WordPress Vulnerability Report — August 6, 2025

Since last week, 133 new vulnerabilities have emerged in the WordPress ecosystem, including 119 plugins and 14 themes. 35 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Aug 6, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:25 min.

In this report, 133 vulnerabilities have been publicly disclosed. Security patches for 98 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 35 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 86 Patched / 33 Unpatched

2.1 Eventer
2.2 PressForward
2.3 360 Photo Spheres
2.4 Advanced Google Universal Analytics
2.5 Affiliate Plus
2.6 April Framework
2.7 April Framework
2.8 April Framework
2.9 Image Gallery
2.10 BeeTeam368 Extensions
2.11 Benaa Framework
2.12 Benaa Framework
2.13 Benaa Framework
2.14 Beyot Framework
2.15 Beyot Framework
2.16 Beyot Framework
2.17 Bonanza – WooCommerce Free Gifts Lite
2.18 Cube Portfolio
2.19 Custom Word Cloud
2.20 Fan Page
2.21 Auteur Framework
2.22 Auteur Framework
2.23 Auteur Framework
2.24 WP LOL Rotation
2.25 Magic Edge – Lite
2.26 Medical Addon for Elementor
2.27 Mmm Unity Loader
2.28 My Reservation System
2.29 SEO Metrics
2.30 Supermalink
2.31 TheBooking
2.32 Amazon Native Shopping Recommendations
2.33 YouTube Embed – YouTube Gallery, Vimeo Gallery – WordPress Plugin
2.34 Elementor Website Builder – More Than Just a Page Builder
2.35 Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
2.36 Smart Slider 3
2.37 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
2.38 Qi Addons For Elementor
2.39 AI Engine
2.40 GiveWP – Donation Plugin and Fundraising Platform
2.41 GiveWP – Donation Plugin and Fundraising Platform
2.42 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
2.43 Brizy – Page Builder
2.44 Customer Reviews for WooCommerce
2.45 HT Mega – Absolute Addons For Elementor
2.46 HT Mega – Absolute Addons For Elementor
2.47 HT Mega – Absolute Addons For Elementor
2.48 HT Mega – Absolute Addons For Elementor
2.49 Ocean Social Sharing
2.50 Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates)
2.51 WP Import Export Lite
2.52 WP Import Export Lite
2.53 NinjaScanner – Virus & Malware scan
2.54 Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks
2.55 Content Egg
2.56 BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
2.57 Classified Listing – Classified ads & Business Directory Plugin
2.58 Graphina – Elementor Charts and Graphs
2.59 myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
2.60 myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
2.61 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
2.62 ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
2.63 WP REST Cache
2.64 Motors – Car Dealership & Classified Listings Plugin
2.65 File Manager for Google Drive – Integrate Google Drive with WordPress
2.66 Event Booking Manager for WooCommerce – WpEvently
2.67 Easiest Funnel Builder For WordPress & WooCommerce, Specialized For Digital Creators – WPFunnels
2.68 Button Block – Get fully customizable & multi-functional buttons
2.69 Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
2.70 Simple File List
2.71 Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions
2.72 Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings
2.73 Magical Posts Display – Elementor Advanced Posts widgets
2.74 Chartify – WordPress Chart Plugin
2.75 Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
2.76 Product Configurator for WooCommerce
2.77 BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript
2.78 Connector for Gravity Forms and Google Sheets
2.79 Connector for Gravity Forms and Google Sheets
2.80 WP CTA
2.81 Online Booking & Scheduling Calendar for WordPress by vcita
2.82 Newsletters
2.83 oik
2.84 Realtyna Organic IDX plugin + WPL Real Estate
2.85 Sky Addons – Elementor Addons with Widgets & Templates
2.86 WP Modal Popup with Cookie Integration
2.87 Photo Engine (Media Organizer & Lightroom)
2.88 YITH WooCommerce Popup
2.89 Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
2.90 Custom API for WP
2.91 Easy Elementor Addons
2.92 Ebook Store
2.93 Product XML Feed Manager for WooCommerce – Google Shopping, Social Sites, Skroutz & More
2.94 StreamWeasels Twitch Integration
2.95 StreamWeasels YouTube Integration
2.96 All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
2.97 Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
2.98 SureDash
2.99 SureDash
2.100 DELUCKS SEO
2.101 BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security
2.102 BuddyPress XProfile Custom Image Field
2.103 Employee Directory – Staff Listing & Team Directory Plugin for WordPress
2.104 Google Map Targeting
2.105 Dataverse Integration
2.106 StreamWeasels Kick Integration
2.107 Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress
2.108 StoreKeeper for WooCommerce
2.109 Download Counter
2.110 Simple Contact Form Plugin for WordPress – WP Easy Contact
2.111 Appointment Booking Plugin for WordPress | Efficient Booking, Calendar & Client Scheduling – Bookify
2.112 Service Finder SMS System
2.113 Brave Conversion Engine (PRO)
2.114 JetEngine
2.115 JetTabs
2.116 RT-Theme 18 | Extensions
2.117 Super Store Finder
2.118 Use-your-Drive
2.119 Woffice Core

3. WordPress Themes — 12 Patched / 2 Unpatched

3.1 News Magazine X
3.2 Shopo
3.3 Appzend
3.4 Blogger Buzz
3.5 Alone
3.6 Bricks Builder
3.7 Cook&Meal
3.8 Druco
3.9 Exertio
3.10 KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme
3.11 MediCenter – Health Medical Clinic
3.12 MinimogWP
3.13 Platform
3.14 UpStore

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.2 was released on July 15, 2025. This maintenance release includes fixes for 20 Core tickets and 15 Block Editor issues. For a full list of bug fixes, please refer to the release candidate announcement.

WordPress Plugins — 86 Patched / 33 Unpatched

Plugin:: Eventer
Plugin Slug:: eventer
Installations: 1,000+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39483

Plugin:: PressForward
Plugin Slug:: pressforward
Installations: 200+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28987

Plugin:: 360 Photo Spheres
Plugin Slug:: 360-sphere-images
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4588

Plugin:: Advanced Google Universal Analytics
Plugin Slug:: advanced-google-universal-analytics
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28962

Plugin:: Affiliate Plus
Plugin Slug:: affiliate-plus
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7690

Plugin:: April Framework
Plugin Slug:: april-framework
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13418

Plugin:: April Framework
Plugin Slug:: april-framework
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13419

Plugin:: April Framework
Plugin Slug:: april-framework
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13420

Plugin:: Image Gallery
Plugin Slug:: bee-quick-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-8400

Plugin:: BeeTeam368 Extensions
Plugin Slug:: beeteam368-extensions
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-25174

Plugin:: Benaa Framework
Plugin Slug:: benaa-framework
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13418

Plugin:: Benaa Framework
Plugin Slug:: benaa-framework
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13419

Plugin:: Benaa Framework
Plugin Slug:: benaa-framework
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13420

Plugin:: Beyot Framework
Plugin Slug:: beyot-framework
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13418

Plugin:: Beyot Framework
Plugin Slug:: beyot-framework
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13419

Plugin:: Beyot Framework
Plugin Slug:: beyot-framework
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13420

Plugin:: Bonanza – WooCommerce Free Gifts Lite
Plugin Slug:: bonanza-woocommerce-free-gifts-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6730

Plugin:: Cube Portfolio
Plugin Slug:: cubeportfolio
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52823

Plugin:: Custom Word Cloud
Plugin Slug:: custom-word-cloud
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8317

Plugin:: Fan Page
Plugin Slug:: fan-page
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6681

Plugin:: Auteur Framework
Plugin Slug:: g5plus-auteur
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-13418

Plugin:: Auteur Framework
Plugin Slug:: g5plus-auteur
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13419

Plugin:: Auteur Framework
Plugin Slug:: g5plus-auteur
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13420

Plugin:: WP LOL Rotation
Plugin Slug:: league-of-legends-rotation
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49437

Plugin:: Magic Edge – Lite
Plugin Slug:: magic-edge-lite-image-background-remover
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8391

Plugin:: Medical Addon for Elementor
Plugin Slug:: medical-addon-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8212

Plugin:: Mmm Unity Loader
Plugin Slug:: mmm-unity-loader
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8399

Plugin:: My Reservation System
Plugin Slug:: my-reservation-system
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7022

Plugin:: SEO Metrics
Plugin Slug:: seo-metrics-helper
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6754

Plugin:: Supermalink
Plugin Slug:: supermalink
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49433

Plugin:: TheBooking
Plugin Slug:: thebooking
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52801

Plugin:: Amazon Native Shopping Recommendations
Plugin Slug:: woozone-contextual
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30633

Plugin:: YouTube Embed – YouTube Gallery, Vimeo Gallery – WordPress Plugin
Plugin Slug:: youram-youtube-embed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6692

Plugin:: Elementor Website Builder – More Than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.30.3
Severity Score:: Medium
CVE:: 2025-4566

Plugin:: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
Plugin Slug:: header-footer-elementor
Installations: 2,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.7
Severity Score:: Medium
CVE:: 2025-8488

Plugin:: Smart Slider 3
Plugin Slug:: smart-slider-3
Installations: 900,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.5.1.29
Severity Score:: High
CVE:: 2025-6348

Plugin:: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Plugin Slug:: metform
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.2
Severity Score:: Medium
CVE:: 2025-5684

Plugin:: Qi Addons For Elementor
Plugin Slug:: qi-addons-for-elementor
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2025-8146

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.9.5
Severity Score:: Critical
CVE:: 2025-7847

Plugin:: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.6.1
Severity Score:: High

Plugin:: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.0
Severity Score:: Medium
CVE:: 2025-7205

Plugin:: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.11
Severity Score:: Medium
CVE:: 2025-7646

Plugin:: Brizy – Page Builder
Plugin Slug:: brizy
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.21
Severity Score:: Medium
CVE:: 2025-4370

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.81.0
Severity Score:: High
CVE:: 2025-5720

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 80,000+
Vulnerability:: Path Traversal
Patched in Version:: 2.9.2
Severity Score:: Medium
CVE:: 2025-8151

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 80,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.9.2
Severity Score:: Medium
CVE:: 2025-8401

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.2
Severity Score:: Medium
CVE:: 2025-8068

Plugin:: HT Mega – Absolute Addons For Elementor
Plugin Slug:: ht-mega-for-elementor
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.1
Severity Score:: Medium
CVE:: 2025-54695

Plugin:: Ocean Social Sharing
Plugin Slug:: ocean-social-sharing
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-7500

Plugin:: Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates)
Plugin Slug:: sina-extension-for-elementor
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.1
Severity Score:: Medium
CVE:: 2025-6228

Plugin:: WP Import Export Lite
Plugin Slug:: wp-import-export-lite
Installations: 50,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.9.30
Severity Score:: Critical
CVE:: 2025-5061

Plugin:: WP Import Export Lite
Plugin Slug:: wp-import-export-lite
Installations: 50,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.9.29
Severity Score:: Critical
CVE:: 2025-6207

Plugin:: NinjaScanner – Virus & Malware scan
Plugin Slug:: ninjascanner
Installations: 30,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.2.6
Severity Score:: Medium
CVE:: 2025-8213

Plugin:: Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks
Plugin Slug:: advanced-gutenberg
Installations: 20,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.3.2
Severity Score:: High
CVE:: 2025-48332

Plugin:: Content Egg
Plugin Slug:: content-egg
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 8.0.0
Severity Score:: High
CVE:: 2025-47536

Plugin:: BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed
Plugin Slug:: blockspare
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.13.2
Severity Score:: Medium
CVE:: 2025-4684

Plugin:: Classified Listing – Classified ads & Business Directory Plugin
Plugin Slug:: classified-listing
Installations: 10,000+
Vulnerability:: Content Injection
Patched in Version:: 5.0.1
Severity Score:: Medium
CVE:: 2025-54698

Plugin:: Graphina – Elementor Charts and Graphs
Plugin Slug:: graphina-elementor-charts-and-graphs
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.1.2
Severity Score:: High
CVE:: 2025-23968

Plugin:: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Plugin Slug:: mycred
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.4.4
Severity Score:: Medium
CVE:: 2025-54668

Plugin:: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Plugin Slug:: mycred
Installations: 10,000+
Vulnerability:: Race Condition
Patched in Version:: 2.9.4.4
Severity Score:: Medium
CVE:: 2025-54667

Plugin:: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Plugin Slug:: paid-member-subscriptions
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.15.5
Severity Score:: High
CVE:: 2025-54017

Plugin:: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
Plugin Slug:: shortpixel-adaptive-images
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.5
Severity Score:: Medium
CVE:: 2025-6626

Plugin:: WP REST Cache
Plugin Slug:: wp-rest-cache
Installations: 10,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 2025.1.1
Severity Score:: High
CVE:: 2025-52716

Plugin:: Motors – Car Dealership & Classified Listings Plugin
Plugin Slug:: motors-car-dealership-classified-listings
Installations: 9,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.4.81
Severity Score:: Medium
CVE:: 2025-54691

Plugin:: File Manager for Google Drive – Integrate Google Drive with WordPress
Plugin Slug:: integrate-google-drive
Installations: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-54703

Plugin:: Event Booking Manager for WooCommerce – WpEvently
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.7
Severity Score:: Medium
CVE:: 2025-54705

Plugin:: Easiest Funnel Builder For WordPress & WooCommerce, Specialized For Digital Creators – WPFunnels
Plugin Slug:: wpfunnels
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.27
Severity Score:: Medium
CVE:: 2025-54696

Plugin:: Button Block – Get fully customizable & multi-functional buttons
Plugin Slug:: button-block
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.1
Severity Score:: Medium
CVE:: 2025-54694

Plugin:: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Plugin Slug:: magical-addons-for-elementor
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.9
Severity Score:: Medium
CVE:: 2025-8196

Plugin:: Simple File List
Plugin Slug:: simple-file-list
Installations: 5,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 6.1.15
Severity Score:: High
CVE:: 2025-54021

Plugin:: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions
Plugin Slug:: wp-memory
Installations: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.99
Severity Score:: Medium
CVE:: 2025-8104

Plugin:: Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings
Plugin Slug:: hydra-booking
Installations: 4,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.19
Severity Score:: High
CVE:: 2025-7689

Plugin:: Magical Posts Display – Elementor Advanced Posts widgets
Plugin Slug:: magical-posts-display
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.53
Severity Score:: Medium
CVE:: 2025-54706

Plugin:: Chartify – WordPress Chart Plugin
Plugin Slug:: chart-builder
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.5.4
Severity Score:: Medium
CVE:: 2025-54673

Plugin:: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
Plugin Slug:: learning-management-system
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.18.4
Severity Score:: Medium
CVE:: 2025-54699

Plugin:: Product Configurator for WooCommerce
Plugin Slug:: product-configurator-for-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5.0
Severity Score:: Medium
CVE:: 2025-54674

Plugin:: BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript
Plugin Slug:: searchpro
Installations: 3,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.2.44
Severity Score:: Critical
CVE:: 2025-7443

Plugin:: Connector for Gravity Forms and Google Sheets
Plugin Slug:: wp-gravity-forms-spreadsheets
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.5
Severity Score:: Medium
CVE:: 2025-54682

Plugin:: Connector for Gravity Forms and Google Sheets
Plugin Slug:: wp-gravity-forms-spreadsheets
Installations: 3,000+
Vulnerability:: Open Redirection
Patched in Version:: 1.2.5
Severity Score:: Medium
CVE:: 2025-54681

Plugin:: WP CTA
Plugin Slug:: easy-sticky-sidebar
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.1
Severity Score:: Medium
CVE:: 2025-8152

Plugin:: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug:: meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.5
Severity Score:: Medium
CVE:: 2025-54676

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.11
Severity Score:: High
CVE:: 2025-54034

Plugin:: oik
Plugin Slug:: oik
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.15.3
Severity Score:: Medium
CVE:: 2025-54671

Plugin:: Realtyna Organic IDX plugin + WPL Real Estate
Plugin Slug:: real-estate-listing-realtyna-wpl
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.0.1
Severity Score:: High
CVE:: 2025-54052

Plugin:: Sky Addons – Elementor Addons with Widgets & Templates
Plugin Slug:: sky-elementor-addons
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.0
Severity Score:: Medium
CVE:: 2025-8216

Plugin:: WP Modal Popup with Cookie Integration
Plugin Slug:: wp-modal-popup-with-cookie-integration
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5
Severity Score:: Medium
CVE:: 2025-54683

Plugin:: Photo Engine (Media Organizer & Lightroom)
Plugin Slug:: wplr-sync
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.4.4
Severity Score:: Medium
CVE:: 2025-54672

Plugin:: YITH WooCommerce Popup
Plugin Slug:: yith-woocommerce-popup
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.48.1
Severity Score:: Medium
CVE:: 2025-54675

Plugin:: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 26.1.1
Severity Score:: High
CVE:: 2025-7725

Plugin:: Custom API for WP
Plugin Slug:: custom-api-for-wp
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.2.3
Severity Score:: Critical
CVE:: 2025-54049

Plugin:: Easy Elementor Addons
Plugin Slug:: easy-elementor-addons
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.7
Severity Score:: Medium
CVE:: 2025-54704

Plugin:: Ebook Store
Plugin Slug:: ebook-store
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.8014
Severity Score:: Medium
CVE:: 2025-54702

Plugin:: Product XML Feed Manager for WooCommerce – Google Shopping, Social Sites, Skroutz & More
Plugin Slug:: product-xml-feeds-for-woocommerce
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.9.4
Severity Score:: Critical
CVE:: 2025-49887

Plugin:: StreamWeasels Twitch Integration
Plugin Slug:: streamweasels-twitch-integration
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.4
Severity Score:: Medium
CVE:: 2025-7809

Plugin:: StreamWeasels YouTube Integration
Plugin Slug:: streamweasels-youtube-integration
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.1
Severity Score:: Medium
CVE:: 2025-7811

Plugin:: All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
Plugin Slug:: aio-time-clock-lite
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-6832

Plugin:: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
Plugin Slug:: cf7-constant-contact
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2025-54684

Plugin:: SureDash
Plugin Slug:: suredash
Installations: 600+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2025-54685

Plugin:: SureDash
Plugin Slug:: suredash
Installations: 600+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.0
Severity Score:: High
CVE:: 2025-48164

Plugin:: DELUCKS SEO
Plugin Slug:: delucks-seo
Installations: 500+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.6.1
Severity Score:: High
CVE:: 2025-48165

Plugin:: BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security
Plugin Slug:: bitfire
Installations: 400+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.6
Severity Score:: Medium
CVE:: 2025-6722

Plugin:: BuddyPress XProfile Custom Image Field
Plugin Slug:: buddypress-xprofile-image-field
Installations: 300+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.1.0
Severity Score:: High
CVE:: 2025-48158

Plugin:: Employee Directory – Staff Listing & Team Directory Plugin for WordPress
Plugin Slug:: employee-directory
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.2
Severity Score:: Medium
CVE:: 2025-8295

Plugin:: Google Map Targeting
Plugin Slug:: gmap-targeting
Installations: 100+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.7
Severity Score:: High
CVE:: 2025-52732

Plugin:: Dataverse Integration
Plugin Slug:: integration-cds
Installations: 100+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.81.1
Severity Score:: High
CVE:: 2025-7695

Plugin:: StreamWeasels Kick Integration
Plugin Slug:: streamweasels-kick-integration
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2025-7810

Plugin:: Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress
Plugin Slug:: campus-directory
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.2
Severity Score:: Medium
CVE:: 2025-8313

Plugin:: StoreKeeper for WooCommerce
Plugin Slug:: storekeeper-for-woocommerce
Installations: 50+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 14.4.5
Severity Score:: Critical
CVE:: 2025-48148

Plugin:: Download Counter
Plugin Slug:: download-counter
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2025-8294

Plugin:: Simple Contact Form Plugin for WordPress – WP Easy Contact
Plugin Slug:: wp-easy-contact
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.2
Severity Score:: Medium
CVE:: 2025-8315

Plugin:: Appointment Booking Plugin for WordPress | Efficient Booking, Calendar & Client Scheduling – Bookify
Plugin Slug:: bookify
Installations: 20+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.10
Severity Score:: High
CVE:: 2025-48142

Plugin:: Service Finder SMS System
Plugin Slug:: aone-sms
Vulnerability:: Privilege Escalation
Patched in Version:: 3.0.0
Severity Score:: Critical
CVE:: 2025-5954

Plugin:: Brave Conversion Engine (PRO)
Plugin Slug:: bravepopup-pro
Vulnerability:: Broken Authentication
Patched in Version:: 0.8.0
Severity Score:: Critical
CVE:: 2025-7710

Plugin:: JetEngine
Plugin Slug:: jet-engine
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.2
Severity Score:: Medium
CVE:: 2025-54688

Plugin:: JetTabs
Plugin Slug:: jet-tabs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.9.2
Severity Score:: Medium
CVE:: 2025-54687

Plugin:: RT-Theme 18 | Extensions
Plugin Slug:: rt18-extensions
Vulnerability:: Local File Inclusion
Patched in Version:: 2.5
Severity Score:: High
CVE:: 2025-32288

Plugin:: Super Store Finder
Plugin Slug:: superstorefinder-wp
Vulnerability:: SQL Injection
Patched in Version:: 7.6
Severity Score:: Critical
CVE:: 2025-52720

Plugin:: Use-your-Drive
Plugin Slug:: use-your-drive
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.2
Severity Score:: High
CVE:: 2025-7050

Plugin:: Woffice Core
Plugin Slug:: woffice-core
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.4.27
Severity Score:: Medium
CVE:: 2025-7694

WordPress Themes — 12 Patched / 2 Unpatched

Theme:: News Magazine X
Theme Slug:: news-magazine-x
Downloads: 28,695
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24766

Theme:: Shopo
Theme Slug:: shopo
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31048

Theme:: Appzend
Theme Slug:: appzend
Downloads: 23,837
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2025-5587

Theme:: Blogger Buzz
Theme Slug:: blogger-buzz
Downloads: 52,137
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2025-54680

Theme:: Alone
Theme Slug:: alone
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 7.8.5
Severity Score:: Medium
CVE:: 2025-54019

Theme:: Bricks Builder
Theme Slug:: bricks
Vulnerability:: SQL Injection
Patched in Version:: 2.0
Severity Score:: Critical
CVE:: 2025-6495

Theme:: Cook&Meal
Theme Slug:: cookandmeal
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.4
Severity Score:: High
CVE:: 2025-48149

Theme:: Druco
Theme Slug:: druco
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: High
CVE:: 2025-54055

Theme:: Exertio
Theme Slug:: exertio
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3.3
Severity Score:: Critical
CVE:: 2025-54686

Theme:: KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme
Theme Slug:: kallyas
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 4.22.0
Severity Score:: High
CVE:: 2025-6989

Theme:: MediCenter – Health Medical Clinic
Theme Slug:: medicenter
Vulnerability:: PHP Object Injection
Patched in Version:: 15.2
Severity Score:: Critical
CVE:: 2025-54014

Theme:: MinimogWP
Theme Slug:: minimog
Vulnerability:: Content Injection
Patched in Version:: 3.9.1
Severity Score:: High
CVE:: 2025-8198

Theme:: Platform
Theme Slug:: platform
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.4
Severity Score:: Critical
CVE:: 2015-10143

Theme:: UpStore
Theme Slug:: upstore
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1
Severity Score:: High
CVE:: 2025-48296

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 86 Patched / 33 Unpatched

WordPress Themes — 12 Patched / 2 Unpatched