WordPress Vulnerability Report � November 5, 2025

In this report, 108 vulnerabilities have been publicly disclosed. Security patches for 77 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 31 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.3 was released on September 30, 2025. This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.

WordPress 6.9 Beta 3 is now ready for testing! This beta version of WordPress is still under development, so please avoid using it on production or mission-critical sites. Instead, test Beta 3 on a staging or test site.

The final release of WordPress 6.9 is scheduled for December 2, 2025. You can find the full release schedule and testing information on the WordPress Core blog. Your help testing Beta and RC versions is essential to ensuring a stable and powerful release.

WordPress Plugins � 68 Patched / 30 Unpatched

Plugin:: WP Snow Effect
Plugin Slug:: wp-snow-effect
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-64294

Plugin:: Multi-language Responsive Portfolio
Plugin Slug:: bootstrap-multi-language-responsive-portfolio
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11753

Plugin:: Associados Amazon
Plugin Slug:: brzon
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12403

Plugin:: CE21 Suite
Plugin Slug:: ce21-suite
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11008

Plugin:: Centangle Team Showcase
Plugin Slug:: centangle-team
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12456

Plugin:: Clubmember
Plugin Slug:: clubmember
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12396

Plugin:: Crypto Payment Gateway with Payeer for WooCommerce
Plugin Slug:: crypto-payment-gateway-with-payeer-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11890

Plugin:: DominoKit
Plugin Slug:: dominokit
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12350

Plugin:: Elegance Menu
Plugin Slug:: elegance-menu
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11704

Plugin:: EM Beer Manager
Plugin Slug:: em-beer-manager
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11724

Plugin:: Free Quotation
Plugin Slug:: free-quotation
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12393

Plugin:: Import Export For WooCommerce
Plugin Slug:: import-export-for-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12389

Plugin:: Label Plugins
Plugin Slug:: label-plugins
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12401

Plugin:: LinkedIn Resume
Plugin Slug:: linkedin-resume
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12402

Plugin:: LMB^Box Smileys
Plugin Slug:: lmbbox-smileys
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12400

Plugin:: MapMap
Plugin Slug:: mapmap
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12415

Plugin:: MeetingList
Plugin Slug:: meeting-list
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12184

Plugin:: Nari Accountant
Plugin Slug:: nari-accountant
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12371

Plugin:: NS Maintenance Mode for WP
Plugin Slug:: ns-maintenance-mode-for-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10636

Plugin:: Pagerank Tools
Plugin Slug:: pagerank-tools
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12416

Plugin:: Posts Navigation Links for Sections and Headings
Plugin Slug:: posts-navigation-links-for-sections-and-headings-free-by-wp-masters
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12188

Plugin:: Reuse Builder
Plugin Slug:: reuse-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11812

Plugin:: SH Contextual Help
Plugin Slug:: sh-contextual-help
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-12410

Plugin:: Simple User Capabilities
Plugin Slug:: simple-user-capabilities
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-12158

Plugin:: Simple User Capabilities
Plugin Slug:: simple-user-capabilities
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12157

Plugin:: ViaAds
Plugin Slug:: viaads
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12070

Plugin:: WooCommerce Designer Pro
Plugin Slug:: wc-designer-pro
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10897

Plugin:: WP Carticon
Plugin Slug:: wp-carticon
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12065

Plugin:: WP Global Screen Options
Plugin Slug:: wp-global-screen-options
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12069

Plugin:: Social Media WPCF7 Stop Words
Plugin Slug:: wpcf7-stop-words
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-12413

Plugin:: LiteSpeed Cache
Plugin Slug:: litespeed-cache
Installations: 7,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.6
Severity Score:: High
CVE:: 2025-12450

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 7,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.9.0
Severity Score:: Medium
CVE:: 2023-7320

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations: 7,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 10.0.3
Severity Score:: Medium
CVE:: 2025-49042

Plugin:: Polylang
Plugin Slug:: polylang
Installations: 800,000+
Vulnerability:: Deserialization of untrusted data
Patched in Version:: 3.7.4
Severity Score:: High
CVE:: 2025-64353

Plugin:: TablePress � Tables in WordPress made easy
Plugin Slug:: tablepress
Installations: 700,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.5
Severity Score:: Medium
CVE:: 2025-12324

Plugin:: The Events Calendar
Plugin Slug:: the-events-calendar
Installations: 700,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.15.10
Severity Score:: Medium
CVE:: 2025-12175

Plugin:: Facebook for WooCommerce
Plugin Slug:: facebook-for-woocommerce
Installations: 500,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.8
Severity Score:: Medium
CVE:: 2025-64296

Plugin:: Post SMTP � Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App
Plugin Slug:: post-smtp
Installations: 400,000+
Vulnerability:: Broken Authentication
Patched in Version:: 3.6.1
Severity Score:: Critical
CVE:: 2025-11833

Plugin:: SiteSEO � SEO Simplified
Plugin Slug:: siteseo
Installations: 400,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.2
Severity Score:: Low
CVE:: 2025-12367

Plugin:: Call Now Button � The #1 Click to Call Button for WordPress
Plugin Slug:: call-now-button
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.5
Severity Score:: Medium
CVE:: 2025-11632

Plugin:: Call Now Button � The #1 Click to Call Button for WordPress
Plugin Slug:: call-now-button
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2025-11587

Plugin:: Advanced Ads ��Ad Manager & AdSense
Plugin Slug:: advanced-ads
Installations: 100,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 2.0.13
Severity Score:: High
CVE:: 2025-10487

Plugin:: Advanced Database Cleaner
Plugin Slug:: advanced-database-cleaner
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.7
Severity Score:: Medium
CVE:: 2025-64357

Plugin:: Advanced Database Cleaner
Plugin Slug:: advanced-database-cleaner
Installations: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.7
Severity Score:: Medium
CVE:: 2025-11497

Plugin:: Anti-Malware Security and Brute-Force Firewall
Plugin Slug:: gotmls
Installations: 100,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 4.23.83
Severity Score:: Medium
CVE:: 2025-11705

Plugin:: Insert PHP Code Snippet
Plugin Slug:: insert-php-code-snippet
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2025-64356

Plugin:: Schema & Structured Data for WP & AMP
Plugin Slug:: schema-and-structured-data-for-wp
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.52
Severity Score:: Medium
CVE:: 2025-11502

Plugin:: HUSKY � Products Filter Professional for WooCommerce
Plugin Slug:: woocommerce-products-filter
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.7.2
Severity Score:: Critical
CVE:: 2025-11735

Plugin:: List category posts
Plugin Slug:: list-category-posts
Installations: 90,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 0.93.0
Severity Score:: Medium
CVE:: 2025-11377

Plugin:: Greenshift � animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.2.8
Severity Score:: Medium
CVE:: 2025-11841

Plugin:: Qi Blocks
Plugin Slug:: qi-blocks
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2025-12180

Plugin:: Translate WordPress and go Multilingual � Weglot
Plugin Slug:: weglot
Installations: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.2
Severity Score:: Medium
CVE:: 2025-10008

Plugin:: Auto Featured Image (Auto Post Thumbnail)
Plugin Slug:: auto-post-thumbnail
Installations: 50,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 4.2.0
Severity Score:: Medium
CVE:: 2025-10145

Plugin:: Popup Box � Create Countdown, Coupon, Video, Contact Form Popups
Plugin Slug:: ays-popup-box
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.5.5
Severity Score:: Medium
CVE:: 2025-57931

Plugin:: Smart Coupons For WooCommerce Coupons
Plugin Slug:: wt-smart-coupons-for-woocommerce
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.4
Severity Score:: Medium
CVE:: 2025-64358

Plugin:: Inactive Logout
Plugin Slug:: inactive-logout
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.0
Severity Score:: Medium
CVE:: 2025-11922

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.4.10
Severity Score:: High
CVE:: 2025-11740

Plugin:: CSS & JavaScript Toolbox
Plugin Slug:: css-javascript-toolbox
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.0.6
Severity Score:: Medium
CVE:: 2025-11928

Plugin:: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Plugin Slug:: wplegalpages
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.2
Severity Score:: Medium
CVE:: 2025-11816

Plugin:: Tablesome Table � Contact Form DB � WPForms, CF7, Gravity, Forminator, Fluent
Plugin Slug:: tablesome
Installations: 9,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.33
Severity Score:: Critical
CVE:: 2025-11499

Plugin:: WP Delicious � Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Plugin Slug:: delicious-recipes
Installations: 5,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.9.1
Severity Score:: Critical
CVE:: 2025-11755

Plugin:: Import WP � Export and Import CSV and XML files to WordPress
Plugin Slug:: jc-importer
Installations: 5,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 2.14.17
Severity Score:: Medium
CVE:: 2025-12137

Plugin:: Flying Images: Optimize and Lazy Load Images for Faster Page Speed
Plugin Slug:: nazy-load
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.15
Severity Score:: Medium
CVE:: 2025-11927

Plugin:: OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)
Plugin Slug:: oopspam-anti-spam
Installations: 5,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.2.54
Severity Score:: Medium
CVE:: 2025-12094

Plugin:: WPC Name Your Price for WooCommerce
Plugin Slug:: wpc-name-your-price
Installations: 5,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.2.0
Severity Score:: High
CVE:: 2025-12115

Plugin:: Document Library Lite
Plugin Slug:: document-library-lite
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.7
Severity Score:: Medium
CVE:: 2025-11174

Plugin:: Extensions for Leaflet Map
Plugin Slug:: extensions-leaflet-map
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8
Severity Score:: Medium
CVE:: 2025-12369

Plugin:: Footnotes Made Easy
Plugin Slug:: footnotes-made-easy
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.8
Severity Score:: High
CVE:: 2025-11733

Plugin:: FuseWP � WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)
Plugin Slug:: fusewp
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.23.1
Severity Score:: Medium
CVE:: 2025-11975

Plugin:: FuseWP � WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)
Plugin Slug:: fusewp
Installations: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.23.1
Severity Score:: Medium
CVE:: 2025-11976

Plugin:: AppPresser � Mobile App Framework
Plugin Slug:: apppresser
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.5.1
Severity Score:: Medium
CVE:: 2025-11881

Plugin:: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Plugin Slug:: booking-and-rental-manager-for-woocommerce
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5.4
Severity Score:: High
CVE:: 2025-49904

Plugin:: Range Slider Addon for Gravity Forms
Plugin Slug:: range-slider-addon-for-gravity-forms
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.7
Severity Score:: High
CVE:: 2025-49905

Plugin:: WP Discourse
Plugin Slug:: wp-discourse
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.6.0
Severity Score:: Low
CVE:: 2025-11983

Plugin:: WPCOM Member
Plugin Slug:: wpcom-member
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.15
Severity Score:: High
CVE:: 2025-11920

Plugin:: Easy Testimonial Slider and Form
Plugin Slug:: easy-testimonial-rotator
Installations: 900+
Vulnerability:: SQL Injection
Patched in Version:: 1.0.3
Severity Score:: High
CVE:: 2015-10147

Plugin:: All in One Time Clock Lite � Tracking Employee Time Has Never Been Easier
Plugin Slug:: aio-time-clock-lite
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2025-11758

Plugin:: Thumbnail Slider With Lightbox
Plugin Slug:: wp-responsive-slider-with-lightbox
Installations: 800+
Vulnerability:: SQL Injection
Patched in Version:: 1.0.5
Severity Score:: High
CVE:: 2015-10146

Plugin:: Doppler Forms
Plugin Slug:: doppler-form
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.0
Severity Score:: Medium
CVE:: 2025-9544

Plugin:: Employee Spotlight � Team Member Showcase & Meet the Team Plugin
Plugin Slug:: employee-spotlight
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.3
Severity Score:: Medium
CVE:: 2025-12090

Plugin:: RealPress � Real Estate Plugin
Plugin Slug:: realpress
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.0
Severity Score:: Medium
CVE:: 2025-11191

Plugin:: IDonate � Blood Donation, Request And Donor Management System
Plugin Slug:: idonate
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.13
Severity Score:: Medium
CVE:: 2025-11154

Plugin:: Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue
Plugin Slug:: site-checkup
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.48
Severity Score:: Medium
CVE:: 2025-11627