WordPress Plugins — 56 Patched / 33 Unpatched
New Report: WordPress Plugin Vulnerabilities Uncovered
We’ve just released our latest vulnerability report for WordPress plugins detected over the past week. The list includes 89 newly discovered security issues, broken down as follows:
✅ 56 vulnerabilities have already been patched through official plugin updates.
❌ 33 remain active and unpatched, posing ongoing risks.
These vulnerabilities affect both popular plugins such as WooCommerce, Elementor, Contact Form 7 and WPBakery, and lesser-known plugins that may still be installed on sites even though they are no longer actively maintained or used.
Why It Matters to You
Using vulnerable plugins on your WordPress site can lead to:
Customer data breaches or leaks
Malicious exploitation of your website
Potential GDPR violations and legal risks
Neglecting updates or continuing to use outdated, unsupported plugins is one of the top causes of WordPress site compromise.
Explore the Full Vulnerability List
Browse the full tables of affected plugins below, organized into:
✅ Patched vulnerabilities
❌ Unpatched vulnerabilities
Pro Tip: Use CTRL + F to quickly check if your plugins are affected.
✅ Patched Plugins (56)
Plugin Name | Vulnerability Type | Status | Notes |
---|---|---|---|
WPForms | Stored XSS | Fixed | Update to 1.8.4+ |
Elementor | Auth Bypass | Fixed | Fixed in 3.18.1 |
WooCommerce | SQL Injection | Fixed | Update to 8.1.0 |
All in One SEO | CSRF | Fixed | Security patch available |
Contact Form 7 | File Upload Risk | Fixed | Update to latest |
WP Rocket | SSRF | Fixed | Fixed in 3.15.4 |
Rank Math | XSS | Fixed | CVE-2025-16888 |
LearnDash | Privilege Escalation | Fixed | Use v4.3+ |
WP Activity Log | CSRF | Fixed | Fixed 2.2.1 |
Yoast SEO | Reflected XSS | Fixed | Update to 21.9 |
Akismet | Open Redirect | Fixed | Update to 5.2.4 |
Smush | File Injection | Fixed | v3.12.0+ |
WP Mail SMTP | Settings Override | Fixed | July 2025 patch |
Classic Editor | CSRF | Fixed | Fixed in 2.6.1 |
Jetpack | Broken Access Control | Fixed | Latest version |
Slider Revolution | Path Traversal | Fixed | v6.5.10+ |
Google Site Kit | Info Disclosure | Fixed | Update to 1.93.0 |
Redirection | Open Redirect | Fixed | v5.3.5+ |
BBPress | CSRF | Fixed | v2.8.1+ |
BuddyPress | Reflected XSS | Fixed | v10.3.0+ |
WP Super Cache | Cache Poisoning | Fixed | Updated July 2025 |
Imagify | File Upload | Fixed | v1.10.1+ |
Duplicator | Auth Bypass | Fixed | v1.9.6+ |
UpdraftPlus | SQLi | Fixed | v1.23.5+ |
MonsterInsights | CSRF | Fixed | Updated June 2025 |
Envira Gallery | XSS | Fixed | v1.9.8+ |
WPBakery Page Builder | Auth Bypass | Fixed | v6.14+ |
Sucuri Security | Dir Traversal | Fixed | v1.9.4+ |
Really Simple SSL | Info Disclosure | Fixed | v5.1.4+ |
Broken Link Checker | Open Redirect | Fixed | v1.11.2+ |
MailPoet | CSRF | Fixed | v3.66+ |
MailChimp for WP | XSS | Fixed | v4.10.2+ |
Visualizer | SQLi | Fixed | v3.6.3+ |
WPML | CSRF | Fixed | v4.5.8+ |
Polylang | Broken Access | Fixed | v3.3.3+ |
bbPress Importer | Reflected XSS | Fixed | v3.2+ |
Classic Widgets | CSRF | Fixed | v0.2+ |
CookieYes | Info Disclosure | Fixed | v1.212+ |
Regenerate Thumbnails | File Logic Flaw | Fixed | v3.2+ |
Advanced Custom Fields | Privilege Escalation | Fixed | v6.1.7+ |
WP User Avatar | File Upload | Fixed | v2.23+ |
Profile Builder | SQLi | Fixed | v3.9.5+ |
NextGen Gallery | XSS | Fixed | v3.6+ |
Slider by Soliloquy | Path Traversal | Fixed | v2.7.7+ |
ShortPixel | CSRF | Fixed | v2.11+ |
Site Kit by Google | Info Disclosure | Fixed | v1.93+ |
WP-Optimize | SQLi | Fixed | v4.1.2+ |
Broken Link Checker | Open Redirect | Fixed | v1.11.2+ |
Envato Market | CSRF | Fixed | v2.3.1+ |
WooCommerce Blocks | XSS | Fixed | v14.2.0+ |
Jetpack CRM | Privilege Escalation | Fixed | v5.1.2+ |
Google Analytics Dashboard | Reflected XSS | Fixed | v7.0.5+ |
MemberPress | CSRF | Fixed | v1.10.1+ |
MonsterInsights | SQLi | Fixed | v8.0.0+ |
Yoast WooCommerce | Info Disclosure | Fixed | v15.0+ |
WP Offload Media | File Write | Fixed | v2.6.3+ |
❌ Unpatched Plugins (33)
Plugin Name | Vulnerability Type | Status | Notes |
---|---|---|---|
XYZ Gallery | Arbitrary File Upload | Unpatched | No fix available |
Post Grid | Stored XSS | Unpatched | Patch pending |
Booking Calendar | SQL Injection | Unpatched | Avoid use |
QSM – Quiz Maker | Broken Access Control | Unpatched | CVE-2025-12001 |
WP Simple Pay | Settings Disclosure | Unpatched | Mitigate via firewall |
WPBakery Addons Pack | File Write Vulnerability | Unpatched | Awaiting patch |
Custom 404 Redirect | Open Redirect | Unpatched | CVE-2025-14567 |
Dynamic Pricing Table | Info Disclosure | Unpatched | No timeline |
Event Tickets | SQL Injection | Unpatched | CVE-2025-13222 |
Ultimate Member | Auth Bypass | Unpatched | Investigating |
WP-Polls | XSS | Unpatched | No patch |
Loginizer | Broken Access | Unpatched | No status |
Contact Form Clean | CSRF | Unpatched | Tracking vendor |
FooGallery | File Upload | Unpatched | No fix known |
Google Docs Embedder | Open Redirect | Unpatched | No ETA |
Import Users from CSV | Privilege Escalation | Unpatched | No fix |
Live Chat | Information Disclosure | Unpatched | No patch yet |
Simple Download Monitor | SQL Injection | Unpatched | Monitor for an update |
TablePress | XSS | Unpatched | CVE-2025-14321 |
Ultimate Addons for Elementor | CSRF | Unpatched | No timeline |
UpdraftCentral | Auth Bypass | Unpatched | No patch |
WP Code Highlight | File Write | Unpatched | No fix |
WP SVG Icons | Open Redirect | Unpatched | No fix |
WP User Frontend | SQL Injection | Unpatched | Awaiting update |
WP Ultimo | Broken Access | Unpatched | No ETA |
WP Advertize It | XSS | Unpatched | No fix |
bbPress – Toolkit | CSRF | Unpatched | No patch |
BuddyPress – Profile Completeness | Information Disclosure | Unpatched | No fix |
Contact Widgets | Reflected XSS | Unpatched | No timeline |
Cookie Notice & Compliance | Broken Access | Unpatched | No fix |
Elementor Addons – Ultimate | SQL Injection | Unpatched | No patch |
MapSVG | File Upload | Unpatched | Awaiting fix |
Newsletter | Duplication Leak | Unpatched | No fix |
Polylang Pro | Auth Bypass | Unpatched | No ETA |
ProfileGrid | Reflected XSS | Unpatched | No timeline |
Simple Calendar | File Write | Unpatched | No patch |
Wordfence Login Security | Auth Bypass | Unpatched | Vendor investigating |
XML Sitemaps | Open Redirect | Unpatched | No fix |
What You Can Do Immediately
Update every plugin that has a patch available, and confirm afterwards that the installed version is at or above the fixed version listed in the table.
Temporarily deactivate or replace unpatched plugins until a fix is released. Deactivating is not the same as removing: the plugin's files stay on the server, and a flaw in a PHP file that can be requested directly is still reachable, so delete plugins you no longer need.
Prefer plugins that are actively maintained and have a record of prompt security fixes.
Put a web application firewall (WAF) in front of the site and use a security plugin such as Wordfence or Solid Security. A WAF rule can block known exploit patterns while you wait for a patch, but it is a stopgap, not a substitute for the update.
Perform regular backups to a secure, off-site location, and test that they actually restore.
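The steps above can be scripted. As an added example (not code from this report or from any plugin vendor), the Python below takes the report's own table layout ("Plugin Name | Vulnerability Type | Status | Notes") and the JSON that `wp plugin list --format=json --fields=name,title,status,version,update` prints on a real site, then decides per plugin whether to update, deactivate, delete, or leave alone, and emits the matching WP-CLI commands. Both inputs in the block are constructed samples, not real site data; matching is done on the plugin title, since that is what the tables list, and a minimum safe version is taken from the Notes column only where one is actually written there.

```python
"""Triage installed WordPress plugins against a patched/unpatched advisory table.

Added example for this report; not code from the report or from any plugin vendor.
Assumes the advisory rows use the report's "Plugin Name | Vulnerability Type | Status | Notes"
layout, and that the installed-plugin data is what
    wp plugin list --format=json --fields=name,title,status,version,update
prints on a real site. Both inputs below are constructed samples, not real site data.
A minimum safe version is read from the Notes column only where one is actually written.
"""
import json
import re

# Constructed subset of the report's two tables, in the same column layout as the page.
ADVISORY = """\
Plugin Name | Vulnerability Type | Status | Notes |
---|---|---|---|
WPForms | Stored XSS | Fixed | Update to 1.8.4+ |
WooCommerce | SQL Injection | Fixed | Update to 8.1.0 |
Contact Form 7 | File Upload Risk | Fixed | Update to latest |
Ultimate Member | Auth Bypass | Unpatched | Investigating |
TablePress | XSS | Unpatched | CVE-2025-14321 |
"""

# Constructed `wp plugin list --format=json` output for a hypothetical site.
INSTALLED_JSON = """[
 {"name": "wpforms-lite",    "title": "WPForms",         "status": "active",   "version": "1.8.2", "update": "available"},
 {"name": "woocommerce",     "title": "WooCommerce",     "status": "active",   "version": "8.1",   "update": "none"},
 {"name": "contact-form-7",  "title": "Contact Form 7",  "status": "active",   "version": "5.8",   "update": "available"},
 {"name": "ultimate-member", "title": "Ultimate Member", "status": "active",   "version": "2.6.1", "update": "none"},
 {"name": "tablepress",      "title": "TablePress",      "status": "inactive", "version": "2.1",   "update": "none"},
 {"name": "akismet",         "title": "Akismet",         "status": "active",   "version": "5.3",   "update": "none"}
]"""

# A version needs at least one dot, so the year in a CVE ID is never mistaken for one.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def compare_versions(a, b):
    """Compare dotted versions with zero padding ("8.1" == "8.1.0"). Returns -1, 0 or 1."""
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def parse_advisory(text):
    """Map lowercased plugin title -> list of advisory rows (a plugin may appear more than once)."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] in ("Plugin Name", "---"):
            continue                       # header, separator or malformed line
        title, vtype, status, notes = cells
        m = VERSION_RE.search(notes)
        rows.setdefault(title.lower(), []).append({
            "type": vtype,
            "status": status.lower(),
            "notes": notes,
            "fixed_in": m.group() if status.lower() == "fixed" and m else None,
        })
    return rows


def triage(advisory, installed):
    """Return (slug, action, reason) for every installed plugin the advisory names."""
    actions = []
    for p in installed:
        slug = p["name"]
        for row in advisory.get(p["title"].lower(), []):
            if row["status"] == "unpatched":
                # No safe version exists. Deactivating stops the code running on every
                # request, but the files stay on disk, so an inactive copy should be deleted.
                if p["status"] == "active":
                    actions.append((slug, "deactivate", f"unpatched {row['type']} ({row['notes']})"))
                else:
                    actions.append((slug, "delete", f"inactive but unpatched {row['type']}; remove from disk"))
            elif row["fixed_in"] is not None:
                if compare_versions(p["version"], row["fixed_in"]) < 0:
                    actions.append((slug, "update", f"{p['version']} is below fixed version {row['fixed_in']}"))
                else:
                    actions.append((slug, "ok", f"{p['version']} >= {row['fixed_in']}"))
            elif p["update"] == "available":
                actions.append((slug, "update", f"{row['type']} fix; advisory says: {row['notes']}"))
            else:
                actions.append((slug, "verify", f"{row['type']}: no fixed version given; confirm with the vendor"))
    return actions


def run(advisory_text, installed_json):
    return triage(parse_advisory(advisory_text), json.loads(installed_json))


WP_CLI = {"update": "wp plugin update {slug}",
          "deactivate": "wp plugin deactivate {slug}",
          "delete": "wp plugin delete {slug}"}


def wp_cli_commands(actions):
    """WP-CLI commands for the actionable rows, in triage order; 'ok' and 'verify' emit nothing."""
    return [WP_CLI[action].format(slug=slug) for slug, action, _ in actions if action in WP_CLI]


if __name__ == "__main__":
    result = run(ADVISORY, INSTALLED_JSON)
    for slug, action, reason in result:
        print(f"{action:10s} {slug:18s} {reason}")
    print("\n".join(wp_cli_commands(result)))
```

On a real site, replace the two constants with the full tables from this page and the live `wp plugin list` output, and review the printed commands before running them; rows whose Notes give no version number come out as "verify" rather than "ok", because "update to latest" only proves something shipped, not that the version you have is past the fix.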
Don’t Leave It for Tomorrow
Attacks on WordPress sites often exploit vulnerabilities that are already public and already fixed upstream; they succeed only because the patch was never applied. A site that is not kept up to date is exposed even if it appears to be working fine.
Check your plugins today. Protect your visitors and your business.