WordPress Vulnerability Report � June 4, 2025

In this report, 97 vulnerabilities have been publicly disclosed. Security patches for 59 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 38 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.1 was released on April 30, 2025. This maintenance release includes fixes for 15 bugs�throughout Core�and�the Block Editor,�addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the�release candidate announcement.

WordPress Plugins � 52 Patched / 29 Unpatched

Plugin:: Uncanny Automator � Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Plugin Slug:: uncanny-automator
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48133

Plugin:: Real Time Validation for Gravity Forms
Plugin Slug:: real-time-validation-for-gravity-forms
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48330

Plugin:: Real Time Validation for Gravity Forms
Plugin Slug:: real-time-validation-for-gravity-forms
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48329

Plugin:: Real Time Validation for Gravity Forms
Plugin Slug:: real-time-validation-for-gravity-forms
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48328

Plugin:: MaxiBlocks: 2300+ Patterns, 280+ Pages, 14.3K Icons & 100 Styles
Plugin Slug:: maxi-blocks
Installations: 1,000+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47601

Plugin:: Featured Image Plus � Quick & Bulk Edit with Unsplash
Plugin Slug:: featured-image-plus
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4431

Plugin:: Spreadsheet Price Changer for WooCommerce and WP E-commerce � Light
Plugin Slug:: excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
Installations: 600+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48124

Plugin:: History Log by click5
Plugin Slug:: history-log-by-click5
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47598

Plugin:: Product Subtitle for WooCommerce
Plugin Slug:: product-subtitle-for-woocommerce
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5285

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 90+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47651

Plugin:: SUMO Affiliates Pro
Plugin Slug:: affs
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-32291

Plugin:: Apptha Slider Gallery
Plugin Slug:: apptha-slider-gallery
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31050

Plugin:: Blog Designer PRO for WordPress
Plugin Slug:: blog-designer-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47694

Plugin:: Browse As
Plugin Slug:: browse-as
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5190

Plugin:: WPCHURCH
Plugin Slug:: church-management
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31643

Plugin:: CSV Mass Importer
Plugin Slug:: csv-mass-importer
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4190

Plugin:: Daisycon prijsvergelijkers
Plugin Slug:: daisycon
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4590

Plugin:: FastSpring
Plugin Slug:: fastspring
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4595

Plugin:: Flynax Bridge
Plugin Slug:: flynax-bridge
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4179

Plugin:: Gearside Developer Dashboard
Plugin Slug:: gearside-developer-dashboard
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4429

Plugin:: Likes and Dislikes
Plugin Slug:: inprosysmedia-likes-dislikes-post
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-5287

Plugin:: Offsprout Page Builder
Plugin Slug:: offsprout-page-builder
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4672

Plugin:: QuickCab
Plugin Slug:: quickcab
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48337

Plugin:: WBW Product Table PRO
Plugin Slug:: woo-producttables-pro
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31059

Plugin:: Woo Slider Pro
Plugin Slug:: woo-slider-pro-drag-drop-slider-builder-for-woocommerce
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48334

Plugin:: Woo Slider Pro
Plugin Slug:: woo-slider-pro-drag-drop-slider-builder-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4597

Plugin:: WooCommerce Orders & Customers Exporter
Plugin Slug:: woocommerce-orders-customers-exporter
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48331

Plugin:: WP-GeoMeta
Plugin Slug:: wp-geometa
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-4103

Plugin:: WP Guppy
Plugin Slug:: wp-guppy
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31920

Plugin:: Smash Balloon Social Photo Feed � Easy Social Feeds Plugin
Plugin Slug:: instagram-feed
Installations: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.9.1
Severity Score:: Medium
CVE:: 2025-4583

Plugin:: WP-Optimize � Cache, Compress images, Minify & Clean database to boost page speed & performance
Plugin Slug:: wp-optimize
Installations: 1,000,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.2.0
Severity Score:: High
CVE:: 2025-3951

Plugin:: Broken Link Checker
Plugin Slug:: broken-link-checker
Installations: 600,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.4.5
Severity Score:: Medium
CVE:: 2025-4047

Plugin:: Ocean Extra
Plugin Slug:: ocean-extra
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.9
Severity Score:: Medium
CVE:: 2025-49068

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.1021
Severity Score:: Medium
CVE:: 2025-3813

Plugin:: Element Pack Addons for Elementor � Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.11.3
Severity Score:: Medium
CVE:: 2025-5292

Plugin:: Essential Blocks � AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug:: essential-blocks
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.1
Severity Score:: Medium
CVE:: 2025-4682

Plugin:: Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Plugin Slug:: real-cookie-banner
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.6
Severity Score:: Medium
CVE:: 2025-1485

Plugin:: The Plus Addons for Elementor � Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.8
Severity Score:: Medium
CVE:: 2025-49076

Plugin:: Ninja Tables � Easy Data Table Builder
Plugin Slug:: ninja-tables
Installations: 80,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.0.19
Severity Score:: Critical
CVE:: 2025-2939

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.9.2
Severity Score:: Medium
CVE:: 2025-4783

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.3.7
Severity Score:: Medium
CVE:: 2025-5286

Plugin:: Easy Digital Downloads � eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.9
Severity Score:: Medium
CVE:: 2025-4670

Plugin:: Form Maker by 10Web � Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.33
Severity Score:: Medium
CVE:: 2024-13053

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.9.18
Severity Score:: Medium
CVE:: 2024-9227

Plugin:: LA-Studio Element Kit for Elementor
Plugin Slug:: lastudio-element-kit
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-4944

Plugin:: LA-Studio Element Kit for Elementor
Plugin Slug:: lastudio-element-kit
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-4943

Plugin:: Responsive Plus � Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
Plugin Slug:: responsive-add-ons
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-48335

Plugin:: All-in-One Addons for Elementor � WidgetKit
Plugin Slug:: widgetkit-for-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.5
Severity Score:: Medium
CVE:: 2025-49074

Plugin:: Ultimate Gift Cards for WooCommerce
Plugin Slug:: woo-gift-cards-lite
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.5
Severity Score:: High
CVE:: 2025-5103

Plugin:: Borderless � Elementor Addons and Templates
Plugin Slug:: borderless
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.2
Severity Score:: Medium
CVE:: 2025-5290

Plugin:: Simple Page Access Restriction
Plugin Slug:: simple-page-access-restriction
Installations: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.32
Severity Score:: Medium
CVE:: 2025-5142

Plugin:: EU/UK VAT Validation Manager for WooCommerce
Plugin Slug:: eu-vat-for-woocommerce
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.3
Severity Score:: Medium
CVE:: 2025-47504

Plugin:: MStore API � Create Native Android & iOS Apps On The Cloud
Plugin Slug:: mstore-api
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.17.6
Severity Score:: Medium
CVE:: 2025-4683

Plugin:: Min Max Step Quantity Limits Manager for WooCommerce
Plugin Slug:: product-quantity-for-woocommerce
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.4
Severity Score:: Medium
CVE:: 2025-47504

Plugin:: Shared Files � Frontend File Upload Form & Secure File Sharing
Plugin Slug:: shared-files
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.49
Severity Score:: High
CVE:: 2025-4392

Plugin:: WP Attachments
Plugin Slug:: wp-attachments
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1
Severity Score:: High
CVE:: 2025-5082

Plugin:: WP Posts Carousel
Plugin Slug:: wp-posts-carousel
Installations: 4,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.3.13
Severity Score:: High
CVE:: 2025-39358

Plugin:: WordPress Comments Import & Export
Plugin Slug:: comments-import-export-woocommerce
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.4
Severity Score:: Medium
CVE:: 2025-3919

Plugin:: Newsletters
Plugin Slug:: newsletters-lite
Installations: 3,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.10
Severity Score:: High
CVE:: 2025-4857

Plugin:: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Plugin Slug:: cf7-salesforce
Installations: 2,000+
Vulnerability:: Full Path Disclosure (FPD)
Patched in Version:: 1.4.5
Severity Score:: Medium
CVE:: 2025-4659

Plugin:: Volunteer Sign Up Sheets
Plugin Slug:: pta-volunteer-sign-up-sheets
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.5
Severity Score:: Medium
CVE:: 2025-3704

Plugin:: Quick Contact Form
Plugin Slug:: quick-contact-form
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.2
Severity Score:: High
CVE:: 2025-48245

Plugin:: Dynamic Pricing and Discount Rules
Plugin Slug:: discount-and-dynamic-pricing
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-49077

Plugin:: Number of Products per Page � Pagination Manager for WooCommerce
Plugin Slug:: products-per-page-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.0
Severity Score:: Medium
CVE:: 2025-47504

Plugin:: Vayu Blocks � Gutenberg Blocks for WordPress & WooCommerce
Plugin Slug:: vayu-blocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: Medium
CVE:: 2025-4420

Plugin:: The Ultimate WordPress Toolkit � WP Extended
Plugin Slug:: wpextended
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.16
Severity Score:: Medium
CVE:: 2025-4963

Plugin:: WordPress Contact Forms by Cimatti
Plugin Slug:: contact-forms
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9.9
Severity Score:: Medium
CVE:: 2025-49069

Plugin:: Map Block Leaflet
Plugin Slug:: map-block-leaflet
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.2
Severity Score:: Medium
CVE:: 2025-5122

Plugin:: WP Plugin Info Card
Plugin Slug:: wp-plugin-info-card
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.0
Severity Score:: Medium
CVE:: 2025-5116

Plugin:: Verge3D Publishing and E-Commerce
Plugin Slug:: verge3d
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.4
Severity Score:: High
CVE:: 2025-48241

Plugin:: Wishlist
Plugin Slug:: wishlist
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.44
Severity Score:: Medium
CVE:: 2025-49075

Plugin:: WP Pipes
Plugin Slug:: wp-pipes
Installations: 500+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.4.3
Severity Score:: High
CVE:: 2025-48267

Plugin:: NinjaTeam Chat for Telegram
Plugin Slug:: ninjateam-telegram
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2
Severity Score:: Medium
CVE:: 2025-5236

Plugin:: Tournamatch
Plugin Slug:: tournamatch
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.2
Severity Score:: Medium
CVE:: 2025-4594

Plugin:: Free Booking Plugin for Hotels, Restaurants and Car Rentals � eaSYNC Booking
Plugin Slug:: easync-booking
Installations: 100+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.3.22
Severity Score:: Medium
CVE:: 2025-4691