Vulnerability Report

WordPress Vulnerability Report: July 5 – July 12, 2026

199 WordPress vulnerabilities disclosed between July 5 – July 12, 2026. 13 critical, 60 high severity. 3 patched, 196 unpatched.

WPSentryJuly 12, 202645 min read

During the reporting period (July 5 – July 12, 2026), 199 WordPress security vulnerabilities were disclosed across plugins, themes, and core. This report aggregates data from the NIST National Vulnerability Database, Wordfence Intelligence, and our own scanning database.

Summary

199
Total
13
Critical
60
High
126
Medium
0
Low
3
Patched
Table of Contents 204 plugins & components

WordPress Plugin Vulnerabilities (197)

FileOrganizer

critical
Vulnerability
FileOrganizer — CVE-2026-6382
Severity
critical Critical risk
Affected Versions
<=1.1.9
CVE Reference
Patch Status
No patch
Source
NVD

uncanny-automator-pro

critical
Vulnerability
uncanny-automator-pro — CVE-2026-12375
Severity
critical Critical risk
Affected Versions
<=7.3.0.6
CVE Reference
Patch Status
No patch
Source
NVD

WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell

critical
Vulnerability
WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell — Remote Code Execution
Severity
critical Critical risk
Affected Versions
<=3.12.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DoLeads Integrator

critical
Vulnerability
DoLeads Integrator — CVE-2026-4375
Severity
critical Critical risk
Affected Versions
<=0.65
CVE Reference
Patch Status
No patch
Source
NVD

Simple Coherent Form

critical
Vulnerability
Simple Coherent Form — Arbitrary file deletion
Severity
critical Critical risk
Affected Versions
<=2.4.13
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Eventer

critical
Vulnerability
Eventer — An insecure password reset mechanism
Severity
critical Critical risk
Affected Versions
<=4.4.2
CVE Reference
Patch Status
No patch
Source
NVD

WP Learn Manager

critical
Vulnerability
WP Learn Manager — Authorization bypass
Severity
critical Critical risk
Affected Versions
<=1.1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

miniOrange OTP Login, Verification and SMS Notifications

critical
Vulnerability
miniOrange OTP Login, Verification and SMS Notifications — Authentication Bypass leading to Administrator Account Takeover
Severity
critical Critical risk
Affected Versions
<=5.5.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Blocksy Companion

critical
Vulnerability
Blocksy Companion — Arbitrary File Upload
Severity
critical Critical risk
Affected Versions
<=2.1.46
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Super Forms – Drag & Drop Form Builder

critical
Vulnerability
Super Forms – Drag & Drop Form Builder — Arbitrary File Upload
Severity
critical Critical risk
Affected Versions
<=6.3.313
CVE Reference
Patch Status
No patch
Source
NVD

Instant Appointment

critical
Vulnerability
Instant Appointment — Arbitrary file uploads
Severity
critical Critical risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GEO my WP

critical
Vulnerability
GEO my WP — SQL Injection
Severity
critical Critical risk
Affected Versions
<=4.5.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)

critical
Vulnerability
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) — Authentication bypass leading to account takeover
Severity
critical Critical risk
Affected Versions
<=7.7.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Notifications for Forms & WordPress Actions

high
Vulnerability
Notifications for Forms & WordPress Actions — Validate a user-supplied value before using it to build a server-side file inclusion path
Severity
high High risk
Affected Versions
<=2.6
CVE Reference
Patch Status
No patch
Source
NVD

AllCoach

high
Vulnerability
AllCoach — Verify that an email address submitted to a public account-registration endpoint is not already asso
Severity
high High risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD

Ultimate Member

high
Vulnerability
Ultimate Member — Properly sanitise and escape the value of custom textarea profile fields before outputting it on use
Severity
high High risk
Affected Versions
<=2.12.0
CVE Reference
Patch Status
No patch
Source
NVD

Simple Membership

high
Vulnerability
Simple Membership — Verify the authenticity of Stripe webhook requests when no signing secret is configured
Severity
high High risk
Affected Versions
<=4.7.5
CVE Reference
Patch Status
No patch
Source
NVD

FileOrganizer

high
Vulnerability
FileOrganizer — Validate the file type on several of its file-management operations
Severity
high High risk
Affected Versions
<=1.2.0
CVE Reference
Patch Status
No patch
Source
NVD

Admin and Site Enhancements (ASE)

high
Vulnerability
Admin and Site Enhancements (ASE) — Perform authentication
Severity
high High risk
Affected Versions
<=8.8.4
CVE Reference
Patch Status
No patch
Source
NVD

Frontend File Manager Plugin

high
Vulnerability
Frontend File Manager Plugin — Validate a file path derived from user input before deleting the referenced file
Severity
high High risk
Affected Versions
<=23.6
CVE Reference
Patch Status
No patch
Source
NVD

AMP for WP – Accelerated Mobile Pages

high
Vulnerability
AMP for WP – Accelerated Mobile Pages — Arbitrary File Write
Severity
high High risk
Affected Versions
<=1.1.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Widget Logic Visual

high
Vulnerability
Widget Logic Visual — Remote Code Execution
Severity
high High risk
Affected Versions
<=1.52
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Jssor Slider by jssor.com

high
Vulnerability
Jssor Slider by jssor.com — Directory Traversal
Severity
high High risk
Affected Versions
<=3.1.24
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

多说社会化评论框

high
Vulnerability
多说社会化评论框 — Privilege Escalation
Severity
high High risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Backstage - Customizer Demo Access

high
Vulnerability
Backstage - Customizer Demo Access — Privilege Escalation
Severity
high High risk
Affected Versions
<=1.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WHMCS Bridge

high
Vulnerability
WHMCS Bridge — Arbitrary file uploads
Severity
high High risk
Affected Versions
<=6.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DoLogin Security

high
Vulnerability
DoLogin Security — Authentication Bypass
Severity
high High risk
Affected Versions
<=4.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Eventer

high
Vulnerability
Eventer — Time-based SQL Injection
Severity
high High risk
Affected Versions
<=4.4.2
CVE Reference
Patch Status
No patch
Source
NVD

Appointment Booking Calendar Plugin and Scheduling Plugin

high
Vulnerability
Appointment Booking Calendar Plugin and Scheduling Plugin — Validate data before passing it to a PHP deserialization function
Severity
high High risk
Affected Versions
<=1.1.28
CVE Reference
Patch Status
No patch
Source
NVD

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

high
Vulnerability
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace — Insecure Direct Object Reference
Severity
high High risk
Affected Versions
<=2.11.10
CVE Reference
Patch Status
No patch
Source
NVD

Tainacan

high
Vulnerability
Tainacan — Time-based blind SQL Injection
Severity
high High risk
Affected Versions
<=1.0.3
CVE Reference
Patch Status
No patch
Source
NVD

VikBooking Hotel Booking Engine & PMS

high
Vulnerability
VikBooking Hotel Booking Engine & PMS — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.8.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

My Calendar – Accessible Event Manager

high
Vulnerability
My Calendar – Accessible Event Manager — Time-based blind SQL Injection
Severity
high High risk
Affected Versions
<=3.7.8
CVE Reference
Patch Status
No patch
Source
NVD

LatePoint – Calendar Booking Plugin for Appointments and Events

high
Vulnerability
LatePoint – Calendar Booking Plugin for Appointments and Events — Improper Input Validation
Severity
high High risk
Affected Versions
<=5.4.0
CVE Reference
Patch Status
No patch
Source
NVD

VikBooking Hotel Booking Engine & PMS

high
Vulnerability
VikBooking Hotel Booking Engine & PMS — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.8.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Divi Form Builder

high
Vulnerability
Divi Form Builder — Missing Authorization
Severity
high High risk
Affected Versions
<=5.1.8
CVE Reference
Patch Status
No patch
Source
NVD

Everest Forms

high
Vulnerability
Everest Forms — Reliably delete temporary CSV files generated during email-notification processing and leaves them p
Severity
high High risk
Affected Versions
<=3.5.0
CVE Reference
Patch Status
No patch
Source
NVD

Connect Contact Form 7 and Mailchimp

high
Vulnerability
Connect Contact Form 7 and Mailchimp — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=0.9.78.06
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder

high
Vulnerability
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder — Authorization bypass
Severity
high High risk
Affected Versions
<=1.22.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

EventPrime – Events Calendar, Bookings and Tickets

high
Vulnerability
EventPrime – Events Calendar, Bookings and Tickets — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=4.3.4.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder

high
Vulnerability
Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder — Arbitrary file deletion
Severity
high High risk
Affected Versions
<=3.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme

high
Vulnerability
Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme — Cross-Site Request Forgery
Severity
high High risk
Affected Versions
<=4.2.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Cost Estimation & Payment Forms Builder (E&P Forms)

high
Vulnerability
WP Cost Estimation & Payment Forms Builder (E&P Forms) — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=10.5.97
CVE Reference
Patch Status
No patch
Source
NVD

UsersWP

high
Vulnerability
UsersWP — Arbitrary File Deletion
Severity
high High risk
Affected Versions
<=1.2.65
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LoginPress Pro

high
Vulnerability
LoginPress Pro — Authentication Bypass
Severity
high High risk
Affected Versions
<=6.2.3
CVE Reference
Patch Status
No patch
Source
NVD

LoginPress Pro

high
Vulnerability
LoginPress Pro — Authentication Bypass
Severity
high High risk
Affected Versions
<=6.2.3
CVE Reference
Patch Status
No patch
Source
NVD

LoginPress Pro

high
Vulnerability
LoginPress Pro — Authentication bypass
Severity
high High risk
Affected Versions
<=6.2.3
CVE Reference
Patch Status
No patch
Source
NVD

Post Export Import with Media

high
Vulnerability
Post Export Import with Media — Arbitrary File Upload
Severity
high High risk
Affected Versions
<=1.13.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Salon Booking System – Free Version

high
Vulnerability
Salon Booking System – Free Version — Cross-Site Request Forgery
Severity
high High risk
Affected Versions
<=10.30.32
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SureForms – Drag and Drop Form Builder for WordPress

high
Vulnerability
SureForms – Drag and Drop Form Builder for WordPress — Improper Input Validation
Severity
high High risk
Affected Versions
<=2.2.1
CVE Reference
Patch Status
No patch
Source
NVD

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

high
Vulnerability
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin — Blind SQL Injection
Severity
high High risk
Affected Versions
<=2.10.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Chat Help – Click to Chat Button & Form

high
Vulnerability
Chat Help – Click to Chat Button & Form — Sensitive Information Exposure
Severity
high High risk
Affected Versions
<=3.1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Business Intelligence Lite

high
Vulnerability
WP Business Intelligence Lite — Authorization bypass
Severity
high High risk
Affected Versions
<=3.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

TelSender

high
Vulnerability
TelSender — DOM-Based Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.14.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Hide My WP Lite

high
Vulnerability
Hide My WP Lite — Arbitrary File Read
Severity
high High risk
Affected Versions
<=1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SEO Plugin by Squirrly SEO

high
Vulnerability
SEO Plugin by Squirrly SEO — Arbitrary Post Creation and Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=14.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Grid Builder

high
Vulnerability
WP Grid Builder — Privilege Escalation
Severity
high High risk
Affected Versions
<=2.3.3
CVE Reference
Patch Status
No patch
Source
NVD

Motors – Car Dealership & Classified Listings Plugin

high
Vulnerability
Motors – Car Dealership & Classified Listings Plugin — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.4.112
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel

high
Vulnerability
WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel — Remote Code Execution
Severity
high High risk
Affected Versions
<=8.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LA-Studio Element Kit for Elementor

high
Vulnerability
LA-Studio Element Kit for Elementor — Local File Inclusion
Severity
high High risk
Affected Versions
<=1.6.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Simple JWT Login – Allows you to use JWT on REST endpoints.

high
Vulnerability
Simple JWT Login – Allows you to use JWT on REST endpoints. — Authentication Bypass to Privilege Escalation
Severity
high High risk
Affected Versions
<=3.6.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Booking Package

high
Vulnerability
Booking Package — Generic SQL Injection
Severity
high High risk
Affected Versions
<=1.7.20
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Swiss Toolkit For WP

high
Vulnerability
Swiss Toolkit For WP — Arbitrary file upload
Severity
high High risk
Affected Versions
<=1.4.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Planyo Online Reservation System

high
Vulnerability
Planyo Online Reservation System — Server-Side Request Forgery leading to Local File Inclusion
Severity
high High risk
Affected Versions
<=3.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Form Vibes – Database Manager for Forms

high
Vulnerability
Form Vibes – Database Manager for Forms — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=1.5.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SureCart

high
Vulnerability
SureCart — Privilege escalation
Severity
high High risk
Affected Versions
<=4.2.3
CVE Reference
Patch Status
No patch
Source
NVD

Code Engine

high
Vulnerability
Code Engine — Remote Code Execution
Severity
high High risk
Affected Versions
<=0.3.5
CVE Reference
Patch Status
No patch
Source
NVD

Essential Addons for Elementor – Popular Elementor Templates & Widgets

high
Vulnerability
Essential Addons for Elementor – Popular Elementor Templates & Widgets — Authenticated Account Takeover
Severity
high High risk
Affected Versions
<=6.6.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales

high
Vulnerability
WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales — Time-based blind SQL Injection
Severity
high High risk
Affected Versions
<=2.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CorvusPay WooCommerce Payment Gateway

high
Vulnerability
CorvusPay WooCommerce Payment Gateway — Stored Cross-Site Scripting
Severity
high High risk
Affected Versions
<=2.7.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

W3 Total Cache

high
Vulnerability
W3 Total Cache — Directory Traversal
Severity
high High risk
Affected Versions
<=2.9.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Genolve – AI image AI video generation

high
Vulnerability
Genolve – AI image AI video generation — Unauthorized modification of data
Severity
high High risk
Affected Versions
<=5.0.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration

medium
Vulnerability
User Frontend <= 4.3.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion via 'attach_id' Parameter
Severity
medium Medium risk
Affected Versions
<=4.3.7
CVE Reference
Patch Status
4.3.8
Source
Wordfence
Plugin Page

Reviews Widgets for Google, Yelp & TripAdvisor

medium
Vulnerability
Reviews Widgets for Google, Yelp & TripAdvisor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.7.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Exclusive Addons for Elementor

medium
Vulnerability
Exclusive Addons for Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.7.9.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Travel Engine

medium
Vulnerability
WP Travel Engine — Properly validate the source of a user-supplied profile image path before moving the file
Severity
medium Medium risk
Affected Versions
<=6.8.1
CVE Reference
Patch Status
No patch
Source
NVD

Sympl Repeater for ACF and Elementor

medium
Vulnerability
Sympl Repeater for ACF and Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Social Share, Social Login and Social Comments Plugin – Super Socializer

medium
Vulnerability
Social Share, Social Login and Social Comments Plugin – Super Socializer — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.14.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Chatra Live Chat + ChatBot + Cart Saver

medium
Vulnerability
Chatra Live Chat + ChatBot + Cart Saver — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Management

medium
Vulnerability
User Management — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Bulk Order Update for WooCommerce

medium
Vulnerability
Bulk Order Update for WooCommerce — Arbitrary File Read
Severity
medium Medium risk
Affected Versions
<=1.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wp Js Detect

medium
Vulnerability
Wp Js Detect — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

medium
Vulnerability
Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.20.2
CVE Reference
Patch Status
No patch
Source
NVD

Recurio – Ultimate Subscription for WooCommerce

medium
Vulnerability
Recurio – Ultimate Subscription for WooCommerce — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.1.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Themehunk Login Registration

medium
Vulnerability
Themehunk Login Registration — Privilege escalation
Severity
medium Medium risk
Affected Versions
<=1.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Advanced iFrame

medium
Vulnerability
Advanced iFrame — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2026.1
CVE Reference
Patch Status
No patch
Source
NVD

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

medium
Vulnerability
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=6.11.1
CVE Reference
Patch Status
No patch
Source
NVD

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

medium
Vulnerability
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=4.3.1
CVE Reference
Patch Status
No patch
Source
NVD

Essential Addons for Elementor – Popular Elementor Templates & Widgets

medium
Vulnerability
Essential Addons for Elementor – Popular Elementor Templates & Widgets — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.6.2
CVE Reference
Patch Status
No patch
Source
NVD

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder

medium
Vulnerability
Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.7.4
CVE Reference
Patch Status
No patch
Source
NVD

WP DSGVO Tools (GDPR)

medium
Vulnerability
WP DSGVO Tools (GDPR) — Perform an authorization check on the immediate-processing path of its data subject access request f
Severity
medium Medium risk
Affected Versions
<=3.1.40
CVE Reference
Patch Status
No patch
Source
NVD

WP Support Plus Responsive Ticket System

medium
Vulnerability
WP Support Plus Responsive Ticket System — Sign or verify its guest-session cookie
Severity
medium Medium risk
Affected Versions
<=9.1.2
CVE Reference
Patch Status
No patch
Source
NVD

Everest Forms

medium
Vulnerability
Everest Forms — Correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the c
Severity
medium Medium risk
Affected Versions
<=3.5.0
CVE Reference
Patch Status
No patch
Source
NVD

Fediverse Embeds

medium
Vulnerability
Fediverse Embeds — Validate the destination of the server-side request performed by an unauthenticated media-proxying e
Severity
medium Medium risk
Affected Versions
<=1.5.8
CVE Reference
Patch Status
No patch
Source
NVD

Fediverse Embeds

medium
Vulnerability
Fediverse Embeds — Validate the destination of the server-side request performed by an unauthenticated site-info endpoi
Severity
medium Medium risk
Affected Versions
<=1.5.8
CVE Reference
Patch Status
No patch
Source
NVD

Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration

medium
Vulnerability
Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration — Unauthorized plugin installation and activation
Severity
medium Medium risk
Affected Versions
<=3.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

medium
Vulnerability
AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=10.10.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

medium
Vulnerability
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=4.3.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

medium
Vulnerability
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=4.3.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support

medium
Vulnerability
ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.17.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell

medium
Vulnerability
WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell — Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=3.12.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Ultimate Post

medium
Vulnerability
Ultimate Post — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.0.31
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Mang Board WP

medium
Vulnerability
Mang Board WP — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

medium
Vulnerability
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=7.9.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Customer Reviews for WooCommerce

medium
Vulnerability
Customer Reviews for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.113.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails

medium
Vulnerability
Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails — Time-based SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.24.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Download Manager

medium
Vulnerability
Download Manager — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.3.61
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Block, Suspend, Report for BuddyPress

medium
Vulnerability
Block, Suspend, Report for BuddyPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.6.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Bookero.pl – system rezerwacji online

medium
Vulnerability
Bookero.pl – system rezerwacji online — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Age Verification & Identity Verification by Token of Trust

medium
Vulnerability
Age Verification & Identity Verification by Token of Trust — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=4.0.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Backup and Staging by WP Time Capsule

medium
Vulnerability
Backup and Staging by WP Time Capsule — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.22.26
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Hydra Booking – Appointment Scheduling & Booking Calendar

medium
Vulnerability
Hydra Booking – Appointment Scheduling & Booking Calendar — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=1.2.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Blocks for ACF Fields

medium
Vulnerability
Blocks for ACF Fields — Unauthorized access of data
Severity
medium Medium risk
Affected Versions
<=1.6.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DSGVO All in one for WP

medium
Vulnerability
DSGVO All in one for WP — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=4.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Invoice

medium
Vulnerability
Easy Invoice — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=2.1.19
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CorvusPay WooCommerce Payment Gateway

medium
Vulnerability
CorvusPay WooCommerce Payment Gateway — Payment Bypass
Severity
medium Medium risk
Affected Versions
<=2.7.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

CorvusPay WooCommerce Payment Gateway

medium
Vulnerability
CorvusPay WooCommerce Payment Gateway — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=2.7.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

DHL eCommerce (Benelux) for WooCommerce

medium
Vulnerability
DHL eCommerce (Benelux) for WooCommerce — Unauthorized modification and loss of data
Severity
medium Medium risk
Affected Versions
<=2.2.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Employee, Leave and Recruitment Management System – Crew HRM

medium
Vulnerability
Employee, Leave and Recruitment Management System – Crew HRM — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Colissimo Officiel : Méthodes de livraison pour WooCommerce

medium
Vulnerability
Colissimo Officiel : Méthodes de livraison pour WooCommerce — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=2.9.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Hotel Booking

medium
Vulnerability
WP Hotel Booking — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System

medium
Vulnerability
WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.0.14
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Fluent Forms

medium
Vulnerability
Fluent Forms — Incorrect authorization
Severity
medium Medium risk
Affected Versions
<=6.2.1
CVE Reference
Patch Status
No patch
Source
NVD

WPvivid Backup for MainWP

medium
Vulnerability
WPvivid Backup for MainWP — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=0.9.33
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

King Addons for Elementor

medium
Vulnerability
King Addons for Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=51.1.62
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Plus Addons for Elementor

medium
Vulnerability
Plus Addons for Elementor — Authenticated (Contributor+) Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.4.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Gutenberg Blocks with AI by Kadence WP – Page Builder Features

medium
Vulnerability
Gutenberg Blocks with AI by Kadence WP – Page Builder Features — Unauthorized post publication
Severity
medium Medium risk
Affected Versions
<=3.5.32
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

rtMedia for WordPress, BuddyPress and bbPress

medium
Vulnerability
rtMedia for WordPress, BuddyPress and bbPress — Time-based SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.6.18
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Booking calendar, Appointment Booking System

medium
Vulnerability
Booking calendar, Appointment Booking System — Time-based SQL Injection
Severity
medium Medium risk
Affected Versions
<=3.2.17
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Sudoku Shortcode

medium
Vulnerability
Sudoku Shortcode — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

affiliate-toolkit – WP Affiliate Plugin with Amazon

medium
Vulnerability
affiliate-toolkit – WP Affiliate Plugin with Amazon — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.7.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)

medium
Vulnerability
Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.1.77
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Animation Addons for Elementor

medium
Vulnerability
Animation Addons for Elementor — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.6.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BuddyHolis TableSearch

medium
Vulnerability
BuddyHolis TableSearch — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ARMember

medium
Vulnerability
ARMember — Directory Traversal
Severity
medium Medium risk
Affected Versions
<=4.0.27
CVE Reference
Patch Status
No patch
Source
NVD

All-in-One Video Gallery

medium
Vulnerability
All-in-One Video Gallery — Server-Side Request Forgery
Severity
medium Medium risk
Affected Versions
<=4.8.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

LA-Studio Element Kit for Elementor

medium
Vulnerability
LA-Studio Element Kit for Elementor — Check whether user registration is enabled on the site before creating an account through one of its
Severity
medium Medium risk
Affected Versions
<=1.6.1
CVE Reference
Patch Status
No patch
Source
NVD

Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms

medium
Vulnerability
Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms — Local File Inclusion
Severity
medium Medium risk
Affected Versions
<=1.26.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Appointments

medium
Vulnerability
Easy Appointments — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.12.27
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Highlighting Code Block

medium
Vulnerability
Highlighting Code Block — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

FlowForms – Conversational Form Builder

medium
Vulnerability
FlowForms – Conversational Form Builder — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=1.1.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)

medium
Vulnerability
Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.1.15
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GDPR Cookie Consent

medium
Vulnerability
GDPR Cookie Consent — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=4.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Cookie Banner for GDPR / CCPA – WPLP Cookie Consent

medium
Vulnerability
Cookie Banner for GDPR / CCPA – WPLP Cookie Consent — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.3.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Import and export users and customers

medium
Vulnerability
Import and export users and customers — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=2.4.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot

medium
Vulnerability
BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.6.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GW AI Website Builder

medium
Vulnerability
GW AI Website Builder — Unauthorized modification of data
Severity
medium Medium risk
Affected Versions
<=1.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Hostel

medium
Vulnerability
Hostel — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference

medium
Vulnerability
GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference — Cross-Site Request Forgery
Severity
medium Medium risk
Affected Versions
<=1.1.8
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Easy Upload Files During Checkout

medium
Vulnerability
Easy Upload Files During Checkout — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=3.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ICS Calendar

medium
Vulnerability
ICS Calendar — Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=12.0.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

KiviCare – Clinic & Patient Management System (EHR)

medium
Vulnerability
KiviCare – Clinic & Patient Management System (EHR) — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=4.4.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails

medium
Vulnerability
Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.24.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

JoomSport – for Sports: Team & League, Football, Hockey & more

medium
Vulnerability
JoomSport – for Sports: Team & League, Football, Hockey & more — Time-based SQL Injection
Severity
medium Medium risk
Affected Versions
<=5.7.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Logo Slider – Logo Carousel, Client Logo Slider & Brand Showcase for WordPress

medium
Vulnerability
Logo Slider – Logo Carousel, Client Logo Slider & Brand Showcase for WordPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress

medium
Vulnerability
Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.2.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Invoice123

medium
Vulnerability
Invoice123 — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.7.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WordPress Infinite Scroll – Ajax Load More

medium
Vulnerability
WordPress Infinite Scroll – Ajax Load More — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.0.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)

medium
Vulnerability
Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=4.1.15
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

UnderConstructionPage PRO

medium
Vulnerability
UnderConstructionPage PRO — Arbitrary File Read
Severity
medium Medium risk
Affected Versions
<=5.76
CVE Reference
Patch Status
No patch
Source
NVD

Points and Rewards for WooCommerce

medium
Vulnerability
Points and Rewards for WooCommerce — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=2.10.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Members – Membership & User Role Editor Plugin

medium
Vulnerability
Members – Membership & User Role Editor Plugin — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=3.2.22
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin

medium
Vulnerability
Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=1.1.9
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

KiviCare – Clinic & Patient Management System (EHR)

medium
Vulnerability
KiviCare – Clinic & Patient Management System (EHR) — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

KiviCare – Clinic & Patient Management System (EHR)

medium
Vulnerability
KiviCare – Clinic & Patient Management System (EHR) — Generic SQL Injection
Severity
medium Medium risk
Affected Versions
<=4.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Lockme OAuth2 calendars integration

medium
Vulnerability
Lockme OAuth2 calendars integration — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.11.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SimpLy Gallery Block & Lightbox

medium
Vulnerability
SimpLy Gallery Block & Lightbox — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.3.3.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Mux Video Uploader

medium
Vulnerability
Mux Video Uploader — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.1.4
CVE Reference
Patch Status
No patch
Source
NVD

MyParcel

medium
Vulnerability
MyParcel — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=4.25.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Starboard Suite Reservation Calendars

medium
Vulnerability
Starboard Suite Reservation Calendars — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.1.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Premium Addons for Elementor – Powerful Elementor Templates & Widgets

medium
Vulnerability
Premium Addons for Elementor – Powerful Elementor Templates & Widgets — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=4.11.84
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

PDF Invoices & Packing Slips for WooCommerce

medium
Vulnerability
PDF Invoices & Packing Slips for WooCommerce — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=5.14.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Solace Extra

medium
Vulnerability
Solace Extra — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.5.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Themify Builder

medium
Vulnerability
Themify Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.7.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Themify Builder

medium
Vulnerability
Themify Builder — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=7.7.6
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base

medium
Vulnerability
ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base — Unauthorized cache deletion
Severity
medium Medium risk
Affected Versions
<=2.1.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

SurfLink - Ultimate Link Manager

medium
Vulnerability
SurfLink - Ultimate Link Manager — Unauthorized data modification
Severity
medium Medium risk
Affected Versions
<=2.6.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AI Chatbot & Workflow Automation by AIWU

medium
Vulnerability
AI Chatbot & Workflow Automation by AIWU — Missing Authorization
Severity
medium Medium risk
Affected Versions
<=1.4.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

AI Chatbot & Workflow Automation by AIWU

medium
Vulnerability
AI Chatbot & Workflow Automation by AIWU — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.4.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Affilia – Affiliate Program & Referral Tracking for WordPress

medium
Vulnerability
Affilia – Affiliate Program & Referral Tracking for WordPress — Unauthorized access
Severity
medium Medium risk
Affected Versions
<=3.3.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Notification for Telegram

medium
Vulnerability
Notification for Telegram — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=3.5.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Print, PDF, Email by PrintFriendly

medium
Vulnerability
Print, PDF, Email by PrintFriendly — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=5.5.10
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Catalyst Connect Zoho CRM Client Portal

medium
Vulnerability
Catalyst Connect Zoho CRM Client Portal — Time-based SQL Injection
Severity
medium Medium risk
Affected Versions
<=2.2.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WCFM – Frontend Manager for WooCommerce

medium
Vulnerability
WCFM – Frontend Manager for WooCommerce — Insecure Direct Object Reference
Severity
medium Medium risk
Affected Versions
<=6.7.27
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Cost Calculator Builder

medium
Vulnerability
Cost Calculator Builder — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=4.0.11
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Widgets for Google Reviews

medium
Vulnerability
Widgets for Google Reviews — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=13.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

White Label CMS

medium
Vulnerability
White Label CMS — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=2.7.12
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Hotel Booking

medium
Vulnerability
WP Hotel Booking — Insufficient Verification of Data Authenticity
Severity
medium Medium risk
Affected Versions
<=2.3.1
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

Wallet for WooCommerce

medium
Vulnerability
Wallet for WooCommerce — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=1.6.4
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WCFM Marketplace – Multivendor Marketplace for WooCommerce

medium
Vulnerability
WCFM Marketplace – Multivendor Marketplace for WooCommerce — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=3.7.3
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WP Easy Pay – Payment and Donation form Builder for Square

medium
Vulnerability
WP Easy Pay – Payment and Donation form Builder for Square — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=4.5.0
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

WCFM – Frontend Manager for WooCommerce

medium
Vulnerability
WCFM – Frontend Manager for WooCommerce — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=6.7.27
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

bbp Style Pack

medium
Vulnerability
bbp Style Pack — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=6.4.5
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

fresh Podcaster

medium
Vulnerability
fresh Podcaster — Stored Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<=1.0.7
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

NEX-Forms – Ultimate Forms

medium
Vulnerability
NEX-Forms – Ultimate Forms — Authorization bypass
Severity
medium Medium risk
Affected Versions
<=9.2.2
CVE Reference
Patch Status
No patch
Source
NVD
Plugin Page

woocommerce

medium
Vulnerability
WooCommerce < 8.4.0 - Reflected Cross-Site Scripting
Severity
medium Medium risk
Affected Versions
<8.4.0
CVE Reference
N/A
Patch Status
Available
Source
Scanner
Plugin Page

gutenberg

medium
Vulnerability
WordPress Core < 5.9.2 & Gutenberg < 12.7.2 - Prototype Pollution via Block Editor
Severity
medium Medium risk
Affected Versions
<12.7.2
CVE Reference
N/A
Patch Status
Available
Source
Scanner
Plugin Page

WordPress Theme Vulnerabilities (2)

EscortWP escortwp

high
Vulnerability
EscortWP escortwp — CVE-2026-12685
Severity
high High risk
Affected Versions
<=3.6.2
CVE Reference
Patch Status
No patch
Source
NVD

Context Blog

medium
Vulnerability
Context Blog — Sensitive Information Exposure
Severity
medium Medium risk
Affected Versions
<=1.3.5
CVE Reference
Patch Status
No patch
Source
NVD

WordPress Core Vulnerabilities (0)

No vulnerabilities reported in this category this week.

Recommendations

1
Update immediately
Install the latest versions of all plugins, themes, and WordPress core.
2
Enable auto-updates
Turn on automatic updates for minor WordPress releases and plugins where possible.
3
Remove unused plugins
Deactivate and delete any plugins or themes you no longer use.
4
Run a security scan
Use our free WordPress security scanner to check your site for known vulnerabilities.
5
Monitor regularly
Set up uptime monitoring and periodic security scans to catch issues early.

Methodology

This report is compiled automatically from multiple trusted sources:

NIST National Vulnerability Database (NVD)
CVE records with CVSS severity scores
Wordfence Intelligence
WordPress-specific vulnerability data with patch information
Our Scanning Database
Vulnerabilities detected through active WordPress security scans

Tags

Related Posts