WordPress Vulnerability Report — September 3, 2025

Since last week, 114 new vulnerabilities have emerged in the WordPress ecosystem, including 96 plugins and 18 themes. Of those, 39 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Sep 3, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:2 min.

In this report, 114 vulnerabilities have been publicly disclosed. Security patches for 75 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 39 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 68 Patched / 28 Unpatched

2.1 Poll, Survey & Quiz Maker Plugin by Opinion Stage
2.2 Gutenify – Visual Site Builder Blocks & Site Templates.
2.3 Chartbeat
2.4 Post Type Converter
2.5 Link View
2.6 Employee Directory – Staff Listing & Team Directory Plugin for WordPress
2.7 NextGEN Gallery Search
2.8 Page Manager for Elementor
2.9 Theme Switcher Reloaded
2.10 XmasB Quotes
2.11 Google XML News Sitemap plugin
2.12 SEO For Images
2.13 WooCommerce Payment Gateway for Saferpay
2.14 XM-Backup
2.15 bidorbuy Store Integrator
2.16 Yahoo! WebPlayer
2.17 Savyour Affiliate Partner
2.18 Goal Tracker for Patreon
2.19 Premium Age Verification / Restriction for WordPress
2.20 Premium Age Verification / Restriction for WordPress
2.21 Exertio Framework
2.22 iATS Online Forms
2.23 Printeers Print & Ship
2.24 List Subpages
2.25 OSM Map Widget for Elementor
2.26 Related Posts Lite
2.27 Theme Blvd Widget Areas
2.28 Ultimate Tag Warrior Importer
2.29 All-in-One WP Migration and Backup
2.30 TablePress – Tables in WordPress made easy
2.31 Ocean Extra
2.32 SiteSEO – SEO Simplified
2.33 Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
2.34 Unlimited Elements For Elementor
2.35 Beaver Builder – WordPress Page Builder
2.36 WP Bulk Delete
2.37 Ajax Search Lite – Live Search & Filter
2.38 Bold Page Builder
2.39 Booking Calendar
2.40 Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
2.41 UiCore Elements – Free Elementor widgets and templates
2.42 Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools
2.43 140+ Widgets | Xpro Addons For Elementor – FREE
2.44 Simple Download Monitor
2.45 Simple Download Monitor
2.46 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.47 Lazy Load for Videos
2.48 Xpro Theme Builder For Elementor – FREE
2.49 AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available)
2.50 Events Addon for Elementor
2.51 LWSCache
2.52 Event Booking Manager for WooCommerce – WpEvently
2.53 Xagio SEO – AI Powered SEO
2.54 Solace Extra
2.55 Simple Page Access Restriction
2.56 B Slider – Responsive Image Slider
2.57 Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
2.58 Tourfic — Travel, Hotel & Car Rental Booking for WooCommerce
2.59 All Bootstrap Blocks
2.60 ElementInvader Addons for Elementor
2.61 Podlove Podcast Publisher
2.62 JS Archive List
2.63 Responsive YouTube Video Gallery Plugin for WordPress – YouTube Showcase
2.64 Pronamic Google Maps
2.65 Feeds For TikTok – Show TikTok Videos in Grid or Feed Layout
2.66 E-cab Taxi Booking Manager for Woocommerce
2.67 PDF for Elementor Forms + Drag And Drop Template Builder
2.68 Skyword XMLRPC publishing
2.69 Zephyr Project Manager
2.70 Drag and Drop File Upload for Elementor Forms
2.71 Transcoder
2.72 Employee Spotlight – Team Member Showcase & Meet the Team Plugin
2.73 Epeken All Kurir Plugin for Woocommerce Full Version
2.74 UPC/EAN/GTIN Code Generator
2.75 Chatbox Manager
2.76 Customer Support Ticket System & Helpdesk Plugin for WordPress
2.77 Booking System Trafft
2.78 Captcha.eu
2.79 Dynamic AJAX Product Filters for WooCommerce
2.80 File Manager, Code Editor, and Backup by Managefy
2.81 Vibes
2.82 WP Thumbtack Review Slider
2.83 Video Share VOD – Turnkey Video Site Builder Script
2.84 Instant Breaking News
2.85 Custom Query Shortcode
2.86 Simple Contact Form Plugin for WordPress – WP Easy Contact
2.87 RingCentral Communications Plugin – FREE
2.88 Small Package Quotes – USPS Edition
2.89 Dokan Pro
2.90 eventlist
2.91 WooCommerce csv import export
2.92 Houzez CRM
2.93 Nest Addons
2.94 Slider Revolution
2.95 Automatic
2.96 WP ULike Pro

3. WordPress Themes — 7 Patched / 11 Unpatched

3.1 Magazine Saga
3.2 ArcHub
3.3 Cars4Rent
3.4 Hub
3.5 Jannah
3.6 Jina – Celebration Agency Theme
3.7 The Restaurant
3.8 Nuss
3.9 Pro Bulk Watermark Plugin for WordPress
3.10 Rozario
3.11 Upking – Hiking Club WordPress Theme
3.12 Golo
3.13 Houzez
3.14 Houzez
3.15 Ireca
3.16 Makeaholic
3.17 Neresa
3.18 Pin WP

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.2 was released on July 15, 2025. This maintenance release includes fixes for 20 Core tickets and 15 Block Editor issues. For a full list of bug fixes, please refer to the release candidate announcement.

WordPress Plugins — 68 Patched / 28 Unpatched

Plugin:: Poll, Survey & Quiz Maker Plugin by Opinion Stage
Plugin Slug:: social-polls-by-opinionstage
Installations: 8,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53328

Plugin:: Gutenify – Visual Site Builder Blocks & Site Templates.
Plugin Slug:: gutenify
Installations: 6,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53326

Plugin:: Chartbeat
Plugin Slug:: chartbeat
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53250

Plugin:: Post Type Converter
Plugin Slug:: post-type-converter
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48303

Plugin:: Link View
Plugin Slug:: link-view
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48110

Plugin:: Employee Directory – Staff Listing & Team Directory Plugin for WordPress
Plugin Slug:: employee-directory
Installations: 100+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53243

Plugin:: NextGEN Gallery Search
Plugin Slug:: nextgen-gallery-search-galleries
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53224

Plugin:: Page Manager for Elementor
Plugin Slug:: page-manager-for-elementor
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53230

Plugin:: Theme Switcher Reloaded
Plugin Slug:: theme-switcher-reloaded
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53223

Plugin:: XmasB Quotes
Plugin Slug:: xmasb-quotes
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53220

Plugin:: Google XML News Sitemap plugin
Plugin Slug:: gn-xml-sitemap
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48304

Plugin:: SEO For Images
Plugin Slug:: seo-for-images
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48307

Plugin:: WooCommerce Payment Gateway for Saferpay
Plugin Slug:: woocommerce-payment-gateway-for-saferpay
Installations: 60+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48317

Plugin:: XM-Backup
Plugin Slug:: xm-backup
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48109

Plugin:: bidorbuy Store Integrator
Plugin Slug:: bidorbuystoreintegrator
Installations: 50+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-48100

Plugin:: Yahoo! WebPlayer
Plugin Slug:: yahoo-media-player
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53215

Plugin:: Savyour Affiliate Partner
Plugin Slug:: savyour-affiliate-partner
Installations: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48306

Plugin:: Goal Tracker for Patreon
Plugin Slug:: goal-tracker-for-patreon
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48305

Plugin:: Premium Age Verification / Restriction for WordPress
Plugin Slug:: age-restriction
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49403

Plugin:: Premium Age Verification / Restriction for WordPress
Plugin Slug:: age-restriction
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49408

Plugin:: Exertio Framework
Plugin Slug:: exertio-framework
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49402

Plugin:: iATS Online Forms
Plugin Slug:: iats-online-forms
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-9441

Plugin:: Printeers Print & Ship
Plugin Slug:: invition-print-ship
Vulnerability:: Directory Traversal
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48081

Plugin:: List Subpages
Plugin Slug:: list-sub-pages
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8290

Plugin:: OSM Map Widget for Elementor
Plugin Slug:: osm-map-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8619

Plugin:: Related Posts Lite
Plugin Slug:: related-posts-lite
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9618

Plugin:: Theme Blvd Widget Areas
Plugin Slug:: theme-blvd-widget-areas
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53289

Plugin:: Ultimate Tag Warrior Importer
Plugin Slug:: utw-importer
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9374

Plugin:: All-in-One WP Migration and Backup
Plugin Slug:: all-in-one-wp-migration
Installations: 5,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.98
Severity Score:: Medium
CVE:: 2025-8490

Plugin:: TablePress – Tables in WordPress made easy
Plugin Slug:: tablepress
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-9500

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.0
Severity Score:: Medium
CVE:: 2025-9499

Plugin:: SiteSEO – SEO Simplified
Plugin Slug:: siteseo
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2025-9277

Plugin:: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Plugin Slug:: otter-blocks
Installations: 300,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.1.1
Severity Score:: High
CVE:: 2025-55715

Plugin:: Unlimited Elements For Elementor
Plugin Slug:: unlimited-elements-for-elementor
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.149
Severity Score:: Medium
CVE:: 2025-8603

Plugin:: Beaver Builder – WordPress Page Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.3.1
Severity Score:: High
CVE:: 2025-8897

Plugin:: WP Bulk Delete
Plugin Slug:: wp-bulk-delete
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2025-58192

Plugin:: Ajax Search Lite – Live Search & Filter
Plugin Slug:: ajax-search-lite
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.13.2
Severity Score:: Medium
CVE:: 2025-7956

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.4
Severity Score:: Medium
CVE:: 2025-58194

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.14.2
Severity Score:: Medium
CVE:: 2025-9346

Plugin:: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Plugin Slug:: uncanny-automator
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.8.0
Severity Score:: Medium
CVE:: 2025-58193

Plugin:: UiCore Elements – Free Elementor widgets and templates
Plugin Slug:: uicore-elements
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.5
Severity Score:: Medium
CVE:: 2025-58196

Plugin:: Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools
Plugin Slug:: woocommerce-jetpack
Installations: 40,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.2.5
Severity Score:: High
CVE:: 2024-13342

Plugin:: 140+ Widgets | Xpro Addons For Elementor – FREE
Plugin Slug:: xpro-elementor-addons
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.18
Severity Score:: Medium
CVE:: 2025-58195

Plugin:: Simple Download Monitor
Plugin Slug:: simple-download-monitor
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.9.34
Severity Score:: High
CVE:: 2025-8977

Plugin:: Simple Download Monitor
Plugin Slug:: simple-download-monitor
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.35
Severity Score:: Medium
CVE:: 2025-58197

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.43
Severity Score:: Medium
CVE:: 2025-9344

Plugin:: Lazy Load for Videos
Plugin Slug:: lazy-load-for-videos
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.18.8
Severity Score:: Medium
CVE:: 2025-7732

Plugin:: Xpro Theme Builder For Elementor – FREE
Plugin Slug:: xpro-theme-builder
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.10
Severity Score:: Medium
CVE:: 2025-58198

Plugin:: AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available)
Plugin Slug:: aftership-woocommerce-tracking
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.17.18
Severity Score:: Medium
CVE:: 2025-58201

Plugin:: Events Addon for Elementor
Plugin Slug:: events-addon-for-elementor
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-8150

Plugin:: LWSCache
Plugin Slug:: lwscache
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9
Severity Score:: Medium
CVE:: 2025-8147

Plugin:: Event Booking Manager for WooCommerce – WpEvently
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.4.9
Severity Score:: High
CVE:: 2025-54742

Plugin:: Xagio SEO – AI Powered SEO
Plugin Slug:: xagio-seo
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.1.0.6
Severity Score:: High
CVE:: 2024-13807

Plugin:: Solace Extra
Plugin Slug:: solace-extra
Installations: 7,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-58203

Plugin:: Simple Page Access Restriction
Plugin Slug:: simple-page-access-restriction
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.33
Severity Score:: Medium
CVE:: 2025-58202

Plugin:: B Slider – Responsive Image Slider
Plugin Slug:: b-slider
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2025-54734

Plugin:: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Plugin Slug:: stopbadbots
Installations: 5,000+
Vulnerability:: Broken Authentication
Patched in Version:: 11.59
Severity Score:: Medium
CVE:: 2025-9376

Plugin:: Tourfic — Travel, Hotel & Car Rental Booking for WooCommerce
Plugin Slug:: tourfic
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.15.0
Severity Score:: Medium
CVE:: 2024-8860

Plugin:: All Bootstrap Blocks
Plugin Slug:: all-bootstrap-blocks
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.29
Severity Score:: Medium
CVE:: 2025-54733

Plugin:: ElementInvader Addons for Elementor
Plugin Slug:: elementinvader-addons-for-elementor
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2025-58205

Plugin:: Podlove Podcast Publisher
Plugin Slug:: podlove-podcasting-plugin-for-wordpress
Installations: 4,000+
Vulnerability:: Open Redirection
Patched in Version:: 4.2.6
Severity Score:: Medium
CVE:: 2025-58204

Plugin:: JS Archive List
Plugin Slug:: jquery-archive-list-widget
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 6.1.6
Severity Score:: Critical
CVE:: 2025-54726

Plugin:: Responsive YouTube Video Gallery Plugin for WordPress – YouTube Showcase
Plugin Slug:: youtube-showcase
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2025-54731

Plugin:: Pronamic Google Maps
Plugin Slug:: pronamic-google-maps
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2025-9352

Plugin:: Feeds For TikTok – Show TikTok Videos in Grid or Feed Layout
Plugin Slug:: b-tiktok-feed
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.22
Severity Score:: High
CVE:: 2025-54710

Plugin:: E-cab Taxi Booking Manager for Woocommerce
Plugin Slug:: ecab-taxi-booking-manager
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.3.1
Severity Score:: Critical
CVE:: 2025-54713

Plugin:: PDF for Elementor Forms + Drag And Drop Template Builder
Plugin Slug:: pdf-for-elementor-forms
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.0
Severity Score:: Medium
CVE:: 2025-58208

Plugin:: Skyword XMLRPC publishing
Plugin Slug:: skyword-plugin
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.3
Severity Score:: Medium
CVE:: 2024-11907

Plugin:: Zephyr Project Manager
Plugin Slug:: zephyr-project-manager
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.202
Severity Score:: High
CVE:: 2025-54714

Plugin:: Drag and Drop File Upload for Elementor Forms
Plugin Slug:: drag-and-drop-file-upload-for-elementor-forms
Installations: 800+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.5.4
Severity Score:: Critical
CVE:: 2025-49387

Plugin:: Transcoder
Plugin Slug:: transcoder
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.1
Severity Score:: Medium
CVE:: 2025-58209

Plugin:: Employee Spotlight – Team Member Showcase & Meet the Team Plugin
Plugin Slug:: employee-spotlight
Installations: 500+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.1.2
Severity Score:: High
CVE:: 2025-53583

Plugin:: Epeken All Kurir Plugin for Woocommerce Full Version
Plugin Slug:: epeken-all-kurir
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-58212

Plugin:: UPC/EAN/GTIN Code Generator
Plugin Slug:: upc-ean-barcode-generator
Installations: 500+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.0.3
Severity Score:: High
CVE:: 2025-53588

Plugin:: Chatbox Manager
Plugin Slug:: wa-chatbox-manager
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2025-58211

Plugin:: Customer Support Ticket System & Helpdesk Plugin for WordPress
Plugin Slug:: wp-ticket
Installations: 500+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.0.3
Severity Score:: High
CVE:: 2025-53584

Plugin:: Booking System Trafft
Plugin Slug:: booking-system-trafft
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.15
Severity Score:: Medium
CVE:: 2025-58213

Plugin:: Captcha.eu
Plugin Slug:: captcha-eu
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.61
Severity Score:: High
CVE:: 2025-53579

Plugin:: Dynamic AJAX Product Filters for WooCommerce
Plugin Slug:: dynamic-ajax-product-filters-for-woocommerce
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2025-8073

Plugin:: File Manager, Code Editor, and Backup by Managefy
Plugin Slug:: softdiscover-db-file-manager
Installations: 100+
Vulnerability:: Path Traversal
Patched in Version:: 1.5.0
Severity Score:: Medium
CVE:: 2025-9345

Plugin:: Vibes
Plugin Slug:: vibes
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: 2.2.1
Severity Score:: Critical
CVE:: 2025-9172

Plugin:: WP Thumbtack Review Slider
Plugin Slug:: wp-thumbtack-review-slider
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7
Severity Score:: Medium
CVE:: 2025-58216

Plugin:: Video Share VOD – Turnkey Video Site Builder Script
Plugin Slug:: video-share-vod
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.7.7
Severity Score:: High
CVE:: 2025-7812

Plugin:: Instant Breaking News
Plugin Slug:: instant-breaking-news
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.1
Severity Score:: High
CVE:: 2025-58217

Plugin:: Custom Query Shortcode
Plugin Slug:: custom-query-shortcode
Installations: 40+
Vulnerability:: Directory Traversal
Patched in Version:: 0.5.0
Severity Score:: Medium
CVE:: 2025-8562

Plugin:: Simple Contact Form Plugin for WordPress – WP Easy Contact
Plugin Slug:: wp-easy-contact
Installations: 40+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.0.2
Severity Score:: High
CVE:: 2025-53572

Plugin:: RingCentral Communications Plugin – FREE
Plugin Slug:: rccp-free
Installations: 30+
Vulnerability:: Broken Authentication
Patched in Version:: 1.7.0
Severity Score:: Critical
CVE:: 2025-7955

Plugin:: Small Package Quotes – USPS Edition
Plugin Slug:: small-package-quotes-usps-edition
Installations: 10+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3.10
Severity Score:: High
CVE:: 2025-58218

Plugin:: Dokan Pro
Plugin Slug:: dokan-pro
Vulnerability:: Privilege Escalation
Patched in Version:: 4.0.6
Severity Score:: High
CVE:: 2025-5931

Plugin:: eventlist
Plugin Slug:: eventlist
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.5
Severity Score:: High
CVE:: 2025-6366

Plugin:: WooCommerce csv import export
Plugin Slug:: extendons-eo-wooimport-export
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.0.7
Severity Score:: High
CVE:: 2025-54029

Plugin:: Houzez CRM
Plugin Slug:: houzez-crm
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.0
Severity Score:: Medium
CVE:: 2025-49402

Plugin:: Nest Addons
Plugin Slug:: nest-addons
Vulnerability:: SQL Injection
Patched in Version:: 1.6.4
Severity Score:: Critical
CVE:: 2025-54720

Plugin:: Slider Revolution
Plugin Slug:: revslider
Vulnerability:: Arbitrary File Download
Patched in Version:: 6.7.37
Severity Score:: Medium
CVE:: 2025-9217

Plugin:: Automatic
Plugin Slug:: wp-automatic
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.119.0
Severity Score:: High
CVE:: 2025-6247

Plugin:: WP ULike Pro
Plugin Slug:: wp-ulike-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.9.4
Severity Score:: Medium
CVE:: 2024-9648

WordPress Themes — 7 Patched / 11 Unpatched

Theme:: Magazine Saga
Theme Slug:: magazine-saga
Downloads: 39,662
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53227

Theme:: ArcHub
Theme Slug:: archub
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0951

Theme:: Cars4Rent
Theme Slug:: cars4rent
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49434

Theme:: Hub
Theme Slug:: hub
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-0951

Theme:: Jannah
Theme Slug:: jannah
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53334

Theme:: Jina – Celebration Agency Theme
Theme Slug:: jina
Vulnerability:: Deserialization of untrusted data
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31927

Theme:: The Restaurant
Theme Slug:: nrgrestaurant
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31927

Theme:: Nuss
Theme Slug:: nuss
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49894

Theme:: Pro Bulk Watermark Plugin for WordPress
Theme Slug:: pro-watermark
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4956

Theme:: Rozario
Theme Slug:: rozario
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31927

Theme:: Upking – Hiking Club WordPress Theme
Theme Slug:: upking
Vulnerability:: Deserialization of untrusted data
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31927

Theme:: Golo
Theme Slug:: golo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.2
Severity Score:: High
CVE:: 2025-54724

Theme:: Houzez
Theme Slug:: houzez
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.4
Severity Score:: High
CVE:: 2025-49407

Theme:: Houzez
Theme Slug:: houzez
Vulnerability:: Local File Inclusion
Patched in Version:: 4.1.4
Severity Score:: High
CVE:: 2025-49405

Theme:: Ireca
Theme Slug:: ireca
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8.6
Severity Score:: High
CVE:: 2025-54716

Theme:: Makeaholic
Theme Slug:: makeaholic
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.7
Severity Score:: Medium
CVE:: 2025-58210

Theme:: Neresa
Theme Slug:: neresa-wp
Vulnerability:: Local File Inclusion
Patched in Version:: 1.4
Severity Score:: High
CVE:: 2025-49383

Theme:: Pin WP
Theme Slug:: pin-wp
Vulnerability:: Arbitrary File Upload
Patched in Version:: 7.2
Severity Score:: Critical
CVE:: 2025-53251

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 68 Patched / 28 Unpatched

WordPress Themes — 7 Patched / 11 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026

WordPress Vulnerability Report — April 15, 2026

WordPress Vulnerability Report — April 8, 2026

WordPress Vulnerability Report — April 1, 2026