Syed Balkhi — Vulnerabilities & Security Advisories 35

Browse all 35 CVE security advisories affecting Syed Balkhi. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Syed Balkhi is primarily known as the founder of WP Engine and the creator of a popular WordPress plugin ecosystem that includes WPForms and OptinMonster. Software products associated with him have been assigned thirty-five Common Vulnerabilities and Exposures (CVE) identifiers, a count that reflects the scale of his digital footprint. The vulnerability classes most often affecting these products are Cross-Site Scripting (XSS), SQL Injection, and Remote Code Execution (RCE), typically caused by insufficient input validation in widely deployed plugins. Notable incidents involve critical flaws in WPForms that allowed unauthenticated attackers to execute arbitrary code or read sensitive database information. These issues illustrate the risk inherent in large-scale WordPress plugin development, where a single oversight can affect millions of sites. Balkhi’s companies have generally responded to disclosures with patches, but the volume of CVEs underscores how difficult it is to maintain security across an extensive, third-party-integrated software suite.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40764 | WordPress Contact Form by WPForms plugin <= 1.10.0.2 - Cross Site Request Forgery (CSRF) vulnerability | Contact Form by WPForms | CWE-352 | 8.1 | High | 2026-04-15 |
| CVE-2026-39475 | WordPress User Feedback plugin <= 1.10.1 - SQL Injection vulnerability | User Feedback | CWE-89 | 7.6 | High | 2026-04-08 |
| CVE-2026-39476 | WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerability | User Feedback | CWE-862 | 4.3 | Medium | 2026-04-08 |
| CVE-2026-25339 | WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability | Contact Form by WPForms | CWE-201 | 6.5 | Medium | 2026-03-25 |
| CVE-2026-32446 | WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability | Contact Form by WPForms | CWE-862 | 4.3 | Medium | 2026-03-13 |
| CVE-2026-24636 | WordPress Sugar Calendar (Lite) plugin <= 3.9.1 - Broken Access Control vulnerability | Sugar Calendar (Lite) | CWE-862 | 4.3 | Medium | 2026-01-23 |
| CVE-2020-36919 | WPForms 1.7.8 - Cross-Site Scripting (XSS) | WPForms | CWE-79 | 6.1 | Medium | 2026-01-13 |
| CVE-2025-68496 | WordPress User Feedback plugin <= 1.10.0 - SQL Injection vulnerability | User Feedback | CWE-89 | 7.6 | High | 2025-12-24 |
| CVE-2025-64295 | WordPress All In One SEO Pack plugin <= 4.8.6.1 - Sensitive Data Exposure vulnerability | All In One SEO Pack | CWE-201 | 6.5 | Medium | 2025-12-18 |
| CVE-2025-67950 | WordPress All In One SEO Pack plugin <= 4.9.1 - SQL Injection vulnerability | All In One SEO Pack | CWE-89 | 8.5 | High | 2025-12-16 |
| CVE-2025-64635 | WordPress Feeds for YouTube plugin <= 2.4.0 - Broken Access Control vulnerability | Feeds for YouTube | CWE-862 | 5.3 | Medium | 2025-12-16 |
| CVE-2025-66064 | WordPress Giveaways and Contests by RafflePress plugin <= 1.12.20 - Cross Site Request Forgery (CSRF) vulnerability | Giveaways and Contests by RafflePress | CWE-352 | 4.3 | Medium | 2025-11-21 |
| CVE-2025-49937 | WordPress Smash Balloon Social Post Feed plugin <= 4.3.2 - Broken Access Control vulnerability | Smash Balloon Social Post Feed | CWE-862 | 4.3 | Medium | 2025-10-22 |
| CVE-2025-60112 | WordPress aThemes Addons for Elementor Plugin <= 1.1.2 - Cross Site Scripting (XSS) Vulnerability | aThemes Addons for Elementor | CWE-79 | 6.5 | Medium | 2025-09-26 |
| CVE-2025-53460 | WordPress AffiliateWP – External Referral Links Plugin <= 1.2.0 - Cross Site Scripting (XSS) Vulnerability | AffiliateWP – External Referral Links | CWE-79 | 5.9 | Medium | 2025-09-22 |
| CVE-2025-58001 | WordPress Compact Archives plugin <= 4.1.0 - Cross Site Scripting (XSS) vulnerability | Compact Archives | CWE-79 | 6.5 | Medium | 2025-09-22 |
| CVE-2025-58649 | WordPress All In One SEO Pack Plugin <= 4.8.7.1 - Sensitive Data Exposure Vulnerability | All In One SEO Pack | CWE-201 | 4.3 | Medium | 2025-09-22 |
| CVE-2025-58650 | WordPress All In One SEO Pack Plugin <= 4.8.7.1 - Broken Access Control Vulnerability | All In One SEO Pack | CWE-862 | 5.4 | Medium | 2025-09-22 |
| CVE-2025-49997 | WordPress Giveaways and Contests by RafflePress plugin <= 1.12.18 - Broken Access Control + CSRF Vulnerability | Giveaways and Contests by RafflePress | CWE-862 | 5.3 | Medium | 2025-06-20 |
| CVE-2025-47596 | WordPress Beacon Lead Magnets and Lead Capture plugin <= 1.5.8 - Cross Site Request Forgery (CSRF) vulnerability | Beacon Lead Magnets and Lead Capture | CWE-352 | 4.3 | Medium | 2025-05-07 |
| CVE-2025-47520 | WordPress Charitable plugin <= 1.8.5.1 - Cross Site Scripting (XSS) Vulnerability | Charitable | CWE-79 | 5.9 | Medium | 2025-05-07 |
| CVE-2025-46451 | WordPress Floating Social Bar plugin <= 1.1.7 - Cross Site Scripting (XSS) Vulnerability | Floating Social Bar | CWE-79 | 5.9 | Medium | 2025-04-24 |
| CVE-2025-24637 | WordPress Beacon Lead Magnets and Lead Capture Plugin <= 1.5.7 - Reflected Cross Site Scripting (XSS) vulnerability | Beacon Lead Magnets and Lead Capture | CWE-79 | 7.1 | High | 2025-04-17 |
| CVE-2025-32158 | WordPress aThemes Addons for Elementor plugin <= 1.1.3 - Local File Inclusion vulnerability | aThemes Addons for Elementor | CWE-98 | 7.5 | High | 2025-04-10 |
| CVE-2025-31734 | WordPress Simple Post Expiration plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability | Simple Post Expiration | CWE-79 | 6.5 | Medium | 2025-04-01 |
| CVE-2025-22646 | WordPress aThemes Addons for Elementor plugin <= 1.0.8 - Stored Cross Site Scripting (XSS) vulnerability | aThemes Addons for Elementor | CWE-79 | 6.5 | Medium | 2025-03-27 |
| CVE-2025-30770 | WordPress Charitable plugin <= 1.8.4.7 - Cross Site Scripting (XSS) Vulnerability | Charitable | CWE-79 | 6.5 | Medium | 2025-03-27 |
| CVE-2025-24750 | WordPress ExactMetrics plugin <= 8.1.0 - Broken Access Control vulnerability | ExactMetrics | CWE-862 | 5.4 | Medium | 2025-01-24 |
| CVE-2024-56276 | WordPress WPForms Lite plugin <= 1.9.2.2 - Broken Access Control vulnerability | Contact Form by WPForms | CWE-862 | 4.3 | Medium | 2025-01-07 |
| CVE-2023-40005 | WordPress Easy Digital Downloads plugin <= 3.1.5 - Broken Access Control | Easy Digital Downloads | CWE-862 | 5.3 | Medium | 2024-12-13 |

This page lists every published CVE security advisory associated with Syed Balkhi. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.