| WordPress <= 6.8.2 – Authenticated (Author+) Stored Cross-Site Scripting | CVE-2025-58674 | 6.4 | September 22, 2025 |
| Woostify <= 2.4.2 – Authenticated (Shop manager+) Stored Cross-Site Scripting | CVE-2025-60101 | 4.4 | September 26, 2025 |
| Colibri Page Builder < 1.0.334 – Authenticated (Shop manager+) Stored Cross-Site Scripting | CVE-2025-59593 | 4.4 | September 22, 2025 |
| Blocksy <= 2.0.97 – Missing Authorization | CVE-2025-47465 | 2.7 | May 7, 2025 |
| Advanced Woo Labels <= 2.15 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-32188 | 6.4 | April 4, 2025 |
| CMP – Coming Soon & Maintenance <= 4.1.13 – Authenticated (Admin+) Arbitrary File Upload | CVE-2025-32118 | 7.2 | April 4, 2025 |
| WP Proposals <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2025-31837 | 4.4 | April 1, 2025 |
| TablePress – Tables in WordPress made easy <= 3.0.4 – Authenticated (Author+) Stored Cross-Site Scripting | CVE-2025-2685 | 6.4 | March 26, 2025 |
| WooCommerce <= 9.7.0 – Authenticated (Shop Manager+) Stored Cross-Site Scripting | CVE-2025-26762 | 4.4 | March 12, 2025 |
| Document Block – Upload & Embed Docs <= 1.1.0 – Missing Authorization | CVE-2025-22696 | 4.3 | January 31, 2025 |
| PPOM for WooCommerce <= 33.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE-2025-24668 | 4.4 | January 24, 2025 |
| WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.7.1 – Authenticated (Shop Manager+) Stored Cross-Site Scripting | CVE-2025-24644 | 4.4 | January 24, 2025 |
| Popup Maker <= 1.20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-24746 | 6.4 | January 24, 2025 |
| Icegram <= 3.1.31 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-24542 | 6.4 | January 24, 2025 |
| Flexible PDF Coupons <= 1.10.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22825 | 6.4 | January 15, 2025 |
| Htaccess File Editor <= 1.0.19 – Unauthenticated Information Exposure | CVE-2025-22773 | 5.3 | January 14, 2025 |
| WebToffee WP Backup and Migration <= 1.5.3 – Unauthenticated Sensitive Information Exposure | CVE-2025-24651 | 5.3 | January 13, 2025 |
| Modula Image Gallery <= 2.11.10 – Authenticated (Author+) Arbitrary File Upload | CVE-2024-12853 | 8.8 | January 7, 2025 |
| Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22802 | 6.4 | January 7, 2025 |
| Typing Text <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22315 | 6.4 | January 6, 2025 |
| New User Approve <= 2.6.2 – Missing Authorization | CVE-2024-54323 | 4.3 | December 11, 2024 |
| Landing Page Cat <= 1.7.4 – Missing Authorization | CVE-2024-49686 | 4.3 | October 21, 2024 |
| Email Template Customizer for WooCommerce <= 1.2.9.1 – Authenticated (Shop manager+) Stored Cross-Site Scripting | CVE-2024-49288 | 4.4 | October 15, 2024 |
| Htaccess File Editor <= 1.0.18 – Missing Authorization | CVE-2024-49256 | 4.3 | October 14, 2024 |
| Essential Blocks for Gutenberg <= 4.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-47385 | 6.4 | September 30, 2024 |
| Depicter Slider <= 3.2.2 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-47381 | 4.4 | September 30, 2024 |
| Advanced Woo Labels <= 2.01 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-47622 | 6.4 | September 30, 2024 |
| WS Form LITE <= 1.9.238 – Unauthenticated Stored Cross-Site Scripting | CVE-2024-47320 | 6.1 | September 25, 2024 |
| Icegram <= 3.1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-43344 | 6.4 | August 16, 2024 |
| WP Table Builder – WordPress Table Plugin <= 1.4.15 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-43125 | 6.4 | August 7, 2024 |
| 3D FlipBook – PDF Flipbook Viewer, Flipbook Image Gallery <= 1.15.6 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-43152 | 4.4 | August 7, 2024 |
| Depicter Slider <= 3.1.2 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-43161 | 4.4 | August 7, 2024 |
| VK All in One Expansion Unit <= 9.99.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37956 | 6.4 | July 10, 2024 |
| Fusion <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37962 | 6.4 | July 10, 2024 |
| WooCommerce <= 8.9.2 – Authenticated (Shop Manager+) Content Injection | CVE-2024-35777 | 2.7 | June 27, 2024 |
| Page Builder Sandwich – Front-End Page Builder <= 5.1.0 – Missing Authorization | CVE-2024-37218 | 4.3 | June 21, 2024 |
| Page Builder Sandwich – Front-End Page Builder <= 5.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37219 | 6.4 | June 21, 2024 |
| Page Builder: Live Composer <= 1.5.47 – Authenticated (Author+) Stored Cross-Site Scripting | CVE-2024-35768 | 6.4 | June 18, 2024 |
| PPOM for WooCommerce <= 32.0.20 – Unauthenticated Content Injection Vulnerability | CVE-2024-35728 | 5.3 | June 6, 2024 |
| YITH WooCommerce Product Add-Ons <= 4.9.2 – Unauthenticated Content Injection | CVE-2024-35680 | 5.3 | June 6, 2024 |
| Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.4.10 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-35751 | 4.4 | June 6, 2024 |
| YITH WooCommerce Tab Manager <= 1.35.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-35698 | 4.4 | June 6, 2024 |
| Advanced Woo Labels – Product Labels for WooCommerce <= 1.93 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-35675 | 6.4 | June 5, 2024 |
| Visual Composer Website Builder <= 45.8.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-35653 | 4.4 | June 3, 2024 |
| Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content <= 0.6.9 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-35655 | 4.4 | June 3, 2024 |
| YITH WooCommerce Wishlist <= 3.32.0 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-34385 | 4.4 | May 30, 2024 |
| Pootle Pagebuilder – WordPress Page builder <= 5.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-34573 | 6.4 | May 7, 2024 |
| Page Builder: Live Composer <= 1.5.38 – Missing Authorization | CVE-2024-32957 | 4.3 | April 23, 2024 |
| Fixed HTML Toolbar <= 1.0.7 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-32540 | 4.4 | April 15, 2024 |
| Remove Footer Credit <= 1.0.13 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE-2024-32429 | 4.4 | April 12, 2024 |
| WordPress Page Builder – Zion Builder <= 3.6.9 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-30444 | 4.4 | March 28, 2024 |
| Astra <= 4.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting via Theme Header/Footer | CVE-2024-29768 | 5.5 | March 25, 2024 |
| Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Plugin <= 1.26.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-2888 | 6.4 | March 25, 2024 |
| Visual Composer Website Builder <= 45.6.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-27997 | 4.4 | March 15, 2024 |
| Blocksy <= 2.0.19 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-24871 | 4.4 | February 5, 2024 |
| Scroll Triggered Box <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-24865 | 5.5 | February 2, 2024 |