WordPress Vulnerability Report — December 31, 2025

Since last week, 139 new vulnerabilities have emerged in the WordPress ecosystem, including 130 plugins and 9 themes. Of those, 73 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Dec 31, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:27 min.

In this report, 139 vulnerabilities have been publicly disclosed. Security patches for 66 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 73 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 62 Patched / 68 Unpatched

2.1 Shortcodes and extra features for Phlox theme
2.2 Crowdsignal Forms
2.3 Comments – wpDiscuz
2.4 Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
2.5 Custom Field Template
2.6 Event Organiser
2.7 Accept Donations with PayPal & Stripe
2.8 Link Library
2.9 Five Star Restaurant Reservations – WordPress Booking Plugin
2.10 Widgets for Social Photo Feed
2.11 Themebeez Toolkit
2.12 Blog Filter Post Filtering
2.13 Poll, Survey & Quiz Maker Plugin by Opinion Stage
2.14 Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart
2.15 Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
2.16 Simple File List
2.17 WP Telegram Widget and Join Link
2.18 Custom Related Posts
2.19 TS Poll – Survey, Versus Poll, Image Poll, Video Poll
2.20 Cooked – Recipe Management
2.21 Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
2.22 Fast User Switching
2.23 FlippingBook
2.24 Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
2.25 Newsletters
2.26 Discussion Board – WordPress Forum Plugin
2.27 YITH Slider for page builders
2.28 BBP Core – Advanced bbPress Forum Management with Voting, Private Replies & Elementor
2.29 GLS Shipping for WooCommerce
2.30 Heateor Social Login WordPress
2.31 Netgsm
2.32 Product Delivery Date for WooCommerce – Lite
2.33 RestroPress – Online Food Ordering System
2.34 Slider Templates
2.35 Booking Ultra Pro Appointments Booking Calendar Plugin
2.36 HR Management Lite
2.37 AM Events
2.38 File Uploader for WooCommerce
2.39 Gift Hunt
2.40 Inboxify Sign Up Form
2.41 Mobile builder
2.42 Popping Sidebars and Widgets Light
2.43 Plugin Optimizer – Speed Up Your WordPress Like Never Before
2.44 CookieHint WP
2.45 Flaming Password Reset
2.46 Wp Text Slider Widget
2.47 Advanced Custom CSS
2.48 CedCommerce Integration for Good Market
2.49 Content Grid Slider
2.50 PRIMER by chloédigital
2.51 Visitor Stats Widget
2.52 Invelity SPS connect
2.53 Scroll rss excerpt
2.54 WP App Bar
2.55 IF AS Shortcode
2.56 Attachments Handler
2.57 Cool Tag Cloud
2.58 Flex Store Users
2.59 Overstock Affiliate Links
2.60 Product Loops for WooCommerce
2.61 Responsive Posts Carousel Pro
2.62 Share, Print and PDF Products for WooCommerce
2.63 Testimonial Slider
2.64 Userpro
2.65 WooMulti
2.66 WP Hallo Welt
2.67 WP JobHunt
2.68 WP JobHunt
2.69 WooCommerce
2.70 Premium Addons for Elementor – Powerful Elementor Templates & Widgets
2.71 PixelYourSite – Your smart PIXEL (TAG) & API Manager
2.72 Happy Addons for Elementor
2.73 Astra Widgets
2.74 User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
2.75 Advanced Ads – Ad Manager & AdSense
2.76 Beaver Builder Page Builder – Drag and Drop Website Builder
2.77 GiveWP – Donation Plugin and Fundraising Platform
2.78 Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
2.79 Interactive Content – H5P
2.80 All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements
2.81 Stratum Widgets for Elementor
2.82 Print Invoice & Delivery Notes for WooCommerce
2.83 Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content
2.84 Docket Cache – Object Cache Accelerator
2.85 Bold Timeline Lite
2.86 Ocean Modal Window
2.87 PhastPress
2.88 Plugin Organizer
2.89 Membership Plugin – Restrict Content
2.90 URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
2.91 URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
2.92 weForms – Easy Drag & Drop Contact Form Builder For WordPress
2.93 YaMaps for WordPress Plugin
2.94 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
2.95 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
2.96 Brands for WooCommerce
2.97 Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
2.98 Calendar
2.99 CubeWP Framework
2.100 WpStream – Live Streaming, Video on Demand, Pay Per View
2.101 WpStream – Live Streaming, Video on Demand, Pay Per View
2.102 Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
2.103 Advanced Classifieds & Directory Pro
2.104 Auto Listings – Car Listings & Car Dealership Plugin for WordPress
2.105 Category Icon
2.106 Vimeotheque – Vimeo WordPress Plugin & Video Gallery
2.107 Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin
2.108 FV Simpler SEO
2.109 Combo Offers WooCommerce
2.110 WP Document Revisions
2.111 MapSVG – Vector maps, Image maps, Google Maps
2.112 Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales
2.113 Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.
2.114 SALESmanago & Leadoo
2.115 WC Builder – WooCommerce Page Builder for WPBakery
2.116 ContentStudio
2.117 Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping
2.118 Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress
2.119 Web Directory Free
2.120 VPSUForm – Drag & Drop Contact Form Builder with Email Automation
2.121 WPBulky – WordPress Bulk Edit Post Types
2.122 Chakra test
2.123 HAPPY – Helpdesk Support Ticket System
2.124 Gravity Forms
2.125 JetBlog
2.126 JetPopup
2.127 JetSearch
2.128 JetTabs
2.129 JetTabs
2.130 Responsive Posts Carousel Pro

3. WordPress Themes — 4 Patched / 5 Unpatched

3.1 Arcane
3.2 Backpack Traveler
3.3 FiveStar
3.4 Medicalequipment
3.5 Struktur
3.6 Diza
3.7 Fana
3.8 Nika
3.9 Zota

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins — 62 Patched / 68 Unpatched

Plugin:: Shortcodes and extra features for Phlox theme
Plugin Slug:: auxin-elements
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69016

Plugin:: Crowdsignal Forms
Plugin Slug:: crowdsignal-forms
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-69015

Plugin:: Comments – wpDiscuz
Plugin Slug:: wpdiscuz
Installations: 80,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68997

Plugin:: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Plugin Slug:: popup-builder-block
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69026

Plugin:: Custom Field Template
Plugin Slug:: custom-field-template
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68607

Plugin:: Event Organiser
Plugin Slug:: event-organiser
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69012

Plugin:: Accept Donations with PayPal & Stripe
Plugin Slug:: easy-paypal-donation
Installations: 10,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68602

Plugin:: Link Library
Plugin Slug:: link-library
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68600

Plugin:: Five Star Restaurant Reservations – WordPress Booking Plugin
Plugin Slug:: restaurant-reservations
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68601

Plugin:: Widgets for Social Photo Feed
Plugin Slug:: social-photo-feed-widget
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68595

Plugin:: Themebeez Toolkit
Plugin Slug:: themebeez-toolkit
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69010

Plugin:: Blog Filter Post Filtering
Plugin Slug:: blog-filter
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69033

Plugin:: Poll, Survey & Quiz Maker Plugin by Opinion Stage
Plugin Slug:: social-polls-by-opinionstage
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68594

Plugin:: Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart
Plugin Slug:: wedevs-project-manager
Installations: 7,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68040

Plugin:: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Plugin Slug:: youzify
Installations: 6,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69014

Plugin:: Simple File List
Plugin Slug:: simple-file-list
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68591

Plugin:: WP Telegram Widget and Join Link
Plugin Slug:: wptelegram-widget
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68589

Plugin:: Custom Related Posts
Plugin Slug:: custom-related-posts
Installations: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68033

Plugin:: TS Poll – Survey, Versus Poll, Image Poll, Video Poll
Plugin Slug:: poll-wp
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68588

Plugin:: Cooked – Recipe Management
Plugin Slug:: cooked
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68586

Plugin:: Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
Plugin Slug:: wallet-system-for-woocommerce
Installations: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68029

Plugin:: Fast User Switching
Plugin Slug:: fast-user-switching
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68583

Plugin:: FlippingBook
Plugin Slug:: flippingbook
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69019

Plugin:: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
Plugin Slug:: funnelforms-free
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68582

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69020

Plugin:: Discussion Board – WordPress Forum Plugin
Plugin Slug:: wp-discussion-board
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69023

Plugin:: YITH Slider for page builders
Plugin Slug:: yith-slider-for-page-builders
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68581

Plugin:: BBP Core – Advanced bbPress Forum Management with Voting, Private Replies & Elementor
Plugin Slug:: bbp-core
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68572

Plugin:: GLS Shipping for WooCommerce
Plugin Slug:: gls-shipping-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68011

Plugin:: Heateor Social Login WordPress
Plugin Slug:: heateor-social-login
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68998

Plugin:: Netgsm
Plugin Slug:: netgsm
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68010

Plugin:: Product Delivery Date for WooCommerce – Lite
Plugin Slug:: product-delivery-date-for-woocommerce-lite
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69027

Plugin:: RestroPress – Online Food Ordering System
Plugin Slug:: restropress
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69017

Plugin:: Slider Templates
Plugin Slug:: slider-templates
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68009

Plugin:: Booking Ultra Pro Appointments Booking Calendar Plugin
Plugin Slug:: booking-ultra-pro
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68006

Plugin:: HR Management Lite
Plugin Slug:: hr-management-lite
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69022

Plugin:: AM Events
Plugin Slug:: am-events
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69006

Plugin:: File Uploader for WooCommerce
Plugin Slug:: file-uploader-for-woocommerce
Installations: 100+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13329

Plugin:: Gift Hunt
Plugin Slug:: gift-hunt
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-67631

Plugin:: Inboxify Sign Up Form
Plugin Slug:: inboxify-sign-up-form
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69008

Plugin:: Mobile builder
Plugin Slug:: mobile-builder
Installations: 100+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68860

Plugin:: Popping Sidebars and Widgets Light
Plugin Slug:: popping-sidebars-and-widgets-light
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69007

Plugin:: Plugin Optimizer – Speed Up Your WordPress Like Never Before
Plugin Slug:: plugin-optimizer
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68861

Plugin:: CookieHint WP
Plugin Slug:: cookiehint-wp
Installations: 70+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68870

Plugin:: Flaming Password Reset
Plugin Slug:: flaming-password-reset
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68875

Plugin:: Wp Text Slider Widget
Plugin Slug:: wp-text-slider-widget
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68868

Plugin:: Advanced Custom CSS
Plugin Slug:: advanced-custom-css
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68878

Plugin:: CedCommerce Integration for Good Market
Plugin Slug:: ced-good-market-integration
Installations: 60+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68877

Plugin:: Content Grid Slider
Plugin Slug:: content-grid-slider
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68879

Plugin:: PRIMER by chloédigital
Plugin Slug:: primer-by-chloedigital
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68873

Plugin:: Visitor Stats Widget
Plugin Slug:: visitor-stats-widget
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68874

Plugin:: Invelity SPS connect
Plugin Slug:: invelity-sps-connect
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68876

Plugin:: Scroll rss excerpt
Plugin Slug:: scroll-rss-excerpt
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68892

Plugin:: WP App Bar
Plugin Slug:: wp-app-bar
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68891

Plugin:: IF AS Shortcode
Plugin Slug:: if-as-shortcode
Installations: 10+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-68897

Plugin:: Attachments Handler
Plugin Slug:: attachments-handler
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12581

Plugin:: Cool Tag Cloud
Plugin Slug:: cool-tag-cloud
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69011

Plugin:: Flex Store Users
Plugin Slug:: flex-store-user
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13619

Plugin:: Overstock Affiliate Links
Plugin Slug:: overstock-affiliate-links
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13624

Plugin:: Product Loops for WooCommerce
Plugin Slug:: product-loops
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68994

Plugin:: Responsive Posts Carousel Pro
Plugin Slug:: responsive-posts-carousel-pro
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68996

Plugin:: Share, Print and PDF Products for WooCommerce
Plugin Slug:: share-print-pdf-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68993

Plugin:: Testimonial Slider
Plugin Slug:: testimonial
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-68000

Plugin:: Userpro
Plugin Slug:: userpro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-68608

Plugin:: WooMulti
Plugin Slug:: woomulti
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12835

Plugin:: WP Hallo Welt
Plugin Slug:: wp-hallo-welt
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13365

Plugin:: WP JobHunt
Plugin Slug:: wp-jobhunt
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7733

Plugin:: WP JobHunt
Plugin Slug:: wp-jobhunt
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7782

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 7,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 10.4.3
Severity Score:: Medium
CVE:: 2025-15033

Plugin:: Premium Addons for Elementor – Powerful Elementor Templates & Widgets
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.11.54
Severity Score:: Medium
CVE:: 2025-14163

Plugin:: PixelYourSite – Your smart PIXEL (TAG) & API Manager
Plugin Slug:: pixelyoursite
Installations: 500,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 11.1.5.1
Severity Score:: Medium
CVE:: 2025-14280

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.20.4
Severity Score:: Medium
CVE:: 2025-14635

Plugin:: Astra Widgets
Plugin Slug:: astra-widgets
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.17
Severity Score:: Medium
CVE:: 2025-68497

Plugin:: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Plugin Slug:: userfeedback-lite
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.10.1
Severity Score:: High
CVE:: 2025-68496

Plugin:: Advanced Ads – Ad Manager & AdSense
Plugin Slug:: advanced-ads
Installations: 100,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.0.15
Severity Score:: Critical
CVE:: 2025-13592

Plugin:: Beaver Builder Page Builder – Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.2
Severity Score:: High
CVE:: 2025-12934

Plugin:: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.13.2
Severity Score:: Medium
CVE:: 2025-67467

Plugin:: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Plugin Slug:: ays-popup-box
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.0.8
Severity Score:: Medium
CVE:: 2025-69021

Plugin:: Interactive Content – H5P
Plugin Slug:: h5p
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.16.2
Severity Score:: Medium
CVE:: 2025-68505

Plugin:: All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements
Plugin Slug:: mystickyelements
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.4
Severity Score:: Medium
CVE:: 2025-68995

Plugin:: Stratum Widgets for Elementor
Plugin Slug:: stratum
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.2
Severity Score:: Medium
CVE:: 2025-69013

Plugin:: Print Invoice & Delivery Notes for WooCommerce
Plugin Slug:: woocommerce-delivery-notes
Installations: 30,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 5.9.0
Severity Score:: Critical
CVE:: 2025-13773

Plugin:: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content
Plugin Slug:: brave-popup-builder
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.8.4
Severity Score:: Medium
CVE:: 2025-68508

Plugin:: Docket Cache – Object Cache Accelerator
Plugin Slug:: docket-cache
Installations: 20,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 24.07.04
Severity Score:: High
CVE:: 2025-68506

Plugin:: Bold Timeline Lite
Plugin Slug:: bold-timeline-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2025-68513

Plugin:: Ocean Modal Window
Plugin Slug:: ocean-modal-window
Installations: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.3.3
Severity Score:: Critical
CVE:: 2025-13307

Plugin:: PhastPress
Plugin Slug:: phastpress
Installations: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.8
Severity Score:: High
CVE:: 2025-14388

Plugin:: Plugin Organizer
Plugin Slug:: plugin-organizer
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 10.2.4
Severity Score:: High
CVE:: 2025-13417

Plugin:: Membership Plugin – Restrict Content
Plugin Slug:: restrict-content
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.16
Severity Score:: Medium
CVE:: 2025-14000

Plugin:: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
Plugin Slug:: url-shortify
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.4
Severity Score:: High
CVE:: 2025-13355

Plugin:: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
Plugin Slug:: url-shortify
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.3
Severity Score:: High
CVE:: 2025-12684

Plugin:: weForms – Easy Drag & Drop Contact Form Builder For WordPress
Plugin Slug:: weforms
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.26
Severity Score:: Medium
CVE:: 2025-69028

Plugin:: YaMaps for WordPress Plugin
Plugin Slug:: yamaps
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.6.40
Severity Score:: Medium
CVE:: 2025-13958

Plugin:: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.35.2
Severity Score:: Medium
CVE:: 2025-68517

Plugin:: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.35.2
Severity Score:: Medium
CVE:: 2025-68516

Plugin:: Brands for WooCommerce
Plugin Slug:: brands-for-woocommerce
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.8.6.4
Severity Score:: High
CVE:: 2025-68519

Plugin:: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Plugin Slug:: cf7-hubspot
Installations: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2025-68590

Plugin:: Calendar
Plugin Slug:: calendar
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.17
Severity Score:: Medium
CVE:: 2025-14548

Plugin:: CubeWP Framework
Plugin Slug:: cubewp-framework
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.28
Severity Score:: High
CVE:: 2025-68036

Plugin:: WpStream – Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.6
Severity Score:: Medium
CVE:: 2025-68522

Plugin:: WpStream – Live Streaming, Video on Demand, Pay Per View
Plugin Slug:: wpstream
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.6
Severity Score:: Medium
CVE:: 2025-68521

Plugin:: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
Plugin Slug:: academy
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2025-68527

Plugin:: Advanced Classifieds & Directory Pro
Plugin Slug:: advanced-classifieds-and-directory-pro
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-68580

Plugin:: Auto Listings – Car Listings & Car Dealership Plugin for WordPress
Plugin Slug:: auto-listings
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.2
Severity Score:: Medium
CVE:: 2025-69089

Plugin:: Category Icon
Plugin Slug:: category-icon
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.3
Severity Score:: Medium
CVE:: 2025-68525

Plugin:: Vimeotheque – Vimeo WordPress Plugin & Video Gallery
Plugin Slug:: codeflavors-vimeo-video-post-lite
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.3.6
Severity Score:: Medium
CVE:: 2025-68584

Plugin:: Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin
Plugin Slug:: frontend-post-submission-manager-lite
Installations: 2,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2025-14913

Plugin:: FV Simpler SEO
Plugin Slug:: fv-all-in-one-seo-pack
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.7
Severity Score:: Medium
CVE:: 2025-68579

Plugin:: Combo Offers WooCommerce
Plugin Slug:: woo-combo-offers
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3
Severity Score:: Medium
CVE:: 2025-69088

Plugin:: WP Document Revisions
Plugin Slug:: wp-document-revisions
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.0
Severity Score:: Low
CVE:: 2025-68585

Plugin:: MapSVG – Vector maps, Image maps, Google Maps
Plugin Slug:: mapsvg-lite-interactive-vector-maps
Installations: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 8.7.4
Severity Score:: Critical
CVE:: 2025-68562

Plugin:: Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales
Plugin Slug:: poptics
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.21
Severity Score:: Medium
CVE:: 2025-69025

Plugin:: Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.
Plugin Slug:: print-google-cloud-print-gcp-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.1
Severity Score:: Medium
CVE:: 2025-69024

Plugin:: SALESmanago & Leadoo
Plugin Slug:: salesmanago
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.9.1
Severity Score:: Medium
CVE:: 2025-68571

Plugin:: WC Builder – WooCommerce Page Builder for WPBakery
Plugin Slug:: wc-builder
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.1
Severity Score:: Medium
CVE:: 2025-68533

Plugin:: ContentStudio
Plugin Slug:: contentstudio
Installations: 900+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.0
Severity Score:: Critical
CVE:: 2025-67910

Plugin:: Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping
Plugin Slug:: membership-for-woocommerce
Installations: 900+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.0.4
Severity Score:: High
CVE:: 2025-67909

Plugin:: Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress
Plugin Slug:: subscribe-to-unlock-lite
Installations: 500+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-68563

Plugin:: Web Directory Free
Plugin Slug:: web-directory-free
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.13
Severity Score:: Medium
CVE:: 2025-69018

Plugin:: VPSUForm – Drag & Drop Contact Form Builder with Email Automation
Plugin Slug:: v-form
Installations: 300+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.25
Severity Score:: Medium
CVE:: 2025-68551

Plugin:: WPBulky – WordPress Bulk Edit Post Types
Plugin Slug:: wpbulky-wp-bulk-edit-post-types
Installations: 300+
Vulnerability:: SQL Injection
Patched in Version:: 1.1.14
Severity Score:: High
CVE:: 2025-68550

Plugin:: Chakra test
Plugin Slug:: chakra-test
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.2
Severity Score:: Medium
CVE:: 2025-68557

Plugin:: HAPPY – Helpdesk Support Ticket System
Plugin Slug:: happy-helpdesk-support-ticket-system
Installations: 10+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.10
Severity Score:: Medium
CVE:: 2025-68556

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.9.23.1
Severity Score:: Critical
CVE:: 2025-13407

Plugin:: JetBlog
Plugin Slug:: jet-blog
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.7.1
Severity Score:: Medium
CVE:: 2025-68503

Plugin:: JetPopup
Plugin Slug:: jet-popup
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.0.20.2
Severity Score:: Medium
CVE:: 2025-68502

Plugin:: JetSearch
Plugin Slug:: jet-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.16.1
Severity Score:: Medium
CVE:: 2025-68504

Plugin:: JetTabs
Plugin Slug:: jet-tabs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.12.1
Severity Score:: Medium
CVE:: 2025-68499

Plugin:: JetTabs
Plugin Slug:: jet-tabs
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.12.1
Severity Score:: Medium
CVE:: 2025-68498

Plugin:: Responsive Posts Carousel Pro
Plugin Slug:: responsive-posts-carousel-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 15.3
Severity Score:: Medium
CVE:: 2025-68548

WordPress Themes — 4 Patched / 5 Unpatched

Theme:: Arcane
Theme Slug:: arcane
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69031

Theme:: Backpack Traveler
Theme Slug:: backpacktraveler
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69030

Theme:: FiveStar
Theme Slug:: fivestar
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69032

Theme:: Medicalequipment
Theme Slug:: medicalequipment
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69009

Theme:: Struktur
Theme Slug:: struktur
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-69029

Theme:: Diza
Theme Slug:: diza
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.16
Severity Score:: High
CVE:: 2025-68544

Theme:: Fana
Theme Slug:: fana
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.36
Severity Score:: High
CVE:: 2025-68540

Theme:: Nika
Theme Slug:: nika
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.15
Severity Score:: High
CVE:: 2025-68546

Theme:: Zota
Theme Slug:: zota
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.15
Severity Score:: High
CVE:: 2025-68537

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 62 Patched / 68 Unpatched