WordPress Vulnerability Report — December 24, 2025

Since last week, 150 new vulnerabilities have emerged in the WordPress ecosystem, including 140 plugins and 10 themes. Of those, 26 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Dec 24, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:30 min.

In this report, 150 vulnerabilities have been publicly disclosed. Security patches for 124 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 26 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 114 Patched / 26 Unpatched

2.1 Health Check & Troubleshooting
2.2 Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
2.3 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
2.4 WCFM Marketplace – Multivendor Marketplace for WooCommerce
2.5 Doubly – Cross Domain Copy Paste for WordPress
2.6 Read More & Accordion
2.7 Protect WP Admin
2.8 Pretty Google Calendar
2.9 Meks Quick Plugin Disabler
2.10 Semrush Content Toolkit
2.11 Yaad Sarig Payment Gateway For WC
2.12 FAPI Member
2.13 JAY Login & Register
2.14 Amazon affiliate lite
2.15 Amazon affiliate lite
2.16 URL Shortener
2.17 F70 Lead Document Download
2.18 HelloLeads CRM Form Shortcode
2.19 ?????? ????? ??????? ??? ???? ?? (????) payamito sms woocommerce
2.20 Postem Ipsum
2.21 Quran Gateway
2.22 RESPONSIVE AND SWIPE SLIDER!
2.23 WooMulti
2.24 WP DB Booster
2.25 WP3D Model Import Viewer
2.26 WPS Visitor Counter
2.27 Elementor Website Builder – More Than Just a Page Builder
2.28 WooCommerce
2.29 Essential Addons for Elementor – Popular Elementor Templates & Widgets
2.30 Premium Addons for Elementor – Powerful Elementor Templates & Widgets
2.31 Ninja Forms – The Contact Form Builder That Grows With You
2.32 Royal Addons for Elementor – Addons and Templates Kit for Elementor
2.33 Converter for Media – Optimize images | Convert WebP & AVIF
2.34 Happy Addons for Elementor
2.35 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
2.36 Newsletter – Send awesome emails from WordPress
2.37 Admin and Site Enhancements (ASE)
2.38 Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
2.39 FileBird – WordPress Media Library Folders & File Manager
2.40 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
2.41 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
2.42 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
2.43 User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
2.44 Addon Elements for Elementor (formerly Elementor Addon Elements)
2.45 FiboSearch – Ajax Search for WooCommerce
2.46 Prime Slider – Addons for Elementor
2.47 Beaver Builder Page Builder – Drag and Drop Website Builder
2.48 Colibri Page Builder
2.49 Login Lockdown & Protection
2.50 Image Gallery – Photo Grid & Video Gallery
2.51 Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
2.52 HUSKY – Products Filter Professional for WooCommerce
2.53 Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN
2.54 LearnPress – WordPress LMS Plugin
2.55 LearnPress – WordPress LMS Plugin
2.56 Ninja Tables – Easy Data Table Builder
2.57 OneSignal – Web Push Notifications
2.58 SlimStat Analytics
2.59 Events Manager – Calendar, Bookings, Tickets, and more!
2.60 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
2.61 User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
2.62 Auto Featured Image (Auto Post Thumbnail)
2.63 Booking Calendar
2.64 Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files
2.65 Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
2.66 WP Recipe Maker
2.67 Download Plugins and Themes in ZIP from Dashboard
2.68 Themify Portfolio Post
2.69 ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
2.70 MailerLite – WooCommerce integration
2.71 WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets
2.72 WP Visitor Statistics (Real Time Traffic)
2.73 Image Photo Gallery Final Tiles Grid
2.74 My Calendar – Accessible Event Manager
2.75 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
2.76 wpForo Forum
2.77 Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates
2.78 BA Book Everything
2.79 Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
2.80 Business Directory Plugin – Easy Listing Directories for WordPress
2.81 CC Child Pages
2.82 OpenID Connect Generic Client
2.83 Demo Importer Plus
2.84 FluentAuth – The Ultimate Authorization & Security Plugin for WordPress
2.85 Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
2.86 Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
2.87 Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
2.88 HandL UTM Grabber / Tracker
2.89 HTML Forms – Simple WordPress Forms Plugin
2.90 HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player
2.91 JetWidgets For Elementor
2.92 Lightweight Accordion
2.93 Live Composer – Free WordPress Website Builder
2.94 myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
2.95 Real 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder
2.96 Membership Plugin – Restrict Content
2.97 WP-ShowHide
2.98 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
2.99 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
2.100 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
2.101 Multi-Step Checkout for WooCommerce
2.102 Social Media Auto Publish
2.103 Calendar
2.104 Export WP Pages to HTML & PDF – Simply Create a Static Website
2.105 Booking calendar, Appointment Booking System
2.106 Watu Quiz
2.107 Filter & Grids
2.108 Document Library Lite
2.109 Document Library Lite
2.110 Sitewide Notice WP
2.111 Easy Appointment Booking & Scheduling System – Webba Booking Calendar
2.112 WP Directory Kit
2.113 UseStrict’s Calendly Embedder
2.114 Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder
2.115 Simple Link Directory
2.116 Simple Link Directory
2.117 VK Google Job Posting Manager
2.118 CWW Companion
2.119 WP to LinkedIn Auto Publish
2.120 AI-Powered Business Directory and Classified Ads Listings – Listdom
2.121 Request a Quote Form Plugin – Price Quote Request Management Made Easy
2.122 WPCOM Member
2.123 Zephyr Project Manager
2.124 Highlight and Share – Social Text and Image Sharing
2.125 WP eBay Product Feeds
2.126 Appointment Booking and Scheduler Plugin – Truebooker
2.127 Easy Invoice – PDF Invoice Generator & Quote Builder
2.128 Wbcom Designs – Private Community for BuddyPress
2.129 Rencontre – Dating Site
2.130 Sweet Energy Efficiency
2.131 Fox LMS – WordPress LMS Plugin
2.132 Simple Folio
2.133 Photo Block – A Modern Image Block With Lightbox and Caption Support
2.134 Dokan Pro
2.135 Fancy Product Designer
2.136 Fancy Product Designer
2.137 Fancy Product Designer
2.138 Image Caption Hover Pro
2.139 ModelTheme Addons for WPBakery and Elementor
2.140 User Extra Fields

3. WordPress Themes — 10 Patched / 0 Unpatched

3.1 Besa
3.2 ekommart
3.3 Fashion
3.4 Hara
3.5 Kerge
3.6 Sailing
3.7 Sailing
3.8 Sober
3.9 Urna
3.10 Wilmër

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins — 114 Patched / 26 Unpatched

Plugin:: Health Check & Troubleshooting
Plugin Slug:: health-check
Installations: 300,000+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64253

Plugin:: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Plugin Slug:: directorist
Installations: 20,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64250

Plugin:: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug:: wc-frontend-manager
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-54004

Plugin:: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Plugin Slug:: wc-multivendor-marketplace
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64631

Plugin:: Doubly – Cross Domain Copy Paste for WordPress
Plugin Slug:: doubly
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14476

Plugin:: Read More & Accordion
Plugin Slug:: expand-maker
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64247

Plugin:: Protect WP Admin
Plugin Slug:: protect-wp-admin
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64249

Plugin:: Pretty Google Calendar
Plugin Slug:: pretty-google-calendar
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12898

Plugin:: Meks Quick Plugin Disabler
Plugin Slug:: meks-quick-plugin-disabler
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68083

Plugin:: Semrush Content Toolkit
Plugin Slug:: semrush-contentshake
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68082

Plugin:: Yaad Sarig Payment Gateway For WC
Plugin Slug:: yaad-sarig-payment-gateway-for-wc
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66131

Plugin:: FAPI Member
Plugin Slug:: fapi-member
Installations: 500+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66132

Plugin:: JAY Login & Register
Plugin Slug:: jay-login-register
Installations: 40+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-14440

Plugin:: Amazon affiliate lite
Plugin Slug:: afiliados-de-amazon-lite
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14734

Plugin:: Amazon affiliate lite
Plugin Slug:: afiliados-de-amazon-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14735

Plugin:: URL Shortener
Plugin Slug:: exact-links
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-10738

Plugin:: F70 Lead Document Download
Plugin Slug:: f70-lead-document-download
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14633

Plugin:: HelloLeads CRM Form Shortcode
Plugin Slug:: hls-crm-form-shortcode
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12696

Plugin:: ?????? ????? ??????? ??? ???? ?? (????) payamito sms woocommerce
Plugin Slug:: payamito-sms-woocommerce
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13077

Plugin:: Postem Ipsum
Plugin Slug:: postem-ipsum
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-14397

Plugin:: Quran Gateway
Plugin Slug:: quran-gateway
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14164

Plugin:: RESPONSIVE AND SWIPE SLIDER!
Plugin Slug:: responsive-and-swipe-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14721

Plugin:: WooMulti
Plugin Slug:: woomulti
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12835

Plugin:: WP DB Booster
Plugin Slug:: wp-db-booster
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-14168

Plugin:: WP3D Model Import Viewer
Plugin Slug:: wp3d-model-import-block
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13094

Plugin:: WPS Visitor Counter
Plugin Slug:: wps-visitor-counter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-9116

Plugin:: Elementor Website Builder – More Than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.33.4
Severity Score:: Medium
CVE:: 2025-11220

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 7,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.4.3
Severity Score:: Medium
CVE:: 2025-15033

Plugin:: Essential Addons for Elementor – Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.4
Severity Score:: Medium
CVE:: 2025-13977

Plugin:: Premium Addons for Elementor – Powerful Elementor Templates & Widgets
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.11.54
Severity Score:: Medium
CVE:: 2025-14163

Plugin:: Ninja Forms – The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 600,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.13.3
Severity Score:: High
CVE:: 2025-11924

Plugin:: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.1037
Severity Score:: Medium
CVE:: 2025-11363

Plugin:: Converter for Media – Optimize images | Convert WebP & AVIF
Plugin Slug:: webp-converter-for-media
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.4.0
Severity Score:: Medium
CVE:: 2025-13750

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.20.4
Severity Score:: Medium
CVE:: 2025-14635

Plugin:: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations: 400,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.0.0
Severity Score:: High
CVE:: 2025-13641

Plugin:: Newsletter – Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: SQL Injection
Patched in Version:: 9.1.0
Severity Score:: High
CVE:: 2025-67999

Plugin:: Admin and Site Enhancements (ASE)
Plugin Slug:: admin-site-enhancements
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.1.0
Severity Score:: Low
CVE:: 2025-64255

Plugin:: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
Plugin Slug:: essential-blocks
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.3
Severity Score:: Medium
CVE:: 2025-11369

Plugin:: FileBird – WordPress Media Library Folders & File Manager
Plugin Slug:: filebird
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.2
Severity Score:: Medium
CVE:: 2025-12900

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.11.1
Severity Score:: Medium
CVE:: 2025-12492

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.11.1
Severity Score:: Medium
CVE:: 2025-14081

Plugin:: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug:: ultimate-member
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.1
Severity Score:: Medium
CVE:: 2025-13217

Plugin:: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Plugin Slug:: userfeedback-lite
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.10.1
Severity Score:: High
CVE:: 2025-68496

Plugin:: Addon Elements for Elementor (formerly Elementor Addon Elements)
Plugin Slug:: addon-elements-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.14.4
Severity Score:: Medium
CVE:: 2025-12537

Plugin:: FiboSearch – Ajax Search for WooCommerce
Plugin Slug:: ajax-search-for-woocommerce
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.32.1
Severity Score:: Medium
CVE:: 2025-14298

Plugin:: Prime Slider – Addons for Elementor
Plugin Slug:: bdthemes-prime-slider-lite
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.1.0
Severity Score:: Medium
CVE:: 2025-14277

Plugin:: Beaver Builder Page Builder – Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.2
Severity Score:: High
CVE:: 2025-12934

Plugin:: Colibri Page Builder
Plugin Slug:: colibri-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.358
Severity Score:: Medium
CVE:: 2025-11747

Plugin:: Login Lockdown & Protection
Plugin Slug:: login-lockdown
Installations: 100,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.15
Severity Score:: Medium
CVE:: 2025-11707

Plugin:: Image Gallery – Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.13.4
Severity Score:: Medium
CVE:: 2025-14003

Plugin:: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Plugin Slug:: post-expirator
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.3
Severity Score:: Medium
CVE:: 2025-13741

Plugin:: HUSKY – Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.7.4
Severity Score:: Medium
CVE:: 2025-13110

Plugin:: Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN
Plugin Slug:: hummingbird-performance
Installations: 80,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.18.1
Severity Score:: High
CVE:: 2025-14437

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.2
Severity Score:: Medium
CVE:: 2025-14387

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.2
Severity Score:: Medium
CVE:: 2025-13956

Plugin:: Ninja Tables – Easy Data Table Builder
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.2.4
Severity Score:: High
CVE:: 2025-67519

Plugin:: OneSignal – Web Push Notifications
Plugin Slug:: onesignal-free-web-push-notifications
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.2
Severity Score:: Medium
CVE:: 2025-13950

Plugin:: SlimStat Analytics
Plugin Slug:: wp-slimstat
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.3
Severity Score:: High
CVE:: 2025-14151

Plugin:: Events Manager – Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.2.3
Severity Score:: Medium
CVE:: 2025-12976

Plugin:: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Plugin Slug:: simply-schedule-appointments
Installations: 70,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.9.17
Severity Score:: Medium
CVE:: 2025-13754

Plugin:: User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
Plugin Slug:: user-registration
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.7
Severity Score:: Medium
CVE:: 2025-13367

Plugin:: Auto Featured Image (Auto Post Thumbnail)
Plugin Slug:: auto-post-thumbnail
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2025-13794

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: 10.14.9
Severity Score:: Critical
CVE:: 2025-14383

Plugin:: Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files
Plugin Slug:: embed-any-document
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.11
Severity Score:: Medium
CVE:: 2025-12885

Plugin:: Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
Plugin Slug:: woocommerce-google-adwords-conversion-tracking-tag
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.52.0
Severity Score:: Medium
CVE:: 2025-67564

Plugin:: WP Recipe Maker
Plugin Slug:: wp-recipe-maker
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.2.4
Severity Score:: Medium
CVE:: 2025-14385

Plugin:: Download Plugins and Themes in ZIP from Dashboard
Plugin Slug:: download-plugins-dashboard
Installations: 30,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9.7
Severity Score:: Medium
CVE:: 2025-14399

Plugin:: Themify Portfolio Post
Plugin Slug:: themify-portfolio-post
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-67533

Plugin:: ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Plugin Slug:: thirstyaffiliates
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.11.9
Severity Score:: Medium
CVE:: 2025-67537

Plugin:: MailerLite – WooCommerce integration
Plugin Slug:: woo-mailerlite
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.4
Severity Score:: Medium

Plugin:: WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets
Plugin Slug:: wp-social-reviews
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.2
Severity Score:: Medium
CVE:: 2025-13880

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.4
Severity Score:: Medium
CVE:: 2025-67983

Plugin:: Image Photo Gallery Final Tiles Grid
Plugin Slug:: final-tiles-grid-gallery-lite
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.8
Severity Score:: Medium
CVE:: 2025-14455

Plugin:: My Calendar – Accessible Event Manager
Plugin Slug:: my-calendar
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.17
Severity Score:: Medium
CVE:: 2025-67592

Plugin:: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.49
Severity Score:: Medium
CVE:: 2025-67593

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.4.13
Severity Score:: Critical
CVE:: 2025-13126

Plugin:: Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates
Plugin Slug:: animation-addons-for-elementor
Installations: 10,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 2.4.6
Severity Score:: Medium
CVE:: 2025-67540

Plugin:: BA Book Everything
Plugin Slug:: ba-book-everything
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.15
Severity Score:: Medium
CVE:: 2025-14449

Plugin:: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Plugin Slug:: bp-better-messages
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.3
Severity Score:: High
CVE:: 2025-14154

Plugin:: Business Directory Plugin – Easy Listing Directories for WordPress
Plugin Slug:: business-directory-plugin
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.4.20
Severity Score:: Medium
CVE:: 2025-64630

Plugin:: CC Child Pages
Plugin Slug:: cc-child-pages
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2025-13608

Plugin:: OpenID Connect Generic Client
Plugin Slug:: daggerhart-openid-connect-generic
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.1
Severity Score:: Medium
CVE:: 2025-13730

Plugin:: Demo Importer Plus
Plugin Slug:: demo-importer-plus
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.9
Severity Score:: High
CVE:: 2025-14364

Plugin:: FluentAuth – The Ultimate Authorization & Security Plugin for WordPress
Plugin Slug:: fluent-security
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2025-13728

Plugin:: Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Plugin Slug:: gdpr-cookie-consent
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.8
Severity Score:: Medium
CVE:: 2025-14061

Plugin:: Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Plugin Slug:: gdpr-cookie-consent
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.8
Severity Score:: Medium
CVE:: 2025-66133

Plugin:: Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
Plugin Slug:: gutenverse-form
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.2
Severity Score:: Medium
CVE:: 2025-68511

Plugin:: HandL UTM Grabber / Tracker
Plugin Slug:: handl-utm-grabber
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.1
Severity Score:: High
CVE:: 2025-13073

Plugin:: HTML Forms – Simple WordPress Forms Plugin
Plugin Slug:: html-forms
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2025-13861

Plugin:: HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player
Plugin Slug:: html5-audio-player
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.5.2
Severity Score:: High
CVE:: 2025-13999

Plugin:: JetWidgets For Elementor
Plugin Slug:: jetwidgets-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.21
Severity Score:: Medium
CVE:: 2025-8195

Plugin:: Lightweight Accordion
Plugin Slug:: lightweight-accordion
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.0
Severity Score:: Medium
CVE:: 2025-13740

Plugin:: Live Composer – Free WordPress Website Builder
Plugin Slug:: live-composer-page-builder
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.3
Severity Score:: Medium
CVE:: 2025-13537

Plugin:: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
Plugin Slug:: mycred
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.7.2
Severity Score:: Medium
CVE:: 2025-12361

Plugin:: Real 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder
Plugin Slug:: real3d-flipbook-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.16.4
Severity Score:: Medium
CVE:: 2025-68512

Plugin:: Membership Plugin – Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.16
Severity Score:: Medium
CVE:: 2025-14000

Plugin:: WP-ShowHide
Plugin Slug:: wp-showhide
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.06
Severity Score:: Medium
CVE:: 2025-67541

Plugin:: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug:: custom-registration-form-builder-with-submission-manager
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.6.8
Severity Score:: Medium
CVE:: 2025-13610

Plugin:: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.35.2
Severity Score:: Medium
CVE:: 2025-68517

Plugin:: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.35.2
Severity Score:: Medium
CVE:: 2025-68516

Plugin:: Multi-Step Checkout for WooCommerce
Plugin Slug:: wp-multi-step-checkout
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.34
Severity Score:: Medium
CVE:: 2025-67542

Plugin:: Social Media Auto Publish
Plugin Slug:: social-media-auto-publish
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.6
Severity Score:: High
CVE:: 2025-12076

Plugin:: Calendar
Plugin Slug:: calendar
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.17
Severity Score:: Medium
CVE:: 2025-14548

Plugin:: Export WP Pages to HTML & PDF – Simply Create a Static Website
Plugin Slug:: export-wp-page-to-static-html
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.0.0
Severity Score:: Critical
CVE:: 2025-11693

Plugin:: Booking calendar, Appointment Booking System
Plugin Slug:: booking-calendar
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.31
Severity Score:: Medium
CVE:: 2025-67574

Plugin:: Watu Quiz
Plugin Slug:: watu
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.5.1
Severity Score:: Medium
CVE:: 2025-67976

Plugin:: Filter & Grids
Plugin Slug:: ymc-smart-filter
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.2.1
Severity Score:: Critical
CVE:: 2025-10289

Plugin:: Document Library Lite
Plugin Slug:: document-library-lite
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2025-67986

Plugin:: Document Library Lite
Plugin Slug:: document-library-lite
Installations: 3,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2025-67985

Plugin:: Sitewide Notice WP
Plugin Slug:: sitewide-notice-wp
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2025-67575

Plugin:: Easy Appointment Booking & Scheduling System – Webba Booking Calendar
Plugin Slug:: webba-booking-lite
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.2.2
Severity Score:: Medium
CVE:: 2025-66530

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.8
Severity Score:: Critical
CVE:: 2025-13089

Plugin:: UseStrict’s Calendly Embedder
Plugin Slug:: cal-embedder-lite
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2
Severity Score:: Medium
CVE:: 2025-67555

Plugin:: Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder
Plugin Slug:: easy-form-builder
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.21
Severity Score:: Medium
CVE:: 2025-67577

Plugin:: Simple Link Directory
Plugin Slug:: simple-link-directory
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2025-67465

Plugin:: Simple Link Directory
Plugin Slug:: simple-link-directory
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.8.4
Severity Score:: Medium
CVE:: 2025-67576

Plugin:: VK Google Job Posting Manager
Plugin Slug:: vk-google-job-posting-manager
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.23
Severity Score:: Medium
CVE:: 2025-68070

Plugin:: CWW Companion
Plugin Slug:: cww-companion
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2025-67473

Plugin:: WP to LinkedIn Auto Publish
Plugin Slug:: linkedin-auto-publish
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.9
Severity Score:: High
CVE:: 2025-12077

Plugin:: AI-Powered Business Directory and Classified Ads Listings – Listdom
Plugin Slug:: listdom
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.0
Severity Score:: Medium
CVE:: 2025-67560

Plugin:: Request a Quote Form Plugin – Price Quote Request Management Made Easy
Plugin Slug:: request-a-quote
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.4
Severity Score:: Medium
CVE:: 2025-64248

Plugin:: WPCOM Member
Plugin Slug:: wpcom-member
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.7.17
Severity Score:: High
CVE:: 2025-14002

Plugin:: Zephyr Project Manager
Plugin Slug:: zephyr-project-manager
Installations: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.3.204
Severity Score:: Medium
CVE:: 2025-12496

Plugin:: Highlight and Share – Social Text and Image Sharing
Plugin Slug:: highlight-and-share
Installations: 900+
Vulnerability:: Broken Access Control
Patched in Version:: 5.3.0
Severity Score:: Medium
CVE:: 2025-67586

Plugin:: WP eBay Product Feeds
Plugin Slug:: ebay-feeds-for-wordpress
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.10
Severity Score:: Medium
CVE:: 2025-67557

Plugin:: Appointment Booking and Scheduler Plugin – Truebooker
Plugin Slug:: truebooker-appointment-booking
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-67581

Plugin:: Easy Invoice – PDF Invoice Generator & Quote Builder
Plugin Slug:: easy-invoice
Installations: 500+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.1.5
Severity Score:: Medium
CVE:: 2025-66115

Plugin:: Wbcom Designs – Private Community for BuddyPress
Plugin Slug:: lock-my-bp
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2025-67582

Plugin:: Rencontre – Dating Site
Plugin Slug:: rencontre
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.13.8
Severity Score:: Medium
CVE:: 2025-67558

Plugin:: Sweet Energy Efficiency
Plugin Slug:: sweet-energy-efficiency
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.7
Severity Score:: Medium
CVE:: 2025-14618

Plugin:: Fox LMS – WordPress LMS Plugin
Plugin Slug:: fox-lms
Installations: 40+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.5.2
Severity Score:: Critical
CVE:: 2025-14156

Plugin:: Simple Folio
Plugin Slug:: simple-folio
Installations: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-64256

Plugin:: Photo Block – A Modern Image Block With Lightbox and Caption Support
Plugin Slug:: photo-block
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.0
Severity Score:: Low
CVE:: 2025-64254

Plugin:: Dokan Pro
Plugin Slug:: dokan-pro
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.0
Severity Score:: Medium
CVE:: 2025-12809

Plugin:: Fancy Product Designer
Plugin Slug:: fancy-product-designer
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 6.5.0
Severity Score:: Medium

Plugin:: Fancy Product Designer
Plugin Slug:: fancy-product-designer
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 6.5.0
Severity Score:: High
CVE:: 2025-13231

Plugin:: Fancy Product Designer
Plugin Slug:: fancy-product-designer
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 6.5.0
Severity Score:: Medium
CVE:: 2025-13439

Plugin:: Image Caption Hover Pro
Plugin Slug:: image-caption-hover-pro
Vulnerability:: Broken Access Control
Patched in Version:: 20.0
Severity Score:: Medium
CVE:: 2025-67562

Plugin:: ModelTheme Addons for WPBakery and Elementor
Plugin Slug:: modeltheme-addons-for-wpbakery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.6
Severity Score:: Medium
CVE:: 2025-68532

Plugin:: User Extra Fields
Plugin Slug:: wp-user-extra-fields
Vulnerability:: Broken Access Control
Patched in Version:: 16.9
Severity Score:: Medium
CVE:: 2025-67579

WordPress Themes — 10 Patched / 0 Unpatched

Theme:: Besa
Theme Slug:: besa
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3.16
Severity Score:: High
CVE:: 2025-67530

Theme:: ekommart
Theme Slug:: ekommart
Vulnerability:: Local File Inclusion
Patched in Version:: 4.3.1
Severity Score:: High
CVE:: 2025-67525

Theme:: Fashion
Theme Slug:: fashion2
Vulnerability:: Local File Inclusion
Patched in Version:: 5.3.0
Severity Score:: High
CVE:: 2025-67529

Theme:: Hara
Theme Slug:: hara
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.18
Severity Score:: High
CVE:: 2025-67532

Theme:: Kerge
Theme Slug:: kerge
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.1.4
Severity Score:: Medium
CVE:: 2025-67989

Theme:: Sailing
Theme Slug:: sailing
Vulnerability:: Broken Access Control
Patched in Version:: 4.4.6
Severity Score:: Medium
CVE:: 2025-67573

Theme:: Sailing
Theme Slug:: sailing
Vulnerability:: Local File Inclusion
Patched in Version:: 4.4.6
Severity Score:: High
CVE:: 2025-67526

Theme:: Sober
Theme Slug:: sober
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.5.12
Severity Score:: Medium
CVE:: 2025-67567

Theme:: Urna
Theme Slug:: urna
Vulnerability:: Local File Inclusion
Patched in Version:: 2.5.13
Severity Score:: High
CVE:: 2025-67528

Theme:: Wilmër
Theme Slug:: wilmer
Vulnerability:: Local File Inclusion
Patched in Version:: 3.5
Severity Score:: High
CVE:: 2025-67515

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 114 Patched / 26 Unpatched