Wordfence Intelligence Weekly WordPress Vulnerability Report (March 17, 2025 to March 23, 2025)

by

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 111 vulnerabilities disclosed in 94 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 24,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 37
Unpatched 74

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 2
Medium Severity 78
High Severity 18
Critical Severity 13

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 62
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 8
Missing Authorization 8
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 7
Cross-Site Request Forgery (CSRF) 4
Deserialization of Untrusted Data 4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 4
Server-Side Request Forgery (SSRF) 3
External Control of File Name or Path 2
Unrestricted Upload of File with Dangerous Type 2
Authentication Bypass Using an Alternate Path or Channel 1
Authorization Bypass Through User-Controlled Key 1
Exposure of Sensitive Information to an Unauthorized Actor 1
Improper Control of Generation of Code (‘Code Injection’) 1
Improper Input Validation 1
Use of a Broken or Risky Cryptographic Algorithm 1
Weak Password Recovery Mechanism for Forgotten Password 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
30
8
8
8
5
4
4
4
3
3
3
3
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
140+ Widgets | Xpro Addons For Elementor – FREE xpro-elementor-addons
Ads24 Lite – Ultimate WP Ads Manager Plugin wp-ad-management
Age Gate age-gate
AHAthat Plugin ahathat
AppReview appreview
Are you robot google recaptcha for wordpress are-you-robot-recaptcha
AuMenu aumenu
Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop woo-altcoin-payment-gateway
Bitspecter Suite bitspecter-suite
Block Logic – Full Gutenberg Block Display Control block-logic
BoomBox Theme Extensions boombox-theme-extensions
CG Button content-glass-button
CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts cits-support-svg-webp-media-upload
Code Clone code-clone
Cookies Pro cookies-pro
CryoKey cryokey
Custom Field List Widget custom-field-list-widget
Custom Smilies custom-smilies-se
Custom Twitter Feeds – A Tweets Widget or X Feed Widget custom-twitter-feeds
custom-post-edit front-end-post-edit
Display Post Meta display-post-meta
Docpro docpro
Easy Custom Admin Bar easy-custom-admin-bar
En Masse WordPress en-masse-wp
Event Manager, Events Calendar, Tickets, Registrations – Eventin wp-event-solution
Export and Import Users and Customers users-customers-import-export-for-wp-woocommerce
FancyBox fancy-box
File Away file-away
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder fluentform
FOMO Pay Chinese Payment Solution fomo-payment-gateway-for-woocommerce
Formality formality
Frontend Post Submission frontend-post-submission
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce wp-marketing-automations
GDPR Tools gdpr-tools
GetShop ecommerce getshop-ecommerce
GiveWP – Donation Plugin and Fundraising Platform give
GlobalPayments WooCommerce global-payments-woocommerce
Google Plus google-plus-google
Gotcha | Gesture-based Captcha gotcha-gesture-based-captcha
HT Mega – Absolute Addons For Elementor ht-mega-for-elementor
Improve My City improve-my-city
Infugrator – Infusionsoft + WordPress infugrator
Instant Appointment instant-appointment
Já-Já Pagamentos for WooCommerce – Payment with MULTICAIXA Express wc-ja-ja-pagamentos-multicaixa-express
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes lifterlms
LinkedIn Lite linkedin-lite
LIVE TV live-tv
Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation gs-logo-slider
Management-screen-droptiles cxc-sawa
MemberSpace – Membership Plugin and Paid Subscriptions memberspace
Motors – Car Dealership & Classified Listings Plugin motors-car-dealership-classified-listings
Multi Video Box multi-video-box
Narnoo Operator narnoo-shortcodes
Newsletters newsletters-lite
NP Quote Request for WooCommerce woo-rfq-for-woocommerce
NS Simple Intro Loader ns-simple-intro-loader
Off Page SEO off-page-seo
Order Export & Order Import for WooCommerce order-import-export-for-woocommerce
Pixobe Cartography pixobe-cartography
Product Puller product-puller
ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities
Random Quotes random-quotes
RDP inGroups+ rdp-ingroups
RDP Linkedin Login rdp-linkedin-login
Rizzi Guestbook rizzi-guestbook
RWS Enquiry And Lead Follow-up rws-enquiry
s2Member Pro s2member-pro
Schedule schedule
Secure Invites wordpress-mu-secure-invites
Service Finder Bookings sf-booking
Simple Post Series simple-post-series
Site Editor Google Map – with drag and drop site-editor-google-map
Sleekplan – User Feedback, Roadmap & Changelog sleekplan
Snow Storm snow-storm
SpatialMatch IDX spatialmatch-free-lifestyle-search
Stencies stencies
SUPER RESPONSIVE SLIDER super-slider
ULTIMATE VIDEO GALLERY ultimate-gallery
UTM tags + Landing page + “gclid” tracking for Contact Form 7 cf7-utm-tracking
WooCommerce Multivendor Marketplace – REST API wcfm-marketplace-rest-api
WordPress Theme Demo Bar wordpress-theme-demo-bar
WP Azure offload wp-azure-offload
WP Contact Form III wp-contact-form-iii
WP Database Audit database-audit
WP Email Delivery wp-email-delivery
WP Ghost (Hide My WP Ghost) – Security & Firewall hide-my-wp
WP Google Calendar Manager – Google Calendar Plugin wp-gcalendar
Your Friendly Drag and Drop Page Builder — Make Builder make-builder
Your Lightbox your-lightbox
Zalo Live Chat zalo-live-chat
ZD Scribd iPaper zd-scribd-ipaper
ZenphotoPress zenphotopress
ZhinaTwitterWidget zhina-twitter-widget
Zielke Design Project Gallery zielke-design-project-gallery

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Altair altair
CozyStay – Hotel Booking WordPress Theme cozystay
FoodBakery | Delivery Restaurant Directory WordPress Theme wp-foodbakery
MinimogWP – The High Converting eCommerce WordPress Theme minimog
TinySalt – Personal Food Blog WordPress Theme tinysalt

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Age Gate <= 3.5.3 – Unauthenticated Local PHP File Inclusion via ‘lang’

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-2505
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
Age Gate
Researcher
More Details >

Altair <= 5.2.4 – Unauthenticated Arbitrary Options Update via pp_import_current

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-12922
Patch Status
Patched
Published
Mar 18, 2025
Affected Software
Altair
Researcher
More Details >

CozyStay <= 1.7.0 and TinySalt <= 3.9.0 – Unauthenticated PHP Object Injection in ajax_handler

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-13410
Patch Status
Patched
Published
Mar 18, 2025
Affected Software
CozyStay – Hotel Booking WordPress Theme
TinySalt – Personal Food Blog WordPress Theme
Researcher
More Details >

Custom Field List Widget <= 1.5.1 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-23952
Patch Status
Unpatched
Published
Mar 17, 2025
Affected Software
Custom Field List Widget
Researcher
More Details >

Docpro <= 2.0.1 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-28916
Patch Status
Unpatched
Published
Mar 23, 2025
Affected Software
Docpro
Researcher
More Details >

File Away <= 3.9.9.0.1 – Missing Authorization to Unauthenticated File Upload via upload Function

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-2512
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
File Away
Researcher
More Details >

Formality <= 1.5.7 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-24690
Patch Status
Patched
Published
Mar 17, 2025
Affected Software
Formality
Researcher
More Details >

GetShop ecommerce <= 1.3 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-54362
Patch Status
Unpatched
Published
Mar 17, 2025
Affected Software
GetShop ecommerce
Researcher
More Details >

Hide My WP Ghost <= 5.4.01 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-26909
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
WP Ghost (Hide My WP Ghost) – Security & Firewall
Researcher
More Details >

Instant Appointment <= 1.2 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
Unknown
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
Instant Appointment
Researcher
More Details >

LinkedIn Lite <= 1.0 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-23937
Patch Status
Unpatched
Published
Mar 17, 2025
Affected Software
LinkedIn Lite
Researcher
More Details >

MinimogWP – The High Converting eCommerce WordPress Theme <= 3.7.0 – Unauthenticated Local PHP File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-13790
Patch Status
Patched
Published
Mar 18, 2025
Affected Software
MinimogWP – The High Converting eCommerce WordPress Theme
Researcher
More Details >

Service Finder Bookings <= 5.0 – Unauthenticated Privilege Escalation via Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-13442
Patch Status
Patched
Published
Mar 18, 2025
Affected Software
Service Finder Bookings
Researcher
More Details >

Block Logic <= 1.0.8 – Authenticated (Contributor+) Remote Code Execution

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-2303
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
Block Logic – Full Gutenberg Block Display Control
Researcher
More Details >

BoomBox Theme Extensions <= 1.8.0 – Authenticated (Subscriber+) Privilege Escalation via Password Reset/Account Takeover in boombox_ajax_reset_password

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-12295
Patch Status
Patched
Published
Mar 18, 2025
Affected Software
BoomBox Theme Extensions
Researcher
More Details >

Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-1770
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
Event Manager, Events Calendar, Tickets, Registrations – Eventin
Researcher
More Details >

FoodBakery | Delivery Restaurant Directory WordPress Theme <= 4.7 – Cross-Site Request Forgery in Multiple Functions

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-13933
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
FoodBakery | Delivery Restaurant Directory WordPress Theme
Researcher
More Details >

FoodBakery | Delivery Restaurant Directory WordPress Theme <= 4.7 – Missing Authorization in Multiple Functions

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-12920
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
FoodBakery | Delivery Restaurant Directory WordPress Theme
Researcher
More Details >

ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.5 – Authenticated (Subscriber+) PHP Object Injection

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-0724
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher
More Details >

s2Member Pro <= 250214 – Authenticated (Contributor+) Local File Inclusion to Remote Code Execution via Shortcode

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-12563
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
s2Member Pro
Researcher
More Details >

Export and Import Users and Customers <= 2.6.2 – Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function

7.6
CVSS Rating
High (7.6)
CVE-ID
CVE-2025-1970
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Export and Import Users and Customers
Researcher
More Details >

Order Export & Order Import for WooCommerce <= 2.6.0 – Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function

7.6
CVSS Rating
High (7.6)
CVE-ID
CVE-2024-13923
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
Order Export & Order Import for WooCommerce
Researcher
More Details >

CozyStay <= 1.7.0 – Missing Authorization to Arbitrary Action Execution in ajax_handler

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13412
Patch Status
Patched
Published
Mar 18, 2025
Affected Software
CozyStay – Hotel Booking WordPress Theme
Researcher
More Details >

File Away <= 3.9.9.0.1 – Missing Authorization to Unauthenticated Arbitrary File Read

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-2539
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
File Away
Researcher
More Details >

NP Quote Request for WooCommerce <= 1.9.179 – Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13558
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
NP Quote Request for WooCommerce
Researcher
More Details >

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.1 – Unauthenticated SQL Injection via ‘automationId’

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-2186
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Researcher
More Details >

Schedule <= 1.0.0 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-22523
Patch Status
Unpatched
Published
Mar 17, 2025
Affected Software
Schedule
Researcher
More Details >

Logo Slider <= 3.7.3 – Unauthenticated Arbitrary Shortcode Execution

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2025-2262
Patch Status
Patched
Published
Mar 17, 2025
Affected Software
Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Researcher
More Details >

Export and Import Users and Customers <= 2.6.2 – Authenticated (Admin+) PHP Object Injection via form_data Parameter

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-1971
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Export and Import Users and Customers
Researcher
More Details >

Improve My City <= 1.6 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-22501
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
Improve My City
Researcher
More Details >

Order Export & Order Import for WooCommerce <= 2.6.0 – Authenticated (Admin+) PHP Object Injection via form_data Parameter

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13921
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
Order Export & Order Import for WooCommerce
Researcher
More Details >

ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.7 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-0723
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher
More Details >

WooCommerce Multivendor Marketplace – REST API <= 1.6.2 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-1311
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
WooCommerce Multivendor Marketplace – REST API
Researcher
More Details >

WP Google Calendar Manager <= 2.1 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-28939
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
WP Google Calendar Manager – Google Calendar Plugin
Researcher
More Details >

140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Site Title’ widget

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-2108
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
140+ Widgets | Xpro Addons For Elementor – FREE
Researcher
More Details >

Bitspecter Suite <= 1.0.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-2577
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Bitspecter Suite
Researcher
More Details >

GDPR Tools <= 1.0.2 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-26537
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
GDPR Tools
Researcher
More Details >

HT Mega – Absolute Addons For Elementor <= 2.8.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1802
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
HT Mega – Absolute Addons For Elementor
Researcher
More Details >

Make Builder <= 1.1.10 – Authenticated (Subscriber+) Server-Side Request Forgery via make_builder_ajax_subscribe Function

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13856
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Your Friendly Drag and Drop Page Builder — Make Builder
Researcher
More Details >

Ads24 Lite <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23458
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
Ads24 Lite – Ultimate WP Ads Manager Plugin
Researcher
More Details >

AppReview <= 0.2.9 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23714
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
AppReview
Researcher
More Details >

Are you robot google recaptcha for wordpress <= 2.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28928
Patch Status
Unpatched
Published
Mar 22, 2025
Affected Software
Are you robot google recaptcha for wordpress
Researcher
More Details >

AuMenu <= 1.1.5 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23728
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
AuMenu
Researcher
More Details >

Bitcoin / AltCoin Payment Gateway for WooCommerce <= 1.7.6 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26541
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
Researcher
More Details >

CG Button <= 1.0.5.6 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23632
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
CG Button
Researcher
More Details >

Cookies Pro <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26546
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
Cookies Pro
Researcher
More Details >

Custom Smilies <= 2.9.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28917
Patch Status
Unpatched
Published
Mar 23, 2025
Affected Software
Custom Smilies
Researcher
More Details >

custom-post-edit <= 1.0.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23667
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
custom-post-edit
Researcher
More Details >

Display Post Meta <= 2.4.4 -Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26575
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
Display Post Meta
Researcher
More Details >

Easy Custom Admin Bar <= 1.0 – Reflected Cross-Site Scripting via msg Parameter

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-2479
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
Easy Custom Admin Bar
Researcher
More Details >

En Masse <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23707
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
En Masse WordPress
Researcher
More Details >

FancyBox <= 1.0.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28935
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
FancyBox
Researcher
More Details >

FOMO Pay Chinese Payment Solution <= 2.0.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23543
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
FOMO Pay Chinese Payment Solution
Researcher
More Details >

Frontend Post Submission <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23638
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
Frontend Post Submission
Researcher
More Details >

GlobalPayments WooCommerce <= 1.12.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22767
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
GlobalPayments WooCommerce
Researcher
More Details >

Google Plus <= 1.0.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23964
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
Google Plus
Researcher
More Details >

Gotcha | Gesture-based Captcha <= 1.0.0 – Reflected Cross-Site Scripting via menu Parameter

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-2482
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
Gotcha | Gesture-based Captcha
Researcher
More Details >

Infugrator <= 1.0.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23735
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
Infugrator – Infusionsoft + WordPress
Researcher
More Details >

Já-Já Pagamentos for WooCommerce <= 1.3.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-51624
Patch Status
Unpatched
Published
Mar 17, 2025
Affected Software
Já-Já Pagamentos for WooCommerce – Payment with MULTICAIXA Express
Researcher
More Details >

LIVE TV <= 1.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23608
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
LIVE TV
Researcher
More Details >

Management-screen-droptiles <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23666
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
Management-screen-droptiles
Researcher
More Details >

MemberSpace <= 2.1.13 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26874
Patch Status
Patched
Published
Mar 20, 2025
Affected Software
MemberSpace – Membership Plugin and Paid Subscriptions
Researcher
More Details >

Multi Video Box <= 1.5.2 – Reflected Cross-Site Scripting via video_id and group_id Parameters

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-2484
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
Multi Video Box
Researcher
More Details >

Narnoo Operator <= 2.0.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23680
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
Narnoo Operator
Researcher
More Details >

Newsletters <= 4.9.9.7 – Reflected Cross-Site Scripting via To Parameter

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13739
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Newsletters
Researcher
More Details >

NS Simple Intro Loader <= 2.2.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23459
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
NS Simple Intro Loader
Researcher
More Details >

Off Page SEO <= 3.0.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23554
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
Off Page SEO
Researcher
More Details >

Pixobe Cartography <= 1.0.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23612
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
Pixobe Cartography
Researcher
More Details >

Product Puller <= 1.5.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23550
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
Product Puller
Researcher
More Details >

Random Quotes <= 1.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-27267
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
Random Quotes
Researcher
More Details >

RDP inGroups+ <= 1.0.6 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23546
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
RDP inGroups+
Researcher
More Details >

RDP Linkedin Login <= 1.7.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23542
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
RDP Linkedin Login
Researcher
More Details >

Rizzi Guestbook <= 4.0.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26573
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
Rizzi Guestbook
Researcher
More Details >

RWS Enquiry And Lead Follow-up <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23460
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
RWS Enquiry And Lead Follow-up
Researcher
More Details >

Secure Invites <= 1.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26559
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
Secure Invites
Researcher
More Details >

Simple Post Series <= 2.4.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28934
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
Simple Post Series
Researcher
More Details >

Site Editor Google Map <= 1.0.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23466
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
Site Editor Google Map – with drag and drop
Researcher
More Details >

Sleekplan <= 0.2.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23469
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
Sleekplan – User Feedback, Roadmap & Changelog
Researcher
More Details >

SpatialMatch IDX <= 3.0.9 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28921
Patch Status
Unpatched
Published
Mar 23, 2025
Affected Software
SpatialMatch IDX
Researcher
More Details >

Stencies <= 0.58 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22356
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
Stencies
Researcher
More Details >

SUPER RESPONSIVE SLIDER <= 1.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22575
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
SUPER RESPONSIVE SLIDER
Researcher
More Details >

Theme Demo Bar <= 1.6.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25134
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
WordPress Theme Demo Bar
Researcher
More Details >

ULTIMATE VIDEO GALLERY <= 1.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22566
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
ULTIMATE VIDEO GALLERY
Researcher
More Details >

UTM tags tracking for Contact Form 7 <= 2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26544
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
UTM tags + Landing page + “gclid” tracking for Contact Form 7
Researcher
More Details >

WP Azure offload <= 2.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22360
Patch Status
Unpatched
Published
Mar 17, 2025
Affected Software
WP Azure offload
Researcher
More Details >

WP Contact Form III <= 1.6.2d – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26560
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
WP Contact Form III
Researcher
More Details >

WP Database Audit <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23633
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
WP Database Audit
Researcher
More Details >

WP Email Delivery <= 1.20.11.23 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
Unknown
Patch Status
Unpatched
Published
Mar 17, 2025
Affected Software
WP Email Delivery
Researcher
More Details >

Your Lightbox <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23704
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
Your Lightbox
Researcher
More Details >

Zalo Live Chat <= 1.1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26542
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
Zalo Live Chat
Researcher
More Details >

ZD Scribd iPaper <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23757
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
ZD Scribd iPaper
Researcher
More Details >

ZenphotoPress <= 1.8 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28924
Patch Status
Unpatched
Published
Mar 22, 2025
Affected Software
ZenphotoPress
Researcher
More Details >

ZhinaTwitterWidget <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23719
Patch Status
Unpatched
Published
Mar 20, 2025
Affected Software
ZhinaTwitterWidget
Researcher
More Details >

Zielke Design Project Gallery <= 2.5.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23705
Patch Status
Unpatched
Published
Mar 19, 2025
Affected Software
Zielke Design Project Gallery
Researcher
More Details >

Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 – Missing Authorization to Unauthenticated Payment Status Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1766
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
Event Manager, Events Calendar, Tickets, Registrations – Eventin
Researcher
More Details >

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 5.2.12 – IP-Spoofing

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13666
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Researcher
More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1 – Authenticated (Subscriber+) Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-2331
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
GiveWP – Donation Plugin and Fundraising Platform
Researcher
More Details >

LifterLMS <= 8.0.1 – Missing Authorization to Unauthenticated Post Trashing

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-2290
Patch Status
Patched
Published
Mar 18, 2025
Affected Software
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Researcher
More Details >

AHAthat Plugin <= 1.6 – Authenticated (Administrator+) SQL Injection via id Parameter

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-2511
Patch Status
Unpatched
Published
Mar 18, 2025
Affected Software
AHAthat Plugin
Researcher
More Details >

Code Clone <= 0.9 – Authenticated (Administrator+) SQL Injection via snippetId Parameter

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-2478
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
Code Clone
Researcher
More Details >

Export and Import Users and Customers <= 2.6.2 – Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-1973
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Export and Import Users and Customers
Researcher
More Details >

Order Export & Order Import for WooCommerce <= 2.6.0 – Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-13920
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
Order Export & Order Import for WooCommerce
Researcher
More Details >

CryoKey <= 2.4 – Reflected Cross-Site Scripting via ‘ckemail’ Parameter

4.7
CVSS Rating
Medium (4.7)
CVE-ID
CVE-2025-2477
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
CryoKey
Researcher
More Details >

Snow Storm <= 1.4.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
Unknown
Patch Status
Patched
Published
Mar 18, 2025
Affected Software
Snow Storm
Researcher(s): Unknown
More Details >

CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 – Cross-Site Request Forgery to Font Assignment Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13768
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts
Researcher
More Details >

CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-0807
Patch Status
Unpatched
Published
Mar 21, 2025
Affected Software
CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts
Researcher
More Details >

Custom Twitter Feeds <= 2.2.5 – Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1314
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Researcher
More Details >

Motors – Car Dealer, Classifieds & Listing <= 1.4.57 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Listing Template Creation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13737
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Motors – Car Dealership & Classified Listings Plugin
Researcher
More Details >

ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.4 – Missing Authorinzation to Authenticated (Subscriber+) Join Group Requests Management

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1408
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher
More Details >

Export and Import Users and Customers <= 2.6.2 – Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function

2.7
CVSS Rating
Low (2.7)
CVE-ID
CVE-2025-1972
Patch Status
Patched
Published
Mar 21, 2025
Affected Software
Export and Import Users and Customers
Researcher
More Details >

Order Export & Order Import for WooCommerce <= 2.6.0 – Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function

2.7
CVSS Rating
Low (2.7)
CVE-ID
CVE-2024-13922
Patch Status
Patched
Published
Mar 19, 2025
Affected Software
Order Export & Order Import for WooCommerce
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 17, 2025 to March 23, 2025) appeared first on Wordfence.

Leave a Comment