WordPress Vulnerability Report � July 16, 2025

In this report, 109 vulnerabilities have been publicly disclosed. Security patches for 65 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 44 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.2 is now available! This maintenance release includes fixes for�20 Core tickets�and�15 Block Editor issues. For a full list of bug fixes, please refer to the�release candidate announcement.

WordPress Plugins � 56 Patched / 33 Unpatched

Plugin:: URL Shortener Plugin For WordPress
Plugin Slug:: exact-links
Installations: 600+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28959

Plugin:: URL Shortener Plugin For WordPress
Plugin Slug:: exact-links
Installations: 600+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28961

Plugin:: WP Pipes
Plugin Slug:: wp-pipes
Installations: 500+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-28982

Plugin:: Contact Form 7 Editor Button
Plugin Slug:: cf7-editor-button
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48345

Plugin:: Tennis Court Bookings
Plugin Slug:: tennis-court-bookings
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52787

Plugin:: Dot html,php,xml etc pages
Plugin Slug:: dot-htmlphpxml-etc-pages
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52779

Plugin:: SMu Manual DoFollow
Plugin Slug:: manuall-dofollow
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49031

Plugin:: Media Folder
Plugin Slug:: media-folder
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52786

Plugin:: Pay with Contact Form 7
Plugin Slug:: pay-with-contact-form-7
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52777

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47652

Plugin:: Ultimate Push Notifications ( Mobile / Desktop ), Receive Notification From WooCommerce, BuddyPress, WordPress Default Events & Many More
Plugin Slug:: ultimate-push-notifications
Installations: 80+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50028

Plugin:: Torod � The smart shipping and delivery portal for e-shops and retailers
Plugin Slug:: torod
Installations: 70+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30936

Plugin:: WordPress-WPJobBoard
Plugin Slug:: click-pledge-wpjobboard
Installations: 50+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49455

Plugin:: WP-BusinessDirectory � Business directory plugin for WordPress
Plugin Slug:: wp-businessdirectory
Installations: 50+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-24759

Plugin:: CoSchool LMS � A complete Learning Management System to Create and Sell Your Courses Online
Plugin Slug:: coschool
Installations: 40+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-30973

Plugin:: Pakke Env�os
Plugin Slug:: pakke
Installations: 40+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52819

Plugin:: Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer)
Plugin Slug:: azon-addon-js-composer
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30628

Plugin:: GoZen Forms
Plugin Slug:: gozen-forms
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-6782

Plugin:: WPGYM
Plugin Slug:: gym-management
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-32574

Plugin:: WP Human Resource Management
Plugin Slug:: hrm
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5953

Plugin:: LoginWP – Pro
Plugin Slug:: loginwp-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39561

Plugin:: Medical Prescription Attachment Plugin for WooCommerce
Plugin Slug:: medical-prescription-attachment-plugin-for-woocommerce
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-29009

Plugin:: Premium SEO Pack
Plugin Slug:: premium-seo-pack
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31044

Plugin:: Profiler – What Slowing Down Your WP
Plugin Slug:: profiler-what-slowing-down
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48339

Plugin:: The E-Commerce ERP
Plugin Slug:: profitori
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52836

Plugin:: Multi-language Responsive Contact Form
Plugin Slug:: responsive-contact-form
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-29000

Plugin:: Short URL
Plugin Slug:: shorten-url
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-2921

Plugin:: Simple Featured Image
Plugin Slug:: simple-featured-image
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7059

Plugin:: smart SEO
Plugin Slug:: smartSEO
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28953

Plugin:: Super Store Finder
Plugin Slug:: superstorefinder-wp
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47571

Plugin:: Responsive Coming Soon Landing Page / Holding Page for WordPress
Plugin Slug:: wordpress-flat-countdown
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-29004

Plugin:: WordPress Auto Spinner
Plugin Slug:: wp-auto-spinner
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-46500

Plugin:: WP Firebase Push Notification
Plugin Slug:: wp-push-notification-firebase
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5924

Plugin:: Essential Addons for Elementor � Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.20
Severity Score:: Medium
CVE:: 2025-6244

Plugin:: Contact Form 7 Database Addon � CFDB7
Plugin Slug:: contact-form-cfdb7
Installations: 600,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.2
Severity Score:: High
CVE:: 2025-6740

Plugin:: Gutenberg Blocks with AI by Kadence WP � Page Builder Features
Plugin Slug:: kadence-blocks
Installations: 500,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.11
Severity Score:: Medium
CVE:: 2025-5678

Plugin:: Newsletter � Send awesome emails from WordPress
Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.8.5
Severity Score:: Medium
CVE:: 2025-3582

Plugin:: SureForms � Drag and Drop Form Builder for WordPress
Plugin Slug:: sureforms
Installations: 200,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.7.4
Severity Score:: High
CVE:: 2025-6742

Plugin:: AI Engine
Plugin Slug:: ai-engine
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.5
Severity Score:: Medium
CVE:: 2025-5570

Plugin:: FooGallery � Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Plugin Slug:: foogallery
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.32
Severity Score:: Medium
CVE:: 2025-6068

Plugin:: Strong Testimonials
Plugin Slug:: strong-testimonials
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.12
Severity Score:: Medium
CVE:: 2025-7367

Plugin:: Events Manager � Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.4
Severity Score:: Medium
CVE:: 2025-6976

Plugin:: Events Manager � Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 80,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.0.4
Severity Score:: Critical
CVE:: 2025-6970

Plugin:: Events Manager � Calendar, Bookings, Tickets, and more!
Plugin Slug:: events-manager
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.0.4
Severity Score:: High
CVE:: 2025-6975

Plugin:: WPC Smart Compare for WooCommerce
Plugin Slug:: woo-smart-compare
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.7
Severity Score:: Medium
CVE:: 2025-5530

Plugin:: Companion Auto Update
Plugin Slug:: companion-auto-update
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.3
Severity Score:: Medium
CVE:: 2025-4369

Plugin:: FunnelKit � Funnel Builder for WooCommerce Checkout
Plugin Slug:: funnel-builder
Installations: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.11.0
Severity Score:: High
CVE:: 2025-49034

Plugin:: Gwolle Guestbook
Plugin Slug:: gwolle-gb
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.9.3
Severity Score:: High
CVE:: 2025-5807

Plugin:: WP Lightbox 2
Plugin Slug:: wp-lightbox-2
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.6.8
Severity Score:: High
CVE:: 2025-3745

Plugin:: WCFM � Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug:: wc-frontend-manager
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.7.17
Severity Score:: Medium
CVE:: 2025-3780

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.6
Severity Score:: Medium
CVE:: 2025-4406

Plugin:: GeoDirectory � WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.120
Severity Score:: Medium
CVE:: 2025-6200

Plugin:: HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Plugin Slug:: ht-contactform
Installations: 10,000+
Vulnerability:: Directory Traversal
Patched in Version:: 2.2.2
Severity Score:: Critical
CVE:: 2025-7360

Plugin:: HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Plugin Slug:: ht-contactform
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.2.2
Severity Score:: Critical
CVE:: 2025-7340

Plugin:: HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Plugin Slug:: ht-contactform
Installations: 10,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.2.2
Severity Score:: High
CVE:: 2025-7341

Plugin:: Portfolio for Elementor & Image Gallery | PowerFolio
Plugin Slug:: portfolio-elementor
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-7046

Plugin:: ProfileGrid � User Profiles, Groups and Communities
Plugin Slug:: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.9.5.3
Severity Score:: High
CVE:: 2025-49876

Plugin:: RSFirewall!
Plugin Slug:: rsfirewall
Installations: 4,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.1.43
Severity Score:: Medium
CVE:: 2025-7518

Plugin:: Contact Form Plugin
Plugin Slug:: contact-form-lite
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.29
Severity Score:: Medium
CVE:: 2025-5730

Plugin:: Internal Linking of Related Contents
Plugin Slug:: internal-linking-of-related-contents
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.9
Severity Score:: Medium
CVE:: 2025-49884

Plugin:: Lana Downloads Manager
Plugin Slug:: lana-downloads-manager
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.0
Severity Score:: Medium
CVE:: 2025-7387

Plugin:: Wishlist for WooCommerce: Multi Wishlists Per Customer
Plugin Slug:: wish-list-for-woocommerce
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.4
Severity Score:: Medium
CVE:: 2025-49319

Plugin:: Custom Post Carousels with Owl
Plugin Slug:: dd-post-carousel
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.12
Severity Score:: Medium
CVE:: 2025-5125

Plugin:: Broken Link Notifier
Plugin Slug:: broken-link-notifier
Installations: 1,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-6851

Plugin:: Broken Link Notifier
Plugin Slug:: broken-link-notifier
Installations: 1,000+
Vulnerability:: CSV Injection
Patched in Version:: 1.3.1
Severity Score:: Medium
CVE:: 2025-6838

Plugin:: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery � Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 26.0.7
Severity Score:: High
CVE:: 2025-48291

Plugin:: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery � Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 26.0.9
Severity Score:: Medium
CVE:: 2025-6716

Plugin:: Friends
Plugin Slug:: friends
Installations: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2025-7504

Plugin:: Product XML Feed Manager for WooCommerce � Google Shopping, Social Sites, Skroutz & More
Plugin Slug:: product-xml-feeds-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.9.3
Severity Score:: Medium
CVE:: 2025-30959

Plugin:: WP Register Profile With Shortcode
Plugin Slug:: wp-register-profile-with-shortcode
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.6.3
Severity Score:: Medium
CVE:: 2025-4593

Plugin:: Easy restaurant menu manager
Plugin Slug:: easy-pdf-restaurant-menu-upload
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.2
Severity Score:: Medium
CVE:: 2025-6673

Plugin:: PW WooCommerce On Sale!
Plugin Slug:: pw-woocommerce-on-sale
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 1.40
Severity Score:: High
CVE:: 2025-49888

Plugin:: Sharable Password Protected Posts
Plugin Slug:: sharable-password-protected-posts
Installations: 100+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.1.1
Severity Score:: Medium
CVE:: 2025-5920

Plugin:: Hostel
Plugin Slug:: hostel
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5.9
Severity Score:: Medium
CVE:: 2025-6236

Plugin:: Hostel
Plugin Slug:: hostel
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.5.8
Severity Score:: High
CVE:: 2025-6234

Plugin:: Guest Support � Complete customer support ticket system for WordPress
Plugin Slug:: guest-support
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.3
Severity Score:: Medium
CVE:: 2025-5957