WordPress Vulnerability Report — June 18, 2025

Since last week, 138 new vulnerabilities emerged in the WordPress ecosystem, including 101 plugins and 37 themes. 63 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Jun 18, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:24 min.

In this report, 138 vulnerabilities have been publicly disclosed. Security patches for 75 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 63 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 55 Patched / 46 Unpatched

2.1 Woocommerce Partial Shipment
2.2 Track, Analyze & Optimize by WP Tao
2.3 IndieBlocks
2.4 One-Login
2.5 Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery
2.6 PostaPanduri
2.7 AI Image Lab
2.8 Auto Attachments
2.9 Axle Demo Importer
2.10 Bunny’s Print CSS
2.11 Color Palette
2.12 Contact Us page – Contact people LITE
2.13 Digital Marketing and Agency Templates Addons for Elementor
2.14 Easy Flashcards
2.15 DIOT SCADA with MQTT
2.16 Elite Video Player
2.17 FW Food Menu
2.18 FW Gallery
2.19 WPGYM
2.20 Image Resizer On The Fly
2.21 REST API | Custom API Generator For Cross Platform And Import Export In WP
2.22 IRM Newsroom
2.23 kk Youtube Video
2.24 CLEVER
2.25 MapSVG
2.26 MapSVG
2.27 Nasa Core
2.28 Ovatheme Events Manager
2.29 Reformer for Elementor
2.30 Restrict File Access
2.31 School Management
2.32 School Management
2.33 Smart Notification
2.34 Telegram for WP
2.35 Userpro
2.36 Widget Logic
2.37 WidgetKit Pro
2.38 WP Employee Attendance System
2.39 WP Sliding Login/Dashboard Panel
2.40 WP URL Shortener
2.41 WP2HTML
2.42 WPCRM – CRM for Contact form CF7 & WooCommerce
2.43 XiSearch bar
2.44 Yougler Blogger Profile Page
2.45 Zen Sticky Social
2.46 Zotpress
2.47 Essential Addons for Elementor – Popular Elementor Templates and Widgets
2.48 Premium Addons for Elementor
2.49 The Events Calendar
2.50 Smash Balloon Social Post Feed – Simple Social Feeds for WordPress
2.51 File Manager Pro – Filester
2.52 Social Sharing Plugin – Sassy Social Share
2.53 Slim SEO – Fast & Automated WordPress SEO Plugin
2.54 Meks Flexible Shortcodes
2.55 FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
2.56 WP Travel Engine – Tour Booking Plugin – Tour Operator Software
2.57 myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
2.58 myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
2.59 Simple Newsletter Plugin – Noptin
2.60 Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
2.61 Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal
2.62 WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
2.63 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
2.64 Arconix FAQ
2.65 If-So Dynamic Content Personalization
2.66 Event Booking & Management Plugin for WooCommerce – WpEvently – WordPress Plugin
2.67 WP Dummy Content Generator
2.68 WP Job Portal – A Complete Recruitment System for Company or Job Board website
2.69 Xagio SEO – AI Powered SEO
2.70 ProfileGrid – User Profiles, Groups and Communities
2.71 Arconix Shortcodes
2.72 CubeWP – All-in-One Dynamic Content Framework
2.73 CubeWP – All-in-One Dynamic Content Framework
2.74 WPAdverts – Classifieds Plugin
2.75 CubeWP Forms – All-in-One Form Builder
2.76 Responsive Blocks – WordPress Gutenberg Blocks
2.77 WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin
2.78 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
2.79 WP-DownloadManager
2.80 WP Views Counter
2.81 YITH PayPal Express Checkout for WooCommerce
2.82 Advanced Sermons
2.83 Ebook Store
2.84 Kama Click Counter
2.85 Membership For WooCommerce
2.86 AFS Analytics
2.87 Broadstreet
2.88 Traffic Monitor
2.89 Ultimate Reviews
2.90 Advanced Settings 3
2.91 ACF Onyx Poll
2.92 Game Review Block
2.93 TicketBAI Facturas para WooCommerce
2.94 WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden
2.95 OAuth Single Sign On – SSO (OAuth Client)
2.96 NewsLetter
2.97 Abandoned Cart Pro for WooCommerce
2.98 Workreap (theme’s plugin)
2.99 Workreap (theme’s plugin)
2.100 Automatic
2.101 eForm – WordPress Form Builder

3. WordPress Themes — 20 Patched / 17 Unpatched

3.1 BodyCenter – Gym, Fitness WooCommerce WordPress Theme
3.2 CraftXtore
3.3 Fitrush
3.4 GiftXtore
3.5 Petito
3.6 Zagg
3.7 DSK
3.8 Themify Edmin
3.9 Inset
3.10 Photography
3.11 SNS Anton
3.12 Avaz
3.13 Evon
3.14 Nitan
3.15 Simen
3.16 Spare
3.17 Valen – Sport, Fashion WooCommerce WordPress Theme
3.18 Aora
3.19 Besa
3.20 CozyStay
3.21 CozyStay
3.22 Diza
3.23 Fana
3.24 Flozen
3.25 GrandPrix
3.26 Grill and Chow
3.27 Hara
3.28 Lasa
3.29 Maia
3.30 MediClinic
3.31 Nika
3.32 RealHomes
3.33 Ruza
3.34 Sapa
3.35 TinySalt
3.36 TinySalt
3.37 Zota

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.1 was released on April 30, 2025. This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

WordPress Plugins — 55 Patched / 46 Unpatched

Plugin:: Woocommerce Partial Shipment
Plugin Slug:: wc-partial-shipment
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48118

Plugin:: Track, Analyze & Optimize by WP Tao
Plugin Slug:: wp-tao
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48145

Plugin:: IndieBlocks
Plugin Slug:: indieblocks
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5950

Plugin:: One-Login
Plugin Slug:: one-login
Installations: 70+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-23974

Plugin:: Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery
Plugin Slug:: aeroscroll-gallery
Installations: 50+
Vulnerability:: Directory Traversal
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49451

Plugin:: PostaPanduri
Plugin Slug:: postapanduri
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49452

Plugin:: AI Image Lab
Plugin Slug:: ai-image-generator-lab
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4592

Plugin:: Auto Attachments
Plugin Slug:: auto-attachments
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6012

Plugin:: Axle Demo Importer
Plugin Slug:: axle-demo-importer
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-4954

Plugin:: Bunny’s Print CSS
Plugin Slug:: bunnys-print-css
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5925

Plugin:: Color Palette
Plugin Slug:: color-palette
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5233

Plugin:: Contact Us page – Contact people LITE
Plugin Slug:: contact-us-page-contact-people
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5123

Plugin:: Digital Marketing and Agency Templates Addons for Elementor
Plugin Slug:: digital-marketing-agency-templates-for-elementor
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5938

Plugin:: Easy Flashcards
Plugin Slug:: easy-flashcards
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6040

Plugin:: DIOT SCADA with MQTT
Plugin Slug:: ecava-diot-scada
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4216

Plugin:: Elite Video Player
Plugin Slug:: elite-video-player
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30988

Plugin:: FW Food Menu
Plugin Slug:: fw-food-menu
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49447

Plugin:: FW Gallery
Plugin Slug:: fw-gallery
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49415

Plugin:: WPGYM
Plugin Slug:: gym-management
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32549

Plugin:: Image Resizer On The Fly
Plugin Slug:: image-resizer-on-the-fly
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6065

Plugin:: REST API | Custom API Generator For Cross Platform And Import Export In WP
Plugin Slug:: import-export-with-custom-rest-api
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-5288

Plugin:: IRM Newsroom
Plugin Slug:: irm-newsroom
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4585

Plugin:: kk Youtube Video
Plugin Slug:: kk-youtube-video
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6061

Plugin:: CLEVER
Plugin Slug:: lbg-audio11-html5-shoutcast_history
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31635

Plugin:: MapSVG
Plugin Slug:: mapsvg
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47559

Plugin:: MapSVG
Plugin Slug:: mapsvg
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47561

Plugin:: Nasa Core
Plugin Slug:: nasa-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39508

Plugin:: Ovatheme Events Manager
Plugin Slug:: ova-events-manager
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-32510

Plugin:: Reformer for Elementor
Plugin Slug:: reformer-elementor
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49444

Plugin:: Restrict File Access
Plugin Slug:: restrict-file-access
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6070

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47572

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47573

Plugin:: Smart Notification
Plugin Slug:: smio-push-notification
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39479

Plugin:: Telegram for WP
Plugin Slug:: telegram-for-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5939

Plugin:: Userpro
Plugin Slug:: userpro
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4187

Plugin:: Widget Logic
Plugin Slug:: widget-logic
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-32222

Plugin:: WidgetKit Pro
Plugin Slug:: widgetkit-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46494

Plugin:: WP Employee Attendance System
Plugin Slug:: wp-employee-attendance-system
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28972

Plugin:: WP Sliding Login/Dashboard Panel
Plugin Slug:: wp-sliding-logindashboard-panel
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5928

Plugin:: WP URL Shortener
Plugin Slug:: wp-url-shortener
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6064

Plugin:: WP2HTML
Plugin Slug:: wp2html
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5930

Plugin:: WPCRM – CRM for Contact form CF7 & WooCommerce
Plugin Slug:: wpcrm
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-24773

Plugin:: XiSearch bar
Plugin Slug:: xisearch-bar
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6063

Plugin:: Yougler Blogger Profile Page
Plugin Slug:: yougler-blogger-profile-page
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6062

Plugin:: Zen Sticky Social
Plugin Slug:: zen-social-sticky
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6055

Plugin:: Zotpress
Plugin Slug:: zotpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4666

Plugin:: Essential Addons for Elementor – Popular Elementor Templates and Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.13
Severity Score:: Medium
CVE:: 2024-9994

Plugin:: Premium Addons for Elementor
Plugin Slug:: premium-addons-for-elementor
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.11.9
Severity Score:: Medium
CVE:: 2025-4774

Plugin:: The Events Calendar
Plugin Slug:: the-events-calendar
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.13.2.1
Severity Score:: Medium
CVE:: 2025-5144

Plugin:: Smash Balloon Social Post Feed – Simple Social Feeds for WordPress
Plugin Slug:: custom-facebook-feed
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.2
Severity Score:: Medium
CVE:: 2025-4577

Plugin:: File Manager Pro – Filester
Plugin Slug:: filester
Installations: 100,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.8.9
Severity Score:: Critical
CVE:: 2025-3234

Plugin:: Social Sharing Plugin – Sassy Social Share
Plugin Slug:: sassy-social-share
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.76
Severity Score:: High
CVE:: 2025-5528

Plugin:: Slim SEO – Fast & Automated WordPress SEO Plugin
Plugin Slug:: slim-seo
Installations: 50,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.5.5
Severity Score:: High
CVE:: 2025-49854

Plugin:: Meks Flexible Shortcodes
Plugin Slug:: meks-flexible-shortcodes
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.8
Severity Score:: Medium
CVE:: 2025-49855

Plugin:: FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Plugin Slug:: wp-marketing-automations
Installations: 20,000+
Vulnerability:: Open Redirection
Patched in Version:: 3.6.1
Severity Score:: Medium
CVE:: 2025-49868

Plugin:: WP Travel Engine – Tour Booking Plugin – Tour Operator Software
Plugin Slug:: wp-travel-engine
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.2
Severity Score:: Medium
CVE:: 2025-5282

Plugin:: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Plugin Slug:: mycred
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.3
Severity Score:: Medium
CVE:: 2025-49872

Plugin:: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.
Plugin Slug:: mycred
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.3
Severity Score:: Medium
CVE:: 2025-49857

Plugin:: Simple Newsletter Plugin – Noptin
Plugin Slug:: newsletter-optin-box
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2025-49871

Plugin:: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
Plugin Slug:: responsive-add-ons
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.3
Severity Score:: Medium
CVE:: 2025-49856

Plugin:: Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal
Plugin Slug:: wp-malware-removal
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 16.9
Severity Score:: Medium

Plugin:: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Plugin Slug:: wpvr
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 8.5.27
Severity Score:: Critical
CVE:: 2025-47452

Plugin:: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
Plugin Slug:: automatorwp
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.2.6
Severity Score:: High
CVE:: 2025-5487

Plugin:: Arconix FAQ
Plugin Slug:: arconix-faq
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.7
Severity Score:: Medium
CVE:: 2025-49874

Plugin:: If-So Dynamic Content Personalization
Plugin Slug:: if-so
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.3.2
Severity Score:: Medium
CVE:: 2025-49875

Plugin:: Event Booking & Management Plugin for WooCommerce – WpEvently – WordPress Plugin
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2025-5568

Plugin:: WP Dummy Content Generator
Plugin Slug:: wp-dummy-content-generator
Installations: 8,000+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 4.0.0
Severity Score:: Medium
CVE:: 2025-49234

Plugin:: WP Job Portal – A Complete Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.3.3
Severity Score:: Critical
CVE:: 2025-48274

Plugin:: Xagio SEO – AI Powered SEO
Plugin Slug:: xagio-seo
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.1.0.17
Severity Score:: High
CVE:: 2025-3302

Plugin:: ProfileGrid – User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.9.5.3
Severity Score:: Medium
CVE:: 2025-49877

Plugin:: Arconix Shortcodes
Plugin Slug:: arconix-shortcodes
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.18
Severity Score:: Medium
CVE:: 2025-49858

Plugin:: CubeWP – All-in-One Dynamic Content Framework
Plugin Slug:: cubewp-framework
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.24
Severity Score:: Medium
CVE:: 2025-49882

Plugin:: CubeWP – All-in-One Dynamic Content Framework
Plugin Slug:: cubewp-framework
Installations: 5,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.24
Severity Score:: High
CVE:: 2025-4315

Plugin:: WPAdverts – Classifieds Plugin
Plugin Slug:: wpadverts
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2025-49878

Plugin:: CubeWP Forms – All-in-One Form Builder
Plugin Slug:: cubewp-forms
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2025-49880

Plugin:: Responsive Blocks – WordPress Gutenberg Blocks
Plugin Slug:: responsive-block-editor-addons
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6
Severity Score:: Medium
CVE:: 2025-49881

Plugin:: WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin
Plugin Slug:: cf7-zoho
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3.1
Severity Score:: Critical
CVE:: 2025-49330

Plugin:: Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
Plugin Slug:: majestic-support
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-49860

Plugin:: WP-DownloadManager
Plugin Slug:: wp-downloadmanager
Installations: 3,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.68.11
Severity Score:: Medium
CVE:: 2025-4798

Plugin:: WP Views Counter
Plugin Slug:: wpecounter
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2025-49859

Plugin:: YITH PayPal Express Checkout for WooCommerce
Plugin Slug:: yith-paypal-express-checkout-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.49.1
Severity Score:: Medium
CVE:: 2025-48111

Plugin:: Advanced Sermons
Plugin Slug:: advanced-sermons
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7
Severity Score:: Medium
CVE:: 2025-49863

Plugin:: Ebook Store
Plugin Slug:: ebook-store
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.8009
Severity Score:: Medium
CVE:: 2025-49862

Plugin:: Kama Click Counter
Plugin Slug:: kama-clic-counter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.4
Severity Score:: Medium
CVE:: 2025-49861

Plugin:: Membership For WooCommerce
Plugin Slug:: membership-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.2
Severity Score:: High
CVE:: 2025-49265

Plugin:: AFS Analytics
Plugin Slug:: addfreestats
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 4.22
Severity Score:: Medium
CVE:: 2025-49864

Plugin:: Broadstreet
Plugin Slug:: broadstreet
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.51.8
Severity Score:: High
CVE:: 2025-4652

Plugin:: Traffic Monitor
Plugin Slug:: traffic-monitor
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.3
Severity Score:: Medium
CVE:: 2025-5815

Plugin:: Ultimate Reviews
Plugin Slug:: ultimate-reviews
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.15
Severity Score:: High
CVE:: 2025-49266

Plugin:: Advanced Settings 3
Plugin Slug:: advanced-settings
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.0.2
Severity Score:: Medium
CVE:: 2025-49865

Plugin:: ACF Onyx Poll
Plugin Slug:: acf-onyx-poll
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2025-5841

Plugin:: Game Review Block
Plugin Slug:: game-review-block
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.2
Severity Score:: Medium
CVE:: 2025-5923

Plugin:: TicketBAI Facturas para WooCommerce
Plugin Slug:: wp-ticketbai
Installations: 90+
Vulnerability:: SQL Injection
Patched in Version:: 3.21
Severity Score:: Critical
CVE:: 2025-24767

Plugin:: WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden
Plugin Slug:: wp2leads
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.1
Severity Score:: High
CVE:: 2025-49316

Plugin:: OAuth Single Sign On – SSO (OAuth Client)
Plugin Slug:: miniorange-oauth-oidc-single-sign-on
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 18.5.4
Severity Score:: Medium
CVE:: 2025-6003

Plugin:: NewsLetter
Plugin Slug:: plugin-newsletter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.8.5
Severity Score:: Medium
CVE:: 2025-3581

Plugin:: Abandoned Cart Pro for WooCommerce
Plugin Slug:: woocommerce-abandon-cart-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 9.17.0
Severity Score:: Critical
CVE:: 2025-4387

Plugin:: Workreap (theme’s plugin)
Plugin Slug:: workreap
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.3
Severity Score:: High
CVE:: 2025-5012

Plugin:: Workreap (theme’s plugin)
Plugin Slug:: workreap
Vulnerability:: Broken Authentication
Patched in Version:: 3.3.2
Severity Score:: Critical
CVE:: 2025-4973

Plugin:: Automatic
Plugin Slug:: wp-automatic
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.116.0
Severity Score:: Critical
CVE:: 2025-5395

Plugin:: eForm – WordPress Form Builder
Plugin Slug:: wp-fsqm-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.19.1
Severity Score:: High
CVE:: 2025-48333

WordPress Themes — 20 Patched / 17 Unpatched

Theme:: BodyCenter – Gym, Fitness WooCommerce WordPress Theme
Theme Slug:: bodycenter
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-25999

Theme:: CraftXtore
Theme Slug:: bw-craftxtore
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24770

Theme:: Fitrush
Theme Slug:: bw-fitrush
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-26005

Theme:: GiftXtore
Theme Slug:: bw-giftxtore
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28888

Theme:: Petito
Theme Slug:: bw-petito
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-27362

Theme:: Zagg
Theme Slug:: bw-zagg
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4200

Theme:: DSK
Theme Slug:: dsk
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24761

Theme:: Themify Edmin
Theme Slug:: edmin
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31047

Theme:: Inset
Theme Slug:: inset
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-26592

Theme:: Photography
Theme Slug:: photography
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47579

Theme:: SNS Anton
Theme Slug:: snsanton
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28992

Theme:: Avaz
Theme Slug:: snsavaz
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28944

Theme:: Evon
Theme Slug:: snsevon
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28991

Theme:: Nitan
Theme Slug:: snsnitan
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-24768

Theme:: Simen
Theme Slug:: snssimen
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-29002

Theme:: Spare
Theme Slug:: spare
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31919

Theme:: Valen – Sport, Fashion WooCommerce WordPress Theme
Theme Slug:: valen
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28945

Theme:: Aora
Theme Slug:: aora
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.10
Severity Score:: High
CVE:: 2025-49260

Theme:: Besa
Theme Slug:: besa
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3.10
Severity Score:: High
CVE:: 2025-49252

Theme:: CozyStay
Theme Slug:: cozystay
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.1
Severity Score:: High
CVE:: 2025-49508

Theme:: CozyStay
Theme Slug:: cozystay
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7.1
Severity Score:: Critical
CVE:: 2025-49507

Theme:: Diza
Theme Slug:: diza
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.9
Severity Score:: High
CVE:: 2025-49261

Theme:: Fana
Theme Slug:: fana
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.29
Severity Score:: High
CVE:: 2025-49251

Theme:: Flozen
Theme Slug:: flozen-theme
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.5.1
Severity Score:: Critical
CVE:: 2025-49071

Theme:: GrandPrix
Theme Slug:: grandprix
Vulnerability:: Local File Inclusion
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2025-49296

Theme:: Grill and Chow
Theme Slug:: grillandchow
Vulnerability:: Local File Inclusion
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2025-49297

Theme:: Hara
Theme Slug:: hara
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.11
Severity Score:: High
CVE:: 2025-49259

Theme:: Lasa
Theme Slug:: lasa
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.1
Severity Score:: High
CVE:: 2025-49253

Theme:: Maia
Theme Slug:: maia
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.16
Severity Score:: High
CVE:: 2025-49258

Theme:: MediClinic
Theme Slug:: mediclinic
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2025-49295

Theme:: Nika
Theme Slug:: nika
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.9
Severity Score:: High
CVE:: 2025-49254

Theme:: RealHomes
Theme Slug:: realhomes
Vulnerability:: Privilege Escalation
Patched in Version:: 4.4.1
Severity Score:: High
CVE:: 2025-4601

Theme:: Ruza
Theme Slug:: ruza
Vulnerability:: Local File Inclusion
Patched in Version:: 1.0.8
Severity Score:: High
CVE:: 2025-49255

Theme:: Sapa
Theme Slug:: sapa
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.15
Severity Score:: High
CVE:: 2025-49256

Theme:: TinySalt
Theme Slug:: tinysalt
Vulnerability:: PHP Object Injection
Patched in Version:: 3.10.0
Severity Score:: Critical
CVE:: 2025-49455

Theme:: TinySalt
Theme Slug:: tinysalt
Vulnerability:: Local File Inclusion
Patched in Version:: 3.10.0
Severity Score:: High
CVE:: 2025-49454

Theme:: Zota
Theme Slug:: zota
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.9
Severity Score:: High
CVE:: 2025-49257

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 55 Patched / 46 Unpatched

WordPress Themes — 20 Patched / 17 Unpatched