Wordfence Intelligence Weekly WordPress Vulnerability Report (February 24, 2025 to March 2, 2025)

by

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 168 vulnerabilities disclosed in 157 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 61 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 24,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 79
Unpatched 89

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 131
High Severity 26
Critical Severity 10

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 68
Cross-Site Request Forgery (CSRF) 32
Missing Authorization 18
Exposure of Sensitive Information to an Unauthorized Actor 8
Deserialization of Untrusted Data 6
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 5
Server-Side Request Forgery (SSRF) 5
Authentication Bypass Using an Alternate Path or Channel 4
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 3
Improper Control of Generation of Code (‘Code Injection’) 3
Improper Privilege Management 3
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 2
Unverified Password Change 2
Authorization Bypass Through User-Controlled Key 1
Exposure of Private Personal Information to an Unauthorized Actor 1
External Control of File Name or Path 1
Guessable CAPTCHA 1
Improper Access Control 1
Improper Input Validation 1
Incorrect Privilege Assignment 1
Unrestricted Upload of File with Dangerous Type 1
Weak Password Recovery Mechanism for Forgotten Password 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
15
10
9
8
7
7
7
6
6
5
5
5
4
4
3
3
3
3
3
3
2
2
2
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
1 click passwordless login, temporary login, social login & user switching – Login Me Now login-me-now
Academist Membership academist-membership
Add Linked Images To Gallery add-linked-images-to-gallery-v01
ADFO – Custom data in admin dashboard admin-form
Admin Menu Manager admin-menu-manager
Advanced AJAX Product Filters woocommerce-ajax-filters
Advanced Google reCAPTCHA advanced-google-recaptcha
Album Gallery – WordPress Gallery new-album-gallery
All-In-One Cufon all-in-one-cufon
Alloggio Membership alloggio-membership
Animated Text Block animated-text-block
Archive Page archive-page
Authors List authors-list
Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue revenueflex-easy-ads
Auto Tag Links auto-tag-links
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss bp-better-messages
Blighty Explorer blighty-explorer
Booking Calendar and Notification booking-calendar-and-notification
Booknetic booknetic
Bravo Search & Replace bravo-search-and-replace
Buddyboss Platform buddyboss-platform
BuddyHolis TableSearch tablesearch
BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages wc4bp
Bulk Content Creator bulk-content-creator
Card Elements for Elementor card-elements-for-elementor
Classified Listing – Classified ads & Business Directory Plugin classified-listing
Clicface Trombi clicface-trombi
Contact Form 7 Star Rating contact-form-7-star-rating
Contact Form 7 Star Rating with font Awesome contact-form-7-star-rating-with-font-awersome
Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site counter-box
Currency Switcher for WooCommerce currency-switcher-woocommerce
Database Backup and check Tables Automated With Scheduler 2024 database-backup
DefendWP Firewall defend-wp-firewall
DHVC Form dhvc-form
Direct Checkout Button for WooCommerce woo-direct-checkout-button
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings directorist
Download HTML TinyMCE Button download-html-tinymce-button
Easy Digital Downloads Google Sheet Connector gsheetconnector-easy-digital-downloads
Edd Google Sheet Connector Pro edd-google-sheet-connector-pro
Elementor Website Builder – More Than Just a Page Builder elementor
Erima Zarinpal Donate erima-zarinpal-donate
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates essential-blocks
Events Manager – Calendar, Bookings, Tickets, and more! events-manager
Exclusive Addons for Elementor exclusive-addons-for-elementor
Exertio Framework exertio-framework
EZ InLinkz linkup inlinkz-scripter
F12-Profiler f12-profiler
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty chaty
Fluent Support – Helpdesk & Customer Support Ticket System fluent-support
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel foogallery
Forex Calculators fx-calculators
Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator
Fresh Framework fresh-framework
GenerateBlocks generateblocks
Get Posts nurelm-get-posts
Google Maps for WordPress google-maps-for-wordpress
Gutenberg Blocks with AI by Kadence WP – Page Builder Features kadence-blocks
Hover Image Button hover-image-button
Ibtana – WordPress Website Builder ibtana-visual-editor
Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite
IP2Location Redirection ip2location-redirection
Jeg Elementor Kit jeg-elementor-kit
JPG, PNG Compression and Optimization wp-image-compression
Just Variables just-wp-variables
KiviCare – Clinic & Patient Management System (EHR) kivicare-clinic-management-system
Link My Posts linkmyposts
List Related Attachments list-related-attachments-widget
Live Streaming Video Player – by SRS Player srs-player
Local Search SEO Contact Page local-search-seo-contact-page
mEintopf meintopf
MemberSpace – Membership Plugin and Paid Subscriptions memberspace
Minimum Password Strength minimum-password-strength
MK Google Directions google-distance-calculator
Modal Portfolio modal-portfolio
Multilevel Referral Affiliate Plugin for WooCommerce multilevel-referral-plugin-for-woocommerce
My Quota my-quota
Namaste! LMS namaste-lms
NextMove Lite – Thank You Page for WooCommerce woo-thank-you-page-nextmove-lite
NHR Options Table Manager nhrrob-options-table-manager
Ninja Pages ninja-page-categories-and-tags
OneStore Sites onestore-sites
Order Attachments for WooCommerce order-attachments-for-woocommerce
Page Builder by SiteOrigin siteorigin-panels
Passbeemedia Web Push Notification passbeemedia-web-push-notifications
Pathomation pathomation
Phee’s LinkPreview linkpreview
Photo Gallery ( Responsive ) photo-gallery-pearlbells
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons contest-gallery
Pie Register Premium pie-register-premium
PiwigoPress piwigopress
PixelYourSite – Your smart PIXEL (TAG) & API Manager pixelyoursite
PlayerJS playerjs
Post Grid and Gutenberg Blocks – ComboBlocks post-grid
Pricing Table by PickPlugins pricingtable
Private Content private-content
Product Catalog Simple post-type-x
Profile Widget Ninja profile-widget-ninja
Quiz Organizer quiz-organizer
Quotes llama quotes-llama
RateMyAgent Official ratemyagent-official
RAYS Grid rays-grid
Reactive Mortgage Calculator reactive-mortgage-calculator
School Management System – SakolaWP sakolawp-lite
SecuPress Free — WordPress Security secupress
Secure Copy Content Protection and Content Locking secure-copy-content-protection
SetSail Membership setsail-membership
Simple Download Counter simple-download-counter
Simple Google Sitemap simple-google-sitemap
Simple:Press Forum simplepress
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) sina-extension-for-elementor
Site Mailer – SMTP Replacement, Email API Deliverability & Email Log site-mailer
SKU Generator for WooCommerce sku-for-woocommerce
Smart Maintenance & Countdown smart-maintenance-countdown
Social Share And Social Locker – ARSocial social-share-and-social-locker-arsocial
SpotBot spotbot
Sticky Header On Scroll sticky-header-on-scroll
Subscriptions & Memberships for PayPal subscriptions-memberships-for-paypal
SureMembers suremembers
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity surveyjs
SVG Support svg-support
Table of Contents Block table-of-contents
Tabs for WooCommerce wc-tabs
TemplatesNext ToolKit templatesnext-toolkit
Templines Elementor Helper Core templines-helper-core
The Ark | WordPress Theme made for Freelancers ark-core
ThemeMakers PayPal Express Checkout tmm_paypal_checkout
ThemeMakers Stripe Checkout tmm_stripe_checkout
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid boldgrid-backup
Ultra Addons Lite for Elementor ut-elementor-addons-lite
URL Media Uploader url-media-uploader
User Registration & Membership – Custom Registration Form, Login Form, and User Profile user-registration
VG PostCarousel vg-postcarousel
Video.js HLS Player videojs-hls-player
ViperBar viperbar
WHMCS Client Area for WordPress by WHMpress WHMpress_Client_Area_Api
WHMpress – WHMCS WordPress Integration Plugin whmpress
WooCommerce Display Products by Tags woocommerce-display-products-by-tags
WooCommerce Recargo de Equivalencia woo-recargo-de-equivalencia
WooCommerce Ultimate Gift Card woocommerce-ultimate-gift-card
Woocommerce – Loi Hamon loi-hamon
WordPress File Upload wp-file-upload
WOW Entrance Effects (WEE!) wow-entrance-effects-wee
WP About Author wp-about-author
WP Activity Log wp-security-audit-log
WP Posts Carousel wp-posts-carousel
WP Sitemap wp-sitemap
Wp Social Login and Register Social Counter wp-social
WP Social SEO Booster – Knowledge Graph Social Signals SEO wp-social-seo-booster
WP tarteaucitron.js Self Hosted wp-tarteaucitron-js-self-hosted
WP Video Posts wp-video-posts
WP-Asambleas wp-asambleas
WP-PManager wp-programmmanager
WP-PostRatings Cheater wp-postratings-cheater
wpForo Forum wpforo
Yawave yawave
Önceki Yazı Link onceki-yazi-linki
无觅相关文章插件 wumii-related-posts

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Bricks bricks
Car Dealer Automotive WordPress Theme – Responsive cardealer
Enfold – Responsive Multi-Purpose Theme enfold
Nokri – Job Board WordPress Theme nokri
Travel Booking WordPress Theme traveler

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Academist Membership <= 1.1.6 – Authentication Bypass via Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-1671
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Academist Membership
Researcher
More Details >

Alloggio Membership <= 1.1 – Authentication Bypass via Social Login Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-1638
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Alloggio Membership
Researcher
More Details >

Ark Theme Core <= 1.70.0 – Unauthenticated Remote Code Execution

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-26970
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
The Ark | WordPress Theme made for Freelancers
Researcher
More Details >

DHVC Form <= 2.4.7 – Unauthenticated Privilege Escalation

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-8420
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
DHVC Form
Researcher
More Details >

Fresh Framework <= 1.70.0 – Unauthenticated Remote Code Execution

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-26936
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Fresh Framework
Researcher
More Details >

Nokri – Job Board WordPress Theme <= 1.6.2 – Unauthenticated Arbitrary Password Change

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-12824
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Nokri – Job Board WordPress Theme
Researcher
More Details >

Private Content <= 8.11.5 – Unauthenticated Privilege Escalation via Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-26966
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Private Content
Researcher
More Details >

SetSail Membership <= 1.0.3 – Authentication Bypass via Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-1564
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
SetSail Membership
Researcher
More Details >

WHMpress <= 6.3-revision-0 – Unauthenticated Local File Inclusion to Arbitrary Options Update

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-9193
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
WHMpress – WHMCS WordPress Integration Plugin
Researcher
More Details >

WooCommerce Ultimate Gift Card <= 2.6.0 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-8425
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
WooCommerce Ultimate Gift Card
Researcher
More Details >

Car Dealer Automotive WordPress Theme – Responsive <= 1.6.3 – Authenticated (Subscriber+) Arbitrary File Deletion and Read

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1282
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Car Dealer Automotive WordPress Theme – Responsive
Researcher
More Details >

Cardealer <= 1.6.4 – Arbitrary Theme Option Update to Authenticated (Subscriber+) Privilege Escalation

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1682
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Car Dealer Automotive WordPress Theme – Responsive
Researcher
More Details >

Cardealer <= 1.6.4 – Cross-Site Request Forgery to User Update via update_user_profile

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1687
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Car Dealer Automotive WordPress Theme – Responsive
Researcher
More Details >

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.17 – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion via SurveyJS_DeleteFile

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-12544
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity
Researcher
More Details >

Templines Elementor Helper Core <= 2.7 – Authenticated (Subscriber+) Privilege Escalation

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1295
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Templines Elementor Helper Core
Researcher
More Details >

Traveler <= 3.1.8 – Authenticated (Contributor+) Local File Inclusion via Shortcode

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-12811
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
Travel Booking WordPress Theme
Researcher
More Details >

VG PostCarousel <= 1.1 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-27272
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
VG PostCarousel
Researcher
More Details >

WHMPress – WHMCS Client Area <= 4.3-revision-3- Authenticated (Subscriber+) Arbitrary Options Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-9195
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
WHMCS Client Area for WordPress by WHMpress
Researcher
More Details >

WP Video Posts <= 3.5.1 – Cross-Site Request Forgery to Remote Code Execution

8.3
CVSS Rating
High (8.3)
CVE-ID
CVE-2025-27298
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WP Video Posts
Researcher
More Details >

Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.1 – Privilege Escalation and Account Takeover via Weak OTP

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-1570
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Researcher
More Details >

Exertio Framework <= 1.3.1 – Unauthenticated Arbitrary User Password Update

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2024-13373
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Exertio Framework
Researcher
More Details >

Login Me Now <= 1.7.2 – Authentication Bypass

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-1717
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
1 click passwordless login, temporary login, social login & user switching – Login Me Now
Researcher
More Details >

PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 10.1.1.1 – Unauthenticated PHP Object Injection

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-0769
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
PixelYourSite – Your smart PIXEL (TAG) & API Manager
Researcher
More Details >

Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13611
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Researcher
More Details >

Fluent Support – Helpdesk & Customer Support Ticket System <= 1.8.5 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13568
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Fluent Support – Helpdesk & Customer Support Ticket System
Researcher
More Details >

Yawave <= 2.9.1 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-1648
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Yawave
Researcher
More Details >

WP-Asambleas <= 2.85.0 – Unauthenticated Arbitrary Shortcode Execution

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2025-27294
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WP-Asambleas
Researcher
More Details >

ADFO – Custom data in admin dashboard <= 1.9.1 – Authenticated (Admin+) PHP Object Injection

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-27300
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
ADFO – Custom data in admin dashboard
Researcher
More Details >

Album Gallery – WordPress Gallery <= 1.6.3 – Authenticated (Editor+) PHP Object Injection via Gallery Meta

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13833
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Album Gallery – WordPress Gallery
Researcher
More Details >

Database Backup and check Tables Automated With Scheduler 2024 <= 2.35 – Authenticated (Administrator+) Sensitive Information Exposure

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13911
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Database Backup and check Tables Automated With Scheduler 2024
Researcher
More Details >

Database Backup and check Tables Automated With Scheduler 2024 <= 2.36 – Authenticated (Administrator+) Arbitrary File Deletion

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13910
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Database Backup and check Tables Automated With Scheduler 2024
Researcher
More Details >

NHR Options Table Manager <= 1.1.2 – Authenticated (Admin+) PHP Object Injection

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-27301
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
NHR Options Table Manager
Researcher
More Details >

Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons <= 26.0.0.1 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-1513
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons
Researcher
More Details >

Site Mailer <= 1.2.3 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-1319
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Site Mailer – SMTP Replacement, Email API Deliverability & Email Log
Researcher
More Details >

Tabs for WooCommerce <= 1.0.0 – Authentiated (Shop Manager+) PHP Object Injection in product_has_custom_tabs

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13831
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
Tabs for WooCommerce
Researcher
More Details >

Bricksbuilder <= 1.9.6.1 – Authenticated (Contributor+) Privilege Escalation via create_autosave

7.1
CVSS Rating
High (7.1)
CVE-ID
CVE-2024-2297
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Bricks
Researcher
More Details >

WP Activity Log <= 5.3.2 – Authenticated (Admin+) PHP Object Injection

6.6
CVSS Rating
Medium (6.6)
CVE-ID
CVE-2025-0767
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
WP Activity Log
Researcher
More Details >

Authors List <= 2.0.6 – Unauthenticated Arbitrary Shortcode Execution

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13806
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Authors List
Researcher
More Details >

Booking Calendar and Notification <= 4.0.3 – Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13746
Patch Status
Unpatched
Published
Feb 28, 2025
Affected Software
Booking Calendar and Notification
Researchers
More Details >

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.7 – Authenticated (Doctor+) SQL Injection via ‘u_id’ Parameter

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-1572
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
KiviCare – Clinic & Patient Management System (EHR)
Researcher
More Details >

Multilevel Referral Affiliate Plugin for WooCommerce <= 2.27 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13750
Patch Status
Unpatched
Published
Feb 28, 2025
Affected Software
Multilevel Referral Affiliate Plugin for WooCommerce
Researcher
More Details >

Simple Download Counter <= 2.0 – Authenticated (Author+) Arbitrary File Read

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-1730
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Simple Download Counter
Researcher
More Details >

WP Sitemap <= 1.0 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-27312
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WP Sitemap
Researcher
More Details >

wpForo Forum <= 2.4.1 – Authenticated (Subscriber+) Arbitrary File Read in update

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-0764
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
wpForo Forum
Researcher
More Details >

Archive Page <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27280
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Archive Page
Researcher
More Details >

BuddyBoss Platform <= 2.7.70 – Authenticated (Subscriber+) Stored Cross-Site Scripting via ‘link_title’

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13402
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Buddyboss Platform
Researcher
More Details >

BuddyHolis TableSearch <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
Unknown
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
BuddyHolis TableSearch
Researcher
More Details >

Card Elements for Elementor <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Profile Card Widget

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13734
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Card Elements for Elementor
Researcher
More Details >

Clicface Trombi <= 2.08 – Authenticated (Contributor+) Stored Cross-Site Scripting via nom Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-0820
Patch Status
Unpatched
Published
Feb 28, 2025
Affected Software
Clicface Trombi
Researcher
More Details >

Direct Checkout Button for WooCommerce <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27347
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Direct Checkout Button for WooCommerce
Researcher
More Details >

Elementor Website Builder <= 3.25.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-54444
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Elementor Website Builder – More Than Just a Page Builder
Researcher
More Details >

Enfold <= 6.0.9 – Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13695
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Enfold – Responsive Multi-Purpose Theme
Researcher
More Details >

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13803
Patch Status
Patched
Published
Feb 25, 2025
Affected Software
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Researcher
More Details >

Exclusive Addons for Elementor <= 2.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Image Comparison Widgets

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1571
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Exclusive Addons for Elementor
Researcher
More Details >

EZ InLinkz linkup <= 0.18 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27329
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
EZ InLinkz linkup
Researcher
More Details >

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty <= 3.3.5 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1450
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty
Researcher
More Details >

Forminator <= 1.39.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-0469
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher
More Details >

Get Posts <= 0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27349
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Get Posts
Researcher
More Details >

Google Maps for WordPress <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27265
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Google Maps for WordPress
Researcher
More Details >

Gutenberg Blocks by Kadence Blocks <= 3.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘icon’

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1291
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Researcher
More Details >

Hover Image Button <= 1.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27266
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Hover Image Button
Researcher
More Details >

Ibtana <= 1.2.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-26891
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Ibtana – WordPress Website Builder
Researcher
More Details >

Image Photo Gallery Final Tiles Grid <= 3.6.0 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-6261
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Image Photo Gallery Final Tiles Grid
Researcher
More Details >

List Related Attachments <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-26897
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
List Related Attachments
Researcher
More Details >

Live Streaming Video Player – by SRS Player <= 1.0.18 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27327
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Live Streaming Video Player – by SRS Player
Researcher
More Details >

Local Search SEO Contact Page <= 4.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27351
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Local Search SEO Contact Page
Researcher
More Details >

MK Google Directions <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12820
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
MK Google Directions
Researcher
More Details >

Page Builder by SiteOrigin <= 2.31.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1459
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Page Builder by SiteOrigin
Researcher
More Details >

Pathomation <= 2.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27306
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Pathomation
Researcher
More Details >

PiwigoPress <= 2.33 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-26896
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
PiwigoPress
Researcher
More Details >

PlayerJS <= 2.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27330
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
PlayerJS
Researcher
More Details >

Pricing Table by PickPlugins <= 1.12.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13469
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
Pricing Table by PickPlugins
Researcher
More Details >

Product Catalog Simple <= 1.7.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via show_products Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1405
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Product Catalog Simple
Researcher
More Details >

Profile Widget Ninja <= 4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27320
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Profile Widget Ninja
Researcher
More Details >

Quotes llama <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27307
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Quotes llama
Researcher
More Details >

Reactive Mortgage Calculator <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27341
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Reactive Mortgage Calculator
Researcher
More Details >

SecuPress Free — WordPress Security <= 2.2.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via secupress_check_ban_ips_form Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9019
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
SecuPress Free — WordPress Security
Researcher
More Details >

Sina Extension for Elementor <= 3.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text, Countdown Widget, and Login Form Shortcodes

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1517
Patch Status
Patched
Published
Feb 25, 2025
Affected Software
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Researcher
More Details >

Table of Contents Block <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27305
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Table of Contents Block
Researcher
More Details >

TemplatesNext ToolKit <= 3.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13559
Patch Status
Unpatched
Published
Feb 28, 2025
Affected Software
TemplatesNext ToolKit
Researcher
More Details >

ThemeMakers PayPal Express Checkout <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1689
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
ThemeMakers PayPal Express Checkout
Researcher
More Details >

ThemeMakers Stripe Checkout <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1690
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
ThemeMakers Stripe Checkout
Researcher
More Details >

URL Media Uploader <= 1.0.0 – Authenticated (Author+) Server-Side Request Forgery via DNS Rebinding

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1662
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
URL Media Uploader
Researcher
More Details >

Video.js HLS Player <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27325
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Video.js HLS Player
Researcher
More Details >

WooCommerce Display Products by Tags <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27331
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WooCommerce Display Products by Tags
Researcher
More Details >

WOW Entrance Effects (WEE!) <= 0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1560
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
WOW Entrance Effects (WEE!)
Researcher
More Details >

WP About Author <= 1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27323
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WP About Author
Researcher
More Details >

WP Posts Carousel <= 1.3.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play_timeout Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1491
Patch Status
Patched
Published
Mar 1, 2025
Affected Software
WP Posts Carousel
Researcher
More Details >

WP Social SEO Booster – Knowledge Graph Social Signals SEO <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27348
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WP Social SEO Booster – Knowledge Graph Social Signals SEO
Researcher
More Details >

Add Linked Images To Gallery <= 1.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-27277
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Add Linked Images To Gallery
Researcher
More Details >

Advanced AJAX Product Filters <= 1.6.8.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-1505
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Advanced AJAX Product Filters
Researcher
More Details >

Blightly Explorer <= 2.3.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-27321
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Blighty Explorer
Researcher
More Details >

Currency Switcher for WooCommerce <= 2.16.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-9217
Patch Status
Unpatched
Published
Feb 28, 2025
Affected Software
Currency Switcher for WooCommerce
Researcher
More Details >

Download HTML TinyMCE Button <= 1.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-1286
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
Download HTML TinyMCE Button
Researcher
More Details >

FooGallery <= 2.4.29 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22624
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Researcher
More Details >

Just Variables <= 1.2.3 – Cross-Site Request Forgery

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-27336
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Just Variables
Researcher
More Details >

Link My Posts <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13881
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
Link My Posts
Researcher
More Details >

mEintopf <= 0.2.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13876
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
mEintopf
Researcher
More Details >

MemberSpace <= 2.1.13 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13727
Patch Status
Patched
Published
Mar 2, 2025
Affected Software
MemberSpace – Membership Plugin and Paid Subscriptions
Researcher
More Details >

My Quota <= 1.0.8 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13880
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
My Quota
Researcher
More Details >

Passbeemedia Web Push Notification <= 1.0.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13877
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
Passbeemedia Web Push Notification
Researcher
More Details >

SKU Generator for WooCommerce <= 1.6.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-9212
Patch Status
Unpatched
Published
Feb 28, 2025
Affected Software
SKU Generator for WooCommerce
Researcher
More Details >

Smart Maintenance & Countdown <= 1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-27332
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Smart Maintenance & Countdown
Researcher
More Details >

SpotBot <= 0.1.8 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13878
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
SpotBot
Researcher
More Details >

User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.0.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-1511
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
User Registration & Membership – Custom Registration Form, Login Form, and User Profile
Researcher
More Details >

ViperBar <= 2.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26557
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
ViperBar
Researcher
More Details >

Woocommerce – Loi Hamon <= 1.1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-27355
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Woocommerce – Loi Hamon
Researcher
More Details >

WP tarteaucitron.js Self Hosted <= 1.2.4 – Running a Vulnerable Dependency

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2023-3620
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WP tarteaucitron.js Self Hosted
Researcher(s): Unknown
More Details >

WP-PManager <= 1.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13875
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
WP-PManager
Researcher
More Details >

无觅相关文章插件 <= 1.0.5.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-27352
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
无觅相关文章插件
Researcher
More Details >

Order Attachments for WooCommerce <= 2.5.1 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory

5.9
CVSS Rating
Medium (5.9)
CVE-ID
CVE-2024-13638
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
Order Attachments for WooCommerce
Researcher
More Details >

Modal Portfolio <= 1.7.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-13851
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
Modal Portfolio
Researchers
More Details >

Cardealer <= 1.6.4 – Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-1681
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Car Dealer Automotive WordPress Theme – Responsive
Researcher
More Details >

SVG Support <= 2.5.8 – Stored Cross-Site Scripting via Vulnerability Dependency

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2022-23638
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
SVG Support
Researcher(s): Unknown
More Details >

Advanced Google reCaptcha <= 1.27 – Built-in Math CAPTCHA Bypass

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1262
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Advanced Google reCAPTCHA
Researcher
More Details >

Classified Listing – Classified ads & Business Directory Plugin <= 4.0.4 – Unauthenticated Settings Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1063
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Classified Listing – Classified ads & Business Directory Plugin
Researcher
More Details >

Enfold <= 6.0.9 – Missing Authorization to Sensitive Information Disclosure in avia-export-class.php

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13693
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Enfold – Responsive Multi-Purpose Theme
Researcher
More Details >

Events Manager – Calendar, Bookings, Tickets, and more! <= 6.6.4.1 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1249
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Events Manager – Calendar, Bookings, Tickets, and more!
Researcher
More Details >

IP2Location Redirection <= 1.33.3 – Missing Authorization to Unauthenticated Settings Export

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1502
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
IP2Location Redirection
Researcher
More Details >

OneStore Sites <= 0.1.1 – Unauthenticated Blind Server-Side Request Forgery

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13905
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
OneStore Sites
Researcher
More Details >

Post Grid and Gutenberg Blocks – ComboBlocks <= 2.3.6 – Unauthenticated User Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13796
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Post Grid and Gutenberg Blocks – ComboBlocks
Researcher
More Details >

Secure Copy Content Protection and Content Locking <= 4.4.7 – Missing Authorization to Unauthenticated User Email Retrieval via ays_sccp_reports_user_search Function

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1404
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Secure Copy Content Protection and Content Locking
Researcher
More Details >

SureMembers <= 1.10.6 – Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12434
Patch Status
Patched
Published
Feb 25, 2025
Affected Software
SureMembers
Researcher
More Details >

Bravo Search & Replace <= 1.0 – Authenticated (Administrator+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-27297
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Bravo Search & Replace
Researcher
More Details >

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid <= 1.16.8 – Authenticated (Administrator+) Server-Side Request Forgery

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-13907
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
Researcher
More Details >

Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 – Unauthenticated Limited Server-Side Request Forgery in nice_links

4.8
CVSS Rating
Medium (4.8)
CVE-ID
CVE-2024-13697
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Researcher
More Details >

Contact Form 7 Star Rating <= 1.10 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-27303
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Contact Form 7 Star Rating
Researcher
More Details >

Contact Form 7 Star Rating with font Awesome <= 1.3 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-27304
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Contact Form 7 Star Rating with font Awesome
Researcher
More Details >

Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site <= 2.0.6 – Authenticated (Administrator+) DOM-Based Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-13901
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site
Researcher
More Details >

Ninja Pages <= 1.4.2 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-1454
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
Ninja Pages
Researcher
More Details >

Quiz Organizer <= 2.9.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6810
Patch Status
Unpatched
Published
Feb 25, 2025
Affected Software
Quiz Organizer
Researcher
More Details >

Social Share And Social Locker – ARSocial <= 1.4.1 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-11189
Patch Status
Patched
Published
Feb 25, 2025
Affected Software
Social Share And Social Locker – ARSocial
Researcher
More Details >

Admin Menu Manager <= 1.0.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-26925
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
Admin Menu Manager
Researcher
More Details >

All-In-One Cufon <= 1.3.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27315
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
All-In-One Cufon
Researcher
More Details >

Animated Text Block <= 1.0.7 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-26883
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Animated Text Block
Researcher
More Details >

Auto Tag Links <= 1.0.13 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27335
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Auto Tag Links
Researcher
More Details >

Booknetic <= 4.0.9 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-26926
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Booknetic
Researcher
More Details >

BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.24 – Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13358
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages
Researcher
More Details >

BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.25 – Cross-Site Request Forgery to Limited Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1780
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages
Researcher
More Details >

Bulk Content Creator <= 1.2.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27311
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Bulk Content Creator
Researcher
More Details >

DefendWP Firewall <= 1.1.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22280
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
DefendWP Firewall
Researcher
More Details >

Easy Digital Downloads Google Sheet Connector <= 1.6.6 – Cross-Site Request Forgery to Access Code Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2023-2334
Patch Status
Patched
Published
Mar 2, 2025
Affected Software
Edd Google Sheet Connector Pro
Easy Digital Downloads Google Sheet Connector
Researcher
More Details >

Erima Zarinpal Donate <= 1.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27290
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Erima Zarinpal Donate
Researcher
More Details >

F12-Profiler <= 1.3.9 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27340
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
F12-Profiler
Researcher
More Details >

Forex Calculators <= 1.3.7 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13716
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Forex Calculators
Researcher
More Details >

GenerateBlocks <= 1.9.1 – Authenticated (Contributor+) Sensitive Information Exposure via ‘get_image_description’

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13546
Patch Status
Patched
Published
Feb 28, 2025
Affected Software
GenerateBlocks
Researcher
More Details >

Jeg Elementor Kit <= 2.6.11 – Authenticated (Contributor+) Sensitive Information Exposure via Countdown and Off-Canvas

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13217
Patch Status
Patched
Published
Feb 26, 2025
Affected Software
Jeg Elementor Kit
Researcher
More Details >

JPG, PNG Compression and Optimization <= 1.7.35 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27316
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
JPG, PNG Compression and Optimization
Researcher
More Details >

Minimum Password Strength <= 1.2.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27339
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Minimum Password Strength
Researcher
More Details >

Namaste! LMS <= 2.6.5 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27353
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Namaste! LMS
Researcher
More Details >

NextMove Lite – Thank You Page for WooCommerce <= 2.19.0 – Missing Authorization to Authenticated (Subscriber+) Deactivation Reason Submission

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-10860
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
NextMove Lite – Thank You Page for WooCommerce
Researcher
More Details >

Ă–nceki Yazı Link <= 1.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27357
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Önceki Yazı Link
Researcher
More Details >

Phee’s LinkPreview <= 1.6.7 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27344
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Phee’s LinkPreview
Researcher
More Details >

Photo Gallery ( Responsive ) <= 4.0 – Cross-Site Request Forgery to Privilege Escalation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27276
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Photo Gallery ( Responsive )
Researcher
More Details >

Pie Register Premium <= 3.8.3.2 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-26948
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Pie Register Premium
Researcher
More Details >

RateMyAgent Official <= 1.4.0 – Cross-Site Request Forgery to API Key Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-0801
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
RateMyAgent Official
Researcher
More Details >

RAYS Grid <= 1.3.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27317
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
RAYS Grid
Researcher
More Details >

School Management System – SakolaWP <= 1.0.8 – Cross-Site Request Forgery to Exam Setting Manipulation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13647
Patch Status
Unpatched
Published
Feb 26, 2025
Affected Software
School Management System – SakolaWP
Researcher
More Details >

Simple Google Sitemap <= 1.6 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27318
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Simple Google Sitemap
Researcher
More Details >

Simple:Press <= 6.10.11 – Cross-Site Request Forgery to Unauthorized Post Editing

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13518
Patch Status
Unpatched
Published
Feb 28, 2025
Affected Software
Simple:Press Forum
Researcher
More Details >

Sticky Header On Scroll <= 1.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27356
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
Sticky Header On Scroll
Researcher
More Details >

Subscriptions & Memberships for PayPal <= 1.1.6 – Cross-Site Request Forgery to Arbitrary Post Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13560
Patch Status
Patched
Published
Feb 25, 2025
Affected Software
Subscriptions & Memberships for PayPal
Researcher
More Details >

Ultra Addons Lite for Elementor <= 1.1.8 – Authenticated (Contributor+) Restricted Post Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13832
Patch Status
Unpatched
Published
Feb 27, 2025
Affected Software
Ultra Addons Lite for Elementor
Researcher
More Details >

WooCommerce Recargo de Equivalencia <= 1.6.24 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27342
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WooCommerce Recargo de Equivalencia
Researcher
More Details >

WordPress File Upload <= 4.25.2 – Cross-Site Request Forgery in wfu_file_details

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13494
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
WordPress File Upload
Researcher
More Details >

Wp Social Login and Register Social Counter <= 3.1.0 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1506
Patch Status
Patched
Published
Feb 27, 2025
Affected Software
Wp Social Login and Register Social Counter
Researcher
More Details >

WP-PostRatings Cheater <= 1.5 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27328
Patch Status
Unpatched
Published
Feb 24, 2025
Affected Software
WP-PostRatings Cheater
Researcher
More Details >

Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue <= 1.5 – Missing Authorization to Authenticated (Editor+) Settings Update

2.7
CVSS Rating
Low (2.7)
CVE-ID
CVE-2025-27296
Patch Status
Patched
Published
Feb 24, 2025
Affected Software
Auto Ad Inserter – Increase Google Adsense and Ad Manager Revenue
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 24, 2025 to March 2, 2025) appeared first on Wordfence.

Leave a Comment