WordPress Vulnerability Report — October 29, 2025

Since last week, 118 new vulnerabilities have emerged in the WordPress ecosystem, including 113 plugins and 5 themes. Of those, 52 remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Sarah Ulmer

In this report, 118 vulnerabilities have been publicly disclosed. Security patches for 66 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 52 plugin vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.3 was released on September 30, 2025. This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.

WordPress 6.9 Beta 2 is now ready for testing! This beta version of WordPress is still under development, so please avoid using it on production or mission-critical sites. Instead, test Beta 2 on a staging or test site.

The final release of WordPress 6.9 is scheduled for December 2, 2025. You can find the full release schedule and testing information on the WordPress Core blog. Your help testing Beta and RC versions is essential to ensuring a stable and powerful release.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 61 Patched / 52 Unpatched

ACF to REST API

Plugin Slug:
acf-to-rest-api
Installations
30,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Dynamic User Directory

Plugin Slug:
dynamic-user-directory
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Microsoft Azure Storage for WordPress

Plugin Slug:
windows-azure-storage
Installations
2,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Builderall for WordPress

Plugin Slug:
builderall-cheetah-for-wp
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Posts By Tag

Plugin Slug:
posts-by-tag
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Pull Quote

Plugin Slug:
simple-pull-quote
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Slider Templates

Plugin Slug:
slider-templates
Installations
1,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP AdCenter – Ad Manager & Adsense Ads

Plugin Slug:
wpadcenter
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

KiotViet Sync

Plugin Slug:
kiotvietsync
Installations
600+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Gravity Forms Zoho CRM and Bigin

Plugin Slug:
gf-zoho
Installations
500+
Vulnerability:
Open Redirection
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Persian Admin Fonts

Plugin Slug:
persian-admin-fonts
Installations
500+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

IndieAuth

Plugin:
IndieAuth
Plugin Slug:
indieauth
Installations
400+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WP-Force Images Download

Plugin Slug:
wp-force-images-download
Installations
100+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

FanBridge signup

Plugin Slug:
fanbridge-signup
Installations
60+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Cinza Grid

Plugin:
Cinza Grid
Plugin Slug:
cinza-grid
Installations
50+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Disable Content Editor For Specific Template

Plugin Slug:
disable-contect-editor-for-specific-template
Installations
30+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

AIO Forms

Plugin:
AIO Forms
Plugin Slug:
all-in-one-forms
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Bg Book Publisher

Plugin:
Bg Book Publisher
Plugin Slug:
bg-book-publisher
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Check Plagiarism

Plugin:
Check Plagiarism
Plugin Slug:
check-plagiarism
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Email Tracker

Plugin:
Email Tracker
Plugin Slug:
email-tracker
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

URL Shortener

Plugin:
URL Shortener
Plugin Slug:
exact-links
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

JB News Ticker

Plugin:
JB News Ticker
Plugin Slug:
jb-news-ticker
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

LLM Hubspot Blog Import

Plugin:
LLM Hubspot Blog Import
Plugin Slug:
llm-hubspot-blog-import
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Material Design Iconic Font Integration

Plugin:
Material Design Iconic Font Integration
Plugin Slug:
material-design-iconic-font-integration
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Multi Item Responsive Slider

Plugin:
Multi Item Responsive Slider
Plugin Slug:
mislider
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Mixlr Shortcode

Plugin:
Mixlr Shortcode
Plugin Slug:
mixlr-shortcode
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

NGINX Cache Optimizer

Plugin:
NGINX Cache Optimizer
Plugin Slug:
nginx-cache-optimizer
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

NS Maintenance Mode for WP

Plugin:
NS Maintenance Mode for WP
Plugin Slug:
ns-maintenance-mode-for-wp
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Oboxmedia Ads

Plugin:
Oboxmedia Ads
Plugin Slug:
oboxmedia-ads
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Originality.ai AI Checker

Plugin:
Originality.ai AI Checker
Plugin Slug:
originality-ai
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Originality.ai AI Checker

Plugin:
Originality.ai AI Checker
Plugin Slug:
originality-ai
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Photographers galleries

Plugin:
Photographers galleries
Plugin Slug:
photographers-galleries
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Playerzbr

Plugin:
Playerzbr
Plugin Slug:
playerzbr
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Print Button Shortcode

Plugin:
Print Button Shortcode
Plugin Slug:
print-button-shortcode
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

qnotsquiz

Plugin:
qnotsquiz
Plugin Slug:
qnotsquiz
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Quickcreator – AI Blog Writer

Plugin:
Quickcreator – AI Blog Writer
Plugin Slug:
quickcreator
Vulnerability:
Sensitive Data Exposure
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

RapidResult

Plugin:
RapidResult
Plugin Slug:
rapidresult
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Responsive iframe GoogleMap

Plugin:
Responsive iframe GoogleMap
Plugin Slug:
responsive-iframe-googlemap
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Responsive Progress Bar

Plugin:
Responsive Progress Bar
Plugin Slug:
responsive-progress-bar
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Business Data

Plugin:
Simple Business Data
Plugin Slug:
simple-business-data
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Excel Pricelist for WooCommerce

Plugin:
Simple Excel Pricelist for WooCommerce
Plugin Slug:
simple-excel-pricelist-for-woocommerce
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Tableau Viz

Plugin:
Simple Tableau Viz
Plugin Slug:
simple-tableau-viz
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Simple Youtube Shortcode

Plugin:
Simple Youtube Shortcode
Plugin Slug:
simple-youtube-shortcode
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

SM CountDown Widget

Plugin:
SM CountDown Widget
Plugin Slug:
smcountdown
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ST Categories Widget

Plugin:
ST Categories Widget
Plugin Slug:
st-category-wp
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

This-or-That

Plugin:
This-or-That
Plugin Slug:
this-or-that
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

VNPAY Payment gateway

Plugin:
VNPAY Payment gateway
Plugin Slug:
vnpay-for-woocommerce
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Designer Pro

Plugin:
WooCommerce Designer Pro
Plugin Slug:
wc-designer-pro
Vulnerability:
Arbitrary File Upload
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

WP AD Gallery

Plugin:
WP AD Gallery
Plugin Slug:
wp-ad-gallery
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Responsive Meet The Team

Plugin:
WP Responsive Meet The Team
Plugin Slug:
wp-responsive-meet-the-team
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Restaurant Listings

Plugin:
WP Restaurant Listings
Plugin Slug:
wp-restaurant-listings
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP-Thumbnail

Plugin:
WP-Thumbnail
Plugin Slug:
wp-thumbnail
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

BackWPup – WordPress Backup & Restore Plugin

Plugin Slug:
backwpup
Installations
500,000+
Vulnerability:
Broken Access Control
Patched in Version:
5.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.5.1.

PixelYourSite – Your smart PIXEL (TAG) & API Manager

Plugin Slug:
pixelyoursite
Installations
500,000+
Vulnerability:
Local File Inclusion
Patched in Version:
11.1.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 11.1.2.

PixelYourSite – Your smart PIXEL (TAG) & API Manager

Plugin Slug:
pixelyoursite
Installations
500,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
11.1.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 11.1.3.

GenerateBlocks

Plugin Slug:
generateblocks
Installations
200,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
2.1.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.2.

Element Pack Addons for Elementor

Plugin Slug:
bdthemes-element-pack-lite
Installations
100,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
8.2.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 8.2.6.

Plugin Slug:
real-cookie-banner
Installations
100,000+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
5.2.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.2.5.

Tutor LMS – eLearning and online course solution

Plugin Slug:
tutor
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.9.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.9.0.

Tutor LMS – eLearning and online course solution

Plugin Slug:
tutor
Installations
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.9.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.9.0.

Plugin Slug:
insta-gallery
Installations
90,000+
Vulnerability:
Broken Access Control
Patched in Version:
4.9.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.9.3.

Ajax Search Lite – Live Search & Filter

Plugin Slug:
ajax-search-lite
Installations
80,000+
Vulnerability:
PHP Object Injection
Patched in Version:
4.13.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.13.4.

Meta Tag Manager

Plugin Slug:
meta-tag-manager
Installations
80,000+
Vulnerability:
Open Redirection
Patched in Version:
3.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.3.

Product Filter by WBW

Plugin Slug:
woo-product-filter
Installations
60,000+
Vulnerability:
SQL Injection
Patched in Version:
2.9.8
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.9.8.

Product Filter by WBW

Plugin Slug:
woo-product-filter
Installations
60,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.0.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.1.

Bold Page Builder

Plugin Slug:
bold-page-builder
Installations
50,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.4.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.4.6.

Fast Velocity Minify

Plugin Slug:
fast-velocity-minify
Installations
40,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.5.2.

Welcart e-Commerce

Plugin Slug:
usc-e-shop
Installations
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.11.23
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.11.23.

wpForo Forum

Plugin Slug:
wpforo
Installations
20,000+
Vulnerability:
SQL Injection
Patched in Version:
2.4.9
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 2.4.9.

Web Accessibility by accessiBe

Plugin Slug:
accessibe
Installations
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.11
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.11.

Plugin Slug:
testimonials-carousel-elementor
Installations
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
11.7.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 11.7.0.

VikBooking Hotel Booking Engine & PMS

Plugin Slug:
vikbooking
Installations
9,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.8.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.8.3.

Password Policy Manager | Password Manager

Plugin Slug:
password-policy-manager
Installations
6,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.0.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.6.

Simple Registration for WooCommerce

Plugin Slug:
woocommerce-simple-registration
Installations
5,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.5.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.5.9.

Watu Quiz

Plugin:
Watu Quiz
Plugin Slug:
watu
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.4.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.4.5.

WPMobile.App

Plugin Slug:
wpappninja
Installations
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
11.72
Severity Score:
High
The vulnerability has been patched, so you should update to version 11.72.

Email Subscription Popup

Plugin Slug:
email-subscribe
Installations
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.27
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.27.

Discussion Board – WordPress Forum Plugin

Plugin Slug:
wp-discussion-board
Installations
2,000+
Vulnerability:
Content Injection
Patched in Version:
2.5.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.6.

Flexible Refund and Return Order for WooCommerce

Plugin Slug:
flexible-refund-and-return-order-for-woocommerce
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.0.39
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.39.

Range Slider Addon for Gravity Forms

Plugin Slug:
range-slider-addon-for-gravity-forms
Installations
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.7
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.1.7.

MDTF – Meta Data and Taxonomies Filter

Plugin Slug:
wp-meta-data-filter-and-taxonomy-filter
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.3.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.4.

WPComplete

Plugin:
WPComplete
Plugin Slug:
wpcomplete
Installations
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.9.5.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.5.4.

MxChat – AI Chatbot for WordPress

Plugin Slug:
mxchat-basic
Installations
800+
Vulnerability:
Server Side Request Forgery (SSRF)
Patched in Version:
2.4.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.4.7.

Supervisor

Plugin:
Supervisor
Plugin Slug:
supervisor
Installations
100+
Vulnerability:
Broken Access Control
Patched in Version:
1.3.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.3.

HAPPY – Helpdesk Support Ticket System

Plugin Slug:
happy-helpdesk-support-ticket-system
Installations
10+
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
1.0.8
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.0.8.

SpendeOnline.org

Plugin Slug:
spendeonline
Installations
10+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.2.

Academy LMS Pro

Plugin:
Academy LMS Pro
Plugin Slug:
academy-pro
Vulnerability:
Privilege Escalation
Patched in Version:
3.3.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.3.8.

Beaver Builder Plugin (Starter Version)

Plugin:
Beaver Builder Plugin (Starter Version)
Plugin Slug:
bb-plugin
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.9.3.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.9.3.1.

Stockie Extra

Plugin:
Stockie Extra
Plugin Slug:
stockie-extra
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.2.12
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.12.

Tutor LMS Pro

Plugin:
Tutor LMS Pro
Plugin Slug:
tutor-pro
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
3.9.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.9.0.

WordPress Themes — 5 Patched / 0 Unpatched

The7

Theme:
The7
Theme Slug:
dt-the7
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
12.9.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 12.9.2.

Genesis Framework

Theme:
Genesis Framework
Theme Slug:
genesis
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.1.

Listeo

Theme:
Listeo
Theme Slug:
listeo
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.0.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.9.

Sahifa

Theme:
Sahifa
Theme Slug:
sahifa
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.8.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.8.6.

wpresidence

Theme:
wpresidence
Theme Slug:
wpresidence
Vulnerability:
Broken Access Control
Patched in Version:
5.3.2.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.3.2.1.
