In this report, 133 vulnerabilities have been publicly disclosed. Security patches for 98 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 35 plugin and theme vulnerabilities for which no patch is available yet. If you’re a Solid Security Pro user, you are already protected against those vulnerabilities by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.2 was released on July 15, 2025. This maintenance release includes fixes for 20 Core tickets and 15 Block Editor issues. For a full list of bug fixes, please refer to the release candidate announcement.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 86 Patched / 33 Unpatched

Eventer

Plugin:

Eventer

Plugin Slug:
eventer

Installations
1,000+

Vulnerability:
Content Injection

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

PressForward

Plugin Slug:
pressforward

Installations
200+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

360 Photo Spheres

Plugin:

360 Photo Spheres

Plugin Slug:
360-sphere-images

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Advanced Google Universal Analytics

Plugin:

Advanced Google Universal Analytics

Plugin Slug:
advanced-google-universal-analytics

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Affiliate Plus

Plugin:

Affiliate Plus

Plugin Slug:
affiliate-plus

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

April Framework

Plugin:

April Framework

Plugin Slug:
april-framework

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

April Framework

Plugin:

April Framework

Plugin Slug:
april-framework

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

April Framework

Plugin:

April Framework

Plugin Slug:
april-framework

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Image Gallery

Plugin:

Image Gallery

Plugin Slug:
bee-quick-gallery

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

BeeTeam368 Extensions

Plugin:

BeeTeam368 Extensions

Plugin Slug:
beeteam368-extensions

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
Critical


The vulnerability has not been patched. You should deactivate the plugin.

Benaa Framework

Plugin:

Benaa Framework

Plugin Slug:
benaa-framework

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

Benaa Framework

Plugin:

Benaa Framework

Plugin Slug:
benaa-framework

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Benaa Framework

Plugin:

Benaa Framework

Plugin Slug:
benaa-framework

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Beyot Framework

Plugin:

Beyot Framework

Plugin Slug:
beyot-framework

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

Beyot Framework

Plugin:

Beyot Framework

Plugin Slug:
beyot-framework

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Beyot Framework

Plugin:

Beyot Framework

Plugin Slug:
beyot-framework

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Bonanza – WooCommerce Free Gifts Lite

Plugin:

Bonanza – WooCommerce Free Gifts Lite

Plugin Slug:
bonanza-woocommerce-free-gifts-lite

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Cube Portfolio

Plugin:

Cube Portfolio

Plugin Slug:
cubeportfolio

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

Custom Word Cloud

Plugin:

Custom Word Cloud

Plugin Slug:
custom-word-cloud

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Fan Page

Plugin:

Fan Page

Plugin Slug:
fan-page

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Auteur Framework

Plugin:

Auteur Framework

Plugin Slug:
g5plus-auteur

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

Auteur Framework

Plugin:

Auteur Framework

Plugin Slug:
g5plus-auteur

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Auteur Framework

Plugin:

Auteur Framework

Plugin Slug:
g5plus-auteur

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

WP LOL Rotation

Plugin:

WP LOL Rotation

Plugin Slug:
league-of-legends-rotation

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Magic Edge – Lite

Plugin:

Magic Edge – Lite

Plugin Slug:
magic-edge-lite-image-background-remover

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Medical Addon for Elementor

Plugin:

Medical Addon for Elementor

Plugin Slug:
medical-addon-for-elementor

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Mmm Unity Loader

Plugin:

Mmm Unity Loader

Plugin Slug:
mmm-unity-loader

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

My Reservation System

Plugin:

My Reservation System

Plugin Slug:
my-reservation-system

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

SEO Metrics

Plugin:

SEO Metrics

Plugin Slug:
seo-metrics-helper

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

Supermalink

Plugin:

Supermalink

Plugin Slug:
supermalink

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

TheBooking

Plugin:

TheBooking

Plugin Slug:
thebooking

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should deactivate the plugin.

Amazon Native Shopping Recommendations

Plugin:

Amazon Native Shopping Recommendations

Plugin Slug:
woozone-contextual

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
Critical


The vulnerability has not been patched. You should deactivate the plugin.

YouTube Embed – YouTube Gallery, Vimeo Gallery – WordPress Plugin

Plugin:

YouTube Embed – YouTube Gallery, Vimeo Gallery – WordPress Plugin

Plugin Slug:
youram-youtube-embed

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium


The vulnerability has not been patched. You should deactivate the plugin.

Elementor Website Builder – More Than Just a Page Builder

Plugin Slug:
elementor

Installations
10,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.30.3

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 3.30.3.

Smart Slider 3

Plugin Slug:
smart-slider-3

Installations
900,000+

Vulnerability:
SQL Injection

Patched in Version:
3.5.1.29

Severity Score:
High


The vulnerability has been patched, so you should update to version 3.5.1.29.

Qi Addons For Elementor

Plugin Slug:
qi-addons-for-elementor

Installations
200,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.9.3

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.9.3.

AI Engine

Plugin:

AI Engine

Plugin Slug:
ai-engine

Installations
100,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
2.9.5

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 2.9.5.

GiveWP – Donation Plugin and Fundraising Platform

Plugin Slug:
give

Installations
100,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
4.6.1

Severity Score:
High


The vulnerability has been patched, so you should update to version 4.6.1.

GiveWP – Donation Plugin and Fundraising Platform

Plugin Slug:
give

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.6.0

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 4.6.0.

Brizy – Page Builder

Plugin Slug:
brizy

Installations
80,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.6.21

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.6.21.

Customer Reviews for WooCommerce

Plugin Slug:
customer-reviews-woocommerce

Installations
80,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.81.0

Severity Score:
High


The vulnerability has been patched, so you should update to version 5.81.0.

HT Mega – Absolute Addons For Elementor

Plugin Slug:
ht-mega-for-elementor

Installations
80,000+

Vulnerability:
Path Traversal

Patched in Version:
2.9.2

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.9.2.

HT Mega – Absolute Addons For Elementor

Plugin Slug:
ht-mega-for-elementor

Installations
80,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
2.9.2

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.9.2.

HT Mega – Absolute Addons For Elementor

Plugin Slug:
ht-mega-for-elementor

Installations
80,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.9.2

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.9.2.

HT Mega – Absolute Addons For Elementor

Plugin Slug:
ht-mega-for-elementor

Installations
80,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.9.1

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.9.1.

Ocean Social Sharing

Plugin Slug:
ocean-social-sharing

Installations
80,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.2.2

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.2.2.

Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates)

Plugin Slug:
sina-extension-for-elementor

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.7.1

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 3.7.1.

WP Import Export Lite

Plugin Slug:
wp-import-export-lite

Installations
50,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
3.9.30

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 3.9.30.

WP Import Export Lite

Plugin Slug:
wp-import-export-lite

Installations
50,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
3.9.29

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 3.9.29.

NinjaScanner – Virus & Malware scan

Plugin Slug:
ninjascanner

Installations
30,000+

Vulnerability:
Arbitrary File Deletion

Patched in Version:
3.2.6

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 3.2.6.

Content Egg

Plugin Slug:
content-egg

Installations
20,000+

Vulnerability:
PHP Object Injection

Patched in Version:
8.0.0

Severity Score:
High


The vulnerability has been patched, so you should update to version 8.0.0.

BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed

Plugin Slug:
blockspare

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.2.13.2

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 3.2.13.2.

Graphina – Elementor Charts and Graphs

Plugin Slug:
graphina-elementor-charts-and-graphs

Installations
10,000+

Vulnerability:
Local File Inclusion

Patched in Version:
3.1.2

Severity Score:
High


The vulnerability has been patched, so you should update to version 3.1.2.

WP REST Cache

Plugin Slug:
wp-rest-cache

Installations
10,000+

Vulnerability:
Local File Inclusion

Patched in Version:
2025.1.1

Severity Score:
High


The vulnerability has been patched, so you should update to version 2025.1.1.

Motors – Car Dealership & Classified Listings Plugin

Plugin Slug:
motors-car-dealership-classified-listings

Installations
9,000+

Vulnerability:
Insecure Direct Object References (IDOR)

Patched in Version:
1.4.81

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.4.81.

Event Booking Manager for WooCommerce – WpEvently

Plugin Slug:
mage-eventpress

Installations
8,000+

Vulnerability:
Broken Access Control

Patched in Version:
4.4.7

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 4.4.7.

Simple File List

Plugin Slug:
simple-file-list

Installations
5,000+

Vulnerability:
Arbitrary File Download

Patched in Version:
6.1.15

Severity Score:
High


The vulnerability has been patched, so you should update to version 6.1.15.

Magical Posts Display – Elementor Advanced Posts widgets

Plugin Slug:
magical-posts-display

Installations
4,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.53

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.2.53.

Chartify – WordPress Chart Plugin

Plugin Slug:
chart-builder

Installations
3,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
3.5.4

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 3.5.4.

Product Configurator for WooCommerce

Plugin Slug:
product-configurator-for-woocommerce

Installations
3,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.5.0

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.5.0.

Connector for Gravity Forms and Google Sheets

Plugin Slug:
wp-gravity-forms-spreadsheets

Installations
3,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.2.5

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.2.5.

Connector for Gravity Forms and Google Sheets

Plugin Slug:
wp-gravity-forms-spreadsheets

Installations
3,000+

Vulnerability:
Open Redirection

Patched in Version:
1.2.5

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.2.5.

WP CTA

Plugin:

WP CTA

Plugin Slug:
easy-sticky-sidebar

Installations
2,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.7.1

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.7.1.

Online Booking & Scheduling Calendar for WordPress by vcita

Plugin Slug:
meeting-scheduler-by-vcita

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.5.5

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 4.5.5.

Newsletters

Plugin Slug:
newsletters-lite

Installations
2,000+

Vulnerability:
Local File Inclusion

Patched in Version:
4.11

Severity Score:
High


The vulnerability has been patched, so you should update to version 4.11.

oik

Plugin:

oik

Plugin Slug:
oik

Installations
2,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
4.15.3

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 4.15.3.

Realtyna Organic IDX plugin + WPL Real Estate

Plugin Slug:
real-estate-listing-realtyna-wpl

Installations
2,000+

Vulnerability:
Local File Inclusion

Patched in Version:
5.0.1

Severity Score:
High


The vulnerability has been patched, so you should update to version 5.0.1.

Sky Addons – Elementor Addons with Widgets & Templates

Plugin Slug:
sky-elementor-addons

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.2.0

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 3.2.0.

WP Modal Popup with Cookie Integration

Plugin Slug:
wp-modal-popup-with-cookie-integration

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.5

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.5.

Photo Engine (Media Organizer & Lightroom)

Plugin Slug:
wplr-sync

Installations
2,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
6.4.4

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 6.4.4.

YITH WooCommerce Popup

Plugin Slug:
yith-woocommerce-popup

Installations
2,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.48.1

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.48.1.

Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI

Plugin Slug:
contest-gallery

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
26.1.1

Severity Score:
High


The vulnerability has been patched, so you should update to version 26.1.1.

Custom API for WP

Plugin Slug:
custom-api-for-wp

Installations
1,000+

Vulnerability:
Privilege Escalation

Patched in Version:
4.2.3

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 4.2.3.

Easy Elementor Addons

Plugin Slug:
easy-elementor-addons

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.2.7

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.2.7.

Ebook Store

Plugin Slug:
ebook-store

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
5.8014

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 5.8014.

StreamWeasels Twitch Integration

Plugin Slug:
streamweasels-twitch-integration

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.9.4

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.9.4.

StreamWeasels YouTube Integration

Plugin Slug:
streamweasels-youtube-integration

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.4.1

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.4.1.

SureDash

Plugin:

SureDash

Plugin Slug:
suredash

Installations
600+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
1.2.0

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.2.0.

SureDash

Plugin:

SureDash

Plugin Slug:
suredash

Installations
600+

Vulnerability:
Privilege Escalation

Patched in Version:
1.1.0

Severity Score:
High


The vulnerability has been patched, so you should update to version 1.1.0.

DELUCKS SEO

Plugin Slug:
delucks-seo

Installations
500+

Vulnerability:
Privilege Escalation

Patched in Version:
2.6.1

Severity Score:
High


The vulnerability has been patched, so you should update to version 2.6.1.

BuddyPress XProfile Custom Image Field

Plugin Slug:
buddypress-xprofile-image-field

Installations
300+

Vulnerability:
Arbitrary File Deletion

Patched in Version:
3.1.0

Severity Score:
High


The vulnerability has been patched, so you should update to version 3.1.0.

Google Map Targeting

Plugin Slug:
gmap-targeting

Installations
100+

Vulnerability:
Local File Inclusion

Patched in Version:
1.1.7

Severity Score:
High


The vulnerability has been patched, so you should update to version 1.1.7.

Dataverse Integration

Plugin Slug:
integration-cds

Installations
100+

Vulnerability:
Privilege Escalation

Patched in Version:
2.81.1

Severity Score:
High


The vulnerability has been patched, so you should update to version 2.81.1.

StreamWeasels Kick Integration

Plugin Slug:
streamweasels-kick-integration

Installations
100+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.1.5

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.1.5.

StoreKeeper for WooCommerce

Plugin Slug:
storekeeper-for-woocommerce

Installations
50+

Vulnerability:
Arbitrary File Upload

Patched in Version:
14.4.5

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 14.4.5.

Download Counter

Plugin Slug:
download-counter

Installations
40+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.4

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.4.

Service Finder SMS System

Plugin:

Service Finder SMS System

Plugin Slug:
aone-sms

Vulnerability:
Privilege Escalation

Patched in Version:
3.0.0

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 3.0.0.

Brave Conversion Engine (PRO)

Plugin:

Brave Conversion Engine (PRO)

Plugin Slug:
bravepopup-pro

Vulnerability:
Broken Authentication

Patched in Version:
0.8.0

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 0.8.0.

JetEngine

Plugin:

JetEngine

Plugin Slug:
jet-engine

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.7.2

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 3.7.2.

JetTabs

Plugin:

JetTabs

Plugin Slug:
jet-tabs

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.2.9.2

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 2.2.9.2.

RT-Theme 18 | Extensions

Plugin:

RT-Theme 18 | Extensions

Plugin Slug:
rt18-extensions

Vulnerability:
Local File Inclusion

Patched in Version:
2.5

Severity Score:
High


The vulnerability has been patched, so you should update to version 2.5.

Super Store Finder

Plugin:

Super Store Finder

Plugin Slug:
superstorefinder-wp

Vulnerability:
SQL Injection

Patched in Version:
7.6

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 7.6.

Use-your-Drive

Plugin:

Use-your-Drive

Plugin Slug:
use-your-drive

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.3.2

Severity Score:
High


The vulnerability has been patched, so you should update to version 3.3.2.

Woffice Core

Plugin:

Woffice Core

Plugin Slug:
woffice-core

Vulnerability:
Arbitrary File Deletion

Patched in Version:
5.4.27

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 5.4.27.

WordPress Themes — 12 Patched / 2 Unpatched

News Magazine X

Theme Slug:
news-magazine-x

Downloads
28,695

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High


The vulnerability has not been patched. You should switch themes.

Shopo

Theme:

Shopo

Theme Slug:
shopo

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
Critical


The vulnerability has not been patched. You should switch themes.

Appzend

Theme:

Appzend

Theme Slug:
appzend

Downloads
23,837

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.7

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.2.7.

Blogger Buzz

Theme Slug:
blogger-buzz

Downloads
52,137

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.7

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 1.2.7.

Alone

Theme:

Alone

Theme Slug:
alone

Vulnerability:
Arbitrary Code Execution

Patched in Version:
7.8.5

Severity Score:
Medium


The vulnerability has been patched, so you should update to version 7.8.5.

Bricks Builder

Theme:

Bricks Builder

Theme Slug:
bricks

Vulnerability:
SQL Injection

Patched in Version:
2.0

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 2.0.

Cook&Meal

Theme:

Cook&Meal

Theme Slug:
cookandmeal

Vulnerability:
Local File Inclusion

Patched in Version:
1.2.4

Severity Score:
High


The vulnerability has been patched, so you should update to version 1.2.4.

Druco

Theme:

Druco

Theme Slug:
druco

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.5.3

Severity Score:
High


The vulnerability has been patched, so you should update to version 1.5.3.

Exertio

Theme:

Exertio

Theme Slug:
exertio

Vulnerability:
PHP Object Injection

Patched in Version:
1.3.3

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 1.3.3.

KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme

Theme:

KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme

Theme Slug:
kallyas

Vulnerability:
Arbitrary File Deletion

Patched in Version:
4.22.0

Severity Score:
High


The vulnerability has been patched, so you should update to version 4.22.0.

MediCenter – Health Medical Clinic

Theme:

MediCenter – Health Medical Clinic

Theme Slug:
medicenter

Vulnerability:
PHP Object Injection

Patched in Version:
15.2

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 15.2.

MinimogWP

Theme:

MinimogWP

Theme Slug:
minimog

Vulnerability:
Content Injection

Patched in Version:
3.9.1

Severity Score:
High


The vulnerability has been patched, so you should update to version 3.9.1.

Platform

Theme:

Platform

Theme Slug:
platform

Vulnerability:
Broken Access Control

Patched in Version:
1.4.4

Severity Score:
Critical


The vulnerability has been patched, so you should update to version 1.4.4.

UpStore

Theme:

UpStore

Theme Slug:
upstore

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.7.1

Severity Score:
High


The vulnerability has been patched, so you should update to version 1.7.1.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!



The post WordPress Vulnerability Report — August 6, 2025 appeared first on SolidWP.
