Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Plugins
Contact Form 7 – Order Replay Vulnerability
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Order Replay Vulnerability
CVE: CVE-2025-3247
Number of Installations: 10,000,000+
Affected Software: Contact Form 7 <= 6.0.5
Patched Versions: Contact Form 7 6.0.6
Mitigation steps: Update to Contact Form 7 plugin version 6.0.6 or greater.
Essential Addons for Elementor – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-39589
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.1.9
Patched Versions: Essential Addons for Elementor 6.1.10
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.1.10 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-39590
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.1.9
Patched Versions: Essential Addons for Elementor 6.1.10
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.1.10 or greater.
Ocean Extra – Content Injection
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-3472
Number of Installations: 600,000+
Affected Software: Ocean Extra <= 2.4.6
Patched Versions: Ocean Extra 2.4.7
Mitigation steps: Update to Ocean Extra plugin version 2.4.7 or greater.
Ocean Extra – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3457
Number of Installations: 600,000+
Affected Software: Ocean Extra <= 2.4.6
Patched Versions: Ocean Extra 2.4.7
Mitigation steps: Update to Ocean Extra plugin version 2.4.7 or greater.
Royal Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-39543
Number of Installations: 600,000+
Affected Software: Royal Elementor Addons and Templates <= 1.3.978
Patched Versions: Royal Elementor Addons and Templates 1.3.979
Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.3.979 or greater.
Fluent Forms – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3615
Number of Installations: 500,000+
Affected Software: Fluent Forms <= 6.0.2
Patched Versions: Fluent Forms 6.0.3
Mitigation steps: Update to Fluent Forms plugin version 6.0.3 or greater.
Forminator Forms – Order Replay Vulnerability
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Order Replay Vulnerability
CVE: CVE-2025-3479
Number of Installations: 500,000+
Affected Software: Forminator Forms <= 1.42.0
Patched Versions: Forminator Forms 1.42.1
Mitigation steps: Update to Forminator Forms plugin version 1.42.1 or greater.
Forminator Forms – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3487
Number of Installations: 500,000+
Affected Software: Forminator Forms <= 1.42.0
Patched Versions: Forminator Forms 1.42.1
Mitigation steps: Update to Forminator Forms plugin version 1.42.1 or greater.
Password Protected – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-3453
Number of Installations: 300,000+
Affected Software: Password Protected <= 2.7.7
Patched Versions: Password Protected 2.7.8
Mitigation steps: Update to Password Protected plugin version 2.7.8 or greater.
Ultimate Member – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-0308
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.10.1
Patched Versions: Ultimate Member 2.10.2
Mitigation steps: Update to Ultimate Member plugin version 2.10.2 or greater.
Element Pack Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1457
Number of Installations: 100,000+
Affected Software: Element Pack Addons for Elementor <= 5.10.28
Patched Versions: Element Pack Addons for Elementor 5.10.29
Mitigation steps: Update to Element Pack Addons for Elementor plugin version 5.10.29 or greater.
Element Pack Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1458
Number of Installations: 100,000+
Affected Software: Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder <= 5.10.29
Patched Versions: Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder 5.10.30
Mitigation steps: Update to Element Pack Addons for Elementor plugin version 5.10.30 or greater.
Download Manager – Arbitrary File Deletion
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-3404
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.12
Patched Versions: Download Manager 3.3.13
Mitigation steps: Update to Download Manager plugin version 3.3.13 or greater.
Download Manager – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3056
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.12
Patched Versions: Download Manager 3.3.13
Mitigation steps: Update to Download Manager plugin version 3.3.13 or greater.
Kadence WooCommerce Email Designer – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-39557
Number of Installations: 100,000+
Affected Software: Kadence WooCommerce Email Designer <= 1.5.14
Patched Versions: Kadence WooCommerce Email Designer 1.5.15
Mitigation steps: Update to Kadence WooCommerce Email Designer plugin version 1.5.15 or greater.
Social Sharing Plugin – Sassy Social Share – Open Redirection
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Open Redirection
CVE: CVE-2025-39404
Number of Installations: 100,000+
Affected Software: Social Sharing Plugin – Sassy Social Share <= 3.3.73
Patched Versions: Social Sharing Plugin – Sassy Social Share 3.3.74
Mitigation steps: Update to Sassy Social Share plugin version 3.3.74 or greater.
WordPress Button Plugin MaxButtons – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-39444
Number of Installations: 90,000+
Affected Software: WordPress Button Plugin MaxButtons <= 9.8.3
Patched Versions: WordPress Button Plugin MaxButtons 9.8.4
Mitigation steps: Update to MaxButtons plugin version 9.8.4 or greater.
Event Tickets and Registration – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-30794
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.20.0
Patched Versions: Event Tickets and Registration 5.20.1
Mitigation steps: Update to Event Tickets and Registration plugin version 5.20.1 or greater.
PowerPack Elementor Addons – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1512
Number of Installations: 90,000+
Affected Software: PowerPack Elementor Addons <= 2.9.0
Patched Versions: PowerPack Elementor Addons 2.9.1
Mitigation steps: Update to PowerPack Elementor Addons plugin version 2.9.1 or greater.
Jupiter X Core – PHP Object Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-2105
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.8.11
Patched Versions: Jupiter X Core 4.8.12
Mitigation steps: Update to Jupiter X Core plugin version 4.8.12 or greater.
Icegram Express – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11924
Number of Installations: 80,000+
Affected Software: Icegram Express <= 5.7.51
Patched Versions: Icegram Express 5.7.52
Mitigation steps: Update to Icegram Express plugin version 5.7.52 or greater.
Icegram Express – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0671
Number of Installations: 80,000+
Affected Software: Icegram Express <= 5.7.49
Patched Versions: Icegram Express 5.7.50
Mitigation steps: Update to Icegram Express plugin version 5.7.50 or greater.
Master Slider – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-39412
Number of Installations: 70,000+
Affected Software: All versions, no fix available
Patched Versions: No Fix
Mitigation steps: Consider disabling or replacing the plugin until a patch is released.
Simple Sitemap – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-39413
Number of Installations: 70,000+
Affected Software: All versions, no fix available
Patched Versions: No Fix
Mitigation steps: Consider disabling or replacing the plugin until a patch is released.
User Registration & Membership – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-39400
Number of Installations: 70,000+
Affected Software: User Registration & Membership <= 4.1.9
Patched Versions: User Registration & Membership 4.2.0
Mitigation steps: Update to User Registration & Membership plugin version 4.2.0 or greater.
User Registration & Membership – Privilege Escalation
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2025-2563
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 4.1.1
Patched Versions: User Registration & Membership 4.1.2
Mitigation steps: Update to User Registration & Membership plugin version 4.1.2 or greater.
Widget for Social Page Feeds – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13207
Number of Installations: 60,000+
Affected Software: Widget for Social Page Feeds <= 6.4.1
Patched Versions: Widget for Social Page Feeds 6.4.2
Mitigation steps: Update to Widget for Social Page Feeds plugin version 6.4.2 or greater.
Ultimate Dashboard – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1523
Number of Installations: 60,000+
Affected Software: Ultimate Dashboard <= 3.8.5
Patched Versions: Ultimate Dashboard 3.8.6
Mitigation steps: Update to Ultimate Dashboard plugin version 3.8.6 or greater.
Greenshift – Arbitrary File Upload
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-3616
Number of Installations: 50,000+
Affected Software: Greenshift <= 11.4.5
Patched Versions: Greenshift 11.4.6
Mitigation steps: Update to Greenshift plugin version 11.4.6 or greater.
User Profile Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-2314
Number of Installations: 50,000+
Affected Software: User Profile Builder <= 3.13.6
Patched Versions: User Profile Builder 3.13.7
Mitigation steps: Update to User Profile Builder plugin version 3.13.7 or greater.
WP Import Export Lite – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-2839
Number of Installations: 50,000+
Affected Software: WP Import Export Lite <= 3.9.27
Patched Versions: WP Import Export Lite 3.9.28
Mitigation steps: Update to WP Import Export Lite plugin version 3.9.28 or greater.
Category Posts Widget – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1453
Number of Installations: 50,000+
Affected Software: Category Posts Widget <= 4.9.19
Patched Versions: Category Posts Widget 4.9.20
Mitigation steps: Update to Category Posts Widget plugin version 4.9.20 or greater.
WordPress Tag, Category, and Taxonomy Manager – AI Autotagger – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0627
Number of Installations: 50,000+
Affected Software: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger <= 3.29.9
Patched Versions: WordPress Tag, Category, and Taxonomy Manager – AI Autotagger 3.30.0
Mitigation steps: Update to WordPress Tag, Category, and Taxonomy Manager – AI Autotagger plugin version 3.30.0 or greater.
Visual Composer Website Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-46254
Number of Installations: 50,000+
Affected Software: Visual Composer Website Builder <= 45.10.0
Patched Versions: Visual Composer Website Builder 45.11.0
Mitigation steps: Update to Visual Composer Website Builder plugin version 45.11.0 or greater.
Themes
Arrival – Local File Inclusion
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-32921
Number of Downloads: 126,390
Affected Software: All versions, no fix available
Patched Versions: No Fix
Mitigation steps: Consider replacing the Arrival theme until a patch is released.
CWW Portfolio – Local File Inclusion
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-39359
Number of Downloads: 85,610
Affected Software: All versions, no fix available
Patched Versions: No Fix
Mitigation steps: Consider replacing the CWW Portfolio theme until a patch is released.
Grace Mag – Local File Inclusion
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-39360
Number of Downloads: 70,093
Affected Software: All versions, no fix available
Patched Versions: No Fix
Mitigation steps: Consider replacing the Grace Mag theme until a patch is released.
Opstore – Local File Inclusion
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-39387
Number of Downloads: 82,183
Affected Software: All versions, no fix available
Patched Versions: No Fix
Mitigation steps: Consider replacing the Opstore theme until a patch is released.
Sirat – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-39385
Number of Downloads: 355,294
Affected Software: All versions, no fix available
Patched Versions: No Fix
Mitigation steps: Consider replacing the Sirat theme until a patch is released.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.