Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025)


📢 In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.  


Last week, there were 75 vulnerabilities disclosed in 63 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 26,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Patched | 35
Unpatched | 40

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Medium Severity | 58
High Severity | 13
Critical Severity | 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 31
Missing Authorization | 14
Cross-Site Request Forgery (CSRF) | 7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5
Authorization Bypass Through User-Controlled Key | 3
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3
Exposure of Sensitive Information to an Unauthorized Actor | 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2
Improper Control of Generation of Code (‘Code Injection’) | 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2
Improper Authorization | 1
Improper Privilege Management | 1
Server-Side Request Forgery (SSRF) | 1
Unrestricted Upload of File with Dangerous Type | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Counts per researcher (names not captured in this copy): 8, 7, 6, 6, 5, 4, 3, 3, 3, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
A/B Testing, Popups, Website Personalization, Email Popup, Exit Intent Pop Up, Upsell Pop Up – Personizely | personizely
Abundatrade Plugin | abundatrade-plugin
Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager | ap-plugin-scripteo
Advance Seat Reservation Management for WooCommerce | scw-seat-reservation
Advanced Reorder Image Text Slider | advanced-reorder-image-text-slider
Alink Tap | alink-tap
AM LottiePlayer | am-lottieplayer
April Framework | april-framework
Auteur Framework | g5plus-auteur
Benaa Framework | benaa-framework
Beyot Framework | beyot-framework
BP Messages Tool | bp-messages-tool
Buddyboss Platform | buddyboss-platform
Category Widget | category-widget
Crossword Compiler Puzzles | crossword-compiler-puzzles
Custom Login and Registration | ms-registration
Custom PC Builder Lite for WooCommerce | custom-pc-builder-lite-for-woocommerce
Database Toolset | database-toolset
EC Authorize.net | ec-authorizenet
Flynax Bridge | flynax-bridge
Formality | formality
FULL – Cliente | full-customer
GmapsMania | gmapsmania
Gravity Forms WebHooks | gravityformswebhooks
Gutenverse – Ultimate Block Addons and Page Builder for Site Editor | gutenverse
IGIT Related Posts With Thumb Image After Posts | igit-related-posts-with-thumb-images-after-posts
Job Listings | job-listings
KiwiChat NextClient | kiwichat
kStats Reloaded | kstats-reloaded
List Children | list-children
Meta Keywords & Description | wp-meta-keywords-meta-description
MStore API – Create Native Android & iOS Apps On The Cloud | mstore-api
Nautic Pages | nautic-pages
occupancyplan | occupancyplan
OTP-less one tap Sign in | otpless
OttoKit: All-in-One Automation Platform (Formerly SureTriggers) | suretriggers
Page View Count | page-views-count
Product Category Slider for WooCommerce | woo-category-slider-by-pluginever
Projectopia – WordPress Project Management | projectopia-core
Remote Images Grabber | remote-images-grabber
Section Widget | section-widget
SecuPress Free — WordPress Security | secupress
Seraphinite Accelerator | seraphinite-accelerator
Subpage List | subpage-view
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity | surveyjs
Syndicate Out | syndicate-out
tagDiv Composer | td-composer
tagDiv Opt-In Builder | td-subscription
Taxonomy Chain Menu | taxonomy-chain-menu
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder | wps-team
Theme Blvd Sliders | theme-blvd-sliders
Total Donations | total-donations
Total processing card payments for WooCommerce | totalprocessing-card-payments
Ultimate Auction Pro | ultimate-woocommerce-auction-pro
Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder | ultimate-store-kit
VerticalResponse Newsletter Widget | vertical-response-newsletter-widget
Visual Builder | visual-builder
Web3Press – Decentralize Publishing with Writing NFT | likecoin
WordPress Simple Shopping Cart | wordpress-simple-paypal-shopping-cart
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin | wp-statistics
WPML | sitepress-multilingual-cms
Xavin’s Review Ratings | xavins-review-ratings
Yame | Link In Bio | yame-linkinbio

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
Boot Store | boot-store
Homey | homey
KLEO – Community Focused & Multi-Purpose BuddyPress WordPress Theme | kleo
Motors – Car Dealer, Rental & Listing WordPress theme | motors
NewsBlogger | newsblogger

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

CVE-ID | CVSS Rating | Patch Status | Published | Affected Software
CVE-2025-3918 | Critical (9.8) | Unpatched | May 2, 2025 | Job Listings
CVE-2025-46454 | Critical (9.8) | Unpatched | Apr 28, 2025 | Meta Keywords & Description
CVE-2025-3746 | Critical (9.8) | Unpatched | May 1, 2025 | OTP-less one tap Sign in
CVE-2025-1304 | High (8.8) | Patched | Apr 30, 2025 | NewsBlogger
CVE-2025-1305 | High (8.8) | Patched | Apr 30, 2025 | NewsBlogger
CVE-2025-39364 | High (8.8) | Patched | May 2, 2025 |
CVE-2024-13418 | High (8.8) | Unpatched | May 1, 2025 |
CVE-2025-2816 | High (8.1) | Patched | Apr 30, 2025 | Page View Count
CVE-2024-13344 | High (7.5) | Patched | May 1, 2025 |
CVE-2025-4204 | High (7.5) | Patched | May 1, 2025 | Ultimate Auction Pro
CVE-2025-4179 | High (7.3) | Unpatched | May 1, 2025 | Flynax Bridge
CVE-2025-43836 | High (7.2) | Unpatched | Apr 29, 2025 | Syndicate Out
CVE-2025-43837 | High (7.2) | Unpatched | Apr 29, 2025 | Total Donations
CVE-2024-12023 | Medium (6.5) | Patched | May 1, 2025 | FULL – Cliente
CVE-2025-2890 | Medium (6.5) | Patched | Apr 29, 2025 | tagDiv Opt-In Builder
CVE-2025-46527 | Medium (6.5) | Patched | May 2, 2025 |
CVE-2025-3874 | Medium (6.5) | Patched | Apr 30, 2025 | WordPress Simple Shopping Cart
CVE-2025-1529 | Medium (6.4) | Patched | Apr 30, 2025 | AM LottiePlayer
CVE-2024-13860 | Medium (6.4) | Unpatched | May 1, 2025 | Buddyboss Platform
CVE-2024-13859 | Medium (6.4) | Unpatched | May 1, 2025 | Buddyboss Platform
CVE-2024-13858 | Medium (6.4) | Unpatched | May 1, 2025 | Buddyboss Platform
CVE-2025-46493 | Medium (6.4) | Unpatched | May 2, 2025 | Crossword Compiler Puzzles
CVE-2025-39363 | Medium (6.4) | Unpatched | May 2, 2025 |
CVE-2025-3858 | Medium (6.4) | Patched | May 1, 2025 | Formality
CVE-2025-4131 | Medium (6.4) | Unpatched | May 1, 2025 | GmapsMania
CVE-2025-46518 | Medium (6.4) | Unpatched | May 2, 2025 |
CVE-2025-3670 | Medium (6.4) | Unpatched | May 1, 2025 | KiwiChat NextClient
CVE-2025-4099 | Medium (6.4) | Patched | Apr 30, 2025 | List Children
CVE-2025-4100 | Medium (6.4) | Unpatched | Apr 30, 2025 | Nautic Pages
CVE-2025-4168 | Medium (6.4) | Unpatched | May 2, 2025 | Subpage List
CVE-2025-3510 | Medium (6.4) | Patched | May 1, 2025 | tagDiv Composer
CVE-2025-3748 | Medium (6.4) | Patched | May 1, 2025 | Taxonomy Chain Menu
CVE-2025-4172 | Medium (6.4) | Unpatched | May 2, 2025 |
CVE-2025-3890 | Medium (6.4) | Patched | Apr 30, 2025 | WordPress Simple Shopping Cart
CVE-2025-3488 | Medium (6.4) | Patched | May 1, 2025 | WPML
CVE-2025-4170 | Medium (6.4) | Unpatched | May 2, 2025 | Xavin’s Review Ratings
CVE-2025-4199 | Medium (6.1) | Unpatched | May 2, 2025 | Abundatrade Plugin
CVE-2025-4188 | Medium (6.1) | Unpatched | May 2, 2025 |
CVE-2025-4198 | Medium (6.1) | Unpatched | May 2, 2025 | Alink Tap
CVE-2015-4582 | Medium (6.1) | Unpatched | Apr 28, 2025 | Boot Store (Researcher(s): Unknown)
CVE-2025-43839 | Medium (6.1) | Patched | Apr 29, 2025 | BP Messages Tool
CVE-2025-46515 | Medium (6.1) | Unpatched | May 2, 2025 | Category Widget
CVE-2025-46487 | Medium (6.1) | Unpatched | May 2, 2025 | EC Authorize.net
CVE-2025-46440 | Medium (6.1) | Unpatched | May 2, 2025 | kStats Reloaded
CVE-2025-4434 | Medium (6.1) | Unpatched | Apr 30, 2025 | Remote Images Grabber
CVE-2025-46537 | Medium (6.1) | Unpatched | May 2, 2025 | Section Widget
CVE-2025-46456 | Medium (6.1) | Unpatched | May 2, 2025 | Theme Blvd Sliders
CVE-2025-4222 | Medium (5.9) | Unpatched | May 2, 2025 | Database Toolset
CVE-2024-13845 | Medium (5.5) | Patched | Apr 30, 2025 | Gravity Forms WebHooks
CVE-2025-43838 | Medium (5.3) | Unpatched | Apr 29, 2025 |
CVE-2025-4177 | Medium (5.3) | Unpatched | May 1, 2025 | Flynax Bridge
CVE-2025-39367 | Medium (5.3) | Patched | Apr 29, 2025 |
CVE-2025-46441 | Medium (5.3) | Unpatched | Apr 30, 2025 | Section Widget
CVE-2025-46488 | Medium (5.3) | Unpatched | May 2, 2025 | Visual Builder
CVE-2025-3889 | Medium (5.3) | Patched | Apr 30, 2025 | WordPress Simple Shopping Cart
CVE-2025-2880 | Medium (5.3) | Unpatched | May 1, 2025 | Yame | Link In Bio
CVE-2025-46486 | Medium (4.9) | Unpatched | May 2, 2025 |
CVE-2025-1327 | Medium (4.3) | Patched | May 1, 2025 | Homey
CVE-2025-1326 | Medium (4.3) | Patched | May 1, 2025 | Homey
CVE-2025-46458 | Medium (4.3) | Unpatched | May 2, 2025 | occupancyplan
CVE-2025-3452 | Medium (4.3) | Patched | Apr 28, 2025 |
Unknown | Medium (4.3) | Patched | Apr 29, 2025 | Seraphinite Accelerator
CVE-2024-13420 | Medium (4.3) | Unpatched | May 1, 2025 |

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.


The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) appeared first on Wordfence.
