WordPress Vulnerability Report � May 28, 2025

In this report, 180 vulnerabilities have been publicly disclosed. Security patches for 88 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 92 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.1 has been released! This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

Plus, WordCamp Europe 2025 lands in Basel, Switzerland, June 5-7! Connect with WordPress enthusiasts, developers, and pros for three days of learning, networking, and collaboration with the global community.

WordPress Plugins � 74 Patched / 60 Unpatched

Plugin:: Form Maker by 10Web � Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48341

Plugin:: WP Event Manager � Events Calendar, Registrations, Sell Tickets with WooCommerce
Plugin Slug:: wp-event-manager
Installations: 30,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48125

Plugin:: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
Plugin Slug:: miniorange-login-openid
Installations: 20,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47670

Plugin:: Essential Real Estate
Plugin Slug:: essential-real-estate
Installations: 9,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48126

Plugin:: Simplelightbox
Plugin Slug:: simplelightbox
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-5878

Plugin:: User Meta � User Profile Builder and User management plugin
Plugin Slug:: user-meta
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47611

Plugin:: StyleAI
Plugin Slug:: relentlosoftware
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48139

Plugin:: Spreadsheet Price Changer for WooCommerce and WP E-commerce � Light
Plugin Slug:: excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
Installations: 600+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-48123

Plugin:: Spreadsheet Price Changer for WooCommerce and WP E-commerce � Light
Plugin Slug:: excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
Installations: 600+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-48129

Plugin:: Dynamic Pricing & Discounts Lite for WooCommerce
Plugin Slug:: woo-dynamic-pricing-discounts-lite
Installations: 600+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48342

Plugin:: CryptoCloud � Crypto Payment Gateway
Plugin Slug:: cryptocloud-crypto-payment-gateway
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48147

Plugin:: MetalpriceAPI
Plugin Slug:: metalpriceapi
Installations: 400+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-48140

Plugin:: Embed and Integrate Etsy Shop
Plugin Slug:: embed-and-integrate-etsy-shop
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48346

Plugin:: miniOrange Discord Integration
Plugin Slug:: miniorange-discord-integration
Installations: 100+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47672

Plugin:: Splitit
Plugin Slug:: splitit-installment-payments
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4105

Plugin:: Binary MLM Plan
Plugin Slug:: binary-mlm-plan
Installations: 60+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47671

Plugin:: 4stats
Plugin Slug:: 4stats
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-3869

Plugin:: WhatsCart – Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce
Plugin Slug:: WhatsCart-for-WooCommerce
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31056

Plugin:: Animated Buttons
Plugin Slug:: animated-buttons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4221

Plugin:: Ads Pro Plugin
Plugin Slug:: ap-plugin-scripteo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46444

Plugin:: Blog Designer PRO for WordPress
Plugin Slug:: blog-designer-pro
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47696

Plugin:: WPCHURCH
Plugin Slug:: church-management
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31642

Plugin:: DPEPress
Plugin Slug:: dpepress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4219

Plugin:: DZS Video Gallery
Plugin Slug:: dzs-videogallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32300

Plugin:: DZS Video Gallery
Plugin Slug:: dzs-videogallery
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47553

Plugin:: DZS Video Gallery
Plugin Slug:: dzs-videogallery
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47552

Plugin:: ZoomSounds
Plugin Slug:: dzs-zoomsounds
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47568

Plugin:: Formulario de contacto SalesUp!
Plugin Slug:: formularios-de-contacto-salesup
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48143

Plugin:: Goodlayers Hostel
Plugin Slug:: gdlr-hostel
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39501

Plugin:: Goodlayers Hostel
Plugin Slug:: gdlr-hostel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39502

Plugin:: Goodlayers Hostel
Plugin Slug:: gdlr-hostel
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39500

Plugin:: Goodlayers Hotel
Plugin Slug:: gdlr-hotel
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39504

Plugin:: Goodlayers Hotel
Plugin Slug:: gdlr-hotel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39505

Plugin:: Goodlayers Hotel
Plugin Slug:: gdlr-hotel
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39503

Plugin:: Hospital Management System
Plugin Slug:: hospital-management
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47631

Plugin:: Hospital Management System
Plugin Slug:: hospital-management
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-47663

Plugin:: JobHunt Job Alerts
Plugin Slug:: jobhunt-notifications
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39536

Plugin:: JP Students Result Management System Premium
Plugin Slug:: jp-students-result-system-premium
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31916

Plugin:: KBx Pro Ultimate
Plugin Slug:: knowledgebase-helpdesk-pro
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31053

Plugin:: MapSVG
Plugin Slug:: mapsvg
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47558

Plugin:: MapSVG
Plugin Slug:: mapsvg
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-9544

Plugin:: Nasa Core
Plugin Slug:: nasa-core
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39506

Plugin:: Posts Extended
Plugin Slug:: network-posts-extended
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3750

Plugin:: Pixel WordPress Form BuilderPlugin & Autoresponder
Plugin Slug:: pixel-formbuilder
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31914

Plugin:: Raisely Donation Form
Plugin Slug:: raisely-donation-form
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-3781

Plugin:: Rootspersona
Plugin Slug:: rootspersona
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39368

Plugin:: Rootspersona
Plugin Slug:: rootspersona
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48344

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47575

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47613

Plugin:: Bus Ticket Booking with Seat Reservation for WooCommerce
Plugin Slug:: scw-bus-seat-reservation
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31397

Plugin:: Simple Business Directory Pro
Plugin Slug:: simple-business-directory-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31918

Plugin:: Smart Forms
Plugin Slug:: smart-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5055

Plugin:: eMagicOne Store Manager
Plugin Slug:: store-manager-connector
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4603

Plugin:: eMagicOne Store Manager
Plugin Slug:: store-manager-connector
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4602

Plugin:: eMagicOne Store Manager
Plugin Slug:: store-manager-connector
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-4336

Plugin:: User Profile Meta Manager
Plugin Slug:: user-profile-meta
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-48340

Plugin:: Affiliate Sales in Google Analytics and other tools
Plugin Slug:: wecantrack
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-12561

Plugin:: WP Post Modules for Elementor
Plugin Slug:: wp-post-modules-el
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31636

Plugin:: WP YouTube Video Optimizer
Plugin Slug:: wp-youtube-video-optimizer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4217

Plugin:: Glossary by WPPedia
Plugin Slug:: wppedia
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4803

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 8,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.3.4
Severity Score:: High
CVE:: 2025-5062

Plugin:: All in One SEO � Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Plugin Slug:: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.2
Severity Score:: Medium
CVE:: 2025-2892

Plugin:: Ninja Forms � The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.1
Severity Score:: Medium
CVE:: 2025-2524

Plugin:: TablePress � Tables in WordPress made easy
Plugin Slug:: tablepress
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.3
Severity Score:: Medium
CVE:: 2025-5096

Plugin:: The Events Calendar
Plugin Slug:: the-events-calendar
Installations: 700,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.12.0
Severity Score:: Medium
CVE:: 2025-48246

Plugin:: Photo Gallery, Sliders, Proofing and Themes � NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.59.5
Severity Score:: Medium
CVE:: 2024-5878

Plugin:: Page Builder: Pagelayer � Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-4223

Plugin:: Page Builder: Pagelayer � Drag and Drop website builder
Plugin Slug:: pagelayer
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2024-13427

Plugin:: PrettyLinks � Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin
Plugin Slug:: pretty-link
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.16
Severity Score:: Medium
CVE:: 2025-48247

Plugin:: Essential Blocks � AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug:: essential-blocks
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.1
Severity Score:: Medium
CVE:: 2025-4682

Plugin:: Solid Mail � SMTP email and logging made by SolidWP
Plugin Slug:: wp-smtp
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.6
Severity Score:: High
CVE:: 2025-1123

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.9.2
Severity Score:: Medium
CVE:: 2025-4783

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.9.1
Severity Score:: Medium
CVE:: 2025-48244

Plugin:: Qi Blocks
Plugin Slug:: qi-blocks
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2025-1625

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.4.0
Severity Score:: Medium
CVE:: 2025-4133

Plugin:: Slim SEO � Fast & Automated WordPress SEO Plugin
Plugin Slug:: slim-seo
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.4
Severity Score:: Medium
CVE:: 2025-4611

Plugin:: Ultimate Blocks � WordPress Blocks Plugin
Plugin Slug:: ultimate-blocks
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2025-48234

Plugin:: Visual Composer Website Builder
Plugin Slug:: visualcomposer
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 45.12.0
Severity Score:: Medium
CVE:: 2025-48276

Plugin:: Cost Calculator Builder
Plugin Slug:: cost-calculator-builder
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.0
Severity Score:: Medium
CVE:: 2025-48277

Plugin:: bunny.net � WordPress CDN Plugin
Plugin Slug:: bunnycdn
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.1
Severity Score:: High
CVE:: 2025-48236

Plugin:: Cost of Goods: Product Cost & Profit Calculator for WooCommerce
Plugin Slug:: cost-of-goods-for-woocommerce
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.1
Severity Score:: Medium
CVE:: 2025-48240

Plugin:: EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory
Plugin Slug:: ean-for-woocommerce
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.7
Severity Score:: Medium
CVE:: 2025-48249

Plugin:: Legal Pages � Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Plugin Slug:: legal-pages
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.6
Severity Score:: Medium
CVE:: 2025-48242

Plugin:: Japanized for WooCommerce
Plugin Slug:: woocommerce-for-japan
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.41
Severity Score:: Medium
CVE:: 2025-48284

Plugin:: AutomatorWP � Automator plugin for no-code automations, webhooks & custom integrations in WordPress
Plugin Slug:: automatorwp
Installations: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.2.2
Severity Score:: High
CVE:: 2025-48280

Plugin:: WP Job Portal � A Complete Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 7,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.3.3
Severity Score:: High
CVE:: 2025-48273

Plugin:: WP Job Portal � A Complete Recruitment System for Company or Job Board website
Plugin Slug:: wp-job-portal
Installations: 7,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.3.3
Severity Score:: Medium
CVE:: 2025-48272

Plugin:: Back Button Widget
Plugin Slug:: back-button-widget
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.0
Severity Score:: Medium
CVE:: 2025-48252

Plugin:: Leadinfo
Plugin Slug:: leadinfo
Installations: 6,000+
Vulnerability:: Settings Change
Patched in Version:: 2.1
Severity Score:: Medium
CVE:: 2025-48271

Plugin:: ElementInvader Addons for Elementor
Plugin Slug:: elementinvader-addons-for-elementor
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.6
Severity Score:: Medium
CVE:: 2025-48288

Plugin:: WPAdverts � Classifieds Plugin
Plugin Slug:: wpadverts
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.4
Severity Score:: Medium
CVE:: 2025-48269

Plugin:: MultiVendorX � WooCommerce Multivendor Marketplace Solutions
Plugin Slug:: dc-woocommerce-multi-vendor
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.23
Severity Score:: Medium
CVE:: 2025-48263

Plugin:: Import Social Events
Plugin Slug:: import-facebook-events
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.6
Severity Score:: Medium
CVE:: 2025-48256

Plugin:: MStore API � Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.17.6
Severity Score:: Medium
CVE:: 2025-4683

Plugin:: Free Shipping Bar: Amount Left for Free Shipping for WooCommerce
Plugin Slug:: amount-left-free-shipping-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.7
Severity Score:: Medium
CVE:: 2025-48253

Plugin:: Hot Random Image
Plugin Slug:: hot-random-image
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2025-4405

Plugin:: Hot Random Image
Plugin Slug:: hot-random-image
Installations: 3,000+
Vulnerability:: Path Traversal
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2025-4419

Plugin:: Majestic Support � The Leading-Edge Help Desk & Customer Support Plugin
Plugin Slug:: majestic-support
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.1.1
Severity Score:: Critical
CVE:: 2025-48283

Plugin:: Majestic Support � The Leading-Edge Help Desk & Customer Support Plugin
Plugin Slug:: majestic-support
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-48282

Plugin:: Wishlist for WooCommerce: Multi Wishlists Per Customer
Plugin Slug:: wish-list-for-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.3
Severity Score:: Medium
CVE:: 2025-48237

Plugin:: Additional Custom Emails & Recipients for WooCommerce
Plugin Slug:: custom-emails-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.2
Severity Score:: Medium
CVE:: 2025-48251

Plugin:: Active Products Tables for WooCommerce. Use constructor to create tables�
Plugin Slug:: profit-products-tables-for-woocommerce
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.6.9
Severity Score:: Medium
CVE:: 2025-48266

Plugin:: SKT Blocks � Gutenberg based Page Builder
Plugin Slug:: skt-blocks
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3
Severity Score:: Medium
CVE:: 2025-48270

Plugin:: Coupons & Add to Cart by URL Links for WooCommerce
Plugin Slug:: url-coupons-for-woocommerce-by-algoritmika
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.8
Severity Score:: Medium
CVE:: 2025-48250

Plugin:: Change Add to Cart Button Text for WooCommerce
Plugin Slug:: add-to-cart-button-labels-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.3
Severity Score:: Medium
CVE:: 2025-48254

Plugin:: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Plugin Slug:: booking-and-rental-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.9
Severity Score:: Medium
CVE:: 2025-47585

Plugin:: Falang multilanguage for WordPress
Plugin Slug:: falang
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.62
Severity Score:: Medium
CVE:: 2025-48285

Plugin:: WordPress Mega Menu Block
Plugin Slug:: getwid-megamenu
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.7
Severity Score:: Medium
CVE:: 2025-48258

Plugin:: GDPR CCPA Compliance & Cookie Consent Banner
Plugin Slug:: ninja-gdpr-compliance
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.4
Severity Score:: Medium
CVE:: 2025-48260

Plugin:: Product Code for WooCommerce
Plugin Slug:: product-code-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2025-48264

Plugin:: Product Notes Tab & Private Admin Notes for WooCommerce
Plugin Slug:: product-notes-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium
CVE:: 2025-48239

Plugin:: WP Smart Import : Import any XML File to WordPress
Plugin Slug:: wp-smart-import
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.4
Severity Score:: High
CVE:: 2025-47453

Plugin:: Year Make Model Search for WooCommerce
Plugin Slug:: ymm-search
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.12
Severity Score:: Medium
CVE:: 2025-48265

Plugin:: ReDi Restaurant Reservation � Instant Availability & Confirmation
Plugin Slug:: redi-restaurant-reservation
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 25.0513
Severity Score:: High
CVE:: 2025-48286

Plugin:: Cloudflare Turnstile or reCAPTCHA For any Pages, to Block Spam and Hackers Attack.
Plugin Slug:: recaptcha-for-all
Installations: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.27
Severity Score:: Medium
CVE:: 2025-48243

Plugin:: Broadcast Live Video � Live Streaming : WebRTC, HLS, RTSP, RTMP
Plugin Slug:: videowhisper-live-streaming-integration
Installations: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.2.5
Severity Score:: Medium
CVE:: 2025-48255

Plugin:: Sitewide Discount for WooCommerce: Apply Discount to All Products
Plugin Slug:: global-shop-discount-for-woocommerce
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-48248

Plugin:: Xpro Addons For Beaver Builder � Lite
Plugin Slug:: xpro-addons-beaver-builder-elementor
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.6
Severity Score:: Medium
CVE:: 2025-48232

Plugin:: Affiliates Manager Google reCAPTCHA Integration
Plugin Slug:: affiliates-manager-google-recaptcha-integration
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.7
Severity Score:: High
CVE:: 2025-48233

Plugin:: Visual Header
Plugin Slug:: visual-header
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5
Severity Score:: Medium
CVE:: 2025-48275

Plugin:: WP Mapa Politico Espa�a
Plugin Slug:: wp-mapa-politico-spain
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.8.1
Severity Score:: Medium
CVE:: 2025-48259

Plugin:: Url Rewrite Analyzer
Plugin Slug:: url-rewrite-analyzer
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.4
Severity Score:: Medium
CVE:: 2025-48262

Plugin:: Bot for Telegram on WooCommerce
Plugin Slug:: bot-for-telegram-on-woocommerce
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.7
Severity Score:: Medium
CVE:: 2025-48268

Plugin:: Projectopia � WordPress Project Management
Plugin Slug:: projectopia-core
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.18
Severity Score:: Medium
CVE:: 2025-48257

Plugin:: RSVPMaker
Plugin Slug:: rsvpmaker
Installations: 300+
Vulnerability:: SQL Injection
Patched in Version:: 11.5.7
Severity Score:: High
CVE:: 2025-48278

Plugin:: AWcode Toolkit
Plugin Slug:: awcode-toolkit
Installations: 200+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.19
Severity Score:: High
CVE:: 2025-48238

Plugin:: WP Image Mask
Plugin Slug:: wp-post-459213 wp-image-mask
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.3
Severity Score:: Medium
CVE:: 2025-48235

Plugin:: Infocob CRM Forms
Plugin Slug:: infocob-crm-forms
Installations: 100+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2025-47513

Plugin:: Pix 4x sem juros � Pagaleve
Plugin Slug:: wc-pagaleve
Installations: 100+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.6.10
Severity Score:: Critical
CVE:: 2025-48287

Plugin:: Property � Real Estate Directory Listing
Plugin Slug:: property
Installations: 30+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.7
Severity Score:: High
CVE:: 2025-5117

Plugin:: Advanced Database Cleaner PRO
Plugin Slug:: advanced-database-cleaner-pro
Vulnerability:: Path Traversal
Patched in Version:: 3.2.11
Severity Score:: Medium
CVE:: 2025-46256

Plugin:: Digits
Plugin Slug:: digits
Vulnerability:: Privilege Escalation
Patched in Version:: 8.4.6.1
Severity Score:: Critical
CVE:: 2025-4094

Plugin:: Order Delivery Date for WP e-Commerce
Plugin Slug:: order-delivery-date
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.4.0
Severity Score:: High
CVE:: 2025-2929

Plugin:: Tourmaster
Plugin Slug:: tourmaster
Vulnerability:: Local File Inclusion
Patched in Version:: 5.3.9
Severity Score:: High
CVE:: 2025-48292

WordPress Themes � 14 Patched / 32 Unpatched

Theme:: Acerola
Theme Slug:: acerola
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31927

Theme:: Avantage
Theme Slug:: avantage
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39495

Theme:: Backpack Traveler
Theme Slug:: backpacktraveler
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-39490

Theme:: Bloggie
Theme Slug:: bloggie
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31054

Theme:: Butcher
Theme Slug:: butcher
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32285

Theme:: Butcher
Theme Slug:: butcher
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32286

Theme:: Capie
Theme Slug:: capie
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31060

Theme:: Car Dealer
Theme Slug:: cardealer
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39480

Theme:: CouponXL
Theme Slug:: couponxl
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39489

Theme:: Crafts & Arts
Theme Slug:: crafts-and-arts
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31924

Theme:: Dash
Theme Slug:: dash
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31049

Theme:: Entrada
Theme Slug:: entrada
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39484

Theme:: Enzio – Responsive Business WordPress Theme
Theme Slug:: enzio
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31912

Theme:: Finance Consultant
Theme Slug:: finance
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32293

Theme:: Fish House
Theme Slug:: fish-house
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31631

Theme:: Grand Tour | Travel Agency WordPress
Theme Slug:: grandtour
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39485

Theme:: Healsoul
Theme Slug:: healsoul
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32309

Theme:: HotStar � Multi-Purpose Business Theme
Theme Slug:: hotstar
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31069

Theme:: Insurance
Theme Slug:: insurance
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31634

Theme:: Jarvis � Night Club, Concert, Festival WordPress
Theme Slug:: jarvis
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-32292

Theme:: Kiamo – Responsive Business Service WordPress Theme
Theme Slug:: kiamo
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31633

Theme:: La Boom
Theme Slug:: laboom
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31632

Theme:: Medicare
Theme Slug:: medicare
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-39499

Theme:: The Business
Theme Slug:: nrgbusiness
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31430

Theme:: Ogami
Theme Slug:: ogami
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31913

Theme:: Oxpitan
Theme Slug:: oxpitan
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32294

Theme:: Pet World
Theme Slug:: petsworld
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32284

Theme:: Photography
Theme Slug:: photography
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High

Theme:: Umberto
Theme Slug:: umberto
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31423

Theme:: Vizeon – Business Consulting
Theme Slug:: vizeon
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31064

Theme:: Winnex
Theme Slug:: winnex
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32302

Theme:: Yozi
Theme Slug:: yozi
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32289

Theme:: Ashley
Theme Slug:: ashley
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8.0
Severity Score:: High
CVE:: 2025-48290

Theme:: Builty
Theme Slug:: builty
Vulnerability:: Local File Inclusion
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2025-48290

Theme:: ITSulu
Theme Slug:: itsulu
Vulnerability:: Local File Inclusion
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2025-48290

Theme:: Kaffen
Theme Slug:: kaffen
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.6
Severity Score:: High
CVE:: 2025-48290

Theme:: Kids Planet
Theme Slug:: kidsplanet
Vulnerability:: PHP Object Injection
Patched in Version:: 2.2.14.1
Severity Score:: Critical
CVE:: 2025-48289

Theme:: Kinsley
Theme Slug:: kinsley
Vulnerability:: Local File Inclusion
Patched in Version:: 3.4.5
Severity Score:: High
CVE:: 2025-48290

Theme:: Larson
Theme Slug:: larson
Vulnerability:: Local File Inclusion
Patched in Version:: 1.6.0
Severity Score:: High
CVE:: 2025-48290

Theme:: Luique
Theme Slug:: luique
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-48290

Theme:: Madara
Theme Slug:: madara
Vulnerability:: Local File Inclusion
Patched in Version:: 2.2.2.1
Severity Score:: High
CVE:: 2025-4524

Theme:: Motors
Theme Slug:: motors
Vulnerability:: Privilege Escalation
Patched in Version:: 5.6.68
Severity Score:: Critical
CVE:: 2025-4322

Theme:: Ober
Theme Slug:: ober
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.4
Severity Score:: High
CVE:: 2025-48290

Theme:: Ruizarch
Theme Slug:: ruizarch
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.0
Severity Score:: High
CVE:: 2025-48290

Theme:: Samantha
Theme Slug:: samantha
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.0
Severity Score:: High
CVE:: 2025-48290

Theme:: Wilm�r
Theme Slug:: wilmer
Vulnerability:: Local File Inclusion
Patched in Version:: 3.4.2
Severity Score:: High
CVE:: 2025-39494