Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall, so existing clients are protected while they apply the vendor updates. If you don't have it installed yet, you can use our web application firewall to reduce exposure to known vulnerabilities. Virtual patching is not a substitute for updating: apply the patched version listed under each entry as soon as you can.
Plugins
Elementor Website Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2024-50555 Number of Installations: 10,000,000+ Affected Software: Elementor Website Builder <= 3.29.0 Patched Versions: Elementor Website Builder 3.29.1
Mitigation steps: Update to Elementor Website Builder plugin version 3.29.1 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2024-9994 Number of Installations: 2,000,000+ Affected Software: Essential Addons for Elementor <= 6.1.12 Patched Versions: Essential Addons for Elementor 6.1.13
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.1.13 or greater.
WP-Optimize – SQL Injection
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: SQL Injection CVE: 2025-3951 Number of Installations: 1,000,000+ Affected Software: WP-Optimize <= 4.1.9 Patched Versions: WP-Optimize 4.2.0
Mitigation steps: Update to WP-Optimize plugin version 4.2.0 or greater.
ElementsKit Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-4479 Number of Installations: 1,000,000+ Affected Software: ElementsKit Elementor Addons and Templates <= 3.5.2 Patched Versions: ElementsKit Elementor Addons and Templates 3.5.3
Mitigation steps: Update to ElementsKit Elementor Addons and Templates plugin version 3.5.3 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-4774 Number of Installations: 700,000+ Affected Software: Premium Addons for Elementor <= 4.11.8 Patched Versions: Premium Addons for Elementor 4.11.9
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.11.9 or greater.
The Events Calendar – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5144 Number of Installations: 700,000+ Affected Software: The Events Calendar <= 6.13.2 Patched Versions: The Events Calendar 6.13.2.1
Mitigation steps: Update to The Events Calendar plugin version 6.13.2.1 or greater.
Popup Maker – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-4205 Number of Installations: 700,000+ Affected Software: Popup Maker <= 1.20.4 Patched Versions: Popup Maker 1.20.5
Mitigation steps: Update to Popup Maker plugin version 1.20.5 or greater.
Click to Chat – HoliThemes – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5336 Number of Installations: 600,000+ Affected Software: Click to Chat – HoliThemes <= 4.22 Patched Versions: Click to Chat – HoliThemes 4.23
Mitigation steps: Update to Click to Chat – HoliThemes plugin version 4.23 or greater.
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5337 Number of Installations: 600,000+ Affected Software: MetaSlider <= 3.98.9 Patched Versions: MetaSlider 3.99.0
Mitigation steps: Update to MetaSlider plugin version 3.99.0 or greater.
YITH WooCommerce Wishlist – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5238 Number of Installations: 600,000+ Affected Software: YITH WooCommerce Wishlist <= 4.5.9 Patched Versions: YITH WooCommerce Wishlist 4.6.0
Mitigation steps: Update to YITH WooCommerce Wishlist plugin version 4.6.0 or greater.
Forminator Forms – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5341 Number of Installations: 600,000+ Affected Software: Forminator Forms <= 1.44.1 Patched Versions: Forminator Forms 1.44.2
Mitigation steps: Update to Forminator Forms plugin version 1.44.2 or greater.
Broken Link Checker – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: 2025-4047 Number of Installations: 600,000+ Affected Software: Broken Link Checker <= 2.4.4 Patched Versions: Broken Link Checker 2.4.5
Mitigation steps: Update to Broken Link Checker plugin version 2.4.5 or greater.
Ocean Extra – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-49068 Number of Installations: 600,000+ Affected Software: Ocean Extra <= 2.4.8 Patched Versions: Ocean Extra 2.4.9
Mitigation steps: Update to Ocean Extra plugin version 2.4.9 or greater.
WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-49244 Number of Installations: 500,000+ Affected Software: Shortcodes Ultimate <= 7.3.9 Patched Versions: Shortcodes Ultimate 7.4.0
Mitigation steps: Update to Shortcodes Ultimate plugin version 7.4.0 or greater.
Breeze – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: 2025-23999 Number of Installations: 400,000+ Affected Software: Breeze <= 2.2.13 Patched Versions: Breeze 2.2.14
Mitigation steps: Update to Breeze plugin version 2.2.14 or greater.
Simple History – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Sensitive Data Exposure CVE: 2025-5760 Number of Installations: 300,000+ Affected Software: Simple History <= 5.8.1 Patched Versions: Simple History 5.8.2
Mitigation steps: Update to Simple History plugin version 5.8.2 or greater.
Smash Balloon Social Post Feed – Simple Social Feeds for WordPress – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-4577 Number of Installations: 200,000+ Affected Software: Smash Balloon Social Post Feed <= 4.3.1 Patched Versions: Smash Balloon Social Post Feed 4.3.2
Mitigation steps: Update to Smash Balloon Social Post Feed plugin version 4.3.2 or greater.
Firelight Lightbox – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-52707 Number of Installations: 200,000+ Affected Software: Firelight Lightbox <= 2.3.16 Patched Versions: Firelight Lightbox 2.3.17
Mitigation steps: Update to Firelight Lightbox plugin version 2.3.17 or greater.
File Manager Pro – Filester – Arbitrary File Upload
Security Risk: Critical Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Arbitrary File Upload CVE: 2025-3234 Number of Installations: 100,000+ Affected Software: File Manager Pro – Filester <= 1.8.8 Patched Versions: File Manager Pro – Filester 1.8.9
Mitigation steps: Update to File Manager Pro – Filester plugin version 1.8.9 or greater.
Real Cookie Banner: GDPR & ePrivacy Cookie Consent – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-1485 Number of Installations: 100,000+ Affected Software: Real Cookie Banner <= 5.1.5 Patched Versions: Real Cookie Banner 5.1.6
Mitigation steps: Update to Real Cookie Banner plugin version 5.1.6 or greater.
The Plus Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-49076 Number of Installations: 100,000+ Affected Software: The Plus Addons for Elementor <= 6.2.7 Patched Versions: The Plus Addons for Elementor 6.2.8
Mitigation steps: Update to The Plus Addons for Elementor plugin version 6.2.8 or greater.
Widget Logic – Remote Code Execution (RCE)
Security Risk: Critical Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Remote Code Execution (RCE) CVE: 2025-32222 Number of Installations: 100,000+ Affected Software: Widget Logic (No fix available) Patched Versions: No Fix
Mitigation steps: No patch available at the time of writing. Deactivate and delete the plugin until a fixed version is released; a deactivated plugin's files remain on disk and are still reachable, so deactivation alone is not enough.
Social Sharing Plugin – Sassy Social Share – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5528 Number of Installations: 100,000+ Affected Software: Sassy Social Share <= 3.3.75 Patched Versions: Sassy Social Share 3.3.76
Mitigation steps: Update to Sassy Social Share plugin version 3.3.76 or greater.
Ivory Search – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5209 Number of Installations: 100,000+ Affected Software: Ivory Search <= 5.5.9 Patched Versions: Ivory Search 5.5.10
Mitigation steps: Update to Ivory Search plugin version 5.5.10 or greater.
AI Engine – Broken Access Control
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: 2025-5071 Number of Installations: 100,000+ Affected Software: AI Engine <= 2.8.3 Patched Versions: AI Engine 2.8.4
Mitigation steps: Update to AI Engine plugin version 2.8.4 or greater.
Download Manager – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Author or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-4367 Number of Installations: 100,000+ Affected Software: Download Manager <= 3.3.18 Patched Versions: Download Manager 3.3.19
Mitigation steps: Update to Download Manager plugin version 3.3.19 or greater.
File Manager Pro – Filester – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-52710 Number of Installations: 100,000+ Affected Software: File Manager Pro – Filester <= 1.8.8 Patched Versions: File Manager Pro – Filester 1.8.9
Mitigation steps: Update to File Manager Pro – Filester plugin version 1.8.9 or greater.
GiveWP – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: 2025-4571 Number of Installations: 100,000+ Affected Software: GiveWP <= 4.3.0 Patched Versions: GiveWP 4.3.1
Mitigation steps: Update to GiveWP plugin version 4.3.1 or greater.
HUSKY – Local File Inclusion
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Local File Inclusion CVE: 2025-52708 Number of Installations: 100,000+ Affected Software: HUSKY <= 1.3.7 Patched Versions: HUSKY 1.3.7.1
Mitigation steps: Update to HUSKY plugin version 1.3.7.1 or greater.
Ninja Tables – PHP Object Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: PHP Object Injection CVE: 2025-2939 Number of Installations: 80,000+ Affected Software: Ninja Tables <= 5.0.18 Patched Versions: Ninja Tables 5.0.19
Mitigation steps: Update to Ninja Tables plugin version 5.0.19 or greater.
Master Slider – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5291 Number of Installations: 70,000+ Affected Software: Master Slider <= 3.10.8 Patched Versions: Master Slider 3.10.9
Mitigation steps: Update to Master Slider plugin version 3.10.9 or greater.
WP Table Builder – WordPress Table Plugin – Cross Site Request Forgery (CSRF)
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross Site Request Forgery (CSRF) CVE: 2025-49286 Number of Installations: 60,000+ Affected Software: WP Table Builder <= 2.0.6 Patched Versions: WP Table Builder 2.0.7
Mitigation steps: Update to WP Table Builder plugin version 2.0.7 or greater.
WPtouch – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-49318 Number of Installations: 60,000+ Affected Software: WPtouch <= 4.3.60 Patched Versions: WPtouch 4.3.61
Mitigation steps: Update to WPtouch plugin version 4.3.61 or greater.
Drag and Drop Multiple File Upload for Contact Form 7 – Arbitrary File Upload
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Arbitrary File Upload CVE: 2025-3515 Number of Installations: 60,000+ Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.0
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 plugin version 1.3.9.0 or greater.
Post and Page Builder by BoldGrid – Server Side Request Forgery (SSRF)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Server Side Request Forgery (SSRF) CVE: 2025-52713 Number of Installations: 60,000+ Affected Software: Post and Page Builder by BoldGrid <= 1.27.8 Patched Versions: Post and Page Builder by BoldGrid 1.27.9
Mitigation steps: Update to Post and Page Builder by BoldGrid plugin version 1.27.9 or greater.
Post and Page Builder by BoldGrid – Cross Site Request Forgery (CSRF)
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross Site Request Forgery (CSRF) CVE: 2025-52711 Number of Installations: 60,000+ Affected Software: Post and Page Builder by BoldGrid <= 1.27.8 Patched Versions: Post and Page Builder by BoldGrid 1.27.9
Mitigation steps: Update to Post and Page Builder by BoldGrid plugin version 1.27.9 or greater.
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-4667 Number of Installations: 60,000+ Affected Software: Simply Schedule Appointments <= 1.6.8.31 Patched Versions: Simply Schedule Appointments 1.6.8.32
Mitigation steps: Update to Simply Schedule Appointments plugin version 1.6.8.32 or greater.
Ultra Addons for Contact Form 7 – Arbitrary File Upload
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Arbitrary File Upload CVE: 2025-6220 Number of Installations: 60,000+ Affected Software: Ultra Addons for Contact Form 7 <= 3.5.12 Patched Versions: Ultra Addons for Contact Form 7 3.5.13
Mitigation steps: Update to Ultra Addons for Contact Form 7 plugin version 3.5.13 or greater.
WP-Members Membership Plugin – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-50051 Number of Installations: 60,000+ Affected Software: WP-Members Membership Plugin <= 3.5.4 Patched Versions: WP-Members Membership Plugin 3.5.4.1
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.4.1 or greater.
Calculated Fields Form – Cross Site Request Forgery (CSRF)
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross Site Request Forgery (CSRF) CVE: 2025-49291 Number of Installations: 50,000+ Affected Software: Calculated Fields Form <= 5.3.58 Patched Versions: Calculated Fields Form 5.3.59
Mitigation steps: Update to Calculated Fields Form plugin version 5.3.59 or greater.
Greenshift – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-49301 Number of Installations: 50,000+ Affected Software: Greenshift <= 11.5.6 Patched Versions: Greenshift 11.5.7
Mitigation steps: Update to Greenshift plugin version 11.5.7 or greater.
Uncanny Automator – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: 2025-48133 Number of Installations: 50,000+ Affected Software: Uncanny Automator (No fix available) Patched Versions: No Fix
Mitigation steps: No patch available at the time of writing. Deactivate and delete the plugin until a fixed version is released; a deactivated plugin's files remain on disk and are still reachable, so deactivation alone is not enough.
User Profile Builder – Content Spoofing
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Content Spoofing CVE: 2025-49292 Number of Installations: 50,000+ Affected Software: User Profile Builder <= 3.13.8 Patched Versions: User Profile Builder 3.13.9
Mitigation steps: Update to User Profile Builder plugin version 3.13.9 or greater.
User Profile Builder – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-4671 Number of Installations: 50,000+ Affected Software: User Profile Builder <= 3.13.8 Patched Versions: User Profile Builder 3.13.9
Mitigation steps: Update to User Profile Builder plugin version 3.13.9 or greater.
Sina Extension for Elementor – Cross Site Scripting (XSS)
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-49262 Number of Installations: 50,000+ Affected Software: Sina Extension for Elementor <= 3.6.9 Patched Versions: Sina Extension for Elementor 3.7.0
Mitigation steps: Update to Sina Extension for Elementor plugin version 3.7.0 or greater.
Slim SEO – SQL Injection
Security Risk: High Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: SQL Injection CVE: 2025-49854 Number of Installations: 50,000+ Affected Software: Slim SEO <= 4.5.4 Patched Versions: Slim SEO 4.5.5
Mitigation steps: Update to Slim SEO plugin version 4.5.5 or greater.
Zapier for WordPress – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: 2025-50010 Number of Installations: 50,000+ Affected Software: Zapier for WordPress (No fix available) Patched Versions: No Fix
Mitigation steps: No patch available at the time of writing. Deactivate and delete the plugin until a fixed version is released; a deactivated plugin's files remain on disk and are still reachable, so deactivation alone is not enough.
Blog2Social: Social Media Auto Post & Scheduler – SQL Injection
Security Risk: High Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: SQL Injection CVE: 2025-5673 Number of Installations: 50,000+ Affected Software: Blog2Social <= 8.4.4 Patched Versions: Blog2Social 8.4.5
Mitigation steps: Update to Blog2Social plugin version 8.4.5 or greater.
Login & Register Customizer – Popup | Slider | Inline | WooCommerce – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Administrator or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-50027 Number of Installations: 50,000+ Affected Software: Login & Register Customizer <= 2.9.4 Patched Versions: Login & Register Customizer 2.9.5
Mitigation steps: Update to Login & Register Customizer plugin version 2.9.5 or greater.
Pixel Manager for WooCommerce – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-6201 Number of Installations: 50,000+ Affected Software: Pixel Manager for WooCommerce <= 1.49.0 Patched Versions: Pixel Manager for WooCommerce 1.49.1
Mitigation steps: Update to Pixel Manager for WooCommerce plugin version 1.49.1 or greater.
Themes
OceanWP – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: 2025-5524 Number of Installations: 8,544,159 downloads Affected Software: OceanWP Theme <= 4.0.9 Patched Versions: OceanWP Theme 4.1.0
Mitigation steps: Update to OceanWP theme version 4.1.0 or greater.
Zita – Local File Inclusion
Security Risk: High Exploitation Level: No authentication required. Vulnerability: Local File Inclusion CVE: 2025-52816 Number of Installations: 405,453 downloads Affected Software: Zita Theme (No fix available) Patched Versions: No Fix
Mitigation steps: No patch available at the time of writing. Switch to another theme and delete Zita until a fixed version is released; an installed but inactive theme's files remain on disk and are still reachable.
Update your website software to mitigate risk. Where an entry above lists no fix, deactivate and delete the affected plugin or theme rather than leaving it installed, since its files remain reachable on disk. Users who are not able to update their software to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
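As an added example (not part of the original post and not Sucuri's code), the following Python script compares a WP-CLI plugin inventory against a subset of the entries above and reports what to update or remove. It assumes the inventory comes from `wp plugin list --format=json` (whose `name` field is the plugin's directory slug) and that the slugs used match the WordPress.org directory; the inventory embedded below is constructed for the demo, including its version numbers. Version comparison uses Python tuple ordering, which for purely numeric dotted versions gives the same result as PHP's `version_compare()` (the function WordPress itself uses), so 6.13.2 sorts before 6.13.2.1 and 1.3.8.9 before 1.3.9.0, the two shapes that trip up naive string or float comparisons.

```python
"""Audit a WP-CLI plugin inventory against this month's advisories.

Added example, not Sucuri's code. Input is assumed to be the JSON from
`wp plugin list --format=json`; the SAMPLE_INVENTORY below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    slug: str                    # plugin directory slug (assumed to match WordPress.org)
    name: str
    cve: str
    issue: str
    affected_max: Optional[str]  # highest vulnerable version; None when no fix exists
    fixed: Optional[str]         # first patched version; None when no fix exists


# Subset of the entries in the list above; slugs are an assumption.
ADVISORIES = [
    Advisory("elementor", "Elementor Website Builder", "CVE-2024-50555", "XSS", "3.29.0", "3.29.1"),
    Advisory("the-events-calendar", "The Events Calendar", "CVE-2025-5144", "XSS", "6.13.2", "6.13.2.1"),
    Advisory("drag-and-drop-multiple-file-upload-contact-form-7",
             "Drag and Drop Multiple File Upload for Contact Form 7",
             "CVE-2025-3515", "Arbitrary File Upload", "1.3.8.9", "1.3.9.0"),
    Advisory("ninja-tables", "Ninja Tables", "CVE-2025-2939", "PHP Object Injection", "5.0.18", "5.0.19"),
    Advisory("widget-logic", "Widget Logic", "CVE-2025-32222", "RCE", None, None),
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '6.13.2.1' into (6, 13, 2, 1).

    Tuple ordering mirrors PHP version_compare() for numeric versions:
    a shorter prefix sorts before a longer one, so (6,13,2) < (6,13,2,1).
    Pre-release suffixes (beta, rc) are deliberately rejected rather than
    silently mis-ordered.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when the installed version falls inside the advisory's vulnerable range."""
    if adv.affected_max is None:
        return True  # no fix published: every installed version counts as affected
    return parse_version(installed) <= parse_version(adv.affected_max)


def audit(inventory_json: str) -> list[dict]:
    """Return one finding per (installed plugin, matching advisory) pair, in inventory order."""
    by_slug: dict[str, list[Advisory]] = {}
    for adv in ADVISORIES:
        by_slug.setdefault(adv.slug, []).append(adv)  # a plugin may carry several advisories

    findings = []
    for item in json.loads(inventory_json):
        for adv in by_slug.get(item["name"], []):
            installed = item["version"]
            if not is_affected(installed, adv):
                continue
            action = (f"update to {adv.fixed} or later" if adv.fixed
                      else "no fix available: deactivate and delete")
            findings.append({
                "slug": adv.slug, "name": adv.name, "cve": adv.cve, "issue": adv.issue,
                "installed": installed, "status": item["status"], "action": action,
            })
    return findings


# Constructed sample of `wp plugin list --format=json` output (versions are made up).
SAMPLE_INVENTORY = json.dumps([
    {"name": "elementor", "status": "active", "update": "available", "version": "3.28.4"},
    {"name": "the-events-calendar", "status": "active", "update": "none", "version": "6.13.2"},
    {"name": "ninja-tables", "status": "inactive", "update": "none", "version": "5.0.19"},
    {"name": "widget-logic", "status": "active", "update": "none", "version": "6.0.2"},
    {"name": "drag-and-drop-multiple-file-upload-contact-form-7",
     "status": "inactive", "update": "available", "version": "1.3.8.9"},
])


if __name__ == "__main__":
    # Real use: python audit.py < <(wp plugin list --format=json)
    for f in audit(SAMPLE_INVENTORY):
        # An inactive plugin still appears here: its files stay on disk.
        print(f"{f['name']} {f['installed']} ({f['status']}): {f['cve']} {f['issue']} -> {f['action']}")
```

Note that the inactive Drag and Drop Multiple File Upload install is still reported: deactivation does not remove the plugin's files, so it is updated or deleted like any active one, and Ninja Tables on 5.0.19 is correctly skipped because it is already on the patched release.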