Vulnerability & Patch Roundup — November 2025

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


Plugins


All in One SEO – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12847
Number of Installations: 3,000,000+
Affected Software: All in One SEO <= 4.8.9
Patched Versions: All in One SEO 4.9.0

Mitigation steps: Update to All in One SEO plugin version 4.9.0 or greater.


Code Snippets – Remote Code Execution (RCE)

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2025-13035
Number of Installations: 1,000,000+
Affected Software: Code Snippets <= 3.9.1
Patched Versions: Code Snippets 3.9.2

Mitigation steps: Update to Code Snippets plugin version 3.9.2 or greater.


W3 Total Cache – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2025-9501
Number of Installations: 1,000,000+
Affected Software: W3 Total Cache <= 2.8.12
Patched Versions: W3 Total Cache 2.8.13

Mitigation steps: Update to W3 Total Cache plugin version 2.8.13 or greater.


Spectra Gutenberg Blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11162
Number of Installations: 1,000,000+
Affected Software: Spectra Gutenberg Blocks <= 2.19.14
Patched Versions: Spectra Gutenberg Blocks 2.19.15

Mitigation steps: Update to Spectra Gutenberg Blocks plugin version 2.19.15 or greater.


The Events Calendar – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-12197
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.15.9
Patched Versions: The Events Calendar 6.15.10

Mitigation steps: Update to The Events Calendar plugin version 6.15.10 or greater.


The Events Calendar – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-12192
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.15.9
Patched Versions: The Events Calendar 6.15.10

Mitigation steps: Update to The Events Calendar plugin version 6.15.10 or greater.


TablePress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12324
Number of Installations: 700,000+
Affected Software: TablePress <= 3.2.4
Patched Versions: TablePress 3.2.5

Mitigation steps: Update to TablePress plugin version 3.2.5 or greater.


Royal Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5092
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1031
Patched Versions: Royal Addons for Elementor 1.7.1032

Mitigation steps: Update to Royal Addons for Elementor plugin version 1.7.1032 or greater.


Royal Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6251
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor <= 1.7.1036
Patched Versions: Royal Addons for Elementor 1.7.1037

Mitigation steps: Update to Royal Addons for Elementor plugin version 1.7.1037 or greater.


YITH WooCommerce Wishlist – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-12777
Number of Installations: 500,000+
Affected Software: YITH WooCommerce Wishlist <= 4.10.0
Patched Versions: YITH WooCommerce Wishlist 4.10.1

Mitigation steps: Update to YITH WooCommerce Wishlist plugin version 4.10.1 or greater.


YITH WooCommerce Wishlist – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-12427
Number of Installations: 500,000+
Affected Software: YITH WooCommerce Wishlist <= 4.10.0
Patched Versions: YITH WooCommerce Wishlist 4.10.1

Mitigation steps: Update to YITH WooCommerce Wishlist plugin version 4.10.1 or greater.


SiteSEO – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-13085
Number of Installations: 400,000+
Affected Software: SiteSEO <= 1.3.2
Patched Versions: SiteSEO 1.3.3

Mitigation steps: Update to SiteSEO plugin version 1.3.3 or greater.


SiteSEO – Broken Authentication

Security Risk: Medium
Vulnerability: Broken Authentication
CVE: CVE-2025-12814
Number of Installations: 400,000+
Affected Software: SiteSEO <= 1.3.2
Patched Versions: SiteSEO 1.3.3

Mitigation steps: Update to SiteSEO plugin version 1.3.3 or greater.


SiteSEO – Broken Access Control

Security Risk: Low
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12367
Number of Installations: 400,000+
Affected Software: SiteSEO <= 1.3.1
Patched Versions: SiteSEO 1.3.2

Mitigation steps: Update to SiteSEO plugin version 1.3.2 or greater.


Post SMTP – Broken Authentication

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2025-11833
Number of Installations: 400,000+
Affected Software: Post SMTP <= 3.6.0
Patched Versions: Post SMTP 3.6.1

Mitigation steps: Update to Post SMTP plugin version 3.6.1 or greater.


Page Builder: Pagelayer – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-12366
Number of Installations: 400,000+
Affected Software: Page Builder: Pagelayer <= 2.0.5
Patched Versions: Page Builder: Pagelayer 2.0.6

Mitigation steps: Update to Page Builder: Pagelayer plugin version 2.0.6 or greater.


Broken Link Checker by AIOSEO – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11734
Number of Installations: 300,000+
Affected Software: Broken Link Checker by AIOSEO <= 1.2.5
Patched Versions: Broken Link Checker by AIOSEO 1.2.6

Mitigation steps: Update to Broken Link Checker by AIOSEO plugin version 1.2.6 or greater.


SureForms – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-12536
Number of Installations: 300,000+
Affected Software: SureForms <= 1.13.1
Patched Versions: SureForms 1.13.2

Mitigation steps: Update to SureForms plugin version 1.13.2 or greater.


WP Go Maps (formerly WP Google Maps) – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11307
Number of Installations: 300,000+
Affected Software: WP Go Maps (formerly WP Google Maps) <= 9.0.47
Patched Versions: WP Go Maps (formerly WP Google Maps) 9.0.48

Mitigation steps: Update to WP Go Maps (formerly WP Google Maps) plugin version 9.0.48 or greater.


Ad Inserter – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11745
Number of Installations: 300,000+
Affected Software: Ad Inserter <= 2.8.7
Patched Versions: Ad Inserter 2.8.8

Mitigation steps: Update to Ad Inserter plugin version 2.8.8 or greater.


Blocksy Companion – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-12846
Number of Installations: 300,000+
Affected Software: Blocksy Companion <= 2.1.19
Patched Versions: Blocksy Companion 2.1.20

Mitigation steps: Update to Blocksy Companion plugin version 2.1.20 or greater.


Post Type Switcher – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-12524
Number of Installations: 200,000+
Affected Software: Post Type Switcher <= 4.0.0
Patched Versions: Post Type Switcher 4.0.1

Mitigation steps: Update to Post Type Switcher plugin version 4.0.1 or greater.


AI Engine – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-12844
Number of Installations: 100,000+
Affected Software: AI Engine <= 3.1.8
Patched Versions: AI Engine 3.1.9

Mitigation steps: Update to AI Engine plugin version 3.1.9 or greater.


Element Pack Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13196
Number of Installations: 100,000+
Affected Software: Element Pack Addons for Elementor <= 8.3.4
Patched Versions: Element Pack Addons for Elementor 8.3.5

Mitigation steps: Update to Element Pack Addons for Elementor plugin version 8.3.5 or greater.


Gallery Plugin for WordPress – Envira Photo Gallery – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12377
Number of Installations: 100,000+
Affected Software: Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0
Patched Versions: Gallery Plugin for WordPress – Envira Photo Gallery 1.12.1

Mitigation steps: Update to Gallery Plugin for WordPress – Envira Photo Gallery plugin version 1.12.1 or greater.


Image Gallery – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12494
Number of Installations: 100,000+
Affected Software: Image Gallery <= 2.12.28
Patched Versions: Image Gallery 2.12.29

Mitigation steps: Update to Image Gallery plugin version 2.12.29 or greater.


VK All in One Expansion Unit – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11265
Number of Installations: 100,000+
Affected Software: VK All in One Expansion Unit <= 9.112.1
Patched Versions: VK All in One Expansion Unit 9.112.2

Mitigation steps: Update to VK All in One Expansion Unit plugin version 9.112.2 or greater.


Import any XML, CSV or Excel File to WordPress – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2025-12733
Number of Installations: 100,000+
Affected Software: Import any XML, CSV or Excel File to WordPress <= 3.7.5
Patched Versions: Import any XML, CSV or Excel File to WordPress 4.0.0

Mitigation steps: Update to Import any XML, CSV or Excel File to WordPress plugin version 4.0.0 or greater.


AI Engine – Privilege Escalation

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2025-11749
Number of Installations: 100,000+
Affected Software: AI Engine <= 3.1.3
Patched Versions: AI Engine 3.1.4

Mitigation steps: Update to AI Engine plugin version 3.1.4 or greater.


Popup and Slider Builder by Depicter – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11373
Number of Installations: 100,000+
Affected Software: Popup and Slider Builder by Depicter <= 4.0.4
Patched Versions: Popup and Slider Builder by Depicter 4.0.5

Mitigation steps: Update to Popup and Slider Builder by Depicter plugin version 4.0.5 or greater.


Download Manager – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-12177
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.30
Patched Versions: Download Manager 3.3.31

Mitigation steps: Update to Download Manager plugin version 3.3.31 or greater.


Envira Photo Gallery – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11448
Number of Installations: 100,000+
Affected Software: Envira Photo Gallery <= 1.11.9
Patched Versions: Envira Photo Gallery 1.12.0

Mitigation steps: Update to Envira Photo Gallery plugin version 1.12.0 or greater.


Orbit Fox – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12045
Number of Installations: 100,000+
Affected Software: Orbit Fox <= 3.0.2
Patched Versions: Orbit Fox 3.0.3

Mitigation steps: Update to Orbit Fox plugin version 3.0.3 or greater.


ShopLentor (formerly WooLentor) – Local File Inclusion

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-12493
Number of Installations: 100,000+
Affected Software: ShopLentor (formerly WooLentor) <= 3.2.5
Patched Versions: ShopLentor (formerly WooLentor) 3.2.6

Mitigation steps: Update to ShopLentor (formerly WooLentor) plugin version 3.2.6 or greater.


Advanced Ads – Arbitrary Code Execution

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2025-10487
Number of Installations: 100,000+
Affected Software: Advanced Ads <= 2.0.12
Patched Versions: Advanced Ads 2.0.13

Mitigation steps: Update to Advanced Ads plugin version 2.0.13 or greater.


Schema & Structured Data for WP & AMP – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11502
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.51
Patched Versions: Schema & Structured Data for WP & AMP 1.52

Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.52 or greater.


GiveWP – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13206
Number of Installations: 100,000+
Affected Software: GiveWP <= 4.13.0
Patched Versions: GiveWP 4.13.1

Mitigation steps: Update to GiveWP plugin version 4.13.1 or greater.


PublishPress Future – Broken Access Control

Security Risk: Low
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13149
Number of Installations: 100,000+
Affected Software: PublishPress Future <= 4.9.1
Patched Versions: PublishPress Future 4.9.2

Mitigation steps: Update to PublishPress Future plugin version 4.9.2 or greater.


Amelia – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2023-49282
Number of Installations: 90,000+
Affected Software: Amelia <= 1.2.36
Patched Versions: Amelia 1.2.37

Mitigation steps: Update to Amelia plugin version 1.2.37 or greater.


Amelia – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-12482
Number of Installations: 90,000+
Affected Software: Amelia <= 1.2.35
Patched Versions: Amelia 1.2.36

Mitigation steps: Update to Amelia plugin version 1.2.36 or greater.


Strong Testimonials – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-11268
Number of Installations: 90,000+
Affected Software: Strong Testimonials <= 3.2.16
Patched Versions: Strong Testimonials 3.2.17

Mitigation steps: Update to Strong Testimonials plugin version 3.2.17 or greater.


List category posts – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-11377
Number of Installations: 90,000+
Affected Software: List category posts <= 0.92.9
Patched Versions: List category posts 0.93.0

Mitigation steps: Update to List category posts plugin version 0.93.0 or greater.


HT Mega – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13141
Number of Installations: 80,000+
Affected Software: HT Mega <= 3.0.0
Patched Versions: HT Mega 3.0.1

Mitigation steps: Update to HT Mega plugin version 3.0.1 or greater.


LearnPress – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11368
Number of Installations: 80,000+
Affected Software: LearnPress <= 4.2.5.9
Patched Versions: LearnPress 4.3.0

Mitigation steps: Update to LearnPress plugin version 4.3.0 or greater.


Email Subscribers & Newsletters – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-12349
Number of Installations: 70,000+
Affected Software: Email Subscribers & Newsletters <= 5.9.10
Patched Versions: Email Subscribers & Newsletters 5.9.11

Mitigation steps: Update to Email Subscribers & Newsletters plugin version 5.9.11 or greater.


FluentCRM – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12935
Number of Installations: 70,000+
Affected Software: FluentCRM <= 2.9.84
Patched Versions: FluentCRM 2.9.85

Mitigation steps: Update to FluentCRM plugin version 2.9.85 or greater.


Greenshift – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11841
Number of Installations: 60,000+
Affected Software: Greenshift <= 12.2.7
Patched Versions: Greenshift 12.2.8

Mitigation steps: Update to Greenshift plugin version 12.2.8 or greater.


Qi Blocks – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12180
Number of Installations: 60,000+
Affected Software: Qi Blocks <= 1.4.3
Patched Versions: Qi Blocks 1.4.4

Mitigation steps: Update to Qi Blocks plugin version 1.4.4 or greater.


Qi Blocks – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12182
Number of Installations: 60,000+
Affected Software: Qi Blocks <= 1.4.3
Patched Versions: Qi Blocks 1.4.4

Mitigation steps: Update to Qi Blocks plugin version 1.4.4 or greater.


Premium Portfolio Features for Phlox theme – Local File Inclusion

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-12497
Number of Installations: 50,000+
Affected Software: Premium Portfolio Features for Phlox theme <= 2.3.11
Patched Versions: Premium Portfolio Features for Phlox theme 2.3.12

Mitigation steps: Update to Premium Portfolio Features for Phlox theme plugin version 2.3.12 or greater.


Blog2Social – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-13558
Number of Installations: 50,000+
Affected Software: Blog2Social <= 8.7.0
Patched Versions: Blog2Social 8.7.1

Mitigation steps: Update to Blog2Social plugin version 8.7.1 or greater.


Blog2Social – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12563
Number of Installations: 50,000+
Affected Software: Blog2Social <= 8.6.0
Patched Versions: Blog2Social 8.6.1

Mitigation steps: Update to Blog2Social plugin version 8.6.1 or greater.


Easy Digital Downloads – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11271
Number of Installations: 50,000+
Affected Software: Easy Digital Downloads <= 3.5.2
Patched Versions: Easy Digital Downloads 3.5.3

Mitigation steps: Update to Easy Digital Downloads plugin version 3.5.3 or greater.


Quick Featured Images – SQL Injection

Security Risk: High
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-11980
Number of Installations: 50,000+
Affected Software: Quick Featured Images <= 13.7.3
Patched Versions: Quick Featured Images 13.7.4

Mitigation steps: Update to Quick Featured Images plugin version 13.7.4 or greater.


Better Find and Replace – Arbitrary Code Execution

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2025-9334
Number of Installations: 50,000+
Affected Software: Better Find and Replace <= 1.7.7
Patched Versions: Better Find and Replace 1.7.8

Mitigation steps: Update to Better Find and Replace plugin version 1.7.8 or greater.


Better Find and Replace – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12360
Number of Installations: 50,000+
Affected Software: Better Find and Replace <= 1.7.7
Patched Versions: Better Find and Replace 1.7.8

Mitigation steps: Update to Better Find and Replace plugin version 1.7.8 or greater.


Tag, Category, and Taxonomy Manager – SQL Injection

Security Risk: High
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-11972
Number of Installations: 50,000+
Affected Software: Tag, Category, and Taxonomy Manager <= 3.40.0
Patched Versions: Tag, Category, and Taxonomy Manager 3.40.1

Mitigation steps: Update to Tag, Category, and Taxonomy Manager plugin version 3.40.1 or greater.


Booking Calendar – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-64381
Number of Installations: 50,000+
Affected Software: Booking Calendar <= 10.14.7
Patched Versions: Booking Calendar 10.14.8

Mitigation steps: Update to Booking Calendar plugin version 10.14.8 or greater.


Live sales notification for WooCommerce – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-12955
Number of Installations: 50,000+
Affected Software: Live sales notification for WooCommerce <= 2.3.39
Patched Versions: Live sales notification for WooCommerce 2.3.40

Mitigation steps: Update to Live sales notification for WooCommerce plugin version 2.3.40 or greater.


Pixel Manager for WooCommerce – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-12545
Number of Installations: 50,000+
Affected Software: Pixel Manager for WooCommerce <= 1.49.2
Patched Versions: Pixel Manager for WooCommerce 1.49.3

Mitigation steps: Update to Pixel Manager for WooCommerce plugin version 1.49.3 or greater.


WP Duplicate Page – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-12481
Number of Installations: 50,000+
Affected Software: WP Duplicate Page <= 1.7
Patched Versions: WP Duplicate Page 1.8

Mitigation steps: Update to WP Duplicate Page plugin version 1.8 or greater.


User Profile Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-13054
Number of Installations: 50,000+
Affected Software: User Profile Builder <= 3.14.8
Patched Versions: User Profile Builder 3.14.9

Mitigation steps: Update to User Profile Builder plugin version 3.14.9 or greater.


Themes


OnePress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5092
Number of Downloads: 2,469,341
Affected Software: OnePress (all versions)
Patched Versions: No fix available

Mitigation steps: Consider switching to an alternative theme, as no patch is currently available for OnePress. Disable or remove the theme if possible.


Update your website software to mitigate risk, starting with the entries above marked Critical and “No authentication required”, since those can be exploited by any visitor without an account. Users who are not able to update their software to the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.
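The following script is an added example, not Sucuri’s code, that turns the list above into a quick triage check: it reads the JSON that `wp plugin list --format=json --fields=name,status,version` prints, compares each installed version against the “Affected Software” bound using PHP `version_compare`-style ordering (so `4.2.5.9` sorts below `4.3.0` and `1.7.1031` below `1.7.1032`), and orders the findings so that unauthenticated Critical issues surface first. The plugin slugs in `ADVISORIES` and the sample plugin list are assumptions constructed for the example; the version numbers and risk levels are copied from the entries above.

```python
"""Triage a site's installed plugins against the advisory list above.

Added example, not Sucuri's code. Feed it the JSON emitted by
`wp plugin list --format=json --fields=name,status,version` and it reports
every installed plugin whose version is at or below the last affected
version, ordered so that unauthenticated Critical issues come first.
"""
import json
import re

# (last affected version, first patched version, risk, lowest role needed; None = unauthenticated)
# Slugs are ASSUMED from the plugin names; the values are copied from the entries above.
ADVISORIES = {
    "all-in-one-seo-pack": ("4.8.9", "4.9.0", "Medium", "Contributor"),
    "code-snippets":       ("3.9.1", "3.9.2", "High", "Contributor"),
    "w3-total-cache":      ("2.8.12", "2.8.13", "Critical", None),
    "the-events-calendar": ("6.15.9", "6.15.10", "Critical", None),
    "post-smtp":           ("3.6.0", "3.6.1", "Critical", None),
    "learnpress":          ("4.2.5.9", "4.3.0", "Medium", None),
    "list-category-posts": ("0.92.9", "0.93.0", "Medium", "Contributor"),
    "duplicate-page":      ("1.7", "1.8", "Medium", "Contributor"),
}

# Pre-release tags sort below a plain release, as in PHP's version_compare().
_PRE = {"dev": -5, "alpha": -4, "a": -4, "beta": -3, "b": -3, "rc": -2, "pl": 1, "p": 1}


def version_key(version):
    """Turn '4.2.5.9' or '1.0-rc1' into a list of comparable tuples."""
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        if tok.isdigit():
            key.append((1, int(tok)))  # numeric segment: compare as an integer, never as text
        else:
            key.append((0, _PRE.get(tok.lower(), -6)))  # unknown tag sorts lowest, like PHP
    return key


def compare(a, b):
    """Return -1, 0 or 1 like PHP's version_compare(). Unlike PHP, '1.7' == '1.7.0',
    which is the conservative choice when matching a '<= 1.7' advisory bound."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


_RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def triage(plugin_list_json, advisories=ADVISORIES):
    """Return the vulnerable plugins found in `wp plugin list` JSON output.
    Inactive plugins are reported too: their code is still on disk, and some
    plugin files can be reached directly without the plugin being active."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        adv = advisories.get(plugin["name"])
        if adv is None:
            continue
        last_bad, fixed, risk, role = adv
        if compare(plugin["version"], last_bad) <= 0:
            findings.append({
                "slug": plugin["name"],
                "status": plugin.get("status", "unknown"),
                "installed": plugin["version"],
                "fixed_in": fixed,
                "risk": risk,
                "auth": role,
            })
    # Highest risk first; within a risk level, unauthenticated (role is None) before authenticated.
    findings.sort(key=lambda f: (_RISK_ORDER[f["risk"]], f["auth"] is not None, f["slug"]))
    return findings


# Constructed sample of `wp plugin list --format=json --fields=name,status,version` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "w3-total-cache", "status": "active", "version": "2.8.12"},
    {"name": "code-snippets", "status": "inactive", "version": "3.9.2"},
    {"name": "the-events-calendar", "status": "active", "version": "6.15.10"},
    {"name": "duplicate-page", "status": "active", "version": "1.7"},
    {"name": "learnpress", "status": "active", "version": "4.2.5.9"},
    {"name": "post-smtp", "status": "active", "version": "3.5.0"},
    {"name": "akismet", "status": "active", "version": "5.5"},
])

if __name__ == "__main__":
    import sys
    # Read real wp-cli output from a pipe; fall back to the constructed sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for f in triage(data):
        who = "unauthenticated" if f["auth"] is None else f"{f['auth']}+"
        print(f"{f['risk']:<8} {who:<16} {f['slug']} {f['installed']} ({f['status']}) -> update to {f['fixed_in']}")
```

Run it on a live site with `wp plugin list --format=json --fields=name,status,version | python3 triage.py`. On the constructed sample it flags Post SMTP and W3 Total Cache (Critical, unauthenticated) ahead of LearnPress and WP Duplicate Page, and correctly leaves Code Snippets 3.9.2 and The Events Calendar 6.15.10 alone because they are already past the affected bound. Keep the slug mapping under review: a wrong slug silently produces no finding, which is the failure mode you least want in a patch check.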