Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Core
WordPress Core – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-58246
Affected Software: WordPress Core (No fix available)
Patched Versions: No fix available
Mitigation steps: Monitor for updates and apply security best practices.
WordPress Core – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-58674
Affected Software: WordPress Core (No fix available)
Patched Versions: No fix available
Mitigation steps: Monitor for updates and apply security best practices.
Plugins
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-58649
Number of Installations: 3,000,000+
Affected Software: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-58650
Number of Installations: 3,000,000+
Affected Software: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
The Events Calendar – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-9808
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.15.2
Patched Versions: The Events Calendar 6.15.3
Mitigation steps: Update to The Events Calendar plugin version 6.15.3 or greater.
The Events Calendar – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-9807
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.15.1
Patched Versions: The Events Calendar 6.15.1.1
Mitigation steps: Update to The Events Calendar plugin version 6.15.1.1 or greater.
Ninja Forms – The Contact Form Builder That Grows With You – PHP Object Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-9083
Number of Installations: 600,000+
Affected Software: Ninja Forms – The Contact Form Builder That Grows With You <= 3.11.0
Patched Versions: Ninja Forms – The Contact Form Builder That Grows With You 3.11.1
Mitigation steps: Update to Ninja Forms plugin version 3.11.1 or greater.
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder – PHP Object Injection
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-9260
Number of Installations: 600,000+
Affected Software: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.1
Patched Versions: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 6.1.2
Mitigation steps: Update to Fluent Forms plugin version 6.1.2 or greater.
Admin Menu Editor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9493
Number of Installations: 400,000+
Affected Software: Admin Menu Editor <= 1.14.0
Patched Versions: Admin Menu Editor 1.14.1
Mitigation steps: Update to Admin Menu Editor plugin version 1.14.1 or greater.
Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-9219
Number of Installations: 400,000+
Affected Software: Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more <= 3.4.1
Patched Versions: Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more 3.4.2
Mitigation steps: Update to Post SMTP plugin version 3.4.2 or greater.
Sticky Header Effects for Elementor – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-58251
Number of Installations: 300,000+
Affected Software: Sticky Header Effects for Elementor (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Blocksy Companion – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9565
Number of Installations: 300,000+
Affected Software: Blocksy Companion <= 2.1.10
Patched Versions: Blocksy Companion 2.1.11
Mitigation steps: Update to Blocksy Companion plugin version 2.1.11 or greater.
SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-10489
Number of Installations: 300,000+
Affected Software: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more <= 1.12.0
Patched Versions: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more 1.12.1
Mitigation steps: Update to SureForms plugin version 1.12.1 or greater.
Admin and Site Enhancements (ASE) – Cross Site Scripting (XSS)
Security Risk: Medium
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9487
Number of Installations: 200,000+
Affected Software: Admin and Site Enhancements (ASE) <= 7.9.7
Patched Versions: Admin and Site Enhancements (ASE) 7.9.8
Mitigation steps: Update to Admin and Site Enhancements (ASE) plugin version 7.9.8 or greater.
Nextend Social Login and Register – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-58031
Number of Installations: 200,000+
Affected Software: Nextend Social Login and Register (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-58593
Number of Installations: 200,000+
Affected Software: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.0
Patched Versions: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More 3.0.1
Mitigation steps: Update to Orbit Fox plugin version 3.0.1 or greater.
TI WooCommerce Wishlist – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-58247
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
AI Engine – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-8268
Number of Installations: 100,000+
Affected Software: AI Engine <= 2.9.5
Patched Versions: AI Engine 2.9.6
Mitigation steps: Update to AI Engine plugin version 2.9.6 or greater.
Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8722
Number of Installations: 100,000+
Affected Software: Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets) <= 4.1.9
Patched Versions: Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets) 4.2
Mitigation steps: Update to Content Views plugin version 4.2 or greater.
NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8778
Number of Installations: 100,000+
Affected Software: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN <= 1.18.4
Patched Versions: NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN 1.18.5
Mitigation steps: Update to NitroPack plugin version 1.18.5 or greater.
Tutor LMS – eLearning and online course solution – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-58993
Number of Installations: 100,000+
Affected Software: Tutor LMS – eLearning and online course solution <= 3.7.9
Patched Versions: Tutor LMS – eLearning and online course solution 3.8.0
Mitigation steps: Update to Tutor LMS plugin version 3.8.0 or greater.
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-58990
Number of Installations: 100,000+
Affected Software: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) <= 3.2.0
Patched Versions: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) 3.2.1
Mitigation steps: Update to ShopLentor plugin version 3.2.1 or greater.
Import any XML, CSV or Excel File to WordPress – Arbitrary File Upload
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-10001
Number of Installations: 100,000+
Affected Software: Import any XML, CSV or Excel File to WordPress <= 3.9.3
Patched Versions: Import any XML, CSV or Excel File to WordPress 3.9.4
Mitigation steps: Update to Import any XML, CSV or Excel File to WordPress plugin version 3.9.4 or greater.
Colibri Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-59593
Number of Installations: 100,000+
Affected Software: Colibri Page Builder <= 1.0.333
Patched Versions: Colibri Page Builder 1.0.334
Mitigation steps: Update to Colibri Page Builder plugin version 1.0.334 or greater.
Download Manager – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-10146
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.23
Patched Versions: Download Manager 3.3.24
Mitigation steps: Update to Download Manager plugin version 3.3.24 or greater.
Kubio AI Page Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8487
Number of Installations: 100,000+
Affected Software: Kubio AI Page Builder <= 2.6.4
Patched Versions: Kubio AI Page Builder 2.6.5
Mitigation steps: Update to Kubio AI Page Builder plugin version 2.6.5 or greater.
Make Column Clickable for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-59592
Number of Installations: 100,000+
Affected Software: Make Column Clickable for Elementor <= 1.6.0
Patched Versions: Make Column Clickable for Elementor 1.6.1
Mitigation steps: Update to Make Column Clickable for Elementor plugin version 1.6.1 or greater.
Duplicate Page and Post – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-6189
Number of Installations: 90,000+
Affected Software: Duplicate Page and Post (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling or replacing the Duplicate Page and Post plugin until a fix is released.
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8388
Number of Installations: 90,000+
Affected Software: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.9.4
Patched Versions: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) 2.9.5
Mitigation steps: Update to PowerPack Addons for Elementor plugin version 2.9.5 or greater.
3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-58226
Number of Installations: 80,000+
Affected Software: 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Jupiter X Core – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-58264
Number of Installations: 80,000+
Affected Software: Jupiter X Core (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Comments – wpDiscuz – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-59591
Number of Installations: 80,000+
Affected Software: Comments – wpDiscuz <= 7.6.33
Patched Versions: Comments – wpDiscuz 7.6.34
Mitigation steps: Update to Comments – wpDiscuz plugin version 7.6.34 or greater.
Media Library Assistant – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-59590
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.28
Patched Versions: Media Library Assistant 3.29
Mitigation steps: Update to Media Library Assistant plugin version 3.29 or greater.
Master Slider – Responsive Touch Slider – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-58025
Number of Installations: 70,000+
Affected Software: Master Slider – Responsive Touch Slider (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Brizy – Page Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-58594
Number of Installations: 70,000+
Affected Software: Brizy – Page Builder <= 2.7.12
Patched Versions: Brizy – Page Builder 2.7.13
Mitigation steps: Update to Brizy – Page Builder plugin version 2.7.13 or greater.
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-9085
Number of Installations: 60,000+
Affected Software: User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.3.9
Patched Versions: User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin 4.4.0
Mitigation steps: Update to User Registration & Membership plugin version 4.4.0 or greater.
WP-Members Membership Plugin – Content Injection
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Content Injection
CVE: CVE-2025-9489
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.5.4.2
Patched Versions: WP-Members Membership Plugin 3.5.4.3
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.4.3 or greater.
WP-Members Membership Plugin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-57973
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.5.4.2
Patched Versions: WP-Members Membership Plugin 3.5.4.3
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.4.3 or greater.
Getwid – Gutenberg Blocks – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-58252
Number of Installations: 50,000+
Affected Software: Getwid – Gutenberg Blocks (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Image Hover Effects – Elementor Addon – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-57939
Number of Installations: 50,000+
Affected Software: Image Hover Effects – Elementor Addon (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Perfect Brands for WooCommerce – SQL Injection
Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-58686
Number of Installations: 50,000+
Affected Software: Perfect Brands for WooCommerce (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Better Find and Replace – AI-Powered Suggestions – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-53466
Number of Installations: 50,000+
Affected Software: Better Find and Replace – AI-Powered Suggestions (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Themes
OceanWP – Settings Change
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Settings Change
CVE: CVE-2025-8944
Number of Downloads: 8,786,658
Affected Software: OceanWP <= 4.1.1
Patched Versions: OceanWP 4.1.2
Mitigation steps: Update to OceanWP theme version 4.1.2 or greater.
Sydney – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8999
Number of Downloads: 4,661,099
Affected Software: Sydney <= 2.56
Patched Versions: Sydney 2.57
Mitigation steps: Update to Sydney theme version 2.57 or greater.
ColorWay – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-59003
Number of Downloads: 1,314,146
Affected Software: ColorWay (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
ConsultStreet – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-58813
Number of Downloads: 581,213
Affected Software: ConsultStreet (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
Themia Lite – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-59003
Number of Downloads: 194,918
Affected Software: Themia Lite (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
SoftMe – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-58817
Number of Downloads: 155,328
Affected Software: SoftMe (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
Dzonia Lite – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-59003
Number of Downloads: 114,483
Affected Software: Dzonia Lite (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
Cloriato Lite – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-59003
Number of Downloads: 111,776
Affected Software: Cloriato Lite (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
Shk Corporate – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-58824
Number of Downloads: 105,547
Affected Software: Shk Corporate (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
Road Fighter – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-59003
Number of Downloads: 82,748
Affected Software: Road Fighter (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
Poloray – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-59003
Number of Downloads: 71,063
Affected Software: Poloray (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
ButterBelly – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-59003
Number of Downloads: 70,694
Affected Software: ButterBelly (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
SaasLauncher – Broken Access Control
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-58606
Number of Downloads: 67,440
Affected Software: SaasLauncher <= 1.3.0
Patched Versions: SaasLauncher 1.3.1
Mitigation steps: Update to SaasLauncher theme version 1.3.1 or greater.
Compass – Sensitive Data Exposure
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-59003
Number of Downloads: 65,712
Affected Software: Compass (No fix available)
Patched Versions: No fix available
Mitigation steps: Consider disabling the theme until a fix is released and seek alternative solutions.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.