WordPress Vulnerability Report — June 4, 2025

Since last week, 97 new vulnerabilities emerged in the WordPress ecosystem, including 81 plugins and 16 themes. 38 of the vulnerable plugins and themes remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Jun 4, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:18 min.

In this report, 97 vulnerabilities have been publicly disclosed. Security patches for 59 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 38 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 52 Patched / 29 Unpatched

2.1 Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
2.2 Real Time Validation for Gravity Forms
2.3 Real Time Validation for Gravity Forms
2.4 Real Time Validation for Gravity Forms
2.5 MaxiBlocks: 2300+ Patterns, 280+ Pages, 14.3K Icons & 100 Styles
2.6 Featured Image Plus – Quick & Bulk Edit with Unsplash
2.7 Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light
2.8 History Log by click5
2.9 Product Subtitle for WooCommerce
2.10 Infility Global
2.11 SUMO Affiliates Pro
2.12 Apptha Slider Gallery
2.13 Blog Designer PRO for WordPress
2.14 Browse As
2.15 WPCHURCH
2.16 CSV Mass Importer
2.17 Daisycon prijsvergelijkers
2.18 FastSpring
2.19 Flynax Bridge
2.20 Gearside Developer Dashboard
2.21 Likes and Dislikes
2.22 Offsprout Page Builder
2.23 QuickCab
2.24 WBW Product Table PRO
2.25 Woo Slider Pro
2.26 Woo Slider Pro
2.27 WooCommerce Orders & Customers Exporter
2.28 WP-GeoMeta
2.29 WP Guppy
2.30 Smash Balloon Social Photo Feed – Easy Social Feeds Plugin
2.31 WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
2.32 Broken Link Checker
2.33 Ocean Extra
2.34 Royal Elementor Addons and Templates
2.35 Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder
2.36 Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates
2.37 Real Cookie Banner: GDPR & ePrivacy Cookie Consent
2.38 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
2.39 Ninja Tables – Easy Data Table Builder
2.40 Exclusive Addons for Elementor
2.41 Bold Page Builder
2.42 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
2.43 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.44 PowerPress Podcasting plugin by Blubrry
2.45 LA-Studio Element Kit for Elementor
2.46 LA-Studio Element Kit for Elementor
2.47 Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
2.48 All-in-One Addons for Elementor – WidgetKit
2.49 Ultimate Gift Cards for WooCommerce
2.50 Borderless – Elementor Addons and Templates
2.51 Simple Page Access Restriction
2.52 EU/UK VAT Validation Manager for WooCommerce
2.53 MStore API – Create Native Android & iOS Apps On The Cloud
2.54 Min Max Step Quantity Limits Manager for WooCommerce
2.55 Shared Files – Frontend File Upload Form & Secure File Sharing
2.56 WP Attachments
2.57 WP Posts Carousel
2.58 WordPress Comments Import & Export
2.59 Newsletters
2.60 Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
2.61 Volunteer Sign Up Sheets
2.62 Quick Contact Form
2.63 Dynamic Pricing and Discount Rules
2.64 Number of Products per Page – Pagination Manager for WooCommerce
2.65 Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce
2.66 The Ultimate WordPress Toolkit – WP Extended
2.67 WordPress Contact Forms by Cimatti
2.68 Map Block Leaflet
2.69 WP Plugin Info Card
2.70 Verge3D Publishing and E-Commerce
2.71 Wishlist
2.72 WP Pipes
2.73 NinjaTeam Chat for Telegram
2.74 Tournamatch
2.75 Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking
2.76 Minimal Share Buttons
2.77 OpenSheetMusicDisplay
2.78 Property – Real Estate Directory Listing
2.79 MasterStudy LMS Pro
2.80 Real Cookie Banner Pro
2.81 wpForo Advanced Attachments

3. WordPress Themes — 7 Patched / 9 Unpatched

3.1 Arlo
3.2 FLAP – Business WordPress Theme
3.3 FlatNews
3.4 Krowd
3.5 PIMP – Creative MultiPurpose
3.6 PressGrid – Frontend Publish Reaction & Multimedia Theme
3.7 Revo
3.8 Soho Hotel
3.9 Spare
3.10 Courtney
3.11 Lesya
3.12 Lettery
3.13 Minterio
3.14 Mr. Murphy
3.15 Starbelly
3.16 Sweet Dessert

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.1 was released on April 30, 2025. This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

WordPress Plugins — 52 Patched / 29 Unpatched

Plugin:: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Plugin Slug:: uncanny-automator
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48133

Plugin:: Real Time Validation for Gravity Forms
Plugin Slug:: real-time-validation-for-gravity-forms
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48330

Plugin:: Real Time Validation for Gravity Forms
Plugin Slug:: real-time-validation-for-gravity-forms
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48329

Plugin:: Real Time Validation for Gravity Forms
Plugin Slug:: real-time-validation-for-gravity-forms
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48328

Plugin:: MaxiBlocks: 2300+ Patterns, 280+ Pages, 14.3K Icons & 100 Styles
Plugin Slug:: maxi-blocks
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47601

Plugin:: Featured Image Plus – Quick & Bulk Edit with Unsplash
Plugin Slug:: featured-image-plus
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4431

Plugin:: Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light
Plugin Slug:: excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
Installations: 600+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48124

Plugin:: History Log by click5
Plugin Slug:: history-log-by-click5
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47598

Plugin:: Product Subtitle for WooCommerce
Plugin Slug:: product-subtitle-for-woocommerce
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5285

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 90+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47651

Plugin:: SUMO Affiliates Pro
Plugin Slug:: affs
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-32291

Plugin:: Apptha Slider Gallery
Plugin Slug:: apptha-slider-gallery
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31050

Plugin:: Blog Designer PRO for WordPress
Plugin Slug:: blog-designer-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47694

Plugin:: Browse As
Plugin Slug:: browse-as
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5190

Plugin:: WPCHURCH
Plugin Slug:: church-management
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31643

Plugin:: CSV Mass Importer
Plugin Slug:: csv-mass-importer
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4190

Plugin:: Daisycon prijsvergelijkers
Plugin Slug:: daisycon
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4590

Plugin:: FastSpring
Plugin Slug:: fastspring
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4595

Plugin:: Flynax Bridge
Plugin Slug:: flynax-bridge
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4179

Plugin:: Gearside Developer Dashboard
Plugin Slug:: gearside-developer-dashboard
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4429

Plugin:: Likes and Dislikes
Plugin Slug:: inprosysmedia-likes-dislikes-post
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-5287

Plugin:: Offsprout Page Builder
Plugin Slug:: offsprout-page-builder
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4672

Plugin:: QuickCab
Plugin Slug:: quickcab
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48337

Plugin:: WBW Product Table PRO
Plugin Slug:: woo-producttables-pro
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31059

Plugin:: Woo Slider Pro
Plugin Slug:: woo-slider-pro-drag-drop-slider-builder-for-woocommerce
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48334

Plugin:: Woo Slider Pro
Plugin Slug:: woo-slider-pro-drag-drop-slider-builder-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4597

Plugin:: WooCommerce Orders & Customers Exporter
Plugin Slug:: woocommerce-orders-customers-exporter
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48331

Plugin:: WP-GeoMeta
Plugin Slug:: wp-geometa
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4103

Plugin:: WP Guppy
Plugin Slug:: wp-guppy
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31920

Plugin:: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin
Plugin Slug:: instagram-feed
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.9.1
Severity Score:: Medium
CVE:: 2025-4583

Plugin:: WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Plugin Slug:: wp-optimize
Installations: 1,000,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.2.0
Severity Score:: High
CVE:: 2025-3951

Plugin:: Broken Link Checker
Plugin Slug:: broken-link-checker
Installations: 600,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.4.5
Severity Score:: Medium
CVE:: 2025-4047

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.9
Severity Score:: Medium
CVE:: 2025-49068

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1021
Severity Score:: Medium
CVE:: 2025-3813

Plugin:: Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.11.3
Severity Score:: Medium
CVE:: 2025-5292

Plugin:: Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug:: essential-blocks
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.1
Severity Score:: Medium
CVE:: 2025-4682

Plugin:: Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Plugin Slug:: real-cookie-banner
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.6
Severity Score:: Medium
CVE:: 2025-1485

Plugin:: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.8
Severity Score:: Medium
CVE:: 2025-49076

Plugin:: Ninja Tables – Easy Data Table Builder
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.0.19
Severity Score:: Critical
CVE:: 2025-2939

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.9.2
Severity Score:: Medium
CVE:: 2025-4783

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.7
Severity Score:: Medium
CVE:: 2025-5286

Plugin:: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.9
Severity Score:: Medium
CVE:: 2025-4670

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.33
Severity Score:: Medium
CVE:: 2024-13053

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.9.18
Severity Score:: Medium
CVE:: 2024-9227

Plugin:: LA-Studio Element Kit for Elementor
Plugin Slug:: lastudio-element-kit
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-4944

Plugin:: LA-Studio Element Kit for Elementor
Plugin Slug:: lastudio-element-kit
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-4943

Plugin:: Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
Plugin Slug:: responsive-add-ons
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-48335

Plugin:: All-in-One Addons for Elementor – WidgetKit
Plugin Slug:: widgetkit-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.5
Severity Score:: Medium
CVE:: 2025-49074

Plugin:: Ultimate Gift Cards for WooCommerce
Plugin Slug:: woo-gift-cards-lite
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.5
Severity Score:: High
CVE:: 2025-5103

Plugin:: Borderless – Elementor Addons and Templates
Plugin Slug:: borderless
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.2
Severity Score:: Medium
CVE:: 2025-5290

Plugin:: Simple Page Access Restriction
Plugin Slug:: simple-page-access-restriction
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.32
Severity Score:: Medium
CVE:: 2025-5142

Plugin:: EU/UK VAT Validation Manager for WooCommerce
Plugin Slug:: eu-vat-for-woocommerce
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2025-47504

Plugin:: MStore API – Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.17.6
Severity Score:: Medium
CVE:: 2025-4683

Plugin:: Min Max Step Quantity Limits Manager for WooCommerce
Plugin Slug:: product-quantity-for-woocommerce
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.4
Severity Score:: Medium
CVE:: 2025-47504

Plugin:: Shared Files – Frontend File Upload Form & Secure File Sharing
Plugin Slug:: shared-files
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.49
Severity Score:: High
CVE:: 2025-4392

Plugin:: WP Attachments
Plugin Slug:: wp-attachments
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1
Severity Score:: High
CVE:: 2025-5082

Plugin:: WP Posts Carousel
Plugin Slug:: wp-posts-carousel
Installations: 4,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3.13
Severity Score:: High
CVE:: 2025-39358

Plugin:: WordPress Comments Import & Export
Plugin Slug:: comments-import-export-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.4
Severity Score:: Medium
CVE:: 2025-3919

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 3,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.10
Severity Score:: High
CVE:: 2025-4857

Plugin:: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Plugin Slug:: cf7-salesforce
Installations: 2,000+
Vulnerability:: Full Path Disclosure (FPD)
Patched in Version:: 1.4.5
Severity Score:: Medium
CVE:: 2025-4659

Plugin:: Volunteer Sign Up Sheets
Plugin Slug:: pta-volunteer-sign-up-sheets
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.5
Severity Score:: Medium
CVE:: 2025-3704

Plugin:: Quick Contact Form
Plugin Slug:: quick-contact-form
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.2
Severity Score:: High
CVE:: 2025-48245

Plugin:: Dynamic Pricing and Discount Rules
Plugin Slug:: discount-and-dynamic-pricing
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-49077

Plugin:: Number of Products per Page – Pagination Manager for WooCommerce
Plugin Slug:: products-per-page-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.0
Severity Score:: Medium
CVE:: 2025-47504

Plugin:: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce
Plugin Slug:: vayu-blocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2025-4420

Plugin:: The Ultimate WordPress Toolkit – WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.16
Severity Score:: Medium
CVE:: 2025-4963

Plugin:: WordPress Contact Forms by Cimatti
Plugin Slug:: contact-forms
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9.9
Severity Score:: Medium
CVE:: 2025-49069

Plugin:: Map Block Leaflet
Plugin Slug:: map-block-leaflet
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.2
Severity Score:: Medium
CVE:: 2025-5122

Plugin:: WP Plugin Info Card
Plugin Slug:: wp-plugin-info-card
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.0
Severity Score:: Medium
CVE:: 2025-5116

Plugin:: Verge3D Publishing and E-Commerce
Plugin Slug:: verge3d
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.4
Severity Score:: High
CVE:: 2025-48241

Plugin:: Wishlist
Plugin Slug:: wishlist
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.44
Severity Score:: Medium
CVE:: 2025-49075

Plugin:: WP Pipes
Plugin Slug:: wp-pipes
Installations: 500+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2025-48267

Plugin:: NinjaTeam Chat for Telegram
Plugin Slug:: ninjateam-telegram
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2
Severity Score:: Medium
CVE:: 2025-5236

Plugin:: Tournamatch
Plugin Slug:: tournamatch
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.2
Severity Score:: Medium
CVE:: 2025-4594

Plugin:: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking
Plugin Slug:: easync-booking
Installations: 100+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.22
Severity Score:: Medium
CVE:: 2025-4691

Plugin:: Minimal Share Buttons
Plugin Slug:: minimal-share-buttons
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.4
Severity Score:: Medium
CVE:: 2025-5259

Plugin:: OpenSheetMusicDisplay
Plugin Slug:: opensheetmusicdisplay
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.1
Severity Score:: Medium
CVE:: 2025-5235

Plugin:: Property – Real Estate Directory Listing
Plugin Slug:: property
Installations: 20+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.7
Severity Score:: High
CVE:: 2025-5117

Plugin:: MasterStudy LMS Pro
Plugin Slug:: masterstudy-lms-learning-management-system-pro
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.7.1
Severity Score:: Critical
CVE:: 2025-4800

Plugin:: Real Cookie Banner Pro
Plugin Slug:: real-cookie-banner-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.6
Severity Score:: Medium
CVE:: 2025-1485

Plugin:: wpForo Advanced Attachments
Plugin Slug:: wpforo-advanced-attachments
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.0
Severity Score:: High
CVE:: 2025-4224

WordPress Themes — 7 Patched / 9 Unpatched

Theme:: Arlo
Theme Slug:: arlo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39475

Theme:: FLAP – Business WordPress Theme
Theme Slug:: flap
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31396

Theme:: FlatNews
Theme Slug:: flatnews
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32305

Theme:: Krowd
Theme Slug:: krowd
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32595

Theme:: PIMP – Creative MultiPurpose
Theme Slug:: pimp
Vulnerability:: Deserialization of untrusted data
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31398

Theme:: PressGrid – Frontend Publish Reaction & Multimedia Theme
Theme Slug:: press-grid
Vulnerability:: Deserialization of untrusted data
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31429

Theme:: Revo
Theme Slug:: revo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39476

Theme:: Soho Hotel
Theme Slug:: soho-hotel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39539

Theme:: Spare
Theme Slug:: spare
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31638

Theme:: Courtney
Theme Slug:: courtney
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-48290

Theme:: Lesya
Theme Slug:: lesya
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.3
Severity Score:: High
CVE:: 2025-48290

Theme:: Lettery
Theme Slug:: lettery
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.8
Severity Score:: High
CVE:: 2025-48290

Theme:: Minterio
Theme Slug:: minterio
Vulnerability:: Local File Inclusion
Patched in Version:: 1.4.1
Severity Score:: High
CVE:: 2025-48290

Theme:: Mr. Murphy
Theme Slug:: mr-murphy
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2.12.1
Severity Score:: Critical
CVE:: 2025-49072

Theme:: Starbelly
Theme Slug:: starbelly
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.7
Severity Score:: High
CVE:: 2025-48290

Theme:: Sweet Dessert
Theme Slug:: sweet-dessert
Vulnerability:: PHP Object Injection
Patched in Version:: 1.1.13
Severity Score:: Critical
CVE:: 2025-49073

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 52 Patched / 29 Unpatched

WordPress Themes — 7 Patched / 9 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026

WordPress Vulnerability Report — April 15, 2026

WordPress Vulnerability Report — April 8, 2026

WordPress Vulnerability Report — April 1, 2026