid and filter ultimate
2.170 WP responsive FAQ with category
2.171 WP News and Scrolling Widgets
2.172 WowShipping Pro
2.173 Post Ticker Ultimate
2.174 Timeline and History slider
2.175 User Registration Stripe
2.176 Userpro
2.177 Product Pricing Table by WooBeWoo
2.178 WooCommerce Product Filters
2.179 WP Blog and Widget
2.180 WP Featured Content and Slider
2.181 WP Logo Showcase Responsive Slider and Carousel
2.182 WP Responsive Recent Post Slider/Carousel
2.183 WP Slick Slider and Image Carousel
2.184 Team Slider and Team Grid Showcase plus Team Carousel
2.185 Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
2.186 Trending/Popular Post Slider and Widget
2.187 Royal Elementor Addons Pro

3. WordPress Themes — 28 Patched / 1 Unpatched

3.1 WebStack
3.2 Charity Zone
3.3 Ecommerce Zone
3.4 Kids Gift Shop
3.5 Kids Online Store
3.6 Restaurant Zone
3.7 Vantage
3.8 Webenvo
3.9 Ashtanga
3.10 Atomlab
3.11 Behold
3.12 ChapterOne
3.13 Château
3.14 EasyMeals
3.15 Eldon
3.16 Eleganzo
3.17 Elementra
3.18 Esmée
3.19 Laurits
3.20 Léonie
3.21 LuxeDrive
3.22 MagOne
3.23 Manufaktur Solutions
3.24 Reina
3.25 Roisin
3.26 ShiftUp
3.27 TechLink
3.28 Valeska
3.29 Zoya

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress 7.0 Release Candidate 2 (RC2) is now ready for testing via the Beta Tester plugin, direct download, WP-CLI, or WordPress Playground. As a pre-release version, it should only be evaluated in staging or local environments.

WordPress Plugins — 159 Patched / 28 Unpatched

Plugin:: Pz-LinkCard
Plugin Slug:: pz-linkcard
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2434

Plugin:: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-63029

Plugin:: Smart Online Order for Clover
Plugin Slug:: clover-online-orders
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-15635

Plugin:: Accept Cryptocurrencies with Plisio
Plugin Slug:: plisio-payment-gateway-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-6372

Plugin:: Quick Interest Slider
Plugin Slug:: quick-interest-slider
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-5694

Plugin:: Livemesh Addons for Elementor
Plugin Slug:: addons-for-elementor
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1620

Plugin:: Livemesh Addons for Elementor
Plugin Slug:: addons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1572

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-6441

Plugin:: CMS für Motorrad Werkstätten
Plugin Slug:: cms-fuer-motorrad-werkstaetten
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-6451

Plugin:: Coachific Shortcode
Plugin Slug:: coachific-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4005

Plugin:: Custom New User Notification
Plugin Slug:: custom-new-user-notification
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3551

Plugin:: e-shot
Plugin Slug:: e-shot-form-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3642

Plugin:: Inquiry form to posts or pages
Plugin Slug:: inquiry-form-to-posts-or-pages
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-6293

Plugin:: Katalogportal-pdf-sync Widget
Plugin Slug:: katalogportal-pdf-sync
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3649

Plugin:: Login as User
Plugin Slug:: one-click-login-as-user
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-5617

Plugin:: Accessibility Suite
Plugin Slug:: online-accessibility
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3773

Plugin:: OPEN-BRAIN
Plugin Slug:: open-brain
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3995

Plugin:: OPEN-BRAIN
Plugin Slug:: open-brain
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4091

Plugin:: Accessibly – WordPress Website Accessibility
Plugin Slug:: otm-accessibly
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3643

Plugin:: Petje.af
Plugin Slug:: petje-af
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4002

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3599

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3595

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3596

Plugin:: VI: Include Post By
Plugin Slug:: vi-include-post-by
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5717

Plugin:: Visa Acceptance Solutions
Plugin Slug:: visa-acceptance-solutions
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3461

Plugin:: WM JqMath
Plugin Slug:: wm-jqmath
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3998

Plugin:: WP Circliful
Plugin Slug:: wp-circliful
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3659

Plugin:: Power Charts
Plugin Slug:: wpgo-power-charts-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4011

Plugin:: Advanced Custom Fields (ACF®)
Plugin Slug:: advanced-custom-fields
Installations: 2,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.7.1
Severity Score:: Medium
CVE:: 2026-4812

Plugin:: ManageWP Worker
Plugin Slug:: worker
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.32
Severity Score:: High
CVE:: 2026-39463

Plugin:: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Plugin Slug:: fluentform
Installations: 700,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.2.0
Severity Score:: Medium
CVE:: 2026-4160

Plugin:: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1057
Severity Score:: Medium
CVE:: 2026-5162

Plugin:: WP Statistics – Simple, privacy-friendly Google Analytics alternative
Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 14.16.5
Severity Score:: Medium
CVE:: 2026-3488

Plugin:: WP Statistics – Simple, privacy-friendly Google Analytics alternative
Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.16.5
Severity Score:: High
CVE:: 2026-5231

Plugin:: BackWPup – WordPress Backup & Restore Plugin
Plugin Slug:: backwpup
Installations: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.6.7
Severity Score:: High
CVE:: 2026-6227

Plugin:: Meta Box
Plugin Slug:: meta-box
Installations: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.11.2
Severity Score:: Medium
CVE:: 2026-39468

Plugin:: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Plugin Slug:: ml-slider
Installations: 500,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.107.0
Severity Score:: High
CVE:: 2026-39467

Plugin:: Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
Plugin Slug:: ml-slider
Installations: 500,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.107.0
Severity Score:: Critical
CVE:: 2026-39465

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.5.0
Severity Score:: Medium
CVE:: 2026-3885

Plugin:: Page Builder Gutenberg Blocks – CoBlocks
Plugin Slug:: coblocks
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.17
Severity Score:: Medium
CVE:: 2026-4801

Plugin:: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
Plugin Slug:: shortpixel-image-optimiser
Installations: 300,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.4.4
Severity Score:: High
CVE:: 2026-39471

Plugin:: Unlimited Elements For Elementor
Plugin Slug:: unlimited-elements-for-elementor
Installations: 300,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.0.7
Severity Score:: High
CVE:: 2026-4659

Plugin:: PDF Invoices & Packing Slips for WooCommerce
Plugin Slug:: woocommerce-pdf-invoices-packing-slips
Installations: 300,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.9.0
Severity Score:: High
CVE:: 2026-39472

Plugin:: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Plugin Slug:: cmp-coming-soon-maintenance
Installations: 200,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.1.17
Severity Score:: High
CVE:: 2026-6518

Plugin:: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.3
Severity Score:: High
CVE:: 2026-5217

Plugin:: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.4
Severity Score:: High
CVE:: 2026-5226

Plugin:: Post Duplicator
Plugin Slug:: post-duplicator
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.11
Severity Score:: High
CVE:: 2026-39474

Plugin:: JetBackup – Backup, Restore & Migrate
Plugin Slug:: backup
Installations: 100,000+
Vulnerability:: Path Traversal
Patched in Version:: 3.1.20.3
Severity Score:: Medium
CVE:: 2026-4853

Plugin:: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: Directory Traversal
Patched in Version:: 3.4.5
Severity Score:: High
CVE:: 2026-5478

Plugin:: Anti-Malware Security and Brute-Force Firewall
Plugin Slug:: gotmls
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.23.88
Severity Score:: High
CVE:: 2026-39478

Plugin:: Kubio AI Page Builder
Plugin Slug:: kubio
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.3
Severity Score:: Medium
CVE:: 2026-5427

Plugin:: LatePoint – Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.4.0
Severity Score:: Medium
CVE:: 2026-5234

Plugin:: Modula Image Gallery – Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.14.19
Severity Score:: High
CVE:: 2026-39481

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-40743

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.9.9
Severity Score:: High
CVE:: 2026-6080

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.9
Severity Score:: Medium
CVE:: 2026-5502

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.16.13
Severity Score:: Medium
CVE:: 2026-4949

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 5.1.10
Severity Score:: Medium
CVE:: 2026-39489

Plugin:: Email Encoder – Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.4
Severity Score:: Medium
CVE:: 2024-7083

Plugin:: Email Encoder – Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.5
Severity Score:: Medium
CVE:: 2026-2840

Plugin:: ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
Plugin Slug:: woolentor-addons
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.6
Severity Score:: Medium
CVE:: 2026-4059

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.102.0
Severity Score:: High
CVE:: 2026-3355

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Broken Authentication
Patched in Version:: 5.104.0
Severity Score:: Medium
CVE:: 2026-4664

Plugin:: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
Plugin Slug:: interactive-3d-flipbook-powered-physics-engine
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.16.18
Severity Score:: Medium
CVE:: 2026-1314

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.14.2
Severity Score:: High
CVE:: 2026-39490

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.14.2
Severity Score:: Medium
CVE:: 2026-39491

Plugin:: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Critical
CVE:: 2026-4365

Plugin:: OneSignal – Web Push Notifications
Plugin Slug:: onesignal-free-web-push-notifications
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.1
Severity Score:: Low
CVE:: 2026-3155

Plugin:: Germanized for WooCommerce
Plugin Slug:: woocommerce-germanized
Installations: 70,000+
Vulnerability:: Content Injection
Patched in Version:: 3.20.6
Severity Score:: Medium
CVE:: 2026-2582

Plugin:: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
Plugin Slug:: wpdatatables
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.0.5
Severity Score:: Medium
CVE:: 2026-5721

Plugin:: Contextual Related Posts
Plugin Slug:: contextual-related-posts
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2026-2986

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.9.7
Severity Score:: High
CVE:: 2026-5718

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.3.9.7
Severity Score:: High
CVE:: 2026-5710

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Open Redirection
Patched in Version:: 5.1.5
Severity Score:: Medium
CVE:: 2026-6203

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-3830

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-39494

Plugin:: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.8
Severity Score:: Medium
CVE:: 2025-13364

Plugin:: Advanced Product Fields (Product Addons) for WooCommerce
Plugin Slug:: advanced-product-fields-for-woocommerce
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.20
Severity Score:: High
CVE:: 2026-39499

Plugin:: Categories Images
Plugin Slug:: categories-images
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.2
Severity Score:: Medium
CVE:: 2026-2505

Plugin:: Better Find and Replace – AI-Powered Suggestions
Plugin Slug:: real-time-auto-find-and-replace
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.0
Severity Score:: Medium
CVE:: 2026-3369

Plugin:: YayMail – WooCommerce Email Customizer
Plugin Slug:: yaymail
Installations: 50,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.3.4
Severity Score:: High
CVE:: 2026-39498

Plugin:: BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
Plugin Slug:: betterdocs
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.9
Severity Score:: Medium
CVE:: 2026-3875

Plugin:: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.6
Severity Score:: High
CVE:: 2026-39503

Plugin:: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Content Injection
Patched in Version:: 11.1.1
Severity Score:: Medium
CVE:: 2026-5797

Plugin:: Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
Plugin Slug:: ultimate-post
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.6
Severity Score:: Medium
CVE:: 2026-0718

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.41
Severity Score:: High
CVE:: 2026-3330

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.41
Severity Score:: High
CVE:: 2026-4388

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.38
Severity Score:: Critical
CVE:: 2025-15441

Plugin:: Website LLMs.txt
Plugin Slug:: website-llms-txt
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.7
Severity Score:: Medium
CVE:: 2026-6712

Plugin:: Website LLMs.txt
Plugin Slug:: website-llms-txt
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.7
Severity Score:: Medium
CVE:: 2026-6711

Plugin:: WP YouTube Lyte
Plugin Slug:: wp-youtube-lyte
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.30
Severity Score:: Medium
CVE:: 2026-3299

Plugin:: Social Slider Feed
Plugin Slug:: instagram-slider-widget
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.3
Severity Score:: High
CVE:: 2026-39507

Plugin:: Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
Plugin Slug:: post-carousel
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.13
Severity Score:: High
CVE:: 2026-3017

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.61
Severity Score:: Medium
CVE:: 2026-5742

Plugin:: Payment Gateway for Redsys & WooCommerce Lite
Plugin Slug:: woo-redsys-gateway-light
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.0.1
Severity Score:: High
CVE:: 2026-40741

Plugin:: Payment Gateway for Redsys & WooCommerce Lite
Plugin Slug:: woo-redsys-gateway-light
Installations: 20,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 7.0.1
Severity Score:: High
CVE:: 2026-5050

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Directory Traversal
Patched in Version:: 3.0.6
Severity Score:: High
CVE:: 2026-6248

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2026-4666

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.0.3
Severity Score:: High
CVE:: 2026-5809

Plugin:: WPZOOM Addons for Elementor – Starter Templates & Widgets
Plugin Slug:: wpzoom-elementor-addons
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: High
CVE:: 2026-39597

Plugin:: Content Blocks (Custom Post Widget)
Plugin Slug:: custom-post-widget
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2026-0894

Plugin:: WP Customer Area
Plugin Slug:: customer-area
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 8.3.5
Severity Score:: High
CVE:: 2026-3464

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-2262

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-39513

Plugin:: EMC – Easily Embed Calendly Scheduling
Plugin Slug:: embed-calendly-scheduling
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5
Severity Score:: Medium
CVE:: 2026-0868

Plugin:: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.154
Severity Score:: Critical
CVE:: 2026-39512

Plugin:: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.7.26
Severity Score:: High
CVE:: 2026-4817

Plugin:: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Plugin Slug:: paid-member-subscriptions
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2026-39514

Plugin:: Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
Plugin Slug:: royal-backup-reset
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.17
Severity Score:: High
CVE:: 2026-4305

Plugin:: Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.9
Severity Score:: Medium
CVE:: 2026-4109

Plugin:: WP Photo Album Plus
Plugin Slug:: wp-photo-album-plus
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.08.002
Severity Score:: Critical
CVE:: 2026-39511

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.0.26
Severity Score:: High
CVE:: 2025-14545

Plugin:: WCAPF – Ajax Product Filter for WooCommerce
Plugin Slug:: wc-ajax-product-filter
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.3.0
Severity Score:: Critical
CVE:: 2026-3396

Plugin:: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Plugin Slug:: acymailing
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.8.2
Severity Score:: High
CVE:: 2026-3614

Plugin:: EventPrime – Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.3.0.1
Severity Score:: High
CVE:: 2026-39518

Plugin:: ActivityPub
Plugin Slug:: activitypub
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.0.2
Severity Score:: High
CVE:: 2026-4338

Plugin:: Nexi XPay
Plugin Slug:: cartasi-x-pay
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.3.2
Severity Score:: Medium
CVE:: 2025-15565

Plugin:: FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
Plugin Slug:: fluent-boards
Installations: 6,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.91.3
Severity Score:: High
CVE:: 2026-40784

Plugin:: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Plugin Slug:: youzify
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2026-1559

Plugin:: Booking Activities
Plugin Slug:: booking-activities
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.17.0
Severity Score:: Medium
CVE:: 2026-39525

Plugin:: Notification for Telegram
Plugin Slug:: notification-for-telegram
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.1
Severity Score:: High
CVE:: 2026-40732

Plugin:: Responsive Blocks – Page Builder for Blocks & Patterns
Plugin Slug:: responsive-block-editor-addons
Installations: 4,000+
Vulnerability:: Open Redirection
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2026-6675

Plugin:: WpStream – Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.11.2
Severity Score:: Medium
CVE:: 2026-39527

Plugin:: Basic Google Maps Placemarks
Plugin Slug:: basic-google-maps-placemarks
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.10.8
Severity Score:: Medium
CVE:: 2026-3581

Plugin:: Events Calendar for GeoDirectory
Plugin Slug:: events-for-geodirectory
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.3.26
Severity Score:: High
CVE:: 2026-39532

Plugin:: Image Source Control Lite – Show Image Credits and Captions
Plugin Slug:: image-source-control-isc
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.2
Severity Score:: Medium
CVE:: 2026-4852

Plugin:: SpeakOut! Email Petitions
Plugin Slug:: speakout
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.6.5.1
Severity Score:: Critical
CVE:: 2026-39530

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.1
Severity Score:: Critical
CVE:: 2026-39531

Plugin:: Groundhogg — CRM, Newsletters, and Marketing Automation
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 4.4.1
Severity Score:: High
CVE:: 2026-40727

Plugin:: Prismatic
Plugin Slug:: prismatic
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.4
Severity Score:: High
CVE:: 2026-3876

Plugin:: Shipment Tracker for Woocommerce
Plugin Slug:: shipment-tracker-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3.3
Severity Score:: Medium
CVE:: 2026-39540

Plugin:: MyRewards
Plugin Slug:: woorewards
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.4
Severity Score:: Medium
CVE:: 2026-40786

Plugin:: Video Gallery – YouTube Gallery & Responsive Video Playlist
Plugin Slug:: youtube-showcase
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.2
Severity Score:: Medium
CVE:: 2025-15636

Plugin:: Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
Plugin Slug:: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.12.0
Severity Score:: Critical
CVE:: 2026-4880

Plugin:: Mini Ajax Cart for WooCommerce
Plugin Slug:: mini-ajax-woo-cart
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2026-6370

Plugin:: WP Docs
Plugin Slug:: wp-docs
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2026-3878

Plugin:: DirectoryPress – Business Directory And Classified Ad Listing
Plugin Slug:: directorypress
Installations: 900+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.27
Severity Score:: Critical
CVE:: 2026-3489

Plugin:: InPost Gallery
Plugin Slug:: inpost-gallery
Installations: 800+
Vulnerability:: SQL Injection
Patched in Version:: 2.1.5
Severity Score:: Critical
CVE:: 2026-39574

Plugin:: bBlocks – Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 700+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.32
Severity Score:: High
CVE:: 2026-39579

Plugin:: WP Sessions Time Monitoring Full Automatic
Plugin Slug:: activitytime
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-39581

Plugin:: List View Google Calendar
Plugin Slug:: list-view-google-calendar
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.4
Severity Score:: Medium
CVE:: 2026-2396

Plugin:: Webling
Plugin Slug:: webling
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.1
Severity Score:: Medium
CVE:: 2026-1263

Plugin:: RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
Plugin Slug:: computer-repair-shop
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1133
Severity Score:: Medium
CVE:: 2026-39584

Plugin:: Flipbox Addon for Elementor
Plugin Slug:: ultimate-flipbox-addon-for-elementor
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2026-6048

Plugin:: BuddyPress Groupblog
Plugin Slug:: bp-groupblog
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.9.4
Severity Score:: High
CVE:: 2026-5144

Plugin:: Age Verification & Identity Verification by Token of Trust
Plugin Slug:: token-of-trust
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.32.4
Severity Score:: High
CVE:: 2026-2834

Plugin:: Ultra Addons for WPForms
Plugin Slug:: ultra-addons-for-wpforms
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.12
Severity Score:: Medium
CVE:: 2026-39594

Plugin:: Hostel
Plugin Slug:: hostel
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.7
Severity Score:: High
CVE:: 2026-1838

Plugin:: HAPPY – Helpdesk Support Ticket System
Plugin Slug:: happy-helpdesk-support-ticket-system
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.11
Severity Score:: Medium
CVE:: 2026-39593

Plugin:: Surbma | Booking.com Shortcode
Plugin Slug:: surbma-bookingcom-shortcode
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2026-1607

Plugin:: WholeSale Products Dynamic Pricing Management WooCommerce
Plugin Slug:: wholesale-products-dynamic-pricing-management-woocommerce
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4479

Plugin:: Academy LMS Pro
Plugin Slug:: academy-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2026-39598

Plugin:: Accordion and Accordion Slider
Plugin Slug:: accordion-and-accordion-slider
Vulnerability:: Backdoor
Patched in Version:: 1.4.6.1
Severity Score:: Critical

Plugin:: Album and Image Gallery plus Lightbox
Plugin Slug:: album-and-image-gallery-plus-lightbox
Vulnerability:: Backdoor
Patched in Version:: 2.1.8.1
Severity Score:: Critical

Plugin:: Blog Designer – Post and Widget
Plugin Slug:: blog-designer-for-post-and-widget
Vulnerability:: Backdoor
Patched in Version:: 2.7.7.1
Severity Score:: Critical

Plugin:: Career Section
Plugin Slug:: career-section
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.7
Severity Score:: High
CVE:: 2025-14868

Plugin:: Countdown Timer Ultimate
Plugin Slug:: countdown-timer-ultimate
Vulnerability:: Backdoor
Patched in Version:: 2.6.9.1
Severity Score:: Critical

Plugin:: Featured Post Creative
Plugin Slug:: featured-post-creative
Vulnerability:: Backdoor
Patched in Version:: 1.5.7.1
Severity Score:: Critical

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Content Injection
Patched in Version:: 3.15.2
Severity Score:: Medium
CVE:: 2026-1509

Plugin:: Fusion Builder
Plugin Slug:: fusion-builder
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.15.2
Severity Score:: Medium
CVE:: 2026-1541

Plugin:: Gravity SMTP
Plugin Slug:: gravitysmtp
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-4162

Plugin:: Video gallery and Player
Plugin Slug:: html5-videogallery-plus-player
Vulnerability:: Backdoor
Patched in Version:: 2.8.7.1
Severity Score:: Critical

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: SQL Injection
Patched in Version:: 3.8.6.2
Severity Score:: Critical
CVE:: 2026-4352

Plugin:: Client Portal (Pro)
Plugin Slug:: leco-client-portal
Vulnerability:: Arbitrary File Download
Patched in Version:: 5.6.3
Severity Score:: Medium
CVE:: 2026-40724

Plugin:: Meta slider and carousel with lightbox
Plugin Slug:: meta-slider-and-carousel-with-lightbox
Vulnerability:: Backdoor
Patched in Version:: 2.0.8.1
Severity Score:: Critical

Plugin:: MetForm Pro
Plugin Slug:: metform-pro
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-1782

Plugin:: Popup Anything
Plugin Slug:: popup-anything-on-click
Vulnerability:: Backdoor
Patched in Version:: 2.9.1.1
Severity Score:: Critical

Plugin:: Portfolio and Projects
Plugin Slug:: portfolio-and-projects
Vulnerability:: Backdoor
Patched in Version:: 1.5.6.1
Severity Score:: Critical

Plugin:: Post grid and filter ultimate
Plugin Slug:: post-grid-and-filter-ultimate
Vulnerability:: Backdoor
Patched in Version:: 1.7.4.1
Severity Score:: Critical

Plugin:: WP responsive FAQ with category
Plugin Slug:: sp-faq
Vulnerability:: Backdoor
Patched in Version:: 3.9.5.1
Severity Score:: Critical

Plugin:: WP News and Scrolling Widgets
Plugin Slug:: sp-news-and-widget
Vulnerability:: Backdoor
Patched in Version:: 5.0.6.1
Severity Score:: Critical

Plugin:: WowShipping Pro
Plugin Slug:: table-rate-shipping-pro
Vulnerability:: Backdoor
Patched in Version:: 1.0.8
Severity Score:: Critical

Plugin:: Post Ticker Ultimate
Plugin Slug:: ticker-ultimate
Vulnerability:: Backdoor
Patched in Version:: 1.7.6.1
Severity Score:: Critical

Plugin:: Timeline and History slider
Plugin Slug:: timeline-and-history-slider
Vulnerability:: Backdoor
Patched in Version:: 2.4.5.1
Severity Score:: Critical

Plugin:: User Registration Stripe
Plugin Slug:: user-registration-stripe
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.15
Severity Score:: High
CVE:: 2026-40726

Plugin:: Userpro
Plugin Slug:: userpro
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.1.11
Severity Score:: Medium
CVE:: 2025-53444

Plugin:: Product Pricing Table by WooBeWoo
Plugin Slug:: woo-product-pricing-tables
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.1
Severity Score:: High
CVE:: 2026-1852

Plugin:: WooCommerce Product Filters
Plugin Slug:: woocommerce-product-filters
Vulnerability:: PHP Object Injection
Patched in Version:: 2.0.6
Severity Score:: Critical
CVE:: 2026-40725

Plugin:: WP Blog and Widget
Plugin Slug:: wp-blog-and-widgets
Vulnerability:: Backdoor
Patched in Version:: 2.6.6.1
Severity Score:: Critical

Plugin:: WP Featured Content and Slider
Plugin Slug:: wp-featured-content-and-slider
Vulnerability:: Backdoor
Patched in Version:: 1.7.6.1
Severity Score:: Critical

Plugin:: WP Logo Showcase Responsive Slider and Carousel
Plugin Slug:: wp-logo-showcase-responsive-slider-slider
Vulnerability:: Backdoor
Patched in Version:: 3.8.7.1
Severity Score:: Critical

Plugin:: WP Responsive Recent Post Slider/Carousel
Plugin Slug:: wp-responsive-recent-post-slider
Vulnerability:: Backdoor
Patched in Version:: 3.7.1.1
Severity Score:: Critical

Plugin:: WP Slick Slider and Image Carousel
Plugin Slug:: wp-slick-slider-and-image-carousel
Vulnerability:: Backdoor
Patched in Version:: 3.7.8.2
Severity Score:: Critical

Plugin:: Team Slider and Team Grid Showcase plus Team Carousel
Plugin Slug:: wp-team-showcase-and-slider
Vulnerability:: Backdoor
Patched in Version:: 2.8.6.1
Severity Score:: Critical

Plugin:: Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
Plugin Slug:: wp-testimonial-with-widget
Vulnerability:: Backdoor
Patched in Version:: 3.5.6.1
Severity Score:: Critical

Plugin:: Trending/Popular Post Slider and Widget
Plugin Slug:: wp-trending-post-slider-and-widget
Vulnerability:: Backdoor
Patched in Version:: 1.8.6.1
Severity Score:: Critical

Plugin:: Royal Elementor Addons Pro
Plugin Slug:: wpr-addons-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1041
Severity Score:: High
CVE:: 2026-40720

WordPress Themes — 28 Patched / 1 Unpatched

Theme:: WebStack
Theme Slug:: webstack
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1555

Theme:: Charity Zone
Theme Slug:: charity-zone
Downloads: 112,126
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.2
Severity Score:: Critical
CVE:: 2026-40749

Theme:: Ecommerce Zone
Theme Slug:: ecommerce-zone
Downloads: 89,443
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.9.8
Severity Score:: Critical
CVE:: 2026-40747

Theme:: Kids Gift Shop
Theme Slug:: kids-gift-shop
Downloads: 20,521
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.5.5
Severity Score:: Critical
CVE:: 2026-40748

Theme:: Kids Online Store
Theme Slug:: kids-online-store
Downloads: 53,065
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.9.0
Severity Score:: Critical
CVE:: 2026-40750

Theme:: Restaurant Zone
Theme Slug:: restaurant-zone
Downloads: 80,108
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.7.9
Severity Score:: Critical
CVE:: 2026-40746

Theme:: Vantage
Theme Slug:: vantage
Downloads: 3,232,270
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.20.33
Severity Score:: Medium
CVE:: 2026-5070

Theme:: Webenvo
Theme Slug:: webenvo
Downloads: 10,224
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.0.7
Severity Score:: Critical
CVE:: 2026-39589

Theme:: Ashtanga
Theme Slug:: ashtanga
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-40751

Theme:: Atomlab
Theme Slug:: atomlab
Vulnerability:: Local File Inclusion
Patched in Version:: 2.4.6
Severity Score:: High
CVE:: 2026-39590

Theme:: Behold
Theme Slug:: behold
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-40760

Theme:: ChapterOne
Theme Slug:: chapterone
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8
Severity Score:: High
CVE:: 2026-40731

Theme:: Château
Theme Slug:: chateau
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-40757

Theme:: EasyMeals
Theme Slug:: easymeals
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-40753

Theme:: Eldon
Theme Slug:: eldon
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40738

Theme:: Eleganzo
Theme Slug:: eleganzo
Vulnerability:: Path Traversal
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2025-15470

Theme:: Elementra
Theme Slug:: elementra
Vulnerability:: PHP Object Injection
Patched in Version:: 1.1.0
Severity Score:: Critical
CVE:: 2026-39529

Theme:: Esmée
Theme Slug:: esme
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40759

Theme:: Laurits
Theme Slug:: laurits
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-40736

Theme:: Léonie
Theme Slug:: lonie
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-40758

Theme:: LuxeDrive
Theme Slug:: luxedrive
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40739

Theme:: MagOne
Theme Slug:: magone
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1
Severity Score:: High
CVE:: 2026-39548

Theme:: Manufaktur Solutions
Theme Slug:: manufaktursolutions
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2
Severity Score:: High
CVE:: 2026-40752

Theme:: Reina
Theme Slug:: reina
Vulnerability:: PHP Object Injection
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-40735

Theme:: Roisin
Theme Slug:: roisin
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40754

Theme:: ShiftUp
Theme Slug:: shiftup
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-40733

Theme:: TechLink
Theme Slug:: techlink
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-40755

Theme:: Valeska
Theme Slug:: valeska
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-40761

Theme:: Zoya
Theme Slug:: zoya
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-40756

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

The post WordPress Vulnerability Report — April 22, 2026 appeared first on SolidWP.

WordPress Vulnerability Report — April 15, 2026

Sarah Ulmer — Wed, 15 Apr 2026 13:23:50 +0000

In this report, 185 vulnerabilities have been publicly disclosed. Security patches for 169 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 16 plugin vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

1. WordPress Core
2. WordPress Plugins — 159 Patched / 28 Unpatched

2.1 Pz-LinkCard
2.2 WCFM Marketplace – Multivendor Marketplace for WooCommerce
2.3 Smart Online Order for Clover
2.4 Accept Cryptocurrencies with Plisio
2.5 Quick Interest Slider
2.6 Livemesh Addons for Elementor
2.7 Livemesh Addons for Elementor
2.8 Canto
2.9 CMS für Motorrad Werkstätten
2.10 Coachific Shortcode
2.11 Custom New User Notification
2.12 e-shot
2.13 Inquiry form to posts or pages
2.14 Katalogportal-pdf-sync Widget
2.15 Login as User
2.16 Accessibility Suite
2.17 OPEN-BRAIN
2.18 OPEN-BRAIN
2.19 Accessibly – WordPress Website Accessibility
2.20 Petje.af
2.21 Riaxe Product Customizer
2.22 Riaxe Product Customizer
2.23 Riaxe Product Customizer
2.24 VI: Include Post By
2.25 Visa Acceptance Solutions
2.26 WM JqMath
2.27 WP Circliful
2.28 Power Charts
2.29 Advanced Custom Fields (ACF®)
2.30 ManageWP Worker
2.31 Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
2.32 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.33 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.34 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.35 BackWPup – WordPress Backup & Restore Plugin
2.36 Meta Box
2.37 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.38 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.39 WP Shortcodes Plugin — Shortcodes Ultimate
2.40 Page Builder Gutenberg Blocks – CoBlocks
2.41 ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
2.42 Unlimited Elements For Elementor
2.43 PDF Invoices & Packing Slips for WooCommerce
2.44 CMP – Coming Soon & Maintenance Plugin by NiteoThemes
2.45 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.46 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.47 Post Duplicator
2.48 JetBackup – Backup, Restore & Migrate
2.49 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
2.50 Anti-Malware Security and Brute-Force Firewall
2.51 Kubio AI Page Builder
2.52 LatePoint – Calendar Booking Plugin for Appointments and Events
2.53 Modula Image Gallery – Photo Grid & Video Gallery
2.54 Tutor LMS – eLearning and online course solution
2.55 Tutor LMS – eLearning and online course solution
2.56 Tutor LMS – eLearning and online course solution
2.57 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.58 Download Monitor
2.59 Email Encoder – Protect Email Addresses and Phone Numbers
2.60 Email Encoder – Protect Email Addresses and Phone Numbers
2.61 ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
2.62 Customer Reviews for WooCommerce
2.63 Customer Reviews for WooCommerce
2.64 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
2.65 Jupiter X Core
2.66 Jupiter X Core
2.67 LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
2.68 OneSignal – Web Push Notifications
2.69 Germanized for WooCommerce
2.70 wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
2.71 Contextual Related Posts
2.72 Drag and Drop Multiple File Upload for Contact Form 7
2.73 Drag and Drop Multiple File Upload for Contact Form 7
2.74 User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2.75 Product Filter for WooCommerce by WBW
2.76 Product Filter for WooCommerce by WBW
2.77 WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
2.78 Advanced Product Fields (Product Addons) for WooCommerce
2.79 Categories Images
2.80 Better Find and Replace – AI-Powered Suggestions
2.81 YayMail – WooCommerce Email Customizer
2.82 BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
2.83 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
2.84 Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
2.85 Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
2.86 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.87 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.88 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.89 Website LLMs.txt
2.90 Website LLMs.txt
2.91 WP YouTube Lyte
2.92 Social Slider Feed
2.93 Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
2.94 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.95 Payment Gateway for Redsys & WooCommerce Lite
2.96 Payment Gateway for Redsys & WooCommerce Lite
2.97 wpForo Forum
2.98 wpForo Forum
2.99 wpForo Forum
2.100 WPZOOM Addons for Elementor – Starter Templates & Widgets
2.101 Content Blocks (Custom Post Widget)
2.102 WP Customer Area
2.103 Easy Appointments
2.104 Easy Appointments
2.105 EMC – Easily Embed Calendly Scheduling
2.106 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.107 MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.108 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
2.109 Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
2.110 Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
2.111 WP Photo Album Plus
2.112 YML for Yandex Market
2.113 WCAPF – Ajax Product Filter for WooCommerce
2.114 AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
2.115 EventPrime – Events Calendar, Bookings and Tickets
2.116 ActivityPub
2.117 Nexi XPay
2.118 FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
2.119 Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
2.120 Booking Activities
2.121 Notification for Telegram
2.122 Responsive Blocks – Page Builder for Blocks & Patterns
2.123 WpStream – Live Streaming, Video on Demand, Pay Per View
2.124 Basic Google Maps Placemarks
2.125 Events Calendar for GeoDirectory
2.126 Image Source Control Lite – Show Image Credits and Captions
2.127 SpeakOut! Email Petitions
2.128 WP Directory Kit
2.129 Groundhogg — CRM, Newsletters, and Marketing Automation
2.130 Prismatic
2.131 Shipment Tracker for Woocommerce
2.132 MyRewards
2.133 Video Gallery – YouTube Gallery & Responsive Video Playlist
2.134 Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
2.135 Mini Ajax Cart for WooCommerce
2.136 WP Docs
2.137 DirectoryPress – Business Directory And Classified Ad Listing
2.138 InPost Gallery
2.139 bBlocks – Essential Gutenberg Blocks & Patterns Collection
2.140 WP Sessions Time Monitoring Full Automatic
2.141 List View Google Calendar
2.142 Webling
2.143 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
2.144 Flipbox Addon for Elementor
2.145 BuddyPress Groupblog
2.146 Age Verification & Identity Verification by Token of Trust
2.147 Ultra Addons for WPForms
2.148 Hostel
2.149 HAPPY – Helpdesk Support Ticket System
2.150 Surbma | Booking.com Shortcode
2.151 WholeSale Products Dynamic Pricing Management WooCommerce
2.152 Academy LMS Pro
2.153 Accordion and Accordion Slider
2.154 Album and Image Gallery plus Lightbox
2.155 Blog Designer – Post and Widget
2.156 Career Section
2.157 Countdown Timer Ultimate
2.158 Featured Post Creative
2.159 Fusion Builder
2.160 Fusion Builder
2.161 Gravity SMTP
2.162 Video gallery and Player
2.163 JetEngine
2.164 Client Portal (Pro)
2.165 Meta slider and carousel with lightbox
2.166 MetForm Pro
2.167 Popup Anything
2.168 Portfolio and Projects
2.169 Post grid and filter ultimate
2.170 WP responsive FAQ with category
2.171 WP News and Scrolling Widgets
2.172 WowShipping Pro
2.173 Post Ticker Ultimate
2.174 Timeline and History slider
2.175 User Registration Stripe
2.176 Userpro
2.177 Product Pricing Table by WooBeWoo
2.178 WooCommerce Product Filters
2.179 WP Blog and Widget
2.180 WP Featured Content and Slider
2.181 WP Logo Showcase Responsive Slider and Carousel
2.182 WP Responsive Recent Post Slider/Carousel
2.183 WP Slick Slider and Image Carousel
2.184 Team Slider and Team Grid Showcase plus Team Carousel
2.185 Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
2.186 Trending/Popular Post Slider and Widget
2.187 Royal Elementor Addons Pro

3. WordPress Themes — 28 Patched / 1 Unpatched

3.1 WebStack
3.2 Charity Zone
3.3 Ecommerce Zone
3.4 Kids Gift Shop
3.5 Kids Online Store
3.6 Restaurant Zone
3.7 Vantage
3.8 Webenvo
3.9 Ashtanga
3.10 Atomlab
3.11 Behold
3.12 ChapterOne
3.13 Château
3.14 EasyMeals
3.15 Eldon
3.16 Eleganzo
3.17 Elementra
3.18 Esmée
3.19 Laurits
3.20 Léonie
3.21 LuxeDrive
3.22 MagOne
3.23 Manufaktur Solutions
3.24 Reina
3.25 Roisin
3.26 ShiftUp
3.27 TechLink
3.28 Valeska
3.29 Zoya

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress Plugins — 145 Patched / 16 Unpatched

Plugin:: AM LottiePlayer
Plugin Slug:: am-lottieplayer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-1794

Plugin:: Attendance Manager
Plugin Slug:: attendance-manager
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3781

Plugin:: Columns by BestWebSoft
Plugin Slug:: columns-bws
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3618

Plugin:: DSGVO Google Web Fonts GDPR
Plugin Slug:: dsgvo-google-web-fonts-gdpr
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-3535

Plugin:: Gerador de Certificados – DevApps
Plugin Slug:: gerador-de-certificados-devapps
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4808

Plugin:: Inquiry form to posts or pages
Plugin Slug:: inquiry-form-to-posts-or-pages
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5169

Plugin:: Pinterest Site Verification plugin using Meta Tag
Plugin Slug:: pinterest-site-verification
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3142

Plugin:: pz-frontend-manager
Plugin Slug:: pz-frontend-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3477

Plugin:: Quran Translations
Plugin Slug:: quran-translations-by-edc
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4141

Plugin:: Riaxe Product Customizer
Plugin Slug:: riaxe-product-customizer
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3594

Plugin:: Sports Club Management
Plugin Slug:: sports-club-management
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4871

Plugin:: Wavr
Plugin Slug:: wavr
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5506

Plugin:: Whole Enquiry Cart for WooCommerce
Plugin Slug:: whole-cart-enquiry
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2838

Plugin:: IDPay Payment Gateway for Woocommerce
Plugin Slug:: woo-idpay-gateway
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-34891

Plugin:: WowPress
Plugin Slug:: wowpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-5508

Plugin:: WP Blockade
Plugin Slug:: wp-blockade
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3480

Plugin:: Elementor Website Builder – more than just a page builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.35.6
Severity Score:: Medium
CVE:: 2025-14732

Plugin:: ManageWP Worker
Plugin Slug:: worker
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.32
Severity Score:: High
CVE:: 2026-39463

Plugin:: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Plugin Slug:: wp-optimize
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.5.1
Severity Score:: Medium
CVE:: 2026-2712

Plugin:: Smart Slider 3
Plugin Slug:: smart-slider-3
Installations: 800,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.1.34
Severity Score:: Medium
CVE:: 2026-4065

Plugin:: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.4
Severity Score:: High
CVE:: 2026-2826

Plugin:: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.4
Severity Score:: Medium
CVE:: 2026-2826

Plugin:: BackWPup – WordPress Backup & Restore Plugin
Plugin Slug:: backwpup
Installations: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.6.7
Severity Score:: High
CVE:: 2026-6227

Plugin:: Meta Box
Plugin Slug:: meta-box
Installations: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.11.2
Severity Score:: Medium
CVE:: 2026-39468

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.4
Severity Score:: Medium
CVE:: 2026-34903

Plugin:: YITH WooCommerce Wishlist
Plugin Slug:: yith-woocommerce-wishlist
Installations: 500,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.13.0
Severity Score:: Medium
CVE:: 2026-4432

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9
Severity Score:: Medium
CVE:: 2026-2509

Plugin:: Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails
Plugin Slug:: woo-cart-abandonment-recovery
Installations: 300,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.1.0
Severity Score:: High
CVE:: 2026-39470

Plugin:: MW WP Form
Plugin Slug:: mw-wp-form
Installations: 200,000+
Vulnerability:: Directory Traversal
Patched in Version:: 5.1.2
Severity Score:: High
CVE:: 2026-5436

Plugin:: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.3
Severity Score:: High
CVE:: 2026-5217

Plugin:: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.4
Severity Score:: High
CVE:: 2026-5226

Plugin:: Post Duplicator
Plugin Slug:: post-duplicator
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.11
Severity Score:: High
CVE:: 2026-39474

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.2
Severity Score:: Medium
CVE:: 2025-15064

Plugin:: Aruba HiSpeed Cache
Plugin Slug:: aruba-hispeed-cache
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0.5
Severity Score:: Medium
CVE:: 2026-1924

Plugin:: Element Pack – Widgets, Templates & Addons for Elementor
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5.0
Severity Score:: Medium
CVE:: 2026-4655

Plugin:: Prime Slider – Addons for Elementor
Plugin Slug:: bdthemes-prime-slider-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.11
Severity Score:: Medium
CVE:: 2026-4341

Plugin:: Beaver Builder Page Builder – Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.1.2
Severity Score:: Medium
CVE:: 2026-2481

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.52
Severity Score:: Medium
CVE:: 2026-4057

Plugin:: Download Manager
Plugin Slug:: download-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.53
Severity Score:: Medium
CVE:: 2026-5357

Plugin:: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.4.4
Severity Score:: Critical
CVE:: 2026-3296

Plugin:: LatePoint – Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.1
Severity Score:: Medium
CVE:: 2026-4785

Plugin:: MainWP Child Reports
Plugin Slug:: mainwp-child-reports
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3
Severity Score:: Medium
CVE:: 2026-4299

Plugin:: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.10
Severity Score:: Medium
CVE:: 2026-3311

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-3371

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: Medium
CVE:: 2026-3358

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.8
Severity Score:: High
CVE:: 2026-3360

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Content Injection
Patched in Version:: 4.16.12
Severity Score:: Medium
CVE:: 2026-3309

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-5465

Plugin:: BackupBliss – Backup & Migration with Free Cloud Storage
Plugin Slug:: backup-backup
Installations: 90,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-39480

Plugin:: BackupBliss – Backup & Migration with Free Cloud Storage
Plugin Slug:: backup-backup
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2025-14944

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.1.11
Severity Score:: Medium
CVE:: 2026-4401

Plugin:: Strong Testimonials
Plugin Slug:: strong-testimonials
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.22
Severity Score:: Medium
CVE:: 2026-3239

Plugin:: ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
Plugin Slug:: woolentor-addons
Installations: 90,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.6
Severity Score:: Medium
CVE:: 2026-4059

Plugin:: Hustle – Email Marketing, Lead Generation, Optins, Popups
Plugin Slug:: wordpress-popup
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.8.11
Severity Score:: Medium
CVE:: 2026-2263

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Broken Authentication
Patched in Version:: 5.104.0
Severity Score:: Medium
CVE:: 2026-4664

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.14.2
Severity Score:: Medium
CVE:: 2026-39491

Plugin:: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.4
Severity Score:: Medium
CVE:: 2026-4333

Plugin:: List category posts
Plugin Slug:: list-category-posts
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.95.0
Severity Score:: Medium
CVE:: 2026-3005

Plugin:: Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce
Plugin Slug:: woo-product-feed-pro
Installations: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 13.5.2.2
Severity Score:: High
CVE:: 2026-3499

Plugin:: Advanced Contact form 7 DB
Plugin Slug:: advanced-cf7-db
Installations: 70,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2026-0811

Plugin:: Advanced Contact form 7 DB
Plugin Slug:: advanced-cf7-db
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2026-0814

Plugin:: Online Scheduling and Appointment Booking System – Bookly
Plugin Slug:: bookly-responsive-appointment-booking-tool
Installations: 70,000+
Vulnerability:: Content Injection
Patched in Version:: 27.1
Severity Score:: Medium
CVE:: 2026-2519

Plugin:: Greenshift – animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.9.0
Severity Score:: Medium
CVE:: 2026-4895

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.35
Severity Score:: Medium
CVE:: 2026-34897

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.35
Severity Score:: High
CVE:: 2026-34885

Plugin:: Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels
Plugin Slug:: webappick-product-feed-for-woocommerce
Installations: 70,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.6.27
Severity Score:: High
CVE:: 2026-39434

Plugin:: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.9.29
Severity Score:: Critical
CVE:: 2026-39493

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Open Redirection
Patched in Version:: 5.1.5
Severity Score:: Medium
CVE:: 2026-6203

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.1.3
Severity Score:: High
CVE:: 2026-1865

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.3
Severity Score:: Critical
CVE:: 2026-39494

Plugin:: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.2
Severity Score:: Critical
CVE:: 2026-39492

Plugin:: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Plugin Slug:: ays-popup-box
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.0
Severity Score:: High
CVE:: 2025-15611

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Authentication
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2026-4330

Plugin:: Robo Gallery – Photo & Image Slider
Plugin Slug:: robo-gallery
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.4
Severity Score:: Medium
CVE:: 2026-4300

Plugin:: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug:: woo-bulk-editor
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2026-1673

Plugin:: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug:: woo-bulk-editor
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2026-1672

Plugin:: LightPress Lightbox
Plugin Slug:: wp-jquery-lightbox
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.5
Severity Score:: Medium
CVE:: 2026-4379

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.15.39
Severity Score:: Critical
CVE:: 2026-39502

Plugin:: Link Whisper Free
Plugin Slug:: link-whisper
Installations: 30,000+
Vulnerability:: Settings Change
Patched in Version:: 0.9.1
Severity Score:: Medium
CVE:: 2026-1900

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.15.16
Severity Score:: Medium
CVE:: 2026-2988

Plugin:: Ultimate FAQ Accordion Plugin
Plugin Slug:: ultimate-faqs
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.8
Severity Score:: Medium
CVE:: 2026-4336

Plugin:: Visitor Traffic Real Time Statistics
Plugin Slug:: visitors-traffic-real-time-statistics
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5
Severity Score:: High
CVE:: 2026-2936

Plugin:: AddFunc Head & Footer Code
Plugin Slug:: addfunc-head-footer-code
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4
Severity Score:: Medium
CVE:: 2026-2305

Plugin:: Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
Plugin Slug:: post-carousel
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.0.13
Severity Score:: High
CVE:: 2026-3017

Plugin:: Simple Social Media Share Buttons – Social Sharing for Everyone
Plugin Slug:: simple-social-buttons
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.2.1
Severity Score:: High
CVE:: 2026-34904

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2026-4979

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2026-4977

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.61
Severity Score:: Medium
CVE:: 2026-5742

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5
Severity Score:: Medium
CVE:: 2026-4303

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.0.3
Severity Score:: High
CVE:: 2026-5809

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.4.17
Severity Score:: High
CVE:: 2026-3666

Plugin:: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Plugin Slug:: blockart-blocks
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2026-3498

Plugin:: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.10
Severity Score:: Medium
CVE:: 2026-3177

Plugin:: Easy Appointments
Plugin Slug:: easy-appointments
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.12.22
Severity Score:: High
CVE:: 2026-39513

Plugin:: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.8.154
Severity Score:: Critical
CVE:: 2026-39512

Plugin:: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Plugin Slug:: lifterlms
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.2.2
Severity Score:: Medium
CVE:: 2026-5207

Plugin:: OSM – OpenStreetMap
Plugin Slug:: osm
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.16
Severity Score:: Medium
CVE:: 2026-4429

Plugin:: Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
Plugin Slug:: royal-backup-reset
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.17
Severity Score:: High
CVE:: 2026-4305

Plugin:: Widgets for Social Photo Feed
Plugin Slug:: social-photo-feed-widget
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.0
Severity Score:: High
CVE:: 2026-5425

Plugin:: Under Construction, Coming Soon & Maintenance Mode
Plugin Slug:: under-construction-maintenance-mode
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.2
Severity Score:: High
CVE:: 2026-34896

Plugin:: Product Table and List Builder for WooCommerce Lite
Plugin Slug:: wc-product-table-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.4
Severity Score:: High
CVE:: 2026-34902

Plugin:: Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.9
Severity Score:: Medium
CVE:: 2026-4109

Plugin:: WP Photo Album Plus
Plugin Slug:: wp-photo-album-plus
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.08.002
Severity Score:: Critical
CVE:: 2026-39511

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.0.26
Severity Score:: High
CVE:: 2025-14545

Plugin:: WCAPF – Ajax Product Filter for WooCommerce
Plugin Slug:: wc-ajax-product-filter
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.3.0
Severity Score:: Critical
CVE:: 2026-3396

Plugin:: Awesome Support – WordPress HelpDesk & Support Plugin
Plugin Slug:: awesome-support
Installations: 7,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.3.8
Severity Score:: Medium
CVE:: 2026-4654

Plugin:: ActivityPub
Plugin Slug:: activitypub
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 8.0.2
Severity Score:: High
CVE:: 2026-4338

Plugin:: GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content
Plugin Slug:: geeky-bot
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.1
Severity Score:: Critical
CVE:: 2026-39519

Plugin:: WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
Plugin Slug:: wpfunnels
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.0
Severity Score:: Medium
CVE:: 2026-0626

Plugin:: Booking Activities
Plugin Slug:: booking-activities
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.17.0
Severity Score:: Medium
CVE:: 2026-39525

Plugin:: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.6
Severity Score:: High
CVE:: 2026-39524

Plugin:: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2026-5167

Plugin:: AWP Classifieds
Plugin Slug:: another-wordpress-classifieds-plugin
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.5
Severity Score:: High
CVE:: 2026-39533

Plugin:: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
Plugin Slug:: majestic-support
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.3
Severity Score:: Medium
CVE:: 2026-40778

Plugin:: MStore API – Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 3,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.18.4
Severity Score:: Medium
CVE:: 2026-3568

Plugin:: SpeakOut! Email Petitions
Plugin Slug:: speakout
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.6.5.1
Severity Score:: Critical
CVE:: 2026-39530

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.1
Severity Score:: Critical
CVE:: 2026-39531

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.1
Severity Score:: High
CVE:: 2026-39534

Plugin:: Extensions for Leaflet Map
Plugin Slug:: extensions-leaflet-map
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15
Severity Score:: Medium
CVE:: 2026-5451

Plugin:: Timetics – Appointment Booking & Scheduling
Plugin Slug:: timetics
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.54
Severity Score:: High
CVE:: 2026-39432

Plugin:: Event Tickets Manager for WooCommerce
Plugin Slug:: event-tickets-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: High
CVE:: 2026-34898

Plugin:: iControlWP
Plugin Slug:: worpit-admin-dashboard-plugin
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 5.5.4
Severity Score:: Critical
CVE:: 2026-34901

Plugin:: SQL Chart Builder
Plugin Slug:: sql-chart-builder
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: 2.3.8
Severity Score:: Critical
CVE:: 2026-4079

Plugin:: Webling
Plugin Slug:: webling
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.1
Severity Score:: Medium
CVE:: 2026-1263

Plugin:: Datalogics Ecommerce Delivery – Datalogics
Plugin Slug:: datalogics
Installations: 400+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.6.63
Severity Score:: Critical
CVE:: 2026-39583

Plugin:: Post Blocks & Tools
Plugin Slug:: bnm-blocks
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: Medium
CVE:: 2026-5711

Plugin:: TableOn – WordPress Posts Table Filterable
Plugin Slug:: posts-table-filterable
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.5
Severity Score:: Medium
CVE:: 2026-3513

Plugin:: WP BASE Booking of Appointments, Services and Events
Plugin Slug:: wp-base-booking-of-appointments-services-and-events
Installations: 200+
Vulnerability:: Privilege Escalation
Patched in Version:: 6.0.0
Severity Score:: High
CVE:: 2026-39587

Plugin:: Text to Speech – TTSWP
Plugin Slug:: text-to-speech-tts
Installations: 100+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.9.9
Severity Score:: High
CVE:: 2026-1233

Plugin:: LTL Freight Quotes – Worldwide Express Edition
Plugin Slug:: ltl-freight-quotes-worldwide-express-edition
Installations: 90+
Vulnerability:: Broken Access Control
Patched in Version:: 5.2.2
Severity Score:: Medium
CVE:: 2026-34899

Plugin:: Ziggeo
Plugin Slug:: ziggeo
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.2
Severity Score:: Medium
CVE:: 2026-4124

Plugin:: BuddyPress Groupblog
Plugin Slug:: bp-groupblog
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.9.4
Severity Score:: High
CVE:: 2026-5144

Plugin:: WP-BusinessDirectory – Business directory plugin for WordPress
Plugin Slug:: wp-businessdirectory
Installations: 40+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.0.1
Severity Score:: Critical
CVE:: 2026-39591

Plugin:: Advanced Members for ACF
Plugin Slug:: advanced-members
Installations: 30+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.2.6
Severity Score:: High
CVE:: 2026-3243

Plugin:: PrivateContent Free
Plugin Slug:: privatecontent-free
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4025

Plugin:: ProSolution WP Client
Plugin Slug:: prosolution-wp-client
Installations: 20+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.0
Severity Score:: Critical
CVE:: 2026-2942

Plugin:: Experto Dashboard for WooCommerce
Plugin Slug:: experto-custom-dashboard
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.5
Severity Score:: Medium
CVE:: 2026-3574

Plugin:: Investi
Plugin Slug:: investi
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.27
Severity Score:: Medium
CVE:: 2026-3600

Plugin:: LTL Freight Quotes – R+L Carriers Edition
Plugin Slug:: ltl-freight-quotes-rl-edition
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.14
Severity Score:: Medium
CVE:: 2026-3646

Plugin:: Magic Conversation For Gravity Forms
Plugin Slug:: magic-conversation-for-gravity-forms
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.98
Severity Score:: Medium
CVE:: 2026-1396

Plugin:: Surbma | Booking.com Shortcode
Plugin Slug:: surbma-bookingcom-shortcode
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.1
Severity Score:: Medium
CVE:: 2026-1607

Plugin:: WholeSale Products Dynamic Pricing Management WooCommerce
Plugin Slug:: wholesale-products-dynamic-pricing-management-woocommerce
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2026-4479

Plugin:: WPAMS
Plugin Slug:: apartment-management
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 49.5.3
Severity Score:: Medium
CVE:: 2026-39433

Plugin:: Blocksy Companion Pro
Plugin Slug:: blocksy-companion-pro
Vulnerability:: SQL Injection
Patched in Version:: 2.1.29
Severity Score:: Critical
CVE:: 2026-39596

Plugin:: Bricksforge
Plugin Slug:: bricksforge
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.1.8.5
Severity Score:: High
CVE:: 2026-34888

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.31
Severity Score:: High
CVE:: 2026-4394

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.31
Severity Score:: High
CVE:: 2026-4406

Plugin:: Gravity SMTP
Plugin Slug:: gravitysmtp
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-4162

Plugin:: Integrio Core
Plugin Slug:: integrio-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.8
Severity Score:: High
CVE:: 2026-34894

Plugin:: Listeo Core
Plugin Slug:: listeo-core
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.0.28
Severity Score:: Medium
CVE:: 2025-14938

Plugin:: Mikado Core
Plugin Slug:: mikado-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.2
Severity Score:: High
CVE:: 2026-39537

Plugin:: Smart Slider 3 PRO
Plugin Slug:: nextend-smart-slider3-pro
Vulnerability:: Backdoor
Patched in Version:: 3.5.1.36
Severity Score:: Critical

Plugin:: Ninja Forms File Uploads Extension
Plugin Slug:: ninja-forms-uploads
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.27
Severity Score:: Critical
CVE:: 2026-0740

Plugin:: pdfl.io
Plugin Slug:: pdfl-io
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2026-4073

Plugin:: Perfmatters
Plugin Slug:: perfmatters
Vulnerability:: Directory Traversal
Patched in Version:: 2.6.0
Severity Score:: High
CVE:: 2026-4351

Plugin:: Quick Playground
Plugin Slug:: quick-playground
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.2
Severity Score:: Critical
CVE:: 2026-1830

Plugin:: Softlab Core
Plugin Slug:: softlab-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.11
Severity Score:: High
CVE:: 2026-34895

Plugin:: Solene Core
Plugin Slug:: solene-core
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3.4
Severity Score:: High
CVE:: 2026-39523

Plugin:: Thegov Core
Plugin Slug:: thegov-core
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.23
Severity Score:: High
CVE:: 2026-34893

Plugin:: Users manager – PN
Plugin Slug:: userspn
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.20
Severity Score:: Critical
CVE:: 2026-4003

Plugin:: MultiLoca
Plugin Slug:: woocommerce-multi-locations-inventory-management
Vulnerability:: Privilege Escalation
Patched in Version:: 4.2.16
Severity Score:: High
CVE:: 2026-39546

WordPress Themes — 24 Patched / 0 Unpatched

Theme:: Alloggio – Hotel Booking
Theme Slug:: alloggio
Vulnerability:: PHP Object Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-39539

Theme:: Aperitif
Theme Slug:: aperitif
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2026-39550

Theme:: Aperitif
Theme Slug:: aperitif
Vulnerability:: Local File Inclusion
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39549

Theme:: Askka
Theme Slug:: askka
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-39555

Theme:: Blueprint
Theme Slug:: blueprint
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.5
Severity Score:: High
CVE:: 2026-39552

Theme:: Fidalgo
Theme Slug:: fidalgo
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-39554

Theme:: Getaway
Theme Slug:: getaway
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8
Severity Score:: High
CVE:: 2026-39547

Theme:: Hiroshi
Theme Slug:: hiroshi
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39560

Theme:: Konsept
Theme Slug:: konsept
Vulnerability:: PHP Object Injection
Patched in Version:: 2.0
Severity Score:: High
CVE:: 2026-39556

Theme:: Malmö
Theme Slug:: malmo
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3
Severity Score:: High
CVE:: 2026-39558

Theme:: Micdrop
Theme Slug:: micdrop
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2026-39580

Theme:: Mildhill
Theme Slug:: mildhill
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39573

Theme:: Mr. SEO
Theme Slug:: mrseo
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1
Severity Score:: High
CVE:: 2026-39568

Theme:: NeoBeat
Theme Slug:: neobeat
Vulnerability:: PHP Object Injection
Patched in Version:: 1.8
Severity Score:: High
CVE:: 2026-39557

Theme:: Playroom
Theme Slug:: playroom
Vulnerability:: PHP Object Injection
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-39577

Theme:: Santé
Theme Slug:: sante
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39567

Theme:: SingleMalt
Theme Slug:: singlemalt
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: High
CVE:: 2026-39576

Theme:: Solene
Theme Slug:: solene
Vulnerability:: Local File Inclusion
Patched in Version:: 3.4.1
Severity Score:: High
CVE:: 2026-39522

Theme:: Töbel
Theme Slug:: tobel
Vulnerability:: PHP Object Injection
Patched in Version:: 1.9
Severity Score:: High
CVE:: 2026-39551

Theme:: Uppercase
Theme Slug:: uppercase
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.2
Severity Score:: High
CVE:: 2026-39559

Theme:: Valiance
Theme Slug:: valiance
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: High
CVE:: 2026-39578

Theme:: WaveRide
Theme Slug:: waveride
Vulnerability:: Local File Inclusion
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2026-39553

Theme:: Hitek
Theme Slug:: xts-hitek
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8.3
Severity Score:: High
CVE:: 2026-39582

Theme:: Zermatt
Theme Slug:: zermatt
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: High
CVE:: 2026-39545

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Get Solid Security

The post WordPress Vulnerability Report — April 15, 2026 appeared first on SolidWP.

WordPress Vulnerability Report — April 8, 2026

Sarah Ulmer — Wed, 08 Apr 2026 13:15:11 +0000

In this report, 68 vulnerabilities have been publicly disclosed. Security patches for 64 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 4 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

1. WordPress Core
2. WordPress Plugins — 159 Patched / 28 Unpatched

2.1 Pz-LinkCard
2.2 WCFM Marketplace – Multivendor Marketplace for WooCommerce
2.3 Smart Online Order for Clover
2.4 Accept Cryptocurrencies with Plisio
2.5 Quick Interest Slider
2.6 Livemesh Addons for Elementor
2.7 Livemesh Addons for Elementor
2.8 Canto
2.9 CMS für Motorrad Werkstätten
2.10 Coachific Shortcode
2.11 Custom New User Notification
2.12 e-shot
2.13 Inquiry form to posts or pages
2.14 Katalogportal-pdf-sync Widget
2.15 Login as User
2.16 Accessibility Suite
2.17 OPEN-BRAIN
2.18 OPEN-BRAIN
2.19 Accessibly – WordPress Website Accessibility
2.20 Petje.af
2.21 Riaxe Product Customizer
2.22 Riaxe Product Customizer
2.23 Riaxe Product Customizer
2.24 VI: Include Post By
2.25 Visa Acceptance Solutions
2.26 WM JqMath
2.27 WP Circliful
2.28 Power Charts
2.29 Advanced Custom Fields (ACF®)
2.30 ManageWP Worker
2.31 Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
2.32 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.33 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.34 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.35 BackWPup – WordPress Backup & Restore Plugin
2.36 Meta Box
2.37 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.38 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.39 WP Shortcodes Plugin — Shortcodes Ultimate
2.40 Page Builder Gutenberg Blocks – CoBlocks
2.41 ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
2.42 Unlimited Elements For Elementor
2.43 PDF Invoices & Packing Slips for WooCommerce
2.44 CMP – Coming Soon & Maintenance Plugin by NiteoThemes
2.45 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.46 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.47 Post Duplicator
2.48 JetBackup – Backup, Restore & Migrate
2.49 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
2.50 Anti-Malware Security and Brute-Force Firewall
2.51 Kubio AI Page Builder
2.52 LatePoint – Calendar Booking Plugin for Appointments and Events
2.53 Modula Image Gallery – Photo Grid & Video Gallery
2.54 Tutor LMS – eLearning and online course solution
2.55 Tutor LMS – eLearning and online course solution
2.56 Tutor LMS – eLearning and online course solution
2.57 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.58 Download Monitor
2.59 Email Encoder – Protect Email Addresses and Phone Numbers
2.60 Email Encoder – Protect Email Addresses and Phone Numbers
2.61 ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
2.62 Customer Reviews for WooCommerce
2.63 Customer Reviews for WooCommerce
2.64 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
2.65 Jupiter X Core
2.66 Jupiter X Core
2.67 LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
2.68 OneSignal – Web Push Notifications
2.69 Germanized for WooCommerce
2.70 wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
2.71 Contextual Related Posts
2.72 Drag and Drop Multiple File Upload for Contact Form 7
2.73 Drag and Drop Multiple File Upload for Contact Form 7
2.74 User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2.75 Product Filter for WooCommerce by WBW
2.76 Product Filter for WooCommerce by WBW
2.77 WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
2.78 Advanced Product Fields (Product Addons) for WooCommerce
2.79 Categories Images
2.80 Better Find and Replace – AI-Powered Suggestions
2.81 YayMail – WooCommerce Email Customizer
2.82 BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
2.83 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
2.84 Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
2.85 Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
2.86 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.87 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.88 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.89 Website LLMs.txt
2.90 Website LLMs.txt
2.91 WP YouTube Lyte
2.92 Social Slider Feed
2.93 Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
2.94 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.95 Payment Gateway for Redsys & WooCommerce Lite
2.96 Payment Gateway for Redsys & WooCommerce Lite
2.97 wpForo Forum
2.98 wpForo Forum
2.99 wpForo Forum
2.100 WPZOOM Addons for Elementor – Starter Templates & Widgets
2.101 Content Blocks (Custom Post Widget)
2.102 WP Customer Area
2.103 Easy Appointments
2.104 Easy Appointments
2.105 EMC – Easily Embed Calendly Scheduling
2.106 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.107 MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.108 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
2.109 Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
2.110 Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
2.111 WP Photo Album Plus
2.112 YML for Yandex Market
2.113 WCAPF – Ajax Product Filter for WooCommerce
2.114 AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
2.115 EventPrime – Events Calendar, Bookings and Tickets
2.116 ActivityPub
2.117 Nexi XPay
2.118 FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
2.119 Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
2.120 Booking Activities
2.121 Notification for Telegram
2.122 Responsive Blocks – Page Builder for Blocks & Patterns
2.123 WpStream – Live Streaming, Video on Demand, Pay Per View
2.124 Basic Google Maps Placemarks
2.125 Events Calendar for GeoDirectory
2.126 Image Source Control Lite – Show Image Credits and Captions
2.127 SpeakOut! Email Petitions
2.128 WP Directory Kit
2.129 Groundhogg — CRM, Newsletters, and Marketing Automation
2.130 Prismatic
2.131 Shipment Tracker for Woocommerce
2.132 MyRewards
2.133 Video Gallery – YouTube Gallery & Responsive Video Playlist
2.134 Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
2.135 Mini Ajax Cart for WooCommerce
2.136 WP Docs
2.137 DirectoryPress – Business Directory And Classified Ad Listing
2.138 InPost Gallery
2.139 bBlocks – Essential Gutenberg Blocks & Patterns Collection
2.140 WP Sessions Time Monitoring Full Automatic
2.141 List View Google Calendar
2.142 Webling
2.143 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
2.144 Flipbox Addon for Elementor
2.145 BuddyPress Groupblog
2.146 Age Verification & Identity Verification by Token of Trust
2.147 Ultra Addons for WPForms
2.148 Hostel
2.149 HAPPY – Helpdesk Support Ticket System
2.150 Surbma | Booking.com Shortcode
2.151 WholeSale Products Dynamic Pricing Management WooCommerce
2.152 Academy LMS Pro
2.153 Accordion and Accordion Slider
2.154 Album and Image Gallery plus Lightbox
2.155 Blog Designer – Post and Widget
2.156 Career Section
2.157 Countdown Timer Ultimate
2.158 Featured Post Creative
2.159 Fusion Builder
2.160 Fusion Builder
2.161 Gravity SMTP
2.162 Video gallery and Player
2.163 JetEngine
2.164 Client Portal (Pro)
2.165 Meta slider and carousel with lightbox
2.166 MetForm Pro
2.167 Popup Anything
2.168 Portfolio and Projects
2.169 Post grid and filter ultimate
2.170 WP responsive FAQ with category
2.171 WP News and Scrolling Widgets
2.172 WowShipping Pro
2.173 Post Ticker Ultimate
2.174 Timeline and History slider
2.175 User Registration Stripe
2.176 Userpro
2.177 Product Pricing Table by WooBeWoo
2.178 WooCommerce Product Filters
2.179 WP Blog and Widget
2.180 WP Featured Content and Slider
2.181 WP Logo Showcase Responsive Slider and Carousel
2.182 WP Responsive Recent Post Slider/Carousel
2.183 WP Slick Slider and Image Carousel
2.184 Team Slider and Team Grid Showcase plus Team Carousel
2.185 Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
2.186 Trending/Popular Post Slider and Widget
2.187 Royal Elementor Addons Pro

3. WordPress Themes — 28 Patched / 1 Unpatched

3.1 WebStack
3.2 Charity Zone
3.3 Ecommerce Zone
3.4 Kids Gift Shop
3.5 Kids Online Store
3.6 Restaurant Zone
3.7 Vantage
3.8 Webenvo
3.9 Ashtanga
3.10 Atomlab
3.11 Behold
3.12 ChapterOne
3.13 Château
3.14 EasyMeals
3.15 Eldon
3.16 Eleganzo
3.17 Elementra
3.18 Esmée
3.19 Laurits
3.20 Léonie
3.21 LuxeDrive
3.22 MagOne
3.23 Manufaktur Solutions
3.24 Reina
3.25 Roisin
3.26 ShiftUp
3.27 TechLink
3.28 Valeska
3.29 Zoya

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress 7.0 is scheduled for release on April 9, 2026.

WordPress Plugins — 63 Patched / 4 Unpatched

Plugin:: MSTW League Manager
Plugin Slug:: mstw-league-manager
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-34890

Plugin:: Auto Post Scheduler
Plugin Slug:: auto-post-scheduler
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1877

Plugin:: Performance Monitor
Plugin Slug:: performance-monitor
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3881

Plugin:: IDPay Payment Gateway for Woocommerce
Plugin Slug:: woo-idpay-gateway
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-34891

Plugin:: Elementor Website Builder – more than just a page builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.35.8
Severity Score:: Medium
CVE:: 2026-1206

Plugin:: ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor
Plugin Slug:: elementskit-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.0
Severity Score:: Medium
CVE:: 2026-2600

Plugin:: Complianz – GDPR/CCPA Cookie Consent
Plugin Slug:: complianz-gdpr
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.5
Severity Score:: Medium
CVE:: 2026-2389

Plugin:: Loco Translate
Plugin Slug:: loco-translate
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.3
Severity Score:: High
CVE:: 2026-4146

Plugin:: W3 Total Cache
Plugin Slug:: w3-total-cache
Installations: 900,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.9.4
Severity Score:: High
CVE:: 2026-5032

Plugin:: WooPayments: Integrated WooCommerce Payments
Plugin Slug:: woocommerce-payments
Installations: 900,000+
Vulnerability:: Broken Access Control
Patched in Version:: 10.6.0
Severity Score:: Medium
CVE:: 2026-1710

Plugin:: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.4
Severity Score:: High
CVE:: 2026-2826

Plugin:: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
Plugin Slug:: kadence-blocks
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.4
Severity Score:: Medium
CVE:: 2026-2826

Plugin:: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1050
Severity Score:: Medium
CVE:: 2026-0664

Plugin:: SureForms – Contact Form, Payment Form & Other Custom Form Builder
Plugin Slug:: sureforms
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.0
Severity Score:: High
CVE:: 2026-4987

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.9
Severity Score:: Medium
CVE:: 2026-0738

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.8
Severity Score:: Medium
CVE:: 2026-0737

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.5.0
Severity Score:: Medium
CVE:: 2026-2480

Plugin:: MW WP Form
Plugin Slug:: mw-wp-form
Installations: 200,000+
Vulnerability:: Directory Traversal
Patched in Version:: 5.1.1
Severity Score:: High
CVE:: 2026-4347

Plugin:: Query Monitor
Plugin Slug:: query-monitor
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.20.4
Severity Score:: High
CVE:: 2026-4267

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.2
Severity Score:: Medium
CVE:: 2025-15064

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.11.3
Severity Score:: High
CVE:: 2026-4248

Plugin:: Kubio AI Page Builder
Plugin Slug:: kubio
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.1
Severity Score:: Medium
CVE:: 2026-34887

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-5465

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-4668

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.1.8
Severity Score:: Medium
CVE:: 2026-3124

Plugin:: Database for Contact Form 7, WPforms, Elementor forms
Plugin Slug:: contact-form-entries
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.0
Severity Score:: Medium
CVE:: 2026-3831

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.35
Severity Score:: Medium
CVE:: 2026-34897

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.35
Severity Score:: High
CVE:: 2026-34885

Plugin:: Conditional Menus
Plugin Slug:: conditional-menus
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2026-1032

Plugin:: Export All URLs
Plugin Slug:: export-all-urls
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.1
Severity Score:: Medium
CVE:: 2026-2696

Plugin:: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations: 50,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.15.6
Severity Score:: Medium
CVE:: 2026-3139

Plugin:: Simple Membership
Plugin Slug:: simple-membership
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.2
Severity Score:: High
CVE:: 2026-34886

Plugin:: Blackhole for Bad Bots
Plugin Slug:: blackhole-bad-bots
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.1
Severity Score:: High
CVE:: 2026-4329

Plugin:: Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem
Plugin Slug:: gutenverse
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.7
Severity Score:: Medium
CVE:: 2026-2924

Plugin:: WP Lightbox 2
Plugin Slug:: wp-lightbox-2
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.7
Severity Score:: Medium
CVE:: 2026-1430

Plugin:: Xpro Addons — 140+ Widgets for Elementor
Plugin Slug:: xpro-elementor-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.21
Severity Score:: Medium
CVE:: 2025-13368

Plugin:: Xpro Addons — 140+ Widgets for Elementor
Plugin Slug:: xpro-elementor-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.25
Severity Score:: Medium
CVE:: 2026-2949

Plugin:: Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution
Plugin Slug:: fluent-booking
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.05
Severity Score:: High
CVE:: 2026-2231

Plugin:: Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio
Plugin Slug:: twentig
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0
Severity Score:: Medium
CVE:: 2026-2602

Plugin:: WCFM – Frontend Manager for WooCommerce
Plugin Slug:: wc-frontend-manager
Installations: 20,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 6.7.26
Severity Score:: High
CVE:: 2026-4896

Plugin:: WP Travel Engine – Tour Booking Plugin – Tour Operator Software
Plugin Slug:: wp-travel-engine
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7.6
Severity Score:: Medium
CVE:: 2026-2437

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.28.32
Severity Score:: High
CVE:: 2026-3328

Plugin:: Ibtana – WordPress Website Builder
Plugin Slug:: ibtana-visual-editor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.5.8
Severity Score:: Medium
CVE:: 2026-1834

Plugin:: King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder
Plugin Slug:: king-addons
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 51.1.54
Severity Score:: Medium
CVE:: 2025-13535

Plugin:: Minify HTML
Plugin Slug:: minify-html-markup
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2026-3191

Plugin:: Responsive Plus – Elementor Templates & Starter Sites
Plugin Slug:: responsive-add-ons
Installations: 10,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.4.3
Severity Score:: Medium
CVE:: 2025-15488

Plugin:: Simple Shopping Cart
Plugin Slug:: wordpress-simple-paypal-shopping-cart
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.5
Severity Score:: Medium
CVE:: 2026-0552

Plugin:: Spam Protect for Contact Form 7
Plugin Slug:: wp-contact-form-7-spam-blocker
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.2.10
Severity Score:: High
CVE:: 2026-1540

Plugin:: JS Help Desk – AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.0.5
Severity Score:: Critical
CVE:: 2026-2511

Plugin:: WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 8,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.5.0
Severity Score:: High
CVE:: 2026-4758

Plugin:: Contact Form by Supsystic
Plugin Slug:: contact-form-by-supsystic
Installations: 7,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.8.0
Severity Score:: Critical
CVE:: 2026-4257

Plugin:: WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
Plugin Slug:: wpfunnels
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.0
Severity Score:: Medium
CVE:: 2026-0626

Plugin:: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.1.7
Severity Score:: High
CVE:: 2026-4484

Plugin:: Shared Files – Frontend File Upload Form & Secure File Sharing
Plugin Slug:: shared-files
Installations: 4,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.7.58
Severity Score:: Medium
CVE:: 2025-15433

Plugin:: Webmention
Plugin Slug:: webmention
Installations: 900+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.7.0
Severity Score:: Medium
CVE:: 2026-0688

Plugin:: Webmention
Plugin Slug:: webmention
Installations: 900+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.7.0
Severity Score:: Medium
CVE:: 2026-0686

Plugin:: Order Notification for WooCommerce – Get Audio Alert on new Orders
Plugin Slug:: woc-order-alert
Installations: 900+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.6.3
Severity Score:: High
CVE:: 2025-15484

Plugin:: TrueBooker – Appointment Booking and Scheduler System
Plugin Slug:: truebooker-appointment-booking
Installations: 600+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2026-1797

Plugin:: Debugger & Troubleshooter
Plugin Slug:: debugger-troubleshooter
Installations: 50+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.4.0
Severity Score:: Critical
CVE:: 2026-5130

Plugin:: FloristPress for Woo – Customize your eCommerce store for your Florist
Plugin Slug:: bakkbone-florist-companion
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.8.3
Severity Score:: High
CVE:: 2026-1986

Plugin:: Bricksforge
Plugin Slug:: bricksforge
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.1.8.5
Severity Score:: High
CVE:: 2026-34888

Plugin:: Everest Forms Pro
Plugin Slug:: everest-forms-pro
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.9.13
Severity Score:: Critical
CVE:: 2026-3300

Plugin:: Gravity SMTP
Plugin Slug:: gravitysmtp
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2026-4020

Plugin:: LeadConnector
Plugin Slug:: leadconnector
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.22
Severity Score:: Medium
CVE:: 2026-1890

Plugin:: Perfmatters
Plugin Slug:: perfmatters
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.6.0
Severity Score:: High
CVE:: 2026-4350

Plugin:: ThemeREX Addons
Plugin Slug:: trx_addons
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.38.5
Severity Score:: Critical
CVE:: 2026-1969

Plugin:: Ultimate Addons for WPBakery Page Builder
Plugin Slug:: ultimate_vc_addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.21.4
Severity Score:: Medium
CVE:: 2026-34889

WordPress Themes — 1 Patched / 0 Unpatched

Theme:: Oxygen
Theme Slug:: oxygen
Downloads: 403,225
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 6.0.9
Severity Score:: High
CVE:: 2025-12886

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Get Solid Security

The post WordPress Vulnerability Report — April 8, 2026 appeared first on SolidWP.

WordPress Vulnerability Report — April 1, 2026

Sarah Ulmer — Wed, 01 Apr 2026 13:18:55 +0000

In this report, 225 vulnerabilities have been publicly disclosed. Security patches for 134 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 91 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

1. WordPress Core
2. WordPress Plugins — 159 Patched / 28 Unpatched

2.1 Pz-LinkCard
2.2 WCFM Marketplace – Multivendor Marketplace for WooCommerce
2.3 Smart Online Order for Clover
2.4 Accept Cryptocurrencies with Plisio
2.5 Quick Interest Slider
2.6 Livemesh Addons for Elementor
2.7 Livemesh Addons for Elementor
2.8 Canto
2.9 CMS für Motorrad Werkstätten
2.10 Coachific Shortcode
2.11 Custom New User Notification
2.12 e-shot
2.13 Inquiry form to posts or pages
2.14 Katalogportal-pdf-sync Widget
2.15 Login as User
2.16 Accessibility Suite
2.17 OPEN-BRAIN
2.18 OPEN-BRAIN
2.19 Accessibly – WordPress Website Accessibility
2.20 Petje.af
2.21 Riaxe Product Customizer
2.22 Riaxe Product Customizer
2.23 Riaxe Product Customizer
2.24 VI: Include Post By
2.25 Visa Acceptance Solutions
2.26 WM JqMath
2.27 WP Circliful
2.28 Power Charts
2.29 Advanced Custom Fields (ACF®)
2.30 ManageWP Worker
2.31 Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
2.32 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.33 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.34 WP Statistics – Simple, privacy-friendly Google Analytics alternative
2.35 BackWPup – WordPress Backup & Restore Plugin
2.36 Meta Box
2.37 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.38 Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider
2.39 WP Shortcodes Plugin — Shortcodes Ultimate
2.40 Page Builder Gutenberg Blocks – CoBlocks
2.41 ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
2.42 Unlimited Elements For Elementor
2.43 PDF Invoices & Packing Slips for WooCommerce
2.44 CMP – Coming Soon & Maintenance Plugin by NiteoThemes
2.45 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.46 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
2.47 Post Duplicator
2.48 JetBackup – Backup, Restore & Migrate
2.49 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
2.50 Anti-Malware Security and Brute-Force Firewall
2.51 Kubio AI Page Builder
2.52 LatePoint – Calendar Booking Plugin for Appointments and Events
2.53 Modula Image Gallery – Photo Grid & Video Gallery
2.54 Tutor LMS – eLearning and online course solution
2.55 Tutor LMS – eLearning and online course solution
2.56 Tutor LMS – eLearning and online course solution
2.57 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.58 Download Monitor
2.59 Email Encoder – Protect Email Addresses and Phone Numbers
2.60 Email Encoder – Protect Email Addresses and Phone Numbers
2.61 ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
2.62 Customer Reviews for WooCommerce
2.63 Customer Reviews for WooCommerce
2.64 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery
2.65 Jupiter X Core
2.66 Jupiter X Core
2.67 LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
2.68 OneSignal – Web Push Notifications
2.69 Germanized for WooCommerce
2.70 wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
2.71 Contextual Related Posts
2.72 Drag and Drop Multiple File Upload for Contact Form 7
2.73 Drag and Drop Multiple File Upload for Contact Form 7
2.74 User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2.75 Product Filter for WooCommerce by WBW
2.76 Product Filter for WooCommerce by WBW
2.77 WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
2.78 Advanced Product Fields (Product Addons) for WooCommerce
2.79 Categories Images
2.80 Better Find and Replace – AI-Powered Suggestions
2.81 YayMail – WooCommerce Email Customizer
2.82 BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor
2.83 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
2.84 Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
2.85 Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
2.86 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.87 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.88 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.89 Website LLMs.txt
2.90 Website LLMs.txt
2.91 WP YouTube Lyte
2.92 Social Slider Feed
2.93 Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts
2.94 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.95 Payment Gateway for Redsys & WooCommerce Lite
2.96 Payment Gateway for Redsys & WooCommerce Lite
2.97 wpForo Forum
2.98 wpForo Forum
2.99 wpForo Forum
2.100 WPZOOM Addons for Elementor – Starter Templates & Widgets
2.101 Content Blocks (Custom Post Widget)
2.102 WP Customer Area
2.103 Easy Appointments
2.104 Easy Appointments
2.105 EMC – Easily Embed Calendly Scheduling
2.106 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.107 MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.108 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
2.109 Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely
2.110 Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
2.111 WP Photo Album Plus
2.112 YML for Yandex Market
2.113 WCAPF – Ajax Product Filter for WooCommerce
2.114 AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
2.115 EventPrime – Events Calendar, Bookings and Tickets
2.116 ActivityPub
2.117 Nexi XPay
2.118 FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
2.119 Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
2.120 Booking Activities
2.121 Notification for Telegram
2.122 Responsive Blocks – Page Builder for Blocks & Patterns
2.123 WpStream – Live Streaming, Video on Demand, Pay Per View
2.124 Basic Google Maps Placemarks
2.125 Events Calendar for GeoDirectory
2.126 Image Source Control Lite – Show Image Credits and Captions
2.127 SpeakOut! Email Petitions
2.128 WP Directory Kit
2.129 Groundhogg — CRM, Newsletters, and Marketing Automation
2.130 Prismatic
2.131 Shipment Tracker for Woocommerce
2.132 MyRewards
2.133 Video Gallery – YouTube Gallery & Responsive Video Playlist
2.134 Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
2.135 Mini Ajax Cart for WooCommerce
2.136 WP Docs
2.137 DirectoryPress – Business Directory And Classified Ad Listing
2.138 InPost Gallery
2.139 bBlocks – Essential Gutenberg Blocks & Patterns Collection
2.140 WP Sessions Time Monitoring Full Automatic
2.141 List View Google Calendar
2.142 Webling
2.143 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
2.144 Flipbox Addon for Elementor
2.145 BuddyPress Groupblog
2.146 Age Verification & Identity Verification by Token of Trust
2.147 Ultra Addons for WPForms
2.148 Hostel
2.149 HAPPY – Helpdesk Support Ticket System
2.150 Surbma | Booking.com Shortcode
2.151 WholeSale Products Dynamic Pricing Management WooCommerce
2.152 Academy LMS Pro
2.153 Accordion and Accordion Slider
2.154 Album and Image Gallery plus Lightbox
2.155 Blog Designer – Post and Widget
2.156 Career Section
2.157 Countdown Timer Ultimate
2.158 Featured Post Creative
2.159 Fusion Builder
2.160 Fusion Builder
2.161 Gravity SMTP
2.162 Video gallery and Player
2.163 JetEngine
2.164 Client Portal (Pro)
2.165 Meta slider and carousel with lightbox
2.166 MetForm Pro
2.167 Popup Anything
2.168 Portfolio and Projects
2.169 Post grid and filter ultimate
2.170 WP responsive FAQ with category
2.171 WP News and Scrolling Widgets
2.172 WowShipping Pro
2.173 Post Ticker Ultimate
2.174 Timeline and History slider
2.175 User Registration Stripe
2.176 Userpro
2.177 Product Pricing Table by WooBeWoo
2.178 WooCommerce Product Filters
2.179 WP Blog and Widget
2.180 WP Featured Content and Slider
2.181 WP Logo Showcase Responsive Slider and Carousel
2.182 WP Responsive Recent Post Slider/Carousel
2.183 WP Slick Slider and Image Carousel
2.184 Team Slider and Team Grid Showcase plus Team Carousel
2.185 Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
2.186 Trending/Popular Post Slider and Widget
2.187 Royal Elementor Addons Pro

3. WordPress Themes — 28 Patched / 1 Unpatched

3.1 WebStack
3.2 Charity Zone
3.3 Ecommerce Zone
3.4 Kids Gift Shop
3.5 Kids Online Store
3.6 Restaurant Zone
3.7 Vantage
3.8 Webenvo
3.9 Ashtanga
3.10 Atomlab
3.11 Behold
3.12 ChapterOne
3.13 Château
3.14 EasyMeals
3.15 Eldon
3.16 Eleganzo
3.17 Elementra
3.18 Esmée
3.19 Laurits
3.20 Léonie
3.21 LuxeDrive
3.22 MagOne
3.23 Manufaktur Solutions
3.24 Reina
3.25 Roisin
3.26 ShiftUp
3.27 TechLink
3.28 Valeska
3.29 Zoya

WordPress Core

WordPress 6.9.4 is available, addressing 10 security issues and a template loading bug. Immediate updates are recommended for all production sites.

WordPress 7.0 is scheduled for release on April 9, 2026.

WordPress Plugins — 113 Patched / 90 Unpatched

Plugin:: WPCargo Track & Trace
Plugin Slug:: wpcargo
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25401

Plugin:: MimeTypes Link Icons
Plugin Slug:: mimetypes-link-icons
Installations: 8,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1313

Plugin:: Coinbase Commerce – Crypto Gateway for WooCommerce
Plugin Slug:: commerce-coinbase-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25396

Plugin:: SurveyJS: Drag & Drop Form Builder
Plugin Slug:: surveyjs
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2440

Plugin:: File Uploader for WooCommerce
Plugin Slug:: file-uploader-for-woocommerce
Installations: 100+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25397

Plugin:: Any Post Slider
Plugin Slug:: any-post-slider
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1899

Plugin:: FuseDesk
Plugin Slug:: fusedesk
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1914

Plugin:: WPFAQBlock– FAQ & Accordion Plugin For Gutenberg
Plugin Slug:: wpfaqblock
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1093

Plugin:: Ad Short
Plugin Slug:: ad-short
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4067

Plugin:: Add Google Social Profiles to Knowledge Graph Box
Plugin Slug:: add-google-social-profiles-to-knowledge-graph-box
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1393

Plugin:: Alfie
Plugin Slug:: alfie-the-productfeedtool-wp-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4069

Plugin:: App Builder
Plugin Slug:: app-builder
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2375

Plugin:: Reward Video Ad for WordPress
Plugin Slug:: applixir
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2424

Plugin:: Appmax
Plugin Slug:: appmax
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3641

Plugin:: ARForms Form Builder
Plugin Slug:: arforms-form-builder
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13785

Plugin:: Build App Online
Plugin Slug:: build-app-online
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3651

Plugin:: Canto
Plugin Slug:: canto
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3335

Plugin:: CMS Commander
Plugin Slug:: cms-commander-client
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3334

Plugin:: Comment Genius
Plugin Slug:: comment-genius
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1647

Plugin:: Comment SPAM Wiper
Plugin Slug:: comment-spam-wiper
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3353

Plugin:: Company Posts for LinkedIn
Plugin Slug:: company-posts-for-linkedin
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1935

Plugin:: Content Syndication Toolkit
Plugin Slug:: content-syndication-toolkit
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3478

Plugin:: e-shot
Plugin Slug:: e-shot-form-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3546

Plugin:: Easy Image Gallery
Plugin Slug:: easy-image-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4766

Plugin:: Ecover Builder For Dummies
Plugin Slug:: ecover-builder-for-dummies
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4077

Plugin:: Ed’s Font Awesome
Plugin Slug:: eds-font-awesome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2496

Plugin:: Ed’s Social Share
Plugin Slug:: eds-social-share
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2501

Plugin:: ElementCamp
Plugin Slug:: element-camp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2503

Plugin:: Expire Users
Plugin Slug:: expire-users
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4261

Plugin:: Fonts Manager | Custom Fonts
Plugin Slug:: fonts-manager-custom-fonts
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-1800

Plugin:: fyyd podcast shortcodes
Plugin Slug:: fyyd-podcast-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4084

Plugin:: Go Night Pro
Plugin Slug:: go-night-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1886

Plugin:: Hr Press Lite
Plugin Slug:: hr-press-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2720

Plugin:: Integration with Hubspot Forms
Plugin Slug:: integration-with-hubspot-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1908

Plugin:: Invelity Product Feeds
Plugin Slug:: invelity-products-feeds
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14037

Plugin:: itsukaita
Plugin Slug:: itsukaita
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2427

Plugin:: iVysilani Shortcode
Plugin Slug:: ivysilani-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1851

Plugin:: Linksy Search and Replace
Plugin Slug:: linksy-search-and-replace
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2941

Plugin:: Lobot Slider Administrator
Plugin Slug:: lobot-slider-administrator
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3331

Plugin:: login_register
Plugin Slug:: login-register
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1503

Plugin:: Mandatory Field
Plugin Slug:: mandatory-fields
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1278

Plugin:: MinhNhut Link Gateway
Plugin Slug:: minhnhut-link-gateway
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3333

Plugin:: Multi Functional Flexi Lightbox
Plugin Slug:: multi-functional-flexi-lightbox
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3347

Plugin:: Multi Post Carousel by Category
Plugin Slug:: multi-post-carousel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1275

Plugin:: myLinksDump
Plugin Slug:: mylinksdump
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2279

Plugin:: Neos Connector for Fakturama
Plugin Slug:: neos-connector-for-fakturama
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4143

Plugin:: Outgrow
Plugin Slug:: outgrow
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1889

Plugin:: Paypal Shortcodes
Plugin Slug:: paypal-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3617

Plugin:: PQ Addons – Creative Elementor Widgets
Plugin Slug:: peacefulqode-elementzplus-widgets
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1397

Plugin:: Performance Monitor
Plugin Slug:: performance-monitor
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-1648

Plugin:: Post Flagger
Plugin Slug:: post-flagger
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1854

Plugin:: Post Snippits
Plugin Slug:: post-snippits
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2723

Plugin:: Post Affiliate Pro
Plugin Slug:: postaffiliatepro
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2290

Plugin:: Pre* Party Resource Hints
Plugin Slug:: pre-party-browser-hints
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-4087

Plugin:: Punnel – Landing Page Builder
Plugin Slug:: punnel-landing-page-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3645

Plugin:: Quentn WP
Plugin Slug:: quentn-wp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-2468

Plugin:: Redirect countdown
Plugin Slug:: redirect-countdown
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1390

Plugin:: REST API TO MiniProgram
Plugin Slug:: rest-api-to-miniprogram
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3460

Plugin:: Review Map by RevuKangaroo
Plugin Slug:: review-map-by-revukangaroo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4161

Plugin:: rexCrawler
Plugin Slug:: rexcrawler
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-2277

Plugin:: Ricerca – advanced search
Plugin Slug:: ricerca-smart-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2837

Plugin:: Schema Shortcode
Plugin Slug:: schema-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1575

Plugin:: Sheets2Table
Plugin Slug:: sheets2table
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3619

Plugin:: Sherk Custom Post Type Displays
Plugin Slug:: sherk-custom-post-type-displays
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3554

Plugin:: Weaver Show Posts
Plugin Slug:: show-posts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2121

Plugin:: Show Posts list
Plugin Slug:: show-posts-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4022

Plugin:: Simple Football Scoreboard
Plugin Slug:: simple-football-score-board
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1891

Plugin:: Smarter Analytics
Plugin Slug:: smarter-analytics
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3570

Plugin:: Speedup Optimization
Plugin Slug:: speedup-optimization
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4127

Plugin:: SR WP Minify HTML
Plugin Slug:: sr-wp-minify-html
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1392

Plugin:: Survey
Plugin Slug:: survey
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1247

Plugin:: Task Manager
Plugin Slug:: task-manager
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-2351

Plugin:: Task Manager
Plugin Slug:: task-manager
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4004

Plugin:: Text Toggle
Plugin Slug:: text-toggle
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3997

Plugin:: Tour & Activity Operator Plugin for TourCMS
Plugin Slug:: tour-operator-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1806

Plugin:: Tutor LMS Pro
Plugin Slug:: tutor-pro
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25406

Plugin:: Twitter Feeds
Plugin Slug:: twitter-feeds
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1911

Plugin:: Shortcodes Blocks Creator Ultimate
Plugin Slug:: ultimate-shortcodes-creator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12166

Plugin:: Shortcodes Blocks Creator Ultimate
Plugin Slug:: ultimate-shortcodes-creator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12167

Plugin:: Vagaro Booking Widget
Plugin Slug:: vagaro-booking-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-3003

Plugin:: Wikilookup
Plugin Slug:: wikilookup
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3354

Plugin:: WordPress PayPal Donation
Plugin Slug:: wordpress-paypal-donation
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4072

Plugin:: WP Games Embed
Plugin Slug:: wp-games-embed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3996

Plugin:: WP NG Weather
Plugin Slug:: wp-ng-weather
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1822

Plugin:: WP Posts Re-order
Plugin Slug:: wp-posts-re-order
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-1378

Plugin:: WP Random Button
Plugin Slug:: wp-random-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-4086

Plugin:: WP-WebAuthn
Plugin Slug:: wp-webauthn
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13910

Plugin:: WPBookit Pro
Plugin Slug:: wpbookit-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2026-25413

Plugin:: WPBookit Pro
Plugin Slug:: wpbookit-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25414

Plugin:: Xhanch – My Advanced Settings
Plugin Slug:: xhanch-my-advanced-settings
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2026-3332

Plugin:: Elementor Website Builder – more than just a page builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.35.8
Severity Score:: Medium
CVE:: 2026-1206

Plugin:: Yoast SEO – Advanced SEO with real-time guidance and built-in AI
Plugin Slug:: wordpress-seo
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 27.2
Severity Score:: Medium
CVE:: 2026-3427

Plugin:: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Plugin Slug:: wpforms-lite
Installations: 6,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.9.9.2
Severity Score:: Medium
CVE:: 2026-25339

Plugin:: Complianz – GDPR/CCPA Cookie Consent
Plugin Slug:: complianz-gdpr
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.5
Severity Score:: Medium
CVE:: 2026-2389

Plugin:: Smart Slider 3
Plugin Slug:: smart-slider-3
Installations: 800,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.5.1.34
Severity Score:: Medium
CVE:: 2026-3098

Plugin:: Ninja Forms – The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 600,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.14.2
Severity Score:: Medium
CVE:: 2026-1307

Plugin:: SureForms – Contact Form, Payment Form & Other Custom Form Builder
Plugin Slug:: sureforms
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.0
Severity Score:: High
CVE:: 2026-4987

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 400,000+
Vulnerability:: Content Injection
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2026-2442

Plugin:: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
Plugin Slug:: shortpixel-image-optimiser
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.4
Severity Score:: Medium
CVE:: 2026-4335

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.11.3
Severity Score:: High
CVE:: 2026-4248

Plugin:: LatePoint – Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.2.7
Severity Score:: Medium
CVE:: 2026-32533

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: Broken Authentication
Patched in Version:: 9.2
Severity Score:: High
CVE:: 2026-2931

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.1.8
Severity Score:: Medium
CVE:: 2026-3124

Plugin:: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 90,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.5.6.3
Severity Score:: High
CVE:: 2026-4373

Plugin:: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 90,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.5.6.2
Severity Score:: Critical
CVE:: 2026-32525

Plugin:: Import and export users and customers
Plugin Slug:: import-users-from-csv-with-meta
Installations: 80,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0
Severity Score:: High
CVE:: 2026-3629

Plugin:: Jupiter X Core
Plugin Slug:: jupiterx-core
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.14.2
Severity Score:: High
CVE:: 2026-3533

Plugin:: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Medium
CVE:: 2026-3225

Plugin:: Conditional Menus
Plugin Slug:: conditional-menus
Installations: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2026-1032

Plugin:: Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts
Plugin Slug:: insert-php
Installations: 60,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.7.2
Severity Score:: Critical
CVE:: 2026-25366

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.5
Severity Score:: Medium
CVE:: 2026-4056

Plugin:: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 5.1.3
Severity Score:: High
CVE:: 2026-32488

Plugin:: Product Filter for WooCommerce by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.3
Severity Score:: Medium
CVE:: 2026-3138

Plugin:: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Plugin Slug:: wp-google-map-plugin
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.2
Severity Score:: Critical
CVE:: 2026-2580

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.8.3
Severity Score:: Medium
CVE:: 2026-4331

Plugin:: Sina Extension for Elementor
Plugin Slug:: sina-extension-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.1
Severity Score:: Medium
CVE:: 2025-6229

Plugin:: Smart Custom Fields
Plugin Slug:: smart-custom-fields
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.7
Severity Score:: Medium
CVE:: 2026-4066

Plugin:: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: SQL Injection
Patched in Version:: 11.0.0
Severity Score:: High
CVE:: 2026-2412

Plugin:: Mixed Media Gallery Blocks
Plugin Slug:: simply-gallery-block
Installations: 40,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.3.2.1
Severity Score:: Critical
CVE:: 2026-25345

Plugin:: Blackhole for Bad Bots
Plugin Slug:: blackhole-bad-bots
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8.1
Severity Score:: High
CVE:: 2026-4329

Plugin:: LeadConnector
Plugin Slug:: leadconnector
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.22
Severity Score:: Medium
CVE:: 2026-1890

Plugin:: PPWP – Password Protect Pages
Plugin Slug:: password-protect-page
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.16
Severity Score:: Medium
CVE:: 2026-32562

Plugin:: WPGraphQL
Plugin Slug:: wp-graphql
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.10
Severity Score:: Medium
CVE:: 2026-33290

Plugin:: WP Lightbox 2
Plugin Slug:: wp-lightbox-2
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.7
Severity Score:: Medium
CVE:: 2026-1430

Plugin:: Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution
Plugin Slug:: fluent-booking
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.05
Severity Score:: High
CVE:: 2026-2231

Plugin:: Ibtana – WordPress Website Builder
Plugin Slug:: ibtana-visual-editor
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.5.8
Severity Score:: Medium
CVE:: 2026-1834

Plugin:: Quads Ads Manager for Google AdSense
Plugin Slug:: quick-adsense-reloaded
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.99
Severity Score:: Medium
CVE:: 2026-2595

Plugin:: Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio
Plugin Slug:: twentig
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0
Severity Score:: Medium
CVE:: 2026-2602

Plugin:: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Plugin Slug:: wp-user-frontend
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.9
Severity Score:: High
CVE:: 2026-32485

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.28.32
Severity Score:: High
CVE:: 2026-3328

Plugin:: Kali Forms — Contact Form & Drag-and-Drop Builder
Plugin Slug:: kali-forms
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.4.10
Severity Score:: Critical
CVE:: 2026-3584

Plugin:: King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder
Plugin Slug:: king-addons
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 51.1.51
Severity Score:: Medium
CVE:: 2025-13997

Plugin:: Lead Form Builder & Contact Form
Plugin Slug:: lead-form-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: High
CVE:: 2026-32532

Plugin:: Responsive Plus – Elementor Templates & Starter Sites
Plugin Slug:: responsive-add-ons
Installations: 10,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.4.3
Severity Score:: Medium
CVE:: 2025-15488

Plugin:: Five Star Restaurant Reservations – WordPress Booking Plugin
Plugin Slug:: restaurant-reservations
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.10
Severity Score:: Medium
CVE:: 2026-25327

Plugin:: Review Schema – Review & Structure Data Schema Plugin
Plugin Slug:: review-schema
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2026-25344

Plugin:: WP DSGVO Tools (GDPR)
Plugin Slug:: shapepress-dsgvo
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.39
Severity Score:: Critical
CVE:: 2026-4283

Plugin:: Team – Team Members Showcase Plugin
Plugin Slug:: tlp-team
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.12
Severity Score:: High
CVE:: 2026-25026

Plugin:: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.27
Severity Score:: High
CVE:: 2026-32484

Plugin:: WP REST Cache
Plugin Slug:: wp-rest-cache
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2026.1.1
Severity Score:: High
CVE:: 2026-25347

Plugin:: YML for Yandex Market
Plugin Slug:: yml-for-yandex-market
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2026-32567

Plugin:: Contact Form Email
Plugin Slug:: contact-form-to-email
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.64
Severity Score:: Medium
CVE:: 2026-32483

Plugin:: ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-10734

Plugin:: ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.3.0
Severity Score:: High
CVE:: 2025-10679

Plugin:: ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-10731

Plugin:: ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
Plugin Slug:: reviewx
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.12
Severity Score:: Medium
CVE:: 2025-10736

Plugin:: WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 8,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.5.0
Severity Score:: High
CVE:: 2026-4758

Plugin:: WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.4.9
Severity Score:: Critical
CVE:: 2026-4306

Plugin:: WP TripAdvisor Review Slider
Plugin Slug:: wp-tripadvisor-review-slider
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.2
Severity Score:: Medium
CVE:: 2026-32490

Plugin:: JS Help Desk – AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.0.5
Severity Score:: Critical
CVE:: 2026-2511

Plugin:: JS Help Desk – AI-Powered Support & Ticketing System
Plugin Slug:: js-support-ticket
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.0.4
Severity Score:: Medium
CVE:: 2026-32535

Plugin:: WP Review Slider
Plugin Slug:: wp-facebook-reviews
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.0
Severity Score:: Medium
CVE:: 2026-32491

Plugin:: OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)
Plugin Slug:: oopspam-anti-spam
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.63
Severity Score:: High
CVE:: 2026-32544

Plugin:: PeproDev Ultimate Invoice
Plugin Slug:: pepro-ultimate-invoice
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.6
Severity Score:: Medium
CVE:: 2026-2343

Plugin:: ProfileGrid – User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.8.2
Severity Score:: Medium
CVE:: 2026-25417

Plugin:: Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization
Plugin Slug:: nelio-ab-testing
Installations: 5,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 8.2.8
Severity Score:: Critical
CVE:: 2026-32573

Plugin:: User Verification by PickPlugins
Plugin Slug:: user-verification
Installations: 5,000+
Vulnerability:: Broken Authentication
Patched in Version:: 2.0.46
Severity Score:: Medium
CVE:: 2026-32497

Plugin:: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 4,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.1.7
Severity Score:: High
CVE:: 2026-4484

Plugin:: RSFirewall!
Plugin Slug:: rsfirewall
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.46
Severity Score:: High
CVE:: 2026-25341

Plugin:: Shared Files – Frontend File Upload Form & Secure File Sharing
Plugin Slug:: shared-files
Installations: 4,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.7.58
Severity Score:: Medium
CVE:: 2025-15433

Plugin:: WP Telegram Widget and Join Link
Plugin Slug:: wptelegram-widget
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.14
Severity Score:: High
CVE:: 2026-23807

Plugin:: ElementInvader Addons for Elementor
Plugin Slug:: elementinvader-addons-for-elementor
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2026-25007

Plugin:: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: High
CVE:: 2026-25383

Plugin:: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2026-25034

Plugin:: Simple Download Counter
Plugin Slug:: simple-download-counter
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.1
Severity Score:: Medium
CVE:: 2026-4278

Plugin:: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Plugin Slug:: booking-and-rental-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2026-23972

Plugin:: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 28.1.6
Severity Score:: High
CVE:: 2026-4021

Plugin:: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 28.1.3
Severity Score:: Critical
CVE:: 2026-25035

Plugin:: Injection Guard
Plugin Slug:: injection-guard
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: High
CVE:: 2026-3368

Plugin:: WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation
Plugin Slug:: optin
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.4.30
Severity Score:: High
CVE:: 2026-4302

Plugin:: bBlocks – Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.30
Severity Score:: Medium
CVE:: 2026-32489

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 700+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.2.5
Severity Score:: High
CVE:: 2026-4314

Plugin:: Truebooker – Appointment Booking and Scheduler System
Plugin Slug:: truebooker-appointment-booking
Installations: 600+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2026-1797

Plugin:: VikRestaurants Table Reservations and Take-Away
Plugin Slug:: vikrestaurants
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: High
CVE:: 2026-25025

Plugin:: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.27
Severity Score:: Medium
CVE:: 2026-31914

Plugin:: Vertex Addons for Elementor
Plugin Slug:: addons-for-elementor-builder
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.0
Severity Score:: Medium
CVE:: 2026-25398

Plugin:: FormLift for Infusionsoft Web Forms
Plugin Slug:: formlift
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 7.5.22
Severity Score:: Medium
CVE:: 2026-4281

Plugin:: Helpdesk Support Ticket System for WooCommerce
Plugin Slug:: support-ticket-system-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2026-23977

Plugin:: Contact Manager
Plugin Slug:: contact-manager
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.1.1
Severity Score:: High
CVE:: 2026-32517

Plugin:: DSGVO snippet for Leaflet Map and its Extensions
Plugin Slug:: dsgvo-leaflet-map
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4
Severity Score:: Medium
CVE:: 2026-4389

Plugin:: Video & Photo Gallery for Ultimate Member
Plugin Slug:: gallery-for-ultimate-member
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.2
Severity Score:: High
CVE:: 2024-12162

Plugin:: Product File Upload for WooCommerce
Plugin Slug:: products-file-upload-for-woocommerce
Installations: 100+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2026-25328

Plugin:: Filestack WP Upload
Plugin Slug:: filestack-upload
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2024-11462

Plugin:: Debugger & Troubleshooter
Plugin Slug:: debugger-troubleshooter
Installations: 40+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.4.0
Severity Score:: Critical
CVE:: 2026-5130

Plugin:: BWL Advanced FAQ Manager Lite
Plugin Slug:: bwl-advanced-faq-manager-lite
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.2
Severity Score:: Medium
CVE:: 2026-4075

Plugin:: QC SEO Help for llms.txt, AI Analytics, AI Content Writer, Subtitle to Article
Plugin Slug:: seo-help
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.4
Severity Score:: High
CVE:: 2024-12156

Plugin:: FloristPress for Woo – Customize your eCommerce store for your Florist
Plugin Slug:: bakkbone-florist-companion
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.8.3
Severity Score:: High
CVE:: 2026-1986

Plugin:: WP Cost Estimation & Payment Forms Builder
Plugin Slug:: WP_Estimation_Form
Vulnerability:: Broken Access Control
Patched in Version:: 10.3.0
Severity Score:: High
CVE:: 2026-24363

Plugin:: Addon Jobsearch Chat
Plugin Slug:: addon-jobsearch-chat
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2026-25376

Plugin:: Addon Jobsearch Chat
Plugin Slug:: addon-jobsearch-chat
Vulnerability:: SQL Injection
Patched in Version:: 3.1
Severity Score:: Critical
CVE:: 2026-25377

Plugin:: Gyan Elements
Plugin Slug:: gyan-elements
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: High
CVE:: 2026-23979

Plugin:: Ultimate Membership Pro
Plugin Slug:: indeed-membership-pro
Vulnerability:: Broken Authentication
Patched in Version:: 13.7.1
Severity Score:: High
CVE:: 2026-25357

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: SQL Injection
Patched in Version:: 3.8.6.2
Severity Score:: Critical
CVE:: 2026-4662

Plugin:: NaturaLife Extensions
Plugin Slug:: naturalife-extensions
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-25018

Plugin:: NaturaLife Extensions
Plugin Slug:: naturalife-extensions
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2026-25017

Plugin:: Salon Booking System Pro
Plugin Slug:: salon-booking-plugin-pro
Vulnerability:: Broken Authentication
Patched in Version:: 10.30.12
Severity Score:: High
CVE:: 2026-25334

Plugin:: LearnDash LMS
Plugin Slug:: sfwd-lms
Vulnerability:: SQL Injection
Patched in Version:: 5.0.3.1
Severity Score:: High
CVE:: 2026-3079

Plugin:: The Grid
Plugin Slug:: the-grid
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.0
Severity Score:: High
CVE:: 2026-24369

Plugin:: The Grid
Plugin Slug:: the-grid
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.0
Severity Score:: Medium
CVE:: 2026-24370

Plugin:: ThemeREX Addons
Plugin Slug:: trx_addons
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.38.5
Severity Score:: Critical
CVE:: 2026-1969

Plugin:: Woocommerce Custom Product Addons Pro
Plugin Slug:: woo-custom-product-addons-pro
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.4.2
Severity Score:: Critical
CVE:: 2026-4001

Plugin:: WP Configurator Pro
Plugin Slug:: wp-configurator-pro
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.0
Severity Score:: High
CVE:: 2026-32501

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.2
Severity Score:: High
CVE:: 2026-32493

WordPress Themes — 21 Patched / 1 Unpatched

Theme:: Apicona
Theme Slug:: apicona
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2026-25400

Theme:: Ona
Theme Slug:: ona
Downloads: 244,053
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.24
Severity Score:: Critical
CVE:: 2026-32482

Theme:: Archicon
Theme Slug:: archicon
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2026-32506

Theme:: Borgholm
Theme Slug:: borgholm-marketing-agency-theme
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6
Severity Score:: Critical
CVE:: 2026-32502

Theme:: Car Dealer
Theme Slug:: cardealer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.8
Severity Score:: High
CVE:: 2026-24391

Theme:: Gaea
Theme Slug:: gaea
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.8
Severity Score:: High
CVE:: 2026-32518

Theme:: Goldish
Theme Slug:: goldish
Vulnerability:: PHP Object Injection
Patched in Version:: 3.47
Severity Score:: Critical
CVE:: 2026-25030

Theme:: Golo
Theme Slug:: golo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.5
Severity Score:: High
CVE:: 2026-23973

Theme:: Gracey
Theme Slug:: gracey
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2026-32509

Theme:: Halstein
Theme Slug:: halstein
Vulnerability:: PHP Object Injection
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2026-32508

Theme:: Kamperen
Theme Slug:: kamperen
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2026-32510

Theme:: KIDZ
Theme Slug:: kidz
Vulnerability:: PHP Object Injection
Patched in Version:: 5.25
Severity Score:: Critical
CVE:: 2026-25029

Theme:: Boutique
Theme Slug:: kute-boutique
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.6
Severity Score:: High
CVE:: 2026-25342

Theme:: Leroux
Theme Slug:: leroux
Vulnerability:: PHP Object Injection
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2026-32507

Theme:: Meloo
Theme Slug:: meloo
Vulnerability:: PHP Object Injection
Patched in Version:: 2.8.2
Severity Score:: High
CVE:: 2026-25358

Theme:: Jobmonster
Theme Slug:: noo-jobmonster
Vulnerability:: SQL Injection
Patched in Version:: 4.8.4
Severity Score:: Critical
CVE:: 2026-25340

Theme:: Ricky
Theme Slug:: ricky
Vulnerability:: PHP Object Injection
Patched in Version:: 2.31
Severity Score:: Critical
CVE:: 2026-25032

Theme:: Sanzo
Theme Slug:: sanzo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.3
Severity Score:: Medium
CVE:: 2026-25355

Theme:: Stål
Theme Slug:: stal
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7
Severity Score:: Medium
CVE:: 2026-32511

Theme:: Tasty Daily
Theme Slug:: tastydaily
Vulnerability:: PHP Object Injection
Patched in Version:: 1.27
Severity Score:: Critical
CVE:: 2026-25031

Theme:: Vayvo
Theme Slug:: vayvo-progression
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.8
Severity Score:: High
CVE:: 2026-25373

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: PHP Object Injection
Patched in Version:: 8.3.9
Severity Score:: High
CVE:: 2026-23971

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Get Solid Security

The post WordPress Vulnerability Report — April 1, 2026 appeared first on SolidWP.

SolidWP

WordPress Vulnerability Report — April 22, 2026

Table of Contents

WordPress Core

WordPress Plugins — 159 Patched / 28 Unpatched