Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Dynamic Conditions – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22642
Number of Installations: 60,000+
Affected Software: Dynamic Conditions
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative plugins or additional security measures.
WPForms – Easy Form Builder for WordPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13403
Number of Installations: 6,000,000+
Affected Software: WPForms – Easy Form Builder for WordPress <= 1.9.3.1
Patched Versions: WPForms 1.9.3.2
Mitigation steps: Update to WPForms plugin version 1.9.3.2 or greater.
Orbit Fox by ThemeIsle – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22659
Number of Installations: 200,000+
Affected Software: Orbit Fox by ThemeIsle <= 2.10.44
Patched Versions: Orbit Fox by ThemeIsle 2.10.45
Mitigation steps: Update to Orbit Fox by ThemeIsle plugin version 2.10.45 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11829
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.1.9
Patched Versions: The Plus Addons for Elementor 6.2.0
Mitigation steps: Update to The Plus Addons for Elementor plugin version 6.2.0 or greater.
Import any XML, CSV or Excel File to WordPress – PHP Object Injection
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2024-9664
Number of Installations: 100,000+
Affected Software: Import any XML, CSV or Excel File to WordPress <= 3.7.9
Patched Versions: Import any XML, CSV or Excel File to WordPress 3.8.0
Mitigation steps: Update to Import any XML, CSV or Excel File to WordPress plugin version 3.8.0 or greater.
HT Mega – Absolute Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12597
Number of Installations: 90,000+
Affected Software: HT Mega – Absolute Addons For Elementor <= 2.7.6
Patched Versions: HT Mega – Absolute Addons For Elementor 2.7.7
Mitigation steps: Update to HT Mega – Absolute Addons For Elementor plugin version 2.7.7 or greater.
Jupiter X Core – Local File Inclusion
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-0366
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.8.7
Patched Versions: Jupiter X Core 4.8.8
Mitigation steps: Update to Jupiter X Core plugin version 4.8.8 or greater.
Jupiter X Core – Arbitrary File Download
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2025-0365
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.8.7
Patched Versions: Jupiter X Core 4.8.8
Mitigation steps: Update to Jupiter X Core plugin version 4.8.8 or greater.
Qi Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13699
Number of Installations: 200,000+
Affected Software: Qi Addons For Elementor <= 1.8.7
Patched Versions: Qi Addons For Elementor 1.8.8
Mitigation steps: Update to Qi Addons For Elementor plugin version 1.8.8 or greater.
HT Mega – Absolute Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12599
Number of Installations: 90,000+
Affected Software: HT Mega – Absolute Addons For Elementor <= 2.8.1
Patched Versions: HT Mega – Absolute Addons For Elementor 2.8.2
Mitigation steps: Update to HT Mega – Absolute Addons For Elementor plugin version 2.8.2 or greater.
Post and Page Builder by BoldGrid – Path Traversal
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2025-0859
Number of Installations: 70,000+
Affected Software: Post and Page Builder by BoldGrid <= 1.27.6
Patched Versions: Post and Page Builder by BoldGrid 1.27.7
Mitigation steps: Update to Post and Page Builder by BoldGrid plugin version 1.27.7 or greater.
Rank Math SEO – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-13229
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.235
Patched Versions: Rank Math SEO 1.0.236
Mitigation steps: Update to Rank Math SEO plugin version 1.0.236 or greater.
Rank Math SEO – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13227
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.235
Patched Versions: Rank Math SEO 1.0.236
Mitigation steps: Update to Rank Math SEO plugin version 1.0.236 or greater.
ElementsKit Elementor addons – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1005
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.4.0
Patched Versions: ElementsKit Elementor addons 3.4.1
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.4.1 or greater.
Slider, Gallery, and Carousel by MetaSlider – PHP Object Injection
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-26763
Number of Installations: 600,000+
Affected Software: Slider, Gallery, and Carousel by MetaSlider <= 3.94.0
Patched Versions: Slider, Gallery, and Carousel by MetaSlider 3.95.0
Mitigation steps: Update to Slider, Gallery, and Carousel by MetaSlider plugin version 3.95.0 or greater.
Forminator Forms – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7052
Number of Installations: 500,000+
Affected Software: Forminator Forms <= 1.38.2
Patched Versions: Forminator Forms 1.38.3
Mitigation steps: Update to Forminator Forms plugin version 1.38.3 or greater.
Post SMTP – Cross Site Scripting (XSS)
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0521
Number of Installations: 400,000+
Affected Software: Post SMTP <= 3.0.9
Patched Versions: Post SMTP 3.1.0
Mitigation steps: Update to Post SMTP plugin version 3.1.0 or greater.
WP Ghost (Hide My WP Ghost) – Bypass Vulnerability
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2024-13794
Number of Installations: 200,000+
Affected Software: WP Ghost (Hide My WP Ghost) <= 5.4.00
Patched Versions: WP Ghost (Hide My WP Ghost) 5.4.01
Mitigation steps: Update to WP Ghost (Hide My WP Ghost) plugin version 5.4.01 or greater.
WP Activity Log – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0924
Number of Installations: 200,000+
Affected Software: WP Activity Log <= 5.2.9
Patched Versions: WP Activity Log 5.3.0
Mitigation steps: Update to WP Activity Log plugin version 5.3.0 or greater.
ProfilePress – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13119
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.19
Patched Versions: ProfilePress 4.15.20
Mitigation steps: Update to ProfilePress plugin version 4.15.20 or greater.
Everest Forms – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13125
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.0.8
Patched Versions: Everest Forms 3.0.8.1
Mitigation steps: Update to Everest Forms plugin version 3.0.8.1 or greater.
Widget Options – Arbitrary Code Execution
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2025-22630
Number of Installations: 100,000+
Affected Software: Widget Options <= 4.1.0
Patched Versions: Widget Options 4.1.1
Mitigation steps: Update to Widget Options plugin version 4.1.1 or greater.
Brizy – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10322
Number of Installations: 80,000+
Affected Software: Brizy <= 2.6.8
Patched Versions: Brizy 2.6.9
Mitigation steps: Update to Brizy plugin version 2.6.9 or greater.
Brizy – Arbitrary File Upload
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2024-10960
Number of Installations: 80,000+
Affected Software: Brizy <= 2.6.4
Patched Versions: Brizy 2.6.5
Mitigation steps: Update to Brizy plugin version 2.6.5 or greater.
Spotlight Social Feeds – Sensitive Data Exposure
Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-26758
Number of Installations: 60,000+
Affected Software: Spotlight Social Feeds <= 1.7.1
Patched Versions: Spotlight Social Feeds 1.7.2
Mitigation steps: Update to Spotlight Social Feeds plugin version 1.7.2 or greater.
WP Booking Calendar – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-13821
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.10.0
Patched Versions: WP Booking Calendar 10.10.1
Mitigation steps: Update to WP Booking Calendar plugin version 10.10.1 or greater.
Elementor Website Builder – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-54444
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.25.10
Patched Versions: Elementor Website Builder 3.25.11
Mitigation steps: Update to Elementor Website Builder plugin version 3.25.11 or greater.
Elementor Website Builder – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13445
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.27.4
Patched Versions: Elementor Website Builder 3.27.5
Mitigation steps: Update to Elementor Website Builder plugin version 3.27.5 or greater.
ElementsKit Elementor addons – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-0968
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.4.0
Patched Versions: ElementsKit Elementor addons 3.4.1
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.4.1 or greater.
SVG Support – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-23638
Number of Installations: 1,000,000+
Affected Software: SVG Support <= 2.5.8
Patched Versions: SVG Support 2.5.9
Mitigation steps: Update to SVG Support plugin version 2.5.9 or greater.
SVG Support – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10222
Number of Installations: 1,000,000+
Affected Software: SVG Support <= 2.5.10
Patched Versions: SVG Support 2.5.11
Mitigation steps: Update to SVG Support plugin version 2.5.11 or greater.
WPvivid Backup & Migration – Arbitrary File Upload
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2024-13869
Number of Installations: 600,000+
Affected Software: WPvivid Backup & Migration <= 0.9.112
Patched Versions: WPvivid Backup & Migration 0.9.113
Mitigation steps: Update to WPvivid Backup & Migration plugin version 0.9.113 or greater.
Head, Footer and Post Injections – Remote Code Execution (RCE)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-13900
Number of Installations: 300,000+
Affected Software: Head, Footer and Post Injections <= 3.3.0
Patched Versions: Head, Footer and Post Injections 3.3.1
Mitigation steps: Update to Head, Footer and Post Injections plugin version 3.3.1 or greater.
Unlimited Elements For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13155
Number of Installations: 300,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.140
Patched Versions: Unlimited Elements For Elementor 1.5.141
Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.141 or greater.
FileBird – Insecure Direct Object References (IDOR)
Security Risk: Low
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-26977
Number of Installations: 200,000+
Affected Software: FileBird <= 6.4.5
Patched Versions: FileBird 6.4.6
Mitigation steps: Update to FileBird plugin version 6.4.6 or greater.
Essential Blocks – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-26871
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.8.3
Patched Versions: Essential Blocks 4.8.4
Mitigation steps: Update to Essential Blocks plugin version 4.8.4 or greater.
Everest Forms – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-1128
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.0.9.4
Patched Versions: Everest Forms 3.0.9.5
Mitigation steps: Update to Everest Forms plugin version 3.0.9.5 or greater.
Strong Testimonials – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-26975
Number of Installations: 100,000+
Affected Software: Strong Testimonials <= 3.2.3
Patched Versions: Strong Testimonials 3.2.4
Mitigation steps: Update to Strong Testimonials plugin version 3.2.4 or greater.
Event Tickets and Registration – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-1402
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.19.1.1
Patched Versions: Event Tickets and Registration 5.19.1.2
Mitigation steps: Update to Event Tickets and Registration plugin version 5.19.1.2 or greater.
Ajax Search Lite – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13585
Number of Installations: 80,000+
Affected Software: Ajax Search Lite <= 4.12.4
Patched Versions: Ajax Search Lite 4.12.5
Mitigation steps: Update to Ajax Search Lite plugin version 4.12.5 or greater.
Booking for Appointments and Events Calendar – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-26965
Number of Installations: 80,000+
Affected Software: Booking for Appointments and Events Calendar <= 1.2.16
Patched Versions: Booking for Appointments and Events Calendar 1.2.17
Mitigation steps: Update to Booking for Appointments and Events Calendar plugin version 1.2.17 or greater.
Events Manager – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-11260
Number of Installations: 80,000+
Affected Software: Events Manager <= 6.6.3
Patched Versions: Events Manager 6.6.4
Mitigation steps: Update to Events Manager plugin version 6.6.4 or greater.
Master Slider – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12173
Number of Installations: 80,000+
Affected Software: Master Slider <= 3.10.4
Patched Versions: Master Slider 3.10.5
Mitigation steps: Update to Master Slider plugin version 3.10.5 or greater.
WP ULike – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12770
Number of Installations: 80,000+
Affected Software: WP ULike <= 4.7.5
Patched Versions: WP ULike 4.7.6
Mitigation steps: Update to WP ULike plugin version 4.7.6 or greater.
Simple Image Sizes – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24810
Number of Installations: 70,000+
Affected Software: Simple Image Sizes <= 3.2.2
Patched Versions: Simple Image Sizes 3.2.3
Mitigation steps: Update to Simple Image Sizes plugin version 3.2.3 or greater.
Embed Any Document – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-1043
Number of Installations: 60,000+
Affected Software: Embed Any Document <= 2.7.5
Patched Versions: Embed Any Document 2.7.6
Mitigation steps: Update to Embed Any Document plugin version 2.7.6 or greater.
WP Carousel – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4002
Number of Installations: 60,000+
Affected Software: WP Carousel <= 2.6.8
Patched Versions: WP Carousel 2.6.9
Mitigation steps: Update to WP Carousel plugin version 2.6.9 or greater.
WP Carousel – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13314
Number of Installations: 60,000+
Affected Software: WP Carousel <= 2.7.3
Patched Versions: WP Carousel 2.7.4
Mitigation steps: Update to WP Carousel plugin version 2.7.4 or greater.
Login/Signup Popup – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1064
Number of Installations: 50,000+
Affected Software: Login/Signup Popup <= 2.8.5
Patched Versions: Login/Signup Popup 2.8.6
Mitigation steps: Update to Login/Signup Popup plugin version 2.8.6 or greater.
Form Maker by 10Web – Cross Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13605
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.32
Patched Versions: Form Maker by 10Web 1.15.33
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.33 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.