WordPress Vulnerability Report — July 9, 2025

Since last week, 149 new vulnerabilities emerged in the WordPress ecosystem, including 126 plugins and 23 themes. 84 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Jul 9, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:2 min.

In this report, 149 vulnerabilities have been publicly disclosed. Security patches for 65 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 84 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 51 Patched / 75 Unpatched

2.1 Soumettre.fr
2.2 Contact Form 7 reCAPTCHA
2.3 AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o
2.4 Chatra Live Chat + ChatBot + Cart Saver
2.5 (Simply) Guest Author Name
2.6 MyRewards – Loyalty Points and Rewards for WooCommerce – Reward orders, referrals, product reviews and more
2.7 Leyka
2.8 WC Pickup Store
2.9 Frontend File Manager Plugin
2.10 Video Gallery Block – Display your videos as a gallery in a professional way
2.11 WP fancybox
2.12 Bulk Featured Image
2.13 URL Shortener Plugin For WordPress
2.14 Gallery Widget
2.15 OwnerRez
2.16 MobiLoud – WordPress Mobile Apps – Convert your WordPress Website to Native Mobile Apps
2.17 Easy Elements Hider
2.18 Aviation Weather from NOAA
2.19 Contact Form 7 Editor Button
2.20 LMSACE Connect – WooCommerce Moodle™ LMS Integration
2.21 bSecure – Your Universal Checkout
2.22 Dot html,php,xml etc pages
2.23 fluXtore Funnel Builder for WordPress – Earn More with Highly Converting Sales Funnels
2.24 SMu Manual DoFollow
2.25 Media Folder
2.26 Pay with Contact Form 7
2.27 Printcart Web to Print Product Designer for WooCommerce
2.28 Tennis Court Bookings
2.29 Video List Manager
2.30 Infility Global
2.31 Paytiko for WooCommerce
2.32 Smart Docs
2.33 Ultimate Push Notifications ( Mobile / Desktop ), Receive Notification From WooCommerce, BuddyPress, WordPress Default Events & Many More
2.34 Torod – The smart shipping and delivery portal for e-shops and retailers
2.35 CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online
2.36 Posts Slider Shortcode
2.37 Cool fade popup
2.38 Card flip image slideshow
2.39 Custom Login And Signup Widget
2.40 Pixelating image slideshow gallery
2.41 iFrame Images Gallery
2.42 CF7 7 Mailchimp Add-on
2.43 WooCommerce Product Multi-Action
2.44 Allmart
2.45 Ads Pro Plugin
2.46 Ads Pro Plugin
2.47 Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer)
2.48 Booking X
2.49 Contact Us page – Contact people LITE
2.50 DocCheck Login
2.51 WooCommerce Shop Page Builder
2.52 EventON
2.53 FW Gallery
2.54 GoZen Forms
2.55 WP Human Resource Management
2.56 WP Human Resource Management
2.57 Amazon Products to WooCommerce
2.58 JKDEVKIT
2.59 LoginWP – Pro
2.60 Magic Buttons for Elementor
2.61 MF Plus WPML
2.62 Opal Estate Pro
2.63 PrivateContent – Mail Actions
2.64 ProcessingJS for WordPress
2.65 Profiler – What Slowing Down Your WP
2.66 RD Contacto
2.67 Multi-language Responsive Contact Form
2.68 Service Finder Booking
2.69 Super Store Finder
2.70 Email Address Security by WebEmailProtector
2.71 PayMaster for WooCommerce
2.72 WordPress Auto Spinner
2.73 WP Firebase Push Notification
2.74 WPQuiz
2.75 yContributors
2.76 Essential Addons for Elementor – Popular Elementor Templates & Widgets
2.77 Premium Addons for Elementor
2.78 Migration, Backup, Staging – WPvivid Backup & Migration
2.79 Contact Form 7 Database Addon – CFDB7
2.80 Forminator Forms – Contact Form, Payment Form & Custom Form Builder
2.81 Forminator Forms – Contact Form, Payment Form & Custom Form Builder
2.82 WP Shortcodes Plugin — Shortcodes Ultimate
2.83 SureForms – Drag and Drop Form Builder for WordPress
2.84 Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
2.85 AI Engine
2.86 AI Engine
2.87 Element Pack Elementor Addons and Templates
2.88 Contact Form by Everest Forms – Simple Contact Form to Advanced Contact Form, Quiz, Survey, & Custom Contact Form Builder for WordPress
2.89 Ultra Addons for Contact Form 7
2.90 Beautiful Cookie Consent Banner
2.91 Download Plugin
2.92 WP Visitor Statistics (Real Time Traffic)
2.93 Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks
2.94 Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
2.95 LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
2.96 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
2.97 Portfolio for Elementor & Image Gallery | PowerFolio
2.98 All-in-One Addons for Elementor – WidgetKit
2.99 WP Compress – Instant Performance & Speed Optimization
2.100 Melapress File Monitor
2.101 Booking calendar, Appointment Booking System
2.102 VikRentCar Car Rental Management System
2.103 WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
2.104 Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
2.105 WP Travel Gutenberg Blocks
2.106 Booking Calendar Contact Form
2.107 NGG Smart Image Search
2.108 PW WooCommerce On Sale!
2.109 Easy restaurant menu manager
2.110 Trust Payments Gateway for WooCommerce (JavaScript Library)
2.111 Click & Pledge Connect
2.112 Easy Stripe – Tips, Payments, and Donations
2.113 Guest Support – Complete customer support ticket system for WordPress
2.114 Site Chat on Telegram
2.115 All In One Slider Responsive
2.116 Case Theme User
2.117 CMSMasters Content Composer
2.118 CouponXxL Custom Post Types
2.119 CSS3 Vertical Web Pricing Tables
2.120 CSS3 Compare Pricing Tables for WordPress
2.121 Drag and Drop Multiple File Upload (Pro) – WooCommerce
2.122 eventlist
2.123 Masteriyo LMS PRO
2.124 PeepSo Core: Groups
2.125 Testimonials Showcase
2.126 Uncode Core

3. WordPress Themes — 14 Patched / 9 Unpatched

3.1 Electrician – Electrical Service WordPress
3.2 Easy Video Player WordPress & WooCommerce
3.3 Home Villas
3.4 Invico – WordPress Consulting Business Theme
3.5 Kossy – Minimalist eCommerce WordPress Theme
3.6 ListingEasy
3.7 LMS
3.8 LogisticsHub
3.9 Ofiz – WordPress Business Consulting Theme
3.10 Alone
3.11 Amwerk
3.12 Classiera
3.13 CouponXxL
3.14 Diza
3.15 Education Center
3.16 Elessi
3.17 Houzez
3.18 Networker
3.19 RealHomes
3.20 Vikinger
3.21 WoodMart
3.22 WoodMart
3.23 WoodMart

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.1 was released on April 30, 2025. This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

WordPress Plugins — 51 Patched / 75 Unpatched

Plugin:: Soumettre.fr
Plugin Slug:: soumettre-fr
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2025-4654

Plugin:: Contact Form 7 reCAPTCHA
Plugin Slug:: contact-form-7-recaptcha
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-23972

Plugin:: AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o
Plugin Slug:: aibuddy-openai-chatgpt
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-23968

Plugin:: Chatra Live Chat + ChatBot + Cart Saver
Plugin Slug:: chatra-live-chat
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-24735

Plugin:: (Simply) Guest Author Name
Plugin Slug:: guest-author-name
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-24764

Plugin:: MyRewards – Loyalty Points and Rewards for WooCommerce – Reward orders, referrals, product reviews and more
Plugin Slug:: woorewards
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-24757

Plugin:: Leyka
Plugin Slug:: leyka
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52805

Plugin:: WC Pickup Store
Plugin Slug:: wc-pickup-store
Installations: 2,000+
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47634

Plugin:: Frontend File Manager Plugin
Plugin Slug:: nmedia-user-file-uploader
Installations: 1,000+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-27358

Plugin:: Video Gallery Block – Display your videos as a gallery in a professional way
Plugin Slug:: video-gallery-block
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-27326

Plugin:: WP fancybox
Plugin Slug:: wp-fancybox
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-26591

Plugin:: Bulk Featured Image
Plugin Slug:: bulk-featured-image
Installations: 900+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28951

Plugin:: URL Shortener Plugin For WordPress
Plugin Slug:: exact-links
Installations: 700+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28963

Plugin:: Gallery Widget
Plugin Slug:: gallery-widget
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28969

Plugin:: OwnerRez
Plugin Slug:: ownerrez
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28957

Plugin:: MobiLoud – WordPress Mobile Apps – Convert your WordPress Website to Native Mobile Apps
Plugin Slug:: mobiloud-mobile-app-plugin
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52813

Plugin:: Easy Elements Hider
Plugin Slug:: easy-elements-hider
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28971

Plugin:: Aviation Weather from NOAA
Plugin Slug:: aviation-weather-from-noaa
Installations: 200+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28980

Plugin:: Contact Form 7 Editor Button
Plugin Slug:: cf7-editor-button
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48345

Plugin:: LMSACE Connect – WooCommerce Moodle™ LMS Integration
Plugin Slug:: lmsace-connect
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-29007

Plugin:: bSecure – Your Universal Checkout
Plugin Slug:: bsecure
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52830

Plugin:: Dot html,php,xml etc pages
Plugin Slug:: dot-htmlphpxml-etc-pages
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52779

Plugin:: fluXtore Funnel Builder for WordPress – Earn More with Highly Converting Sales Funnels
Plugin Slug:: fluxtore
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-30929

Plugin:: SMu Manual DoFollow
Plugin Slug:: manuall-dofollow
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49031

Plugin:: Media Folder
Plugin Slug:: media-folder
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52786

Plugin:: Pay with Contact Form 7
Plugin Slug:: pay-with-contact-form-7
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52777

Plugin:: Printcart Web to Print Product Designer for WooCommerce
Plugin Slug:: printcart-integration
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24780

Plugin:: Tennis Court Bookings
Plugin Slug:: tennis-court-bookings
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52787

Plugin:: Video List Manager
Plugin Slug:: video-list-manager
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52831

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47652

Plugin:: Paytiko for WooCommerce
Plugin Slug:: paytiko
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50032

Plugin:: Smart Docs
Plugin Slug:: smart-docs
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6787

Plugin:: Ultimate Push Notifications ( Mobile / Desktop ), Receive Notification From WooCommerce, BuddyPress, WordPress Default Events & Many More
Plugin Slug:: ultimate-push-notifications
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50028

Plugin:: Torod – The smart shipping and delivery portal for e-shops and retailers
Plugin Slug:: torod
Installations: 70+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30936

Plugin:: CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online
Plugin Slug:: coschool
Installations: 40+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30973

Plugin:: Posts Slider Shortcode
Plugin Slug:: posts-slider-shortcode
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-30943

Plugin:: Cool fade popup
Plugin Slug:: cool-fade-popup
Installations: 30+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30947

Plugin:: Card flip image slideshow
Plugin Slug:: card-flip-image-slideshow
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-30983

Plugin:: Custom Login And Signup Widget
Plugin Slug:: custom-login-and-signup-widget
Installations: 10+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49029

Plugin:: Pixelating image slideshow gallery
Plugin Slug:: pixelating-image-slideshow-gallery
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30979

Plugin:: iFrame Images Gallery
Plugin Slug:: wp-iframe-images-gallery
Installations: 10+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30969

Plugin:: CF7 7 Mailchimp Add-on
Plugin Slug:: CF7-mailchimp-addon
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-29012

Plugin:: WooCommerce Product Multi-Action
Plugin Slug:: Woo-product-multiaction
Vulnerability:: Deserialization of untrusted data
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49417

Plugin:: Allmart
Plugin Slug:: allmart-core
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49418

Plugin:: Ads Pro Plugin
Plugin Slug:: ap-plugin-scripteo
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6437

Plugin:: Ads Pro Plugin
Plugin Slug:: ap-plugin-scripteo
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6459

Plugin:: Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer)
Plugin Slug:: azon-addon-js-composer
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30628

Plugin:: Booking X
Plugin Slug:: booking-x
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6814

Plugin:: Contact Us page – Contact people LITE
Plugin Slug:: contact-us-page-contact-people
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28967

Plugin:: DocCheck Login
Plugin Slug:: doccheck-login
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6786

Plugin:: WooCommerce Shop Page Builder
Plugin Slug:: dzs-wootable
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-29001

Plugin:: EventON
Plugin Slug:: eventon
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47565

Plugin:: FW Gallery
Plugin Slug:: fw-gallery
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49414

Plugin:: GoZen Forms
Plugin Slug:: gozen-forms
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6782

Plugin:: WP Human Resource Management
Plugin Slug:: hrm
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5953

Plugin:: WP Human Resource Management
Plugin Slug:: hrm
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5956

Plugin:: Amazon Products to WooCommerce
Plugin Slug:: import-products-to-wc
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5817

Plugin:: JKDEVKIT
Plugin Slug:: jkdevkit
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-2932

Plugin:: LoginWP – Pro
Plugin Slug:: loginwp-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39561

Plugin:: Magic Buttons for Elementor
Plugin Slug:: magic-buttons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6687

Plugin:: MF Plus WPML
Plugin Slug:: mf-plus-wpml
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49431

Plugin:: Opal Estate Pro
Plugin Slug:: opal-estate-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6934

Plugin:: PrivateContent – Mail Actions
Plugin Slug:: private-content-mail-actions
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47627

Plugin:: ProcessingJS for WordPress
Plugin Slug:: processingjs-for-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6039

Plugin:: Profiler – What Slowing Down Your WP
Plugin Slug:: profiler-what-slowing-down
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48339

Plugin:: RD Contacto
Plugin Slug:: rd-wapp
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5933

Plugin:: Multi-language Responsive Contact Form
Plugin Slug:: responsive-contact-form
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-29000

Plugin:: Service Finder Booking
Plugin Slug:: sf-booking
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-23970

Plugin:: Super Store Finder
Plugin Slug:: superstorefinder-wp
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47571

Plugin:: Email Address Security by WebEmailProtector
Plugin Slug:: webemailprotector
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-28976

Plugin:: PayMaster for WooCommerce
Plugin Slug:: woocommerce-paymaster-gateway-019
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6729

Plugin:: WordPress Auto Spinner
Plugin Slug:: wp-auto-spinner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46500

Plugin:: WP Firebase Push Notification
Plugin Slug:: wp-push-notification-firebase
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5924

Plugin:: WPQuiz
Plugin Slug:: wpquiz
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6739

Plugin:: yContributors
Plugin Slug:: ycontributors
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6041

Plugin:: Essential Addons for Elementor – Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.20
Severity Score:: Medium
CVE:: 2025-6244

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.10.70
Severity Score:: Medium
CVE:: 2024-11937

Plugin:: Migration, Backup, Staging – WPvivid Backup & Migration
Plugin Slug:: wpvivid-backuprestore
Installations: 700,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.9.117
Severity Score:: Critical
CVE:: 2025-5961

Plugin:: Contact Form 7 Database Addon – CFDB7
Plugin Slug:: contact-form-cfdb7
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: High
CVE:: 2025-6740

Plugin:: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 600,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.44.3
Severity Score:: High
CVE:: 2025-6464

Plugin:: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations: 600,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.44.3
Severity Score:: High
CVE:: 2025-6463

Plugin:: WP Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug:: shortcodes-ultimate
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.4.1
Severity Score:: Medium
CVE:: 2025-5567

Plugin:: SureForms – Drag and Drop Form Builder for WordPress
Plugin Slug:: sureforms
Installations: 200,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.7.4
Severity Score:: High

Plugin:: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Plugin Slug:: 3d-flipbook-dflip-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.67
Severity Score:: High
CVE:: 2025-5314

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.5
Severity Score:: Medium
CVE:: 2025-5570

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Open Redirection
Patched in Version:: 2.8.5
Severity Score:: High
CVE:: 2025-6238

Plugin:: Element Pack Elementor Addons and Templates
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.1.0
Severity Score:: Medium
CVE:: 2025-5944

Plugin:: Contact Form by Everest Forms – Simple Contact Form to Advanced Contact Form, Quiz, Survey, & Custom Contact Form Builder for WordPress
Plugin Slug:: everest-forms
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.2.3
Severity Score:: Critical
CVE:: 2025-52709

Plugin:: Ultra Addons for Contact Form 7
Plugin Slug:: ultimate-addons-for-contact-form-7
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.22
Severity Score:: Medium
CVE:: 2025-6756

Plugin:: Beautiful Cookie Consent Banner
Plugin Slug:: beautiful-and-responsive-cookie-consent
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.2
Severity Score:: High
CVE:: 2025-49866

Plugin:: Download Plugin
Plugin Slug:: download-plugin
Installations: 40,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.2.9
Severity Score:: Critical
CVE:: 2025-6586

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.9
Severity Score:: Medium
CVE:: 2025-53566

Plugin:: Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks
Plugin Slug:: advanced-gutenberg
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.2
Severity Score:: Medium
CVE:: 2025-49032

Plugin:: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Plugin Slug:: bit-form
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.17.6
Severity Score:: Medium
CVE:: 2024-13451

Plugin:: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Plugin Slug:: lifterlms
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 8.0.7
Severity Score:: Critical
CVE:: 2025-52717

Plugin:: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Plugin Slug:: paid-member-subscriptions
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.15.2
Severity Score:: High
CVE:: 2025-49870

Plugin:: Portfolio for Elementor & Image Gallery | PowerFolio
Plugin Slug:: portfolio-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-7046

Plugin:: All-in-One Addons for Elementor – WidgetKit
Plugin Slug:: widgetkit-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.5
Severity Score:: Medium
CVE:: 2025-2330

Plugin:: WP Compress – Instant Performance & Speed Optimization
Plugin Slug:: wp-compress-image-optimizer
Installations: 9,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.30.31
Severity Score:: Medium
CVE:: 2025-47479

Plugin:: Melapress File Monitor
Plugin Slug:: website-file-changes-monitor
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.0
Severity Score:: Medium
CVE:: 2025-3702

Plugin:: Booking calendar, Appointment Booking System
Plugin Slug:: booking-calendar
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.2.18
Severity Score:: Critical

Plugin:: VikRentCar Car Rental Management System
Plugin Slug:: vikrentcar
Installations: 4,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.4.4
Severity Score:: Critical
CVE:: 2025-5322

Plugin:: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug:: groundhogg
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.2.2
Severity Score:: Critical
CVE:: 2025-48300

Plugin:: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
Plugin Slug:: radio-station
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.5.13
Severity Score:: Medium
CVE:: 2025-53568

Plugin:: WP Travel Gutenberg Blocks
Plugin Slug:: wp-travel-blocks
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.9.1
Severity Score:: High
CVE:: 2025-53207

Plugin:: Booking Calendar Contact Form
Plugin Slug:: booking-calendar-contact-form
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.59
Severity Score:: Medium
CVE:: 2025-48231

Plugin:: NGG Smart Image Search
Plugin Slug:: ngg-smart-image-search
Installations: 500+
Vulnerability:: SQL Injection
Patched in Version:: 3.4.3
Severity Score:: Critical
CVE:: 2025-52832

Plugin:: PW WooCommerce On Sale!
Plugin Slug:: pw-woocommerce-on-sale
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 1.40
Severity Score:: High
CVE:: 2025-49888

Plugin:: Easy restaurant menu manager
Plugin Slug:: easy-pdf-restaurant-menu-upload
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-6673

Plugin:: Trust Payments Gateway for WooCommerce (JavaScript Library)
Plugin Slug:: trust-payments-gateway-3ds2
Installations: 300+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2025-53569

Plugin:: Click & Pledge Connect
Plugin Slug:: click-pledge-connect
Installations: 200+
Vulnerability:: Privilege Escalation
Patched in Version:: 25.07000000-WP6.8.1
Severity Score:: Critical
CVE:: 2025-28983

Plugin:: Easy Stripe – Tips, Payments, and Donations
Plugin Slug:: easy-stripe
Installations: 40+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.2
Severity Score:: Critical
CVE:: 2025-49302

Plugin:: Guest Support – Complete customer support ticket system for WordPress
Plugin Slug:: guest-support
Installations: 30+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2025-5957

Plugin:: Site Chat on Telegram
Plugin Slug:: site-chat-on-telegram
Installations: 20+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.0.6
Severity Score:: Critical
CVE:: 2025-30949

Plugin:: All In One Slider Responsive
Plugin Slug:: all_in_one_carousel
Vulnerability:: SQL Injection
Patched in Version:: 3.8
Severity Score:: High
CVE:: 2025-24748

Plugin:: Case Theme User
Plugin Slug:: case-theme-user
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.4
Severity Score:: High
CVE:: 2025-5804

Plugin:: CMSMasters Content Composer
Plugin Slug:: cmsmasters-content-composer
Vulnerability:: Local File Inclusion
Patched in Version:: 2.5.7
Severity Score:: High
CVE:: 2025-4414

Plugin:: CouponXxL Custom Post Types
Plugin Slug:: couponxxl-cpt
Vulnerability:: Privilege Escalation
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2025-52726

Plugin:: CSS3 Vertical Web Pricing Tables
Plugin Slug:: css3_vertical_web_pricing_tables
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0
Severity Score:: High
CVE:: 2025-52727

Plugin:: CSS3 Compare Pricing Tables for WordPress
Plugin Slug:: css3_web_pricing_tables_grids
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.7
Severity Score:: High
CVE:: 2025-47554

Plugin:: Drag and Drop Multiple File Upload (Pro) – WooCommerce
Plugin Slug:: drag-and-drop-file-uploads-wc-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.7.2,5.0.7
Severity Score:: Critical
CVE:: 2025-5746

Plugin:: eventlist
Plugin Slug:: eventlist
Vulnerability:: Local File Inclusion
Patched in Version:: 2.0.2
Severity Score:: High
CVE:: 2025-53204

Plugin:: Masteriyo LMS PRO
Plugin Slug:: learning-management-system-pro
Vulnerability:: Privilege Escalation
Patched in Version:: 2.20.1
Severity Score:: Critical
CVE:: 2025-53209

Plugin:: PeepSo Core: Groups
Plugin Slug:: peepso-groups
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.6.1
Severity Score:: Medium
CVE:: 2024-9017

Plugin:: Testimonials Showcase
Plugin Slug:: testimonials-showcase
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.18
Severity Score:: High
CVE:: 2025-49245

Plugin:: Uncode Core
Plugin Slug:: uncode-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.4.3
Severity Score:: Medium
CVE:: 2025-6944

WordPress Themes — 14 Patched / 9 Unpatched

Theme:: Electrician – Electrical Service WordPress
Theme Slug:: electrician
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31055

Theme:: Easy Video Player WordPress & WooCommerce
Theme Slug:: fwdevp
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28955

Theme:: Home Villas
Theme Slug:: homevillas-real-estate
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5014

Theme:: Invico – WordPress Consulting Business Theme
Theme Slug:: invico
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31427

Theme:: Kossy – Minimalist eCommerce WordPress Theme
Theme Slug:: kossy
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52807

Theme:: ListingEasy
Theme Slug:: listingeasy
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30955

Theme:: LMS
Theme Slug:: lms
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52833

Theme:: LogisticsHub
Theme Slug:: logistics-hub
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30933

Theme:: Ofiz – WordPress Business Consulting Theme
Theme Slug:: ofiz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31072

Theme:: Alone
Theme Slug:: alone
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 7.8.5
Severity Score:: High
CVE:: 2025-52718

Theme:: Amwerk
Theme Slug:: amwerk
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3.0
Severity Score:: Critical
CVE:: 2025-52724

Theme:: Classiera
Theme Slug:: classiera
Vulnerability:: SQL Injection
Patched in Version:: 4.0.35
Severity Score:: Critical
CVE:: 2025-52722

Theme:: CouponXxL
Theme Slug:: couponxxl
Vulnerability:: PHP Object Injection
Patched in Version:: 3.1.0
Severity Score:: Critical
CVE:: 2025-52725

Theme:: Diza
Theme Slug:: diza
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.11
Severity Score:: High
CVE:: 2025-52729

Theme:: Education Center
Theme Slug:: education
Vulnerability:: PHP Object Injection
Patched in Version:: 3.6.11
Severity Score:: Critical
CVE:: 2024-13786

Theme:: Elessi
Theme Slug:: elessi-theme
Vulnerability:: Local File Inclusion
Patched in Version:: 6.4.1
Severity Score:: High
CVE:: 2025-49070

Theme:: Houzez
Theme Slug:: houzez
Vulnerability:: Local File Inclusion
Patched in Version:: 4.0.8
Severity Score:: High
CVE:: 2025-53198

Theme:: Networker
Theme Slug:: networker
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.2
Severity Score:: High
CVE:: 2025-52723

Theme:: RealHomes
Theme Slug:: realhomes
Vulnerability:: Privilege Escalation
Patched in Version:: 4.4.1
Severity Score:: Critical
CVE:: 2025-49867

Theme:: Vikinger
Theme Slug:: vikinger
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.9.33
Severity Score:: High
CVE:: 2025-4946

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: Content Injection
Patched in Version:: 8.2.4
Severity Score:: High
CVE:: 2025-6744

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.4
Severity Score:: Medium
CVE:: 2025-6743

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: Local File Inclusion
Patched in Version:: 8.2.4
Severity Score:: High
CVE:: 2025-6746

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 51 Patched / 75 Unpatched

WordPress Themes — 14 Patched / 9 Unpatched