Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Elementor Website Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11220
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.33.3
Patched Versions: Elementor Website Builder 3.33.4
Mitigation steps: Update to Elementor Website Builder plugin version 3.33.4 or greater.
WooCommerce – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-15033
Number of Installations: 7,000,000+
Affected Software: WooCommerce <= 10.4.2
Patched Versions: WooCommerce 10.4.3
Mitigation steps: Update to WooCommerce plugin version 10.4.3 or greater.
All in One SEO – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-64295
Number of Installations: 3,000,000+
Affected Software: All in One SEO <= 4.8.6
Patched Versions: All in One SEO 4.8.7
Mitigation steps: Update to All in One SEO plugin version 4.8.7 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13977
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.5.3
Patched Versions: Essential Addons for Elementor 6.5.4
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.5.4 or greater.
Starter Templates – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-13065
Number of Installations: 2,000,000+
Affected Software: Starter Templates <= 4.4.41
Patched Versions: Starter Templates 4.4.42
Mitigation steps: Update to Starter Templates plugin version 4.4.42 or greater.
Custom Post Type UI – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12826
Number of Installations: 1,000,000+
Affected Software: Custom Post Type UI <= 1.18.0
Patched Versions: Custom Post Type UI 1.18.1
Mitigation steps: Update to Custom Post Type UI plugin version 1.18.1 or greater.
Custom Post Type UI – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14056
Number of Installations: 1,000,000+
Affected Software: Custom Post Type UI <= 1.18.1
Patched Versions: Custom Post Type UI 1.18.2
Mitigation steps: Update to Custom Post Type UI plugin version 1.18.2 or greater.
Redux Framework – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9488
Number of Installations: 1,000,000+
Affected Software: Redux Framework <= 4.5.8
Patched Versions: Redux Framework 4.5.9
Mitigation steps: Update to Redux Framework plugin version 4.5.9 or greater.
Autoptimize – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13401
Number of Installations: 900,000+
Affected Software: Autoptimize <= 3.1.13
Patched Versions: Autoptimize 3.1.14
Mitigation steps: Update to Autoptimize plugin version 3.1.14 or greater.
Widgets for Google Reviews – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9436
Number of Installations: 800,000+
Affected Software: Widgets for Google Reviews <= 13.2.1
Patched Versions: Widgets for Google Reviews 13.2.2
Mitigation steps: Update to Widgets for Google Reviews plugin version 13.2.2 or greater.
Widgets for Google Reviews – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12510
Number of Installations: 800,000+
Affected Software: Widgets for Google Reviews <= 13.2.4
Patched Versions: Widgets for Google Reviews 13.2.5
Mitigation steps: Update to Widgets for Google Reviews plugin version 13.2.5 or greater.
Ninja Forms – Sensitive Data Exposure
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-11924
Number of Installations: 600,000+
Affected Software: Ninja Forms <= 3.13.2
Patched Versions: Ninja Forms 3.13.3
Mitigation steps: Update to Ninja Forms plugin version 3.13.3 or greater.
Royal Addons for Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11363
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1036
Patched Versions: Royal Addons for Elementor 1.7.1037
Mitigation steps: Update to Royal Addons for Elementor plugin version 1.7.1037 or greater.
Fluent Forms – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-13748
Number of Installations: 600,000+
Affected Software: Fluent Forms <= 6.1.7
Patched Versions: Fluent Forms 6.1.8
Mitigation steps: Update to Fluent Forms plugin version 6.1.8 or greater.
PixelYourSite – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-14280
Number of Installations: 500,000+
Affected Software: PixelYourSite <= 11.1.5
Patched Versions: PixelYourSite 11.1.5.1
Mitigation steps: Update to PixelYourSite plugin version 11.1.5.1 or greater.
Converter for Media – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13750
Number of Installations: 500,000+
Affected Software: Converter for Media <= 6.3.9
Patched Versions: Converter for Media 6.4.0
Mitigation steps: Update to Converter for Media plugin version 6.4.0 or greater.
Happy Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14635
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.20.3
Patched Versions: Happy Addons for Elementor 3.20.4
Mitigation steps: Update to Happy Addons for Elementor plugin version 3.20.4 or greater.
NextGEN Gallery – Local File Inclusion
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-13641
Number of Installations: 400,000+
Affected Software: NextGEN Gallery <= 3.59
Patched Versions: NextGEN Gallery 4.0.0
Mitigation steps: Update to NextGEN Gallery plugin version 4.0.0 or greater.
Post SMTP – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-67563
Number of Installations: 400,000+
Affected Software: Post SMTP <= 3.6.1
Patched Versions: Post SMTP 3.6.2
Mitigation steps: Update to Post SMTP plugin version 3.6.2 or greater.
Post SMTP – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12887
Number of Installations: 400,000+
Affected Software: Post SMTP <= 3.6.1
Patched Versions: Post SMTP 3.6.2
Mitigation steps: Update to Post SMTP plugin version 3.6.2 or greater.
Happy Addons for Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-63077
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor (all versions, no fixed version available)
Patched Versions: No Fix
Mitigation steps: Since no patched version is available, consider disabling or replacing Happy Addons for Elementor, or applying strict access control and web application firewall rules.
Broken Link Checker by AIOSEO – SQL Injection
Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-67962
Number of Installations: 300,000+
Affected Software: Broken Link Checker by AIOSEO <= 1.2.6
Patched Versions: Broken Link Checker by AIOSEO 1.2.7
Mitigation steps: Update to Broken Link Checker by AIOSEO plugin version 1.2.7 or greater.
Newsletter – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-67999
Number of Installations: 300,000+
Affected Software: Newsletter <= 9.0.9
Patched Versions: Newsletter 9.1.0
Mitigation steps: Update to Newsletter plugin version 9.1.0 or greater.
PDF Invoices & Packing Slips for WooCommerce – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-67589
Number of Installations: 300,000+
Affected Software: PDF Invoices & Packing Slips for WooCommerce <= 4.9.9
Patched Versions: PDF Invoices & Packing Slips for WooCommerce 5.0.0
Mitigation steps: Update to PDF Invoices & Packing Slips for WooCommerce plugin version 5.0.0 or greater.
Health Check & Troubleshooting – Path Traversal
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2025-64253
Number of Installations: 300,000+
Affected Software: Health Check & Troubleshooting (all versions, no fixed version available)
Patched Versions: No Fix
Mitigation steps: Since no patched version is available, consider disabling or replacing Health Check & Troubleshooting, or applying strict access control and web application firewall rules.
Astra Widgets – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-68497
Number of Installations: 200,000+
Affected Software: Astra Widgets <= 1.2.16
Patched Versions: Astra Widgets 1.2.17
Mitigation steps: Update to Astra Widgets plugin version 1.2.17 or greater.
Gutenberg Essential Blocks – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11369
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks <= 5.7.2
Patched Versions: Gutenberg Essential Blocks 5.7.3
Mitigation steps: Update to Gutenberg Essential Blocks plugin version 5.7.3 or greater.
Ultimate Member – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-12492
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.11.0
Patched Versions: Ultimate Member 2.11.1
Mitigation steps: Update to Ultimate Member plugin version 2.11.1 or greater.
Ultimate Member – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-14081
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.11.0
Patched Versions: Ultimate Member 2.11.1
Mitigation steps: Update to Ultimate Member plugin version 2.11.1 or greater.
Ultimate Member – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13217
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.11.0
Patched Versions: Ultimate Member 2.11.1
Mitigation steps: Update to Ultimate Member plugin version 2.11.1 or greater.
User Feedback – SQL Injection
Security Risk: High
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-68496
Number of Installations: 200,000+
Affected Software: User Feedback <= 1.10.0
Patched Versions: User Feedback 1.10.1
Mitigation steps: Update to User Feedback plugin version 1.10.1 or greater.
Admin and Site Enhancements (ASE) – Broken Access Control
Security Risk: Low
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-64255
Number of Installations: 200,000+
Affected Software: Admin and Site Enhancements (ASE) <= 8.0.9
Patched Versions: Admin and Site Enhancements (ASE) 8.1.0
Mitigation steps: Update to Admin and Site Enhancements (ASE) plugin version 8.1.0 or greater.
FileBird – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12900
Number of Installations: 200,000+
Affected Software: FileBird <= 6.5.1
Patched Versions: FileBird 6.5.2
Mitigation steps: Update to FileBird plugin version 6.5.2 or greater.
GenerateBlocks – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-12512
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 2.1.9
Patched Versions: GenerateBlocks 2.2.0
Mitigation steps: Update to GenerateBlocks plugin version 2.2.0 or greater.
Popup Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9856
Number of Installations: 200,000+
Affected Software: Popup Builder <= 4.4.1
Patched Versions: Popup Builder 4.4.2
Mitigation steps: Update to Popup Builder plugin version 4.4.2 or greater.
SureMail – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-13516
Number of Installations: 200,000+
Affected Software: SureMail <= 1.9.0
Patched Versions: SureMail 1.9.1
Mitigation steps: Update to SureMail plugin version 1.9.1 or greater.
Advanced Ads – Remote Code Execution (RCE)
Security Risk: Critical
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2025-13592
Number of Installations: 100,000+
Affected Software: Advanced Ads <= 2.0.14
Patched Versions: Advanced Ads 2.0.15
Mitigation steps: Update to Advanced Ads plugin version 2.0.15 or greater.
FiboSearch – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14298
Number of Installations: 100,000+
Affected Software: FiboSearch <= 1.32.0
Patched Versions: FiboSearch 1.32.1
Mitigation steps: Update to FiboSearch plugin version 1.32.1 or greater.
Prime Slider – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-14277
Number of Installations: 100,000+
Affected Software: Prime Slider <= 4.0.9
Patched Versions: Prime Slider 4.1.0
Mitigation steps: Update to Prime Slider plugin version 4.1.0 or greater.
Beaver Builder Page Builder – Broken Access Control
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12934
Number of Installations: 100,000+
Affected Software: Beaver Builder Page Builder <= 2.9.4.1
Patched Versions: Beaver Builder Page Builder 2.9.4.2
Mitigation steps: Update to Beaver Builder Page Builder plugin version 2.9.4.2 or greater.
Colibri Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11747
Number of Installations: 100,000+
Affected Software: Colibri Page Builder <= 1.0.357
Patched Versions: Colibri Page Builder 1.0.358
Mitigation steps: Update to Colibri Page Builder plugin version 1.0.358 or greater.
Login Lockdown & Protection – Bypass Vulnerability
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2025-11707
Number of Installations: 100,000+
Affected Software: Login Lockdown & Protection <= 2.14
Patched Versions: Login Lockdown & Protection 2.15
Mitigation steps: Update to Login Lockdown & Protection plugin version 2.15 or greater.
a3 Lazy Load – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9873
Number of Installations: 100,000+
Affected Software: a3 Lazy Load <= 2.7.5
Patched Versions: a3 Lazy Load 2.7.6
Mitigation steps: Update to a3 Lazy Load plugin version 2.7.6 or greater.
Addon Elements for Elementor (formerly Elementor Addon Elements) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12537
Number of Installations: 100,000+
Affected Software: Addon Elements for Elementor (formerly Elementor Addon Elements) <= 1.14.3
Patched Versions: Addon Elements for Elementor (formerly Elementor Addon Elements) 1.14.4
Mitigation steps: Update to Addon Elements for Elementor (formerly Elementor Addon Elements) plugin version 1.14.4 or greater.
Beaver Builder Page Builder – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-12558
Number of Installations: 100,000+
Affected Software: Beaver Builder Page Builder <= 2.9.4.0
Patched Versions: Beaver Builder Page Builder 2.9.4.1
Mitigation steps: Update to Beaver Builder Page Builder plugin version 2.9.4.1 or greater.
Colibri Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11376
Number of Installations: 100,000+
Affected Software: Colibri Page Builder <= 1.0.341
Patched Versions: Colibri Page Builder 1.0.342
Mitigation steps: Update to Colibri Page Builder plugin version 1.0.342 or greater.
Image Gallery – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-14003
Number of Installations: 100,000+
Affected Software: Image Gallery <= 2.13.3
Patched Versions: Image Gallery 2.13.4
Mitigation steps: Update to Image Gallery plugin version 2.13.4 or greater.
PublishPress Future – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13741
Number of Installations: 100,000+
Affected Software: PublishPress Future <= 4.9.2
Patched Versions: PublishPress Future 4.9.3
Mitigation steps: Update to PublishPress Future plugin version 4.9.3 or greater.
HUSKY – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-13110
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.7.3
Patched Versions: HUSKY 1.3.7.4
Mitigation steps: Update to HUSKY plugin version 1.3.7.4 or greater.
TI WooCommerce Wishlist – Content Injection
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-9207
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist <= 2.10.9
Patched Versions: TI WooCommerce Wishlist 2.11.0
Mitigation steps: Update to TI WooCommerce Wishlist plugin version 2.11.0 or greater.
Advanced Custom Fields: Extended – Remote Code Execution (RCE)
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2025-13486
Number of Installations: 100,000+
Affected Software: Advanced Custom Fields: Extended <= 0.9.1
Patched Versions: Advanced Custom Fields: Extended 0.9.2
Mitigation steps: Update to Advanced Custom Fields: Extended plugin version 0.9.2 or greater.
Beaver Builder Page Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12782
Number of Installations: 100,000+
Affected Software: Beaver Builder Page Builder <= 2.9.4.0
Patched Versions: Beaver Builder Page Builder 2.9.4.1
Mitigation steps: Update to Beaver Builder Page Builder plugin version 2.9.4.1 or greater.
Kadence WooCommerce Email Designer – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13387
Number of Installations: 100,000+
Affected Software: Kadence WooCommerce Email Designer <= 1.5.17
Patched Versions: Kadence WooCommerce Email Designer 1.5.18
Mitigation steps: Update to Kadence WooCommerce Email Designer plugin version 1.5.18 or greater.
Image Gallery – Arbitrary File Upload
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-13646
Number of Installations: 100,000+
Affected Software: Image Gallery <= 2.13.2
Patched Versions: Image Gallery 2.13.3
Mitigation steps: Update to Image Gallery plugin version 2.13.3 or greater.
Image Gallery – Arbitrary File Deletion
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-13645
Number of Installations: 100,000+
Affected Software: Image Gallery <= 2.13.2
Patched Versions: Image Gallery 2.13.3
Mitigation steps: Update to Image Gallery plugin version 2.13.3 or greater.
YITH WooCommerce Quick View – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8617
Number of Installations: 100,000+
Affected Software: YITH WooCommerce Quick View <= 2.7.0
Patched Versions: YITH WooCommerce Quick View 2.7.1
Mitigation steps: Update to YITH WooCommerce Quick View plugin version 2.7.1 or greater.
MailerLite – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13993
Number of Installations: 90,000+
Affected Software: MailerLite <= 1.7.16
Patched Versions: MailerLite 1.7.17
Mitigation steps: Update to MailerLite plugin version 1.7.17 or greater.
ProfilePress – Content Injection
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Content Injection
CVE: CVE-2025-13642
Number of Installations: 100,000+
Affected Software: ProfilePress <= 4.16.7
Patched Versions: ProfilePress 4.16.8
Mitigation steps: Update to ProfilePress plugin version 4.16.8 or greater.
Rich Shortcodes for Google Reviews – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12499
Number of Installations: 100,000+
Affected Software: Rich Shortcodes for Google Reviews <= 6.8.0
Patched Versions: Rich Shortcodes for Google Reviews 6.8.1
Mitigation steps: Update to Rich Shortcodes for Google Reviews plugin version 6.8.1 or greater.
HUSKY – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-13109
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.7.2
Patched Versions: HUSKY 1.3.7.3
Mitigation steps: Update to HUSKY plugin version 1.3.7.3 or greater.
Shortcodes and extra features for Phlox theme – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-69016
Number of Installations: 100,000+
Affected Software: Shortcodes and extra features for Phlox theme (all versions, no fixed version available)
Patched Versions: No Fix
Mitigation steps: Since no patched version is available, consider disabling or replacing Shortcodes and extra features for Phlox theme, or applying strict access control and web application firewall rules.
Crowdsignal Forms – Broken Access Control
Security Risk: Low
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-69015
Number of Installations: 100,000+
Affected Software: Crowdsignal Forms (all versions, no fixed version available)
Patched Versions: No Fix
Mitigation steps: Since no patched version is available, consider disabling or replacing Crowdsignal Forms, or applying strict access control and web application firewall rules.
Beaver Builder Page Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11726
Number of Installations: 100,000+
Affected Software: Beaver Builder Page Builder <= 2.9.4.0
Patched Versions: Beaver Builder Page Builder 2.9.4.1
Mitigation steps: Update to Beaver Builder Page Builder plugin version 2.9.4.1 or greater.
10Web Booster – Arbitrary File Deletion
Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-13377
Number of Installations: 90,000+
Affected Software: 10Web Booster <= 2.32.10
Patched Versions: 10Web Booster 2.32.11
Mitigation steps: Update to 10Web Booster plugin version 2.32.11 or greater.
Comments – wpDiscuz – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-68997
Number of Installations: 80,000+
Affected Software: Comments – wpDiscuz (all versions, no fixed version available)
Patched Versions: No Fix
Mitigation steps: Since no patched version is available, consider disabling or replacing Comments – wpDiscuz, or applying strict access control and web application firewall rules.
Hummingbird Performance – Sensitive Data Exposure
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-14437
Number of Installations: 80,000+
Affected Software: Hummingbird Performance <= 3.18.0
Patched Versions: Hummingbird Performance 3.18.1
Mitigation steps: Update to Hummingbird Performance plugin version 3.18.1 or greater.
LearnPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14387
Number of Installations: 80,000+
Affected Software: LearnPress <= 4.3.1
Patched Versions: LearnPress 4.3.2
Mitigation steps: Update to LearnPress plugin version 4.3.2 or greater.
Ninja Tables – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-67519
Number of Installations: 80,000+
Affected Software: Ninja Tables <= 5.2.3
Patched Versions: Ninja Tables 5.2.4
Mitigation steps: Update to Ninja Tables plugin version 5.2.4 or greater.
OneSignal – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-13950
Number of Installations: 80,000+
Affected Software: OneSignal <= 3.6.1
Patched Versions: OneSignal 3.6.2
Mitigation steps: Update to OneSignal plugin version 3.6.2 or greater.
LearnPress – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-13956
Number of Installations: 80,000+
Affected Software: LearnPress <= 4.3.1
Patched Versions: LearnPress 4.3.2
Mitigation steps: Update to LearnPress plugin version 4.3.2 or greater.
List category posts – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-10163
Number of Installations: 80,000+
Affected Software: List category posts <= 0.91.9
Patched Versions: List category posts 0.92.0
Mitigation steps: Update to List category posts plugin version 0.92.0 or greater.
SlimStat Analytics – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14151
Number of Installations: 80,000+
Affected Software: SlimStat Analytics <= 5.3.2
Patched Versions: SlimStat Analytics 5.3.3
Mitigation steps: Update to SlimStat Analytics plugin version 5.3.3 or greater.
Events Manager – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12976
Number of Installations: 70,000+
Affected Software: Events Manager <= 7.2.2
Patched Versions: Events Manager 7.2.3
Mitigation steps: Update to Events Manager plugin version 7.2.3 or greater.
Appointment Booking Calendar – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-13754
Number of Installations: 70,000+
Affected Software: Appointment Booking Calendar <= 1.6.9.16
Patched Versions: Appointment Booking Calendar 1.6.9.17
Mitigation steps: Update to Appointment Booking Calendar plugin version 1.6.9.17 or greater.
Brizy – Page Builder – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-0969
Number of Installations: 70,000+
Affected Software: Brizy – Page Builder <= 2.7.16
Patched Versions: Brizy – Page Builder 2.7.17
Mitigation steps: Update to Brizy – Page Builder plugin version 2.7.17 or greater.
Email Subscribers & Newsletters – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-12348
Number of Installations: 70,000+
Affected Software: Email Subscribers & Newsletters <= 5.9.10
Patched Versions: Email Subscribers & Newsletters 5.9.11
Mitigation steps: Update to Email Subscribers & Newsletters plugin version 5.9.11 or greater.
Events Manager – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2025-12408 Number of Installations: 70,000+ Affected Software: Events Manager <= 7.2.2.2 Patched Versions: Events Manager 7.2.2.3
Mitigation steps: Update to Events Manager plugin version 7.2.2.3 or greater.
Ultra Addons for Contact Form 7 – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-14356 Number of Installations: 60,000+ Affected Software: Ultra Addons for Contact Form 7 <= 3.5.33 Patched Versions: Ultra Addons for Contact Form 7 3.5.34
Mitigation steps: Update to Ultra Addons for Contact Form 7 plugin version 3.5.34 or greater.
User Registration & Membership – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-13367 Number of Installations: 60,000+ Affected Software: User Registration & Membership <= 4.4.6 Patched Versions: User Registration & Membership 4.4.7
Mitigation steps: Update to User Registration & Membership plugin version 4.4.7 or greater.
Wp Social Login and Register Social Counter – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2025-13620 Number of Installations: 60,000+ Affected Software: Wp Social Login and Register Social Counter <= 3.1.3 Patched Versions: Wp Social Login and Register Social Counter 3.1.4
Mitigation steps: Update to Wp Social Login and Register Social Counter plugin version 3.1.4 or greater.
Yandex.Metrica – Broken Access Control
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Broken Access Control CVE: CVE-2025-63063 Number of Installations: 60,000+ Affected Software: Yandex.Metrica (all versions, no fixed version available) Patched Versions: No Fix
Mitigation steps: Since no patched version is available, consider disabling or replacing Yandex.Metrica, or applying strict access control and web application firewall rules.
Auto Featured Image (Auto Post Thumbnail) – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-13794 Number of Installations: 50,000+ Affected Software: Auto Featured Image (Auto Post Thumbnail) <= 4.2.1 Patched Versions: Auto Featured Image (Auto Post Thumbnail) 4.2.2
Mitigation steps: Update to Auto Featured Image (Auto Post Thumbnail) plugin version 4.2.2 or greater.
Pixel Manager for WooCommerce – Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2025-67564 Number of Installations: 50,000+ Affected Software: Pixel Manager for WooCommerce <= 1.51.9 Patched Versions: Pixel Manager for WooCommerce 1.52.0
Mitigation steps: Update to Pixel Manager for WooCommerce plugin version 1.52.0 or greater.
Tag, Category, and Taxonomy Manager – Broken Access Control
Security Risk: Medium Exploitation Level: Requires Subscriber or higher level authentication. Vulnerability: Broken Access Control CVE: CVE-2025-13354 Number of Installations: 50,000+ Affected Software: Tag, Category, and Taxonomy Manager <= 3.40.9 Patched Versions: Tag, Category, and Taxonomy Manager 3.41.0
Mitigation steps: Update to Tag, Category, and Taxonomy Manager plugin version 3.41.0 or greater.
Tag, Category, and Taxonomy Manager – SQL Injection
Security Risk: High Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: SQL Injection CVE: CVE-2025-13359 Number of Installations: 50,000+ Affected Software: Tag, Category, and Taxonomy Manager <= 3.40.9 Patched Versions: Tag, Category, and Taxonomy Manager 3.41.0
Mitigation steps: Update to Tag, Category, and Taxonomy Manager plugin version 3.41.0 or greater.
WP Recipe Maker – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-14385 Number of Installations: 50,000+ Affected Software: WP Recipe Maker <= 10.2.3 Patched Versions: WP Recipe Maker 10.2.4
Mitigation steps: Update to WP Recipe Maker plugin version 10.2.4 or greater.
WP Ultimate Review – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-63057 Number of Installations: 50,000+ Affected Software: WP Ultimate Review (all versions, no fixed version available) Patched Versions: No Fix
Mitigation steps: Since no patched version is available, consider disabling or replacing WP Ultimate Review, or applying strict access control and web application firewall rules.
Booking Calendar – SQL Injection
Security Risk: Critical Exploitation Level: No authentication required. Vulnerability: SQL Injection CVE: CVE-2025-14383 Number of Installations: 50,000+ Affected Software: Booking Calendar <= 10.14.8 Patched Versions: Booking Calendar 10.14.9
Mitigation steps: Update to Booking Calendar plugin version 10.14.9 or greater.
Embed Any Document – Cross Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires Contributor or higher level authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2025-12885 Number of Installations: 50,000+ Affected Software: Embed Any Document <= 2.7.10 Patched Versions: Embed Any Document 2.7.11
Mitigation steps: Update to Embed Any Document plugin version 2.7.11 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.