WordPress Vulnerability Report � December 3, 2025

In this report, 106 vulnerabilities have been publicly disclosed. Security patches for 65 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 41 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.9 “Gene” was released on December 2, 2025. This release brings major upgrades to how teams collaborate and create. The new Notes feature adds block-level commenting for posts and pages, streamlining editorial reviews, while an expanded Command Palette helps power users navigate and operate across the dashboard even faster. The introduction of the Abilities API delivers a standardized, machine-readable permissions system that lays the groundwork for next-generation AI-powered and automated workflows. WordPress 6.9 also includes notable performance improvements for faster page loads, several new practical blocks, and more visual drag-and-drop tools to help creators build richer, more dynamic content.

Following a major release, you should not update live sites without first taking backups and testing the update in a non-production environment.

WordPress Plugins � 63 Patched / 39 Unpatched

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10938

Plugin:: UiPress lite | Effortless custom dashboards, admin themes and pages
Plugin Slug:: uipress-lite
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11003

Plugin:: Arconix Shortcodes
Plugin Slug:: arconix-shortcodes
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13835

Plugin:: Feeds for TikTok � Display Video Feeds in Grid Layouts
Plugin Slug:: b-tiktok-feed
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-66110

Plugin:: Wishlist for WooCommerce
Plugin Slug:: th-wishlist
Installations: 500+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12040

Plugin:: Job Board by BestWebSoft
Plugin Slug:: job-board
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13383

Plugin:: Ace Post Type Builder
Plugin Slug:: ace-post-type-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13405

Plugin:: OrderConvo
Plugin Slug:: admin-and-client-message-after-order-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13389

Plugin:: OrderConvo
Plugin Slug:: admin-and-client-message-after-order-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13452

Plugin:: Attention Bar
Plugin Slug:: attention-bar
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12502

Plugin:: Autochat Automatic Conversation
Plugin Slug:: auyautochat-for-wp
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12043

Plugin:: Bookme � Free Online Appointment Booking and Scheduling Plugin
Plugin Slug:: bookme-free-appointment-booking-system
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13385

Plugin:: Chamber Dashboard Business Directory
Plugin Slug:: chamber-dashboard-business-directory
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13414

Plugin:: YouTube Subscribe
Plugin Slug:: easy-youtube-subscribe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12025

Plugin:: EduKart Pro
Plugin Slug:: edukart-pro
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13559

Plugin:: Flo Forms
Plugin Slug:: flo-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13159

Plugin:: Google Drive upload and download link
Plugin Slug:: google-drive-upload-and-download-link
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12666

Plugin:: Inline frame � Iframe
Plugin Slug:: inline-frame-iframe
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12645

Plugin:: Just Highlight
Plugin Slug:: just-highlight
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13311

Plugin:: AI Engine for WordPress: ChatGPT, GPT Content Generator
Plugin Slug:: liquid-chatgpt
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13380

Plugin:: Locker Content
Plugin Slug:: locker-content
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12525

Plugin:: Conditionnal Maintenance Mode for WordPress
Plugin Slug:: maintenance-mode-based-on-user-roles
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12586

Plugin:: Mstore Mobile App
Plugin Slug:: mstoreapp-mobile-app
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11127

Plugin:: Frontend File Manager
Plugin Slug:: nmedia-user-file-uploader
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13382

Plugin:: Peer Publish
Plugin Slug:: peer-publish
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12587

Plugin:: ProjectList
Plugin Slug:: projectlist
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13370

Plugin:: ProjectList
Plugin Slug:: projectlist
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-13376

Plugin:: Realty Portal
Plugin Slug:: realty-portal
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11985

Plugin:: Refund Request for WooCommerce
Plugin Slug:: refund-request-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12634

Plugin:: Reuters Direct
Plugin Slug:: reuters-direct
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12579

Plugin:: Reuters Direct
Plugin Slug:: reuters-direct
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12578

Plugin:: Shouty
Plugin Slug:: shouty
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12712

Plugin:: Social Images Widget
Plugin Slug:: social-images-widget
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-13386

Plugin:: SortTable Post
Plugin Slug:: sorttable-post
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12649

Plugin:: Soundslides
Plugin Slug:: soundslides
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12713

Plugin:: Mstore Mobile App
Plugin Slug:: woo-mstoreapp-mobile-app
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11127

Plugin:: WP AUDIO GALLERY
Plugin Slug:: wp-audio-gallery
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-13322

Plugin:: wp-twitpic
Plugin Slug:: wp-twitpic
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12670

Plugin:: Zweb Social Mobile
Plugin Slug:: zweb-social-mobile
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12032

Plugin:: All in One SEO � Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Plugin Slug:: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.8.7
Severity Score:: Medium
CVE:: 2025-64295

Plugin:: WP Fastest Cache
Plugin Slug:: wp-fastest-cache
Installations: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.1
Severity Score:: Medium
CVE:: 2025-10476

Plugin:: Unlimited Elements For Elementor
Plugin Slug:: unlimited-elements-for-elementor
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-13692

Plugin:: Nextend Social Login and Register
Plugin Slug:: nextend-facebook-connect
Installations: 200,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.22
Severity Score:: Medium
CVE:: 2025-13737

Plugin:: Beaver Builder Page Builder � Drag and Drop Website Builder
Plugin Slug:: beaver-builder-lite-version
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.4.1
Severity Score:: Medium
CVE:: 2025-11726

Plugin:: Folders � Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Plugin Slug:: folders
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.6
Severity Score:: Medium
CVE:: 2025-12971

Plugin:: JetFormBuilder � Dynamic Blocks Form Builder
Plugin Slug:: jetformbuilder
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.4
Severity Score:: Medium
CVE:: 2025-64384

Plugin:: Blog2Social: Social Media Auto Post & Scheduler
Plugin Slug:: blog2social
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.7.1
Severity Score:: Medium
CVE:: 2025-13558

Plugin:: Bold Page Builder
Plugin Slug:: bold-page-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.5.3
Severity Score:: Medium
CVE:: 2025-66057

Plugin:: Search Exclude
Plugin Slug:: search-exclude
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.8
Severity Score:: Medium
CVE:: 2025-10646

Plugin:: OneClick Chat to Order
Plugin Slug:: oneclick-whatsapp-order
Installations: 40,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.0.9
Severity Score:: High
CVE:: 2025-13526

Plugin:: Gutenverse � Ultimate WordPress FSE Blocks Addons & Ecosystem
Plugin Slug:: gutenverse
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.3.0
Severity Score:: Medium
CVE:: 2025-66065

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations: 30,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 11.15.3
Severity Score:: Critical
CVE:: 2025-13536

Plugin:: UsersWP � Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Plugin Slug:: userswp
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.48
Severity Score:: Medium
CVE:: 2025-66072

Plugin:: Visualizer: Tables and Charts Manager for WordPress
Plugin Slug:: visualizer
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.11.13
Severity Score:: High
CVE:: 2025-12483

Plugin:: WP Webhooks � Automate repetitive tasks by creating powerful automation workflows directly within WordPress
Plugin Slug:: wp-webhooks
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.3.9
Severity Score:: High
CVE:: 2025-66073

Plugin:: BlockArt Blocks � Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
Plugin Slug:: blockart-blocks
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.14
Severity Score:: Medium
CVE:: 2025-13697

Plugin:: eRoom � Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams
Plugin Slug:: eroom-zoom-meetings-webinar
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.5.7
Severity Score:: Medium
CVE:: 2025-49919

Plugin:: Gutenverse Form � Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
Plugin Slug:: gutenverse-form
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2025-66079

Plugin:: QODE Wishlist for WooCommerce
Plugin Slug:: qode-wishlist-for-woocommerce
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2025-13157

Plugin:: Export All Posts, Products, Orders, Refunds & Users
Plugin Slug:: wp-ultimate-exporter
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.20
Severity Score:: Medium
CVE:: 2025-13606

Plugin:: Analytics Germanized for Google Analytics (GDPR / DSGVO)
Plugin Slug:: ga-germanized
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.3
Severity Score:: Medium
CVE:: 2025-64292

Plugin:: Event Booking Manager for WooCommerce
Plugin Slug:: mage-eventpress
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.5
Severity Score:: Medium
CVE:: 2025-66082

Plugin:: FluentCommunity � Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses
Plugin Slug:: fluent-community
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2025-66084

Plugin:: Poll, Survey & Quiz Maker Plugin by Opinion Stage
Plugin Slug:: social-polls-by-opinionstage
Installations: 7,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 19.12.1
Severity Score:: Medium
CVE:: 2025-13143

Plugin:: Customer Reviews Collector for WooCommerce
Plugin Slug:: customer-reviews-collector-for-woocommerce
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7
Severity Score:: High
CVE:: 2025-12123

Plugin:: VikRentCar Car Rental Management System
Plugin Slug:: vikrentcar
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.5
Severity Score:: High
CVE:: 2025-13724

Plugin:: Property Hive
Plugin Slug:: propertyhive
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2025-66087

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.4.7
Severity Score:: High
CVE:: 2025-13090

Plugin:: WP Directory Kit
Plugin Slug:: wpdirectorykit
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.6
Severity Score:: High
CVE:: 2025-13525

Plugin:: Photo Gallery by Ays � Responsive Image Gallery
Plugin Slug:: gallery-photo-gallery
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.4.9
Severity Score:: Medium
CVE:: 2025-13685

Plugin:: KiviCare � Clinic & Patient Management System (EHR)
Plugin Slug:: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.14
Severity Score:: High
CVE:: 2025-66095

Plugin:: Vitepos � Point of Sale (POS) for WooCommerce
Plugin Slug:: vitepos-lite
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.1
Severity Score:: Critical
CVE:: 2025-13156

Plugin:: Quick View for WooCommerce
Plugin Slug:: woo-quickview
Installations: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.2.18
Severity Score:: Medium
CVE:: 2025-12584

Plugin:: CP Contact Form with PayPal
Plugin Slug:: cp-contact-form-with-paypal
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.57
Severity Score:: High
CVE:: 2025-13384

Plugin:: Featured Post Creative
Plugin Slug:: featured-post-creative
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.6
Severity Score:: Medium
CVE:: 2025-66106

Plugin:: Subscriptions & Memberships for PayPal
Plugin Slug:: subscriptions-memberships-for-paypal
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2025-66107

Plugin:: Tainacan
Plugin Slug:: tainacan
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.1
Severity Score:: High
CVE:: 2025-12746

Plugin:: TNC Toolbox: Web Performance
Plugin Slug:: tnc-toolbox
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.5
Severity Score:: Medium
CVE:: 2025-66108

Plugin:: Cart Weight for WooCommerce
Plugin Slug:: woo-cart-weight
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.12
Severity Score:: Medium
CVE:: 2025-66109

Plugin:: Telegram Bot & Channel
Plugin Slug:: telegram-bot
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1.1
Severity Score:: High
CVE:: 2025-13068

Plugin:: AI ChatBot with ChatGPT and Content Generator by AYS
Plugin Slug:: ays-chatgpt-assistant
Installations: 500+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.7.1
Severity Score:: High
CVE:: 2025-13378

Plugin:: AI ChatBot with ChatGPT and Content Generator by AYS
Plugin Slug:: ays-chatgpt-assistant
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.1
Severity Score:: Medium
CVE:: 2025-13381

Plugin:: Show Variations as Single Products Woocommerce
Plugin Slug:: woo-show-single-variations-shop-category
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2025-66114

Plugin:: ELEX WordPress HelpDesk & Customer Ticketing System
Plugin Slug:: elex-helpdesk-customer-support-ticket-system
Installations: 300+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.3.2
Severity Score:: Critical
CVE:: 2025-11456

Plugin:: Simple User Registration
Plugin Slug:: wp-registration
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.7
Severity Score:: High
CVE:: 2025-12160

Plugin:: Guest posting / Frontend Posting / Front Editor � WP Front User Submit
Plugin Slug:: front-editor
Installations: 200+
Vulnerability:: Open Redirection
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2025-12569

Plugin:: Hide Category by User Role for WooCommerce
Plugin Slug:: hide-category-by-user-role-for-woocommerce
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.2
Severity Score:: Medium
CVE:: 2025-13441

Plugin:: Zigaform � Price Calculator & Cost Estimation Form Builder Lite
Plugin Slug:: zigaform-calculator-cost-estimation-form-builder-lite
Installations: 200+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.6.7
Severity Score:: Medium
CVE:: 2025-13696

Plugin:: EchBay Admin Security
Plugin Slug:: echbay-admin-security
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-11885

Plugin:: StaffList
Plugin Slug:: stafflist
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.7
Severity Score:: Medium
CVE:: 2025-12185

Plugin:: CIBELES AI
Plugin Slug:: cibeles-ai
Installations: 80+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.10.9
Severity Score:: Critical
CVE:: 2025-13595

Plugin:: S2B AI Assistant � ChatBot, ChatGPT, OpenAI, Content & Image Generator
Plugin Slug:: s2b-ai-assistant
Installations: 70+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.7.9
Severity Score:: Critical
CVE:: 2025-12973