The WordPress Brizy Page Builder plugin (60,000+ active installations) fixed a broken access control vulnerability affecting version 1.0.125 and below that could allow any authenticated user to gain full access to the editor.
Avada WordPress Theme (600,000 installations) fixed multiple critical vulnerabilities affecting version 6.2.2 and below.
The WordPress Quick Page/Post Redirect plugin, which has 200,000+ active installations, is prone to multiple unpatched vulnerabilities.
The WordPress Fruitful theme, which has 9,000+ active installations, was prone to an authenticated stored XSS vulnerability in version 3.8.1 and below.
The WordPress GDPR Cookie Consent plugin, which has 700,000+ active installations, fixed a vulnerability affecting version 1.8.2 and below that could lead to authenticated stored XSS and privilege escalation.