Which WP Extended – The Ultimate WordPress Toolkit CVEs are tracked?

WP Extended – The Ultimate WordPress Toolkit tracked CVEs include CVE-2026-4314, CVE-2024-11816, CVE-2024-8102, CVE-2024-8104, and CVE-2024-13184.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 17 known issues Latest disclosed Mar 21, 2026

WP Extended – The Ultimate WordPress Toolkit Vulnerabilities

Q: How many WP Extended – The Ultimate WordPress Toolkit vulnerabilities have patch guidance?

17 of 17 tracked WP Extended – The Ultimate WordPress Toolkit records include a published patch path.

Review known vulnerability records for the WordPress plugin WP Extended – The Ultimate WordPress Toolkit (`wpextended`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-4314, CVE-2025-4963 and CVE-2025-30796, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Mar 22, 2026

Related Security Guides

Use these guides while reviewing WP Extended – The Ultimate WordPress Toolkit fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening

WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.

Plugin Security

WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.

Scanning

WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.

Patch Decision Workflow

How to prioritize WP Extended – The Ultimate WordPress Toolkit remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records

1. Match the Package

Confirm the installed WordPress plugin slug is wpextended before acting on any CVE from this cluster.

2. Sort by Severity

Start with 6 high or critical records, then review medium and unrated findings with public references.

3. Check Patch Evidence

17 records include a patch path; verify compatibility before closing the finding.

4. Monitor Gaps

0 records still lack a listed fixed release, so keep this hub in the review queue.

High-Signal Remediation Targets

CVE-2026-4314 High

Privilege Escalation remediation for WP Extended – The Ultimate WordPress Toolkit

Affected range: Versions up to 3.2.4. Fixed version: 3.2.5.

CVE-2024-11816 High

Remote Code Execution remediation for WP Extended – The Ultimate WordPress Toolkit

Affected range: Versions up to 3.0.11. Fixed version: 3.0.12.

CVE-2024-8102 High

Privilege Escalation remediation for WP Extended – The Ultimate WordPress Toolkit

Affected range: Versions up to 3.0.8. Fixed version: 3.0.9.

CVE-2024-8104 High

Vulnerability remediation for WP Extended – The Ultimate WordPress Toolkit

Affected range: Versions up to 3.0.8. Fixed version: 3.0.9.

Priority CVE Quick Links

Fast paths into WP Extended – The Ultimate WordPress Toolkit CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

Tracked CVE	Issue Type	Affected Versions	Fixed Version	CVSS
CVE-2026-4314 The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+)...	Privilege Escalation	Versions up to 3.2.4	3.2.5	CVSS 8.8
CVE-2024-11816 The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Au...	Remote Code Execution	Versions up to 3.0.11	3.0.12	CVSS 8.8
CVE-2024-8102 The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Authenticated (Subscriber+)...	Privilege Escalation	Versions up to 3.0.8	3.0.9	CVSS 8.8
CVE-2024-8104 The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Directory Traversal to Authe...	Vulnerability	Versions up to 3.0.8	3.0.9	CVSS 8.8
CVE-2024-13184 The Ultimate WordPress Toolkit – WP Extended <= 3.0.12 - Unauthenticated SQL Injecti...	SQL Injection	Versions up to 3.0.12	3.0.13	CVSS 7.5
CVE-2024-11916 The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Au...	Stored Cross-Site Scripting	Versions up to 3.0.11	3.0.12	CVSS 7.4
CVE-2024-8106 The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Authenticated (Subscriber+)...	Sensitive Information Exposure	Versions up to 3.0.8	3.0.9	CVSS 6.5
CVE-2025-4963 WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG...	File Upload	Versions up to 3.0.15	3.0.16	CVSS 6.4

CVE-2026-4314 High 3.2.5

CVE-2026-4314 WP Extended – The Ultimate WordPress Toolkit Privilege Escalation

The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module

CVE-2024-11816 High 3.0.12

CVE-2024-11816 WP Extended – The Ultimate WordPress Toolkit Remote Code Execution

The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution

CVE-2024-8102 High 3.0.9

CVE-2024-8102 WP Extended – The Ultimate WordPress Toolkit Privilege Escalation

The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Authenticated (Subscriber+) Arbitrary Options Update

CVE-2024-8104 High 3.0.9

CVE-2024-8104 WP Extended – The Ultimate WordPress Toolkit Vulnerability

The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Download

CVE-2024-13184 High 3.0.13

CVE-2024-13184 WP Extended – The Ultimate WordPress Toolkit SQL Injection

The Ultimate WordPress Toolkit – WP Extended <= 3.0.12 - Unauthenticated SQL Injection via Login Attempts Module

CVE-2024-11916 High 3.0.12

CVE-2024-11916 WP Extended – The Ultimate WordPress Toolkit Stored Cross-Site Scripting

The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

CVE-2024-8106 Medium 3.0.9

CVE-2024-8106 WP Extended – The Ultimate WordPress Toolkit Sensitive Information Exposure

The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Authenticated (Subscriber+) Sensitive Information Exposure

CVE-2025-4963 Medium 3.0.16

CVE-2025-4963 WP Extended – The Ultimate WordPress Toolkit File Upload

WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for WP Extended – The Ultimate WordPress Toolkit so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

17 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 6 high severity findings.

Recent CVEs

CVE-2026-4314, CVE-2025-4963 and CVE-2025-30796

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-4314 High Patch path listed

CVE-2026-4314: The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrPr...

Published

Mar 21, 2026

Patch Status

3.2.5

Review CVE-2026-4314 affected versions

CVE-2025-4963 Medium Patch path listed

CVE-2025-4963: WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and...

Published

May 27, 2025

Patch Status

3.0.16

Review CVE-2025-4963 affected versions

CVE-2025-30796 Medium Patch path listed

CVE-2025-30796: The Ultimate WordPress Toolkit – WP Extended <= 3.0.14 - Reflected Cross-Site Scripting

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.0.14 due to insufficient input s...

Published

Mar 27, 2025

Patch Status

3.0.15

Review CVE-2025-30796 affected versions

Known Vulnerabilities

Reports for WP Extended – The Ultimate WordPress Toolkit

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-4314

CVE-2026-4314: The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check agains...

Published

Mar 21, 2026

Patched Release

3.2.5

Affected Versions

Versions up to 3.2.4

Next Step

Update to 3.2.5 or newer if supported.

Review CVE-2026-4314 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-4963

CVE-2025-4963: WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level ac...

Published

May 27, 2025

Patched Release

3.0.16

Affected Versions

Versions up to 3.0.15

Next Step

Update to 3.0.16 or newer if supported.

Review CVE-2025-4963 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-30796

CVE-2025-30796: The Ultimate WordPress Toolkit – WP Extended <= 3.0.14 - Reflected Cross-Site Scripting

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.0.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i...

Published

Mar 27, 2025

Patched Release

3.0.15

Affected Versions

Versions up to 3.0.14

Next Step

Update to 3.0.15 or newer if supported.

Review CVE-2025-30796 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-13554

CVE-2024-13554: The Ultimate WordPress Toolkit – WP Extended <= 3.0.13 - Missing Authorization to Unauthenticated Post Order Manipulation

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reorder_route() function in all versions up to, and including, 3.0.13. This makes it possible for unauthenticated atta...

Published

Feb 11, 2025

Patched Release

3.0.14

Affected Versions

Versions up to 3.0.13

Next Step

Update to 3.0.14 or newer if supported.

Review CVE-2024-13554 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2024-13184

CVE-2024-13184: The Ultimate WordPress Toolkit – WP Extended <= 3.0.12 - Unauthenticated SQL Injection via Login Attempts Module

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to time-based SQL Injection via the Login Attempts module in all versions up to, and including, 3.0.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

Published

Jan 17, 2025

Patched Release

3.0.13

Affected Versions

Versions up to 3.0.12

Next Step

Update to 3.0.13 or newer if supported.

Review CVE-2024-13184 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2024-11816

CVE-2024-11816: The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. This is due to a missing capability check on the 'wpext_handle_snippet_update' function. This makes it possible for authenticated attackers, with Subscriber...

Published

Jan 07, 2025

Patched Release

3.0.12

Affected Versions

Versions up to 3.0.11

Next Step

Update to 3.0.12 or newer if supported.

Review CVE-2024-11816 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2024-11916

CVE-2024-11916: The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on several functions in all versions up to, and including, 3.0.11. This makes it possible for authenticated att...

Published

Jan 07, 2025

Patched Release

3.0.12

Affected Versions

Versions up to 3.0.11

Next Step

Update to 3.0.12 or newer if supported.

Review CVE-2024-11916 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-9347

CVE-2024-9347: The Ultimate WordPress Toolkit – WP Extended <= 3.0.9 - Reflected Cross-Site Scripting

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpext-export' parameter in all versions up to, and including, 3.0.9 due to insufficient input sanitization and output escaping. This makes it possible fo...

Published

Oct 16, 2024

Patched Release

3.0.10

Affected Versions

Versions up to 3.0.9

Next Step

Update to 3.0.10 or newer if supported.

Review CVE-2024-9347 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-47386

CVE-2024-47386: The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Reflected Cross-Site Scripting

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

Published

Sep 30, 2024

Patched Release

3.0.9

Affected Versions

Versions up to 3.0.8

Next Step

Update to 3.0.9 or newer if supported.

Review CVE-2024-47386 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2024-8102

CVE-2024-8102: The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Authenticated (Subscriber+) Arbitrary Options Update

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the module_all_toggle_ajax() function in all versions up to, and including, 3.0.8. T...

Published

Sep 03, 2024

Patched Release

3.0.9

Affected Versions

Versions up to 3.0.8

Next Step

Update to 3.0.9 or newer if supported.

Review CVE-2024-8102 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-8106

CVE-2024-8106: The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Authenticated (Subscriber+) Sensitive Information Exposure

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.8 via the download_user_ajax function. This makes it possible for authenticated attackers, with Subscriber-level access...

Published

Sep 03, 2024

Patched Release

3.0.9

Affected Versions

Versions up to 3.0.8

Next Step

Update to 3.0.9 or newer if supported.

Review CVE-2024-8106 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-8121

CVE-2024-8121: The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Missing Authorization to Admin Username Change

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of user names due to a missing capability check on the wpext_change_admin_name() function in all versions up to, and including, 3.0.8. This makes it possible for authe...

Published

Sep 03, 2024

Patched Release

3.0.9

Affected Versions

Versions up to 3.0.8

Next Step

Update to 3.0.9 or newer if supported.

Review CVE-2024-8121 fixed version details Open CVE Reference