WordPress Vulnerability Report — August 27, 2025

In this report, 169 vulnerabilities have been publicly disclosed. Security patches for 71 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 98 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

3. WordPress Themes — 13 Patched / 11 Unpatched

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.2 was released on July 15, 2025. This maintenance release includes fixes for 20 Core tickets and 15 Block Editor issues. For a full list of bug fixes, please refer to the release candidate announcement.

WordPress Plugins — 58 Patched / 87 Unpatched

Plugin:: Site Offline Or Coming Soon Or Maintenance Mode
Plugin Slug:: site-offline
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48348

Plugin:: Video Gallery – Vimeo and YouTube Gallery
Plugin Slug:: smart-grid-gallery
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48349

Plugin:: Statify Widget
Plugin Slug:: statify-widget
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48322

Plugin:: Add Code To Head
Plugin Slug:: add-code-to-head
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48314

Plugin:: Popup for CF7 with Sweet Alert
Plugin Slug:: cf7-sweet-alert-popup
Installations: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48363

Plugin:: AutoWP – AI Content Writer & Rewriter
Plugin Slug:: autowp-ai-content-writer-rewriter
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48350

Plugin:: Backup Bolt
Plugin Slug:: backup-bolt
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49040

Plugin:: Century ToolKit
Plugin Slug:: century-toolkit
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48357

Plugin:: Post Type Converter
Plugin Slug:: post-type-converter
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48303

Plugin:: Varnish/Nginx Proxy Caching
Plugin Slug:: vcaching
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48360

Plugin:: WP Mailgun SMTP
Plugin Slug:: wp-mailgun-smtp
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48327

Plugin:: ??????.??? ?????? / Yandex Site search pinger
Plugin Slug:: yandex-pinger
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48352

Plugin:: Admin Menu Groups
Plugin Slug:: admin-menu-groups
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49035

Plugin:: Cookie Warning
Plugin Slug:: cookie-warning
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49426

Plugin:: Cookie Warning
Plugin Slug:: cookie-warning
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49428

Plugin:: Link View
Plugin Slug:: link-view
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48110

Plugin:: Link View
Plugin Slug:: link-view
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49039

Plugin:: Page Transition
Plugin Slug:: page-transition
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49412

Plugin:: WordPress HTML
Plugin Slug:: custom-html-bodyhead
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48315

Plugin:: Responsive Mobile-Friendly Tooltip
Plugin Slug:: responsive-mobile-friendly-tooltip
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48316

Plugin:: Terms of Service & Privacy Policy Generator
Plugin Slug:: terms-of-service-and-privacy-policy
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49413

Plugin:: WPAvatar
Plugin Slug:: wpavatar
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48312

Plugin:: bxSlider integration for WordPress
Plugin Slug:: bxslider-integration
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48347

Plugin:: iFrame Block
Plugin Slug:: iframe-block
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49411

Plugin:: iframe Wrapper
Plugin Slug:: iframe-wrapper
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49422

Plugin:: Risk Free Cash On Delivery (COD) – WooCommerce
Plugin Slug:: risk-free-cash-on-delivery-cod-woocommerce
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48358

Plugin:: Essential Doo Components for Visual Composer
Plugin Slug:: animated-icon-banner-for-visual-composer
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49424

Plugin:: Hesabfa Accounting
Plugin Slug:: hesabfa-accounting
Installations: 500+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48361

Plugin:: Hesabfa Accounting
Plugin Slug:: hesabfa-accounting
Installations: 500+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48362

Plugin:: Better Post & Filter Widgets for Elementor
Plugin Slug:: better-post-filter-widgets-for-elementor
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48354

Plugin:: TC Testimonials
Plugin Slug:: tc-testimonial
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49410

Plugin:: LifePress
Plugin Slug:: lifepress
Installations: 200+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53337

Plugin:: Tripadvisor Shortcode
Plugin Slug:: tripadvisor-shortcode
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48313

Plugin:: ??????
Plugin Slug:: baidushare-wp
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48320

Plugin:: BetPress
Plugin Slug:: betpress
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48309

Plugin:: Comments Capcha Box
Plugin Slug:: comments-capcha-box
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53226

Plugin:: e-Boekhouden.nl
Plugin Slug:: e-boekhoudennl-connector
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53225

Plugin:: Employee Directory – Staff Listing & Team Directory Plugin for WordPress
Plugin Slug:: employee-directory
Installations: 100+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53243

Plugin:: Invisible Optin
Plugin Slug:: invisible-optin
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48311

Plugin:: NextGEN Gallery Search
Plugin Slug:: nextgen-gallery-search-galleries
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53224

Plugin:: Page Manager for Elementor
Plugin Slug:: page-manager-for-elementor
Installations: 100+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53230

Plugin:: Theme Switcher Reloaded
Plugin Slug:: theme-switcher-reloaded
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53223

Plugin:: Ultimate twitter profile widget
Plugin Slug:: ultimate-twitter-profile-widget
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48321

Plugin:: Table Editor
Plugin Slug:: wp-table-editor
Installations: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48310

Plugin:: ATT YouTube Widget
Plugin Slug:: att-youtube
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48359

Plugin:: Google XML News Sitemap plugin
Plugin Slug:: gn-xml-sitemap
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48304

Plugin:: Kento Splash Screen
Plugin Slug:: kento-splash-screen
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48351

Plugin:: SEO For Images
Plugin Slug:: seo-for-images
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48307

Plugin:: ????????
Plugin Slug:: duoshuo
Installations: 80+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48318

Plugin:: Newsletter subscription optin module
Plugin Slug:: newsletter-subscription-widget-for-sendblaster
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48308

Plugin:: WP Admin Theme
Plugin Slug:: wp-admin-theme
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48325

Plugin:: XM-Backup
Plugin Slug:: xm-backup
Installations: 70+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48109

Plugin:: Clickbank WordPress Plugin (Niche Storefront)
Plugin Slug:: clickbank-niche-storefronts
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48353

Plugin:: WPMU Ldap Authentication
Plugin Slug:: wpmuldap
Installations: 60+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48343

Plugin:: bidorbuy Store Integrator
Plugin Slug:: bidorbuystoreintegrator
Installations: 50+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-48100

Plugin:: rajce
Plugin Slug:: rajce
Installations: 50+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48364

Plugin:: Savyour Affiliate Partner
Plugin Slug:: savyour-affiliate-partner
Installations: 50+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-48306

Plugin:: SensorPress
Plugin Slug:: sensorpress-uptime-monitoring
Installations: 50+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49409

Plugin:: Custom Comment
Plugin Slug:: customcomment
Installations: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48365

Plugin:: Simpler Checkout
Plugin Slug:: simpler-checkout
Installations: 40+
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-7642

Plugin:: Kanpress
Plugin Slug:: kanpress
Installations: 20+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48356

Plugin:: Goal Tracker for Patreon
Plugin Slug:: goal-tracker-for-patreon
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48305

Plugin:: Support Ticket
Plugin Slug:: support-ticket
Installations: 10+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49422

Plugin:: tli.tl auto Twitter poster
Plugin Slug:: tlitl-auto-twitter-poster
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48324

Plugin:: WP Funnel Manager
Plugin Slug:: wp-funnel-manager
Installations: 10+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-52761

Plugin:: Advance Food Menu
Plugin Slug:: advance-food-menu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48323

Plugin:: Premium Age Verification / Restriction for WordPress
Plugin Slug:: age-restriction
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49408

Plugin:: Bravis User
Plugin Slug:: bravis-user
Vulnerability:: Broken Authentication
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-5060

Plugin:: Exertio Framework
Plugin Slug:: exertio-framework
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49402

Plugin:: Silencesoft RSS Reader
Plugin Slug:: external-rss-reader
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7842

Plugin:: Listeo-Core
Plugin Slug:: listeo-core
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49404

Plugin:: Mesa Mesa Reservation Widget
Plugin Slug:: mesa-mesa-reservation-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48319

Plugin:: Ni WooCommerce Customer Product Report
Plugin Slug:: ni-woocommerce-customer-product-report
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7827

Plugin:: Ogulo – 360° Tour
Plugin Slug:: ogulo-360-tour
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-9131

Plugin:: Portfolio Manager Pro
Plugin Slug:: otw-portfolio-manager
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49409

Plugin:: Portfolio Manager Pro
Plugin Slug:: otw-portfolio-manager
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49410

Plugin:: PressApps Knowledge Base Contextual Sidebar Addon
Plugin Slug:: pressapps-knowledge-base
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49400

Plugin:: ProveSource Social Proof
Plugin Slug:: provesource
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-48355

Plugin:: Restore Permanently delete Post or Page Data
Plugin Slug:: restore-permanently-delete-post-or-page-data
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7839

Plugin:: ShortcodeHub – MultiPurpose Shortcode Builder
Plugin Slug:: shortcodehub
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7957

Plugin:: Super Store Finder
Plugin Slug:: superstorefinder-wp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49413

Plugin:: ThemeMakers Visual Content Composer
Plugin Slug:: tmm_content_composer
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-53299

Plugin:: WC Plus
Plugin Slug:: wc-plus
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7821

Plugin:: WP Filter & Combine RSS Feeds
Plugin Slug:: wp-filter-combine-rss-feeds
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-7828

Plugin:: WP Talroo
Plugin Slug:: wp-jobs2careers
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-8281

Plugin:: Wptobe-memberships
Plugin Slug:: wptobe-memberships
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-9048

Plugin:: WS Theme Addons
Plugin Slug:: ws-theme-addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-8062

Plugin:: Templately – Elementor & Gutenberg Template Library: 5500+ Free & Pro Ready Templates And Cloud!
Plugin Slug:: templately
Installations: 400,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.8
Severity Score:: Medium
CVE:: 2025-49408

Plugin:: WP Crontrol
Plugin Slug:: wp-crontrol
Installations: 300,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.19.2
Severity Score:: Medium
CVE:: 2025-8678

Plugin:: Redirection for Contact Form 7
Plugin Slug:: wpcf7-redirect
Installations: 300,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.2.5
Severity Score:: High
CVE:: 2025-8141

Plugin:: Redirection for Contact Form 7
Plugin Slug:: wpcf7-redirect
Installations: 300,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.2.5
Severity Score:: High
CVE:: 2025-8289

Plugin:: Redirection for Contact Form 7
Plugin Slug:: wpcf7-redirect
Installations: 300,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.2.5
Severity Score:: High
CVE:: 2025-8145

Plugin:: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.6.1
Severity Score:: Medium
CVE:: 2025-7221

Plugin:: WPC Smart Quick View for WooCommerce
Plugin Slug:: woo-smart-quick-view
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2025-8618

Plugin:: WPC Smart Compare for WooCommerce
Plugin Slug:: woo-smart-compare
Installations: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4.8
Severity Score:: Medium
CVE:: 2025-7496

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations: 70,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.28
Severity Score:: Medium
CVE:: 2025-8357

Plugin:: Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.5.1
Severity Score:: Medium
CVE:: 2025-8102

Plugin:: Greenshift – animation and page builder blocks
Plugin Slug:: greenshift-animation-and-page-builder-blocks
Installations: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 12.1.2
Severity Score:: Medium
CVE:: 2025-57884

Plugin:: FunnelKit – Funnel Builder for WooCommerce Checkout
Plugin Slug:: funnel-builder
Installations: 30,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.12.0
Severity Score:: High
CVE:: 2025-54750

Plugin:: FunnelKit – Funnel Builder for WooCommerce Checkout
Plugin Slug:: funnel-builder
Installations: 30,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.11.1
Severity Score:: High
CVE:: 2025-7654

Plugin:: WP Visitor Statistics (Real Time Traffic)
Plugin Slug:: wp-stats-manager
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.3
Severity Score:: Medium
CVE:: 2025-49400

Plugin:: FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Plugin Slug:: wp-marketing-automations
Installations: 20,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.6.4
Severity Score:: High
CVE:: 2025-7654

Plugin:: WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress
Plugin Slug:: wp-webhooks
Installations: 20,000+
Vulnerability:: Path Traversal
Patched in Version:: 3.3.6
Severity Score:: Critical
CVE:: 2025-8895

Plugin:: Fluent Support – Helpdesk & Customer Support Ticket System
Plugin Slug:: fluent-support
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.9.2
Severity Score:: Medium
CVE:: 2025-57885

Plugin:: NEX-Forms – Ultimate Forms Plugin for WordPress
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 9,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 9.1.4
Severity Score:: High
CVE:: 2025-49399

Plugin:: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
Plugin Slug:: the-plus-addons-for-block-editor
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.5
Severity Score:: Medium
CVE:: 2025-8567

Plugin:: Flexible Map
Plugin Slug:: wp-flexible-map
Installations: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.19.0
Severity Score:: Medium
CVE:: 2025-8622

Plugin:: WP Colorbox
Plugin Slug:: wp-colorbox
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.6
Severity Score:: Medium
CVE:: 2025-49397

Plugin:: Equalize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility Errors
Plugin Slug:: accessibility-checker
Installations: 6,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 1.30.1
Severity Score:: Medium
CVE:: 2025-57886

Plugin:: Raptive Ads
Plugin Slug:: adthrive-ads
Installations: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.0
Severity Score:: High
CVE:: 2025-53319

Plugin:: Themify Builder
Plugin Slug:: themify-builder
Installations: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.6.8
Severity Score:: Medium
CVE:: 2025-49396

Plugin:: CubeWP – All-in-One Dynamic Content Framework
Plugin Slug:: cubewp-framework
Installations: 5,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.1.25
Severity Score:: High
CVE:: 2025-54735

Plugin:: Themify Icons
Plugin Slug:: themify-icons
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2025-49395

Plugin:: Responsive YouTube Video Gallery Plugin for WordPress – YouTube Showcase
Plugin Slug:: youtube-showcase
Installations: 3,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.5.2
Severity Score:: High
CVE:: 2025-54731

Plugin:: E-cab Taxi Booking Manager for Woocommerce
Plugin Slug:: ecab-taxi-booking-manager
Installations: 1,000+
Vulnerability:: Broken Authentication
Patched in Version:: 1.3.1
Severity Score:: Critical
CVE:: 2025-54713

Plugin:: WP Fast Total Search – The Power of Indexed Search
Plugin Slug:: fulltext-search
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.79.274
Severity Score:: Medium
CVE:: 2025-57893

Plugin:: JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin
Plugin Slug:: jobwp
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.4.4
Severity Score:: Medium
CVE:: 2025-57895

Plugin:: Markup Markdown
Plugin Slug:: markup-markdown
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.20.7
Severity Score:: Medium
CVE:: 2025-49420

Plugin:: Recurring PayPal Donations
Plugin Slug:: recurring-donation
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9
Severity Score:: Medium
CVE:: 2025-57891

Plugin:: Sign-up Sheets
Plugin Slug:: sign-up-sheets
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.3.3.1
Severity Score:: Medium
CVE:: 2025-49391

Plugin:: Simple Statistics for Feeds
Plugin Slug:: simple-feed-stats
Installations: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 20250820
Severity Score:: Medium
CVE:: 2025-57892

Plugin:: Themify Audio Dock
Plugin Slug:: themify-audio-dock
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.6
Severity Score:: Medium
CVE:: 2025-49392

Plugin:: MDTF – Meta Data and Taxonomies Filter
Plugin Slug:: wp-meta-data-filter-and-taxonomy-filter
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.3.3.8
Severity Score:: Critical
CVE:: 2025-54707

Plugin:: WPPizza – A Restaurant Plugin
Plugin Slug:: wppizza
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.19.8.1
Severity Score:: Medium
CVE:: 2025-57894

Plugin:: Sessions
Plugin Slug:: sessions
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.1
Severity Score:: Medium
CVE:: 2025-57890

Plugin:: Notice Bar
Plugin Slug:: notice-bar
Installations: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2025-49389

Plugin:: Church Admin
Plugin Slug:: church-admin
Installations: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.27
Severity Score:: Medium
CVE:: 2025-57896

Plugin:: Employee Spotlight – Team Member Showcase & Meet the Team Plugin
Plugin Slug:: employee-spotlight
Installations: 500+
Vulnerability:: PHP Object Injection
Patched in Version:: 5.1.2
Severity Score:: High
CVE:: 2025-53583

Plugin:: UPC/EAN/GTIN Code Generator
Plugin Slug:: upc-ean-barcode-generator
Installations: 500+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 2.0.3
Severity Score:: High
CVE:: 2025-53588

Plugin:: Customer Support Ticket System & Helpdesk Plugin for WordPress
Plugin Slug:: wp-ticket
Installations: 500+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.0.3
Severity Score:: High
CVE:: 2025-53584

Plugin:: Bible SuperSearch
Plugin Slug:: biblesupersearch
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.1.0
Severity Score:: Medium
CVE:: 2025-8064

Plugin:: Cloudflare Image Resizing – Optimize & Accelerate Your Images
Plugin Slug:: cf-image-resizing
Installations: 300+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.5.7
Severity Score:: Critical
CVE:: 2025-8723

Plugin:: Contact Manager
Plugin Slug:: contact-manager
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.6.6
Severity Score:: Medium
CVE:: 2025-8783

Plugin:: Vibes
Plugin Slug:: vibes
Installations: 100+
Vulnerability:: SQL Injection
Patched in Version:: 2.2.1
Severity Score:: Critical
CVE:: 2025-9172

Plugin:: ads.txt Guru Connect
Plugin Slug:: adstxt-guru-connect
Installations: 90+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.1.2
Severity Score:: Critical
CVE:: 2025-49381

Plugin:: Simple Contact Form Plugin for WordPress – WP Easy Contact
Plugin Slug:: wp-easy-contact
Installations: 40+
Vulnerability:: PHP Object Injection
Patched in Version:: 4.0.2
Severity Score:: High
CVE:: 2025-53572

Plugin:: Custom Query Shortcode
Plugin Slug:: custom-query-shortcode
Installations: 30+
Vulnerability:: Directory Traversal
Patched in Version:: 0.5.0
Severity Score:: Medium
CVE:: 2025-8562

Plugin:: Case Theme User
Plugin Slug:: case-theme-user
Vulnerability:: Broken Authentication
Patched in Version:: 1.0.4
Severity Score:: Critical
CVE:: 2025-5821

Plugin:: eventlist
Plugin Slug:: eventlist
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.5
Severity Score:: High
CVE:: 2025-6366

Plugin:: Global DNS
Plugin Slug:: global-dns
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.1.1
Severity Score:: Critical
CVE:: 2025-53577

Plugin:: Miraculous Core Plugin
Plugin Slug:: miraculouscore
Vulnerability:: Privilege Escalation
Patched in Version:: 2.0.8
Severity Score:: Critical
CVE:: 2025-49388

Plugin:: Ovatheme Events
Plugin Slug:: ova-events
Vulnerability:: Local File Inclusion
Patched in Version:: 1.2.7
Severity Score:: High
CVE:: 2025-53576

Plugin:: Simple Business Directory Pro
Plugin Slug:: simple-business-directory-pro
Vulnerability:: Privilege Escalation
Patched in Version:: 15.6.9
Severity Score:: Critical
CVE:: 2025-53580

Plugin:: Tourfic
Plugin Slug:: tourfic
Vulnerability:: Broken Access Control
Patched in Version:: 2.15.0
Severity Score:: Medium
CVE:: 2024-8860

Plugin:: Automatic
Plugin Slug:: wp-automatic
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.119.0
Severity Score:: High
CVE:: 2025-6247

WordPress Themes — 13 Patched / 11 Unpatched

Theme:: BlogMarks
Theme Slug:: blogmarks
Downloads: 2,998
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53247

Theme:: Eximious Magazine
Theme Slug:: eximious-magazine
Downloads: 89,583
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53248

Theme:: Glamer
Theme Slug:: glamer
Downloads: 1,229
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53216

Theme:: Magazine Elite
Theme Slug:: magazine-elite
Downloads: 23,250
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53244

Theme:: Magazine Saga
Theme Slug:: magazine-saga
Downloads: 39,647
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53227

Theme:: Jannah
Theme Slug:: jannah
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-53334

Theme:: Kalium
Theme Slug:: kalium
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-53348

Theme:: Kitring
Theme Slug:: kitring
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49426

Theme:: Nuss
Theme Slug:: nuss
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2025-49894

Theme:: Organic Beauty
Theme Slug:: organic-beauty
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2025-49890

Theme:: Pro Bulk Watermark Plugin for WordPress
Theme Slug:: pro-watermark
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2025-49405

Theme:: ColorMag
Theme Slug:: colormag
Downloads: 4,262,710
Vulnerability:: Broken Access Control
Patched in Version:: 4.0.20
Severity Score:: Medium
CVE:: 2025-9202

Theme:: Inspiro
Theme Slug:: inspiro
Downloads: 1,177,489
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.3
Severity Score:: High
CVE:: 2025-8592

Theme:: Spacious
Theme Slug:: spacious
Downloads: 2,634,166
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.12
Severity Score:: Medium
CVE:: 2025-9331

Theme:: Golo
Theme Slug:: golo
Vulnerability:: Broken Authentication
Patched in Version:: 1.7.1
Severity Score:: Critical
CVE:: 2025-54725

Theme:: Houzez
Theme Slug:: houzez
Vulnerability:: Broken Access Control
Patched in Version:: 4.1.4
Severity Score:: Medium
CVE:: 2025-49406

Theme:: JobZilla – Job Board WordPress Theme
Theme Slug:: jobzilla
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.1
Severity Score:: High
CVE:: 2025-49382

Theme:: Kipso
Theme Slug:: kipso
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.5
Severity Score:: High
CVE:: 2025-53578

Theme:: Jobmonster
Theme Slug:: noo-jobmonster
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.8.1
Severity Score:: Medium
CVE:: 2025-57888

Theme:: Jobmonster
Theme Slug:: noo-jobmonster
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.1
Severity Score:: Medium
CVE:: 2025-57887

Theme:: Jobmonster
Theme Slug:: noo-jobmonster
Vulnerability:: Broken Authentication
Patched in Version:: 4.8.0
Severity Score:: Critical
CVE:: 2025-54738

Theme:: Real Spaces
Theme Slug:: real-spaces
Vulnerability:: Privilege Escalation
Patched in Version:: 3.6.1
Severity Score:: Critical
CVE:: 2025-6758

Theme:: Real Spaces
Theme Slug:: real-spaces
Vulnerability:: Privilege Escalation
Patched in Version:: 3.6
Severity Score:: High
CVE:: 2025-8218

Theme:: Sala
Theme Slug:: sala
Vulnerability:: Local File Inclusion
Patched in Version:: 1.1.7
Severity Score:: High
CVE:: 2025-54709

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

The post WordPress Vulnerability Report — August 27, 2025 appeared first on SolidWP.

Click here to continue reading this article.

Your WordPress News Dashboard

WordPress Vulnerability Report — August 27, 2025

Table of Contents

WordPress Core

WordPress Plugins — 58 Patched / 87 Unpatched