Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Plugins
Yoast SEO – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1293 Number of Installations: 10,000,000+ Affected Software: Yoast SEO < 26.9 Patched Versions: Yoast SEO 26.9
Mitigation steps: Update to Yoast SEO version 26.9 or greater.
Yoast Duplicate Post – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2019-25314 Number of Installations: 4,000,000+ Affected Software: Yoast Duplicate Post < 3.2.4 Patched Versions: Yoast Duplicate Post 3.2.4
Mitigation steps: Update to Yoast Duplicate Post version 3.2.4 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1512 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor < 6.5.10 Patched Versions: Essential Addons for Elementor 6.5.10
Mitigation steps: Update to Essential Addons for Elementor version 6.5.10 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2650 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor < 5.9.12 Patched Versions: Essential Addons for Elementor 5.9.12
Mitigation steps: Update to Essential Addons for Elementor version 5.9.12 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3728 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor < 5.9.16 Patched Versions: Essential Addons for Elementor 5.9.16
Mitigation steps: Update to Essential Addons for Elementor version 5.9.16 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4448 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor < 5.9.20 Patched Versions: Essential Addons for Elementor 5.9.20
Mitigation steps: Update to Essential Addons for Elementor version 5.9.20 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4449 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor < 5.9.20 Patched Versions: Essential Addons for Elementor 5.9.20
Mitigation steps: Update to Essential Addons for Elementor version 5.9.20 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8742 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor < 6.0.4 Patched Versions: Essential Addons for Elementor 6.0.4
Mitigation steps: Update to Essential Addons for Elementor version 6.0.4 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9993 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor < 6.1.13 Patched Versions: Essential Addons for Elementor 6.1.13
Mitigation steps: Update to Essential Addons for Elementor version 6.1.13 or greater.
Spectra Gutenberg Blocks – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-0950 Number of Installations: 1,000,000+ Affected Software: Spectra Gutenberg Blocks < 2.19.18 Patched Versions: Spectra Gutenberg Blocks 2.19.18
Mitigation steps: Update to Spectra Gutenberg Blocks version 2.19.18 or greater.
Spectra Gutenberg Blocks – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1815 Number of Installations: 1,000,000+ Affected Software: Spectra Gutenberg Blocks < 2.12.9 Patched Versions: Spectra Gutenberg Blocks 2.12.9
Mitigation steps: Update to Spectra Gutenberg Blocks version 2.12.9 or greater.
Complianz – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-11185 Number of Installations: 1,000,000+ Affected Software: Complianz < 7.4.4 Patched Versions: Complianz 7.4.4
Mitigation steps: Update to Complianz version 7.4.4 or greater.
Image Optimizer – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-25387 Number of Installations: 1,000,000+ Affected Software: Image Optimizer < 1.7.2 Patched Versions: Image Optimizer 1.7.2
Mitigation steps: Update to Image Optimizer version 1.7.2 or greater.
Migration, Backup, Staging – Arbitrary File Upload
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Arbitrary File Upload CVE: CVE-2026-1357 Number of Installations: 900,000+ Affected Software: Migration, Backup, Staging < 0.9.124 Patched Versions: Migration, Backup, Staging 0.9.124
Mitigation steps: Update to Migration, Backup, Staging version 0.9.124 or greater.
Breadcrumb NavXT – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2025-13842 Number of Installations: 800,000+ Affected Software: Breadcrumb NavXT < 7.5.1 Patched Versions: Breadcrumb NavXT 7.5.1
Mitigation steps: Update to Breadcrumb NavXT version 7.5.1 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3647 Number of Installations: 700,000+ Affected Software: Premium Addons for Elementor < 4.10.29 Patched Versions: Premium Addons for Elementor 4.10.29
Mitigation steps: Update to Premium Addons for Elementor version 4.10.29 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4376 Number of Installations: 700,000+ Affected Software: Premium Addons for Elementor < 4.10.32 Patched Versions: Premium Addons for Elementor 4.10.32
Mitigation steps: Update to Premium Addons for Elementor version 4.10.32 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4379 Number of Installations: 700,000+ Affected Software: Premium Addons for Elementor < 4.10.32 Patched Versions: Premium Addons for Elementor 4.10.32
Mitigation steps: Update to Premium Addons for Elementor version 4.10.32 or greater.
Fluent Forms – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-0996 Number of Installations: 600,000+ Affected Software: Fluent Forms < 6.1.15 Patched Versions: Fluent Forms 6.1.15
Mitigation steps: Update to Fluent Forms version 6.1.15 or greater.
Fluent Forms – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-6518 Number of Installations: 600,000+ Affected Software: Fluent Forms < 5.1.20 Patched Versions: Fluent Forms 5.1.20
Mitigation steps: Update to Fluent Forms version 5.1.20 or greater.
Fluent Forms – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-6521 Number of Installations: 600,000+ Affected Software: Fluent Forms < 5.1.20 Patched Versions: Fluent Forms 5.1.20
Mitigation steps: Update to Fluent Forms version 5.1.20 or greater.
Fluent Forms – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-6703 Number of Installations: 600,000+ Affected Software: Fluent Forms < 5.1.20 Patched Versions: Fluent Forms 5.1.20
Mitigation steps: Update to Fluent Forms version 5.1.20 or greater.
Forminator Forms – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-2002 Number of Installations: 600,000+ Affected Software: Forminator Forms < 1.50.3 Patched Versions: Forminator Forms 1.50.3
Mitigation steps: Update to Forminator Forms version 1.50.3 or greater.
Ninja Forms – Sensitive Data Exposure
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-2268 Number of Installations: 600,000+ Affected Software: Ninja Forms < 3.14.1 Patched Versions: Ninja Forms 3.14.1
Mitigation steps: Update to Ninja Forms version 3.14.1 or greater.
Royal Addons for Elementor – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-0516 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor < 1.3.88 Patched Versions: Royal Addons for Elementor 1.3.88
Mitigation steps: Update to Royal Addons for Elementor version 1.3.88 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2798 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor < 1.3.972 Patched Versions: Royal Addons for Elementor 1.3.972
Mitigation steps: Update to Royal Addons for Elementor version 1.3.972 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2799 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor < 1.3.972 Patched Versions: Royal Addons for Elementor 1.3.972
Mitigation steps: Update to Royal Addons for Elementor version 1.3.972 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3889 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor < 1.3.972 Patched Versions: Royal Addons for Elementor 1.3.972
Mitigation steps: Update to Royal Addons for Elementor version 1.3.972 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4087 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor < 1.3.976 Patched Versions: Royal Addons for Elementor 1.3.976
Mitigation steps: Update to Royal Addons for Elementor version 1.3.976 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9059 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor < 1.7.1002 Patched Versions: Royal Addons for Elementor 1.7.1002
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1002 or greater.
Royal Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9668 Number of Installations: 600,000+ Affected Software: Royal Addons for Elementor < 1.7.1002 Patched Versions: Royal Addons for Elementor 1.7.1002
Mitigation steps: Update to Royal Addons for Elementor version 1.7.1002 or greater.
Easy Table of Contents – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-13738 Number of Installations: 600,000+ Affected Software: Easy Table of Contents < 2.0.79 Patched Versions: Easy Table of Contents 2.0.79
Mitigation steps: Update to Easy Table of Contents version 2.0.79 or greater.
Kadence Blocks – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-2633 Number of Installations: 600,000+ Affected Software: Kadence Blocks < 3.6.2 Patched Versions: Kadence Blocks 3.6.2
Mitigation steps: Update to Kadence Blocks version 3.6.2 or greater.
Kadence Blocks – Server Side Request Forgery (SSRF)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Server Side Request Forgery (SSRF) CVE: CVE-2026-1857 Number of Installations: 600,000+ Affected Software: Kadence Blocks < 3.6.2 Patched Versions: Kadence Blocks 3.6.2
Mitigation steps: Update to Kadence Blocks version 3.6.2 or greater.
PixelYourSite – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-27072 Number of Installations: 500,000+ Affected Software: PixelYourSite < 11.2.0.2 Patched Versions: PixelYourSite 11.2.0.2
Mitigation steps: Update to PixelYourSite version 11.2.0.2 or greater.
PixelYourSite – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1841 Number of Installations: 500,000+ Affected Software: PixelYourSite < 11.2.0.1 Patched Versions: PixelYourSite 11.2.0.1
Mitigation steps: Update to PixelYourSite version 11.2.0.1 or greater.
SiteGuard WP Plugin – Bypass Vulnerability
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Bypass Vulnerability CVE: CVE-2026-27411 Number of Installations: 500,000+ Affected Software: SiteGuard WP Plugin (All Versions) Patched Versions: No fix available
Mitigation steps: No patch is currently available. Consider disabling or replacing the SiteGuard WP Plugin until a security update is released.
Converter for Media – Server Side Request Forgery (SSRF)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Server Side Request Forgery (SSRF) CVE: CVE-2026-1356 Number of Installations: 500,000+ Affected Software: Converter for Media < 6.5.2 Patched Versions: Converter for Media 6.5.2
Mitigation steps: Update to Converter for Media version 6.5.2 or greater.
Easy WP SMTP – Sensitive Data Exposure
Security Risk: Low Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-3073 Number of Installations: 500,000+ Affected Software: Easy WP SMTP < 2.3.1 Patched Versions: Easy WP SMTP 2.3.1
Mitigation steps: Update to Easy WP SMTP version 2.3.1 or greater.
Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4208 Number of Installations: 500,000+ Affected Software: Gutenberg Blocks with AI by Kadence WP < 3.2.38 Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.38
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP version 3.2.38 or greater.
Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4209 Number of Installations: 500,000+ Affected Software: Gutenberg Blocks with AI by Kadence WP < 3.2.37 Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.2.37
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP version 3.2.37 or greater.
Ally – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-25386 Number of Installations: 400,000+ Affected Software: Ally < 4.0.3 Patched Versions: Ally 4.0.3
Mitigation steps: Update to Ally version 4.0.3 or greater.
SiteOrigin Widgets Bundle – Content Injection
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Content Injection CVE: CVE-2026-2127 Number of Installations: 400,000+ Affected Software: SiteOrigin Widgets Bundle < 1.71.0 Patched Versions: SiteOrigin Widgets Bundle 1.71.0
Mitigation steps: Update to SiteOrigin Widgets Bundle version 1.71.0 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1210 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.20.8 Patched Versions: Happy Addons for Elementor 3.20.8
Mitigation steps: Update to Happy Addons for Elementor version 3.20.8 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1498 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.10.4 Patched Versions: Happy Addons for Elementor 3.10.4
Mitigation steps: Update to Happy Addons for Elementor version 3.10.4 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2786 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.10.5 Patched Versions: Happy Addons for Elementor 3.10.5
Mitigation steps: Update to Happy Addons for Elementor version 3.10.5 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2787 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.10.5 Patched Versions: Happy Addons for Elementor 3.10.5
Mitigation steps: Update to Happy Addons for Elementor version 3.10.5 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2788 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.10.5 Patched Versions: Happy Addons for Elementor 3.10.5
Mitigation steps: Update to Happy Addons for Elementor version 3.10.5 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2789 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.10.5 Patched Versions: Happy Addons for Elementor 3.10.5
Mitigation steps: Update to Happy Addons for Elementor version 3.10.5 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3724 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.10.5 Patched Versions: Happy Addons for Elementor 3.10.5
Mitigation steps: Update to Happy Addons for Elementor version 3.10.5 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4391 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.10.8 Patched Versions: Happy Addons for Elementor 3.10.8
Mitigation steps: Update to Happy Addons for Elementor version 3.10.8 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5041 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.11.0 Patched Versions: Happy Addons for Elementor 3.11.0
Mitigation steps: Update to Happy Addons for Elementor version 3.11.0 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5088 Number of Installations: 400,000+ Affected Software: Happy Addons for Elementor < 3.10.9 Patched Versions: Happy Addons for Elementor 3.10.9
Mitigation steps: Update to Happy Addons for Elementor version 3.10.9 or greater.
Jeg Kit for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-0334 Number of Installations: 400,000+ Affected Software: Jeg Kit for Elementor < 2.6.5 Patched Versions: Jeg Kit for Elementor 2.6.5
Mitigation steps: Update to Jeg Kit for Elementor version 2.6.5 or greater.
Jeg Kit for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3161 Number of Installations: 400,000+ Affected Software: Jeg Kit for Elementor < 2.6.5 Patched Versions: Jeg Kit for Elementor 2.6.5
Mitigation steps: Update to Jeg Kit for Elementor version 2.6.5 or greater.
Jeg Kit for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3162 Number of Installations: 400,000+ Affected Software: Jeg Kit for Elementor < 2.6.4 Patched Versions: Jeg Kit for Elementor 2.6.4
Mitigation steps: Update to Jeg Kit for Elementor version 2.6.4 or greater.
Formidable Forms – Content Injection
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Content Injection CVE: CVE-2023-6830 Number of Installations: 300,000+ Affected Software: Formidable Forms < 6.7.1 Patched Versions: Formidable Forms 6.7.1
Mitigation steps: Update to Formidable Forms version 6.7.1 or greater.
PDF Invoices & Packing Slips for WooCommerce – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-1906 Number of Installations: 300,000+ Affected Software: PDF Invoices & Packing Slips for WooCommerce < 5.7.0 Patched Versions: PDF Invoices & Packing Slips for WooCommerce 5.7.0
Mitigation steps: Update to PDF Invoices & Packing Slips for WooCommerce version 5.7.0 or greater.
Post SMTP – SQL Injection
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2023-6620 Number of Installations: 300,000+ Affected Software: Post SMTP < 2.8.7 Patched Versions: Post SMTP 2.8.7
Mitigation steps: Update to Post SMTP version 2.8.7 or greater.
ShortPixel Image Optimizer – Arbitrary File Download
Security Risk: Medium Exploitation Level: Requires Editor or higher level authentication. Vulnerability: Arbitrary File Download CVE: CVE-2026-1246 Number of Installations: 300,000+ Affected Software: ShortPixel Image Optimizer < 6.4.3 Patched Versions: ShortPixel Image Optimizer 6.4.3
Mitigation steps: Update to ShortPixel Image Optimizer version 6.4.3 or greater.
Unlimited Elements For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-14274 Number of Installations: 300,000+ Affected Software: Unlimited Elements For Elementor < 2.0.2 Patched Versions: Unlimited Elements For Elementor 2.0.2
Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.2 or greater.
Unlimited Elements For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-6170 Number of Installations: 300,000+ Affected Software: Unlimited Elements For Elementor < 1.5.113 Patched Versions: Unlimited Elements For Elementor 1.5.113
Mitigation steps: Update to Unlimited Elements For Elementor version 1.5.113 or greater.
SEOPress – On-site SEO & Analytics – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1134 Number of Installations: 300,000+ Affected Software: SEOPress – On-site SEO & Analytics < 7.6 Patched Versions: SEOPress – On-site SEO & Analytics 7.6
Mitigation steps: Update to SEOPress – On-site SEO & Analytics version 7.6 or greater.
Popup Builder – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2025-13079 Number of Installations: 200,000+ Affected Software: Popup Builder < 4.4.3 Patched Versions: Popup Builder 4.4.3
Mitigation steps: Update to Popup Builder version 4.4.3 or greater.
Ultimate Member – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1404 Number of Installations: 200,000+ Affected Software: Ultimate Member < 2.11.2 Patched Versions: Ultimate Member 2.11.2
Mitigation steps: Update to Ultimate Member version 2.11.2 or greater.
Gutenberg Essential Blocks – Local File Inclusion
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Local File Inclusion CVE: CVE-2023-6623 Number of Installations: 200,000+ Affected Software: Gutenberg Essential Blocks < 4.4.3 Patched Versions: Gutenberg Essential Blocks 4.4.3
Mitigation steps: Update to Gutenberg Essential Blocks version 4.4.3 or greater.
Gutenberg Essential Blocks – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2255 Number of Installations: 200,000+ Affected Software: Gutenberg Essential Blocks < 4.5.4 Patched Versions: Gutenberg Essential Blocks 4.5.4
Mitigation steps: Update to Gutenberg Essential Blocks version 4.5.4 or greater.
FileOrganizer – Sensitive Data Exposure
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-5599 Number of Installations: 200,000+ Affected Software: FileOrganizer < 1.0.8 Patched Versions: FileOrganizer 1.0.8
Mitigation steps: Update to FileOrganizer version 1.0.8 or greater.
Advanced Ads – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-12884 Number of Installations: 100,000+ Affected Software: Advanced Ads < 2.0.15 Patched Versions: Advanced Ads 2.0.15
Mitigation steps: Update to Advanced Ads version 2.0.15 or greater.
Advanced Custom Fields: Font Awesome Field – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-14983 Number of Installations: 100,000+ Affected Software: Advanced Custom Fields: Font Awesome Field < 5.0.2 Patched Versions: Advanced Custom Fields: Font Awesome Field 5.0.2
Mitigation steps: Update to Advanced Custom Fields: Font Awesome Field version 5.0.2 or greater.
Aruba HiSpeed Cache – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2025-11725 Number of Installations: 100,000+ Affected Software: Aruba HiSpeed Cache < 3.0.3 Patched Versions: Aruba HiSpeed Cache 3.0.3
Mitigation steps: Update to Aruba HiSpeed Cache version 3.0.3 or greater.
Aruba HiSpeed Cache – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-11706 Number of Installations: 100,000+ Affected Software: Aruba HiSpeed Cache < 3.0.3 Patched Versions: Aruba HiSpeed Cache 3.0.3
Mitigation steps: Update to Aruba HiSpeed Cache version 3.0.3 or greater.
Aruba HiSpeed Cache – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-23545 Number of Installations: 100,000+ Affected Software: Aruba HiSpeed Cache < 3.0.5 Patched Versions: Aruba HiSpeed Cache 3.0.5
Mitigation steps: Update to Aruba HiSpeed Cache version 3.0.5 or greater.
Backup Migration – Remote Code Execution (RCE)
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Remote Code Execution (RCE) CVE: CVE-2023-7002 Number of Installations: 100,000+ Affected Software: Backup Migration < 1.4.0 Patched Versions: Backup Migration 1.4.0
Mitigation steps: Update to Backup Migration version 1.4.0 or greater.
Download Manager – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1666 Number of Installations: 100,000+ Affected Software: Download Manager < 3.3.47 Patched Versions: Download Manager 3.3.47
Mitigation steps: Update to Download Manager plugin version 3.3.47 or greater.
Dear Flipbook – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-0895 Number of Installations: 100,000+ Affected Software: Dear Flipbook < 2.2.27 Patched Versions: Dear Flipbook 2.2.27
Mitigation steps: Update to Dear Flipbook version 2.2.27 or greater.
Element Pack Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-10310 Number of Installations: 100,000+ Affected Software: Element Pack Addons for Elementor < 5.10.2 Patched Versions: Element Pack Addons for Elementor 5.10.2
Mitigation steps: Update to Element Pack Addons for Elementor version 5.10.2 or greater.
Element Pack Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1426 Number of Installations: 100,000+ Affected Software: Element Pack Addons for Elementor < 5.6.1 Patched Versions: Element Pack Addons for Elementor 5.6.1
Mitigation steps: Update to Element Pack Addons for Elementor version 5.6.1 or greater.
Element Pack Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1429 Number of Installations: 100,000+ Affected Software: Element Pack Addons for Elementor < 5.6.1 Patched Versions: Element Pack Addons for Elementor 5.6.1
Mitigation steps: Update to Element Pack Addons for Elementor version 5.6.1 or greater.
Element Pack Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5554 Number of Installations: 100,000+ Affected Software: Element Pack Addons for Elementor < 5.6.12 Patched Versions: Element Pack Addons for Elementor 5.6.12
Mitigation steps: Update to Element Pack Addons for Elementor version 5.6.12 or greater.
Element Pack Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9867 Number of Installations: 100,000+ Affected Software: Element Pack Addons for Elementor < 5.10.3 Patched Versions: Element Pack Addons for Elementor 5.10.3
Mitigation steps: Update to Element Pack Addons for Elementor version 5.10.3 or greater.
Prime Slider – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3997 Number of Installations: 100,000+ Affected Software: Prime Slider < 3.14.2 Patched Versions: Prime Slider 3.14.2
Mitigation steps: Update to Prime Slider version 3.14.2 or greater.
EmbedPress – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1565 Number of Installations: 100,000+ Affected Software: EmbedPress < 3.9.11 Patched Versions: EmbedPress 3.9.11
Mitigation steps: Update to EmbedPress version 3.9.11 or greater.
EmbedPress – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2688 Number of Installations: 100,000+ Affected Software: EmbedPress < 3.9.13 Patched Versions: EmbedPress 3.9.13
Mitigation steps: Update to EmbedPress version 3.9.13 or greater.
EmbedPress – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3245 Number of Installations: 100,000+ Affected Software: EmbedPress < 3.9.15 Patched Versions: EmbedPress 3.9.15
Mitigation steps: Update to EmbedPress version 3.9.15 or greater.
SlimStat Analytics – SQL Injection
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2025-13431 Number of Installations: 80,000+ Affected Software: SlimStat Analytics < 5.3.2 Patched Versions: SlimStat Analytics 5.3.2
Mitigation steps: Update to SlimStat Analytics version 5.3.2 or greater.
Beaver Builder Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-0896 Number of Installations: 100,000+ Affected Software: Beaver Builder Page Builder < 2.7.4.3 Patched Versions: Beaver Builder Page Builder 2.7.4.3
Mitigation steps: Update to Beaver Builder Page Builder version 2.7.4.3 or greater.
Gallery by FooGallery – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-15524 Number of Installations: 100,000+ Affected Software: Gallery by FooGallery < 3.1.10 Patched Versions: Gallery by FooGallery 3.1.10
Mitigation steps: Update to Gallery by FooGallery version 3.1.10 or greater.
Gallery by FooGallery – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2081 Number of Installations: 100,000+ Affected Software: Gallery by FooGallery < 2.4.15 Patched Versions: Gallery by FooGallery 2.4.15
Mitigation steps: Update to Gallery by FooGallery version 2.4.15 or greater.
GiveWP – PHP Object Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: PHP Object Injection CVE: CVE-2024-5932 Number of Installations: 100,000+ Affected Software: GiveWP < 3.14.2 Patched Versions: GiveWP 3.14.2
Mitigation steps: Update to GiveWP version 3.14.2 or greater.
LatePoint – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-1537 Number of Installations: 100,000+ Affected Software: LatePoint < 5.2.7 Patched Versions: LatePoint 5.2.7
Mitigation steps: Update to LatePoint version 5.2.7 or greater.
LatePoint – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-0617 Number of Installations: 100,000+ Affected Software: LatePoint < 5.2.6 Patched Versions: LatePoint 5.2.6
Mitigation steps: Update to LatePoint version 5.2.6 or greater.
Menu Icons by ThemeIsle – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1755 Number of Installations: 100,000+ Affected Software: Menu Icons by ThemeIsle < 0.13.21 Patched Versions: Menu Icons by ThemeIsle 0.13.21
Mitigation steps: Update to Menu Icons by ThemeIsle version 0.13.21 or greater.
Modula Image Gallery – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-1254 Number of Installations: 100,000+ Affected Software: Modula Image Gallery < 2.13.7 Patched Versions: Modula Image Gallery 2.13.7
Mitigation steps: Update to Modula Image Gallery version 2.13.7 or greater.
Modula Image Gallery – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-23976 Number of Installations: 100,000+ Affected Software: Modula Image Gallery < 2.13.5 Patched Versions: Modula Image Gallery 2.13.5
Mitigation steps: Update to Modula Image Gallery version 2.13.5 or greater.
Mollie Payments for WooCommerce – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-68501 Number of Installations: 100,000+ Affected Software: Mollie Payments for WooCommerce < 8.1.2 Patched Versions: Mollie Payments for WooCommerce 8.1.2
Mitigation steps: Update to Mollie Payments for WooCommerce version 8.1.2 or greater.
WebSub (FKA. PubSubHubbub) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-0688 Number of Installations: 100,000+ Affected Software: WebSub (FKA. PubSubHubbub) < 3.2.0 Patched Versions: WebSub (FKA. PubSubHubbub) 3.2.0
Mitigation steps: Update to WebSub (FKA. PubSubHubbub) version 3.2.0 or greater.
Relevanssi – Insecure Direct Object References (IDOR)
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2023-7199 Number of Installations: 100,000+ Affected Software: Relevanssi < 4.22.0 Patched Versions: Relevanssi 4.22.0
Mitigation steps: Update to Relevanssi version 4.22.0 or greater.
Robin Image Optimizer – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1319 Number of Installations: 100,000+ Affected Software: Robin Image Optimizer < 2.0.3 Patched Versions: Robin Image Optimizer 2.0.3
Mitigation steps: Update to Robin Image Optimizer version 2.0.3 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-0445 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.5.0 Patched Versions: The Plus Addons for Elementor 5.5.0
Mitigation steps: Update to The Plus Addons for Elementor version 5.5.0 or greater.
Brevo – Email, SMS, Web Push, Chat, and more. – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2025-14799 Number of Installations: 100,000+ Affected Software: Brevo – Email, SMS, Web Push, Chat, and more. < 3.3.1 Patched Versions: Brevo – Email, SMS, Web Push, Chat, and more. 3.3.1
Mitigation steps: Update to Brevo – Email, SMS, Web Push, Chat, and more. version 3.3.1 or greater.
Relevanssi – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2024-1380 Number of Installations: 100,000+ Affected Software: Relevanssi < 4.22.1 Patched Versions: Relevanssi 4.22.1
Mitigation steps: Update to Relevanssi version 4.22.1 or greater.
The Plus Addons for Elementor – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-2386 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 6.4.8 Patched Versions: The Plus Addons for Elementor 6.4.8
Mitigation steps: Update to The Plus Addons for Elementor version 6.4.8 or greater.
The Plus Addons for Elementor – Local File Inclusion
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Local File Inclusion CVE: CVE-2024-2210 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.4.2 Patched Versions: The Plus Addons for Elementor 5.4.2
Mitigation steps: Update to The Plus Addons for Elementor version 5.4.2 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2784 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.5.5 Patched Versions: The Plus Addons for Elementor 5.5.5
Mitigation steps: Update to The Plus Addons for Elementor version 5.5.5 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2785 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.5.0 Patched Versions: The Plus Addons for Elementor 5.5.0
Mitigation steps: Update to The Plus Addons for Elementor version 5.5.0 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3197 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.5.0 Patched Versions: The Plus Addons for Elementor 5.5.0
Mitigation steps: Update to The Plus Addons for Elementor version 5.5.0 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3199 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.5.0 Patched Versions: The Plus Addons for Elementor 5.5.0
Mitigation steps: Update to The Plus Addons for Elementor version 5.5.0 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4484 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.5.3 Patched Versions: The Plus Addons for Elementor 5.5.3
Mitigation steps: Update to The Plus Addons for Elementor version 5.5.3 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4485 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.5.3 Patched Versions: The Plus Addons for Elementor 5.5.3
Mitigation steps: Update to The Plus Addons for Elementor version 5.5.3 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-6575 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.6.3 Patched Versions: The Plus Addons for Elementor 5.6.3
Mitigation steps: Update to The Plus Addons for Elementor version 5.6.3 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5583 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor < 5.6.3 Patched Versions: The Plus Addons for Elementor 5.6.3
Mitigation steps: Update to The Plus Addons for Elementor version 5.6.3 or greater.
VK All in One Expansion Unit – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-11737 Number of Installations: 100,000+ Affected Software: VK All in One Expansion Unit < 9.112.4 Patched Versions: VK All in One Expansion Unit 9.112.4
Mitigation steps: Update to VK All in One Expansion Unit version 9.112.4 or greater.
WP All Export – Sensitive Data Exposure
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-1582 Number of Installations: 100,000+ Affected Software: WP All Export < 1.4.15 Patched Versions: WP All Export 1.4.15
Mitigation steps: Update to WP All Export version 1.4.15 or greater.
Orbit Fox – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1497 Number of Installations: 100,000+ Affected Software: Orbit Fox < 2.10.31 Patched Versions: Orbit Fox 2.10.31
Mitigation steps: Update to Orbit Fox version 2.10.31 or greater.
Tutor LMS – Insecure Direct Object References (IDOR)
Security Risk: High Exploitation Level: Requires Instructor or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-1375 Number of Installations: 100,000+ Affected Software: Tutor LMS < 3.9.6 Patched Versions: Tutor LMS 3.9.6
Mitigation steps: Update to Tutor LMS version 3.9.6 or greater.
Tutor LMS – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-1371 Number of Installations: 100,000+ Affected Software: Tutor LMS < 3.9.6 Patched Versions: Tutor LMS 3.9.6
Mitigation steps: Update to Tutor LMS version 3.9.6 or greater.
Customer Reviews for WooCommerce – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1316 Number of Installations: 80,000+ Affected Software: Customer Reviews for WooCommerce < 5.98.0 Patched Versions: Customer Reviews for WooCommerce 5.98.0
Mitigation steps: Update to Customer Reviews for WooCommerce version 5.98.0 or greater.
WP All Import – Remote Code Execution (RCE)
Security Risk: Critical Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Remote Code Execution (RCE) CVE: CVE-2023-7082 Number of Installations: 100,000+ Affected Software: WP All Import < 3.7.3 Patched Versions: WP All Import 3.7.3
Mitigation steps: Update to WP All Import version 3.7.3 or greater.
Razorpay for WooCommerce – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2025-14294 Number of Installations: 90,000+ Affected Software: Razorpay for WooCommerce < 4.7.9 Patched Versions: Razorpay for WooCommerce 4.7.9
Mitigation steps: Update to Razorpay for WooCommerce version 4.7.9 or greater.
Checkout Field Manager (Checkout Manager) for WooCommerce – Arbitrary Content Deletion
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Arbitrary Content Deletion CVE: CVE-2025-13930 Number of Installations: 90,000+ Affected Software: Checkout Field Manager (Checkout Manager) for WooCommerce < 7.8.6 Patched Versions: Checkout Field Manager (Checkout Manager) for WooCommerce 7.8.6
Mitigation steps: Update to Checkout Field Manager (Checkout Manager) for WooCommerce version 7.8.6 or greater.
Checkout Field Manager (Checkout Manager) for WooCommerce – Arbitrary File Upload
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Arbitrary File Upload CVE: CVE-2025-12500 Number of Installations: 90,000+ Affected Software: Checkout Field Manager (Checkout Manager) for WooCommerce < 7.8.2 Patched Versions: Checkout Field Manager (Checkout Manager) for WooCommerce 7.8.2
Mitigation steps: Update to Checkout Field Manager (Checkout Manager) for WooCommerce version 7.8.2 or greater.
ShopLentor – Content Injection
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Content Injection CVE: CVE-2026-1714 Number of Installations: 90,000+ Affected Software: ShopLentor < 3.3.3 Patched Versions: ShopLentor 3.3.3
Mitigation steps: Update to ShopLentor version 3.3.3 or greater.
Addon Elements for Elementor (formerly Elementor Addon Elements) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1391 Number of Installations: 90,000+ Affected Software: Addon Elements for Elementor (formerly Elementor Addon Elements) < 1.13 Patched Versions: Addon Elements for Elementor (formerly Elementor Addon Elements) 1.13
Mitigation steps: Update to Addon Elements for Elementor (formerly Elementor Addon Elements) version 1.13 or greater.
Addon Elements for Elementor (formerly Elementor Addon Elements) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1392 Number of Installations: 90,000+ Affected Software: Addon Elements for Elementor (formerly Elementor Addon Elements) < 1.13 Patched Versions: Addon Elements for Elementor (formerly Elementor Addon Elements) 1.13
Mitigation steps: Update to Addon Elements for Elementor (formerly Elementor Addon Elements) version 1.13 or greater.
Addon Elements for Elementor (formerly Elementor Addon Elements) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2091 Number of Installations: 90,000+ Affected Software: Addon Elements for Elementor (formerly Elementor Addon Elements) < 1.13.3 Patched Versions: Addon Elements for Elementor (formerly Elementor Addon Elements) 1.13.3
Mitigation steps: Update to Addon Elements for Elementor (formerly Elementor Addon Elements) version 1.13.3 or greater.
Addon Elements for Elementor (formerly Elementor Addon Elements) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2092 Number of Installations: 90,000+ Affected Software: Addon Elements for Elementor (formerly Elementor Addon Elements) < 1.13.4 Patched Versions: Addon Elements for Elementor (formerly Elementor Addon Elements) 1.13.4
Mitigation steps: Update to Addon Elements for Elementor (formerly Elementor Addon Elements) version 1.13.4 or greater.
Addon Elements for Elementor (formerly Elementor Addon Elements) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4570 Number of Installations: 90,000+ Affected Software: Addon Elements for Elementor (formerly Elementor Addon Elements) < 1.13.6 Patched Versions: Addon Elements for Elementor (formerly Elementor Addon Elements) 1.13.6
Mitigation steps: Update to Addon Elements for Elementor (formerly Elementor Addon Elements) version 1.13.6 or greater.
Addon Elements for Elementor (formerly Elementor Addon Elements) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4401 Number of Installations: 90,000+ Affected Software: Addon Elements for Elementor (formerly Elementor Addon Elements) < 1.13.6 Patched Versions: Addon Elements for Elementor (formerly Elementor Addon Elements) 1.13.6
Mitigation steps: Update to Addon Elements for Elementor (formerly Elementor Addon Elements) version 1.13.6 or greater.
Addon Elements for Elementor (formerly Elementor Addon Elements) – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-7122 Number of Installations: 90,000+ Affected Software: Addon Elements for Elementor (formerly Elementor Addon Elements) < 1.13.7 Patched Versions: Addon Elements for Elementor (formerly Elementor Addon Elements) 1.13.7
Mitigation steps: Update to Addon Elements for Elementor (formerly Elementor Addon Elements) version 1.13.7 or greater.
Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-12588 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.17.3 Patched Versions: Shortcodes and extra features for Phlox theme 2.17.3
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.17.3 or greater.
Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1348 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.15.8 Patched Versions: Shortcodes and extra features for Phlox theme 2.15.8
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.15.8 or greater.
Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1357 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.15.8 Patched Versions: Shortcodes and extra features for Phlox theme 2.15.8
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.15.8 or greater.
Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1396 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.15.8 Patched Versions: Shortcodes and extra features for Phlox theme 2.15.8
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.15.8 or greater.
Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1533 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.15.8 Patched Versions: Shortcodes and extra features for Phlox theme 2.15.8
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.15.8 or greater.
Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3341 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.15.8 Patched Versions: Shortcodes and extra features for Phlox theme 2.15.8
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.15.8 or greater.
Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9545 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.17.1 Patched Versions: Shortcodes and extra features for Phlox theme 2.17.1
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.17.1 or greater.
Shortcodes and extra features for Phlox theme – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-12379 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.17.14 Patched Versions: Shortcodes and extra features for Phlox theme 2.17.14
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.17.14 or greater.
Shortcodes and extra features for Phlox theme – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2025-13215 Number of Installations: 90,000+ Affected Software: Shortcodes and extra features for Phlox theme < 2.17.14 Patched Versions: Shortcodes and extra features for Phlox theme 2.17.14
Mitigation steps: Update to Shortcodes and extra features for Phlox theme version 2.17.14 or greater.
Colibri Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3337 Number of Installations: 90,000+ Affected Software: Colibri Page Builder < 1.0.274 Patched Versions: Colibri Page Builder 1.0.274
Mitigation steps: Update to Colibri Page Builder version 1.0.274 or greater.
Colibri Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4451 Number of Installations: 90,000+ Affected Software: Colibri Page Builder < 1.0.277 Patched Versions: Colibri Page Builder 1.0.277
Mitigation steps: Update to Colibri Page Builder version 1.0.277 or greater.
ShopLentor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1057 Number of Installations: 90,000+ Affected Software: ShopLentor < 2.8.2 Patched Versions: ShopLentor 2.8.2
Mitigation steps: Update to ShopLentor version 2.8.2 or greater.
HT Mega – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2084 Number of Installations: 80,000+ Affected Software: HT Mega < 2.4.7 Patched Versions: HT Mega 2.4.7
Mitigation steps: Update to HT Mega version 2.4.7 or greater.
HT Mega – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3308 Number of Installations: 80,000+ Affected Software: HT Mega < 2.5.0 Patched Versions: HT Mega 2.5.0
Mitigation steps: Update to HT Mega version 2.5.0 or greater.
HT Mega – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3989 Number of Installations: 80,000+ Affected Software: HT Mega < 2.5.1 Patched Versions: HT Mega 2.5.1
Mitigation steps: Update to HT Mega version 2.5.1 or greater.
HT Mega – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-5173 Number of Installations: 80,000+ Affected Software: HT Mega < 2.5.6 Patched Versions: HT Mega 2.5.6
Mitigation steps: Update to HT Mega version 2.5.6 or greater.
Import and export users and customers – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4734 Number of Installations: 80,000+ Affected Software: Import and export users and customers < 1.26.7 Patched Versions: Import and export users and customers 1.26.7
Mitigation steps: Update to Import and export users and customers version 1.26.7 or greater.
StatCounter – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-13048 Number of Installations: 70,000+ Affected Software: StatCounter < 2.1.1 Patched Versions: StatCounter 2.1.1
Mitigation steps: Update to StatCounter version 2.1.1 or greater.
Advanced Contact form 7 DB – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2024-3723 Number of Installations: 70,000+ Affected Software: Advanced Contact form 7 DB < 2.0.3 Patched Versions: Advanced Contact form 7 DB 2.0.3
Mitigation steps: Update to Advanced Contact form 7 DB version 2.0.3 or greater.
Brizy – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1164 Number of Installations: 70,000+ Affected Software: Brizy < 2.4.44 Patched Versions: Brizy 2.4.44
Mitigation steps: Update to Brizy version 2.4.44 or greater.
Brizy – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1161 Number of Installations: 70,000+ Affected Software: Brizy < 2.4.44 Patched Versions: Brizy 2.4.44
Mitigation steps: Update to Brizy version 2.4.44 or greater.
Brizy – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1293 Number of Installations: 70,000+ Affected Software: Brizy < 2.4.41 Patched Versions: Brizy 2.4.41
Mitigation steps: Update to Brizy version 2.4.41 or greater.
Brizy – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-1940 Number of Installations: 70,000+ Affected Software: Brizy < 2.4.42 Patched Versions: Brizy 2.4.42
Mitigation steps: Update to Brizy version 2.4.42 or greater.
Featured Image from URL (FIFU) – Server Side Request Forgery (SSRF)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Server Side Request Forgery (SSRF) CVE: CVE-2025-13393 Number of Installations: 70,000+ Affected Software: Featured Image from URL (FIFU) < 5.3.2 Patched Versions: Featured Image from URL (FIFU) 5.3.2
Mitigation steps: Update to Featured Image from URL (FIFU) version 5.3.2 or greater.
WP ULike – Insecure Direct Object References (IDOR)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-0909 Number of Installations: 70,000+ Affected Software: WP ULike < 5.0.0 Patched Versions: WP ULike 5.0.0
Mitigation steps: Update to WP ULike version 5.0.0 or greater.
Product Feed Manager for WooCommerce – Broken Access Control
Security Risk: High Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-12975 Number of Installations: 70,000+ Affected Software: Product Feed Manager for WooCommerce < 6.6.12 Patched Versions: Product Feed Manager for WooCommerce 6.6.12
Mitigation steps: Update to Product Feed Manager for WooCommerce version 6.6.12 or greater.
Email Subscribers & Newsletters – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-3626 Number of Installations: 60,000+ Affected Software: Email Subscribers & Newsletters < 5.7.18 Patched Versions: Email Subscribers & Newsletters 5.7.18
Mitigation steps: Update to Email Subscribers & Newsletters version 5.7.18 or greater.
Exclusive Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2503 Number of Installations: 60,000+ Affected Software: Exclusive Addons for Elementor < 2.6.9.3 Patched Versions: Exclusive Addons for Elementor 2.6.9.3
Mitigation steps: Update to Exclusive Addons for Elementor version 2.6.9.3 or greater.
Exclusive Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3985 Number of Installations: 60,000+ Affected Software: Exclusive Addons for Elementor < 2.6.9.5 Patched Versions: Exclusive Addons for Elementor 2.6.9.5
Mitigation steps: Update to Exclusive Addons for Elementor version 2.6.9.5 or greater.
Post and Page Builder by BoldGrid – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-6848 Number of Installations: 60,000+ Affected Software: Post and Page Builder by BoldGrid < 1.26.7 Patched Versions: Post and Page Builder by BoldGrid 1.26.7
Mitigation steps: Update to Post and Page Builder by BoldGrid version 1.26.7 or greater.
Greenshift – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2026-1927 Number of Installations: 60,000+ Affected Software: Greenshift < 12.6 Patched Versions: Greenshift 12.6
Mitigation steps: Update to Greenshift version 12.6 or greater.
Mesmerize Companion – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-12027 Number of Installations: 60,000+ Affected Software: Mesmerize Companion < 1.6.162 Patched Versions: Mesmerize Companion 1.6.162
Mitigation steps: Update to Mesmerize Companion version 1.6.162 or greater.
ACF Photo Gallery Field – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-12081 Number of Installations: 60,000+ Affected Software: ACF Photo Gallery Field < 3.1 Patched Versions: ACF Photo Gallery Field 3.1
Mitigation steps: Update to ACF Photo Gallery Field version 3.1 or greater.
WP Maps – Local File Inclusion
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Local File Inclusion CVE: CVE-2025-12062 Number of Installations: 60,000+ Affected Software: WP Maps < 4.8.7 Patched Versions: WP Maps 4.8.7
Mitigation steps: Update to WP Maps version 4.8.7 or greater.
Zarinpal Gateway – Broken Access Control
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-2592 Number of Installations: 60,000+ Affected Software: Zarinpal Gateway < 5.0.17 Patched Versions: Zarinpal Gateway 5.0.17
Mitigation steps: Update to Zarinpal Gateway version 5.0.17 or greater.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-3266 Number of Installations: 50,000+ Affected Software: Bold Page Builder < 4.8.9 Patched Versions: Bold Page Builder 4.8.9
Mitigation steps: Update to Bold Page Builder version 4.8.9 or greater.
Getwid – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-6489 Number of Installations: 50,000+ Affected Software: Getwid < 2.0.11 Patched Versions: Getwid 2.0.11
Mitigation steps: Update to Getwid version 2.0.11 or greater.
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-14895 Number of Installations: 50,000+ Affected Software: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers < 2.2.1 Patched Versions: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers 2.2.1
Mitigation steps: Update to popup-builder-block plugin version 2.2.1 or greater.
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers – SQL Injection
Security Risk: High Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2025-13192 Number of Installations: 50,000+ Affected Software: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers < 2.2.1 Patched Versions: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers 2.2.1
Mitigation steps: Update to popup-builder-block plugin version 2.2.1 or greater.
User Profile Builder – Privilege Escalation
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: Privilege Escalation CVE: CVE-2025-15030 Number of Installations: 50,000+ Affected Software: User Profile Builder < 3.15.2 Patched Versions: User Profile Builder 3.15.2
Mitigation steps: Update to User Profile Builder version 3.15.2 or greater.
Sina Extension for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4333 Number of Installations: 50,000+ Affected Software: Sina Extension for Elementor < 3.5.4 Patched Versions: Sina Extension for Elementor 3.5.4
Mitigation steps: Update to Sina Extension for Elementor version 3.5.4 or greater.
Themesflat Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-2922 Number of Installations: 50,000+ Affected Software: Themesflat Addons For Elementor < 2.1.3 Patched Versions: Themesflat Addons For Elementor 2.1.3
Mitigation steps: Update to Themesflat Addons For Elementor version 2.1.3 or greater.
Themesflat Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4458 Number of Installations: 50,000+ Affected Software: Themesflat Addons For Elementor < 2.1.3 Patched Versions: Themesflat Addons For Elementor 2.1.3
Mitigation steps: Update to Themesflat Addons For Elementor version 2.1.3 or greater.
Themesflat Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4459 Number of Installations: 50,000+ Affected Software: Themesflat Addons For Elementor < 2.1.3 Patched Versions: Themesflat Addons For Elementor 2.1.3
Mitigation steps: Update to Themesflat Addons For Elementor version 2.1.3 or greater.
Themesflat Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4212 Number of Installations: 50,000+ Affected Software: Themesflat Addons For Elementor < 2.1.3 Patched Versions: Themesflat Addons For Elementor 2.1.3
Mitigation steps: Update to Themesflat Addons For Elementor version 2.1.3 or greater.
Ultimate Blocks – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-4268 Number of Installations: 50,000+ Affected Software: Ultimate Blocks < 3.2.0 Patched Versions: Ultimate Blocks 3.2.0
Mitigation steps: Update to Ultimate Blocks version 3.2.0 or greater.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-12159 Number of Installations: 50,000+ Affected Software: Bold Page Builder (All Versions) Patched Versions: No fix available
Mitigation steps: No patch is currently available. Consider disabling or replacing the Bold Page Builder plugin until a security update is released.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-13463 Number of Installations: 50,000+ Affected Software: Bold Page Builder (All Versions) Patched Versions: No fix available
Mitigation steps: No patch is currently available. Consider disabling or replacing the Bold Page Builder plugin until a security update is released.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-15267 Number of Installations: 50,000+ Affected Software: Bold Page Builder (All Versions) Patched Versions: No fix available
Mitigation steps: No patch is currently available. Consider disabling or replacing the Bold Page Builder plugin until a security update is released.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-12803 Number of Installations: 50,000+ Affected Software: Bold Page Builder (All Versions) Patched Versions: No fix available
Mitigation steps: No patch is currently available. Consider disabling or replacing the Bold Page Builder plugin until a security update is released.
WP Recipe Maker – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-0383 Number of Installations: 50,000+ Affected Software: WP Recipe Maker < 9.1.1 Patched Versions: WP Recipe Maker 9.1.1
Mitigation steps: Update to WP Recipe Maker version 9.1.1 or greater.
WP Recipe Maker – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-0381 Number of Installations: 50,000+ Affected Software: WP Recipe Maker < 9.1.1 Patched Versions: WP Recipe Maker 9.1.1
Mitigation steps: Update to WP Recipe Maker version 9.1.1 or greater.
Persian WooCommerce SMS – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-22352 Number of Installations: 50,000+ Affected Software: Persian WooCommerce SMS (All Versions) Patched Versions: No fix available
Mitigation steps: No patch is currently available. Consider disabling or replacing the Persian WooCommerce SMS plugin until a security update is released.
Auto Featured Image (Auto Post Thumbnail) – Server Side Request Forgery (SSRF)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Server Side Request Forgery (SSRF) CVE: CVE-2023-7073 Number of Installations: 50,000+ Affected Software: Auto Featured Image (Auto Post Thumbnail) < 4.2.0 Patched Versions: Auto Featured Image (Auto Post Thumbnail) 4.2.0
Mitigation steps: Update to Auto Featured Image (Auto Post Thumbnail) version 4.2.0 or greater.
WP-Members Membership Plugin – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2023-6733 Number of Installations: 50,000+ Affected Software: WP-Members Membership Plugin < 3.4.9 Patched Versions: WP-Members Membership Plugin 3.4.9
Mitigation steps: Update to WP-Members Membership Plugin version 3.4.9 or greater.
Blog2Social: Social Media Auto Post & Scheduler – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-1942 Number of Installations: 50,000+ Affected Software: Blog2Social: Social Media Auto Post & Scheduler < 8.7.5 Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 8.7.5
Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler version 8.7.5 or greater.
Booking Calendar – Insecure Direct Object References (IDOR)
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Insecure Direct Object References (IDOR) CVE: CVE-2026-2230 Number of Installations: 50,000+ Affected Software: Booking Calendar < 10.14.15 Patched Versions: Booking Calendar 10.14.15
Mitigation steps: Update to Booking Calendar version 10.14.15 or greater.
Printful Integration for WooCommerce – Server Side Request Forgery (SSRF)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Server Side Request Forgery (SSRF) CVE: CVE-2025-12375 Number of Installations: 50,000+ Affected Software: Printful Integration for WooCommerce < 2.2.12 Patched Versions: Printful Integration for WooCommerce 2.2.12
Mitigation steps: Update to Printful Integration for WooCommerce version 2.2.12 or greater.
Advanced AJAX Product Filters – PHP Object Injection
Security Risk: High Exploitation Level: Requires Author or higher level authentication. Vulnerability: PHP Object Injection CVE: CVE-2026-1426 Number of Installations: 50,000+ Affected Software: Advanced AJAX Product Filters < 3.1.9.7 Patched Versions: Advanced AJAX Product Filters 3.1.9.7
Mitigation steps: Update to Advanced AJAX Product Filters version 3.1.9.7 or greater.
Super Page Cache – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1843 Number of Installations: 50,000+ Affected Software: Super Page Cache < 5.2.3 Patched Versions: Super Page Cache 5.2.3
Mitigation steps: Update to Super Page Cache version 5.2.3 or greater.
RSS Aggregator – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1216 Number of Installations: 50,000+ Affected Software: RSS Aggregator < 5.0.11 Patched Versions: RSS Aggregator 5.0.11
Mitigation steps: Update to RSS Aggregator version 5.0.11 or greater.
YayMail – Broken Access Control
Security Risk: Low Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-1938 Number of Installations: 50,000+ Affected Software: YayMail < 4.3.3 Patched Versions: YayMail 4.3.3
Mitigation steps: Update to YayMail version 4.3.3 or greater.
YayMail – Broken Access Control
Security Risk: Low Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-1831 Number of Installations: 50,000+ Affected Software: YayMail < 4.3.3 Patched Versions: YayMail 4.3.3
Mitigation steps: Update to YayMail version 4.3.3 or greater.
YayMail – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2026-1943 Number of Installations: 50,000+ Affected Software: YayMail < 4.3.3 Patched Versions: YayMail 4.3.3
Mitigation steps: Update to YayMail version 4.3.3 or greater.
YayMail – Broken Access Control
Security Risk: High Exploitation Level: Requires Shop Manager or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2026-1937 Number of Installations: 50,000+ Affected Software: YayMail < 4.3.3 Patched Versions: YayMail 4.3.3
Mitigation steps: Update to YayMail version 4.3.3 or greater.
Themes
Royal Elementor Kit – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2024-0835 Number of Installations: 986,469 Affected Software: Royal Elementor Kit < 1.0.117 Patched Versions: Royal Elementor Kit 1.0.117
Mitigation steps: Update to Royal Elementor Kit theme version 1.0.117 or greater.
Spa and Salon – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2026-25374 Number of Installations: 165,530 Affected Software: Spa and Salon < 1.3.3 Patched Versions: Spa and Salon 1.3.3
Mitigation steps: Update to Spa and Salon theme version 1.3.3 or greater.
Context Blog – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2025-12074 Number of Installations: 84,231 Affected Software: Context Blog < 1.2.6 Patched Versions: Context Blog 1.2.6
Mitigation steps: Update to Context Blog theme version 1.2.6 or greater.
Shopire – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-13091 Number of Installations: 89,293 Affected Software: Shopire < 1.0.58 Patched Versions: Shopire 1.0.58
Mitigation steps: Update to Shopire theme version 1.0.58 or greater.
Update your website software to mitigate risk. Users who are unable to update to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.