WordPress Vulnerability Report — August 13, 2025

In this report, 83 vulnerabilities have been publicly disclosed. Security patches for 51 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 32 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

3. WordPress Themes — 13 Patched / 11 Unpatched

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.2 was released on July 15, 2025. This maintenance release includes fixes for 20 Core tickets and 15 Block Editor issues. For a full list of bug fixes, please refer to the release candidate announcement.

WordPress Plugins — 46 Patched / 31 Unpatched

Plugin:: Thank You Page Customizer for WooCommerce – Increase Your Sales
Plugin Slug:: woo-thank-you-page-customizer
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-30993

Plugin:: Eventer
Plugin Slug:: eventer
Installations: 1,000+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-39483

Plugin:: Porn Videos Embed
Plugin Slug:: porn-videos-embed
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49061

Plugin:: CF7 Spreadsheets
Plugin Slug:: cf7-spreadsheets
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50040

Plugin:: Flex Guten – Multile Blocks
Plugin Slug:: flex-guten
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6256

Plugin:: WooCommerce Fortnox Integration
Plugin Slug:: woocommerce-fortnox-integration
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47610

Plugin:: SMM API
Plugin Slug:: smm-api
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52785

Plugin:: Project Cost Calculator
Plugin Slug:: project-cost-calculator
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52775

Plugin:: WP-jScrollPane
Plugin Slug:: wp-jscrollpane
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49062

Plugin:: BaiduXZH Submit(?????)
Plugin Slug:: i3geek-baiduxzh
Installations: 90+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49063

Plugin:: ????????
Plugin Slug:: duoshuo
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49056

Plugin:: User Language Switch
Plugin Slug:: user-language-switch
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49064

Plugin:: Visit Counter
Plugin Slug:: visit-counter
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49065

Plugin:: Premium Addons for KingComposer
Plugin Slug:: premium-addons-for-kingcomposer
Installations: 70+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49036

Plugin:: Simple Responsive Slider
Plugin Slug:: addi-simple-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8690

Plugin:: CBX Restaurant Booking
Plugin Slug:: cbx-restaurant-booking
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7965

Plugin:: CleverReach® WP
Plugin Slug:: cleverreach-wp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-7036

Plugin:: CleverReach® WP
Plugin Slug:: cleverreach-wp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49059

Plugin:: esri-map-view
Plugin Slug:: esri-map-view
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6259

Plugin:: GMap Generator
Plugin Slug:: gmap-venturit
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8568

Plugin:: IDonatePro
Plugin Slug:: idonate-pro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30639

Plugin:: Inline Stock Quotes
Plugin Slug:: inline-stock-quotes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8688

Plugin:: WP Lead Capturing Pages
Plugin Slug:: leadcapture
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-31425

Plugin:: Mmm Unity Loader
Plugin Slug:: mmm-unity-loader
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8399

Plugin:: Mosaic Generator
Plugin Slug:: mosaic-generator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8621

Plugin:: RT Easy Builder – Advanced addons for Elementor
Plugin Slug:: rt-easy-builder-advanced-addons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8462

Plugin:: OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)
Plugin Slug:: stepbyteservice-openstreetmap
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6572

Plugin:: WooCommerce Purchase Orders
Plugin Slug:: wc-purchase-orders
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5391

Plugin:: Wp chart generator
Plugin Slug:: wp-chart-generator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8685

Plugin:: WP Private Content Plus
Plugin Slug:: wp-private-content-plus
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4390

Plugin:: WP Tournament Registration
Plugin Slug:: wp-tournament-registration
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6690

Plugin:: Elementor Website Builder – More Than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Path Traversal
Patched in Version:: 3.30.3
Severity Score:: Medium
CVE:: 2025-8081

Plugin:: Advanced Custom Fields (ACF®)
Plugin Slug:: advanced-custom-fields
Installations: 2,000,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.5.2
Severity Score:: Low

Plugin:: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
Plugin Slug:: header-footer-elementor
Installations: 2,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.7
Severity Score:: Medium
CVE:: 2025-8488

Plugin:: FileBird – WordPress Media Library Folders & File Manager
Plugin Slug:: filebird
Installations: 200,000+
Vulnerability:: SQL Injection
Patched in Version:: 6.4.9
Severity Score:: High
CVE:: 2025-6986

Plugin:: Qi Addons For Elementor
Plugin Slug:: qi-addons-for-elementor
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.3
Severity Score:: Medium
CVE:: 2025-8146

Plugin:: Element Pack Addons for Elementor – Mega Menu, Header Footer, Dynamic Builder and Ready Templates
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.1.6
Severity Score:: Medium
CVE:: 2025-8100

Plugin:: Simple Local Avatars
Plugin Slug:: simple-local-avatars
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.5
Severity Score:: Medium
CVE:: 2025-8482

Plugin:: Ocean Social Sharing
Plugin Slug:: ocean-social-sharing
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.2
Severity Score:: Medium
CVE:: 2025-7500

Plugin:: Exclusive Addons for Elementor
Plugin Slug:: exclusive-addons-for-elementor
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.9.5
Severity Score:: Medium
CVE:: 2025-7498

Plugin:: WP Import Export Lite
Plugin Slug:: wp-import-export-lite
Installations: 50,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.9.30
Severity Score:: Critical
CVE:: 2025-5061

Plugin:: WP Import Export Lite
Plugin Slug:: wp-import-export-lite
Installations: 50,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 3.9.29
Severity Score:: Critical
CVE:: 2025-6207

Plugin:: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9.1
Severity Score:: Medium
CVE:: 2025-8874

Plugin:: UiCore Elements – Free Elementor widgets and templates
Plugin Slug:: uicore-elements
Installations: 40,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-6253

Plugin:: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor
Plugin Slug:: gutenverse
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: Medium
CVE:: 2025-7727

Plugin:: Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry
Plugin Slug:: post-grid
Installations: 30,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.3.12
Severity Score:: High
CVE:: 2025-54007

Plugin:: Eventin – Event Manager, Events Calendar, Booking, Tickets and Registration
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.0.35
Severity Score:: High
CVE:: 2025-4796

Plugin:: Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler
Plugin Slug:: cf7-styler
Installations: 4,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.3
Severity Score:: High
CVE:: 2025-54028

Plugin:: Coupon Affiliates – Affiliate Plugin for WooCommerce
Plugin Slug:: woo-coupon-usage
Installations: 4,000+
Vulnerability:: Settings Change
Patched in Version:: 6.4.2
Severity Score:: Medium
CVE:: 2025-54025

Plugin:: Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder
Plugin Slug:: easy-form-builder
Installations: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.8.16
Severity Score:: Critical
CVE:: 2025-54678

Plugin:: GravityWP – Merge Tags
Plugin Slug:: gravitywp-merge-tags
Installations: 2,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.4.5
Severity Score:: High
CVE:: 2025-49271

Plugin:: AnWP Football Leagues
Plugin Slug:: football-leagues-by-anwppro
Installations: 1,000+
Vulnerability:: CSV Injection
Patched in Version:: 0.16.18
Severity Score:: Medium
CVE:: 2025-8767

Plugin:: Prevent files / folders access
Plugin Slug:: prevent-file-access
Installations: 1,000+
Vulnerability:: Path Traversal
Patched in Version:: 2.6.1
Severity Score:: Medium
CVE:: 2025-53561

Plugin:: Request a Quote Form Plugin – Price Quote Request Management Made Easy
Plugin Slug:: request-a-quote
Installations: 1,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.5.3
Severity Score:: High
CVE:: 2025-8420

Plugin:: FundEngine – Donation and Crowdfunding Platform
Plugin Slug:: wp-fundraising-donation
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.7.5
Severity Score:: High
CVE:: 2025-48302

Plugin:: B Blocks – The ultimate block collection
Plugin Slug:: b-blocks
Installations: 800+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.7
Severity Score:: Critical
CVE:: 2025-8059

Plugin:: ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
Plugin Slug:: zoloblocks
Installations: 700+
Vulnerability:: Local File Inclusion
Patched in Version:: 2.3.3
Severity Score:: High
CVE:: 2025-53210

Plugin:: Code Engine
Plugin Slug:: code-engine
Installations: 600+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 0.3.4
Severity Score:: Critical
CVE:: 2025-48169

Plugin:: BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security
Plugin Slug:: bitfire
Installations: 400+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.6
Severity Score:: Medium
CVE:: 2025-6722

Plugin:: Form Block
Plugin Slug:: form-block
Installations: 200+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.5.6
Severity Score:: Critical
CVE:: 2025-54693

Plugin:: Employee Directory – Staff Listing & Team Directory Plugin for WordPress
Plugin Slug:: employee-directory
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.2
Severity Score:: Medium
CVE:: 2025-8295

Plugin:: RentSyst – CRM solution for fleet management
Plugin Slug:: rentsyst
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.101
Severity Score:: High
CVE:: 2025-48152

Plugin:: Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress
Plugin Slug:: campus-directory
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.2
Severity Score:: Medium
CVE:: 2025-8313

Plugin:: Download Counter
Plugin Slug:: download-counter
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2025-8294

Plugin:: Simple Contact Form Plugin for WordPress – WP Easy Contact
Plugin Slug:: wp-easy-contact
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.2
Severity Score:: Medium
CVE:: 2025-8315

Plugin:: Project Management, Bug and Issue Tracking Plugin – Software Issue Manager
Plugin Slug:: software-issue-manager
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.1
Severity Score:: Medium
CVE:: 2025-8314

Plugin:: Brave Conversion Engine (PRO)
Plugin Slug:: bravepopup-pro
Vulnerability:: Broken Authentication
Patched in Version:: 0.8.0
Severity Score:: Critical
CVE:: 2025-7710

Plugin:: WordPress Event Manager, Event Calendar and Booking Plugin
Plugin Slug:: eventin-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.25
Severity Score:: Medium
CVE:: 2025-52730

Plugin:: Global Gallery
Plugin Slug:: global-gallery
Vulnerability:: Broken Access Control
Patched in Version:: 9.2.4
Severity Score:: Medium
CVE:: 2025-52721

Plugin:: Groundhogg
Plugin Slug:: groundhogg
Vulnerability:: PHP Object Injection
Patched in Version:: 4.2.2.1
Severity Score:: Medium
CVE:: 2025-54053

Plugin:: WPBakery Page Builder
Plugin Slug:: js_composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.6
Severity Score:: Medium
CVE:: 2025-7502

Plugin:: Multimedia Playlist Slider Addon for WPBakery Page Builder
Plugin Slug:: lbg_vp_youtube_vimeo_addon_visual_composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2
Severity Score:: High
CVE:: 2025-48154

Plugin:: MapSVG
Plugin Slug:: mapsvg
Vulnerability:: SQL Injection
Patched in Version:: 8.7.4
Severity Score:: Critical
CVE:: 2025-54669

Plugin:: Cost Calculator
Plugin Slug:: ql-cost-calculator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7 .5
Severity Score:: Medium
CVE:: 2025-54046

Plugin:: Reveal Listing
Plugin Slug:: reveal-listing
Vulnerability:: Privilege Escalation
Patched in Version:: 3.4
Severity Score:: Critical
CVE:: 2025-6994

Plugin:: Use-your-Drive
Plugin Slug:: use-your-drive
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.2
Severity Score:: High
CVE:: 2025-7050

Plugin:: Woffice Core
Plugin Slug:: woffice-core
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.4.27
Severity Score:: Medium
CVE:: 2025-7694

WordPress Themes — 5 Patched / 1 Unpatched

Theme:: Shopo
Theme Slug:: shopo
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31048

Theme:: Zakra
Theme Slug:: zakra
Downloads: 1,935,472
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.6
Severity Score:: Medium
CVE:: 2025-8595

Theme:: Betheme
Theme Slug:: betheme
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 28.1.4
Severity Score:: Medium
CVE:: 2025-7399

Theme:: The7
Theme Slug:: dt-the7
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.7.0
Severity Score:: Medium
CVE:: 2025-7726

Theme:: Urna
Theme Slug:: urna
Vulnerability:: Local File Inclusion
Patched in Version:: 2.5.8
Severity Score:: High
CVE:: 2025-54689

Theme:: Xinterio
Theme Slug:: xinterio
Vulnerability:: Local File Inclusion
Patched in Version:: 4.3
Severity Score:: High
CVE:: 2025-54690

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

The post WordPress Vulnerability Report — August 13, 2025 appeared first on SolidWP.

Click here to continue reading this article.

Your WordPress News Dashboard

WordPress Vulnerability Report — August 13, 2025

Table of Contents

WordPress Core

WordPress Plugins — 46 Patched / 31 Unpatched

WordPress Themes — 5 Patched / 1 Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Sarah Ulmer

Latest posts

Text widget

Sponsored by WP Mayor

Latest posts

Built with WP RSS Aggregator