The WordPress Elementor plugin, which is installed on 4+ million blogs, fixed a high severity vulnerability affecting version 2.9.5 and below.
The WordPress Fruitful theme, which has 9,000+ active installations, was prone to an authenticated stored XSS vulnerability in version 3.8.1 and below.
The WordPress MStore API plugin, which has 1,000+ active installations, fixed critical a vulnerability affecting version 2.1.6 and below that could allow an unauthenticated user to create or edit administrator accounts.
The WordPressWP Security Audit Log plugin, (100,000+ active installations), fixed a vulnerability that could lead to privilege escalation, sensitive data exposure and insecure deserialization.
A few days ago, a developer fixed a vulnerability in several of their WooCommerce addon plugins. The vulnerability is severe because it allows the creation of new administrators, products, comments, orders and a few other things as well. It affects between 50,000 to 70,000 active installations.