Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Plugins
All in One SEO – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-14384
Number of Installations: 3,000,000+
Affected Software: All in One SEO <= 4.9.2
Patched Versions: All in One SEO 4.9.3
Mitigation steps: Update to All in One SEO plugin version 4.9.3 or greater.
Essential Addons for Elementor – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-69092
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.5.3
Patched Versions: Essential Addons for Elementor 6.5.4
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.5.4 or greater.
The Events Calendar – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-15043
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.15.13.0
Patched Versions: The Events Calendar 6.15.13.1
Mitigation steps: Update to The Events Calendar plugin version 6.15.13.1 or greater.
The Events Calendar – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-69352
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.15.12
Patched Versions: The Events Calendar 6.15.13
Mitigation steps: Update to The Events Calendar plugin version 6.15.13 or greater.
MetForm – Broken Authentication
Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2026-0633
Number of Installations: 600,000+
Affected Software: MetForm <= 4.1.0
Patched Versions: MetForm 4.1.1
Mitigation steps: Update to MetForm plugin version 4.1.1 or greater.
Fluent Forms – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13722
Number of Installations: 600,000+
Affected Software: Fluent Forms <= 6.1.7
Patched Versions: Fluent Forms 6.1.8
Mitigation steps: Update to Fluent Forms plugin version 6.1.8 or greater.
Forminator Forms – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires User or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-14782
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.49.1
Patched Versions: Forminator Forms 1.49.2
Mitigation steps: Update to Forminator Forms plugin version 1.49.2 or greater.
Breeze Cache – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-69364
Number of Installations: 400,000+
Affected Software: Breeze Cache <= 2.2.21
Patched Versions: Breeze Cache 2.2.22
Mitigation steps: Update to Breeze Cache plugin version 2.2.22 or greater.
Happy Addons for Elementor – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-68999
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.20.5
Patched Versions: Happy Addons for Elementor 3.20.6
Mitigation steps: Update to Happy Addons for Elementor plugin version 3.20.6 or greater.
Jeg Kit for Elementor – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14275
Number of Installations: 400,000+
Affected Software: Jeg Kit for Elementor <= 3.0.1
Patched Versions: Jeg Kit for Elementor 3.0.2
Mitigation steps: Update to Jeg Kit for Elementor plugin version 3.0.2 or greater.
Templately – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-0831
Number of Installations: 400,000+
Affected Software: Templately <= 3.4.8
Patched Versions: Templately 3.4.9
Mitigation steps: Update to Templately plugin version 3.4.9 or greater.
Custom Fonts – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-14351
Number of Installations: 300,000+
Affected Software: Custom Fonts <= 2.1.16
Patched Versions: Custom Fonts 2.1.17
Mitigation steps: Update to Custom Fonts plugin version 2.1.17 or greater.
WP Go Maps (formerly WP Google Maps) – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-0593
Number of Installations: 300,000+
Affected Software: WP Go Maps <= 10.0.04
Patched Versions: WP Go Maps 10.0.05
Mitigation steps: Update to WP Go Maps plugin version 10.0.05 or greater.
Photo Gallery by 10Web – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-1036
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web <= 1.8.36
Patched Versions: Photo Gallery by 10Web 1.8.37
Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.37 or greater.
Supreme Modules Lite – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-13062
Number of Installations: 200,000+
Affected Software: Supreme Modules Lite <= 2.5.62
Patched Versions: Supreme Modules Lite 2.5.63
Mitigation steps: Update to Supreme Modules Lite plugin version 2.5.63 or greater.
Advanced Custom Fields: Extended – Privilege Escalation
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2025-14533
Number of Installations: 100,000+
Affected Software: Advanced Custom Fields: Extended <= 0.9.2.1
Patched Versions: Advanced Custom Fields: Extended 0.9.2.2
Mitigation steps: Update to Advanced Custom Fields: Extended plugin version 0.9.2.2 or greater.
Beaver Builder Page Builder – Arbitrary Code Execution
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2025-69319
Number of Installations: 100,000+
Affected Software: Beaver Builder Page Builder <= 2.9.4.1
Patched Versions: Beaver Builder Page Builder 2.9.4.2
Mitigation steps: Update to Beaver Builder Page Builder plugin version 2.9.4.2 or greater.
BuddyPress – Arbitrary Code Execution
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2024-11976
Number of Installations: 100,000+
Affected Software: BuddyPress <= 14.3.3
Patched Versions: BuddyPress 14.3.4
Mitigation steps: Update to BuddyPress plugin version 14.3.4 or greater.
Schema & Structured Data for WP & AMP – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14069
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.54.0
Patched Versions: Schema & Structured Data for WP & AMP 1.54.1
Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.54.1 or greater.
Advanced Ads – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-12984
Number of Installations: 100,000+
Affected Software: Advanced Ads <= 2.0.15
Patched Versions: Advanced Ads 2.0.16
Mitigation steps: Update to Advanced Ads plugin version 2.0.16 or greater.
GiveWP – Content Injection
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-66533
Number of Installations: 100,000+
Affected Software: GiveWP <= 4.13.1
Patched Versions: GiveWP 4.13.2
Mitigation steps: Update to GiveWP plugin version 4.13.2 or greater.
PublishPress Future – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-14718
Number of Installations: 100,000+
Affected Software: PublishPress Future <= 4.9.3
Patched Versions: PublishPress Future 4.9.4
Mitigation steps: Update to PublishPress Future plugin version 4.9.4 or greater.
PublishPress Future – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-69361
Number of Installations: 100,000+
Affected Software: PublishPress Future <= 4.9.3
Patched Versions: PublishPress Future 4.9.4
Mitigation steps: Update to PublishPress Future plugin version 4.9.4 or greater.
Tutor LMS – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-0548
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.4
Patched Versions: Tutor LMS 3.9.5
Mitigation steps: Update to Tutor LMS plugin version 3.9.5 or greater.
Tutor LMS – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13628
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.3
Patched Versions: Tutor LMS 3.9.4
Mitigation steps: Update to Tutor LMS plugin version 3.9.4 or greater.
Tutor LMS – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13934
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.3
Patched Versions: Tutor LMS 3.9.4
Mitigation steps: Update to Tutor LMS plugin version 3.9.4 or greater.
Tutor LMS – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13679
Number of Installations: 100,000+
Affected Software: Tutor LMS <= 3.9.3
Patched Versions: Tutor LMS 3.9.4
Mitigation steps: Update to Tutor LMS plugin version 3.9.4 or greater.
Download Manager – Privilege Escalation
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2025-15364
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.40
Patched Versions: Download Manager 3.3.41
Mitigation steps: Update to Download Manager plugin version 3.3.41 or greater.
Aruba HiSpeed Cache – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-67913
Number of Installations: 100,000+
Affected Software: Aruba HiSpeed Cache <= 3.0.2
Patched Versions: Aruba HiSpeed Cache 3.0.3
Mitigation steps: Update to Aruba HiSpeed Cache plugin version 3.0.3 or greater.
Depicter – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11370
Number of Installations: 90,000+
Affected Software: Depicter <= 4.6.9
Patched Versions: Depicter 4.7.0
Mitigation steps: Update to Depicter plugin version 4.7.0 or greater.
Depicter – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-68558
Number of Installations: 90,000+
Affected Software: Depicter <= 4.0.4
Patched Versions: Depicter 4.0.5
Mitigation steps: Update to Depicter plugin version 4.0.5 or greater.
AMP for WP – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-0627
Number of Installations: 90,000+
Affected Software: AMP for WP <= 1.1.10
Patched Versions: AMP for WP 1.1.11
Mitigation steps: Update to AMP for WP plugin version 1.1.11 or greater.
Folders – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12640
Number of Installations: 90,000+
Affected Software: Folders <= 3.1.5
Patched Versions: Folders 3.1.6
Mitigation steps: Update to Folders plugin version 3.1.6 or greater.
Customer Reviews for WooCommerce – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14891
Number of Installations: 80,000+
Affected Software: Customer Reviews for WooCommerce <= 5.93.0
Patched Versions: Customer Reviews for WooCommerce 5.94.0
Mitigation steps: Update to Customer Reviews for WooCommerce plugin version 5.94.0 or greater.
Jupiter X Core – PHP Object Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-50004
Number of Installations: 80,000+
Affected Software: Jupiter X Core <= 4.10.0
Patched Versions: Jupiter X Core 4.11.0
Mitigation steps: Update to Jupiter X Core plugin version 4.11.0 or greater.
LearnPress – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-14798
Number of Installations: 80,000+
Affected Software: LearnPress <= 4.3.2.4
Patched Versions: LearnPress 4.3.2.5
Mitigation steps: Update to LearnPress plugin version 4.3.2.5 or greater.
LearnPress – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-13964
Number of Installations: 80,000+
Affected Software: LearnPress <= 4.3.2.0
Patched Versions: LearnPress 4.3.2.1
Mitigation steps: Update to LearnPress plugin version 4.3.2.1 or greater.
Ninja Tables – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-69351
Number of Installations: 80,000+
Affected Software: Ninja Tables <= 5.2.4
Patched Versions: Ninja Tables 5.2.5
Mitigation steps: Update to Ninja Tables plugin version 5.2.5 or greater.
Comments – wpDiscuz – Privilege Escalation
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2025-13820
Number of Installations: 80,000+
Affected Software: wpDiscuz <= 7.6.39
Patched Versions: wpDiscuz 7.6.40
Mitigation steps: Update to wpDiscuz plugin version 7.6.40 or greater.
WooCommerce Square – Insecure Direct Object References
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-13457
Number of Installations: 80,000+
Affected Software: WooCommerce Square <= 5.1.1
Patched Versions: WooCommerce Square 5.1.2
Mitigation steps: Update to WooCommerce Square plugin version 5.1.2 or greater.
SlimStat Analytics – Cross Site Scripting
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-15057
Number of Installations: 80,000+
Affected Software: SlimStat Analytics <= 5.3.3
Patched Versions: SlimStat Analytics 5.3.4
Mitigation steps: Update to SlimStat Analytics plugin version 5.3.4 or greater.
SlimStat Analytics – Cross Site Scripting
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-15055
Number of Installations: 80,000+
Affected Software: SlimStat Analytics <= 5.3.4
Patched Versions: SlimStat Analytics 5.3.5
Mitigation steps: Update to SlimStat Analytics plugin version 5.3.5 or greater.
Appointment Booking Calendar – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-12166
Number of Installations: 70,000+
Affected Software: Appointment Booking Calendar <= 1.6.9.12
Patched Versions: Appointment Booking Calendar 1.6.9.13
Mitigation steps: Update to Appointment Booking Calendar plugin version 1.6.9.13 or greater.
Appointment Booking Calendar – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-11723
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar <= 1.6.9.5
Patched Versions: Appointment Booking Calendar 1.6.9.6
Mitigation steps: Update to Appointment Booking Calendar plugin version 1.6.9.6 or greater.
Appointment Booking Calendar – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-69315
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar <= 1.6.9.16
Patched Versions: Appointment Booking Calendar 1.6.9.17
Mitigation steps: Update to Appointment Booking Calendar plugin version 1.6.9.17 or greater.
Koko Analytics – SQL Injection
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-22850
Number of Installations: 60,000+
Affected Software: Koko Analytics <= 2.1.2
Patched Versions: Koko Analytics 2.1.3
Mitigation steps: Update to Koko Analytics plugin version 2.1.3 or greater.
Drag and Drop Multiple File Upload for Contact Form 7 – Broken Access Control
Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-14457
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2
Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.3
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 plugin version 1.3.9.3 or greater.
Drag and Drop Multiple File Upload for Contact Form 7 – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-14842
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2
Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.3
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 plugin version 1.3.9.3 or greater.
Post and Page Builder by BoldGrid – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-69345
Number of Installations: 60,000+
Affected Software: Post and Page Builder by BoldGrid <= 1.27.9
Patched Versions: Post and Page Builder by BoldGrid 1.27.10
Mitigation steps: Update to Post and Page Builder by BoldGrid plugin version 1.27.10 or greater.
User Registration & Membership – Broken Access Control
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-67956
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 4.4.6
Patched Versions: User Registration & Membership 4.4.7
Mitigation steps: Update to User Registration & Membership plugin version 4.4.7 or greater.
Uncanny Automator – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-15522
Number of Installations: 50,000+
Affected Software: Uncanny Automator <= 6.9.9
Patched Versions: Uncanny Automator 7.0.0
Mitigation steps: Update to Uncanny Automator plugin version 7.0.0 or greater.
RSS Aggregator – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14745
Number of Installations: 50,000+
Affected Software: RSS Aggregator <= 5.0.10
Patched Versions: RSS Aggregator 5.0.11
Mitigation steps: Update to RSS Aggregator plugin version 5.0.11 or greater.
RSS Aggregator – Cross Site Scripting
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14375
Number of Installations: 50,000+
Affected Software: RSS Aggregator <= 5.0.10
Patched Versions: RSS Aggregator 5.0.11
Mitigation steps: Update to RSS Aggregator plugin version 5.0.11 or greater.
Booking Calendar – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-14982
Number of Installations: 50,000+
Affected Software: Booking Calendar <= 10.14.11
Patched Versions: Booking Calendar 10.14.12
Mitigation steps: Update to Booking Calendar plugin version 10.14.12 or greater.
WP Duplicate Page – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-14001
Number of Installations: 50,000+
Affected Software: WP Duplicate Page <= 1.8.0
Patched Versions: WP Duplicate Page 1.8.1
Mitigation steps: Update to WP Duplicate Page plugin version 1.8.1 or greater.
WP-Members Membership Plugin – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-14448
Number of Installations: 50,000+
Affected Software: WP-Members Membership Plugin <= 3.5.4.3
Patched Versions: WP-Members Membership Plugin 3.5.4.4
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.4.4 or greater.
Blog2Social – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-14943
Number of Installations: 50,000+
Affected Software: Blog2Social <= 8.7.2
Patched Versions: Blog2Social 8.7.3
Mitigation steps: Update to Blog2Social plugin version 8.7.3 or greater.
Booking Calendar – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-14146
Number of Installations: 50,000+
Affected Software: Booking Calendar <= 10.14.10
Patched Versions: Booking Calendar 10.14.11
Mitigation steps: Update to Booking Calendar plugin version 10.14.11 or greater.
EmailKit – Arbitrary File Download
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2025-14059
Number of Installations: 50,000+
Affected Software: EmailKit <= 1.6.1
Patched Versions: EmailKit 1.6.2
Mitigation steps: Update to EmailKit plugin version 1.6.2 or greater.
WP-Members Membership Plugin – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-12648
Number of Installations: 50,000+
Affected Software: WP-Members Membership Plugin <= 3.5.4.4
Patched Versions: WP-Members Membership Plugin 3.5.4.5
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.4.5 or greater.
WP Table Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13753
Number of Installations: 50,000+
Affected Software: WP Table Builder <= 2.0.19
Patched Versions: WP Table Builder 2.0.20
Mitigation steps: Update to WP Table Builder plugin version 2.0.20 or greater.
Table Field Add-on for ACF and SCF – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12067
Number of Installations: 50,000+
Affected Software: Table Field Add-on for ACF and SCF <= 1.3.30
Patched Versions: Table Field Add-on for ACF and SCF 1.3.31
Mitigation steps: Update to Table Field Add-on for ACF and SCF plugin version 1.3.31 or greater.
TaxoPress – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-14371
Number of Installations: 50,000+
Affected Software: TaxoPress <= 3.41.0
Patched Versions: TaxoPress 3.42.0
Mitigation steps: Update to TaxoPress plugin version 3.42.0 or greater.
Themes
Phlox – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4776
Number of Installations: 1,709,830
Affected Software: Phlox <= 2.17.10
Patched Versions: Phlox 2.17.11
Mitigation steps: Update to Phlox theme version 2.17.11 or greater.
Minamaze – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-62991
Number of Installations: 1,015,028
Affected Software: Minamaze (all versions)
Patched Versions: No fix
Mitigation steps: Since no patched version is available, consider disabling or replacing the Minamaze theme, or applying strict access control and web application firewall rules.
Shuttle – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-62137
Number of Installations: 555,266
Affected Software: Shuttle (all versions)
Patched Versions: No fix
Mitigation steps: Since no patched version is available, consider disabling or replacing the Shuttle theme, or applying strict access control and web application firewall rules.
Melos – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-62136
Number of Installations: 438,193
Affected Software: Melos (all versions)
Patched Versions: No fix
Mitigation steps: Since no patched version is available, consider disabling or replacing the Melos theme, or applying strict access control and web application firewall rules.
Consulting – Cross Site Scripting
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-63032
Number of Installations: 428,660
Affected Software: Consulting (all versions)
Patched Versions: No fix
Mitigation steps: Since no patched version is available, consider disabling or replacing the Consulting theme, or applying strict access control and web application firewall rules.
Oneline Lite – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-69344
Number of Installations: 411,275
Affected Software: Oneline Lite <= 6.6
Patched Versions: Oneline Lite 6.7
Mitigation steps: Update to Oneline Lite theme version 6.7 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.