WordPress Vulnerability Report — October 29, 2025

Since last week, 118 new vulnerabilities have emerged in the WordPress ecosystem, including 113 plugins and 5 themes. Of those, 52 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Oct 29, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:23 min.

In this report, 118 vulnerabilities have been publicly disclosed. Security patches for 66 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 52 plugin vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 61 Patched / 52 Unpatched

2.1 ACF to REST API
2.2 Dynamic User Directory
2.3 Microsoft Azure Storage for WordPress
2.4 Builderall for WordPress
2.5 Posts By Tag
2.6 Simple Pull Quote
2.7 Slider Templates
2.8 WP AdCenter – Ad Manager & Adsense Ads
2.9 KiotViet Sync
2.10 WP Gravity Forms Zoho CRM and Bigin
2.11 Persian Admnin Fonts
2.12 IndieAuth
2.13 WP-Force Images Download
2.14 FanBridge signup
2.15 Cinza Grid
2.16 Disable Content Editor For Specific Template
2.17 AIO Forms
2.18 Bg Book Publisher
2.19 Check Plagiarism
2.20 Email Tracker
2.21 URL Shortener
2.22 JB News Ticker
2.23 LLM Hubspot Blog Import
2.24 Material Design Iconic Font Integration
2.25 Multi Item Responsive Slider
2.26 Mixlr Shortcode
2.27 NGINX Cache Optimizer
2.28 NS Maintenance Mode for WP
2.29 Oboxmedia Ads
2.30 Originality.ai AI Checker
2.31 Originality.ai AI Checker
2.32 Photographers galleries
2.33 Playerzbr
2.34 Print Button Shortcode
2.35 qnotsquiz
2.36 Quickcreator – AI Blog Writer
2.37 RapidResult
2.38 Responsive iframe GoogleMap
2.39 Responsive Progress Bar
2.40 Simple Business Data
2.41 Simple Excel Pricelist for WooCommerce
2.42 Simple Tableau Viz
2.43 Simple Youtube Shortcode
2.44 SM CountDown Widget
2.45 ST Categories Widget
2.46 This-or-That
2.47 VNPAY Payment gateway
2.48 WooCommerce Designer Pro
2.49 WP AD Gallery
2.50 WP Responsive Meet The Team
2.51 WP Restaurant Listings
2.52 WP-Thumbnail
2.53 BackWPup – WordPress Backup & Restore Plugin
2.54 PixelYourSite – Your smart PIXEL (TAG) & API Manager
2.55 PixelYourSite – Your smart PIXEL (TAG) & API Manager
2.56 Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress
2.57 Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content
2.58 GenerateBlocks
2.59 User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
2.60 Element Pack Addons for Elementor
2.61 Real Cookie Banner: GDPR & ePrivacy Cookie Consent
2.62 Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
2.63 Tutor LMS – eLearning and online course solution
2.64 Tutor LMS – eLearning and online course solution
2.65 Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets
2.66 ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
2.67 Social Feed Gallery
2.68 Ajax Search Lite – Live Search & Filter
2.69 Meta Tag Manager
2.70 ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
2.71 Product Filter by WBW
2.72 Product Filter by WBW
2.73 Bold Page Builder
2.74 RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
2.75 Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website
2.76 Fast Velocity Minify
2.77 Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
2.78 Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks
2.79 Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
2.80 Welcart e-Commerce
2.81 wpForo Forum
2.82 Web Accessibility by accessiBe
2.83 Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
2.84 King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
2.85 King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
2.86 Testimonial Carousel For Elementor
2.87 WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
2.88 VikBooking Hotel Booking Engine & PMS
2.89 Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions
2.90 Password Policy Manager | Password Manager
2.91 Simple Registration for WooCommerce
2.92 Watu Quiz
2.93 WPMobile.App
2.94 Email Subscription Popup
2.95 Discussion Board – WordPress Forum Plugin
2.96 Flexible Refund and Return Order for WooCommerce
2.97 Range Slider Addon for Gravity Forms
2.98 MDTF – Meta Data and Taxonomies Filter
2.99 WPComplete
2.100 ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
2.101 All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
2.102 FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More
2.103 MxChat – AI Chatbot for WordPress
2.104 WhyDonate – FREE Donate button – Crowdfunding – Fundraising
2.105 Time Clock – A WordPress Employee & Volunteer Time Clock Plugin
2.106 AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant
2.107 Supervisor
2.108 HAPPY – Helpdesk Support Ticket System
2.109 SpendeOnline.org
2.110 Academy LMS Pro
2.111 Beaver Builder Plugin (Starter Version)
2.112 Stockie Extra
2.113 Tutor LMS Pro

3. WordPress Themes — 5 Patched / 0 Unpatched

3.1 The7
3.2 Genesis Framework
3.3 Listeo
3.4 Sahifa
3.5 wpresidence

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.3 was released on September 30, 2025. This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.

WordPress 6.9 Beta 2 is now ready for testing! This beta version of WordPress is still under development, so please avoid using it on production or mission-critical sites. Instead, test Beta 2 on a staging or test site.

The final release of WordPress 6.9 is scheduled for December 2, 2025. You can find the full release schedule and testing information on the WordPress Core blog. Your help testing Beta and RC versions is essential to ensuring a stable and powerful release.

WordPress Plugins — 61 Patched / 52 Unpatched

Plugin:: ACF to REST API
Plugin Slug:: acf-to-rest-api
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62979

Plugin:: Dynamic User Directory
Plugin Slug:: dynamic-user-directory
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62982

Plugin:: Microsoft Azure Storage for WordPress
Plugin Slug:: windows-azure-storage
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10749

Plugin:: Builderall for WordPress
Plugin Slug:: builderall-cheetah-for-wp
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62987

Plugin:: Posts By Tag
Plugin Slug:: posts-by-tag
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62983

Plugin:: Simple Pull Quote
Plugin Slug:: simple-pull-quote
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62985

Plugin:: Slider Templates
Plugin Slug:: slider-templates
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62988

Plugin:: WP AdCenter – Ad Manager & Adsense Ads
Plugin Slug:: wpadcenter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62984

Plugin:: KiotViet Sync
Plugin Slug:: kiotvietsync
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62978

Plugin:: WP Gravity Forms Zoho CRM and Bigin
Plugin Slug:: gf-zoho
Installations: 500+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62981

Plugin:: Persian Admnin Fonts
Plugin Slug:: persian-admin-fonts
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-62980

Plugin:: IndieAuth
Plugin Slug:: indieauth
Installations: 400+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12028

Plugin:: WP-Force Images Download
Plugin Slug:: wp-force-images-download
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11809

Plugin:: FanBridge signup
Plugin Slug:: fanbridge-signup
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-62986

Plugin:: Cinza Grid
Plugin Slug:: cinza-grid
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11824

Plugin:: Disable Content Editor For Specific Template
Plugin Slug:: disable-contect-editor-for-specific-template
Installations: 30+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12072

Plugin:: AIO Forms
Plugin Slug:: all-in-one-forms
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11889

Plugin:: Bg Book Publisher
Plugin Slug:: bg-book-publisher
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11867

Plugin:: Check Plagiarism
Plugin Slug:: check-plagiarism
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11172

Plugin:: Email Tracker
Plugin Slug:: email-tracker
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10047

Plugin:: URL Shortener
Plugin Slug:: exact-links
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10740

Plugin:: JB News Ticker
Plugin Slug:: jb-news-ticker
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11804

Plugin:: LLM Hubspot Blog Import
Plugin Slug:: llm-hubspot-blog-import
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11257

Plugin:: Material Design Iconic Font Integration
Plugin Slug:: material-design-iconic-font-integration
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11872

Plugin:: Multi Item Responsive Slider
Plugin Slug:: mislider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11992

Plugin:: Mixlr Shortcode
Plugin Slug:: mixlr-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11807

Plugin:: NGINX Cache Optimizer
Plugin Slug:: nginx-cache-optimizer
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12014

Plugin:: NS Maintenance Mode for WP
Plugin Slug:: ns-maintenance-mode-for-wp
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10638

Plugin:: Oboxmedia Ads
Plugin Slug:: oboxmedia-ads
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11827

Plugin:: Originality.ai AI Checker
Plugin Slug:: originality-ai
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10901

Plugin:: Originality.ai AI Checker
Plugin Slug:: originality-ai
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10902

Plugin:: Photographers galleries
Plugin Slug:: photographers-galleries
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11866

Plugin:: Playerzbr
Plugin Slug:: playerzbr
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11825

Plugin:: Print Button Shortcode
Plugin Slug:: print-button-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11810

Plugin:: qnotsquiz
Plugin Slug:: qnotsquiz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12016

Plugin:: Quickcreator – AI Blog Writer
Plugin Slug:: quickcreator
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11504

Plugin:: RapidResult
Plugin Slug:: rapidresult
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10748

Plugin:: Responsive iframe GoogleMap
Plugin Slug:: responsive-iframe-googlemap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11813

Plugin:: Responsive Progress Bar
Plugin Slug:: responsive-progress-bar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11883

Plugin:: Simple Business Data
Plugin Slug:: simple-business-data
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11870

Plugin:: Simple Excel Pricelist for WooCommerce
Plugin Slug:: simple-excel-pricelist-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12096

Plugin:: Simple Tableau Viz
Plugin Slug:: simple-tableau-viz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11817

Plugin:: Simple Youtube Shortcode
Plugin Slug:: simple-youtube-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11811

Plugin:: SM CountDown Widget
Plugin Slug:: smcountdown
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11880

Plugin:: ST Categories Widget
Plugin Slug:: st-category-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11878

Plugin:: This-or-That
Plugin Slug:: this-or-that
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10138

Plugin:: VNPAY Payment gateway
Plugin Slug:: vnpay-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12017

Plugin:: WooCommerce Designer Pro
Plugin Slug:: wc-designer-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6440

Plugin:: WP AD Gallery
Plugin Slug:: wp-ad-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11834

Plugin:: WP Responsive Meet The Team
Plugin Slug:: wp-responsive-meet-the-team
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11818

Plugin:: WP Restaurant Listings
Plugin Slug:: wp-restaurant-listings
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11830

Plugin:: WP-Thumbnail
Plugin Slug:: wp-thumbnail
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11819

Plugin:: BackWPup – WordPress Backup & Restore Plugin
Plugin Slug:: backwpup
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.5.1
Severity Score:: Medium
CVE:: 2025-10579

Plugin:: PixelYourSite – Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 11.1.2
Severity Score:: High
CVE:: 2025-10723

Plugin:: PixelYourSite – Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 11.1.3
Severity Score:: Medium
CVE:: 2025-10588

Plugin:: Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress
Plugin Slug:: jeg-elementor-kit
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.0
Severity Score:: Medium
CVE:: 2025-9978

Plugin:: Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content
Plugin Slug:: password-protected
Installations: 300,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.7.12
Severity Score:: Low
CVE:: 2025-11244

Plugin:: GenerateBlocks
Plugin Slug:: generateblocks
Installations: 200,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2025-11879

Plugin:: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Plugin Slug:: userfeedback-lite
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.0
Severity Score:: Medium
CVE:: 2025-10694

Plugin:: Element Pack Addons for Elementor
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 8.2.6
Severity Score:: Medium
CVE:: 2025-11536

Plugin:: Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Plugin Slug:: real-cookie-banner
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.2.5
Severity Score:: Medium
CVE:: 2025-12136

Plugin:: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
Plugin Slug:: themeisle-companion
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.0.2
Severity Score:: Medium
CVE:: 2025-10874

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.0
Severity Score:: Medium
CVE:: 2025-6680

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.0
Severity Score:: Medium
CVE:: 2025-11564

Plugin:: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets
Plugin Slug:: widget-options
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.3
Severity Score:: Medium
CVE:: 2025-10580

Plugin:: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Plugin Slug:: woolentor-addons
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.5
Severity Score:: Medium
CVE:: 2025-11823

Plugin:: Social Feed Gallery
Plugin Slug:: insta-gallery
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.3
Severity Score:: Medium
CVE:: 2025-10637

Plugin:: Ajax Search Lite – Live Search & Filter
Plugin Slug:: ajax-search-lite
Installations: 80,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.13.4
Severity Score:: Medium
CVE:: 2025-48086

Plugin:: Meta Tag Manager
Plugin Slug:: meta-tag-manager
Installations: 80,000+
Vulnerability:: Open Redirection
Patched in Version:: 3.3
Severity Score:: Medium
CVE:: 2025-5983

Plugin:: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
Plugin Slug:: shopengine
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.8.5
Severity Score:: Low
CVE:: 2025-11888

Plugin:: Product Filter by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.9.8
Severity Score:: Critical
CVE:: 2025-8416

Plugin:: Product Filter by WBW
Plugin Slug:: woo-product-filter
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.1
Severity Score:: Medium
CVE:: 2025-11269

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.6
Severity Score:: Medium
CVE:: 2025-7730

Plugin:: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Plugin Slug:: feedzy-rss-feeds
Installations: 50,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.1.1
Severity Score:: Medium
CVE:: 2025-11128

Plugin:: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website
Plugin Slug:: simple-banner
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.0
Severity Score:: Medium
CVE:: 2025-12033

Plugin:: Fast Velocity Minify
Plugin Slug:: fast-velocity-minify
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.2
Severity Score:: Medium
CVE:: 2025-12034

Plugin:: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Plugin Slug:: popup-builder-block
Installations: 30,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2025-10861

Plugin:: Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks
Plugin Slug:: advanced-gutenberg
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.0
Severity Score:: Medium
CVE:: 2025-8588

Plugin:: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Plugin Slug:: directorist
Installations: 20,000+
Vulnerability:: Path Traversal
Patched in Version:: 8.4.9
Severity Score:: High
CVE:: 2025-10488

Plugin:: Welcart e-Commerce
Plugin Slug:: usc-e-shop
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.23
Severity Score:: Medium
CVE:: 2025-10651

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.4.9
Severity Score:: Critical
CVE:: 2025-4203

Plugin:: Web Accessibility by accessiBe
Plugin Slug:: accessibe
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.11
Severity Score:: Medium
CVE:: 2025-49920

Plugin:: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Plugin Slug:: charitable
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.8.8.5
Severity Score:: High
CVE:: 2025-11893

Plugin:: King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Plugin Slug:: king-addons
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 51.1.37
Severity Score:: Critical
CVE:: 2025-6325

Plugin:: King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Plugin Slug:: king-addons
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 51.1.37
Severity Score:: Critical
CVE:: 2025-6327

Plugin:: Testimonial Carousel For Elementor
Plugin Slug:: testimonials-carousel-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.7.0
Severity Score:: Medium
CVE:: 2025-8666

Plugin:: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Plugin Slug:: wpvr
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.5.42
Severity Score:: Medium
CVE:: 2025-12005

Plugin:: VikBooking Hotel Booking Engine & PMS
Plugin Slug:: vikbooking
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.3
Severity Score:: Medium
CVE:: 2025-5803

Plugin:: Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions
Plugin Slug:: wp-full-stripe-free
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 8.3.2
Severity Score:: Critical
CVE:: 2025-9322

Plugin:: Password Policy Manager | Password Manager
Plugin Slug:: password-policy-manager
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.6
Severity Score:: Medium
CVE:: 2025-11255

Plugin:: Simple Registration for WooCommerce
Plugin Slug:: woocommerce-simple-registration
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5.9
Severity Score:: High
CVE:: 2025-12095

Plugin:: Watu Quiz
Plugin Slug:: watu
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.5
Severity Score:: High
CVE:: 2025-11238

Plugin:: WPMobile.App
Plugin Slug:: wpappninja
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.72
Severity Score:: High
CVE:: 2025-62074

Plugin:: Email Subscription Popup
Plugin Slug:: email-subscribe
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.27
Severity Score:: Medium
CVE:: 2025-49912

Plugin:: Discussion Board – WordPress Forum Plugin
Plugin Slug:: wp-discussion-board
Installations: 2,000+
Vulnerability:: Content Injection
Patched in Version:: 2.5.6
Severity Score:: Medium
CVE:: 2025-8483

Plugin:: Flexible Refund and Return Order for WooCommerce
Plugin Slug:: flexible-refund-and-return-order-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.39
Severity Score:: Medium
CVE:: 2025-10570

Plugin:: Range Slider Addon for Gravity Forms
Plugin Slug:: range-slider-addon-for-gravity-forms
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.7
Severity Score:: High
CVE:: 2025-49905

Plugin:: MDTF – Meta Data and Taxonomies Filter
Plugin Slug:: wp-meta-data-filter-and-taxonomy-filter
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.4
Severity Score:: Medium
CVE:: 2025-49907

Plugin:: WPComplete
Plugin Slug:: wpcomplete
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.5.4
Severity Score:: Medium
CVE:: 2025-49906

Plugin:: ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
Plugin Slug:: zoloblocks
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.12
Severity Score:: Medium
CVE:: 2025-12134

Plugin:: All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
Plugin Slug:: aio-time-clock-lite
Installations: 800+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2025-6833

Plugin:: FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More
Plugin Slug:: formgent
Installations: 800+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.0.4
Severity Score:: High
CVE:: 2025-10916

Plugin:: MxChat – AI Chatbot for WordPress
Plugin Slug:: mxchat-basic
Installations: 800+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.4.7
Severity Score:: Medium
CVE:: 2025-10705

Plugin:: WhyDonate – FREE Donate button – Crowdfunding – Fundraising
Plugin Slug:: wp-whydonate
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.16
Severity Score:: Medium
CVE:: 2025-49899

Plugin:: Time Clock – A WordPress Employee & Volunteer Time Clock Plugin
Plugin Slug:: time-clock
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2025-10701

Plugin:: AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant
Plugin Slug:: chatbot-ai-free-models
Installations: 100+
Vulnerability:: CSV Injection
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2025-11576

Plugin:: Supervisor
Plugin Slug:: supervisor
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-11887

Plugin:: HAPPY – Helpdesk Support Ticket System
Plugin Slug:: happy-helpdesk-support-ticket-system
Installations: 10+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.0.8
Severity Score:: Critical
CVE:: 2025-49372

Plugin:: SpendeOnline.org
Plugin Slug:: spendeonline
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.2
Severity Score:: Medium
CVE:: 2025-11875

Plugin:: Academy LMS Pro
Plugin Slug:: academy-pro
Vulnerability:: Privilege Escalation
Patched in Version:: 3.3.8
Severity Score:: High
CVE:: 2025-11086

Plugin:: Beaver Builder Plugin (Starter Version)
Plugin Slug:: bb-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.3.1
Severity Score:: Medium
CVE:: 2025-8427

Plugin:: Stockie Extra
Plugin Slug:: stockie-extra
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.12
Severity Score:: Medium
CVE:: 2025-64226

Plugin:: Tutor LMS Pro
Plugin Slug:: tutor-pro
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.9.0
Severity Score:: Medium
CVE:: 2025-6639

WordPress Themes — 5 Patched / 0 Unpatched

Theme:: The7
Theme Slug:: dt-the7
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.9.2
Severity Score:: Medium
CVE:: 2025-11897

Theme:: Genesis Framework
Theme Slug:: genesis
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.1
Severity Score:: Medium
CVE:: 2025-10737

Theme:: Listeo
Theme Slug:: listeo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9
Severity Score:: Medium
CVE:: 2025-8413

Theme:: Sahifa
Theme Slug:: sahifa
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.8.6
Severity Score:: Medium
CVE:: 2025-64202

Theme:: wpresidence
Theme Slug:: wpresidence
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.2.1
Severity Score:: Medium
CVE:: 2025-64199

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 61 Patched / 52 Unpatched

WordPress Themes — 5 Patched / 0 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026