WordPress Vulnerability Report — July 2, 2025

Since last week, 213 new vulnerabilities emerged in the WordPress ecosystem, including 175 plugins and 38 themes. 149 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Jul 2, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:2 min.

In this report, 213 vulnerabilities have been publicly disclosed. Security patches for 64 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 149 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 49 Patched / 126 Unpatched

2.1 Mollie Payments for WooCommerce
2.2 WP Edit
2.3 Cyrlitera – transliteration of links and file names
2.4 HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
2.5 YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service
2.6 Gmedia Photo Gallery
2.7 Hover Effects – easily create any hover effect
2.8 Additional Order Filters for WooCommerce
2.9 Cron Logger
2.10 WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons
2.11 Address Autocomplete via Google for Gravity Forms
2.12 Hide Admin Bar From Front End
2.13 Image Cleanup
2.14 Import external attachments
2.15 Leyka
2.16 My Wp Brand – Hide menu & Hide Plugin
2.17 ONet Regenerate Thumbnails
2.18 Slickstream: Engagement and Conversions
2.19 Virusdie – One-click website security
2.20 WP Permalink Translator
2.21 WP YouTube Live
2.22 Writesonic
2.23 Omnipress
2.24 IS-theme-companion
2.25 Football Pool
2.26 WPB Category Slider for WooCommerce – Product Categories Carousel Slider & Grid with Icon and Images
2.27 PlatiOnline Payments
2.28 Spreadconnect
2.29 Add & Replace Affiliate Links for Amazon
2.30 Thumbnail Editor
2.31 Trusty Whistleblowing Solution
2.32 WP DataTable
2.33 Dashboard Widget Sidebar
2.34 iCount Payment Gateway
2.35 MobiLoud – WordPress Mobile Apps – Convert your WordPress Website to Native Mobile Apps
2.36 EC Stars Rating
2.37 Theme Junkie Team Content
2.38 Abandoned Contact Form 7
2.39 Accept Stripe Payments Using Contact Form 7
2.40 Aviation Weather from NOAA
2.41 Osom Blocks
2.42 Accept Authorize.NET Payments Using Contact Form 7
2.43 Content Manager Light
2.44 WP Forum Server
2.45 WP Forum Server
2.46 HidePost
2.47 National Weather Service Alerts
2.48 Navayan Subscribe
2.49 OnionBuzz
2.50 Pre-Publish Post Checklist
2.51 Raise The Money
2.52 Relocate Upload
2.53 Twitch TV Embed Suite
2.54 Video List Manager
2.55 WP DB Booster
2.56 WP Optimizer
2.57 WPShapere Lite
2.58 xili-dictionary
2.59 Infility Global
2.60 MDJM Event Management
2.61 Track Everything
2.62 Photo Express for Google
2.63 My Resume Builder
2.64 DirectIQ Email Marketing
2.65 A/B Testing for WordPress
2.66 Aioseo Multibyte Descriptions
2.67 Backwp
2.68 Beauty Contact Popup Form
2.69 CMS Blocks
2.70 Contact Form – 7 : Hide Success Message
2.71 CTUsers
2.72 Davenport – Versatile Blog and Magazine WordPress Theme
2.73 Devnex Addons For Elementor
2.74 Drive Folder Embedder
2.75 enigma-buttons
2.76 Evangelische Termine
2.77 File Manager Plugin For WordPress
2.78 FL3R Accessibility Suite
2.79 Flexo Counter
2.80 Free Downloads EDD
2.81 FW Food Menu
2.82 FW Gallery
2.83 FW Gallery
2.84 Game Users Share Buttons
2.85 GC Social Wall
2.86 GG Bought Together for WooCommerce
2.87 Homerunner
2.88 Image Shadow
2.89 Image Slider With Description
2.90 Amazon Products to WooCommerce
2.91 Namasha By Mdesign
2.92 Opal Estate Pro
2.93 Plugin Inspector
2.94 Podcast Feed Player Widget and Shortcode
2.95 Post Rating and Review
2.96 PT Project Notebooks
2.97 Simple Link Directory
2.98 Quick Favicon
2.99 re.place
2.100 Responsive Food and Drink Menu
2.101 Owl carousel responsive
2.102 RSS Digest
2.103 SB Breadcrumbs
2.104 WP SmartPay
2.105 Spo?eczno?ciowa 6 PL 2013
2.106 The Countdown – Block Countdown Timer
2.107 The Pack Elementor addons
2.108 TimeZoneCalculator
2.109 Tournament Bracket Generator
2.110 Rankie
2.111 VG WORT METIS
2.112 VG WORT METIS
2.113 VR Calendar
2.114 web-cam
2.115 Email Address Security by WebEmailProtector
2.116 Event RSVP and Simple Event Management Plugin
2.117 WP GDPR Cookie Consent
2.118 JobSearch
2.119 WP Optimize By xTraffic
2.120 WP-PhotoNav
2.121 WP-Recall
2.122 WP SoundSystem
2.123 WP Visual Sitemap
2.124 WP Wall
2.125 WPCRM – CRM for Contact form CF7 & WooCommerce
2.126 WPKit For Elementor
2.127 Ninja Forms – The Contact Form Builder That Grows With You
2.128 Royal Elementor Addons and Templates
2.129 SiteOrigin Widgets Bundle
2.130 Burst Statistics – Privacy-Friendly Analytics for WordPress
2.131 Firelight Lightbox
2.132 Qi Addons For Elementor
2.133 Usercentrics Cookiebot – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode
2.134 Responsive Lightbox & Gallery
2.135 Ninja Tables – Easy Data Table Builder
2.136 Ultra Addons for Contact Form 7
2.137 Ultra Addons for Contact Form 7
2.138 HT Slider For Elementor
2.139 WP Map Block – Gutenberg Map Block for Google Map and OpenStreet Map by aBlocks
2.140 Frontend Admin by DynamiApps
2.141 Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
2.142 Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin
2.143 BuddyPress Docs
2.144 AI ChatBot for WordPress – WPBot
2.145 Hotel Booking
2.146 Post Carousel Slider for Elementor
2.147 Responsive Blocks – WordPress Gutenberg Blocks
2.148 PDF Builder for WooCommerce. Create invoices,packing slips and more
2.149 HT Mega – Absolute Addons for WPBakery Page Builder
2.150 Off-Canvas Sidebars & Menus (Slidebars)
2.151 Popup addon for Ninja Forms
2.152 WP AdCenter – Ad Manager & Adsense Ads
2.153 Image Editor by Pixo
2.154 Booking Calendar Contact Form
2.155 SmartAgenda – Prise de rendez-vous en ligne
2.156 Conference Scheduler
2.157 Content No Cache | Serve uncached partial content even when you add it to a page that is fully cached.
2.158 Audio Editor & Recorder
2.159 Euro FxRef Currency Converter
2.160 Guest posting / Frontend Posting / Front Editor – WP Front User Submit
2.161 SERPed.net
2.162 WP Masonry & Infinite Scroll
2.163 isMobile() Shortcode for WordPress
2.164 Modern Design Library
2.165 MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet
2.166 Simple Payment
2.167 Aiomatic
2.168 BeeTeam368 Extensions
2.169 BeeTeam368 Extensions Pro
2.170 Drag and Drop Multiple File Upload (Pro) – WooCommerce
2.171 Everest Forms Pro
2.172 JetEngine
2.173 BRW
2.174 Team Showcase
2.175 Zikzag Core

3. WordPress Themes — 15 Patched / 23 Unpatched

3.1 Constructor
3.2 Zita
3.3 PrintXtore
3.4 Zenny
3.5 CityGov
3.6 Domnoo
3.7 Homey
3.8 Homey
3.9 Katerio – Magazine
3.10 LMS
3.11 LMS
3.12 LogisticsHub
3.13 MagOne
3.14 MBStore – Digital WooCommerce WordPress Theme
3.15 Nuss
3.16 Pressroom – News Magazine WordPress Theme
3.17 RealtyElite
3.18 Red Art
3.19 Sala
3.20 Samex – Clean, Minimal Shop WooCommerce WordPress Theme
3.21 Seven Stars
3.22 SNS Vicky
3.23 Sofass
3.24 Blogbyte
3.25 Blogmine
3.26 Blogprise
3.27 Blogty
3.28 Blogvy
3.29 Magty
3.30 Magways
3.31 Magze
3.32 Neom Blog
3.33 Amely
3.34 DWT – Directory & Listing
3.35 Elessi
3.36 Greenmart
3.37 Litho
3.38 Puca

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.1 was released on April 30, 2025. This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

WordPress Plugins — 49 Patched / 126 Unpatched

Plugin:: Mollie Payments for WooCommerce
Plugin Slug:: mollie-payments-for-woocommerce
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39362

Plugin:: WP Edit
Plugin Slug:: wp-edit
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53253

Plugin:: Cyrlitera – transliteration of links and file names
Plugin Slug:: cyrlitera
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53254

Plugin:: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
Plugin Slug:: hurrytimer
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53255

Plugin:: YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service
Plugin Slug:: yaysmtp
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53256

Plugin:: Gmedia Photo Gallery
Plugin Slug:: grand-media
Installations: 9,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53257

Plugin:: Hover Effects – easily create any hover effect
Plugin Slug:: hover-effects
Installations: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53258

Plugin:: Additional Order Filters for WooCommerce
Plugin Slug:: additional-order-filters-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53271

Plugin:: Cron Logger
Plugin Slug:: cron-logger
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53266

Plugin:: WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons
Plugin Slug:: easy-sticky-sidebar
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53270

Plugin:: Address Autocomplete via Google for Gravity Forms
Plugin Slug:: gf-google-address-autocomplete
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53263

Plugin:: Hide Admin Bar From Front End
Plugin Slug:: hide-admin-bar-from-front-end
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53267

Plugin:: Image Cleanup
Plugin Slug:: image-cleanup
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53272

Plugin:: Import external attachments
Plugin Slug:: import-external-attachments
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53268

Plugin:: Leyka
Plugin Slug:: leyka
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53275

Plugin:: My Wp Brand – Hide menu & Hide Plugin
Plugin Slug:: my-wp-brand
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53269

Plugin:: ONet Regenerate Thumbnails
Plugin Slug:: onet-regenerate-thumbnails
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53264

Plugin:: Slickstream: Engagement and Conversions
Plugin Slug:: slick-engagement
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53273

Plugin:: Virusdie – One-click website security
Plugin Slug:: virusdie
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53265

Plugin:: WP Permalink Translator
Plugin Slug:: wp-permalink-translator
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53274

Plugin:: WP YouTube Live
Plugin Slug:: wp-youtube-live
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53261

Plugin:: Writesonic
Plugin Slug:: writesonic
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53262

Plugin:: Omnipress
Plugin Slug:: omnipress
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53276

Plugin:: IS-theme-companion
Plugin Slug:: weblizar-companion
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53277

Plugin:: Football Pool
Plugin Slug:: football-pool
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53280

Plugin:: WPB Category Slider for WooCommerce – Product Categories Carousel Slider & Grid with Icon and Images
Plugin Slug:: wpb-woocommerce-category-slider
Installations: 900+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53281

Plugin:: PlatiOnline Payments
Plugin Slug:: plationline
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53288

Plugin:: Spreadconnect
Plugin Slug:: wc-spod
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53291

Plugin:: Add & Replace Affiliate Links for Amazon
Plugin Slug:: add-replace-affiliate-links-for-amazon
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53285

Plugin:: Thumbnail Editor
Plugin Slug:: thumbnail-editor
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53282

Plugin:: Trusty Whistleblowing Solution
Plugin Slug:: trusty-whistleblowing-solution
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52818

Plugin:: WP DataTable
Plugin Slug:: wp-datatable
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53292

Plugin:: Dashboard Widget Sidebar
Plugin Slug:: dashboard-widget-sidebar
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53293

Plugin:: iCount Payment Gateway
Plugin Slug:: icount
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53295

Plugin:: MobiLoud – WordPress Mobile Apps – Convert your WordPress Website to Native Mobile Apps
Plugin Slug:: mobiloud-mobile-app-plugin
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52813

Plugin:: EC Stars Rating
Plugin Slug:: ec-stars-rating
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53296

Plugin:: Theme Junkie Team Content
Plugin Slug:: theme-junkie-team-content
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53301

Plugin:: Abandoned Contact Form 7
Plugin Slug:: abandoned-contact-form-7
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52817

Plugin:: Accept Stripe Payments Using Contact Form 7
Plugin Slug:: accept-stripe-payments-using-contact-form-7
Installations: 200+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53309

Plugin:: Aviation Weather from NOAA
Plugin Slug:: aviation-weather-from-noaa
Installations: 200+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28980

Plugin:: Osom Blocks
Plugin Slug:: osomblocks
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5940

Plugin:: Accept Authorize.NET Payments Using Contact Form 7
Plugin Slug:: accept-authorize-net-payments-using-contact-form-7
Installations: 100+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53322

Plugin:: Content Manager Light
Plugin Slug:: content-manager-light
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24771

Plugin:: WP Forum Server
Plugin Slug:: forum-server
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53306

Plugin:: WP Forum Server
Plugin Slug:: forum-server
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53305

Plugin:: HidePost
Plugin Slug:: hidepost
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53310

Plugin:: National Weather Service Alerts
Plugin Slug:: national-weather-service-alerts
Installations: 100+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52809

Plugin:: Navayan Subscribe
Plugin Slug:: navayan-subscribe
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53311

Plugin:: OnionBuzz
Plugin Slug:: onionbuzz-viral-quiz
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53312

Plugin:: Pre-Publish Post Checklist
Plugin Slug:: pre-publish-post-checklist
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53323

Plugin:: Raise The Money
Plugin Slug:: raise-the-money
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53321

Plugin:: Relocate Upload
Plugin Slug:: relocate-upload
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53315

Plugin:: Twitch TV Embed Suite
Plugin Slug:: twitch-tv-embed-suite
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53313

Plugin:: Video List Manager
Plugin Slug:: video-list-manager
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52776

Plugin:: WP DB Booster
Plugin Slug:: wp-db-booster
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53318

Plugin:: WP Optimizer
Plugin Slug:: wp-optimizer
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-53314

Plugin:: WPShapere Lite
Plugin Slug:: wpshapere-lite
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53317

Plugin:: xili-dictionary
Plugin Slug:: xili-dictionary
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52778

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 90+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52774

Plugin:: MDJM Event Management
Plugin Slug:: mobile-dj-manager
Installations: 90+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52824

Plugin:: Track Everything
Plugin Slug:: track-everything
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53332

Plugin:: Photo Express for Google
Plugin Slug:: photo-express-for-google
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-27361

Plugin:: My Resume Builder
Plugin Slug:: my-resume-builder
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53336

Plugin:: DirectIQ Email Marketing
Plugin Slug:: directiq-wp
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52829

Plugin:: A/B Testing for WordPress
Plugin Slug:: ab-testing-for-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4587

Plugin:: Aioseo Multibyte Descriptions
Plugin Slug:: aioseo-multibyte-descriptions
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53327

Plugin:: Backwp
Plugin Slug:: backwp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28956

Plugin:: Beauty Contact Popup Form
Plugin Slug:: beauty-contact-popup-form
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53325

Plugin:: CMS Blocks
Plugin Slug:: cms-blocks
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53284

Plugin:: Contact Form – 7 : Hide Success Message
Plugin Slug:: contact-form-7-hide-success-message
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53304

Plugin:: CTUsers
Plugin Slug:: ctuser
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32298

Plugin:: Davenport – Versatile Blog and Magazine WordPress Theme
Plugin Slug:: davenport
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52811

Plugin:: Devnex Addons For Elementor
Plugin Slug:: devnex-addons-for-elementor
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53339

Plugin:: Drive Folder Embedder
Plugin Slug:: drive-folder-embeder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6546

Plugin:: enigma-buttons
Plugin Slug:: e.nigma buttons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5535

Plugin:: Evangelische Termine
Plugin Slug:: evangtermine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28960

Plugin:: File Manager Plugin For WordPress
Plugin Slug:: file-manager-plugin-for-wordpress
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-53260

Plugin:: FL3R Accessibility Suite
Plugin Slug:: fl3r-accessibility-suite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6689

Plugin:: Flexo Counter
Plugin Slug:: flexo-countdown
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-50052

Plugin:: Free Downloads EDD
Plugin Slug:: free-downloads-edd
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53320

Plugin:: FW Food Menu
Plugin Slug:: fw-food-menu
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49448

Plugin:: FW Gallery
Plugin Slug:: fw-gallery
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49414

Plugin:: FW Gallery
Plugin Slug:: fw-gallery
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49416

Plugin:: Game Users Share Buttons
Plugin Slug:: game-users-share-buttons
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6755

Plugin:: GC Social Wall
Plugin Slug:: gc-social-wall
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5564

Plugin:: GG Bought Together for WooCommerce
Plugin Slug:: gg-bought-together
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-23967

Plugin:: Homerunner
Plugin Slug:: homerunner-smartcheckout
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5932

Plugin:: Image Shadow
Plugin Slug:: image-shadow
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24765

Plugin:: Image Slider With Description
Plugin Slug:: image-slider-with-description
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53308

Plugin:: Amazon Products to WooCommerce
Plugin Slug:: import-products-to-wc
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5813

Plugin:: Namasha By Mdesign
Plugin Slug:: namasha-by-mdesign
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6537

Plugin:: Opal Estate Pro
Plugin Slug:: opal-estate-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6934

Plugin:: Plugin Inspector
Plugin Slug:: plugin-inspector
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53298

Plugin:: Podcast Feed Player Widget and Shortcode
Plugin Slug:: podcast-feed-player-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53300

Plugin:: Post Rating and Review
Plugin Slug:: post-rating-and-review
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6538

Plugin:: PT Project Notebooks
Plugin Slug:: project-notebooks
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-5304

Plugin:: Simple Link Directory
Plugin Slug:: qc-simple-link-directory
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32297

Plugin:: Quick Favicon
Plugin Slug:: quick-favicon
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53287

Plugin:: re.place
Plugin Slug:: replace
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53338

Plugin:: Responsive Food and Drink Menu
Plugin Slug:: responsive-food-and-drink-menu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6378

Plugin:: Owl carousel responsive
Plugin Slug:: responsive-owl-carousel
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5590

Plugin:: RSS Digest
Plugin Slug:: rss-digest
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53331

Plugin:: SB Breadcrumbs
Plugin Slug:: sb-breadcrumbs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28978

Plugin:: WP SmartPay
Plugin Slug:: smartpay
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-25171

Plugin:: Spo?eczno?ciowa 6 PL 2013
Plugin Slug:: spolecznosciowa-6-pl-2013
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53329

Plugin:: The Countdown – Block Countdown Timer
Plugin Slug:: the-countdown
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5929

Plugin:: The Pack Elementor addons
Plugin Slug:: the-pack-addon
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6550

Plugin:: TimeZoneCalculator
Plugin Slug:: timezonecalculator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5559

Plugin:: Tournament Bracket Generator
Plugin Slug:: tournament-bracket-generator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6290

Plugin:: Rankie
Plugin Slug:: valvepress-rankie
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39487

Plugin:: VG WORT METIS
Plugin Slug:: vgw-metis
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5812

Plugin:: VG WORT METIS
Plugin Slug:: vgw-metis
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50039

Plugin:: VR Calendar
Plugin Slug:: vr-calendar-sync
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5936

Plugin:: web-cam
Plugin Slug:: web-cam
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6540

Plugin:: Email Address Security by WebEmailProtector
Plugin Slug:: webemailprotector
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28976

Plugin:: Event RSVP and Simple Event Management Plugin
Plugin Slug:: wp-easy-events
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5540

Plugin:: WP GDPR Cookie Consent
Plugin Slug:: wp-gdpr-cookie-consen
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53316

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52798

Plugin:: WP Optimize By xTraffic
Plugin Slug:: wp-optimize-by-xtraffic
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28970

Plugin:: WP-PhotoNav
Plugin Slug:: wp-photonav
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6383

Plugin:: WP-Recall
Plugin Slug:: wp-recall
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52796

Plugin:: WP SoundSystem
Plugin Slug:: wp-soundsystem
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6258

Plugin:: WP Visual Sitemap
Plugin Slug:: wp-visual-sitemap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53290

Plugin:: WP Wall
Plugin Slug:: wp-wall
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28968

Plugin:: WPCRM – CRM for Contact form CF7 & WooCommerce
Plugin Slug:: wpcrm
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24774

Plugin:: WPKit For Elementor
Plugin Slug:: wpkit-elementor
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-32281

Plugin:: Ninja Forms – The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.2.2
Severity Score:: Medium
CVE:: 2025-5398

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1025
Severity Score:: Medium
CVE:: 2025-5338

Plugin:: SiteOrigin Widgets Bundle
Plugin Slug:: so-widgets-bundle
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.69.0
Severity Score:: Medium
CVE:: 2025-5585

Plugin:: Burst Statistics – Privacy-Friendly Analytics for WordPress
Plugin Slug:: burst-statistics
Installations: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2025-53193

Plugin:: Firelight Lightbox
Plugin Slug:: easy-fancybox
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.16
Severity Score:: Medium
CVE:: 2025-5035

Plugin:: Qi Addons For Elementor
Plugin Slug:: qi-addons-for-elementor
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.2
Severity Score:: Medium
CVE:: 2025-6252

Plugin:: Usercentrics Cookiebot – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode
Plugin Slug:: cookiebot
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.5.9
Severity Score:: Medium
CVE:: 2025-53197

Plugin:: Responsive Lightbox & Gallery
Plugin Slug:: responsive-lightbox
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.2
Severity Score:: Medium
CVE:: 2025-5093

Plugin:: Ninja Tables – Easy Data Table Builder
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.0.19
Severity Score:: High
CVE:: 2025-2940

Plugin:: Ultra Addons for Contact Form 7
Plugin Slug:: ultimate-addons-for-contact-form-7
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.22
Severity Score:: Medium
CVE:: 2025-6756

Plugin:: Ultra Addons for Contact Form 7
Plugin Slug:: ultimate-addons-for-contact-form-7
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.20
Severity Score:: High
CVE:: 2025-6212

Plugin:: HT Slider For Elementor
Plugin Slug:: ht-slider-for-elementor
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2025-53199

Plugin:: WP Map Block – Gutenberg Map Block for Google Map and OpenStreet Map by aBlocks
Plugin Slug:: wp-map-block
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.3
Severity Score:: Medium
CVE:: 2025-5194

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.28.8
Severity Score:: Medium
CVE:: 2025-49303

Plugin:: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.6.2
Severity Score:: Medium
CVE:: 2025-5275

Plugin:: Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.29
Severity Score:: High
CVE:: 2025-49321

Plugin:: BuddyPress Docs
Plugin Slug:: buddypress-docs
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2025-5526

Plugin:: AI ChatBot for WordPress – WPBot
Plugin Slug:: chatbot
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.7.5
Severity Score:: Medium
CVE:: 2025-53200

Plugin:: Hotel Booking
Plugin Slug:: nd-booking
Installations: 5,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.8
Severity Score:: High
CVE:: 2025-53259

Plugin:: Post Carousel Slider for Elementor
Plugin Slug:: post-carousel-slider-for-elementor
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.0
Severity Score:: Medium
CVE:: 2025-3863

Plugin:: Responsive Blocks – WordPress Gutenberg Blocks
Plugin Slug:: responsive-block-editor-addons
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.7
Severity Score:: Medium
CVE:: 2025-53202

Plugin:: PDF Builder for WooCommerce. Create invoices,packing slips and more
Plugin Slug:: woo-pdf-invoice-builder
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.149
Severity Score:: Medium
CVE:: 2025-53203

Plugin:: HT Mega – Absolute Addons for WPBakery Page Builder
Plugin Slug:: ht-mega-for-wpbakery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.9
Severity Score:: Medium
CVE:: 2025-53206

Plugin:: Off-Canvas Sidebars & Menus (Slidebars)
Plugin Slug:: off-canvas-sidebars
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.5.8.5
Severity Score:: High
CVE:: 2025-49290

Plugin:: Popup addon for Ninja Forms
Plugin Slug:: popup-addon-for-ninja-forms
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5
Severity Score:: Medium
CVE:: 2025-53279

Plugin:: WP AdCenter – Ad Manager & Adsense Ads
Plugin Slug:: wpadcenter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2025-53278

Plugin:: Image Editor by Pixo
Plugin Slug:: image-editor-by-pixo
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.7
Severity Score:: Medium
CVE:: 2025-5588

Plugin:: Booking Calendar Contact Form
Plugin Slug:: booking-calendar-contact-form
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2025-48231

Plugin:: SmartAgenda – Prise de rendez-vous en ligne
Plugin Slug:: smart-agenda-prise-de-rendez-vous-en-ligne
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0
Severity Score:: Medium
CVE:: 2025-53294

Plugin:: Conference Scheduler
Plugin Slug:: conference-scheduler
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.2
Severity Score:: Medium
CVE:: 2025-5258

Plugin:: Content No Cache | Serve uncached partial content even when you add it to a page that is fully cached.
Plugin Slug:: content-no-cache
Installations: 300+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 0.1.5
Severity Score:: High
CVE:: 2025-28993

Plugin:: Audio Editor & Recorder
Plugin Slug:: audio-editor-recorder
Installations: 200+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.4
Severity Score:: Medium
CVE:: 2025-53211

Plugin:: Euro FxRef Currency Converter
Plugin Slug:: euro-fxref-currency-converter
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.3
Severity Score:: Medium
CVE:: 2025-6257

Plugin:: Guest posting / Frontend Posting / Front Editor – WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.4
Severity Score:: High
CVE:: 2025-28988

Plugin:: SERPed.net
Plugin Slug:: serped-net
Installations: 200+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.7
Severity Score:: High
CVE:: 2025-28998

Plugin:: WP Masonry & Infinite Scroll
Plugin Slug:: wp-masonry-infinite-scroll
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3
Severity Score:: Medium
CVE:: 2025-5488

Plugin:: isMobile() Shortcode for WordPress
Plugin Slug:: ismobile
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.2
Severity Score:: Medium
CVE:: 2025-6488

Plugin:: Modern Design Library
Plugin Slug:: mdl-shortcodes
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2025-5842

Plugin:: MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet
Plugin Slug:: paid-membership
Installations: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-5937

Plugin:: Simple Payment
Plugin Slug:: simple-payment
Installations: 40+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.3.9
Severity Score:: Critical
CVE:: 2025-6688

Plugin:: Aiomatic
Plugin Slug:: aiomatic-automatic-ai-content-writer
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.5.1
Severity Score:: High
CVE:: 2025-6206

Plugin:: BeeTeam368 Extensions
Plugin Slug:: beeteam368-extensions
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.3.5
Severity Score:: High
CVE:: 2025-6381

Plugin:: BeeTeam368 Extensions Pro
Plugin Slug:: beeteam368-extensions-pro
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.3.5
Severity Score:: High
CVE:: 2025-6379

Plugin:: Drag and Drop Multiple File Upload (Pro) – WooCommerce
Plugin Slug:: drag-and-drop-file-upload-wc-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 5.0.7
Severity Score:: Critical
CVE:: 2025-49885

Plugin:: Everest Forms Pro
Plugin Slug:: everest-forms-pro
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.9.5
Severity Score:: High
CVE:: 2025-5927

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.1.1
Severity Score:: Medium
CVE:: 2025-53195

Plugin:: BRW
Plugin Slug:: ova-brw
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8.8
Severity Score:: High
CVE:: 2025-52814

Plugin:: Team Showcase
Plugin Slug:: team-showcase-cm
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 25.05.13
Severity Score:: High
CVE:: 2025-49247

Plugin:: Zikzag Core
Plugin Slug:: zikzag-core
Vulnerability:: Local File Inclusion
Patched in Version:: 1.4.6
Severity Score:: High
CVE:: 2025-49886

WordPress Themes — 15 Patched / 23 Unpatched

Theme:: Constructor
Theme Slug:: constructor
Downloads: 435,600
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53302

Theme:: Zita
Theme Slug:: zita
Downloads: 405,845
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52816

Theme:: PrintXtore
Theme Slug:: bw-printxtore
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28946

Theme:: Zenny
Theme Slug:: bw-zenny
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24769

Theme:: CityGov
Theme Slug:: citygov
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52815

Theme:: Domnoo
Theme Slug:: domnoo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52812

Theme:: Homey
Theme Slug:: homey
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31037

Theme:: Homey
Theme Slug:: homey
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52834

Theme:: Katerio – Magazine
Theme Slug:: katerio
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52810

Theme:: LMS
Theme Slug:: lms
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52833

Theme:: LMS
Theme Slug:: lms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52799

Theme:: LogisticsHub
Theme Slug:: logistics-hub
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30933

Theme:: MagOne
Theme Slug:: magone
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39488

Theme:: MBStore – Digital WooCommerce WordPress Theme
Theme Slug:: mbstore
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28947

Theme:: Nuss
Theme Slug:: nuss
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52827

Theme:: Pressroom – News Magazine WordPress Theme
Theme Slug:: pressroom
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32311

Theme:: RealtyElite
Theme Slug:: realtyelite
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52808

Theme:: Red Art
Theme Slug:: redart
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52828

Theme:: Sala
Theme Slug:: sala
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52826

Theme:: Samex – Clean, Minimal Shop WooCommerce WordPress Theme
Theme Slug:: samex
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-25998

Theme:: Seven Stars
Theme Slug:: sevenstars
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31067

Theme:: SNS Vicky
Theme Slug:: snsvicky
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28990

Theme:: Sofass
Theme Slug:: sofass
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24760

Theme:: Blogbyte
Theme Slug:: blogbyte
Downloads: 5,082
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.2
Severity Score:: High
CVE:: 2025-49275

Theme:: Blogmine
Theme Slug:: blogmine
Downloads: 3,498
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.8
Severity Score:: High
CVE:: 2025-49276

Theme:: Blogprise
Theme Slug:: blogprise
Downloads: 5,171
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.10
Severity Score:: High
CVE:: 2025-49277

Theme:: Blogty
Theme Slug:: blogty
Downloads: 3,128
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.12
Severity Score:: High
CVE:: 2025-49278

Theme:: Blogvy
Theme Slug:: blogvy
Downloads: 4,752
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.8
Severity Score:: High
CVE:: 2025-49279

Theme:: Magty
Theme Slug:: magty
Downloads: 2,670
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.7
Severity Score:: High
CVE:: 2025-49280

Theme:: Magways
Theme Slug:: magways
Downloads: 1,899
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.2
Severity Score:: High
CVE:: 2025-49281

Theme:: Magze
Theme Slug:: magze
Downloads: 3,707
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.10
Severity Score:: High
CVE:: 2025-49282

Theme:: Neom Blog
Theme Slug:: neom-blog
Downloads: 22,211
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.1.0
Severity Score:: High
CVE:: 2025-49274

Theme:: Amely
Theme Slug:: amely
Vulnerability:: SQL Injection
Patched in Version:: 3.2.0
Severity Score:: Critical
CVE:: 2025-39474

Theme:: DWT – Directory & Listing
Theme Slug:: dwt-listing
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.7
Severity Score:: Critical
CVE:: 2024-12827

Theme:: Elessi
Theme Slug:: elessi-theme
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.1
Severity Score:: High
CVE:: 2025-49873

Theme:: Greenmart
Theme Slug:: greenmart
Vulnerability:: Local File Inclusion
Patched in Version:: 4.2.4
Severity Score:: High
CVE:: 2025-49883

Theme:: Litho
Theme Slug:: litho
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2025-49879

Theme:: Puca
Theme Slug:: puca
Vulnerability:: Local File Inclusion
Patched in Version:: 2.6.34
Severity Score:: High
CVE:: 2025-30992

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 49 Patched / 126 Unpatched