WordPress Vulnerability Report — August 20, 2025

In this report, 191 vulnerabilities have been publicly disclosed. Security patches for 93 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 98 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

3. WordPress Themes — 13 Patched / 11 Unpatched

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.2 was released on July 15, 2025. This maintenance release includes fixes for 20 Core tickets and 15 Block Editor issues. For a full list of bug fixes, please refer to the release candidate announcement.

WordPress Plugins — 81 Patched / 93 Unpatched

Plugin:: Awesome Support – WordPress HelpDesk & Support Plugin
Plugin Slug:: awesome-support
Installations: 8,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53340

Plugin:: EventON – Events Calendar
Plugin Slug:: eventon-lite
Installations: 6,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8091

Plugin:: Simple Login Log
Plugin Slug:: simple-login-log
Installations: 6,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49438

Plugin:: Thank You Page Customizer for WooCommerce – Increase Your Sales
Plugin Slug:: woo-thank-you-page-customizer
Installations: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-30993

Plugin:: WP Emmet
Plugin Slug:: wp-emmet
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49894

Plugin:: Contact Info Widget
Plugin Slug:: simple-contact-info-widget
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49891

Plugin:: Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript
Plugin Slug:: add-custom-codes
Installations: 1,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-30975

Plugin:: StoryChief
Plugin Slug:: story-chief
Installations: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-7441

Plugin:: Cookie Warning
Plugin Slug:: cookie-warning
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49426

Plugin:: Cookie Warning
Plugin Slug:: cookie-warning
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49428

Plugin:: Page Transition
Plugin Slug:: page-transition
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49412

Plugin:: WP Discord Post Plus – Supports Unlimited Channels
Plugin Slug:: wp-discord-post-plus
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49896

Plugin:: AL Pack
Plugin Slug:: alpack
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7664

Plugin:: DigitalOcean Spaces Sync
Plugin Slug:: do-spaces-sync
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49047

Plugin:: Inspectlet – User Session Recording and Heatmaps
Plugin Slug:: inspectlet-heatmaps-and-user-session-recording
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49048

Plugin:: Terms of Service & Privacy Policy Generator
Plugin Slug:: terms-of-service-and-privacy-policy
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49413

Plugin:: iframe Wrapper
Plugin Slug:: iframe-wrapper
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49422

Plugin:: Essential Doo Components for Visual Composer
Plugin Slug:: animated-icon-banner-for-visual-composer
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49424

Plugin:: Build App Online
Plugin Slug:: build-app-online
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53249

Plugin:: Custom Menu
Plugin Slug:: custom-menu
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49436

Plugin:: Hide Text Shortcode
Plugin Slug:: hide-text-shortcode
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49051

Plugin:: Laposta WooCommerce
Plugin Slug:: laposta-woocommerce
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49434

Plugin:: WP Pipes
Plugin Slug:: wp-pipes
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-28977

Plugin:: CF7 Spreadsheets
Plugin Slug:: cf7-spreadsheets
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-50040

Plugin:: CodeablePress: Simple Frontend Profile Picture Upload
Plugin Slug:: codeablepress-simple-frontend-profile-picture-upload
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53221

Plugin:: Embed Bokun
Plugin Slug:: embed-bokun
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-6221

Plugin:: Forms
Plugin Slug:: forms-by-made-it
Installations: 100+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-24775

Plugin:: Netease Music
Plugin Slug:: netease-music
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49052

Plugin:: Project Cost Calculator
Plugin Slug:: project-cost-calculator
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52775

Plugin:: Time Sheets
Plugin Slug:: time-sheets
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49054

Plugin:: WP-Database-Optimizer-Tools
Plugin Slug:: wp-database-optimizer-tools
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53219

Plugin:: WP Dynamic Links
Plugin Slug:: wp-dynamic-links
Installations: 90+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49038

Plugin:: Authentication and xmlrpc log writer
Plugin Slug:: authentication-and-xmlrpc-log-writer
Installations: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49037

Plugin:: Infility Global
Plugin Slug:: infility-global
Installations: 80+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-47650

Plugin:: Premium Addons for KingComposer
Plugin Slug:: premium-addons-for-kingcomposer
Installations: 70+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49036

Plugin:: Simplified Plugin
Plugin Slug:: simplified
Installations: 70+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53241

Plugin:: WP Voting
Plugin Slug:: wp-voting
Installations: 70+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49057

Plugin:: Jenga Payment Gateway for WooCommerce
Plugin Slug:: woo-jenga-payment-gateway
Installations: 50+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49432

Plugin:: WordPress StoryMap Plugin
Plugin Slug:: wp-storymap
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52797

Plugin:: AWStats Script
Plugin Slug:: awstats-script
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49890

Plugin:: Custom Comment
Plugin Slug:: customcomment
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49889

Plugin:: WP Airdrop Manager
Plugin Slug:: airdrop
Installations: 30+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49053

Plugin:: Elizaibots
Plugin Slug:: elizaibot-chatbots
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49893

Plugin:: Vertical scroll slideshow gallery v2
Plugin Slug:: vertical-scroll-slideshow-gallery-v2
Installations: 20+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49897

Plugin:: Dropshix
Plugin Slug:: dropshipping-xox
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49898

Plugin:: Simple Poll
Plugin Slug:: simple-poll
Installations: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49044

Plugin:: SoundSt SEO Search
Plugin Slug:: soundst-seo-search
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49058

Plugin:: Video Expander
Plugin Slug:: video-expander
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-52771

Plugin:: Add User Meta
Plugin Slug:: add-user-meta
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7688

Plugin:: Simple Responsive Slider
Plugin Slug:: addi-simple-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8690

Plugin:: Alobaidi Captcha
Plugin Slug:: alobaidi-captcha
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8080

Plugin:: Anber Elementor Addon
Plugin Slug:: anber-elementor-addon
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7440

Plugin:: Assistant for NextGEN Gallery
Plugin Slug:: assistant-for-nextgen-gallery
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7641

Plugin:: bizcalendar-web
Plugin Slug:: bizcalendar-web
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7650

Plugin:: Blog Designer PRO
Plugin Slug:: blog-designer-pro
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-47695

Plugin:: CBX Restaurant Booking
Plugin Slug:: cbx-restaurant-booking
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7965

Plugin:: CleverReach® WP
Plugin Slug:: cleverreach-wp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-7036

Plugin:: CleverReach® WP
Plugin Slug:: cleverreach-wp
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49059

Plugin:: Earnware Connect
Plugin Slug:: earnware-connect
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7651

Plugin:: elink – Embed Content
Plugin Slug:: elink-embed-content
Vulnerability:: Other Vulnerability Type
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7507

Plugin:: flexo-social-gallery
Plugin Slug:: flexo-social-gallery
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-52769

Plugin:: Ultimate Video Player
Plugin Slug:: fwduvp
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49432

Plugin:: Gestion de tarifs
Plugin Slug:: gestion-tarifs
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7662

Plugin:: GMap Generator
Plugin Slug:: gmap-venturit
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8568

Plugin:: WPGYM
Plugin Slug:: gym-management
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-3671

Plugin:: WPGYM
Plugin Slug:: gym-management
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-6080

Plugin:: Icons Factory
Plugin Slug:: icons-factory
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7778

Plugin:: Inline Stock Quotes
Plugin Slug:: inline-stock-quotes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8688

Plugin:: Intl DateTime Calendar
Plugin Slug:: intl-datetime-calendar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8293

Plugin:: Last.fm Recent Album Artwork
Plugin Slug:: lastfm-recent-album-artwork
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7684

Plugin:: LatestCheckins
Plugin Slug:: latestcheckins
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7683

Plugin:: Linux Promotional Plugin
Plugin Slug:: linux-promotional-plugin
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7668

Plugin:: Mosaic Generator
Plugin Slug:: mosaic-generator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8621

Plugin:: NetInsight Analytics Implementation Plugin
Plugin Slug:: netinsight-analytics-implementation-plugin
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52765

Plugin:: NetInsight Analytics Implementation Plugin
Plugin Slug:: netinsight-analytics-implementation-plugin
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-52767

Plugin:: Pending Order Bot
Plugin Slug:: pending-order-bot
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49892

Plugin:: Radius Blocks
Plugin Slug:: radius-blocks
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-5844

Plugin:: RT Easy Builder – Advanced addons for Elementor
Plugin Slug:: rt-easy-builder-advanced-addons-for-elementor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8462

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2024-12612

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49895

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49896

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49898

Plugin:: School Management
Plugin Slug:: school-management
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-31100

Plugin:: ServerBuddy by PluginBuddy.com
Plugin Slug:: serverbuddy-by-pluginbuddy
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49895

Plugin:: Surbma | Recent Comments Shortcode
Plugin Slug:: surbma-recent-comments-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7649

Plugin:: Thim Core
Plugin Slug:: thim-core
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53344

Plugin:: Thim Core
Plugin Slug:: thim-core
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53346

Plugin:: WooCommerce Purchase Orders
Plugin Slug:: wc-purchase-orders
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5391

Plugin:: weichuncai(WP???)
Plugin Slug:: weichuncai
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-7686

Plugin:: Wp chart generator
Plugin Slug:: wp-chart-generator
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8685

Plugin:: JobSearch
Plugin Slug:: wp-jobsearch
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-52806

Plugin:: WP Private Content Plus
Plugin Slug:: wp-private-content-plus
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-4390

Plugin:: Plugin README Parser
Plugin Slug:: wp-readme-parser
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8720

Plugin:: Elementor Website Builder – More Than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Path Traversal
Patched in Version:: 3.30.3
Severity Score:: Medium
CVE:: 2025-8081

Plugin:: Essential Addons for Elementor – Popular Elementor Templates & Widgets
Plugin Slug:: essential-addons-for-elementor-lite
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.3
Severity Score:: Medium
CVE:: 2025-8451

Plugin:: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 14.15.2
Severity Score:: Medium
CVE:: 2025-55716

Plugin:: Advanced File Manager – Ultimate WP File Manager And Document Library Solution
Plugin Slug:: file-manager-advanced
Installations: 200,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 5.4.0
Severity Score:: Medium
CVE:: 2025-0818

Plugin:: File Manager Pro – Filester
Plugin Slug:: filester
Installations: 100,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 1.9
Severity Score:: Medium
CVE:: 2025-0818

Plugin:: Kadence WooCommerce Email Designer
Plugin Slug:: kadence-woocommerce-email-designer
Installations: 100,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.5.17
Severity Score:: High
CVE:: 2025-54697

Plugin:: Simple Local Avatars
Plugin Slug:: simple-local-avatars
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.5
Severity Score:: Medium
CVE:: 2025-8482

Plugin:: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Plugin Slug:: the-plus-addons-for-elementor-page-builder
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.3.14
Severity Score:: Medium
CVE:: 2025-55712

Plugin:: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug:: wp-user-avatar
Installations: 100,000+
Vulnerability:: Content Injection
Patched in Version:: 4.16.5
Severity Score:: Medium
CVE:: 2025-8878

Plugin:: LatePoint – Calendar Booking Plugin for Appointments and Events
Plugin Slug:: latepoint
Installations: 80,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 5.1.94
Severity Score:: High
CVE:: 2025-6715

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.28
Severity Score:: Medium
CVE:: 2025-8357

Plugin:: WPC Smart Compare for WooCommerce
Plugin Slug:: woo-smart-compare
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.8
Severity Score:: Medium
CVE:: 2025-7496

Plugin:: Drag and Drop Multiple File Upload for Contact Form 7
Plugin Slug:: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 60,000+
Vulnerability:: Directory Traversal
Patched in Version:: 1.3.9.1
Severity Score:: Medium
CVE:: 2025-8464

Plugin:: WP Table Builder – WordPress Table Plugin
Plugin Slug:: wp-table-builder
Installations: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.13
Severity Score:: Medium
CVE:: 2025-55711

Plugin:: Advanced iFrame
Plugin Slug:: advanced-iframe
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2025.7
Severity Score:: Medium
CVE:: 2025-8089

Plugin:: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.14.4
Severity Score:: Medium
CVE:: 2025-8896

Plugin:: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.37.3
Severity Score:: Medium
CVE:: 2025-55710

Plugin:: Structured Content (JSON-LD) #wpsc
Plugin Slug:: structured-content
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.0
Severity Score:: Medium
CVE:: 2025-3414

Plugin:: Visual Composer Website Builder
Plugin Slug:: visualcomposer
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 45.15.0
Severity Score:: Medium
CVE:: 2025-55709

Plugin:: BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
Plugin Slug:: betterdocs
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.2
Severity Score:: Medium
CVE:: 2025-7499

Plugin:: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Plugin Slug:: master-addons
Installations: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9.1
Severity Score:: Medium
CVE:: 2025-8874

Plugin:: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 10.2.3
Severity Score:: Medium
CVE:: 2025-6790

Plugin:: Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Plugin Slug:: quiz-master-next
Installations: 40,000+
Vulnerability:: SQL Injection
Patched in Version:: 10.2.5
Severity Score:: High
CVE:: 2025-55708

Plugin:: UiCore Elements – Free Elementor widgets and templates
Plugin Slug:: uicore-elements
Installations: 40,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.3.1
Severity Score:: High
CVE:: 2025-6253

Plugin:: FunnelKit – Funnel Builder for WooCommerce Checkout
Plugin Slug:: funnel-builder
Installations: 30,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.11.1
Severity Score:: High
CVE:: 2025-7654

Plugin:: PPWP – Password Protect WordPress | #1 Most-Reviewed Password Plugin
Plugin Slug:: password-protect-page
Installations: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.9.11
Severity Score:: Medium
CVE:: 2025-5998

Plugin:: Welcart e-Commerce
Plugin Slug:: usc-e-shop
Installations: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.11.17
Severity Score:: High
CVE:: 2025-54012

Plugin:: FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Plugin Slug:: wp-marketing-automations
Installations: 20,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.6.4
Severity Score:: High
CVE:: 2025-7654

Plugin:: Frontend Admin by DynamiApps
Plugin Slug:: acf-frontend-form-element
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.28.5
Severity Score:: High
CVE:: 2025-49267

Plugin:: Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder
Plugin Slug:: bit-form
Installations: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.20.4
Severity Score:: Critical
CVE:: 2025-6679

Plugin:: Graphina – Elementor Charts and Graphs
Plugin Slug:: graphina-elementor-charts-and-graphs
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2025-8867

Plugin:: Quttera Web Malware Scanner
Plugin Slug:: quttera-web-malware-scanner
Installations: 10,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 3.5.2.1
Severity Score:: Low
CVE:: 2025-8013

Plugin:: Shortcode Redirect
Plugin Slug:: shortcode-redirect
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.03
Severity Score:: Medium
CVE:: 2025-54746

Plugin:: Eventin – AI Powered Event Manager, Events Calendar, Booking and Tickets Plugin
Plugin Slug:: wp-event-solution
Installations: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.0.32
Severity Score:: High
CVE:: 2025-49869

Plugin:: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
Plugin Slug:: the-plus-addons-for-block-editor
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.5
Severity Score:: Medium
CVE:: 2025-8567

Plugin:: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
Plugin Slug:: the-plus-addons-for-block-editor
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.5.5
Severity Score:: Medium
CVE:: 2025-54739

Plugin:: Flexible Map
Plugin Slug:: wp-flexible-map
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.19.0
Severity Score:: Medium
CVE:: 2025-8622

Plugin:: Dynamic Pricing With Discount Rules for WooCommerce
Plugin Slug:: aco-woo-dynamic-pricing
Installations: 7,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 4.5.10
Severity Score:: Critical
CVE:: 2025-47588

Plugin:: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Plugin Slug:: poll-maker
Installations: 7,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 5.9.0
Severity Score:: Medium
CVE:: 2024-12575

Plugin:: Print My Blog – Print, PDF, & eBook Converter WordPress Plugin
Plugin Slug:: print-my-blog
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.27.10
Severity Score:: Medium
CVE:: 2025-54740

Plugin:: B Slider – Responsive Image Slider
Plugin Slug:: b-slider
Installations: 5,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2025-8680

Plugin:: B Slider – Responsive Image Slider
Plugin Slug:: b-slider
Installations: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2025-8676

Plugin:: CM Search And Replace – Optimize content edits with a powerful search and replace tool
Plugin Slug:: cm-on-demand-search-and-replace
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-54727

Plugin:: CM Search And Replace – Optimize content edits with a powerful search and replace tool
Plugin Slug:: cm-on-demand-search-and-replace
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.5.3
Severity Score:: Medium
CVE:: 2025-54728

Plugin:: Embedder for Google Reviews
Plugin Slug:: embedder-for-google-reviews
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.7.4
Severity Score:: Medium
CVE:: 2025-54730

Plugin:: Appointment Booking & Scheduling Plugin — Webba Booking Calendar
Plugin Slug:: webba-booking-lite
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.0.6
Severity Score:: Medium
CVE:: 2025-54729

Plugin:: WP Shopify
Plugin Slug:: wp-shopify
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.4
Severity Score:: High
CVE:: 2025-7808

Plugin:: Premium Packages – Sell Digital Products Securely
Plugin Slug:: wpdm-premium-packages
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.0.3
Severity Score:: Medium
CVE:: 2025-54732

Plugin:: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug:: meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 4.5.5
Severity Score:: Critical
CVE:: 2025-54677

Plugin:: oik
Plugin Slug:: oik
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.15.3
Severity Score:: High
CVE:: 2025-54670

Plugin:: Order Tip for WooCommerce
Plugin Slug:: order-tip-woo
Installations: 2,000+
Vulnerability:: Other Vulnerability Type
Patched in Version:: 1.5.5
Severity Score:: High
CVE:: 2025-6025

Plugin:: Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
Plugin Slug:: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Installations: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.9.1
Severity Score:: Medium
CVE:: 2025-54715

Plugin:: Easy Elementor Addons
Plugin Slug:: easy-elementor-addons
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.8
Severity Score:: Medium
CVE:: 2025-54712

Plugin:: AnWP Football Leagues
Plugin Slug:: football-leagues-by-anwppro
Installations: 1,000+
Vulnerability:: CSV Injection
Patched in Version:: 0.16.18
Severity Score:: Medium
CVE:: 2025-8767

Plugin:: Injection Guard
Plugin Slug:: injection-guard
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.8
Severity Score:: High
CVE:: 2025-8046

Plugin:: Markup Markdown
Plugin Slug:: markup-markdown
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.20.7
Severity Score:: Medium
CVE:: 2025-49420

Plugin:: Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping
Plugin Slug:: membership-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2025-54692

Plugin:: MDTF – Meta Data and Taxonomies Filter
Plugin Slug:: wp-meta-data-filter-and-taxonomy-filter
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.3.8
Severity Score:: Critical
CVE:: 2025-54707

Plugin:: 12 Step Meeting List
Plugin Slug:: 12-step-meeting-list
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.18.4
Severity Score:: Medium
CVE:: 2025-54054

Plugin:: B Blocks – Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6
Severity Score:: Medium
CVE:: 2025-54708

Plugin:: B Blocks – Essential Gutenberg Blocks & Patterns Collection
Plugin Slug:: b-blocks
Installations: 800+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.7
Severity Score:: Critical
CVE:: 2025-8059

Plugin:: RSS Feed Pro
Plugin Slug:: rss-feed-pro
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.9
Severity Score:: Medium
CVE:: 2025-53581

Plugin:: WordLift – AI powered SEO – Schema
Plugin Slug:: wordlift
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.54.6
Severity Score:: Medium
CVE:: 2025-53582

Plugin:: Cloudflare Image Resizing – Optimize & Accelerate Your Images
Plugin Slug:: cf-image-resizing
Installations: 300+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.5.7
Severity Score:: Critical
CVE:: 2025-8723

Plugin:: Easy restaurant menu manager
Plugin Slug:: easy-pdf-restaurant-menu-upload
Installations: 300+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.3
Severity Score:: Medium
CVE:: 2025-8491

Plugin:: WooCommerce Fortnox Integration
Plugin Slug:: woocommerce-fortnox-integration
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.7
Severity Score:: Medium
CVE:: 2025-47610

Plugin:: Primer MyData for Woocommerce
Plugin Slug:: primer-mydata
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.2.6
Severity Score:: High
CVE:: 2025-53575

Plugin:: Neon Channel Product Customizer Free
Plugin Slug:: neon-channel-product-customizer-free
Installations: 40+
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 3.0
Severity Score:: High
CVE:: 2025-54679

Plugin:: Project Management, Bug and Issue Tracking Plugin – Software Issue Manager
Plugin Slug:: software-issue-manager
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.1
Severity Score:: Medium
CVE:: 2025-8314

Plugin:: Billplz Addon for Contact Form 7
Plugin Slug:: billplz-for-contact-form-7
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.1
Severity Score:: High
CVE:: 2025-31007

Plugin:: WordPress Event Manager, Event Calendar and Booking Plugin
Plugin Slug:: eventin-pro
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 4.0.25
Severity Score:: High
CVE:: 2025-52731

Plugin:: WordPress Event Manager, Event Calendar and Booking Plugin
Plugin Slug:: eventin-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.25
Severity Score:: Medium
CVE:: 2025-52730

Plugin:: JetElements For Elementor
Plugin Slug:: jet-elements
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.9.1
Severity Score:: Medium
CVE:: 2025-55714

Plugin:: JetProductGallery
Plugin Slug:: jet-woo-product-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.0.3
Severity Score:: Medium
CVE:: 2025-54749

Plugin:: Login with phone number
Plugin Slug:: login-with-phone-number
Vulnerability:: Broken Authentication
Patched in Version:: 1.8.48
Severity Score:: High
CVE:: 2025-8342

Plugin:: Real Estate Manager Pro
Plugin Slug:: real-estate-manager-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.7.4
Severity Score:: High
CVE:: 2025-54032

Plugin:: Responsive Posts Carousel WordPress Plugin
Plugin Slug:: responsive-posts-carousel-pro
Vulnerability:: Local File Inclusion
Patched in Version:: 15.1
Severity Score:: High
CVE:: 2025-52728

Plugin:: Templatera
Plugin Slug:: templatera
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.0
Severity Score:: Medium
CVE:: 2025-54747

Plugin:: Tutor LMS Pro
Plugin Slug:: tutor-pro
Vulnerability:: SQL Injection
Patched in Version:: 3.7.1
Severity Score:: High
CVE:: 2025-6184

Plugin:: File Manager Pro
Plugin Slug:: wp-file-manager-pro
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 8.4.3
Severity Score:: Medium
CVE:: 2025-0818

Plugin:: WP Membership
Plugin Slug:: wp-membership
Vulnerability:: Settings Change
Patched in Version:: 1.6.4
Severity Score:: Medium
CVE:: 2025-54717

WordPress Themes — 12 Patched / 5 Unpatched

Theme:: modernize
Theme Slug:: modernize
Downloads: 59,351
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53342

Theme:: modernize
Theme Slug:: modernize
Downloads: 59,351
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53343

Theme:: Kalium
Theme Slug:: kalium
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53347

Theme:: Stratus
Theme Slug:: stratus
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53341

Theme:: WP Rentals
Theme Slug:: wprentals
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53330

Theme:: Blocksy
Theme Slug:: blocksy
Downloads: 4,877,063
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.7
Severity Score:: Medium
CVE:: 2025-55713

Theme:: OceanWP
Theme Slug:: oceanwp
Downloads: 8,737,187
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.1.2
Severity Score:: Medium
CVE:: 2025-8891

Theme:: The7
Theme Slug:: dt-the7
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.7.0
Severity Score:: Medium
CVE:: 2025-7726

Theme:: Findgo
Theme Slug:: findgo
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.58
Severity Score:: High
CVE:: 2025-53587

Theme:: Makeaholic
Theme Slug:: makeaholic
Vulnerability:: Local File Inclusion
Patched in Version:: 1.8.5
Severity Score:: High
CVE:: 2025-54700

Theme:: Real Spaces
Theme Slug:: real-spaces
Vulnerability:: Privilege Escalation
Patched in Version:: 3.6.1
Severity Score:: Critical
CVE:: 2025-6758

Theme:: Real Spaces
Theme Slug:: real-spaces
Vulnerability:: Privilege Escalation
Patched in Version:: 3.6
Severity Score:: High
CVE:: 2025-8218

Theme:: Savoy
Theme Slug:: savoy
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.0.9
Severity Score:: Medium
CVE:: 2025-54736

Theme:: Soledad
Theme Slug:: soledad
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.6.8
Severity Score:: Medium
CVE:: 2025-8143

Theme:: Soledad
Theme Slug:: soledad
Vulnerability:: Local File Inclusion
Patched in Version:: 8.6.8
Severity Score:: High
CVE:: 2025-8142

Theme:: Soledad
Theme Slug:: soledad
Vulnerability:: Content Injection
Patched in Version:: 8.6.8
Severity Score:: High
CVE:: 2025-8105

Theme:: Unicamp
Theme Slug:: unicamp
Vulnerability:: Local File Inclusion
Patched in Version:: 2.6.4
Severity Score:: High
CVE:: 2025-54701

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

The post WordPress Vulnerability Report — August 20, 2025 appeared first on SolidWP.

Click here to continue reading this article.

Your WordPress News Dashboard

WordPress Vulnerability Report — August 20, 2025

Table of Contents

WordPress Core

WordPress Plugins — 81 Patched / 93 Unpatched