In this report, 114 vulnerabilities have been publicly disclosed. Security patches for 75 of these plugins and themes are now available, so please run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 39 plugin and theme vulnerabilities for which no patch is available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor, or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.2 was released on July 15, 2025. This maintenance release includes fixes for 20 Core tickets and 15 Block Editor issues. For a full list of bug fixes, please refer to the release candidate announcement.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 68 Patched / 28 Unpatched

Poll, Survey & Quiz Maker Plugin by Opinion Stage

Plugin Slug:
social-polls-by-opinionstage

Installations
8,000+

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Chartbeat

Plugin Slug:
chartbeat

Installations
1,000+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Post Type Converter

Plugin Slug:
post-type-converter

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Link View

Plugin Slug:
link-view

Installations
900+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

NextGEN Gallery Search

Plugin Slug:
nextgen-gallery-search-galleries

Installations
100+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Page Manager for Elementor

Plugin Slug:
page-manager-for-elementor

Installations
100+

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Theme Switcher Reloaded

Plugin Slug:
theme-switcher-reloaded

Installations
100+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

XmasB Quotes

Plugin Slug:
xmasb-quotes

Installations
100+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Google XML News Sitemap plugin

Plugin Slug:
gn-xml-sitemap

Installations
90+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

SEO For Images

Plugin Slug:
seo-for-images

Installations
90+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Payment Gateway for Saferpay

Plugin Slug:
woocommerce-payment-gateway-for-saferpay

Installations
60+

Vulnerability:
Path Traversal

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

XM-Backup

Plugin Slug:
xm-backup

Installations
60+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

bidorbuy Store Integrator

Plugin Slug:
bidorbuystoreintegrator

Installations
50+

Vulnerability:
Remote Code Execution (RCE)

Patched in Version:
No Fix

Severity Score:
Critical

The vulnerability has not been patched. You should deactivate the plugin.

Yahoo! WebPlayer

Plugin Slug:
yahoo-media-player

Installations
50+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Savyour Affiliate Partner

Plugin Slug:
savyour-affiliate-partner

Installations
40+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Goal Tracker for Patreon

Plugin Slug:
goal-tracker-for-patreon

Installations
10+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Premium Age Verification / Restriction for WordPress

Plugin Slug:
age-restriction

Vulnerability:
Arbitrary File Download

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Premium Age Verification / Restriction for WordPress

Plugin Slug:
age-restriction

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
Critical

The vulnerability has not been patched. You should deactivate the plugin.

Exertio Framework

Plugin Slug:
exertio-framework

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

iATS Online Forms

Plugin Slug:
iats-online-forms

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Printeers Print & Ship

Plugin Slug:
invition-print-ship

Vulnerability:
Directory Traversal

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

List Subpages

Plugin Slug:
list-sub-pages

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

OSM Map Widget for Elementor

Plugin Slug:
osm-map-elementor

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Related Posts Lite

Plugin Slug:
related-posts-lite

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Theme Blvd Widget Areas

Plugin Slug:
theme-blvd-widget-areas

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Tag Warrior Importer

Plugin Slug:
utw-importer

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should deactivate the plugin.

All-in-One WP Migration and Backup

Plugin Slug:
all-in-one-wp-migration

Installations
5,000,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
7.98

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 7.98.

TablePress – Tables in WordPress made easy

Plugin Slug:
tablepress

Installations
700,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.2.1

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 3.2.1.

Ocean Extra

Plugin Slug:
ocean-extra

Installations
600,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.5.0

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.5.0.

SiteSEO – SEO Simplified

Plugin Slug:
siteseo

Installations
400,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.8

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.2.8.

Unlimited Elements For Elementor

Plugin Slug:
unlimited-elements-for-elementor

Installations
300,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.5.149

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.5.149.

Beaver Builder – WordPress Page Builder

Plugin Slug:
beaver-builder-lite-version

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.9.3.1

Severity Score:
High

The vulnerability has been patched, so you should update to version 2.9.3.1.

WP Bulk Delete

Plugin Slug:
wp-bulk-delete

Installations
90,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.3.7

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.3.7.

Ajax Search Lite – Live Search & Filter

Plugin Slug:
ajax-search-lite

Installations
80,000+

Vulnerability:
Broken Access Control

Patched in Version:
4.13.2

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 4.13.2.

Bold Page Builder

Plugin Slug:
bold-page-builder

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.4.4

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 5.4.4.

Booking Calendar

Plugin Slug:
booking

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
10.14.2

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 10.14.2.

UiCore Elements – Free Elementor widgets and templates

Plugin Slug:
uicore-elements

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.5

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.3.5.

140+ Widgets | Xpro Addons For Elementor – FREE

Plugin Slug:
xpro-elementor-addons

Installations
30,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.4.18

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.4.18.

Simple Download Monitor

Plugin Slug:
simple-download-monitor

Installations
20,000+

Vulnerability:
SQL Injection

Patched in Version:
3.9.34

Severity Score:
High

The vulnerability has been patched, so you should update to version 3.9.34.

Simple Download Monitor

Plugin Slug:
simple-download-monitor

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.9.35

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 3.9.35.

Lazy Load for Videos

Plugin Slug:
lazy-load-for-videos

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.18.8

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.18.8.

Xpro Theme Builder For Elementor – FREE

Plugin Slug:
xpro-theme-builder

Installations
10,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.2.10

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.2.10.

Events Addon for Elementor

Plugin Slug:
events-addon-for-elementor

Installations
8,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.3.0

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.3.0.

LWSCache

Plugin Slug:
lwscache

Installations
8,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.9

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.9.

Event Booking Manager for WooCommerce – WpEvently

Plugin Slug:
mage-eventpress

Installations
8,000+

Vulnerability:
PHP Object Injection

Patched in Version:
4.4.9

Severity Score:
High

The vulnerability has been patched, so you should update to version 4.4.9.

Xagio SEO – AI Powered SEO

Plugin Slug:
xagio-seo

Installations
8,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
7.1.0.6

Severity Score:
High

The vulnerability has been patched, so you should update to version 7.1.0.6.

Solace Extra

Plugin Slug:
solace-extra

Installations
7,000+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
1.3.3

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.3.3.

Simple Page Access Restriction

Plugin Slug:
simple-page-access-restriction

Installations
6,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.33

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.0.33.

B Slider – Responsive Image Slider

Plugin Slug:
b-slider

Installations
5,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.0.0

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.0.0.

All Bootstrap Blocks

Plugin Slug:
all-bootstrap-blocks

Installations
4,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.3.29

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.3.29.

ElementInvader Addons for Elementor

Plugin Slug:
elementinvader-addons-for-elementor

Installations
4,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.7

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.3.7.

Podlove Podcast Publisher

Plugin Slug:
podlove-podcasting-plugin-for-wordpress

Installations
4,000+

Vulnerability:
Open Redirection

Patched in Version:
4.2.6

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 4.2.6.

JS Archive List

Plugin Slug:
jquery-archive-list-widget

Installations
3,000+

Vulnerability:
SQL Injection

Patched in Version:
6.1.6

Severity Score:
Critical

The vulnerability has been patched, so you should update to version 6.1.6.

Pronamic Google Maps

Plugin Slug:
pronamic-google-maps

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.4.2

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.4.2.

E-cab Taxi Booking Manager for Woocommerce

Plugin Slug:
ecab-taxi-booking-manager

Installations
1,000+

Vulnerability:
Broken Authentication

Patched in Version:
1.3.1

Severity Score:
Critical

The vulnerability has been patched, so you should update to version 1.3.1.

PDF for Elementor Forms + Drag And Drop Template Builder

Plugin Slug:
pdf-for-elementor-forms

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
6.3.0

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 6.3.0.

Skyword XMLRPC publishing

Plugin Slug:
skyword-plugin

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.5.3

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.5.3.

Zephyr Project Manager

Plugin Slug:
zephyr-project-manager

Installations
1,000+

Vulnerability:
Broken Access Control

Patched in Version:
3.3.202

Severity Score:
High

The vulnerability has been patched, so you should update to version 3.3.202.

Drag and Drop File Upload for Elementor Forms

Plugin Slug:
drag-and-drop-file-upload-for-elementor-forms

Installations
800+

Vulnerability:
Arbitrary File Upload

Patched in Version:
1.5.4

Severity Score:
Critical

The vulnerability has been patched, so you should update to version 1.5.4.

Transcoder

Plugin Slug:
transcoder

Installations
700+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.4.1

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.4.1.

Epeken All Kurir Plugin for Woocommerce Full Version

Plugin Slug:
epeken-all-kurir

Installations
500+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.0.2

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.0.2.

UPC/EAN/GTIN Code Generator

Plugin Slug:
upc-ean-barcode-generator

Installations
500+

Vulnerability:
Arbitrary File Deletion

Patched in Version:
2.0.3

Severity Score:
High

The vulnerability has been patched, so you should update to version 2.0.3.

Chatbox Manager

Plugin Slug:
wa-chatbox-manager

Installations
500+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.7

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.2.7.

Booking System Trafft

Plugin Slug:
booking-system-trafft

Installations
400+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.0.15

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.0.15.

Captcha.eu

Plugin Slug:
captcha-eu

Installations
200+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.0.61

Severity Score:
High

The vulnerability has been patched, so you should update to version 1.0.61.

Dynamic AJAX Product Filters for WooCommerce

Plugin Slug:
dynamic-ajax-product-filters-for-woocommerce

Installations
100+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.3.8

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.3.8.

File Manager, Code Editor, and Backup by Managefy

Plugin Slug:
softdiscover-db-file-manager

Installations
100+

Vulnerability:
Path Traversal

Patched in Version:
1.5.0

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.5.0.

Vibes

Plugin Slug:
vibes

Installations
100+

Vulnerability:
SQL Injection

Patched in Version:
2.2.1

Severity Score:
Critical

The vulnerability has been patched, so you should update to version 2.2.1.

WP Thumbtack Review Slider

Plugin Slug:
wp-thumbtack-review-slider

Installations
100+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.7

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 2.7.

Video Share VOD – Turnkey Video Site Builder Script

Plugin Slug:
video-share-vod

Installations
90+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
2.7.7

Severity Score:
High

The vulnerability has been patched, so you should update to version 2.7.7.

Instant Breaking News

Plugin Slug:
instant-breaking-news

Installations
60+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.0.1

Severity Score:
High

The vulnerability has been patched, so you should update to version 1.0.1.

Custom Query Shortcode

Plugin Slug:
custom-query-shortcode

Installations
40+

Vulnerability:
Directory Traversal

Patched in Version:
0.5.0

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 0.5.0.

RingCentral Communications Plugin – FREE

Plugin Slug:
rccp-free

Installations
30+

Vulnerability:
Broken Authentication

Patched in Version:
1.7.0

Severity Score:
Critical

The vulnerability has been patched, so you should update to version 1.7.0.

Small Package Quotes – USPS Edition

Plugin Slug:
small-package-quotes-usps-edition

Installations
10+

Vulnerability:
PHP Object Injection

Patched in Version:
1.3.10

Severity Score:
High

The vulnerability has been patched, so you should update to version 1.3.10.

Dokan Pro

Plugin Slug:
dokan-pro

Vulnerability:
Privilege Escalation

Patched in Version:
4.0.6

Severity Score:
High

The vulnerability has been patched, so you should update to version 4.0.6.

eventlist

Plugin Slug:
eventlist

Vulnerability:
Privilege Escalation

Patched in Version:
2.0.5

Severity Score:
High

The vulnerability has been patched, so you should update to version 2.0.5.

WooCommerce csv import export

Plugin Slug:
extendons-eo-wooimport-export

Vulnerability:
Arbitrary File Deletion

Patched in Version:
2.0.7

Severity Score:
High

The vulnerability has been patched, so you should update to version 2.0.7.

Houzez CRM

Plugin Slug:
houzez-crm

Vulnerability:
Broken Access Control

Patched in Version:
1.5.0

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.5.0.

Nest Addons

Plugin Slug:
nest-addons

Vulnerability:
SQL Injection

Patched in Version:
1.6.4

Severity Score:
Critical

The vulnerability has been patched, so you should update to version 1.6.4.

Slider Revolution

Plugin Slug:
revslider

Vulnerability:
Arbitrary File Download

Patched in Version:
6.7.37

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 6.7.37.

Automatic

Plugin Slug:
wp-automatic

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
3.119.0

Severity Score:
High

The vulnerability has been patched, so you should update to version 3.119.0.

WP ULike Pro

Plugin Slug:
wp-ulike-pro

Vulnerability:
Arbitrary File Upload

Patched in Version:
1.9.4

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.9.4.

WordPress Themes — 7 Patched / 11 Unpatched

Magazine Saga

Theme Slug:
magazine-saga

Downloads
39,662

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should switch themes.

ArcHub

Theme Slug:
archub

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should switch themes.

Cars4Rent

Theme Slug:
cars4rent

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

The vulnerability has not been patched. You should switch themes.

Hub

Theme Slug:
hub

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should switch themes.

Jannah

Theme Slug:
jannah

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should switch themes.

Jina – Celebration Agency Theme

Theme Slug:
jina

Vulnerability:
Deserialization of untrusted data

Patched in Version:
No Fix

Severity Score:
Critical

The vulnerability has not been patched. You should switch themes.

The Restaurant

Theme Slug:
nrgrestaurant

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

The vulnerability has not been patched. You should switch themes.

Nuss

Theme Slug:
nuss

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

The vulnerability has not been patched. You should switch themes.

Pro Bulk Watermark Plugin for WordPress

Theme Slug:
pro-watermark

Vulnerability:
Path Traversal

Patched in Version:
No Fix

Severity Score:
Medium

The vulnerability has not been patched. You should switch themes.

Rozario

Theme Slug:
rozario

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

The vulnerability has not been patched. You should switch themes.

Upking – Hiking Club WordPress Theme

Theme Slug:
upking

Vulnerability:
Deserialization of untrusted data

Patched in Version:
No Fix

Severity Score:
Critical

The vulnerability has not been patched. You should switch themes.

Golo

Theme Slug:
golo

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.7.2

Severity Score:
High

The vulnerability has been patched, so you should update to version 1.7.2.

Houzez

Theme Slug:
houzez

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.1.4

Severity Score:
High

The vulnerability has been patched, so you should update to version 4.1.4.

Houzez

Theme Slug:
houzez

Vulnerability:
Local File Inclusion

Patched in Version:
4.1.4

Severity Score:
High

The vulnerability has been patched, so you should update to version 4.1.4.

Ireca

Theme Slug:
ireca

Vulnerability:
Local File Inclusion

Patched in Version:
1.8.6

Severity Score:
High

The vulnerability has been patched, so you should update to version 1.8.6.

Makeaholic

Theme Slug:
makeaholic

Vulnerability:
Broken Access Control

Patched in Version:
1.8.7

Severity Score:
Medium

The vulnerability has been patched, so you should update to version 1.8.7.

Neresa

Theme Slug:
neresa-wp

Vulnerability:
Local File Inclusion

Patched in Version:
1.4

Severity Score:
High

The vulnerability has been patched, so you should update to version 1.4.

Pin WP

Theme Slug:
pin-wp

Vulnerability:
Arbitrary File Upload

Patched in Version:
7.2

Severity Score:
Critical

The vulnerability has been patched, so you should update to version 7.2.

The post WordPress Vulnerability Report — September 3, 2025 appeared first on SolidWP.