WordPress Vulnerability Report — July 16, 2025

Since last week, 109 new vulnerabilities have emerged in the WordPress ecosystem, including 89 plugins and 20 themes. 44 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Jul 16, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:2 min.

In this report, 109 vulnerabilities have been publicly disclosed. Security patches for 65 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 44 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 56 Patched / 33 Unpatched

2.1 URL Shortener Plugin For WordPress
2.2 URL Shortener Plugin For WordPress
2.3 WP Pipes
2.4 Contact Form 7 Editor Button
2.5 Tennis Court Bookings
2.6 Dot html,php,xml etc pages
2.7 SMu Manual DoFollow
2.8 Media Folder
2.9 Pay with Contact Form 7
2.10 Infility Global
2.11 Ultimate Push Notifications ( Mobile / Desktop ), Receive Notification From WooCommerce, BuddyPress, WordPress Default Events & Many More
2.12 Torod – The smart shipping and delivery portal for e-shops and retailers
2.13 WordPress-WPJobBoard
2.14 WP-BusinessDirectory – Business directory plugin for WordPress
2.15 CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online
2.16 Pakke Envíos
2.17 Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer)
2.18 GoZen Forms
2.19 WPGYM
2.20 WP Human Resource Management
2.21 LoginWP – Pro
2.22 Medical Prescription Attachment Plugin for WooCommerce
2.23 Premium SEO Pack
2.24 Profiler – What Slowing Down Your WP
2.25 The E-Commerce ERP
2.26 Multi-language Responsive Contact Form
2.27 Short URL
2.28 Simple Featured Image
2.29 smart SEO
2.30 Super Store Finder
2.31 Responsive Coming Soon Landing Page / Holding Page for WordPress
2.32 WordPress Auto Spinner
2.33 WP Firebase Push Notification
2.34 Essential Addons for Elementor – Popular Elementor Templates & Widgets
2.35 Contact Form 7 Database Addon – CFDB7
2.36 Gutenberg Blocks with AI by Kadence WP – Page Builder Features
2.37 Newsletter – Send awesome emails from WordPress
2.38 SureForms – Drag and Drop Form Builder for WordPress
2.39 AI Engine
2.40 FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
2.41 Strong Testimonials
2.42 Events Manager – Calendar, Bookings, Tickets, and more!
2.43 Events Manager – Calendar, Bookings, Tickets, and more!
2.44 Events Manager – Calendar, Bookings, Tickets, and more!
2.45 WPC Smart Compare for WooCommerce
2.46 Companion Auto Update
2.47 FunnelKit – Funnel Builder for WooCommerce Checkout
2.48 Gwolle Guestbook
2.49 WP Lightbox 2
2.50 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
2.51 wpForo Forum
2.52 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.53 HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
2.54 HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
2.55 HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
2.56 Portfolio for Elementor & Image Gallery | PowerFolio
2.57 ProfileGrid – User Profiles, Groups and Communities
2.58 RSFirewall!
2.59 Contact Form Plugin
2.60 Internal Linking of Related Contents
2.61 Lana Downloads Manager
2.62 Wishlist for WooCommerce: Multi Wishlists Per Customer
2.63 Custom Post Carousels with Owl
2.64 Broken Link Notifier
2.65 Broken Link Notifier
2.66 Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
2.67 Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
2.68 Friends
2.69 Product XML Feed Manager for WooCommerce – Google Shopping, Social Sites, Skroutz & More
2.70 WP Register Profile With Shortcode
2.71 Easy restaurant menu manager
2.72 PW WooCommerce On Sale!
2.73 Sharable Password Protected Posts
2.74 Hostel
2.75 Hostel
2.76 Guest Support – Complete customer support ticket system for WordPress
2.77 GB Forms DB
2.78 Site Chat on Telegram
2.79 WPBookit
2.80 WPBookit
2.81 BeeTeam368 Extensions
2.82 CSS3 Compare Pricing Tables for WordPress
2.83 JetEngine
2.84 HTML5 Radio Player – WPBakery Page Builder Addon
2.85 Modern Events Calendar Lite
2.86 Order Delivery Date for WP e-Commerce
2.87 Support Board
2.88 Support Board
2.89 WP File Download

3. WordPress Themes — 9 Patched / 11 Unpatched

3.1 Electrician – Electrical Service WordPress
3.2 Easy Video Player WordPress & WooCommerce
3.3 Hillter
3.4 Invico – WordPress Consulting Business Theme
3.5 ListingEasy
3.6 Nuss
3.7 Ofiz – WordPress Business Consulting Theme
3.8 Pro Bulk Watermark Plugin for WordPress
3.9 Sala
3.10 Sala
3.11 Yogi
3.12 Alone
3.13 Alone
3.14 Noisa
3.15 Nokri
3.16 Traveler
3.17 WoodMart
3.18 WoodMart
3.19 WoodMart
3.20 WoodMart

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.2 is now available! This maintenance release includes fixes for 20 Core tickets and 15 Block Editor issues. For a full list of bug fixes, please refer to the release candidate announcement.

WordPress Plugins — 56 Patched / 33 Unpatched

Plugin:: URL Shortener Plugin For WordPress
Plugin Slug:: exact-links
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28959

Plugin:: URL Shortener Plugin For WordPress
Plugin Slug:: exact-links
Installations: 600+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28961

Plugin:: WP Pipes
Plugin Slug:: wp-pipes
Installations: 500+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28982

Plugin:: Contact Form 7 Editor Button
Plugin Slug:: cf7-editor-button
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48345

Plugin:: Tennis Court Bookings
Plugin Slug:: tennis-court-bookings
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52787

Plugin:: Dot html,php,xml etc pages
Plugin Slug:: dot-htmlphpxml-etc-pages
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52779

Plugin:: SMu Manual DoFollow
Plugin Slug:: manuall-dofollow
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49031

Plugin:: Media Folder
Plugin Slug:: media-folder
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52786

Plugin:: Pay with Contact Form 7
Plugin Slug:: pay-with-contact-form-7
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52777

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47652

Plugin:: Ultimate Push Notifications ( Mobile / Desktop ), Receive Notification From WooCommerce, BuddyPress, WordPress Default Events & Many More
Plugin Slug:: ultimate-push-notifications
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50028

Plugin:: Torod – The smart shipping and delivery portal for e-shops and retailers
Plugin Slug:: torod
Installations: 70+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30936

Plugin:: WordPress-WPJobBoard
Plugin Slug:: click-pledge-wpjobboard
Installations: 50+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49455

Plugin:: WP-BusinessDirectory – Business directory plugin for WordPress
Plugin Slug:: wp-businessdirectory
Installations: 50+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-24759

Plugin:: CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online
Plugin Slug:: coschool
Installations: 40+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30973

Plugin:: Pakke Envíos
Plugin Slug:: pakke
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52819

Plugin:: Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer)
Plugin Slug:: azon-addon-js-composer
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30628

Plugin:: GoZen Forms
Plugin Slug:: gozen-forms
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6782

Plugin:: WPGYM
Plugin Slug:: gym-management
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32574

Plugin:: WP Human Resource Management
Plugin Slug:: hrm
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5953

Plugin:: LoginWP – Pro
Plugin Slug:: loginwp-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39561

Plugin:: Medical Prescription Attachment Plugin for WooCommerce
Plugin Slug:: medical-prescription-attachment-plugin-for-woocommerce
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-29009

Plugin:: Premium SEO Pack
Plugin Slug:: premium-seo-pack
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31044

Plugin:: Profiler – What Slowing Down Your WP
Plugin Slug:: profiler-what-slowing-down
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48339

Plugin:: The E-Commerce ERP
Plugin Slug:: profitori
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52836

Plugin:: Multi-language Responsive Contact Form
Plugin Slug:: responsive-contact-form
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-29000

Plugin:: Short URL
Plugin Slug:: shorten-url
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-2921

Plugin:: Simple Featured Image
Plugin Slug:: simple-featured-image
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7059

Plugin:: smart SEO
Plugin Slug:: smartSEO
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28953

Plugin:: Super Store Finder
Plugin Slug:: superstorefinder-wp
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47571

Plugin:: Responsive Coming Soon Landing Page / Holding Page for WordPress
Plugin Slug:: wordpress-flat-countdown
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-29004

Plugin:: WordPress Auto Spinner
Plugin Slug:: wp-auto-spinner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46500

Plugin:: WP Firebase Push Notification
Plugin Slug:: wp-push-notification-firebase
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5924

Plugin:: Essential Addons for Elementor – Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.20
Severity Score:: Medium
CVE:: 2025-6244

Plugin:: Contact Form 7 Database Addon – CFDB7
Plugin Slug:: contact-form-cfdb7
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: High
CVE:: 2025-6740

Plugin:: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Plugin Slug:: kadence-blocks
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.11
Severity Score:: Medium
CVE:: 2025-5678

Plugin:: Newsletter – Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.8.5
Severity Score:: Medium
CVE:: 2025-3582

Plugin:: SureForms – Drag and Drop Form Builder for WordPress
Plugin Slug:: sureforms
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7.4
Severity Score:: High
CVE:: 2025-6742

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.5
Severity Score:: Medium
CVE:: 2025-5570

Plugin:: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Plugin Slug:: foogallery
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.32
Severity Score:: Medium
CVE:: 2025-6068

Plugin:: Strong Testimonials
Plugin Slug:: strong-testimonials
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.12
Severity Score:: Medium
CVE:: 2025-7367

Plugin:: Events Manager – Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.4
Severity Score:: Medium
CVE:: 2025-6976

Plugin:: Events Manager – Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.0.4
Severity Score:: Critical
CVE:: 2025-6970

Plugin:: Events Manager – Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.4
Severity Score:: High
CVE:: 2025-6975

Plugin:: WPC Smart Compare for WooCommerce
Plugin Slug:: woo-smart-compare
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.7
Severity Score:: Medium
CVE:: 2025-5530

Plugin:: Companion Auto Update
Plugin Slug:: companion-auto-update
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.3
Severity Score:: Medium
CVE:: 2025-4369

Plugin:: FunnelKit – Funnel Builder for WooCommerce Checkout
Plugin Slug:: funnel-builder
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.11.0
Severity Score:: High
CVE:: 2025-49034

Plugin:: Gwolle Guestbook
Plugin Slug:: gwolle-gb
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.3
Severity Score:: High
CVE:: 2025-5807

Plugin:: WP Lightbox 2
Plugin Slug:: wp-lightbox-2
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.6.8
Severity Score:: High
CVE:: 2025-3745

Plugin:: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug:: wc-frontend-manager
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.7.17
Severity Score:: Medium
CVE:: 2025-3780

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.6
Severity Score:: Medium
CVE:: 2025-4406

Plugin:: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.120
Severity Score:: Medium
CVE:: 2025-6200

Plugin:: HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Plugin Slug:: ht-contactform
Installations: 10,000+
Vulnerability:: Directory Traversal
Patched in Version:: 2.2.2
Severity Score:: Critical
CVE:: 2025-7360

Plugin:: HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Plugin Slug:: ht-contactform
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.2.2
Severity Score:: Critical
CVE:: 2025-7340

Plugin:: HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Plugin Slug:: ht-contactform
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.2.2
Severity Score:: High
CVE:: 2025-7341

Plugin:: Portfolio for Elementor & Image Gallery | PowerFolio
Plugin Slug:: portfolio-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-7046

Plugin:: ProfileGrid – User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.9.5.3
Severity Score:: High
CVE:: 2025-49876

Plugin:: RSFirewall!
Plugin Slug:: rsfirewall
Installations: 4,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.1.43
Severity Score:: Medium
CVE:: 2025-7518

Plugin:: Contact Form Plugin
Plugin Slug:: contact-form-lite
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.29
Severity Score:: Medium
CVE:: 2025-5730

Plugin:: Internal Linking of Related Contents
Plugin Slug:: internal-linking-of-related-contents
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.9
Severity Score:: Medium
CVE:: 2025-49884

Plugin:: Lana Downloads Manager
Plugin Slug:: lana-downloads-manager
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.0
Severity Score:: Medium
CVE:: 2025-7387

Plugin:: Wishlist for WooCommerce: Multi Wishlists Per Customer
Plugin Slug:: wish-list-for-woocommerce
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.4
Severity Score:: Medium
CVE:: 2025-49319

Plugin:: Custom Post Carousels with Owl
Plugin Slug:: dd-post-carousel
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.12
Severity Score:: Medium
CVE:: 2025-5125

Plugin:: Broken Link Notifier
Plugin Slug:: broken-link-notifier
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-6851

Plugin:: Broken Link Notifier
Plugin Slug:: broken-link-notifier
Installations: 1,000+
Vulnerability:: CSV Injection
Patched in Version:: 1.3.1
Severity Score:: Medium
CVE:: 2025-6838

Plugin:: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 26.0.7
Severity Score:: High
CVE:: 2025-48291

Plugin:: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 26.0.9
Severity Score:: Medium
CVE:: 2025-6716

Plugin:: Friends
Plugin Slug:: friends
Installations: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2025-7504

Plugin:: Product XML Feed Manager for WooCommerce – Google Shopping, Social Sites, Skroutz & More
Plugin Slug:: product-xml-feeds-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.3
Severity Score:: Medium
CVE:: 2025-30959

Plugin:: WP Register Profile With Shortcode
Plugin Slug:: wp-register-profile-with-shortcode
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.6.3
Severity Score:: Medium
CVE:: 2025-4593

Plugin:: Easy restaurant menu manager
Plugin Slug:: easy-pdf-restaurant-menu-upload
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-6673

Plugin:: PW WooCommerce On Sale!
Plugin Slug:: pw-woocommerce-on-sale
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 1.40
Severity Score:: High
CVE:: 2025-49888

Plugin:: Sharable Password Protected Posts
Plugin Slug:: sharable-password-protected-posts
Installations: 100+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-5920

Plugin:: Hostel
Plugin Slug:: hostel
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5.9
Severity Score:: Medium
CVE:: 2025-6236

Plugin:: Hostel
Plugin Slug:: hostel
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5.8
Severity Score:: High
CVE:: 2025-6234

Plugin:: Guest Support – Complete customer support ticket system for WordPress
Plugin Slug:: guest-support
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2025-5957

Plugin:: GB Forms DB
Plugin Slug:: gb-forms-db
Installations: 30+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.0.3
Severity Score:: Critical
CVE:: 2025-5392

Plugin:: Site Chat on Telegram
Plugin Slug:: site-chat-on-telegram
Installations: 30+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.0.6
Severity Score:: Critical
CVE:: 2025-30949

Plugin:: WPBookit
Plugin Slug:: wpbookit
Installations: 30+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.0.5
Severity Score:: Critical
CVE:: 2025-6057

Plugin:: WPBookit
Plugin Slug:: wpbookit
Installations: 30+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.0.5
Severity Score:: Critical
CVE:: 2025-6058

Plugin:: BeeTeam368 Extensions
Plugin Slug:: beeteam368-extensions
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.3.6
Severity Score:: Critical
CVE:: 2025-6423

Plugin:: CSS3 Compare Pricing Tables for WordPress
Plugin Slug:: css3_web_pricing_tables_grids
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.7
Severity Score:: High
CVE:: 2025-47554

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.7.1.1
Severity Score:: High
CVE:: 2025-53194

Plugin:: HTML5 Radio Player – WPBakery Page Builder Addon
Plugin Slug:: lbg-cleverbakery
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.5.3
Severity Score:: High
CVE:: 2025-31070

Plugin:: Modern Events Calendar Lite
Plugin Slug:: modern-events-calendar-lite
Vulnerability:: SQL Injection
Patched in Version:: 6.4.0
Severity Score:: Critical
CVE:: 2021-4458

Plugin:: Order Delivery Date for WP e-Commerce
Plugin Slug:: order-delivery-date
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 12.6.0
Severity Score:: Medium
CVE:: 2025-2942

Plugin:: Support Board
Plugin Slug:: supportboard
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.1
Severity Score:: Critical
CVE:: 2025-4855

Plugin:: Support Board
Plugin Slug:: supportboard
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.8.1
Severity Score:: High
CVE:: 2025-4828

Plugin:: WP File Download
Plugin Slug:: wp-file-download
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.6
Severity Score:: High
CVE:: 2025-5034

WordPress Themes — 9 Patched / 11 Unpatched

Theme:: Electrician – Electrical Service WordPress
Theme Slug:: electrician
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31055

Theme:: Easy Video Player WordPress & WooCommerce
Theme Slug:: fwdevp
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28955

Theme:: Hillter
Theme Slug:: hillter
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24777

Theme:: Invico – WordPress Consulting Business Theme
Theme Slug:: invico
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31427

Theme:: ListingEasy
Theme Slug:: listingeasy
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30955

Theme:: Nuss
Theme Slug:: nuss
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52804

Theme:: Ofiz – WordPress Business Consulting Theme
Theme Slug:: ofiz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31072

Theme:: Pro Bulk Watermark Plugin for WordPress
Theme Slug:: pro-watermark
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28973

Theme:: Sala
Theme Slug:: sala
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-4606

Theme:: Sala
Theme Slug:: sala
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52803

Theme:: Yogi
Theme Slug:: yogi
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24779

Theme:: Alone
Theme Slug:: alone
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.8.5
Severity Score:: Critical
CVE:: 2025-5394

Theme:: Alone
Theme Slug:: alone
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 7.8.5
Severity Score:: High
CVE:: 2025-5393

Theme:: Noisa
Theme Slug:: noisa
Vulnerability:: PHP Object Injection
Patched in Version:: 2.6.2
Severity Score:: High
CVE:: 2025-53560

Theme:: Nokri
Theme Slug:: nokri
Vulnerability:: Privilege Escalation
Patched in Version:: 1.6.4
Severity Score:: High
CVE:: 2025-1313

Theme:: Traveler
Theme Slug:: traveler
Vulnerability:: SQL Injection
Patched in Version:: 3.2.2
Severity Score:: Critical
CVE:: 2025-52714

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: Broken Access Control
Patched in Version:: 8.2.6
Severity Score:: Medium
CVE:: 2025-6745

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: Content Injection
Patched in Version:: 8.2.4
Severity Score:: High
CVE:: 2025-6744

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.4
Severity Score:: Medium
CVE:: 2025-6743

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: Local File Inclusion
Patched in Version:: 8.2.4
Severity Score:: High
CVE:: 2025-6746

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 56 Patched / 33 Unpatched

WordPress Themes — 9 Patched / 11 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026

WordPress Vulnerability Report — April 15, 2026

WordPress Vulnerability Report — April 8, 2026

WordPress Vulnerability Report — April 1, 2026