WordPress Vulnerability Report — November 19, 2025

Since last week, 149 new vulnerabilities have emerged in the WordPress ecosystem, including 148 plugins and 1 theme. Of those, 82 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

Published:Nov 19, 2025

Filed Under:WordPress Vulnerability Report

Reading Time:27 min.

In this report, 149 vulnerabilities have been publicly disclosed. Security patches for 67 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 82 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 67 Patched / 81 Unpatched

2.1 Enable SVG, WebP, and ICO Upload
2.2 Enable SVG, WebP, and ICO Upload
2.3 Gutenify – Visual Site Builder Blocks & Site Templates.
2.4 Stock Management for WooCommerce by Shelf Planner
2.5 Stock Management for WooCommerce by Shelf Planner
2.6 Simple User Import Export
2.7 ACF Flexible Layouts Manager
2.8 Add Multiple Marker
2.9 Auto Amazon Links
2.10 ArtiBot
2.11 Authors List
2.12 Restrictions for BuddyPress
2.13 Category and Product Woocommerce Tabs
2.14 Chart Expert
2.15 Coil Web Monetization
2.16 Coon Google Maps
2.17 WP????????? for CPI
2.18 Crypto
2.19 Crypto
2.20 CSV to SortTable
2.21 CTL Arcade Lite
2.22 Document Pro Elementor
2.23 Download Panel (Biggiko Team)
2.24 Elastic Theme Editor
2.25 Eventbee Ticketing Widget
2.26 everviz
2.27 Find Unused Images
2.28 Five9 Live Chat
2.29 Fleet Manager
2.30 Geopost
2.31 Astra Security Suite
2.32 GitHub Gist Shortcode
2.33 Holiday class post calendar
2.34 Jeba Cute forkit
2.35 Like-it
2.36 Live Photos on WordPress
2.37 Local Syndication
2.38 Make Email Customizer for WooCommerce
2.39 Mementor Core
2.40 Meta Display Block
2.41 Multiple Roles per User
2.42 My Geo Posts Free
2.43 Ninja Countdown
2.44 Nonaki
2.45 Twitter Feed
2.46 Paypal Donation Shortcode
2.47 Drag & Drop Builder
2.48 Precise Columns
2.49 Preload Current Images
2.50 Premmerce Wholesale Pricing for WooCommerce
2.51 Progress Bar Blocks for Gutenberg
2.52 Project Honey Pot Spam Trap
2.53 Quicq
2.54 RandomQuotr
2.55 Save as PDF Button
2.56 Share to Google Classroom
2.57 Simple Donate
2.58 Skip to Timestamp
2.59 Slippy Slider
2.60 Squirrels Auto Inventory
2.61 The Permalinks Cascade
2.62 The Total Book Project
2.63 Top Friends
2.64 Cryptocurrency Payment Gateway for WooCommerce
2.65 WP Twitter Auto Publish
2.66 Ungapped Widgets
2.67 USB Qr Code Scanner For Woocommerce
2.68 Wisly
2.69 Woocommerce – Products By Custom Tax
2.70 WP Admin Microblog
2.71 WP BBCode
2.72 WP Bootstrap Tabs
2.73 WP Count Down Timer
2.74 WP Custom Admin Login Page Logo
2.75 Flickr Show
2.76 WordPress Content Flipper
2.77 WP-Iconics
2.78 WP-OAuth
2.79 WP Headless CMS Framework
2.80 WP-Walla
2.81 YSlider
2.82 All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
2.83 Page Builder: Pagelayer – Drag and Drop website builder
2.84 Blocksy Companion
2.85 Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links
2.86 SureForms – Contact Form, Custom Form Builder, Calculator & More
2.87 WP Go Maps (formerly WP Google Maps)
2.88 Post Type Switcher
2.89 WP Migrate Lite – WordPress Migration Made Easy
2.90 AI Engine
2.91 AI Engine
2.92 Element Pack Addons for Elementor
2.93 Gallery Plugin for WordPress – Envira Photo Gallery
2.94 Image Gallery – Photo Grid & Video Gallery
2.95 VK All in One Expansion Unit
2.96 Import any XML, CSV or Excel File to WordPress
2.97 Booking for Appointments and Events Calendar – Amelia
2.98 Qi Blocks
2.99 Booking Calendar
2.100 Live sales notification for WooCommerce
2.101 Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
2.102 WP Duplicate Page
2.103 RTMKit
2.104 Data Tables Generator by Supsystic
2.105 Welcart e-Commerce
2.106 WP Import – Ultimate CSV XML Importer for WordPress
2.107 Asgaros Forum
2.108 Classified Listing – AI-Powered Classified ads & Business Directory Plugin
2.109 Classified Listing – AI-Powered Classified ads & Business Directory Plugin
2.110 Contact Form Email
2.111 Passster – Password Protect Pages and Content
2.112 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
2.113 LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
2.114 MasterStudy LMS WordPress Plugin – for Online Courses and Education
2.115 Photonic Gallery & Lightbox for Flickr, SmugMug & Others
2.116 Checkout Files Upload for WooCommerce
2.117 Poll Maker – Versus Polls, Anonymous Polls, Image Polls
2.118 Project Management & Task Manager with Kanban Board & Gantt Chart – WP Project Manager
2.119 Survey Maker
2.120 Survey Maker
2.121 Booking Calendar | Appointment Booking | Bookit
2.122 Icon List Block – Add Icon-Based Lists with Custom Styles
2.123 Specific Content For Mobile – Customize the mobile version without redirections
2.124 Team Members Showcase
2.125 CoSchedule
2.126 Payment Plugins Braintree For WooCommerce
2.127 WP Plugin Manager – Deactivate plugins per page
2.128 Hydra Booking — Appointment Scheduling & Booking Calendar
2.129 Hydra Booking — Appointment Scheduling & Booking Calendar
2.130 MembershipWorks – Membership, Events & Directory
2.131 Comment Edit Core – Simple Comment Editing
2.132 PDF Builder for WooCommerce. Create invoices,packing slips and more
2.133 School Management System – WPSchoolPress
2.134 Appointment Booking Calendar
2.135 Contest Gallery – Upload, Vote & Sell with PayPal and Stripe
2.136 Creta Testimonial Showcase
2.137 TNC Toolbox: Web Performance
2.138 Thumbnail Slider With Lightbox
2.139 Theater for WordPress
2.140 SNORDIAN’s H5PxAPIkatchu
2.141 WP Dropzone
2.142 Wishlist and Save for later for Woocommerce
2.143 EasyCommerce – AI-Powered Ecommerce To Sell Physical & Digital Products
2.144 Magazine Companion
2.145 Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images
2.146 0 Day Analytics
2.147 Easy Email Subscription
2.148 Gravity Forms

3. WordPress Themes — 0 Patched / 1 Unpatched

3.1 Angel

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.3 was released on September 30, 2025. This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.

WordPress 6.9 Release Candidate 2 (RC2) is now available for testing. This version is still under development and should not be installed on production or mission-critical websites. Instead, test RC2 on a staging or test site. You can read more on the WordPress Core blog for details on how to download and test this release.

The final release of WordPress 6.9 is scheduled for December 2, 2025. For updates, testing information, and release announcements, visit the Make WordPress Core blog.

WordPress Plugins — 67 Patched / 81 Unpatched

Plugin:: Enable SVG, WebP, and ICO Upload
Plugin Slug:: enable-svg-webp-ico-upload
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13069

Plugin:: Enable SVG, WebP, and ICO Upload
Plugin Slug:: enable-svg-webp-ico-upload
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12457

Plugin:: Gutenify – Visual Site Builder Blocks & Site Templates.
Plugin Slug:: gutenify
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8605

Plugin:: Stock Management for WooCommerce by Shelf Planner
Plugin Slug:: shelf-planner
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11894

Plugin:: Stock Management for WooCommerce by Shelf Planner
Plugin Slug:: shelf-planner
Installations: 100+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11891

Plugin:: Simple User Import Export
Plugin Slug:: a3-user-importer
Vulnerability:: CSV Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13133

Plugin:: ACF Flexible Layouts Manager
Plugin Slug:: acf-flexible-layouts-manager
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12937

Plugin:: Add Multiple Marker
Plugin Slug:: add-multiple-marker
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11999

Plugin:: Auto Amazon Links
Plugin Slug:: amazon-auto-links
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11451

Plugin:: ArtiBot
Plugin Slug:: artibot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12078

Plugin:: Authors List
Plugin Slug:: authors-list
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12010

Plugin:: Restrictions for BuddyPress
Plugin Slug:: bp-restrict
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12391

Plugin:: Category and Product Woocommerce Tabs
Plugin Slug:: category-and-product-woocommerce-tabs
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13088

Plugin:: Chart Expert
Plugin Slug:: chart-expert
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12753

Plugin:: Coil Web Monetization
Plugin Slug:: coil-web-monetization
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9625

Plugin:: Coon Google Maps
Plugin Slug:: coon-google-maps
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12662

Plugin:: WP????????? for CPI
Plugin Slug:: cpi-wp-migration
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11170

Plugin:: Crypto
Plugin Slug:: crypto
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11986

Plugin:: Crypto
Plugin Slug:: crypto
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11988

Plugin:: CSV to SortTable
Plugin Slug:: csv-to-sorttable
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12823

Plugin:: CTL Arcade Lite
Plugin Slug:: ctl-arcade-lite
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11886

Plugin:: Document Pro Elementor
Plugin Slug:: document-pro-elementor
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11997

Plugin:: Download Panel (Biggiko Team)
Plugin Slug:: download-panel
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12961

Plugin:: Elastic Theme Editor
Plugin Slug:: elastic-theme-editor
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12637

Plugin:: Eventbee Ticketing Widget
Plugin Slug:: eventbee-ticketing-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11856

Plugin:: everviz
Plugin Slug:: everviz
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11868

Plugin:: Find Unused Images
Plugin Slug:: find-unused-images
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11996

Plugin:: Five9 Live Chat
Plugin Slug:: five9
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11829

Plugin:: Fleet Manager
Plugin Slug:: fleet
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12538

Plugin:: Geopost
Plugin Slug:: geopost
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12754

Plugin:: Astra Security Suite
Plugin Slug:: getastra
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11521

Plugin:: GitHub Gist Shortcode
Plugin Slug:: github-gist-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12667

Plugin:: Holiday class post calendar
Plugin Slug:: holiday-class-post-calendar
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12813

Plugin:: Jeba Cute forkit
Plugin Slug:: jeba-cute-forkit
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12663

Plugin:: Like-it
Plugin Slug:: like-it
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12404

Plugin:: Live Photos on WordPress
Plugin Slug:: live-photos
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12651

Plugin:: Local Syndication
Plugin Slug:: local-syndication
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12962

Plugin:: Make Email Customizer for WooCommerce
Plugin Slug:: make-email-customizer-for-woocommerce
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11237

Plugin:: Mementor Core
Plugin Slug:: mementor-core
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11168

Plugin:: Meta Display Block
Plugin Slug:: meta-display-block
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12088

Plugin:: Multiple Roles per User
Plugin Slug:: multiple-roles-per-user
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11620

Plugin:: My Geo Posts Free
Plugin Slug:: my-geo-posts-free
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11863

Plugin:: Ninja Countdown
Plugin Slug:: ninja-countdown
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12665

Plugin:: Nonaki
Plugin Slug:: nonaki-email-template-customizer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12644

Plugin:: Twitter Feed
Plugin Slug:: ot-twitter-feed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11860

Plugin:: Paypal Donation Shortcode
Plugin Slug:: paypal-donation-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11859

Plugin:: Drag & Drop Builder
Plugin Slug:: pie-forms-for-wp
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12528

Plugin:: Precise Columns
Plugin Slug:: precise-columns
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11869

Plugin:: Preload Current Images
Plugin Slug:: preload-current-images
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12658

Plugin:: Premmerce Wholesale Pricing for WooCommerce
Plugin Slug:: premmerce-woocommerce-wholesale-pricing
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12411

Plugin:: Progress Bar Blocks for Gutenberg
Plugin Slug:: progressmatify-blocks
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12880

Plugin:: Project Honey Pot Spam Trap
Plugin Slug:: project-honey-pot-spam-trap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12406

Plugin:: Quicq
Plugin Slug:: quicq
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12015

Plugin:: RandomQuotr
Plugin Slug:: randomquotr
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12632

Plugin:: Save as PDF Button
Plugin Slug:: save-as-pdf
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8397

Plugin:: Share to Google Classroom
Plugin Slug:: share-to-google-classroom
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12711

Plugin:: Simple Donate
Plugin Slug:: simple-donate
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11882

Plugin:: Skip to Timestamp
Plugin Slug:: skip-to-timestamp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11805

Plugin:: Slippy Slider
Plugin Slug:: slippy-slider-responsive-touch-navigation-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11874

Plugin:: Squirrels Auto Inventory
Plugin Slug:: squirrels-auto-inventory
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12631

Plugin:: The Permalinks Cascade
Plugin Slug:: the-permalinks-cascade
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12372

Plugin:: The Total Book Project
Plugin Slug:: the-total-book-project
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12126

Plugin:: Top Friends
Plugin Slug:: top-friends
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12827

Plugin:: Cryptocurrency Payment Gateway for WooCommerce
Plugin Slug:: triplea-cryptocurrency-payment-gateway-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12392

Plugin:: WP Twitter Auto Publish
Plugin Slug:: twitter-auto-publish
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12079

Plugin:: Ungapped Widgets
Plugin Slug:: ungapped-widgets
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12652

Plugin:: USB Qr Code Scanner For Woocommerce
Plugin Slug:: usb-qr-code-scanner-for-woocommerce
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12588

Plugin:: Wisly
Plugin Slug:: wisly
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11532

Plugin:: Woocommerce – Products By Custom Tax
Plugin Slug:: woocommerce-products-by-custom-tax
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11821

Plugin:: WP Admin Microblog
Plugin Slug:: wp-admin-microblog
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12173

Plugin:: WP BBCode
Plugin Slug:: wp-bbcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11873

Plugin:: WP Bootstrap Tabs
Plugin Slug:: wp-bootstrap-tabs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11822

Plugin:: WP Count Down Timer
Plugin Slug:: wp-count-down-timer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12668

Plugin:: WP Custom Admin Login Page Logo
Plugin Slug:: wp-custom-login-page-logo
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12132

Plugin:: Flickr Show
Plugin Slug:: wp-flickrshow
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12672

Plugin:: WordPress Content Flipper
Plugin Slug:: wp-flipper
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11769

Plugin:: WP-Iconics
Plugin Slug:: wp-iconics
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12671

Plugin:: WP-OAuth
Plugin Slug:: wp-oauth
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12021

Plugin:: WP Headless CMS Framework
Plugin Slug:: wp-rest-headless
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11260

Plugin:: WP-Walla
Plugin Slug:: wp-walla
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12589

Plugin:: YSlider
Plugin Slug:: yslider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12590

Plugin:: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Plugin Slug:: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.0
Severity Score:: Medium
CVE:: 2025-12847

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 400,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.0.6
Severity Score:: Medium
CVE:: 2025-12366

Plugin:: Blocksy Companion
Plugin Slug:: blocksy-companion
Installations: 300,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.1.20
Severity Score:: Critical
CVE:: 2025-12846

Plugin:: Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links
Plugin Slug:: broken-link-checker-seo
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.6
Severity Score:: Medium
CVE:: 2025-11734

Plugin:: SureForms – Contact Form, Custom Form Builder, Calculator & More
Plugin Slug:: sureforms
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.13.2
Severity Score:: Medium
CVE:: 2025-12536

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.0.48
Severity Score:: High
CVE:: 2025-11307

Plugin:: Post Type Switcher
Plugin Slug:: post-type-switcher
Installations: 200,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2025-12524

Plugin:: WP Migrate Lite – WordPress Migration Made Easy
Plugin Slug:: wp-migrate-db
Installations: 200,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.7.7
Severity Score:: High
CVE:: 2025-11427

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.1.9
Severity Score:: Medium
CVE:: 2025-8084

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.1.9
Severity Score:: High
CVE:: 2025-12844

Plugin:: Element Pack Addons for Elementor
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.3.5
Severity Score:: Medium
CVE:: 2025-13196

Plugin:: Gallery Plugin for WordPress – Envira Photo Gallery
Plugin Slug:: envira-gallery-lite
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.12.1
Severity Score:: Medium
CVE:: 2025-12377

Plugin:: Image Gallery – Photo Grid & Video Gallery
Plugin Slug:: modula-best-grid-gallery
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.12.29
Severity Score:: Medium
CVE:: 2025-12494

Plugin:: VK All in One Expansion Unit
Plugin Slug:: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.112.2
Severity Score:: Medium
CVE:: 2025-11265

Plugin:: Import any XML, CSV or Excel File to WordPress
Plugin Slug:: wp-all-import
Installations: 100,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 4.0.0
Severity Score:: Critical
CVE:: 2025-12733

Plugin:: Booking for Appointments and Events Calendar – Amelia
Plugin Slug:: ameliabooking
Installations: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.36
Severity Score:: Critical
CVE:: 2025-12482

Plugin:: Qi Blocks
Plugin Slug:: qi-blocks
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2025-12182

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.14.8
Severity Score:: Medium
CVE:: 2025-64381

Plugin:: Live sales notification for WooCommerce
Plugin Slug:: live-sales-notifications-for-woocommerce
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.40
Severity Score:: High
CVE:: 2025-12955

Plugin:: Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
Plugin Slug:: woocommerce-google-adwords-conversion-tracking-tag
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.49.3
Severity Score:: Medium
CVE:: 2025-12545

Plugin:: WP Duplicate Page
Plugin Slug:: wp-duplicate-page
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2025-12481

Plugin:: RTMKit
Plugin Slug:: rometheme-for-elementor
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.6
Severity Score:: Medium
CVE:: 2025-8609

Plugin:: Data Tables Generator by Supsystic
Plugin Slug:: data-tables-generator-by-supsystic
Installations: 20,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.10.46
Severity Score:: Medium
CVE:: 2025-12089

Plugin:: Welcart e-Commerce
Plugin Slug:: usc-e-shop
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.11.25
Severity Score:: Medium
CVE:: 2025-12979

Plugin:: WP Import – Ultimate CSV XML Importer for WordPress
Plugin Slug:: wp-ultimate-csv-importer
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.33.1
Severity Score:: Medium
CVE:: 2025-12732

Plugin:: Asgaros Forum
Plugin Slug:: asgaros-forum
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-12901

Plugin:: Classified Listing – AI-Powered Classified ads & Business Directory Plugin
Plugin Slug:: classified-listing
Installations: 10,000+
Vulnerability:: Content Spoofing
Patched in Version:: 5.0.4
Severity Score:: Medium
CVE:: 2025-7711

Plugin:: Classified Listing – AI-Powered Classified ads & Business Directory Plugin
Plugin Slug:: classified-listing
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.2.1
Severity Score:: Medium
CVE:: 2025-12953

Plugin:: Contact Form Email
Plugin Slug:: contact-form-to-email
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.59
Severity Score:: Medium
CVE:: 2025-64369

Plugin:: Passster – Password Protect Pages and Content
Plugin Slug:: content-protector
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.2.20
Severity Score:: High
CVE:: 2025-64218

Plugin:: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.140
Severity Score:: Medium
CVE:: 2025-12833

Plugin:: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Plugin Slug:: lifterlms
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 9.1.1
Severity Score:: High
CVE:: 2025-11923

Plugin:: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.28
Severity Score:: High
CVE:: 2025-64366

Plugin:: Photonic Gallery & Lightbox for Flickr, SmugMug & Others
Plugin Slug:: photonic
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.22
Severity Score:: Medium
CVE:: 2025-12691

Plugin:: Checkout Files Upload for WooCommerce
Plugin Slug:: checkout-files-upload-woocommerce
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: High
CVE:: 2025-4212

Plugin:: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Plugin Slug:: poll-maker
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 6.0.8
Severity Score:: High
CVE:: 2025-12620

Plugin:: Project Management & Task Manager with Kanban Board & Gantt Chart – WP Project Manager
Plugin Slug:: wedevs-project-manager
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.6.27
Severity Score:: High
CVE:: 2025-8994

Plugin:: Survey Maker
Plugin Slug:: survey-maker
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.9.5
Severity Score:: Medium
CVE:: 2025-64276

Plugin:: Survey Maker
Plugin Slug:: survey-maker
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.9.5
Severity Score:: Medium
CVE:: 2025-12891

Plugin:: Booking Calendar | Appointment Booking | Bookit
Plugin Slug:: bookit
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.1
Severity Score:: High
CVE:: 2025-12633

Plugin:: Icon List Block – Add Icon-Based Lists with Custom Styles
Plugin Slug:: icon-list-block
Installations: 5,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.2.2
Severity Score:: Medium
CVE:: 2025-12376

Plugin:: Specific Content For Mobile – Customize the mobile version without redirections
Plugin Slug:: specific-content-for-mobile
Installations: 5,000+
Vulnerability:: SQL Injection
Patched in Version:: 0.5.6
Severity Score:: High
CVE:: 2025-11454

Plugin:: Team Members Showcase
Plugin Slug:: wps-team
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.0
Severity Score:: High
CVE:: 2025-11560

Plugin:: CoSchedule
Plugin Slug:: coschedule-by-todaymade
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.1
Severity Score:: Medium
CVE:: 2025-49913

Plugin:: Payment Plugins Braintree For WooCommerce
Plugin Slug:: woo-payment-gateway
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.79
Severity Score:: High
CVE:: 2025-12903

Plugin:: WP Plugin Manager – Deactivate plugins per page
Plugin Slug:: wp-plugin-manager
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.4.8
Severity Score:: Medium
CVE:: 2025-64271

Plugin:: Hydra Booking — Appointment Scheduling & Booking Calendar
Plugin Slug:: hydra-booking
Installations: 2,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.1.28
Severity Score:: Medium
CVE:: 2025-12788

Plugin:: Hydra Booking — Appointment Scheduling & Booking Calendar
Plugin Slug:: hydra-booking
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.28
Severity Score:: Medium
CVE:: 2025-12787

Plugin:: MembershipWorks – Membership, Events & Directory
Plugin Slug:: memberfindme
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.15
Severity Score:: Medium
CVE:: 2025-12018

Plugin:: Comment Edit Core – Simple Comment Editing
Plugin Slug:: simple-comment-editing
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.0
Severity Score:: Medium
CVE:: 2025-12681

Plugin:: PDF Builder for WooCommerce. Create invoices,packing slips and more
Plugin Slug:: woo-pdf-invoice-builder
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.151
Severity Score:: Medium
CVE:: 2025-64269

Plugin:: School Management System – WPSchoolPress
Plugin Slug:: wpschoolpress
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.2.24
Severity Score:: High
CVE:: 2025-11981

Plugin:: Appointment Booking Calendar
Plugin Slug:: appointment-booking-calendar
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.96
Severity Score:: Medium
CVE:: 2025-64261

Plugin:: Contest Gallery – Upload, Vote & Sell with PayPal and Stripe
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 28.0.3
Severity Score:: Medium
CVE:: 2025-12849

Plugin:: Creta Testimonial Showcase
Plugin Slug:: creta-testimonial-showcase
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.4
Severity Score:: High
CVE:: 2025-10686

Plugin:: TNC Toolbox: Web Performance
Plugin Slug:: tnc-toolbox
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.0
Severity Score:: Critical
CVE:: 2025-12539

Plugin:: Thumbnail Slider With Lightbox
Plugin Slug:: wp-responsive-slider-with-lightbox
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.22
Severity Score:: Medium
CVE:: 2024-5020

Plugin:: Theater for WordPress
Plugin Slug:: theatre
Installations: 600+
Vulnerability:: Broken Access Control
Patched in Version:: 0.19
Severity Score:: Medium
CVE:: 2025-64259

Plugin:: SNORDIAN’s H5PxAPIkatchu
Plugin Slug:: h5pxapikatchu
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.4.18
Severity Score:: High
CVE:: 2025-12904

Plugin:: WP Dropzone
Plugin Slug:: wp-dropzone
Installations: 100+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.1.1
Severity Score:: Critical
CVE:: 2025-12775

Plugin:: Wishlist and Save for later for Woocommerce
Plugin Slug:: aco-wishlist-for-woocommerce
Installations: 80+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.1.23
Severity Score:: Medium
CVE:: 2025-12087

Plugin:: EasyCommerce – AI-Powered Ecommerce To Sell Physical & Digital Products
Plugin Slug:: easycommerce
Installations: 70+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.8.3
Severity Score:: Critical
CVE:: 2025-11457

Plugin:: Magazine Companion
Plugin Slug:: bnm-blocks
Installations: 60+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.4
Severity Score:: Medium
CVE:: 2025-11828

Plugin:: Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images
Plugin Slug:: alt-text-generator
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.4
Severity Score:: Medium
CVE:: 2025-12113

Plugin:: 0 Day Analytics
Plugin Slug:: 0-day-analytics
Installations: 30+
Vulnerability:: SQL Injection
Patched in Version:: 4.1.0
Severity Score:: High
CVE:: 2025-64293

Plugin:: Easy Email Subscription
Plugin Slug:: email-subscription-with-secure-captcha
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-11994

Plugin:: Gravity Forms
Plugin Slug:: gravityforms
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.9.22
Severity Score:: Critical
CVE:: 2025-12974

WordPress Themes — 0 Patched / 1 Unpatched

Theme:: Angel
Theme Slug:: angel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10295

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. Thanks to her deep connection to the brand, its products, and its users, Sarah was tapped as Solid’s primary Product Marketer in 2023. Sarah helps ensure that Solid’s product development team understands our users’ needs. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her three boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core

WordPress Plugins — 67 Patched / 81 Unpatched