Vulnerability & Patch Roundup — August 2025

Sucuri Vulnerability Roundup - August 2025

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


Elementor Website Builder – More Than Just a Page Builder – Path Traversal

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2025-8081
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder – More Than Just a Page Builder <= 3.30.2
Patched Versions: Elementor Website Builder – More Than Just a Page Builder 3.30.3

Mitigation steps: Update to Elementor Website Builder – More Than Just a Page Builder plugin version 3.30.3 or greater.


Advanced Custom Fields (ACF®) – Remote Code Execution (RCE)

Security Risk: Low
Vulnerability: Remote Code Execution (RCE)
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields (ACF®) <= 3.5.1
Patched Versions: Advanced Custom Fields (ACF®) 3.5.2

Mitigation steps: Update to Advanced Custom Fields (ACF®) plugin version 3.5.2 or greater.


Plugins

Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8488
Number of Installations: 2,000,000+
Affected Software: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.6
Patched Versions: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) 2.4.7

Mitigation steps: Update to Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin version 2.4.7 or greater.


Essential Addons for Elementor – Popular Elementor Templates & Widgets – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8451
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.2.2
Patched Versions: Essential Addons for Elementor – Popular Elementor Templates & Widgets 6.2.3

Mitigation steps: Update to Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin version 6.2.3 or greater.


WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-55716
Number of Installations: 600,000+
Affected Software: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.15.1
Patched Versions: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin 14.15.2

Mitigation steps: Update to WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin version 14.15.2 or greater.


Templately – Elementor & Gutenberg Template Library: 5500+ Free & Pro Ready Templates And Cloud! – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-49408
Number of Installations: 400,000+
Affected Software: Templately – Elementor & Gutenberg Template Library: 5500+ Free & Pro Ready Templates And Cloud! <= 3.2.7
Patched Versions: Templately – Elementor & Gutenberg Template Library: 5500+ Free & Pro Ready Templates And Cloud! 3.2.8

Mitigation steps: Update to Templately – Elementor & Gutenberg Template Library: 5500+ Free & Pro Ready Templates And Cloud! plugin version 3.2.8 or greater.


WP Crontrol – Server Side Request Forgery (SSRF)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-8678
Number of Installations: 300,000+
Affected Software: WP Crontrol <= 1.19.1
Patched Versions: WP Crontrol 1.19.2

Mitigation steps: Update to WP Crontrol plugin version 1.19.2 or greater.


Redirection for Contact Form 7 – Arbitrary File Deletion

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-8141
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 3.2.4
Patched Versions: Redirection for Contact Form 7 3.2.5

Mitigation steps: Update to Redirection for Contact Form 7 plugin version 3.2.5 or greater.


Redirection for Contact Form 7 – PHP Object Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-8289
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 3.2.4
Patched Versions: Redirection for Contact Form 7 3.2.5

Mitigation steps: Update to Redirection for Contact Form 7 plugin version 3.2.5 or greater.


Redirection for Contact Form 7 – PHP Object Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-8145
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 3.2.4
Patched Versions: Redirection for Contact Form 7 3.2.5

Mitigation steps: Update to Redirection for Contact Form 7 plugin version 3.2.5 or greater.


Qi Addons For Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8146
Number of Installations: 200,000+
Affected Software: Qi Addons For Elementor <= 1.9.2
Patched Versions: Qi Addons For Elementor 1.9.3

Mitigation steps: Update to Qi Addons For Elementor plugin version 1.9.3 or greater.


FileBird – WordPress Media Library Folders & File Manager – SQL Injection

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-6986
Number of Installations: 200,000+
Affected Software: FileBird – WordPress Media Library Folders & File Manager <= 6.4.8
Patched Versions: FileBird – WordPress Media Library Folders & File Manager 6.4.9

Mitigation steps: Update to FileBird – WordPress Media Library Folders & File Manager plugin version 6.4.9 or greater.


Advanced File Manager – Ultimate WP File Manager And Document Library Solution – Arbitrary File Deletion

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-0818
Number of Installations: 200,000+
Affected Software: Advanced File Manager – Ultimate WP File Manager And Document Library Solution <= 5.3.9
Patched Versions: Advanced File Manager – Ultimate WP File Manager And Document Library Solution 5.4.0

Mitigation steps: Update to Advanced File Manager – Ultimate WP File Manager And Document Library Solution plugin version 5.4.0 or greater.


Kadence WooCommerce Email Designer – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2025-54697
Number of Installations: 100,000+
Affected Software: Kadence WooCommerce Email Designer <= 1.5.16
Patched Versions: Kadence WooCommerce Email Designer 1.5.17

Mitigation steps: Update to Kadence WooCommerce Email Designer plugin version 1.5.17 or greater.


The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-55712
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.13
Patched Versions: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce 6.3.14

Mitigation steps: Update to The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin version 6.3.14 or greater.


Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-8878
Number of Installations: 100,000+
Affected Software: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.4
Patched Versions: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress 4.16.5

Mitigation steps: Update to Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin version 4.16.5 or greater.


Element Pack Addons for Elementor – Mega Menu, Header Footer, Dynamic Builder and Ready Templates – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8100
Number of Installations: 100,000+
Affected Software: Element Pack Addons for Elementor – Mega Menu, Header Footer, Dynamic Builder and Ready Templates <= 8.1.5
Patched Versions: Element Pack Addons for Elementor – Mega Menu, Header Footer, Dynamic Builder and Ready Templates 8.1.6

Mitigation steps: Update to Element Pack Addons for Elementor – Mega Menu, Header Footer, Dynamic Builder and Ready Templates plugin version 8.1.6 or greater.


Simple Local Avatars – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8482
Number of Installations: 100,000+
Affected Software: Simple Local Avatars <= 2.8.4
Patched Versions: Simple Local Avatars 2.8.5

Mitigation steps: Update to Simple Local Avatars plugin version 2.8.5 or greater.


GiveWP – Donation Plugin and Fundraising Platform – Sensitive Data Exposure

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-47444
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 4.6.1

Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform plugin version 4.6.1 or greater.


GiveWP – Donation Plugin and Fundraising Platform – Broken Access Control

Security Risk: Medium
Vulnerability: Broken Access Control
CVE: CVE-2025-7221
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 4.6.1

Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform plugin version 4.6.1 or greater.


WPC Smart Quick View for WooCommerce – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8618
Number of Installations: 100,000+
Affected Software: WPC Smart Quick View for WooCommerce <= 4.2.1
Patched Versions: WPC Smart Quick View for WooCommerce 4.2.2

Mitigation steps: Update to WPC Smart Quick View for WooCommerce plugin version 4.2.2 or greater.


Ocean Social Sharing – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7500
Number of Installations: 80,000+
Affected Software: Ocean Social Sharing <= 2.2.1
Patched Versions: Ocean Social Sharing 2.2.2

Mitigation steps: Update to Ocean Social Sharing plugin version 2.2.2 or greater.


LatePoint – Calendar Booking Plugin for Appointments and Events – Local File Inclusion

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-6715
Number of Installations: 80,000+
Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.1.93
Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.1.94

Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events plugin version 5.1.94 or greater.


Media Library Assistant – Arbitrary File Deletion

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-8357
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.27
Patched Versions: Media Library Assistant 3.28

Mitigation steps: Update to Media Library Assistant plugin version 3.28 or greater.


WPC Smart Compare for WooCommerce – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7496
Number of Installations: 70,000+
Affected Software: WPC Smart Compare for WooCommerce <= 6.4.7
Patched Versions: WPC Smart Compare for WooCommerce 6.4.8

Mitigation steps: Update to WPC Smart Compare for WooCommerce plugin version 6.4.8 or greater.


Drag and Drop Multiple File Upload for Contact Form 7 – Directory Traversal

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Directory Traversal
CVE: CVE-2025-8464
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9
Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.1

Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 plugin version 1.3.9.1 or greater.


WP Table Builder – WordPress Table Plugin – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-55711
Number of Installations: 60,000+
Affected Software: WP Table Builder – WordPress Table Plugin <= 2.0.12
Patched Versions: WP Table Builder – WordPress Table Plugin 2.0.13

Mitigation steps: Update to WP Table Builder – WordPress Table Plugin plugin version 2.0.13 or greater.


Exclusive Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7498
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.7.9.4
Patched Versions: Exclusive Addons for Elementor 2.7.9.5

Mitigation steps: Update to Exclusive Addons for Elementor plugin version 2.7.9.5 or greater.


WP Import Export Lite – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-5061
Number of Installations: 50,000+
Affected Software: WP Import Export Lite <= 3.9.29
Patched Versions: WP Import Export Lite 3.9.30

Mitigation steps: Update to WP Import Export Lite plugin version 3.9.30 or greater.


WP Import Export Lite – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-6207
Number of Installations: 50,000+
Affected Software: WP Import Export Lite <= 3.9.28
Patched Versions: WP Import Export Lite 3.9.29

Mitigation steps: Update to WP Import Export Lite plugin version 3.9.29 or greater.


Advanced iFrame – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8089
Number of Installations: 50,000+
Affected Software: Advanced iFrame <= 2025.6
Patched Versions: Advanced iFrame 2025.7

Mitigation steps: Update to Advanced iFrame plugin version 2025.7 or greater.


User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8896
Number of Installations: 50,000+
Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.14.3
Patched Versions: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor 3.14.4

Mitigation steps: Update to User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin version 3.14.4 or greater.


Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-55710
Number of Installations: 50,000+
Affected Software: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.37.2
Patched Versions: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI 3.37.3

Mitigation steps: Update to Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin version 3.37.3 or greater.


Structured Content (JSON-LD) #wpsc – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3414
Number of Installations: 50,000+
Affected Software: Structured Content (JSON-LD) #wpsc <= 1.6.9
Patched Versions: Structured Content (JSON-LD) #wpsc 1.7.0

Mitigation steps: Update to Structured Content (JSON-LD) #wpsc plugin version 1.7.0 or greater.


Visual Composer Website Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-55709
Number of Installations: 50,000+
Affected Software: Visual Composer Website Builder <= 45.14.0
Patched Versions: Visual Composer Website Builder 45.15.0

Mitigation steps: Update to Visual Composer Website Builder plugin version 45.15.0 or greater.


Greenshift – animation and page builder blocks – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-57884
Number of Installations: 50,000+
Affected Software: Greenshift – animation and page builder blocks <= 12.1.1
Patched Versions: Greenshift – animation and page builder blocks 12.1.2

Mitigation steps: Update to Greenshift – animation and page builder blocks plugin version 12.1.2 or greater.


Themes

ColorMag – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-9202
Number of Downloads: 4,262,710
Affected Software: ColorMag <= 4.0.19
Patched Versions: ColorMag 4.0.20

Mitigation steps: Update to ColorMag theme version 4.0.20 or greater.


Spacious – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-9331
Number of Downloads: 2,634,166
Affected Software: Spacious <= 1.9.11
Patched Versions: Spacious 1.9.12

Mitigation steps: Update to Spacious theme version 1.9.12 or greater.


Zakra – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8595
Number of Downloads: 1,935,472
Affected Software: Zakra <= 4.1.5
Patched Versions: Zakra 4.1.6

Mitigation steps: Update to Zakra theme version 4.1.6 or greater.


Eximious Magazine – Local File Inclusion

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-53248
Number of Downloads: 89,583
Affected Software: Eximious Magazine (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is available. Consider disabling or replacing the Eximious Magazine theme.


modernize – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-53342
Number of Downloads: 59,351
Affected Software: modernize (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is available. Consider disabling or replacing the modernize theme.


modernize – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-53343
Number of Downloads: 59,351
Affected Software: modernize (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is available. Consider disabling or replacing the modernize theme.


Update your website software to mitigate risk. Users who are not able to update their software to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.