Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Plugins
WooCommerce – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-26762
Number of Installations: 8,000,000+
Affected Software: WooCommerce <= 9.7.0
Patched Versions: WooCommerce 9.7.1
Mitigation steps: Update to WooCommerce plugin version 9.7.1 or greater.
All-in-One WP Migration and Backup – PHP Object Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2024-10942
Number of Installations: 5,000,000+
Affected Software: All-in-One WP Migration and Backup <= 7.89
Patched Versions: All-in-One WP Migration and Backup 7.90
Mitigation steps: Update to All-in-One WP Migration and Backup plugin version 7.90 or greater.
Page Builder by SiteOrigin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1459
Number of Installations: 600,000+
Affected Software: Page Builder by SiteOrigin <= 2.31.4
Patched Versions: Page Builder by SiteOrigin 2.31.5
Mitigation steps: Update to Page Builder by SiteOrigin plugin version 2.31.5 or greater.
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1062
Number of Installations: 600,000+
Affected Software: Slider, Gallery, and Carousel by MetaSlider <= 3.94.9
Patched Versions: Slider, Gallery, and Carousel by MetaSlider 3.95.0
Mitigation steps: Update to MetaSlider plugin version 3.95.0 or greater.
Gutenberg Blocks with AI by Kadence WP – Page Builder Features – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1291
Number of Installations: 500,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.4.9
Patched Versions: Gutenberg Blocks with AI by Kadence WP – Page Builder Features 3.4.10
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin version 3.4.10 or greater.
WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0370
Number of Installations: 500,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.3.3
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.3.4
Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate plugin version 7.3.4 or greater.
Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2024-13844
Number of Installations: 400,000+
Affected Software: Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more <= 3.1.2
Patched Versions: Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more 3.1.3
Mitigation steps: Update to Post SMTP plugin version 3.1.3 or greater.
Ad Inserter – Ad Manager & AdSense Ads – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22623
Number of Installations: 300,000+
Affected Software: Ad Inserter – Ad Manager & AdSense Ads <= 2.8.0
Patched Versions: Ad Inserter – Ad Manager & AdSense Ads 2.8.1
Mitigation steps: Update to Ad Inserter plugin version 2.8.1 or greater.
GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1622
Number of Installations: 300,000+
Affected Software: GDPR Cookie Compliance <= 4.15.6
Patched Versions: GDPR Cookie Compliance 4.15.7
Mitigation steps: Update to GDPR Cookie Compliance plugin version 4.15.7 or greater.
Page Builder: Pagelayer – Drag and Drop website builder – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-2104
Number of Installations: 300,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.9
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 2.0.0
Mitigation steps: Update to Page Builder: Pagelayer plugin version 2.0.0 or greater.
GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1623
Number of Installations: 300,000+
Affected Software: GDPR Cookie Compliance <= 4.15.8
Patched Versions: GDPR Cookie Compliance 4.15.9
Mitigation steps: Update to GDPR Cookie Compliance plugin version 4.15.9 or greater.
GenerateBlocks – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-13546
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 1.9.9
Patched Versions: GenerateBlocks 2.0.0
Mitigation steps: Update to GenerateBlocks plugin version 2.0.0 or greater.
WP Ghost (Hide My WP Ghost) – Security & Firewall – Local File Inclusion
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-26909
Number of Installations: 200,000+
Affected Software: WP Ghost (Hide My WP Ghost) <= 5.4.01
Patched Versions: WP Ghost (Hide My WP Ghost) 5.4.02
Mitigation steps: Update to WP Ghost plugin version 5.4.02 or greater.
Photo Gallery by 10Web – Mobile-Friendly Image Gallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13124
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.32
Patched Versions: Photo Gallery by 10Web 1.8.33
Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.33 or greater.
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-1702
Number of Installations: 200,000+
Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.10.0
Patched Versions: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 2.10.1
Mitigation steps: Update to Ultimate Member plugin version 2.10.1 or greater.
SEO Plugin by Squirrly SEO – Broken Access Control
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24654
Number of Installations: 100,000+
Affected Software: SEO Plugin by Squirrly SEO <= 12.4.07
Patched Versions: SEO Plugin by Squirrly SEO 12.4.08
Mitigation steps: Update to SEO Plugin by Squirrly SEO version 12.4.08 or greater.
GiveWP – Donation Plugin and Fundraising Platform – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-2331
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 3.22.2
Mitigation steps: Update to GiveWP plugin version 3.22.2 or greater.
GiveWP – Donation Plugin and Fundraising Platform – PHP Object Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-0912
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 3.19.9
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 3.20.0
Mitigation steps: Update to GiveWP plugin version 3.20.0 or greater.
Pods – Custom Content Types and Fields – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-1446
Number of Installations: 100,000+
Affected Software: Pods – Custom Content Types and Fields <= 3.2.8.1
Patched Versions: Pods – Custom Content Types and Fields 3.2.8.2
Mitigation steps: Update to Pods plugin version 3.2.8.2 or greater.
Admin and Site Enhancements (ASE) – Bypass Vulnerability
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2024-13685
Number of Installations: 100,000+
Affected Software: Admin and Site Enhancements (ASE) <= 7.6.9
Patched Versions: Admin and Site Enhancements (ASE) 7.6.10
Mitigation steps: Update to Admin and Site Enhancements (ASE) plugin version 7.6.10 or greater.
Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-1666
Number of Installations: 100,000+
Affected Software: Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics <= 4.4.1
Patched Versions: Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics 4.4.2
Mitigation steps: Update to Cookiebot CMP by Usercentrics plugin version 4.4.2 or greater.
Download Manager – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2024-13126
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.06
Patched Versions: Download Manager 3.3.07
Mitigation steps: Update to Download Manager plugin version 3.3.07 or greater.
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1664
Number of Installations: 100,000+
Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.3.1
Patched Versions: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates 5.3.2
Mitigation steps: Update to Essential Blocks plugin version 5.3.2 or greater.
Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13805
Number of Installations: 100,000+
Affected Software: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin <= 5.2.9
Patched Versions: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin 5.3.0
Mitigation steps: Update to Advanced File Manager plugin version 5.3.0 or greater.
SEO Plugin by Squirrly SEO – SQL Injection
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-1768
Number of Installations: 100,000+
Affected Software: SEO Plugin by Squirrly SEO <= 12.4.05
Patched Versions: SEO Plugin by Squirrly SEO 12.4.06
Mitigation steps: Update to SEO Plugin by Squirrly SEO plugin version 12.4.06 or greater.
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1287
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.2.2
Patched Versions: The Plus Addons for Elementor 6.2.3
Mitigation steps: Update to The Plus Addons for Elementor plugin version 6.2.3 or greater.
VK Blocks – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-13635
Number of Installations: 100,000+
Affected Software: VK Blocks <= 1.95.0.2
Patched Versions: VK Blocks 1.95.0.3
Mitigation steps: Update to VK Blocks plugin version 1.95.0.3 or greater.
HUSKY – Products Filter Professional for WooCommerce – Local File Inclusion
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-1661
Number of Installations: 100,000+
Affected Software: HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5
Patched Versions: HUSKY – Products Filter Professional for WooCommerce 1.3.6.6
Mitigation steps: Update to HUSKY – Products Filter Professional for WooCommerce plugin version 1.3.6.6 or greater.
Download Manager – Path Traversal
Security Risk: Low
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2025-1785
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.08
Patched Versions: Download Manager 3.3.09
Mitigation steps: Update to Download Manager plugin version 3.3.09 or greater.
ShareThis Dashboard for Google Analytics – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-1507
Number of Installations: 100,000+
Affected Software: ShareThis Dashboard for Google Analytics <= 3.2.1
Patched Versions: ShareThis Dashboard for Google Analytics 3.2.2
Mitigation steps: Update to ShareThis Dashboard for Google Analytics plugin version 3.2.2 or greater.
HUSKY – Products Filter Professional for WooCommerce – Local File Inclusion
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-26890
Number of Installations: 100,000+
Affected Software: HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.4
Patched Versions: HUSKY – Products Filter Professional for WooCommerce 1.3.6.5
Mitigation steps: Update to HUSKY – Products Filter Professional for WooCommerce plugin version 1.3.6.5 or greater.
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1527
Number of Installations: 100,000+
Affected Software: ShopLentor <= 3.1.0
Patched Versions: ShopLentor 3.1.1
Mitigation steps: Update to ShopLentor plugin version 3.1.1 or greater.
HT Mega – Absolute Addons For Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1261
Number of Installations: 90,000+
Affected Software: HT Mega – Absolute Addons For Elementor <= 2.8.2
Patched Versions: HT Mega – Absolute Addons For Elementor 2.8.3
Mitigation steps: Update to HT Mega – Absolute Addons For Elementor plugin version 2.8.3 or greater.
Nested Pages – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0718
Number of Installations: 90,000+
Affected Software: Nested Pages <= 3.2.12
Patched Versions: Nested Pages 3.2.13
Mitigation steps: Update to Nested Pages plugin version 3.2.13 or greater.
Master Slider – Responsive Touch Slider – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11731
Number of Installations: 80,000+
Affected Software: Master Slider – Responsive Touch Slider
Patched Versions: No Fix
Mitigation steps: No fix available. Consider using alternative security measures or plugins.
Site Reviews – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1232
Number of Installations: 60,000+
Affected Software: Site Reviews <= 7.2.4
Patched Versions: Site Reviews 7.2.5
Mitigation steps: Update to Site Reviews plugin version 7.2.5 or greater.
Export and Import Users and Customers – Arbitrary File Download
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2025-1973
Number of Installations: 60,000+
Affected Software: Export and Import Users and Customers <= 2.6.2
Patched Versions: Export and Import Users and Customers 2.6.3
Mitigation steps: Update to Export and Import Users and Customers plugin version 2.6.3 or greater.
Export and Import Users and Customers – PHP Object Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-1971
Number of Installations: 60,000+
Affected Software: Export and Import Users and Customers <= 2.6.2
Patched Versions: Export and Import Users and Customers 2.6.3
Mitigation steps: Update to Export and Import Users and Customers plugin version 2.6.3 or greater.
Export and Import Users and Customers – Arbitrary File Deletion
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-1972
Number of Installations: 60,000+
Affected Software: Export and Import Users and Customers <= 2.6.2
Patched Versions: Export and Import Users and Customers 2.6.3
Mitigation steps: Update to Export and Import Users and Customers plugin version 2.6.3 or greater.
Export and Import Users and Customers – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-1970
Number of Installations: 60,000+
Affected Software: Export and Import Users and Customers <= 2.6.2
Patched Versions: Export and Import Users and Customers 2.6.3
Mitigation steps: Update to Export and Import Users and Customers plugin version 2.6.3 or greater.
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13431
Number of Installations: 50,000+
Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.8.4
Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.8.5
Mitigation steps: Update to Appointment Booking Calendar plugin version 1.6.8.5 or greater.
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – Content Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-1119
Number of Installations: 50,000+
Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.8.6
Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.8.7
Mitigation steps: Update to Appointment Booking Calendar plugin version 1.6.8.7 or greater.
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2024-13838
Number of Installations: 50,000+
Affected Software: Uncanny Automator <= 6.2
Patched Versions: Uncanny Automator 6.3
Mitigation steps: Update to Uncanny Automator plugin version 6.3 or greater.
WP Recipe Maker – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1503
Number of Installations: 50,000+
Affected Software: WP Recipe Maker <= 9.8.0
Patched Versions: WP Recipe Maker 9.8.1
Mitigation steps: Update to WP Recipe Maker plugin version 9.8.1 or greater.
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-2252
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.3.6
Patched Versions: Easy Digital Downloads 3.3.7
Mitigation steps: Update to Easy Digital Downloads plugin version 3.3.7 or greater.
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10558
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.29
Patched Versions: Form Maker by 10Web 1.15.30
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.30 or greater.
Order Export & Order Import for WooCommerce – Arbitrary File Download
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2024-13920
Number of Installations: 50,000+
Affected Software: Order Export & Order Import for WooCommerce <= 2.6.0
Patched Versions: Order Export & Order Import for WooCommerce 2.6.1
Mitigation steps: Update to Order Export & Order Import for WooCommerce plugin version 2.6.1 or greater.
Order Export & Order Import for WooCommerce – PHP Object Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2024-13921
Number of Installations: 50,000+
Affected Software: Order Export & Order Import for WooCommerce <= 2.6.0
Patched Versions: Order Export & Order Import for WooCommerce 2.6.1
Mitigation steps: Update to Order Export & Order Import for WooCommerce plugin version 2.6.1 or greater.
Order Export & Order Import for WooCommerce – Arbitrary File Deletion
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2024-13922
Number of Installations: 50,000+
Affected Software: Order Export & Order Import for WooCommerce <= 2.6.0
Patched Versions: Order Export & Order Import for WooCommerce 2.6.1
Mitigation steps: Update to Order Export & Order Import for WooCommerce plugin version 2.6.1 or greater.
Order Export & Order Import for WooCommerce – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2024-13923
Number of Installations: 50,000+
Affected Software: Order Export & Order Import for WooCommerce <= 2.6.0
Patched Versions: Order Export & Order Import for WooCommerce 2.6.1
Mitigation steps: Update to Order Export & Order Import for WooCommerce plugin version 2.6.1 or greater.
Themes
Sparkling – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-13423
Number of Downloads: 1,345,012
Affected Software: Sparkling
Patched Versions: No Fix
Mitigation steps: No fix available. Consider using alternative security measures or themes.
Newscrunch – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-1307
Number of Downloads: 175,636
Affected Software: Newscrunch <= 1.8.4.0
Patched Versions: Newscrunch 1.8.4.1
Mitigation steps: Update to Newscrunch theme version 1.8.4.1 or greater.
StoreBiz – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-26732
Number of Downloads: 102,239
Affected Software: StoreBiz
Patched Versions: No Fix
Mitigation steps: No fix available. Consider using alternative security measures or themes.
VW Storefront – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-13686
Number of Downloads: 60,130
Affected Software: VW Storefront <= 0.9.9
Patched Versions: VW Storefront 1.0.0
Mitigation steps: Update to VW Storefront theme version 1.0.0 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.