WordPress Vulnerability Report — December 3, 2025

Since last week, 106 new vulnerabilities have emerged in the WordPress ecosystem, including 102 plugins and 4 themes. Of those, 41 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Dec 3, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:20 min.

In this report, 106 vulnerabilities have been publicly disclosed. Security patches for 65 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 41 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 63 Patched / 39 Unpatched

2.1 UiPress lite | Effortless custom dashboards, admin themes and pages
2.2 UiPress lite | Effortless custom dashboards, admin themes and pages
2.3 Arconix Shortcodes
2.4 Feeds for TikTok – Display Video Feeds in Grid Layouts
2.5 Wishlist for WooCommerce
2.6 Job Board by BestWebSoft
2.7 Ace Post Type Builder
2.8 OrderConvo
2.9 OrderConvo
2.10 Attention Bar
2.11 Autochat Automatic Conversation
2.12 Bookme – Free Online Appointment Booking and Scheduling Plugin
2.13 Chamber Dashboard Business Directory
2.14 YouTube Subscribe
2.15 EduKart Pro
2.16 Flo Forms
2.17 Google Drive upload and download link
2.18 Inline frame – Iframe
2.19 Just Highlight
2.20 AI Engine for WordPress: ChatGPT, GPT Content Generator
2.21 Locker Content
2.22 Conditionnal Maintenance Mode for WordPress
2.23 Mstore Mobile App
2.24 Frontend File Manager
2.25 Peer Publish
2.26 ProjectList
2.27 ProjectList
2.28 Realty Portal
2.29 Refund Request for WooCommerce
2.30 Reuters Direct
2.31 Reuters Direct
2.32 Shouty
2.33 Social Images Widget
2.34 SortTable Post
2.35 Soundslides
2.36 Mstore Mobile App
2.37 WP AUDIO GALLERY
2.38 wp-twitpic
2.39 Zweb Social Mobile
2.40 All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
2.41 WP Fastest Cache
2.42 Unlimited Elements For Elementor
2.43 Nextend Social Login and Register
2.44 Beaver Builder Page Builder – Drag and Drop Website Builder
2.45 Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
2.46 JetFormBuilder — Dynamic Blocks Form Builder
2.47 Blog2Social: Social Media Auto Post & Scheduler
2.48 Bold Page Builder
2.49 Search Exclude
2.50 OneClick Chat to Order
2.51 Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem
2.52 PowerPress Podcasting plugin by Blubrry
2.53 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.54 Visualizer: Tables and Charts Manager for WordPress
2.55 WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress
2.56 BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
2.57 eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams
2.58 Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
2.59 QODE Wishlist for WooCommerce
2.60 Export All Posts, Products, Orders, Refunds & Users
2.61 Analytics Germanized for Google Analytics (GDPR / DSGVO)
2.62 Event Booking Manager for WooCommerce
2.63 FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses
2.64 Poll, Survey & Quiz Maker Plugin by Opinion Stage
2.65 Customer Reviews Collector for WooCommerce
2.66 VikRentCar Car Rental Management System
2.67 Property Hive
2.68 WP Directory Kit
2.69 WP Directory Kit
2.70 Photo Gallery by Ays – Responsive Image Gallery
2.71 KiviCare – Clinic & Patient Management System (EHR)
2.72 Vitepos – Point of Sale (POS) for WooCommerce
2.73 Quick View for WooCommerce
2.74 CP Contact Form with PayPal
2.75 Featured Post Creative
2.76 Subscriptions & Memberships for PayPal
2.77 Tainacan
2.78 TNC Toolbox: Web Performance
2.79 Cart Weight for WooCommerce
2.80 Telegram Bot & Channel
2.81 AI ChatBot with ChatGPT and Content Generator by AYS
2.82 AI ChatBot with ChatGPT and Content Generator by AYS
2.83 Show Variations as Single Products Woocommerce
2.84 ELEX WordPress HelpDesk & Customer Ticketing System
2.85 Simple User Registration
2.86 Guest posting / Frontend Posting / Front Editor – WP Front User Submit
2.87 Hide Category by User Role for WooCommerce
2.88 Zigaform – Price Calculator & Cost Estimation Form Builder Lite
2.89 EchBay Admin Security
2.90 StaffList
2.91 CIBELES AI
2.92 S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator
2.93 AI Feeds
2.94 Simple Folio
2.95 WPBookit
2.96 SKT PayPal for WooCommerce
2.97 atec Duplicate Page & Post
2.98 FindAll Membership
2.99 Sneeit Framework
2.100 Tiare Membership
2.101 Unlimited Elements for Elementor (Premium)
2.102 WavePlayer

3. WordPress Themes — 2 Patched / 2 Unpatched

3.1 Tiger
3.2 Tiger
3.3 Houzez
3.4 Houzez

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins — 63 Patched / 39 Unpatched

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10938

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11003

Plugin:: Arconix Shortcodes
Plugin Slug:: arconix-shortcodes
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13835

Plugin:: Feeds for TikTok – Display Video Feeds in Grid Layouts
Plugin Slug:: b-tiktok-feed
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66110

Plugin:: Wishlist for WooCommerce
Plugin Slug:: th-wishlist
Installations: 500+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12040

Plugin:: Job Board by BestWebSoft
Plugin Slug:: job-board
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13383

Plugin:: Ace Post Type Builder
Plugin Slug:: ace-post-type-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13405

Plugin:: OrderConvo
Plugin Slug:: admin-and-client-message-after-order-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13389

Plugin:: OrderConvo
Plugin Slug:: admin-and-client-message-after-order-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13452

Plugin:: Attention Bar
Plugin Slug:: attention-bar
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12502

Plugin:: Autochat Automatic Conversation
Plugin Slug:: auyautochat-for-wp
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12043

Plugin:: Bookme – Free Online Appointment Booking and Scheduling Plugin
Plugin Slug:: bookme-free-appointment-booking-system
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13385

Plugin:: Chamber Dashboard Business Directory
Plugin Slug:: chamber-dashboard-business-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13414

Plugin:: YouTube Subscribe
Plugin Slug:: easy-youtube-subscribe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12025

Plugin:: EduKart Pro
Plugin Slug:: edukart-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13559

Plugin:: Flo Forms
Plugin Slug:: flo-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13159

Plugin:: Google Drive upload and download link
Plugin Slug:: google-drive-upload-and-download-link
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12666

Plugin:: Inline frame – Iframe
Plugin Slug:: inline-frame-iframe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12645

Plugin:: Just Highlight
Plugin Slug:: just-highlight
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13311

Plugin:: AI Engine for WordPress: ChatGPT, GPT Content Generator
Plugin Slug:: liquid-chatgpt
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13380

Plugin:: Locker Content
Plugin Slug:: locker-content
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12525

Plugin:: Conditionnal Maintenance Mode for WordPress
Plugin Slug:: maintenance-mode-based-on-user-roles
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12586

Plugin:: Mstore Mobile App
Plugin Slug:: mstoreapp-mobile-app
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11127

Plugin:: Frontend File Manager
Plugin Slug:: nmedia-user-file-uploader
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13382

Plugin:: Peer Publish
Plugin Slug:: peer-publish
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12587

Plugin:: ProjectList
Plugin Slug:: projectlist
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13370

Plugin:: ProjectList
Plugin Slug:: projectlist
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13376

Plugin:: Realty Portal
Plugin Slug:: realty-portal
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11985

Plugin:: Refund Request for WooCommerce
Plugin Slug:: refund-request-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12634

Plugin:: Reuters Direct
Plugin Slug:: reuters-direct
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12579

Plugin:: Reuters Direct
Plugin Slug:: reuters-direct
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12578

Plugin:: Shouty
Plugin Slug:: shouty
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12712

Plugin:: Social Images Widget
Plugin Slug:: social-images-widget
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13386

Plugin:: SortTable Post
Plugin Slug:: sorttable-post
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12649

Plugin:: Soundslides
Plugin Slug:: soundslides
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12713

Plugin:: Mstore Mobile App
Plugin Slug:: woo-mstoreapp-mobile-app
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11127

Plugin:: WP AUDIO GALLERY
Plugin Slug:: wp-audio-gallery
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13322

Plugin:: wp-twitpic
Plugin Slug:: wp-twitpic
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12670

Plugin:: Zweb Social Mobile
Plugin Slug:: zweb-social-mobile
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12032

Plugin:: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Plugin Slug:: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.8.7
Severity Score:: Medium
CVE:: 2025-64295

Plugin:: WP Fastest Cache
Plugin Slug:: wp-fastest-cache
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.1
Severity Score:: Medium
CVE:: 2025-10476

Plugin:: Unlimited Elements For Elementor
Plugin Slug:: unlimited-elements-for-elementor
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-13692

Plugin:: Nextend Social Login and Register
Plugin Slug:: nextend-facebook-connect
Installations: 200,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.22
Severity Score:: Medium
CVE:: 2025-13737

Plugin:: Beaver Builder Page Builder – Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.1
Severity Score:: Medium
CVE:: 2025-11726

Plugin:: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Plugin Slug:: folders
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.6
Severity Score:: Medium
CVE:: 2025-12971

Plugin:: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.4
Severity Score:: Medium
CVE:: 2025-64384

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.7.1
Severity Score:: Medium
CVE:: 2025-13558

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.3
Severity Score:: Medium
CVE:: 2025-66057

Plugin:: Search Exclude
Plugin Slug:: search-exclude
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.8
Severity Score:: Medium
CVE:: 2025-10646

Plugin:: OneClick Chat to Order
Plugin Slug:: oneclick-whatsapp-order
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.9
Severity Score:: High
CVE:: 2025-13526

Plugin:: Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem
Plugin Slug:: gutenverse
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-66065

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations: 30,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 11.15.3
Severity Score:: Critical
CVE:: 2025-13536

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.48
Severity Score:: Medium
CVE:: 2025-66072

Plugin:: Visualizer: Tables and Charts Manager for WordPress
Plugin Slug:: visualizer
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.11.13
Severity Score:: High
CVE:: 2025-12483

Plugin:: WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress
Plugin Slug:: wp-webhooks
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.3.9
Severity Score:: High
CVE:: 2025-66073

Plugin:: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Plugin Slug:: blockart-blocks
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.14
Severity Score:: Medium
CVE:: 2025-13697

Plugin:: eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams
Plugin Slug:: eroom-zoom-meetings-webinar
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.5.7
Severity Score:: Medium
CVE:: 2025-49919

Plugin:: Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
Plugin Slug:: gutenverse-form
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-66079

Plugin:: QODE Wishlist for WooCommerce
Plugin Slug:: qode-wishlist-for-woocommerce
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2025-13157

Plugin:: Export All Posts, Products, Orders, Refunds & Users
Plugin Slug:: wp-ultimate-exporter
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.20
Severity Score:: Medium
CVE:: 2025-13606

Plugin:: Analytics Germanized for Google Analytics (GDPR / DSGVO)
Plugin Slug:: ga-germanized
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.3
Severity Score:: Medium
CVE:: 2025-64292

Plugin:: Event Booking Manager for WooCommerce
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.5
Severity Score:: Medium
CVE:: 2025-66082

Plugin:: FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses
Plugin Slug:: fluent-community
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2025-66084

Plugin:: Poll, Survey & Quiz Maker Plugin by Opinion Stage
Plugin Slug:: social-polls-by-opinionstage
Installations: 7,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 19.12.1
Severity Score:: Medium
CVE:: 2025-13143

Plugin:: Customer Reviews Collector for WooCommerce
Plugin Slug:: customer-reviews-collector-for-woocommerce
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7
Severity Score:: High
CVE:: 2025-12123

Plugin:: VikRentCar Car Rental Management System
Plugin Slug:: vikrentcar
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.5
Severity Score:: High
CVE:: 2025-13724

Plugin:: Property Hive
Plugin Slug:: propertyhive
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2025-66087

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.7
Severity Score:: High
CVE:: 2025-13090

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.6
Severity Score:: High
CVE:: 2025-13525

Plugin:: Photo Gallery by Ays – Responsive Image Gallery
Plugin Slug:: gallery-photo-gallery
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.4.9
Severity Score:: Medium
CVE:: 2025-13685

Plugin:: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.14
Severity Score:: High
CVE:: 2025-66095

Plugin:: Vitepos – Point of Sale (POS) for WooCommerce
Plugin Slug:: vitepos-lite
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.1
Severity Score:: Critical
CVE:: 2025-13156

Plugin:: Quick View for WooCommerce
Plugin Slug:: woo-quickview
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.18
Severity Score:: Medium
CVE:: 2025-12584

Plugin:: CP Contact Form with PayPal
Plugin Slug:: cp-contact-form-with-paypal
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.57
Severity Score:: High
CVE:: 2025-13384

Plugin:: Featured Post Creative
Plugin Slug:: featured-post-creative
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.6
Severity Score:: Medium
CVE:: 2025-66106

Plugin:: Subscriptions & Memberships for PayPal
Plugin Slug:: subscriptions-memberships-for-paypal
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2025-66107

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.1
Severity Score:: High
CVE:: 2025-12746

Plugin:: TNC Toolbox: Web Performance
Plugin Slug:: tnc-toolbox
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.5
Severity Score:: Medium
CVE:: 2025-66108

Plugin:: Cart Weight for WooCommerce
Plugin Slug:: woo-cart-weight
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.12
Severity Score:: Medium
CVE:: 2025-66109

Plugin:: Telegram Bot & Channel
Plugin Slug:: telegram-bot
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.1
Severity Score:: High
CVE:: 2025-13068

Plugin:: AI ChatBot with ChatGPT and Content Generator by AYS
Plugin Slug:: ays-chatgpt-assistant
Installations: 500+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.7.1
Severity Score:: High
CVE:: 2025-13378

Plugin:: AI ChatBot with ChatGPT and Content Generator by AYS
Plugin Slug:: ays-chatgpt-assistant
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.1
Severity Score:: Medium
CVE:: 2025-13381

Plugin:: Show Variations as Single Products Woocommerce
Plugin Slug:: woo-show-single-variations-shop-category
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2025-66114

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.2
Severity Score:: Critical
CVE:: 2025-11456

Plugin:: Simple User Registration
Plugin Slug:: wp-registration
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7
Severity Score:: High
CVE:: 2025-12160

Plugin:: Guest posting / Frontend Posting / Front Editor – WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Open Redirection
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2025-12569

Plugin:: Hide Category by User Role for WooCommerce
Plugin Slug:: hide-category-by-user-role-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.2
Severity Score:: Medium
CVE:: 2025-13441

Plugin:: Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Plugin Slug:: zigaform-calculator-cost-estimation-form-builder-lite
Installations: 200+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.6.7
Severity Score:: Medium
CVE:: 2025-13696

Plugin:: EchBay Admin Security
Plugin Slug:: echbay-admin-security
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-11885

Plugin:: StaffList
Plugin Slug:: stafflist
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.7
Severity Score:: Medium
CVE:: 2025-12185

Plugin:: CIBELES AI
Plugin Slug:: cibeles-ai
Installations: 80+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.10.9
Severity Score:: Critical
CVE:: 2025-13595

Plugin:: S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator
Plugin Slug:: s2b-ai-assistant
Installations: 70+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.7.9
Severity Score:: Critical
CVE:: 2025-12973

Plugin:: AI Feeds
Plugin Slug:: ai-feeds
Installations: 60+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.0.12
Severity Score:: Critical
CVE:: 2025-13597

Plugin:: Simple Folio
Plugin Slug:: simple-folio
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-12151

Plugin:: WPBookit
Plugin Slug:: wpbookit
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.7
Severity Score:: High
CVE:: 2025-12135

Plugin:: SKT PayPal for WooCommerce
Plugin Slug:: skt-paypal-for-woocommerce
Installations: 10+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2025-7820

Plugin:: atec Duplicate Page & Post
Plugin Slug:: atec-duplicate-page-post
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.21
Severity Score:: Medium
CVE:: 2025-13404

Plugin:: FindAll Membership
Plugin Slug:: findall-membership
Vulnerability:: Broken Authentication
Patched in Version:: 1.1
Severity Score:: Critical
CVE:: 2025-13539

Plugin:: Sneeit Framework
Plugin Slug:: sneeit-framework
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 8.4
Severity Score:: Critical
CVE:: 2025-6389

Plugin:: Tiare Membership
Plugin Slug:: tiare-membership
Vulnerability:: Privilege Escalation
Patched in Version:: 1.3
Severity Score:: Critical
CVE:: 2025-13540

Plugin:: Unlimited Elements for Elementor (Premium)
Plugin Slug:: unlimited-elements-for-elementor-premium
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-13692

Plugin:: WavePlayer
Plugin Slug:: waveplayer
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.8.0
Severity Score:: Critical
CVE:: 2025-12057

WordPress Themes — 2 Patched / 2 Unpatched

Theme:: Tiger
Theme Slug:: tiger
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13675

Theme:: Tiger
Theme Slug:: tiger
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13680

Theme:: Houzez
Theme Slug:: houzez
Vulnerability:: PHP Object Injection
Patched in Version:: 4.1.7
Severity Score:: High
CVE:: 2025-9191

Theme:: Houzez
Theme Slug:: houzez
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.7
Severity Score:: High
CVE:: 2025-9163

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 63 Patched / 39 Unpatched

WordPress Themes — 2 Patched / 2 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026

WordPress Vulnerability Report — April 15, 2026

WordPress Vulnerability Report — April 8, 2026

WordPress Vulnerability Report — April 1, 2026