Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Plugins
Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9703
Number of Installations: 2,000,000+
Affected Software: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.9
Patched Versions: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) 2.5.0
Mitigation steps: Update to Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin version 2.5.0 or greater.
Enable Media Replace – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9496
Number of Installations: 600,000+
Affected Software: Enable Media Replace <= 4.1.6
Patched Versions: Enable Media Replace 4.1.7
Mitigation steps: Update to Enable Media Replace plugin version 4.1.7 or greater.
BackWPup – WordPress Backup & Restore Plugin – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-10579
Number of Installations: 500,000+
Affected Software: BackWPup – WordPress Backup & Restore Plugin <= 5.5.0
Patched Versions: BackWPup – WordPress Backup & Restore Plugin 5.5.1
Mitigation steps: Update to BackWPup – WordPress Backup & Restore Plugin version 5.5.1 or greater.
PixelYourSite – Your smart PIXEL (TAG) & API Manager – Local File Inclusion
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-10723
Number of Installations: 500,000+
Affected Software: PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 11.1.1
Patched Versions: PixelYourSite – Your smart PIXEL (TAG) & API Manager 11.1.2
Mitigation steps: Update to PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin version 11.1.2 or greater.
WP Reset – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-10645
Number of Installations: 400,000+
Affected Software: WP Reset <= 2.05
Patched Versions: WP Reset 2.06
Mitigation steps: Update to WP Reset plugin version 2.06 or greater.
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11378
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF <= 6.3.4
Patched Versions: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF 6.3.5
Mitigation steps: Update to ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin version 6.3.5 or greater.
Blocksy Companion – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12475
Number of Installations: 300,000+
Affected Software: Blocksy Companion <= 2.1.14
Patched Versions: Blocksy Companion 2.1.15
Mitigation steps: Update to Blocksy Companion plugin version 2.1.15 or greater.
SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-10732
Number of Installations: 300,000+
Affected Software: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more <= 1.12.1
Patched Versions: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more 1.12.2
Mitigation steps: Update to SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin version 1.12.2 or greater.
WP Go Maps (formerly WP Google Maps) – Content Injection
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-11703
Number of Installations: 300,000+
Affected Software: WP Go Maps (formerly WP Google Maps) <= 9.0.48
Patched Versions: WP Go Maps (formerly WP Google Maps) 9.0.49
Mitigation steps: Update to WP Go Maps (formerly WP Google Maps) plugin version 9.0.49 or greater.
Redirection for Contact Form 7 – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9562
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 3.2.6
Patched Versions: Redirection for Contact Form 7 3.2.7
Mitigation steps: Update to Redirection for Contact Form 7 plugin version 3.2.7 or greater.
Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9978
Number of Installations: 300,000+
Affected Software: Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress <= 2.6.9
Patched Versions: Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress 2.7.0
Mitigation steps: Update to Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress plugin version 2.7.0 or greater.
Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content – Bypass Vulnerability
Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2025-11244
Number of Installations: 300,000+
Affected Software: Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content <= 2.7.11
Patched Versions: Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content 2.7.12
Mitigation steps: Update to Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content plugin version 2.7.12 or greater.
GenerateBlocks – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-11879
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 2.1.1
Patched Versions: GenerateBlocks 2.1.2
Mitigation steps: Update to GenerateBlocks plugin version 2.1.2 or greater.
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-10694
Number of Installations: 200,000+
Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.8.9
Patched Versions: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds 1.9.0
Mitigation steps: Update to User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin version 1.9.0 or greater.
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11270
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 5.7.1
Patched Versions: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns 5.7.2
Mitigation steps: Update to Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin version 5.7.2 or greater.
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11361
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 5.7.1
Patched Versions: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns 5.7.2
Mitigation steps: Update to Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin version 5.7.2 or greater.
FileBird – WordPress Media Library Folders & File Manager – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11510
Number of Installations: 200,000+
Affected Software: FileBird – WordPress Media Library Folders & File Manager <= 6.4.9
Patched Versions: FileBird – WordPress Media Library Folders & File Manager 6.5.0
Mitigation steps: Update to FileBird – WordPress Media Library Folders & File Manager plugin version 6.5.0 or greater.
Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11519
Number of Installations: 200,000+
Affected Software: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.1.0
Patched Versions: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization 4.1.1
Mitigation steps: Update to Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin version 4.1.1 or greater.
Element Pack Addons for Elementor – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11536
Number of Installations: 100,000+
Affected Software: Element Pack Addons for Elementor <= 8.2.5
Patched Versions: Element Pack Addons for Elementor 8.2.6
Mitigation steps: Update to Element Pack Addons for Elementor plugin version 8.2.6 or greater.
WPC Smart Quick View for WooCommerce – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11741
Number of Installations: 100,000+
Affected Software: WPC Smart Quick View for WooCommerce <= 4.2.5
Patched Versions: WPC Smart Quick View for WooCommerce 4.2.6
Mitigation steps: Update to WPC Smart Quick View for WooCommerce plugin version 4.2.6 or greater.
WPC Smart Wishlist for WooCommerce – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11742
Number of Installations: 100,000+
Affected Software: WPC Smart Wishlist for WooCommerce <= 5.0.4
Patched Versions: WPC Smart Wishlist for WooCommerce 5.0.5
Mitigation steps: Update to WPC Smart Wishlist for WooCommerce plugin version 5.0.5 or greater.
GiveWP – Donation Plugin and Fundraising Platform – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11227
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 4.10.1
Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform plugin version 4.10.1 or greater.
GiveWP – Donation Plugin and Fundraising Platform – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11228
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 4.10.1
Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform plugin version 4.10.1 or greater.
Responsive Lightbox & Gallery – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9710
Number of Installations: 100,000+
Affected Software: Responsive Lightbox & Gallery <= 2.5.2
Patched Versions: Responsive Lightbox & Gallery 2.5.3
Mitigation steps: Update to Responsive Lightbox & Gallery plugin version 2.5.3 or greater.
Schema & Structured Data for WP & AMP – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9512
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.49
Patched Versions: Schema & Structured Data for WP & AMP 1.50
Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.50 or greater.
Colibri Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9560
Number of Installations: 100,000+
Affected Software: Colibri Page Builder <= 1.0.334
Patched Versions: Colibri Page Builder 1.0.335
Mitigation steps: Update to Colibri Page Builder plugin version 1.0.335 or greater.
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9698
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.15
Patched Versions: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce 6.3.16
Mitigation steps: Update to The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin version 6.3.16 or greater.
WPC Smart Wishlist for WooCommerce – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11518
Number of Installations: 100,000+
Affected Software: WPC Smart Wishlist for WooCommerce <= 5.0.3
Patched Versions: WPC Smart Wishlist for WooCommerce 5.0.4
Mitigation steps: Update to WPC Smart Wishlist for WooCommerce plugin version 5.0.4 or greater.
Real Cookie Banner: GDPR & ePrivacy Cookie Consent – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-12136
Number of Installations: 100,000+
Affected Software: Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4
Patched Versions: Real Cookie Banner: GDPR & ePrivacy Cookie Consent 5.2.5
Mitigation steps: Update to Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin version 5.2.5 or greater.
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-10874
Number of Installations: 100,000+
Affected Software: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.1
Patched Versions: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More 3.0.2
Mitigation steps: Update to Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin version 3.0.2 or greater.
Tutor LMS – eLearning and online course solution – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11564
Number of Installations: 100,000+
Affected Software: Tutor LMS – eLearning and online course solution <= 3.8.9
Patched Versions: Tutor LMS – eLearning and online course solution 3.9.0
Mitigation steps: Update to Tutor LMS – eLearning and online course solution plugin version 3.9.0 or greater.
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-10580
Number of Installations: 100,000+
Affected Software: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets <= 4.1.2
Patched Versions: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets 4.1.3
Mitigation steps: Update to Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin version 4.1.3 or greater.
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11823
Number of Installations: 100,000+
Affected Software: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) <= 3.2.4
Patched Versions: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) 3.2.5
Mitigation steps: Update to ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin version 3.2.5 or greater.
Event Tickets and Registration – Broken Authentication
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2025-11517
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.26.5
Patched Versions: Event Tickets and Registration 5.26.6
Mitigation steps: Update to Event Tickets and Registration plugin version 5.26.6 or greater.
Event Tickets and Registration – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-62027
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.26.3
Patched Versions: Event Tickets and Registration 5.26.4
Mitigation steps: Update to Event Tickets and Registration plugin version 5.26.4 or greater.
Social Feed Gallery – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-10637
Number of Installations: 90,000+
Affected Software: Social Feed Gallery <= 4.9.2
Patched Versions: Social Feed Gallery 4.9.3
Mitigation steps: Update to Social Feed Gallery plugin version 4.9.3 or greater.
Ajax Search Lite – Live Search & Filter – PHP Object Injection
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-48086
Number of Installations: 80,000+
Affected Software: Ajax Search Lite – Live Search & Filter <= 4.13.3
Patched Versions: Ajax Search Lite – Live Search & Filter 4.13.4
Mitigation steps: Update to Ajax Search Lite – Live Search & Filter plugin version 4.13.4 or greater.
LearnPress – WordPress LMS Plugin – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11372
Number of Installations: 80,000+
Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.9.3
Patched Versions: LearnPress – WordPress LMS Plugin 4.2.9.4
Mitigation steps: Update to LearnPress – WordPress LMS Plugin version 4.2.9.4 or greater.
Featured Image from URL (FIFU) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7400
Number of Installations: 80,000+
Affected Software: Featured Image from URL (FIFU) <= 5.2.7
Patched Versions: Featured Image from URL (FIFU) 5.2.8
Mitigation steps: Update to Featured Image from URL (FIFU) plugin version 5.2.8 or greater.
Meta Tag Manager – Open Redirection
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Open Redirection
CVE: CVE-2025-5983
Number of Installations: 80,000+
Affected Software: Meta Tag Manager <= 3.2
Patched Versions: Meta Tag Manager 3.3
Mitigation steps: Update to Meta Tag Manager plugin version 3.3 or greater.
ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution – Broken Access Control
Security Risk: Low
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11888
Number of Installations: 70,000+
Affected Software: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4
Patched Versions: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution 4.8.5
Mitigation steps: Update to ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin version 4.8.5 or greater.
All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. – Bypass Vulnerability
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2025-58595
Number of Installations: 70,000+
Affected Software: All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. <= 2.0.8
Patched Versions: All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. 2.0.9
Mitigation steps: Update to All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. plugin version 2.0.9 or greater.
Media Library Assistant – Arbitrary File Download
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Download
CVE: CVE-2025-11738
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.29
Patched Versions: Media Library Assistant 3.30
Mitigation steps: Update to Media Library Assistant plugin version 3.30 or greater.
Product Filter by WBW – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-8416
Number of Installations: 60,000+
Affected Software: Product Filter by WBW <= 2.9.7
Patched Versions: Product Filter by WBW 2.9.8
Mitigation steps: Update to Product Filter by WBW plugin version 2.9.8 or greater.
Product Filter by WBW – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11269
Number of Installations: 60,000+
Affected Software: Product Filter by WBW <= 3.0.0
Patched Versions: Product Filter by WBW 3.0.1
Mitigation steps: Update to Product Filter by WBW plugin version 3.0.1 or greater.
Quick Featured Images – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11176
Number of Installations: 50,000+
Affected Software: Quick Featured Images <= 13.7.2
Patched Versions: Quick Featured Images 13.7.3
Mitigation steps: Update to Quick Featured Images plugin version 13.7.3 or greater.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7730
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.4.5
Patched Versions: Bold Page Builder 5.4.6
Mitigation steps: Update to Bold Page Builder plugin version 5.4.6 or greater.
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11128
Number of Installations: 50,000+
Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 5.1.0
Patched Versions: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator 5.1.1
Mitigation steps: Update to RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin version 5.1.1 or greater.
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12033
Number of Installations: 50,000+
Affected Software: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website <= 3.0.9
Patched Versions: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website 3.1.0
Mitigation steps: Update to Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin version 3.1.0 or greater.
Themes
Newsup – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8682
Number of Downloads: 2,613,735
Affected Software: Newsup <= 5.0.10
Patched Versions: Newsup 5.0.11
Mitigation steps: Update to Newsup theme version 5.0.11 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.