The WordPress KingComposer Page Builder plugin (100,000+ active installations), fixed multiple critical vulnerabilities affecting version 2.9.2 and below that could lead to authenticated WordPress options change, content injection, stored XSS, arbitrary file deletion and remote code execution among other issues.
The WordPress Brizy Page Builder plugin (60,000+ active installations) fixed a broken access control vulnerability affecting version 1.0.125 and below that could allow any authenticated user to gain full access to the editor.
The Visual Composer plugin for WordPress (80,000+ active installations) fixed multiple stored XSS vulnerabilities affecting version 26.0 and below.
The WordPress Login/Signup Popup plugin, which has 10,000+ active installations, fixed a zero-day vulnerability affecting version 1.4 and below.
The Elementor Pro plugin for WordPress is prone to a critical zero-day vulnerability affecting version 2.9.3 and below.