WordPress Vulnerability Report � October 22, 2025

In this report, 139 vulnerabilities have been publicly disclosed. Security patches for 87 of these plugins and themes are now available. Please run these updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Currently, 52 plugin and theme vulnerabilities remain unpatched. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.8.3 was released on September 30, 2025! This is a security release that features two fixes. As this is a security release, we recommend updating your sites immediately. For more information on WordPress 6.8.3, please visit the version page on the HelpHub site.

WordPress Plugins � 79 Patched / 50 Unpatched

Plugin:: Binary MLM Plan
Plugin Slug:: binary-mlm-plan
Installations: 80+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11895

Plugin:: Block Country
Plugin Slug:: block-country
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48077

Plugin:: Simple Stripe
Plugin Slug:: simple-stripe
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48085

Plugin:: Stock History & Reports Manager for WooCommerce
Plugin Slug:: stock-snapshot-for-woocommerce
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10167

Plugin:: replyMail
Plugin Slug:: replymail
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31029

Plugin:: Slick Google Map
Plugin Slug:: slick-google-map
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48078

Plugin:: wpNamedUsers
Plugin Slug:: wpnamedusers
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48083

Plugin:: WP BookWidgets
Plugin Slug:: wp-bookwidgets
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10139

Plugin:: Woocommerce Category and Products Accordion Panel
Plugin Slug:: accordion-panel-for-category-and-products
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11722

Plugin:: Code Quality Control Tool
Plugin Slug:: code-quality-control-tool
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8484

Plugin:: Course Redirects for Learndash
Plugin Slug:: course-redirects-for-learndash
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10376

Plugin:: Custom 404 Pro
Plugin Slug:: custom-404-pro
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-9947

Plugin:: Demo Import Kit
Plugin Slug:: demo-import-kit
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10051

Plugin:: Dhivehi Text
Plugin Slug:: dhivehi-text
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10132

Plugin:: Digiseller
Plugin Slug:: digiseller
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10141

Plugin:: DocoDoco Store Locator
Plugin Slug:: docodoco-store-locator
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10754

Plugin:: Dynamically Display Posts
Plugin Slug:: dynamically-display-posts
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11501

Plugin:: External Login
Plugin Slug:: external-login
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-11177

Plugin:: External Login
Plugin Slug:: external-login
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11196

Plugin:: Find And Replace content for WordPress
Plugin Slug:: find-and-replace-content
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10313

Plugin:: FunKItools
Plugin Slug:: funkitools
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10301

Plugin:: Keyy Two Factor Authentication (like Clef)
Plugin Slug:: keyy
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10293

Plugin:: Library Management System
Plugin Slug:: library-management-system
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10303

Plugin:: YourMembership Single Sign On
Plugin Slug:: login-with-yourmembership
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10648

Plugin:: Memberlite Shortcodes
Plugin Slug:: memberlite-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48087

Plugin:: Oceanpayment CreditCard Gateway
Plugin Slug:: oceanpayment-creditcard-gateway
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11728

Plugin:: onOffice for WP-Websites
Plugin Slug:: onoffice-for-wp-websites
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10045

Plugin:: Orion SMS OTP Verification
Plugin Slug:: orion-sms-otp-verification
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-9967

Plugin:: OwnID Passwordless Login
Plugin Slug:: ownid-passwordless-login
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-10294

Plugin:: Page Blocks
Plugin Slug:: page-blocks
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9626

Plugin:: Quick Social Login
Plugin Slug:: quick-login
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10140

Plugin:: Related Posts Lite
Plugin Slug:: related-posts-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11926

Plugin:: Shortcode Button
Plugin Slug:: shortcode-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10194

Plugin:: TARIFFUXX
Plugin Slug:: tariffuxx
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10682

Plugin:: Task Scheduler
Plugin Slug:: task-scheduler
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10056

Plugin:: Theme Importer
Plugin Slug:: theme-importer
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10312

Plugin:: TopBar
Plugin Slug:: topbar
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10300

Plugin:: Truelysell Core
Plugin Slug:: truelysell-core
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-10742

Plugin:: TwentyFourth WP Scraper
Plugin Slug:: twentyfourth-wp-scraper
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9975

Plugin:: URLYar URL Shortner
Plugin Slug:: urlyar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10133

Plugin:: WooCommerce Designer Pro
Plugin Slug:: wc-designer-pro
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6439

Plugin:: WidgetPack Comment System
Plugin Slug:: widgetpack-comment-system
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9621

Plugin:: WP Dashboard Chat
Plugin Slug:: wp-dashboard-chat
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10660

Plugin:: WP Easy Toggles
Plugin Slug:: wp-easy-toggles
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10190

Plugin:: WP Google Map
Plugin Slug:: wp-google-map
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-11365

Plugin:: WP jQuery Pager
Plugin Slug:: wp-jquery-pdf-paged
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10575

Plugin:: WP Private Content Plus
Plugin Slug:: wp-private-content-plus
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10720

Plugin:: WordPress Live Webcam Widget & Shortcode
Plugin Slug:: wp-webcam-widget-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-10129

Plugin:: Zip Attachments
Plugin Slug:: zip-attachments
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11701

Plugin:: Zip Attachments
Plugin Slug:: zip-attachments
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-11692

Plugin:: Ally � Web Accessibility & Usability
Plugin Slug:: pojo-accessibility
Installations: 400,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.8.1
Severity Score:: Medium
CVE:: 2025-10700

Plugin:: ShortPixel Image Optimizer � Optimize Images, Convert WebP & AVIF
Plugin Slug:: shortpixel-image-optimiser
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.3.5
Severity Score:: Medium
CVE:: 2025-11378

Plugin:: SureForms � Drag and Drop Contact Form Builder � Multi-step Forms, Conversational Forms and more
Plugin Slug:: sureforms
Installations: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.12.2
Severity Score:: Medium
CVE:: 2025-10732

Plugin:: WP Go Maps (formerly WP Google Maps)
Plugin Slug:: wp-google-maps
Installations: 300,000+
Vulnerability:: Content Injection
Patched in Version:: 9.0.49
Severity Score:: Medium
CVE:: 2025-11703

Plugin:: Redirection for Contact Form 7
Plugin Slug:: wpcf7-redirect
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.7
Severity Score:: Medium
CVE:: 2025-9562

Plugin:: Gutenberg Essential Blocks � Page Builder for Gutenberg Blocks & Patterns
Plugin Slug:: essential-blocks
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.7.2
Severity Score:: Medium
CVE:: 2025-11270

Plugin:: Gutenberg Essential Blocks � Page Builder for Gutenberg Blocks & Patterns
Plugin Slug:: essential-blocks
Installations: 200,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 5.7.2
Severity Score:: Medium
CVE:: 2025-11361

Plugin:: FileBird � WordPress Media Library Folders & File Manager
Plugin Slug:: filebird
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.0
Severity Score:: Medium
CVE:: 2025-11510

Plugin:: Optimole � Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization
Plugin Slug:: optimole-wp
Installations: 200,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.1.1
Severity Score:: Medium
CVE:: 2025-11519

Plugin:: Element Pack Addons for Elementor
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 8.2.6
Severity Score:: Medium
CVE:: 2025-11536

Plugin:: Colibri Page Builder
Plugin Slug:: colibri-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.335
Severity Score:: Medium
CVE:: 2025-9560

Plugin:: The Plus Addons for Elementor � Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.16
Severity Score:: Medium
CVE:: 2025-9698

Plugin:: WPC Smart Quick View for WooCommerce
Plugin Slug:: woo-smart-quick-view
Installations: 100,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.2.6
Severity Score:: Medium
CVE:: 2025-11741

Plugin:: WPC Smart Wishlist for WooCommerce
Plugin Slug:: woo-smart-wishlist
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.5
Severity Score:: Medium
CVE:: 2025-11742

Plugin:: Event Tickets and Registration
Plugin Slug:: event-tickets
Installations: 90,000+
Vulnerability:: Broken Authentication
Patched in Version:: 5.26.6
Severity Score:: High
CVE:: 2025-11517

Plugin:: Event Tickets and Registration
Plugin Slug:: event-tickets
Installations: 90,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.26.4
Severity Score:: Medium
CVE:: 2025-62027

Plugin:: LearnPress � WordPress LMS Plugin
Plugin Slug:: learnpress
Installations: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.9.4
Severity Score:: Medium
CVE:: 2025-11372

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.30
Severity Score:: Medium
CVE:: 2025-11738

Plugin:: Quick Featured Images
Plugin Slug:: quick-featured-images
Installations: 50,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 13.7.3
Severity Score:: Medium
CVE:: 2025-11176

Plugin:: Theme Editor
Plugin Slug:: theme-editor
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2025-9890

Plugin:: Advanced Coupons � WooCommerce Coupons & Store Credit
Plugin Slug:: advanced-coupons-for-woocommerce-free
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.6.9
Severity Score:: High
CVE:: 2025-62015

Plugin:: One Page Express Companion
Plugin Slug:: one-page-express-companion
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.44
Severity Score:: Medium
CVE:: 2025-62052

Plugin:: Pz-LinkCard
Plugin Slug:: pz-linkcard
Installations: 20,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.5.7
Severity Score:: Medium
CVE:: 2025-8594

Plugin:: SmartCrawl SEO checker, analyzer & optimizer
Plugin Slug:: smartcrawl-seo
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.14.4
Severity Score:: Medium
CVE:: 2025-62048

Plugin:: PPOM � Product Addons & Custom Fields for WooCommerce
Plugin Slug:: woocommerce-product-addon
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 33.0.16
Severity Score:: Critical
CVE:: 2025-11691

Plugin:: PPOM � Product Addons & Custom Fields for WooCommerce
Plugin Slug:: woocommerce-product-addon
Installations: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 33.0.16
Severity Score:: Critical
CVE:: 2025-11391

Plugin:: Web Accessibility by accessiBe
Plugin Slug:: accessibe
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.11
Severity Score:: Medium
CVE:: 2025-10375

Plugin:: BlockSpare � News, Magazine and Blog Addons for (Gutenberg) Block Editor
Plugin Slug:: blockspare
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.14
Severity Score:: Medium
CVE:: 2025-62026

Plugin:: Simple SEO
Plugin Slug:: cds-simple-seo
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.32
Severity Score:: Medium
CVE:: 2025-10357

Plugin:: E2Pdf � Export Pdf Tool for WordPress
Plugin Slug:: e2pdf
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.28.10
Severity Score:: Medium
CVE:: 2025-62068

Plugin:: MasterStudy LMS WordPress Plugin � for Online Courses and Education
Plugin Slug:: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.6.21
Severity Score:: Medium
CVE:: 2025-59575

Plugin:: Free Follow-Up Emails & Marketing Automation for WooCommerce � ShopMagic
Plugin Slug:: shopmagic-for-woocommerce
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.5.7
Severity Score:: Medium
CVE:: 2025-59578

Plugin:: Simple Job Board
Plugin Slug:: simple-job-board
Installations: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.13.8
Severity Score:: High
CVE:: 2025-59579

Plugin:: WP SMS � Ultimate SMS & MMS Notifications, OTP, 2FA, and WooCommerce & Forms Integrations
Plugin Slug:: wp-sms
Installations: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.0.2
Severity Score:: Medium
CVE:: 2025-62006

Plugin:: UiChemy � Figma Converter for Elementor, Gutenberg and Bricks
Plugin Slug:: uichemy
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2025-62013

Plugin:: Error Log Viewer by BestWebSoft
Plugin Slug:: error-log-viewer
Installations: 6,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.1.7
Severity Score:: Medium
CVE:: 2025-9950

Plugin:: Booking Manager � Sync WP Booking Calendar � Import Events, Export Bookings to ICS Calendar
Plugin Slug:: booking-manager
Installations: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.15
Severity Score:: Medium
CVE:: 2025-10124

Plugin:: GSpeech TTS � WordPress Text To Speech Plugin
Plugin Slug:: gspeech
Installations: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.18.0
Severity Score:: High
CVE:: 2025-10187

Plugin:: Kognetiks Chatbot
Plugin Slug:: chatbot-chatgpt
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.6
Severity Score:: Medium
CVE:: 2025-11256

Plugin:: Easy Post Submission � Frontend Posting, Guest Publishing & Submit Content for WordPress
Plugin Slug:: easy-post-submission
Installations: 1,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2025-62062

Plugin:: Event post
Plugin Slug:: event-post
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.10.4
Severity Score:: Medium
CVE:: 2025-62042

Plugin:: GSheetConnector For Gravity Forms
Plugin Slug:: gsheetconnector-gravity-forms
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.24
Severity Score:: Medium
CVE:: 2025-8606

Plugin:: GSheetConnector For Gravity Forms
Plugin Slug:: gsheetconnector-gravity-forms
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.28
Severity Score:: High
CVE:: 2025-8593

Plugin:: Events Calendar Made Simple � Pie Calendar
Plugin Slug:: pie-calendar
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2025-62024

Plugin:: Product Catalog Simple
Plugin Slug:: post-type-x
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.8.5
Severity Score:: Medium
CVE:: 2025-62061

Plugin:: Product Bundles, Quantity/Bulk Discount, BOGO, Buy X Get Y � WowRevenue
Plugin Slug:: revenue
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.14
Severity Score:: Medium
CVE:: 2025-62070

Plugin:: Reviews Widgets for Google & 45+ platforms by Repuso
Plugin Slug:: social-testimonials-and-reviews-widget
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.30
Severity Score:: Medium
CVE:: 2025-62071

Plugin:: Tab Ultimate
Plugin Slug:: tabs-pro
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9
Severity Score:: Medium
CVE:: 2025-62060

Plugin:: MDTF � Meta Data and Taxonomies Filter
Plugin Slug:: wp-meta-data-filter-and-taxonomy-filter
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.3.9
Severity Score:: Medium
CVE:: 2025-62069

Plugin:: WP Travel Gutenberg Blocks
Plugin Slug:: wp-travel-blocks
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.3
Severity Score:: Medium
CVE:: 2025-62063

Plugin:: WPC Countdown Timer for WooCommerce
Plugin Slug:: wpc-countdown-timer
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.5
Severity Score:: Medium
CVE:: 2025-49908

Plugin:: WPCasa
Plugin Slug:: wpcasa
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.2
Severity Score:: Medium
CVE:: 2025-62043

Plugin:: WhyDonate � FREE Donate button � Crowdfunding � Fundraising
Plugin Slug:: wp-whydonate
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.16
Severity Score:: Medium
CVE:: 2025-49899

Plugin:: Product Table For WooCommerce
Plugin Slug:: product-table-for-woocommerce
Installations: 600+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.2.5
Severity Score:: High
CVE:: 2025-62008

Plugin:: PowerBI Embed Reports
Plugin Slug:: embed-power-bi-reports
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.2.1
Severity Score:: Medium
CVE:: 2025-10750

Plugin:: Front End Users
Plugin Slug:: front-end-only-users
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.34
Severity Score:: Medium
CVE:: 2025-62072

Plugin:: MeetingHub for Zoom Meeting, Google Meet, Jitsi Meet, Webex, & Microsoft Teams | The All-in-One Webinar & Video Conference Solution
Plugin Slug:: meetinghub
Installations: 500+
Vulnerability:: Broken Access Control
Patched in Version:: 1.23.10
Severity Score:: Medium
CVE:: 2025-62073

Plugin:: UPC/EAN/GTIN Barcode Generator/Importer
Plugin Slug:: upc-ean-barcode-generator
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.3
Severity Score:: Medium
CVE:: 2025-62009

Plugin:: Content Writer
Plugin Slug:: content-writer
Installations: 300+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.6.9
Severity Score:: Medium
CVE:: 2025-10486

Plugin:: Acknowledgify
Plugin Slug:: acknowledgify
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.4
Severity Score:: Medium
CVE:: 2025-62021

Plugin:: WPBifr�st � Instant Passwordless Temporary Login Links
Plugin Slug:: create-temporary-login
Installations: 40+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.8
Severity Score:: Critical
CVE:: 2025-10299

Plugin:: XX2WP Integration Tools
Plugin Slug:: fb2wp-integration-tools
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.0
Severity Score:: Medium
CVE:: 2025-11857

Plugin:: Flex QR Code Generator
Plugin Slug:: flex-qr-code-generator
Installations: 30+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.2.6
Severity Score:: Critical
CVE:: 2025-10041

Plugin:: Voice Feedback � Voice Recorder for Audio Feedback
Plugin Slug:: voice-feedback
Installations: 10+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.0
Severity Score:: High
CVE:: 2025-62007

Plugin:: BlindMatrix e-Commerce
Plugin Slug:: window-blinds-solution
Installations: 10+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2025-10406

Plugin:: Felan Framework
Plugin Slug:: felan-framework
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.5
Severity Score:: Medium
CVE:: 2025-10849

Plugin:: Felan Framework
Plugin Slug:: felan-framework
Vulnerability:: Broken Authentication
Patched in Version:: 1.1.5
Severity Score:: Critical
CVE:: 2025-10850

Plugin:: Houzez Theme – Functionality
Plugin Slug:: houzez-theme-functionality
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.0
Severity Score:: Medium
CVE:: 2025-62058

Plugin:: Houzez Theme – Functionality
Plugin Slug:: houzez-theme-functionality
Vulnerability:: Local File Inclusion
Patched in Version:: 4.2.0
Severity Score:: High
CVE:: 2025-62054

Plugin:: WPBakery Page Builder
Plugin Slug:: js_composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.7
Severity Score:: Medium
CVE:: 2025-10006

Plugin:: WPBakery Page Builder
Plugin Slug:: js_composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.7
Severity Score:: Medium
CVE:: 2025-11161

Plugin:: WPBakery Page Builder
Plugin Slug:: js_composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.7
Severity Score:: Medium
CVE:: 2025-11160

Plugin:: Lisfinity Core
Plugin Slug:: lisfinity-core
Vulnerability:: Privilege Escalation
Patched in Version:: 1.5.0
Severity Score:: High
CVE:: 2025-6042

Plugin:: Ova Advent
Plugin Slug:: ova-advent
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.8
Severity Score:: Medium
CVE:: 2025-8561

Plugin:: SUMO Memberships for WooCommerce
Plugin Slug:: sumomemberships
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.8.0
Severity Score:: High
CVE:: 2025-62005

Plugin:: tagDiv Cloud Library
Plugin Slug:: td-cloud-library
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0
Severity Score:: Medium
CVE:: 2025-62032

Plugin:: tagDiv Composer
Plugin Slug:: td-composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.2
Severity Score:: Medium
CVE:: 2025-62030

Plugin:: TheGem Theme Elements (for WPBakery)
Plugin Slug:: thegem-elements
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.10.5.2
Severity Score:: Medium
CVE:: 2025-62044

Plugin:: UDesign Core
Plugin Slug:: u-design-core
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.14.2
Severity Score:: Medium
CVE:: 2025-62051

WordPress Themes � 8 Patched / 2 Unpatched

Theme:: ClassifiedPro
Theme Slug:: classified-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10706

Theme:: Rich Snippet Site Report
Theme Slug:: easysnippet
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-10310

Theme:: HomeLancer
Theme Slug:: homelancer
Downloads: 3,788
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.2
Severity Score:: Medium
CVE:: 2025-49375

Theme:: Newsup
Theme Slug:: newsup
Downloads: 2,628,569
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.11
Severity Score:: Medium
CVE:: 2025-8682

Theme:: Education WordPress Theme | HiStudy
Theme Slug:: histudy
Vulnerability:: SQL Injection
Patched in Version:: 3.1.0
Severity Score:: Critical
CVE:: 2025-48089

Theme:: Kallyas
Theme Slug:: kallyas
Vulnerability:: Broken Access Control
Patched in Version:: 4.23.0
Severity Score:: Medium
CVE:: 2025-62018

Theme:: Kallyas
Theme Slug:: kallyas
Vulnerability:: Broken Access Control
Patched in Version:: 4.23.0
Severity Score:: Medium
CVE:: 2025-62017

Theme:: Salient
Theme Slug:: salient
Vulnerability:: Broken Access Control
Patched in Version:: 17.4.0
Severity Score:: Medium
CVE:: 2025-62028

Theme:: WoodMart
Theme Slug:: woodmart
Vulnerability:: Local File Inclusion
Patched in Version:: 8.3.2
Severity Score:: High
CVE:: 2025-49935

Theme:: XStore
Theme Slug:: xstore
Vulnerability:: Local File Inclusion
Patched in Version:: 9.6
Severity Score:: High
CVE:: 2025-11746

WordPress Vulnerability Report � October 22, 2025

WordPress Core

WordPress Plugins � 79 Patched / 50 Unpatched

WordPress Themes � 8 Patched / 2 Unpatched

Related articles

Wait! Get exclusive hosting insights