Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Smart Custom Fields – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22308
Number of Installations: 50,000+
Affected Software: Smart Custom Fields <= 5.0.0
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative plugins or additional security measures.
Royal Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0393
Number of Installations: 500,000+
Affected Software: Royal Elementor Addons and Templates <= 1.7.1006
Patched Versions: Royal Elementor Addons and Templates 1.7.1007
Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.7.1007 or greater.
Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-22800
Number of Installations: 400,000+
Affected Software: Post SMTP <= 2.9.11
Patched Versions: Post SMTP 2.9.12
Mitigation steps: Update to Post SMTP plugin version 2.9.12 or greater.
Orbit Fox by ThemeIsle – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0311
Number of Installations: 200,000+
Affected Software: Orbit Fox by ThemeIsle <= 2.10.43
Patched Versions: Orbit Fox by ThemeIsle 2.10.44
Mitigation steps: Update to Orbit Fox by ThemeIsle plugin version 2.10.44 or greater.
GiveWP – Donation Plugin and Fundraising Platform – PHP Object Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-22777
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.19.3
Patched Versions: GiveWP 3.19.4
Mitigation steps: Update to GiveWP plugin version 3.19.4 or greater.
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22759
Number of Installations: 70,000+
Affected Software: Post and Page Builder by BoldGrid <= 1.27.5
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative plugins or additional security measures.
UpdraftPlus: WP Backup & Migration Plugin – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0215
Number of Installations: 3,000,000+
Affected Software: UpdraftPlus <= 1.25.0
Patched Versions: UpdraftPlus 1.25.1
Mitigation steps: Update to UpdraftPlus plugin version 1.25.1 or greater.
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-0318
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.9.1
Patched Versions: Ultimate Member 2.9.2
Mitigation steps: Update to Ultimate Member plugin version 2.9.2 or greater.
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-0308
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.9.1
Patched Versions: Ultimate Member 2.9.2
Mitigation steps: Update to Ultimate Member plugin version 2.9.2 or greater.
Widget Options – The #1 WordPress Widget & Block Control Plugin – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-22722
Number of Installations: 100,000+
Affected Software: Widget Options <= 4.0.8
Patched Versions: Widget Options 4.0.9
Mitigation steps: Update to Widget Options plugin version 4.0.9 or greater.
WP ULike – All-in-One Engagement Toolkit – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22738
Number of Installations: 80,000+
Affected Software: WP ULike <= 4.7.6
Patched Versions: WP ULike 4.7.7
Mitigation steps: Update to WP ULike plugin version 4.7.7 or greater.
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24746
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.20.2
Patched Versions: Popup Maker 1.20.3
Mitigation steps: Update to Popup Maker plugin version 1.20.3 or greater.
Page Builder Gutenberg Blocks – CoBlocks – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24751
Number of Installations: 400,000+
Affected Software: Page Builder Gutenberg Blocks – CoBlocks <= 3.1.13
Patched Versions: Page Builder Gutenberg Blocks – CoBlocks 3.1.14
Mitigation steps: Update to Page Builder Gutenberg Blocks – CoBlocks plugin version 3.1.14 or greater.
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24750
Number of Installations: 400,000+
Affected Software: ExactMetrics <= 8.1.9
Patched Versions: ExactMetrics 8.2.0
Mitigation steps: Update to ExactMetrics plugin version 8.2.0 or greater.
Gutenberg Blocks with AI by Kadence WP – Page Builder Features – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24753
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.3.1
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.3.2
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.3.2 or greater.
Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24573
Number of Installations: 200,000+
Affected Software: Page Builder: Pagelayer <= 1.9.4
Patched Versions: Page Builder: Pagelayer 1.9.5
Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.9.5 or greater.
Post Duplicator – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24736
Number of Installations: 200,000+
Affected Software: Post Duplicator <= 2.35
Patched Versions: Post Duplicator 2.36
Mitigation steps: Update to Post Duplicator plugin version 2.36 or greater.
Admin and Site Enhancements (ASE) – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24649
Number of Installations: 100,000+
Affected Software: Admin and Site Enhancements (ASE) <= 7.6.2
Patched Versions: Admin and Site Enhancements (ASE) 7.6.3
Mitigation steps: Update to Admin and Site Enhancements (ASE) plugin version 7.6.3 or greater.
LearnPress – WordPress LMS Plugin – Open Redirection
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Open Redirection
CVE: CVE-2025-24740
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.7.1
Patched Versions: LearnPress 4.2.7.2
Mitigation steps: Update to LearnPress plugin version 4.2.7.2 or greater.
Nested Pages – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24579
Number of Installations: 90,000+
Affected Software: Nested Pages <= 3.2.9
Patched Versions: Nested Pages 3.2.10
Mitigation steps: Update to Nested Pages plugin version 3.2.10 or greater.
Import and export users and customers – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-24689
Number of Installations: 70,000+
Affected Software: Import and export users and customers <= 1.27.12
Patched Versions: Import and export users and customers 1.27.13
Mitigation steps: Update to Import and export users and customers plugin version 1.27.13 or greater.
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24644
Number of Installations: 60,000+
Affected Software: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.7.1
Patched Versions: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels 4.7.2
Mitigation steps: Update to WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin version 4.7.2 or greater.
Better Find and Replace – Privilege Escalation
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2025-24734
Number of Installations: 50,000+
Affected Software: Better Find and Replace <= 1.6.7
Patched Versions: Better Find and Replace 1.6.8
Mitigation steps: Update to Better Find and Replace plugin version 1.6.8 or greater.
Store Commerce – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22339
Number of Downloads: 50,956
Affected Software: Store Commerce <= 1.2.3
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative themes or additional security measures.
StorePress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22821
Number of Downloads: 53,724
Affected Software: StorePress <= 1.0.12
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative themes or additional security measures.
Update your website software to mitigate risk. Users who are not able to update their software to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.