Wordfence Intelligence Weekly WordPress Vulnerability Report (March 10, 2025 to March 16, 2025)

by

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 147 vulnerabilities disclosed in 125 WordPress Plugins and 7 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 24,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-813 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-814 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 50
Unpatched 97

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 114
High Severity 24
Critical Severity 9

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 45
Cross-Site Request Forgery (CSRF) 43
Missing Authorization 20
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 8
Authentication Bypass Using an Alternate Path or Channel 5
Authorization Bypass Through User-Controlled Key 5
Deserialization of Untrusted Data 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 2
Improper Control of Generation of Code (‘Code Injection’) 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 2
Improper Privilege Management 2
Authentication Bypass by Alternate Name 1
Exposure of Private Personal Information to an Unauthorized Actor 1
Exposure of Sensitive Information to an Unauthorized Actor 1
Improper Access Control 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 1
Incorrect Privilege Assignment 1
Relative Path Traversal 1
Server-Side Request Forgery (SSRF) 1
Unrestricted Upload of File with Dangerous Type 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1
Use of Hard-coded Cryptographic Key 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
15
13
12
10
9
9
8
6
6
5
4
3
3
3
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Accounting for WooCommerce accounting-for-woocommerce
All-in-One WP Migration and Backup all-in-one-wp-migration
AnalyticsWP analyticswp
Another Events Calendar another-events-calendar
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin simply-schedule-appointments
AppPresser – Mobile App Framework apppresser
Appsero Helper appsero-helper
ArielBrailovsky-ViralAd arielbrailovsky-viralad
AS English Admin as-english-admin
Awesome Surveys awesome-surveys
Back To Top backtotop
binlayerpress binlayerpress
Block Spam By Math Reloaded block-spam-by-math-reloaded
BlogBuzzTime for WP blogbuzztime-for-wp
BP Email Assign Templates bp-email-assign-templates
Builder for Contact Form 7 by Webconstruct – Drag & Drop Contact Form Builder cf7-builder
Business Directory Plugin – Easy Listing Directories for WordPress business-directory-plugin
CC-IMG-Shortcode cc-img-shortcode
CM FAQ – Simplify support with an intuitive FAQ management tool cm-faq
Comment Date and Gravatar remover remove-date-and-gravatar-under-comment
Contact Form 7 Select Box Editor Button contact-form-7-select-box-editor-button
CRM and Lead Management by vcita crm-customer-relationship-management-by-vcita
Custom Dashboard Page custom-dashboard-page
Custom top bar custom-top-bar
Delete Original Image delete-original-image
DethemeKit for Elementor dethemekit-for-elementor
Directory Listings WordPress plugin – uListing ulisting
Display Template Name display-template-name
Domain Theme domain-theme
Download Manager download-manager
DP ALTerminator – Missing ALT manager dp-alterminator-missing-alt-manager
Easy Image Display easy-image-display
Event post event-post
Featured Image Thumbnail Grid thumbnail-grid
Featured Posts Grid featured-posts-grid
Finale Lite – Sales Countdown Timer & Discount for WooCommerce finale-woocommerce-sales-countdown-timer-discount
Frontpage category filter frontpage-category-filter
FTP Sync – Theme, Media & Plugin Files ftp-sync
GetSocial getsocial
GiveWP – Donation Plugin and Fundraising Platform give
GNUCommerce gnucommerce
GNUPress gnupress
Go To Top go-to-top
Google News Editors Picks Feed Generator google-news-editors-picks-news-feeds
HUSKY – Products Filter Professional for WooCommerce woocommerce-products-filter
In Stock Mailer for WooCommerce in-stock-mailer-for-woocommerce
Insert Code insert-code
InstaWP Connect – 1-click WP Staging & Migration instawp-connect
JobCareer | Job Board Responsive WordPress Theme jobcareer
Lava Ajax Search lava-ajax-search
Layer Slider bee-layer-slider
List Mixcloud list-mixcloud
List of Posts from each Category plugin for WordPress list-posts-by-category
Login Logger login-logger
LoginPress | wp-login Custom Login Page Customizer loginpress
Lunar – Sell photos online lunar-sell-photos-online
Maintenance Notice maintenance-notice
MaxA/B maxab
Members page only for logged in users members-page-only-for-logged-in-users
MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet paid-membership
NEX-Forms – Ultimate Form Builder – Contact forms and much more nex-forms-express-wp-form-builder
No Disposable Email no-disposable-email
Omnipress omnipress
Page Builder: Pagelayer – Drag and Drop website builder pagelayer
Picture Gallery – Frontend Image Uploads, AJAX Photo List picture-gallery
pipDisqus – Lightweight Disqus Comments pipdisqus
pixelstats pixelstats
Plugin Name: amoCRM WebForm amocrm-webform
Plugins Last Updated Column plugins-last-updated-column
Portfolio and Projects portfolio-and-projects
Post Read Time post-read-time
price-calc price-calc
ProductDyno productdyno
Qubely – Advanced Gutenberg Blocks qubely
Rankchecker.io Integration rankchecker-io-integration
Realteo realteo
Responsive Google Map responsive-google-map
REST API TO MiniProgram rest-api-to-miniprogram
Review Schema – Review & Structure Data Schema Plugin review-schema
School Management System – WPSchoolPress wpschoolpress
Search & Filter Pro search-filter-pro
SecuPress Free — WordPress Security secupress
ShareThis Dashboard for Google Analytics googleanalytics
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) woolentor-addons
Simple Amazon Affiliate simple-amazon-affiliate
Skitter Slideshow wp-skitter-slideshow
Skrill – WooCommerce official-skrill-woocommerce
SoundRise Music soundrise-music
spam-byebye spam-byebye
Tabbed Login Widget tabbed-login
TabGarb Pro tabgarb
TBTestimonials tb-testimonials
ThemeEgg ToolKit themeegg-toolkit
Thumbnail carousel slider wp-responsive-thumbnail-slider
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin uncanny-automator
Video Share VOD – Turnkey Video Site Builder Script video-share-vod
VidoRev Extensions vidorev-extensions
W3Counter Free Real-Time Web Stats blog-stats-by-w3counter
WATI Chat and Notification wati-chat-and-notification
WC Affiliate – A Complete WooCommerce Affiliate Plugin wc-affiliate
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto tripetto
WordPress Hashtags wp-hashtags
wordpress login form to anywhere wp-show-login-form
WordPress Mobile Themes wp-mobile-themes
WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins reportattacks
Workreap workreap
WP Add Active Class To Menu Item wp-add-active-class-to-menu-item
WP Bulk Post Duplicator wp-bulk-post-duplicator
WP Compare Tables wp-compare-tables
WP Crowdfunding wp-crowdfunding
WP Ghost (Hide My WP Ghost) – Security & Firewall hide-my-wp
WP Hide Admin Bar wp-hide-admin-bar
WP JobHunt wp-jobhunt
WP jQuery Persian Datepicker wpjqp-datepicker
WP Last Modified wp-last-modified
WP No-Bot Question wp-no-bot-question
WP Performance Pack wp-performance-pack
WP Recipe Maker wp-recipe-maker
WP Simple Slideshow wp-simple-slideshow
WP Test Email wp-test-email
WP01 – Speed, Security, SEO consultant wp01
WPCOM Member wpcom-member
WPCS – WordPress Currency Switcher Professional currency-switcher
ZipList Recipe Plugin ziplist-recipe-plugin
Zoorum Comments zoorum-comments

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Civi – Job Board & Freelance Marketplace WordPress Theme civi
CiyaShop – Multipurpose WooCommerce Theme ciyashop
Eco Nature – Environment & Ecology WordPress Theme eco-nature
Industrial industrial
Resido – Real Estate WordPress Theme resido
Travel Booking WordPress Theme traveler
Zegen – Church WordPress Theme zegen

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Civi – Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 – Authentication Bypass via Password Update

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-13771
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
Civi – Job Board & Freelance Marketplace WordPress Theme
Researcher
More Details >

CiyaShop – Multipurpose WooCommerce Theme <= 4.19.0 – Unauthenticated PHP Object Injection

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-13824
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
CiyaShop – Multipurpose WooCommerce Theme
Researcher
More Details >

HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-1661
Patch Status
Patched
Published
Mar 10, 2025
Affected Software
HUSKY – Products Filter Professional for WooCommerce
Researcher
More Details >

Realteo – Real Estate Plugin by Purethemes <= 1.2.8 – Authentication Bypass via ‘do_register_user’

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-2232
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
Realteo
Researcher
More Details >

Traveler <= 3.1.8 – Unauthenticated Local File Inclusion via hotel_alone_load_more_post

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-1771
Patch Status
Patched
Published
Mar 14, 2025
Affected Software
Travel Booking WordPress Theme
Researcher
More Details >

Workreap <= 3.2.5 – Unauthenticated Privilege Escalation via Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-13446
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
Workreap
Researcher
More Details >

WP JobHunt <= 7.1 – Authentication Bypass

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-11286
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
WP JobHunt
Researcher
More Details >

WP JobHunt <= 7.1 – Unauthenticated Privilege Escalation via Email Update/Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-11285
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
WP JobHunt
Researcher
More Details >

WP JobHunt <= 7.1 – Unauthenticated Privilege Escalation via Password Reset/Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-11284
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
WP JobHunt
Researcher
More Details >

Directory Listings WordPress plugin – uListing <= 2.1.7 – Authenticated (Subscriber+) Privilege Escalation

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1653
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
Directory Listings WordPress plugin – uListing
Researcher
More Details >

Directory Listings WordPress plugin – uListing <= 2.1.7 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1657
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
Directory Listings WordPress plugin – uListing
Researcher
More Details >

Industrial <= 1.7.8 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-13376
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
Industrial
Researcher
More Details >

InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.83 – Cross-Site Request Forgery to Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-13913
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
InstaWP Connect – 1-click WP Staging & Migration
Researcher
More Details >

JobCareer | Job Board Responsive WordPress Theme <= 7.1 – Missing Authorization to Authenticated (Subscriber+) Multiple Administrative Actions

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-12810
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
JobCareer | Job Board Responsive WordPress Theme
Researcher
More Details >

Review Schema <= 2.2.4 – Authenticated (Contributor+) Local File Inclusion via Post Meta

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1707
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
Review Schema – Review & Structure Data Schema Plugin
Researcher
More Details >

School Management System – WPSchoolPress <= 2.2.16 – Missing Authorization to Privilege Escalation via Account Takeover

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1667
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
School Management System – WPSchoolPress
Researcher
More Details >

SoundRise Music <= 1.7 – Authenticated (Subscriber+) Arbitrary Options Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-2103
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
SoundRise Music
Researcher
More Details >

Eco Nature – Environment & Ecology WordPress Theme <= 2.0.4 – Missing Authorization to Authenticated (Subscriber+) Limited Options Update

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-0952
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
Eco Nature – Environment & Ecology WordPress Theme
Researcher
More Details >

All in One WP Migration <= 7.89 – Unauthenticated PHP Object Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-10942
Patch Status
Patched
Published
Mar 12, 2025
Affected Software
All-in-One WP Migration and Backup
Researcher
More Details >

AnalyticsWP <= 2.0.0 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13321
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
AnalyticsWP
Researcher
More Details >

Arielbrailovsky-Viralad <= 1.0.8 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-2106
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
ArielBrailovsky-ViralAd
Researcher
More Details >

Arielbrailovsky-Viralad <= 1.0.8 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-2107
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
ArielBrailovsky-ViralAd
Researcher
More Details >

LoginPress <= 3.3.1 – Cross-Site Request Forgery to Arbitrary Options Update

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-1764
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
LoginPress | wp-login Custom Login Page Customizer
Researcher
More Details >

WP Ghost <= 5.4.01 – Unauthenticated Limited File Read

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-2056
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
WP Ghost (Hide My WP Ghost) – Security & Firewall
Researcher
More Details >

WP JobHunt <= 7.1 – Authentication Bypass to Candidate

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-11283
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
WP JobHunt
Researcher
More Details >

WPCOM Member <= 1.7.6 – Unauthenticated Time-Based SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-2221
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
WPCOM Member
Researcher
More Details >

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.8.5 – Unauthenticated Arbitrary Shortcode Execution

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2025-1119
Patch Status
Patched
Published
Mar 12, 2025
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Researcher
More Details >

Civi – Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 – Sensitive Information Exposure

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2024-13773
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
Civi – Job Board & Freelance Marketplace WordPress Theme
Researcher
More Details >

WPCS – WordPress Currency Switcher Professional <= 1.2.0.4 – Unauthenticated Arbitrary Shortcode Execution

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2025-2169
Patch Status
Patched
Published
Mar 10, 2025
Affected Software
WPCS – WordPress Currency Switcher Professional
Researcher
More Details >

AppPresser – Mobile App Framework <= 4.4.10 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-1561
Patch Status
Patched
Published
Mar 12, 2025
Affected Software
AppPresser – Mobile App Framework
Researcher
More Details >

ThemeEgg ToolKit <= 1.2.9 – Authenticated (Administrator+) Arbitrary File Upload

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-28915
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
ThemeEgg ToolKit
Researcher
More Details >

WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.9 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13497
Patch Status
Patched
Published
Mar 14, 2025
Affected Software
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto
Researcher
More Details >

WP Test Email <= 1.1.8 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-2325
Patch Status
Patched
Published
Mar 14, 2025
Affected Software
WP Test Email
Researcher
More Details >

BP Email Assign Templates <= 1.6 – Missing Authorization to Authorization Bypass

6.8
CVSS Rating
Medium (6.8)
CVE-ID
CVE-2025-28874
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
BP Email Assign Templates
Researcher
More Details >

Give <= 3.22.0 – Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-2025
Patch Status
Patched
Published
Mar 14, 2025
Affected Software
GiveWP – Donation Plugin and Fundraising Platform
Researcher
More Details >

School Management System – WPSchoolPress <= 2.2.16 – Authenticated (Parent+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-1670
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
School Management System – WPSchoolPress
Researcher
More Details >

School Management System – WPSchoolPress <= 2.2.16 – Authenticated (Teacher+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-1669
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
School Management System – WPSchoolPress
Researcher
More Details >

WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.5.3 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-12336
Patch Status
Patched
Published
Mar 14, 2025
Affected Software
WC Affiliate – A Complete WooCommerce Affiliate Plugin
Researcher
More Details >

WP01 – Speed, Security, SEO consultant <= 2.6.2 – Authenticated (Subscriber+) Arbitrary File Download

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-2267
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
WP01 – Speed, Security, SEO consultant
Researcher
More Details >

amoCRM WebForm <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-28870
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Plugin Name: amoCRM WebForm
Researcher
More Details >

Bee Layer Slider <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-28879
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Layer Slider
Researcher
More Details >

CC-IMG-Shortcode <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1559
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
CC-IMG-Shortcode
Researcher
More Details >

DethemeKit for Elementor <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1526
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
DethemeKit for Elementor
Researcher
More Details >

Easy Image Display <= 1.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-28919
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Easy Image Display
Researcher
More Details >

Event post <= 5.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-26923
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
Event post
Researcher
More Details >

Featured Image Thumbnail Grid <= 6.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-28918
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Featured Image Thumbnail Grid
Researcher
More Details >

Finale Lite – Sales Countdown Timer & Discount for WooCommerce <= 2.19.0 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Countdown Timer

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12589
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
Finale Lite – Sales Countdown Timer & Discount for WooCommerce
Researcher
More Details >

List Mixcloud <= 1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-28930
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
List Mixcloud
Researcher
More Details >

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.0 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1527
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor)
Researcher
More Details >

Tabbed Login Widget <= 1.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-28929
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Tabbed Login Widget
Researcher
More Details >

WP Recipe Maker <= 9.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1503
Patch Status
Patched
Published
Mar 12, 2025
Affected Software
WP Recipe Maker
Researcher
More Details >

Another Events Calendar <= 1.7.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26536
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Another Events Calendar
Researcher
More Details >

Appsero Helper <= 1.3.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13436
Patch Status
Patched
Published
Mar 10, 2025
Affected Software
Appsero Helper
Researcher
More Details >

CM FAQ – Simplify support with an intuitive FAQ management tool <= 1.2.5 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-2166
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
CM FAQ – Simplify support with an intuitive FAQ management tool
Researcher
More Details >

Featured Posts Grid <= 1.7 – Cross-Site Request Forgery to Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28905
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Featured Posts Grid
Researcher
More Details >

FTP Sync <= 1.1.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28892
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
FTP Sync – Theme, Media & Plugin Files
Researcher
More Details >

GetSocial <= 2.0.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22283
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
GetSocial
Researcher
More Details >

GNUCommerce <= 1.5.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26564
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
GNUCommerce
Researcher
More Details >

GNUPress <= 0.2.9 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26565
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
GNUPress
Researcher
More Details >

Go To Top <= 0.0.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28922
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Go To Top
Researcher
More Details >

Google News Editors Picks Feed Generator <= 2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28860
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Google News Editors Picks Feed Generator
Researcher
More Details >

Hashtags <= 0.3.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28931
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WordPress Hashtags
Researcher
More Details >

In Stock Mailer for WooCommerce <= 2.1.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26566
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
In Stock Mailer for WooCommerce
Researcher
More Details >

Insert Code <= 2.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28932
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Insert Code
Researcher
More Details >

List of Posts from each Category plugin for WordPress <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28894
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
List of Posts from each Category plugin for WordPress
Researcher
More Details >

MaxA/B <= 2.2.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28933
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
MaxA/B
Researcher
More Details >

Members page only for logged in users <= 1.4.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28901
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Members page only for logged in users
Researcher
More Details >

MicroPayments <= 3.1.5 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26579
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet
Researcher
More Details >

No Disposable Email <= 2.5.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28923
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
No Disposable Email
Researcher
More Details >

Picture Gallery <= 1.6.2 – Unauthenticated Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26581
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
Picture Gallery – Frontend Image Uploads, AJAX Photo List
Researcher
More Details >

pixelstats <= 0.8.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-2164
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
pixelstats
Researcher
More Details >

price-calc <= 0.6.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28891
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
price-calc
Researcher
More Details >

ProductDyno <= 1.0.24 – Reflected Cross-Site Scripting via ‘res’ Parameter

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13413
Patch Status
Patched
Published
Mar 10, 2025
Affected Software
ProductDyno
Researcher
More Details >

Rankchecker.io Integration <= 1.0.9 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28857
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Rankchecker.io Integration
Researcher
More Details >

Simple Amazon Affiliate <= 1.0.9 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-2077
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Simple Amazon Affiliate
Researcher
More Details >

TabGarb Pro <= 2.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28900
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
TabGarb Pro
Researcher
More Details >

TBTestimonials <= 1.7.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26584
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
TBTestimonials
Researcher
More Details >

Traveler <= 3.1.8 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-1773
Patch Status
Patched
Published
Mar 14, 2025
Affected Software
Travel Booking WordPress Theme
Researcher
More Details >

Video Share VOD <= 2.7.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26583
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
Video Share VOD – Turnkey Video Site Builder Script
Researcher
More Details >

WATI Chat and Notification <= 1.1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28925
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
WATI Chat and Notification
Researcher
More Details >

WP Compare Tables <= 1.0.5 – Cross-Site Request Forgery

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28883
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP Compare Tables
Researcher
More Details >

WP jQuery Persian Datepicker <= 0.1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28861
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP jQuery Persian Datepicker
Researcher
More Details >

WP Simple Slideshow <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26576
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
WP Simple Slideshow
Researcher
More Details >

Zoorum Comments <= 0.9 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-2163
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
Zoorum Comments
Researcher
More Details >

Civi – Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 – Authentication Bypass via Non-Randomized Password for SSO Accounts

5.6
CVSS Rating
Medium (5.6)
CVE-ID
CVE-2024-13772
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
Civi – Job Board & Freelance Marketplace WordPress Theme
Researcher
More Details >

Awesome Surveys <= 2.0.10 – Authenticated (Editor+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-28878
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Awesome Surveys
Researcher
More Details >

BP Email Assign Templates <= 1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-28875
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
BP Email Assign Templates
Researcher
More Details >

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.2 – Authenticated (Admin+) Server-Side Request Forgery via Webhook

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-13838
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Researcher
More Details >

Custom top bar <= 2.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-28895
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Custom top bar
Researcher
More Details >

Download Manager <= 3.3.08 – Authenticated (Author+) Path Traversal to Limited File Overwrite

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-1785
Patch Status
Patched
Published
Mar 12, 2025
Affected Software
Download Manager
Researcher
More Details >

AS English Admin <= 1.0.0 – Open Redirection

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-28896
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
AS English Admin
Researcher
More Details >

Block Spam By Math Reloaded <= 2.2.4 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-28872
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Block Spam By Math Reloaded
Researcher
More Details >

Business Directory Plugin – Easy Listing Directories for WordPress <= 6.4.14 – Insecure Direct Object Reference to Listing Arbitrary Image Addition

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13887
Patch Status
Patched
Published
Mar 12, 2025
Affected Software
Business Directory Plugin – Easy Listing Directories for WordPress
Researcher
More Details >

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.8.1 – Unauthenticated Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13498
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
NEX-Forms – Ultimate Form Builder – Contact forms and much more
Researcher
More Details >

Resido – Real Estate WordPress Theme <= 3.6 – Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1285
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
Resido – Real Estate WordPress Theme
Researcher
More Details >

Responsive Google Map <= 3.1.5 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-28920
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Responsive Google Map
Researcher
More Details >

SecuPress Free <= 2.2.5.3 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43228
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
SecuPress Free — WordPress Security
Researcher(s): Unknown
More Details >

ShareThis Dashboard for Google Analytics <= 3.2.1 – Missing Authorization to Unauthenticated Feature Deactivation

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1507
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
ShareThis Dashboard for Google Analytics
Researcher
More Details >

VidoRev Extensions <= 2.9.9.9.9.9.5 – Missing Authorization to Unauthenticated Youtube Video Import

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-0955
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
VidoRev Extensions
Researcher
More Details >

WP Crowdfunding <= 2.1.13 – Missing Authorization to Authenticated (Subscriber+) Post Content Download

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1508
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP Crowdfunding
Researcher
More Details >

Portfolio and Projects <= 1.5.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-13847
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
Portfolio and Projects
Researcher
More Details >

Thumbnail carousel slider <= 1.0.4 – Authenticated (Admin+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2019-25222
Patch Status
Patched
Published
Mar 14, 2025
Affected Software
Thumbnail carousel slider
Researcher
More Details >

WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins <= 2.32 – Authenticated (Admin+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-2250
Patch Status
Patched
Published
Mar 12, 2025
Affected Software
WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins
Researcher
More Details >

Accounting for WooCommerce <=1.6.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-26929
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
Accounting for WooCommerce
Researcher
More Details >

binlayerpress <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-2076
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
binlayerpress
Researcher
More Details >

Block Spam By Math Reloaded <= 2.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28871
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Block Spam By Math Reloaded
Researcher
More Details >

BlogBuzzTime-for-wp <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-2078
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
BlogBuzzTime for WP
Researcher
More Details >

DP ALTerminator – Missing ALT manager <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28943
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
DP ALTerminator – Missing ALT manager
Researcher
More Details >

Lava Ajax Search <= 1.1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28937
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Lava Ajax Search
Researcher
More Details >

Lunar <= 1.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28936
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Lunar – Sell photos online
Researcher
More Details >

pipDisqus <= 1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28908
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
pipDisqus – Lightweight Disqus Comments
Researcher
More Details >

Post Read Time <= 1.2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28926
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Post Read Time
Researcher
More Details >

Skitter Slideshow <= 2.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28906
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Skitter Slideshow
Researcher
More Details >

wordpress login form to anywhere <= 0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28914
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
wordpress login form to anywhere
Researcher
More Details >

WP Last Modified <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28907
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP Last Modified
Researcher
More Details >

Back To Top <= 2.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28940
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Back To Top
Researcher
More Details >

Builder for Contact Form 7 by Webconstruct <= 1.2.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28864
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Builder for Contact Form 7 by Webconstruct – Drag & Drop Contact Form Builder
Researcher
More Details >

Comment Date and Gravatar remover <= 1.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28862
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Comment Date and Gravatar remover
Researcher
More Details >

Contact Form 7 Select Box Editor Button <= 0.6 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28902
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Contact Form 7 Select Box Editor Button
Researcher
More Details >

CRM and Lead Management by vcita <= 2.7.1 – Missing Authorization to Authenticated (Susbcriber+) Widget Toggle

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13703
Patch Status
Unpatched
Published
Mar 12, 2025
Affected Software
CRM and Lead Management by vcita
Researcher
More Details >

Custom Dashboard Page <= 1.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28912
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Custom Dashboard Page
Researcher
More Details >

Delete Original Image <= 0.4 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28863
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Delete Original Image
Researcher
More Details >

Display Template Name <= 1.7.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28927
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Display Template Name
Researcher
More Details >

Domain Theme <= 1.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28897
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Domain Theme
Researcher
More Details >

Frontpage category filter <= 1.0.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28867
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Frontpage category filter
Researcher
More Details >

Login Logger <= 1.2.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28866
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Login Logger
Researcher
More Details >

Maintenance Notice <= 1.0.5 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28859
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Maintenance Notice
Researcher
More Details >

Mobile Themes <= 1.1.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28881
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WordPress Mobile Themes
Researcher
More Details >

Omnipress <= 1.5.4 – Authenticated (Contributor+) Post Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13407
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
Omnipress
Researcher
More Details >

Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 – Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13430
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
Page Builder: Pagelayer – Drag and Drop website builder
Researcher
More Details >

Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.9 – Missing Authorization to Authenticated (Contributor+) Post Publication

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-2104
Patch Status
Patched
Published
Mar 12, 2025
Affected Software
Page Builder: Pagelayer – Drag and Drop website builder
Researcher
More Details >

Plugins Last Updated Column <= 0.1.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28887
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
Plugins Last Updated Column
Researcher
More Details >

Qubely – Advanced Gutenberg Blocks <= 1.8.13 – Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13228
Patch Status
Patched
Published
Mar 10, 2025
Affected Software
Qubely – Advanced Gutenberg Blocks
Researcher
More Details >

REST API TO MiniProgram <= 4.7.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28886
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
REST API TO MiniProgram
Researcher
More Details >

School Management System – WPSchoolPress <= 2.2.16 – Missing Authorization to Arbitrary User Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1668
Patch Status
Unpatched
Published
Mar 14, 2025
Affected Software
School Management System – WPSchoolPress
Researcher
More Details >

Search and filter pro <= 2.5.19 – Missing Authorization to Authenticated (Subscriber+) Post Meta Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1528
Patch Status
Patched
Published
Mar 13, 2025
Affected Software
Search & Filter Pro
Researcher
More Details >

Skrill Official <= 1.0.66 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28876
Patch Status
Patched
Published
Mar 11, 2025
Affected Software
Skrill – WooCommerce
Researcher
More Details >

Spam Byebye <= 2.2.4 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28941
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
spam-byebye
Researcher(s): Unknown
More Details >

Tripetto <= 8.0.9 – Cross-Site Request Forgery to Arbitrary Results Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1530
Patch Status
Patched
Published
Mar 14, 2025
Affected Software
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto
Researcher
More Details >

W3Counter Free Real-Time Web Stats <= 4.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28856
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
W3Counter Free Real-Time Web Stats
Researcher
More Details >

WP Add Active Class To Menu Item <= 1.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28913
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP Add Active Class To Menu Item
Researcher
More Details >

WP Bulk Post Duplicator <= 1.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28884
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP Bulk Post Duplicator
Researcher
More Details >

WP Hide Admin Bar <= 2.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28910
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP Hide Admin Bar
Researcher
More Details >

WP No-Bot Question <= 0.1.7 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28909
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP No-Bot Question
Researcher
More Details >

WP Performance Pack <= 2.5.3 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28938
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
WP Performance Pack
Researcher
More Details >

Zegen – Church WordPress Theme <= 1.1.9 – Missing Authorization to Authenticated (Subscriber+) Theme Options Updates

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-2289
Patch Status
Unpatched
Published
Mar 13, 2025
Affected Software
Zegen – Church WordPress Theme
Researcher
More Details >

ZipList Recipe <= 3.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28868
Patch Status
Unpatched
Published
Mar 11, 2025
Affected Software
ZipList Recipe Plugin
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 10, 2025 to March 16, 2025) appeared first on Wordfence.

Leave a Comment