WordPress Vulnerability Report � May 7, 2025

In this report, 88 vulnerabilities have been publicly disclosed. Security patches for 46 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 42 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.1 has been released! This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

Plus, WordCamp Europe 2025 lands in Basel, Switzerland, June 5-7! Connect with WordPress enthusiasts, developers, and pros for three days of learning, networking, and collaboration with the global community.

WordPress Plugins � 40 Patched / 42 Unpatched

Plugin:: Team Members � Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder
Plugin Slug:: wps-team
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3521

Plugin:: Section Widget
Plugin Slug:: section-widget
Installations: 600+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-46441

Plugin:: Section Widget
Plugin Slug:: section-widget
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46537

Plugin:: Crossword Compiler Puzzles
Plugin Slug:: crossword-compiler-puzzles
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-46493

Plugin:: A/B Testing, Popups, Website Personalization, Email Popup, Exit Intent Pop Up, Upsell Pop Up � Personizely
Plugin Slug:: personizely
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3779

Plugin:: Total processing card payments for WooCommerce
Plugin Slug:: totalprocessing-card-payments
Installations: 200+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-46486

Plugin:: Abundatrade
Plugin Slug:: abundatrade-plugin
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4199

Plugin:: Advanced Reorder Image Text Slider
Plugin Slug:: advanced-reorder-image-text-slider
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4188

Plugin:: AHAthat
Plugin Slug:: ahathat
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4337

Plugin:: Alink Tap
Plugin Slug:: alink-tap
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4198

Plugin:: Buddyboss Platform
Plugin Slug:: buddyboss-platform
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-13858

Plugin:: Category Widget
Plugin Slug:: category-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46515

Plugin:: Custom PC Builder Lite for WooCommerce
Plugin Slug:: custom-pc-builder-lite-for-woocommerce
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-43838

Plugin:: Database Toolset
Plugin Slug:: database-toolset
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4222

Plugin:: EC Authorize.net
Plugin Slug:: ec-authorizenet
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46487

Plugin:: External image replace
Plugin Slug:: external-image-replace
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4279

Plugin:: Flynax Bridge
Plugin Slug:: flynax-bridge
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4177

Plugin:: GmapsMania
Plugin Slug:: gmapsmania
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4131

Plugin:: IGIT Related Posts With Thumb Image After Posts
Plugin Slug:: igit-related-posts-with-thumb-images-after-posts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-46518

Plugin:: Job Listings
Plugin Slug:: job-listings
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-3918

Plugin:: KiwiChat NextClient
Plugin Slug:: kiwichat
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3670

Plugin:: kStats Reloaded
Plugin Slug:: kstats-reloaded
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46440

Plugin:: LayoutBoxx
Plugin Slug:: layoutboxx
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-2802

Plugin:: Web3Press
Plugin Slug:: likecoin
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-46527

Plugin:: Custom Login and Registration
Plugin Slug:: ms-registration
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39363

Plugin:: Nautic Pages
Plugin Slug:: nautic-pages
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4100

Plugin:: occupancyplan
Plugin Slug:: occupancyplan
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46458

Plugin:: OTP-less one tap Sign in
Plugin Slug:: otpless
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-3746

Plugin:: Remote Images Grabber
Plugin Slug:: remote-images-grabber
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-43832

Plugin:: Separator Shortcode and Widget
Plugin Slug:: separator-shortcode-and-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32117

Plugin:: Reales WP STPT
Plugin Slug:: short-tax-post
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3609

Plugin:: Reales WP STPT
Plugin Slug:: short-tax-post
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-3610

Plugin:: Subpage List
Plugin Slug:: subpage-view
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4168

Plugin:: Syndicate Out
Plugin Slug:: syndicate-out
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-43836

Plugin:: Theme Blvd Sliders
Plugin Slug:: theme-blvd-sliders
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46456

Plugin:: Total Donations
Plugin Slug:: total-donations
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-43837

Plugin:: VerticalResponse Newsletter Widget
Plugin Slug:: vertical-response-newsletter-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4172

Plugin:: Visual Builder
Plugin Slug:: visual-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46488

Plugin:: Widgets as Shortcodes
Plugin Slug:: widgets-as-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32117

Plugin:: Meta Keywords & Description
Plugin Slug:: wp-meta-keywords-meta-description
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46454

Plugin:: Xavin’s Review Ratings
Plugin Slug:: xavins-review-ratings
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4170

Plugin:: Yame
Plugin Slug:: yame-linkinbio
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-2880

Plugin:: WP Statistics � The Most Popular Privacy-Friendly Analytics Plugin
Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 14.13.4
Severity Score:: Medium
CVE:: 2025-3953

Plugin:: Newsletter � Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.7.1
Severity Score:: Medium
CVE:: 2025-3583

Plugin:: SureForms � Drag and Drop Form Builder for WordPress
Plugin Slug:: sureforms
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2025-3513

Plugin:: SureForms � Drag and Drop Form Builder for WordPress
Plugin Slug:: sureforms
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2025-3471

Plugin:: Admin and Site Enhancements (ASE)
Plugin Slug:: admin-site-enhancements
Installations: 100,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 7.6.10
Severity Score:: Medium
CVE:: 2024-13688

Plugin:: Popup and Slider Builder by Depicter � Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel
Plugin Slug:: depicter
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.2
Severity Score:: Critical
CVE:: 2025-2011

Plugin:: OttoKit: All-in-One Automation Platform (Formerly SureTriggers)
Plugin Slug:: suretriggers
Installations: 100,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.83
Severity Score:: Critical
CVE:: 2025-27007

Plugin:: User Registration & Membership � Custom Registration Form, Login Form, and User Profile
Plugin Slug:: user-registration
Installations: 70,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2025-3281

Plugin:: WP Maps � Display Google Maps Perfectly with Ease
Plugin Slug:: wp-google-map-plugin
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7.2
Severity Score:: Medium
CVE:: 2025-3502

Plugin:: Calculated Fields Form
Plugin Slug:: calculated-fields-form
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.62
Severity Score:: Medium
CVE:: 2024-12273

Plugin:: Seraphinite Accelerator
Plugin Slug:: seraphinite-accelerator
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.27.22
Severity Score:: Medium

Plugin:: WordPress Tag, Category, and Taxonomy Manager � AI Autotagger
Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.30.0
Severity Score:: Medium
CVE:: 2025-0627

Plugin:: FULL � Cliente
Plugin Slug:: full-customer
Installations: 40,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.26
Severity Score:: High
CVE:: 2024-12023

Plugin:: SecuPress Free � WordPress Security
Plugin Slug:: secupress
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.10
Severity Score:: Medium
CVE:: 2025-3452

Plugin:: Gutenverse � Ultimate Block Addons and Page Builder for Site Editor
Plugin Slug:: gutenverse
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2025-2893

Plugin:: Page View Count
Plugin Slug:: page-views-count
Installations: 20,000+
Vulnerability:: Settings Change
Patched in Version:: 2.8.5
Severity Score:: High
CVE:: 2025-2816

Plugin:: WordPress Simple Shopping Cart
Plugin Slug:: wordpress-simple-paypal-shopping-cart
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.4
Severity Score:: Medium
CVE:: 2025-3890

Plugin:: WordPress Simple Shopping Cart
Plugin Slug:: wordpress-simple-paypal-shopping-cart
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.1.4
Severity Score:: Medium
CVE:: 2025-3874

Plugin:: MStore API � Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 4,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.17.5
Severity Score:: Medium
CVE:: 2025-3438

Plugin:: WP-Recall � Registration, Profile, Commerce & More
Plugin Slug:: wp-recall
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 16.26.12
Severity Score:: Medium
CVE:: 2024-9771

Plugin:: Product Category Slider for WooCommerce
Plugin Slug:: woo-category-slider-by-pluginever
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.3.5
Severity Score:: High
CVE:: 2025-39364

Plugin:: Ultimate Store Kit � Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder
Plugin Slug:: ultimate-store-kit
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.5.0
Severity Score:: Medium
CVE:: 2025-2168