Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Plugins
Newsletter – Send awesome emails from WordPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3583
Number of Installations: 300,000+
Affected Software: Newsletter – Send awesome emails from WordPress <= 8.7.0
Patched Versions: Newsletter – Send awesome emails from WordPress 8.7.1
Mitigation steps: Update to Newsletter – Send awesome emails from WordPress plugin version 8.7.1 or greater.
SureForms – Drag and Drop Form Builder for WordPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3513
Number of Installations: 200,000+
Affected Software: SureForms – Drag and Drop Form Builder for WordPress <= 1.4.3
Patched Versions: SureForms – Drag and Drop Form Builder for WordPress 1.4.4
Mitigation steps: Update to SureForms – Drag and Drop Form Builder for WordPress plugin version 1.4.4 or greater.
Popup and Slider Builder by Depicter – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-2011
Number of Installations: 100,000+
Affected Software: Popup and Slider Builder by Depicter <= 3.6.1
Patched Versions: Popup and Slider Builder by Depicter 3.6.2
Mitigation steps: Update to Popup and Slider Builder by Depicter plugin version 3.6.2 or greater.
OttoKit: All-in-One Automation Platform (Formerly SureTriggers) – Privilege Escalation
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2025-27007
Number of Installations: 100,000+
Affected Software: OttoKit: All-in-One Automation Platform (Formerly SureTriggers) <= 1.0.82
Patched Versions: OttoKit: All-in-One Automation Platform (Formerly SureTriggers) 1.0.83
Mitigation steps: Update to OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin version 1.0.83 or greater.
User Registration & Membership – Custom Registration Form, Login Form, and User Profile – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-3281
Number of Installations: 70,000+
Affected Software: User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.2.1
Patched Versions: User Registration & Membership – Custom Registration Form, Login Form, and User Profile 4.2.2
Mitigation steps: Update to User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin version 4.2.2 or greater.
WP Maps – Display Google Maps Perfectly with Ease – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3502
Number of Installations: 70,000+
Affected Software: WP Maps – Display Google Maps Perfectly with Ease <= 4.7.1
Patched Versions: WP Maps – Display Google Maps Perfectly with Ease 4.7.2
Mitigation steps: Update to WP Maps – Display Google Maps Perfectly with Ease plugin version 4.7.2 or greater.
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – Arbitrary Code Execution
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2025-47691
Number of Installations: 200,000+
Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (all versions)
Patched Versions: No Fix
Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.
Inline Related Posts – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47604
Number of Installations: 100,000+
Affected Software: Inline Related Posts (all versions)
Patched Versions: No Fix
Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.
List category posts – Local File Inclusion
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-47636
Number of Installations: 90,000+
Affected Software: List category posts (all versions)
Patched Versions: No Fix
Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.
WP Maintenance – PHP Object Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-47683
Number of Installations: 50,000+
Affected Software: WP Maintenance (all versions)
Patched Versions: No Fix
Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.
LiteSpeed Cache – Server Side Request Forgery (SSRF)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-47437
Number of Installations: 7,000,000+
Affected Software: LiteSpeed Cache <= 7.0.0
Patched Versions: LiteSpeed Cache 7.1
Mitigation steps: Update to LiteSpeed Cache plugin version 7.1 or greater.
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3794
Number of Installations: 6,000,000+
Affected Software: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.9.5
Patched Versions: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More 1.9.5.1
Mitigation steps: Update to WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin version 1.9.5.1 or greater.
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-3949
Number of Installations: 800,000+
Affected Software: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.18.15
Patched Versions: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode 6.18.16
Mitigation steps: Update to Website Builder by SeedProd plugin version 6.18.16 or greater.
MailPoet – Newsletters, Email Marketing, and Automation – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12743
Number of Installations: 600,000+
Affected Software: MailPoet – Newsletters, Email Marketing, and Automation <= 5.5.1
Patched Versions: MailPoet – Newsletters, Email Marketing, and Automation 5.5.2
Mitigation steps: Update to MailPoet – Newsletters, Email Marketing, and Automation plugin version 5.5.2 or greater.
Royal Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-39361
Number of Installations: 600,000+
Affected Software: Royal Elementor Addons and Templates <= 1.7.1017
Patched Versions: Royal Elementor Addons and Templates 1.7.1018
Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.7.1018 or greater.
Jeg Elementor Kit – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-2944
Number of Installations: 300,000+
Affected Software: Jeg Elementor Kit <= 2.6.12
Patched Versions: Jeg Elementor Kit 2.6.13
Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.13 or greater.
Firelight Lightbox – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3597
Number of Installations: 200,000+
Affected Software: Firelight Lightbox <= 2.3.14
Patched Versions: Firelight Lightbox 2.3.15
Mitigation steps: Update to Firelight Lightbox plugin version 2.3.15 or greater.
Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-47688
Number of Installations: 200,000+
Affected Software: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin <= 5.3.1
Patched Versions: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin 5.3.2
Mitigation steps: Update to Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin version 5.3.2 or greater.
Login Lockdown & Protection – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-3766
Number of Installations: 100,000+
Affected Software: Login Lockdown & Protection <= 2.11
Patched Versions: Login Lockdown & Protection 2.12
Mitigation steps: Update to Login Lockdown & Protection plugin version 2.12 or greater.
Relevanssi – A Better Search – SQL Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-4396
Number of Installations: 100,000+
Affected Software: Relevanssi – A Better Search <= 4.24.4
Patched Versions: Relevanssi – A Better Search 4.24.5
Mitigation steps: Update to Relevanssi – A Better Search plugin version 4.24.5 or greater.
Relevanssi – A Better Search – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4054
Number of Installations: 100,000+
Affected Software: Relevanssi – A Better Search <= 4.24.3
Patched Versions: Relevanssi – A Better Search 4.24.4
Mitigation steps: Update to Relevanssi – A Better Search plugin version 4.24.4 or greater.
Download Monitor – Local File Inclusion
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-47439
Number of Installations: 90,000+
Affected Software: Download Monitor <= 5.0.22
Patched Versions: Download Monitor 5.0.23
Mitigation steps: Update to Download Monitor plugin version 5.0.23 or greater.
Jupiter X Core – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47475
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.8.11
Patched Versions: Jupiter X Core 4.8.12
Mitigation steps: Update to Jupiter X Core plugin version 4.8.12 or greater.
Contextual Related Posts – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47506
Number of Installations: 70,000+
Affected Software: Contextual Related Posts <= 4.0.2
Patched Versions: Contextual Related Posts 4.0.3
Mitigation steps: Update to Contextual Related Posts plugin version 4.0.3 or greater.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47525
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.3.0
Patched Versions: Bold Page Builder 5.3.1
Mitigation steps: Update to Bold Page Builder plugin version 5.3.1 or greater.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47488
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.3.2
Patched Versions: Bold Page Builder 5.3.3
Mitigation steps: Update to Bold Page Builder plugin version 5.3.3 or greater.
Ultimate Blocks – WordPress Blocks Plugin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47493
Number of Installations: 50,000+
Affected Software: Ultimate Blocks – WordPress Blocks Plugin <= 3.2.9
Patched Versions: Ultimate Blocks – WordPress Blocks Plugin 3.3.0
Mitigation steps: Update to Ultimate Blocks – WordPress Blocks Plugin version 3.3.0 or greater.
TI WooCommerce Wishlist – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-47577
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist (all versions)
Patched Versions: No Fix
Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.
TI WooCommerce Wishlist – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-32920
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist (all versions)
Patched Versions: No Fix
Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.
Jetpack – WP Security, Backup, Speed, & Growth – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10076
Number of Installations: 4,000,000+
Affected Software: Jetpack – WP Security, Backup, Speed, & Growth <= 13.7
Patched Versions: Jetpack – WP Security, Backup, Speed, & Growth 13.8
Mitigation steps: Update to Jetpack – WP Security, Backup, Speed, & Growth plugin version 13.8 or greater.
Jetpack – WP Security, Backup, Speed, & Growth – Content Injection
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2024-10075
Number of Installations: 4,000,000+
Affected Software: Jetpack – WP Security, Backup, Speed, & Growth <= 13.7
Patched Versions: Jetpack – WP Security, Backup, Speed, & Growth 13.8
Mitigation steps: Update to Jetpack – WP Security, Backup, Speed, & Growth plugin version 13.8 or greater.
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-2892
Number of Installations: 3,000,000+
Affected Software: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.8.1
Patched Versions: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic 4.8.2
Mitigation steps: Update to All in One SEO plugin version 4.8.2 or greater.
Ninja Forms – The Contact Form Builder That Grows With You – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-2524
Number of Installations: 700,000+
Affected Software: Ninja Forms – The Contact Form Builder That Grows With You <= 3.10.0
Patched Versions: Ninja Forms – The Contact Form Builder That Grows With You 3.10.1
Mitigation steps: Update to Ninja Forms plugin version 3.10.1 or greater.
The Events Calendar – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-48246
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.11.7
Patched Versions: The Events Calendar 6.12.0
Mitigation steps: Update to The Events Calendar plugin version 6.12.0 or greater.
The Events Calendar – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8493
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.6.3
Patched Versions: The Events Calendar 6.6.4
Mitigation steps: Update to The Events Calendar plugin version 6.6.4 or greater.
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5878
Number of Installations: 400,000+
Affected Software: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.4
Patched Versions: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery 3.59.5
Mitigation steps: Update to NextGEN Gallery plugin version 3.59.5 or greater.
Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8618
Number of Installations: 300,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.9
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 1.9.0
Mitigation steps: Update to Pagelayer plugin version 1.9.0 or greater.
PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-48247
Number of Installations: 300,000+
Affected Software: PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin <= 3.6.15
Patched Versions: PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin 3.6.16
Mitigation steps: Update to PrettyLinks plugin version 3.6.16 or greater.
Photo Gallery by 10Web – Mobile-Friendly Image Gallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8670
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.28
Patched Versions: Photo Gallery by 10Web – Mobile-Friendly Image Gallery 1.8.29
Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.29 or greater.
Download Manager – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8284
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.98
Patched Versions: Download Manager 3.2.99
Mitigation steps: Update to Download Manager plugin version 3.2.99 or greater.
Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8542
Number of Installations: 100,000+
Affected Software: Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.0.3
Patched Versions: Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress 3.0.3.1
Mitigation steps: Update to Everest Forms plugin version 3.0.3.1 or greater.
Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-2643
Number of Installations: 100,000+
Affected Software: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) <= 2.6.7
Patched Versions: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) 2.6.8
Mitigation steps: Update to My Sticky Bar plugin version 2.6.8 or greater.
Responsive Lightbox & Gallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3742
Number of Installations: 100,000+
Affected Software: Responsive Lightbox & Gallery <= 2.5.0
Patched Versions: Responsive Lightbox & Gallery 2.5.1
Mitigation steps: Update to Responsive Lightbox & Gallery plugin version 2.5.1 or greater.
Simple Lightbox – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3516
Number of Installations: 100,000+
Affected Software: Simple Lightbox <= 2.9.3
Patched Versions: Simple Lightbox 2.9.4
Mitigation steps: Update to Simple Lightbox plugin version 2.9.4 or greater.
Tracking Code Manager – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6335
Number of Installations: 100,000+
Affected Software: Tracking Code Manager <= 2.2.9
Patched Versions: Tracking Code Manager 2.3.0
Mitigation steps: Update to Tracking Code Manager plugin version 2.3.0 or greater.
Social Media Share Buttons & Social Sharing Icons – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10362
Number of Installations: 100,000+
Affected Software: Social Media Share Buttons & Social Sharing Icons <= 2.9.0
Patched Versions: Social Media Share Buttons & Social Sharing Icons 2.9.1
Mitigation steps: Update to Social Media Share Buttons & Social Sharing Icons plugin version 2.9.1 or greater.
Hustle – Email Marketing, Lead Generation, Optins, Popups – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8492
Number of Installations: 100,000+
Affected Software: Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.4
Patched Versions: Hustle – Email Marketing, Lead Generation, Optins, Popups 7.8.5
Mitigation steps: Update to Hustle plugin version 7.8.5 or greater.
Jupiter X Core – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3888
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.9.0
Patched Versions: Jupiter X Core 4.9.1
Mitigation steps: Update to Jupiter X Core plugin version 4.9.1 or greater.
LearnPress – WordPress LMS Plugin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13128
Number of Installations: 90,000+
Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.7.5
Patched Versions: LearnPress – WordPress LMS Plugin 4.2.7.5.1
Mitigation steps: Update to LearnPress plugin version 4.2.7.5.1 or greater.
Nested Pages – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8759
Number of Installations: 90,000+
Affected Software: Nested Pages <= 3.2.8
Patched Versions: Nested Pages 3.2.9
Mitigation steps: Update to Nested Pages plugin version 3.2.9 or greater.
Ajax Search Lite – Live Search & Filter – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8619
Number of Installations: 80,000+
Affected Software: Ajax Search Lite – Live Search & Filter <= 4.12.2
Patched Versions: Ajax Search Lite – Live Search & Filter 4.12.3
Mitigation steps: Update to Ajax Search Lite – Live Search & Filter plugin version 4.12.3 or greater.
ImageMagick Engine – Remote Code Execution (RCE)
Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-6486
Number of Installations: 70,000+
Affected Software: ImageMagick Engine <= 1.7.10
Patched Versions: ImageMagick Engine 1.7.11
Mitigation steps: Update to ImageMagick Engine plugin version 1.7.11 or greater.
Exclusive Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-48244
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.7.9
Patched Versions: Exclusive Addons for Elementor 2.7.9.1
Mitigation steps: Update to Exclusive Addons for Elementor plugin version 2.7.9.1 or greater.
Qi Blocks – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1625
Number of Installations: 60,000+
Affected Software: Qi Blocks <= 1.3.9
Patched Versions: Qi Blocks 1.4
Mitigation steps: Update to Qi Blocks plugin version 1.4 or greater.
WP-Members Membership Plugin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4610
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.5.2
Patched Versions: WP-Members Membership Plugin 3.5.3
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.3 or greater.
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9599
Number of Installations: 50,000+
Affected Software: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups <= 4.7.7
Patched Versions: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups 4.7.8
Mitigation steps: Update to Popup Box plugin version 4.7.8 or greater.
WP Booking Calendar – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4669
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.11.1
Patched Versions: WP Booking Calendar 10.11.2
Mitigation steps: Update to WP Booking Calendar plugin version 10.11.2 or greater.
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6708
Number of Installations: 50,000+
Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.12.1
Patched Versions: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor 3.12.2
Mitigation steps: Update to User Profile Builder plugin version 3.12.2 or greater.
Ultimate Blocks – WordPress Blocks Plugin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-48234
Number of Installations: 50,000+
Affected Software: Ultimate Blocks – WordPress Blocks Plugin <= 3.3.0
Patched Versions: Ultimate Blocks – WordPress Blocks Plugin 3.3.1
Mitigation steps: Update to Ultimate Blocks – WordPress Blocks Plugin version 3.3.1 or greater.
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-4520
Number of Installations: 50,000+
Affected Software: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.4.9
Patched Versions: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin 6.5.0
Mitigation steps: Update to Uncanny Automator plugin version 6.5.0 or greater.
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin – PHP Object Injection
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-3623
Number of Installations: 50,000+
Affected Software: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.4.0.1
Patched Versions: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin 6.4.0.2
Mitigation steps: Update to Uncanny Automator plugin version 6.4.0.2 or greater.
Visual Composer Website Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-48276
Number of Installations: 50,000+
Affected Software: Visual Composer Website Builder <= 45.11.0
Patched Versions: Visual Composer Website Builder 45.12.0
Mitigation steps: Update to Visual Composer Website Builder plugin version 45.12.0 or greater.
WooCommerce – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5062
Number of Installations: 8,000,000+
Affected Software: WooCommerce <= 9.3.3
Patched Versions: WooCommerce 9.3.4
Mitigation steps: Update to WooCommerce plugin version 9.3.4 or greater.
TablePress – Tables in WordPress made easy – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5096
Number of Installations: 700,000+
Affected Software: TablePress – Tables in WordPress made easy <= 3.1.2
Patched Versions: TablePress – Tables in WordPress made easy 3.1.3
Mitigation steps: Update to TablePress plugin version 3.1.3 or greater.
Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4223
Number of Installations: 300,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 2.0.1
Mitigation steps: Update to Pagelayer plugin version 2.0.1 or greater.
Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13427
Number of Installations: 300,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 2.0.1
Mitigation steps: Update to Pagelayer plugin version 2.0.1 or greater.
Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4682
Number of Installations: 100,000+
Affected Software: Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates <= 5.4.0
Patched Versions: Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates 5.4.1
Mitigation steps: Update to Essential Blocks plugin version 5.4.1 or greater.
Solid Mail – SMTP email and logging made by SolidWP – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1123
Number of Installations: 70,000+
Affected Software: Solid Mail – SMTP email and logging made by SolidWP <= 2.1.5
Patched Versions: Solid Mail – SMTP email and logging made by SolidWP 2.1.6
Mitigation steps: Update to Solid Mail plugin version 2.1.6 or greater.
Exclusive Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4783
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.7.9.1
Patched Versions: Exclusive Addons for Elementor 2.7.9.2
Mitigation steps: Update to Exclusive Addons for Elementor plugin version 2.7.9.2 or greater.
Blog2Social: Social Media Auto Post & Scheduler – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4133
Number of Installations: 50,000+
Affected Software: Blog2Social: Social Media Auto Post & Scheduler <= 8.3.1
Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 8.4.0
Mitigation steps: Update to Blog2Social plugin version 8.4.0 or greater.
Slim SEO – Fast & Automated WordPress SEO Plugin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4611
Number of Installations: 50,000+
Affected Software: Slim SEO – Fast & Automated WordPress SEO Plugin <= 4.5.3
Patched Versions: Slim SEO – Fast & Automated WordPress SEO Plugin 4.5.4
Mitigation steps: Update to Slim SEO plugin version 4.5.4 or greater.
Themes
NewsBlogger – Arbitrary File Upload
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-1304
Number of Downloads: 100,624
Affected Software: NewsBlogger <= 0.2.5.1
Patched Versions: NewsBlogger 0.2.5.2
Mitigation steps: Update to NewsBlogger theme version 0.2.5.2 or greater.
Blocksy – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-47465
Number of Downloads: 4,484,472
Affected Software: Blocksy <= 2.0.97
Patched Versions: Blocksy 2.0.98
Mitigation steps: Update to Blocksy theme version 2.0.98 or greater.
Update your website software to mitigate risk. Users who are not able to update their software to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.