In this report, 64 vulnerabilities have been publicly disclosed. Security patches for 46 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Currently, 18 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core
WordPress 6.8.3 was released on September 30, 2025! This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.
WordPress Plugins � 43 Patched / 18 Unpatched
WP Gmail SMTP
- Plugin:
-
WP Gmail SMTP
- Plugin Slug:
- wp-gmail-smtp
- Installations
- 1,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-53232
Block Country
- Plugin:
-
Block Country
- Plugin Slug:
- block-country
- Installations
- 70+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-48077
Simple Stripe
- Plugin:
-
Simple Stripe
- Plugin Slug:
- simple-stripe
- Installations
- 70+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-48085
APPExperts � Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps
- Plugin Slug:
- appexperts
- Installations
- 60+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-53218
Slick Google Map
- Plugin:
-
Slick Google Map
- Plugin Slug:
- slick-google-map
- Installations
- 60+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-48078
Stock History & Reports Manager for WooCommerce
- Plugin Slug:
- stock-snapshot-for-woocommerce
- Installations
- 60+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-10167
wpNamedUsers
- Plugin:
-
wpNamedUsers
- Plugin Slug:
- wpnamedusers
- Installations
- 60+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-48083
Code Quality Control Tool
- Plugin:
Code Quality Control Tool
- Plugin Slug:
- code-quality-control-tool
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-8484
Course Redirects for Learndash
- Plugin:
Course Redirects for Learndash
- Plugin Slug:
- course-redirects-for-learndash
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-10376
Custom 404 Pro
- Plugin:
Custom 404 Pro
- Plugin Slug:
- custom-404-pro
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-9947
Easy Plugin Stats
- Plugin:
Easy Plugin Stats
- Plugin Slug:
- easy-plugin-stats
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-7652
Find Me On
- Plugin:
Find Me On
- Plugin Slug:
- find-me-on
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-10635
Page Blocks
- Plugin:
Page Blocks
- Plugin Slug:
- page-blocks
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-9626
TwentyFourth WP Scraper
- Plugin:
TwentyFourth WP Scraper
- Plugin Slug:
- twentyfourth-wp-scraper
- Vulnerability:
- Server Side Request Forgery (SSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-9975
WooCommerce Designer Pro
- Plugin:
WooCommerce Designer Pro
- Plugin Slug:
- wc-designer-pro
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
-
2025-6439
WidgetPack Comment System
- Plugin:
WidgetPack Comment System
- Plugin Slug:
- widgetpack-comment-system
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-9621
WP Easy Toggles
- Plugin:
WP Easy Toggles
- Plugin Slug:
- wp-easy-toggles
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-10190
WordPress Live Webcam Widget & Shortcode
- Plugin:
WordPress Live Webcam Widget & Shortcode
- Plugin Slug:
- wp-webcam-widget-shortcode
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
-
2025-10129
Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
- Plugin Slug:
- header-footer-elementor
- Installations
- 2,000,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.5.0
- Severity Score:
- Medium
- CVE:
-
2025-9703
Enable Media Replace
- Plugin:
-
Enable Media Replace
- Plugin Slug:
- enable-media-replace
- Installations
- 600,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.1.7
- Severity Score:
- Medium
- CVE:
-
2025-9496
WP Reset
- Plugin:
-
WP Reset
- Plugin Slug:
- wp-reset
- Installations
- 400,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.06
- Severity Score:
- Medium
- CVE:
-
2025-10645
Blocksy Companion
- Plugin:
-
Blocksy Companion
- Plugin Slug:
- blocksy-companion
- Installations
- 300,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.1.15
- Severity Score:
- Medium
SureForms � Drag and Drop Contact Form Builder � Multi-step Forms, Conversational Forms and more
- Plugin:
-
SureForms � Drag and Drop Contact Form Builder � Multi-step Forms, Conversational Forms and more
- Plugin Slug:
- sureforms
- Installations
- 300,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.12.2
- Severity Score:
- Medium
- CVE:
-
2025-10732
WP Go Maps (formerly WP Google Maps)
- Plugin Slug:
- wp-google-maps
- Installations
- 300,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 9.0.47
- Severity Score:
- Medium
- CVE:
-
2025-11166
Colibri Page Builder
- Plugin:
-
Colibri Page Builder
- Plugin Slug:
- colibri-page-builder
- Installations
- 100,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.0.335
- Severity Score:
- Medium
- CVE:
-
2025-9560
Responsive Lightbox & Gallery
- Plugin:
-
Responsive Lightbox & Gallery
- Plugin Slug:
- responsive-lightbox
- Installations
- 100,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.5.3
- Severity Score:
- High
- CVE:
-
2025-9710
The Plus Addons for Elementor � Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
- Plugin:
-
The Plus Addons for Elementor � Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
- Plugin Slug:
- the-plus-addons-for-elementor-page-builder
- Installations
- 100,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.3.16
- Severity Score:
- Medium
- CVE:
-
2025-9698
WPC Smart Wishlist for WooCommerce
- Plugin Slug:
- woo-smart-wishlist
- Installations
- 100,000+
- Vulnerability:
- Insecure Direct Object References (IDOR)
- Patched in Version:
- 5.0.4
- Severity Score:
- Medium
- CVE:
-
2025-11518
Featured Image from URL (FIFU)
- Plugin:
-
Featured Image from URL (FIFU)
- Plugin Slug:
- featured-image-from-url
- Installations
- 80,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 5.2.8
- Severity Score:
- Medium
- CVE:
-
2025-7400
All In One Login � WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more.
- Plugin Slug:
- change-wp-admin-login
- Installations
- 70,000+
- Vulnerability:
- Bypass Vulnerability
- Patched in Version:
- 2.0.9
- Severity Score:
- Medium
- CVE:
-
2025-58595
Search & Filter
- Plugin:
-
Search & Filter
- Plugin Slug:
- search-filter
- Installations
- 50,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.2.18
- Severity Score:
- Medium
- CVE:
-
2025-48099
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
- Plugin:
-
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
- Plugin Slug:
- popup-builder-block
- Installations
- 30,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.1.4
- Severity Score:
- Critical
- CVE:
-
2025-10862
Welcart e-Commerce
- Plugin:
-
Welcart e-Commerce
- Plugin Slug:
- usc-e-shop
- Installations
- 20,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.11.22
- Severity Score:
- High
- CVE:
-
2025-10649
WP Travel Engine � Tour Booking Plugin � Tour Operator Software
- Plugin Slug:
- wp-travel-engine
- Installations
- 20,000+
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 6.6.8
- Severity Score:
- High
- CVE:
-
2025-7634
WP Travel Engine � Tour Booking Plugin � Tour Operator Software
- Plugin Slug:
- wp-travel-engine
- Installations
- 20,000+
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 6.6.8
- Severity Score:
- High
- CVE:
-
2025-7526
Web Accessibility by accessiBe
- Plugin:
-
Web Accessibility by accessiBe
- Plugin Slug:
- accessibe
- Installations
- 10,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 2.11
- Severity Score:
- Medium
- CVE:
-
2025-10375
RegistrationMagic � Custom Registration Forms, User Registration, Payment, and User Login
- Plugin Slug:
- custom-registration-form-builder-with-submission-manager
- Installations
- 10,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 6.0.6.3
- Severity Score:
- High
- CVE:
-
2025-11204
Motors � Car Dealership & Classified Listings Plugin
- Plugin Slug:
- motors-car-dealership-classified-listings
- Installations
- 10,000+
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 1.4.90
- Severity Score:
- High
- CVE:
-
2025-10494
NEX-Forms � Ultimate Forms Plugin for WordPress
- Plugin Slug:
- nex-forms-express-wp-form-builder
- Installations
- 9,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 9.1.7
- Severity Score:
- High
- CVE:
-
2025-10185
Error Log Viewer by BestWebSoft
- Plugin:
-
Error Log Viewer by BestWebSoft
- Plugin Slug:
- error-log-viewer
- Installations
- 6,000+
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- 1.1.7
- Severity Score:
- Medium
- CVE:
-
2025-9950
Survey Maker
- Plugin:
-
Survey Maker
- Plugin Slug:
- survey-maker
- Installations
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 5.1.8.9
- Severity Score:
- Medium
- CVE:
-
2025-48095
Chartify � WordPress Chart Plugin
- Plugin Slug:
- chart-builder
- Installations
- 4,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 3.6.0
- Severity Score:
- Medium
- CVE:
-
2025-11171
Everest Backup � WordPress Cloud Backup, Migration, Restore & Cloning Plugin
- Plugin Slug:
- everest-backup
- Installations
- 4,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.3.6
- Severity Score:
- Medium
- CVE:
-
2025-11380
Trinity Audio � Text to Speech AI audio player to convert content into audio
- Plugin Slug:
- trinity-audio
- Installations
- 2,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 5.22.0
- Severity Score:
- Medium
- CVE:
-
2025-9196
Contest Gallery � Upload, Vote & Sell with PayPal and Stripe
- Plugin Slug:
- contest-gallery
- Installations
- 1,000+
- Vulnerability:
- CSV Injection
- Patched in Version:
- 28.0.0
- Severity Score:
- Medium
- CVE:
-
2025-11254
Cookie Notice & Consent
- Plugin:
-
Cookie Notice & Consent
- Plugin Slug:
- cookie-notice-consent
- Installations
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.6.6
- Severity Score:
- High
- CVE:
-
2025-10496
GSheetConnector For Gravity Forms
- Plugin Slug:
- gsheetconnector-gravity-forms
- Installations
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.3.24
- Severity Score:
- Medium
- CVE:
-
2025-8606
GSheetConnector For Gravity Forms
- Plugin Slug:
- gsheetconnector-gravity-forms
- Installations
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.3.28
- Severity Score:
- High
- CVE:
-
2025-8593
My auctions allegro
- Plugin:
-
My auctions allegro
- Plugin Slug:
- my-auctions-allegro-free-edition
- Installations
- 500+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 3.6.32
- Severity Score:
- High
- CVE:
-
2025-10048
Admin and Customer Messages After Order for WooCommerce: OrderConvo
- Plugin Slug:
- admin-and-client-message-after-order-for-woocommerce
- Installations
- 300+
- Vulnerability:
- Arbitrary File Download
- Patched in Version:
- 14
- Severity Score:
- High
- CVE:
-
2025-10162
Draft List
- Plugin:
-
Draft List
- Plugin Slug:
- simple-draft-list
- Installations
- 50+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.6.2
- Severity Score:
- Medium
- CVE:
-
2025-11197
Community Events
- Plugin:
-
Community Events
- Plugin Slug:
- community-events
- Installations
- 40+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 1.5.2
- Severity Score:
- Critical
- CVE:
-
2025-10587
CM Registration � Tailored tool for seamless login and invitation-based registrations
- Plugin Slug:
- cm-invitation-codes
- Installations
- 30+
- Vulnerability:
- Open Redirection
- Patched in Version:
- 2.5.7
- Severity Score:
- Medium
- CVE:
-
2025-11167
Lisfinity Core
- Plugin:
Lisfinity Core
- Plugin Slug:
- lisfinity-core
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.5.0
- Severity Score:
- High
- CVE:
-
2025-6038
Ovatheme Events Manager
- Plugin:
Ovatheme Events Manager
- Plugin Slug:
- ova-events-manager
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 1.8.6
- Severity Score:
- Critical
- CVE:
-
2025-6553
Slider Revolution
- Plugin:
Slider Revolution
- Plugin Slug:
- revslider
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 6.7.38
- Severity Score:
- Medium
- CVE:
-
2025-10249
Service Finder Booking
- Plugin:
Service Finder Booking
- Plugin Slug:
- sf-booking
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 6.1
- Severity Score:
- Critical
- CVE:
-
2025-5947
Ultimate Addons for WPBakery Page Builder
- Plugin:
Ultimate Addons for WPBakery Page Builder
- Plugin Slug:
- ultimate_vc_addons
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.21.1
- Severity Score:
- Medium
- CVE:
-
2025-48088
WP Freeio
- Plugin:
WP Freeio
- Plugin Slug:
- wp-freeio
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 1.2.22
- Severity Score:
- Critical
- CVE:
-
2025-11533
WP JobHunt
- Plugin:
WP JobHunt
- Plugin Slug:
- wp-jobhunt
- Vulnerability:
- Broken Authentication
- Patched in Version:
- 7.7
- Severity Score:
- Medium
- CVE:
-
2025-7374
WP JobHunt
- Plugin:
WP JobHunt
- Plugin Slug:
- wp-jobhunt
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 7.7
- Severity Score:
- Medium
- CVE:
-
2025-7781
WordPress Themes � 3 Patched / 0 Unpatched
Newsup
Betheme
- Theme:
Betheme
- Theme Slug:
- betheme
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 28.1.7
- Severity Score:
- Medium
- CVE:
-
2025-9371
Search & Go
- Theme:
Search & Go
- Theme Slug:
- search-and-go
- Vulnerability:
- Privilege Escalation
- Patched in Version:
- 2.8
- Severity Score:
- Critical
- CVE:
-
2025-11522