The WordPress Flo Forms plugin (10,000+ installations) fixed a critical zero-day vulnerability affecting version 1.0.35 and below that could allow an attacker to take over the website and its database.
The WordPress WP Quick FrontEnd Editor plugin (1,000+ active installations) is prone to a broken access control vulnerability affecting version 5.5 and below that could lead to authenticated content injection, stored XSS and settings changes.
The WordPress ListingPro theme, which has 19,000+ sales on Envato Market, fixed a critical vulnerability that could allow an unauthenticated user to upload any file to the blog, among other issues.
The WordPress Ultimate Reviews plugin (2,000+ active installations) fixed an insecure deserialization vulnerability affecting version 2.1.32 and below that could lead to unauthenticated PHP object injection.
Fifteen WordPress themes were prone to critical unauthenticated function injection and privilege escalation vulnerabilities.