Elementor Page Builder (4+ million installations), was prone to a broken access control vulnerability affecting version 2.9.7 and below that could lead to stored XSS vulnerability via SVG image upload.

Avada WordPress Theme (600,000 installations) fixed multiple critical vulnerabilities affecting version 6.2.2 and below.

The WordPress Quick Page/Post Redirect plugin, which has 200,000+ active installations, is prone to multiple unpatched vulnerabilities.

The WordPress WP GDPR plugin, which has 6,000+ active installations, is prone to multiple unpatched critical vulnerabilities.

The WordPress Ultimate Addons for Gutenberg plugin (200,000+ active installations) fixed an authenticated settings change vulnerability affecting version 1.14.7 and below.