Wordfence Intelligence Weekly WordPress Vulnerability Report (May 12, 2025 to May 18, 2025)

by

📢 In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.  

Last week, there were 132 vulnerabilities disclosed in 110 WordPress Plugins and 9 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 48 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 26,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our PremiumCare, and Response customers last week:

Wordfence PremiumCare, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 38
Unpatched 94

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 96
High Severity 24
Critical Severity 12

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Missing Authorization 30
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 25
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 18
Cross-Site Request Forgery (CSRF) 15
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 7
Unrestricted Upload of File with Dangerous Type 7
Deserialization of Untrusted Data 6
Exposure of Sensitive Information to an Unauthorized Actor 5
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 5
Authorization Bypass Through User-Controlled Key 4
Improper Control of Generation of Code (‘Code Injection’) 4
Improper Authorization 2
External Control of File Name or Path 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 1
Incorrect Authorization 1
Server-Side Request Forgery (SSRF) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
23
16
8
7
7
6
5
5
4
4
2
2
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
6Storage Rentals 6storage-rentals
Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager ap-plugin-scripteo
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic all-in-one-seo-pack
AlT Monitoring alt-monitoring
Apollo lbg-audio7_html5_full_width_sticky_pro
Aptivada for WP aptivada-for-wp
Arconix Shortcodes arconix-shortcodes
Audio Comments Plugin audio-comments
B2i Investor Tools b2i-investor-tools
BERTHA AI. Your AI co-pilot for WordPress and Chrome bertha-ai-free
BNS Twitter Follow Button bns-twitter-follow-button
Bold Page Builder bold-page-builder
Bon Toolkit bon-toolkit
Broadstreet broadstreet
Chameleon HTML5 Audio Player With/Without Playlist lbg-audio1-html5
Crawlomatic Multipage Scraper Post Generator crawlomatic-multipage-scraper-post-generator
CSS3 Accordions for WordPress css3_accordions
CSS3 Tooltips for WordPress css3_tooltips
CURCY – WooCommerce Multi Currency – Currency Switcher woocommerce-multi-currency
Dokan Pro dokan-pro
Dot html,php,xml etc pages dot-htmlphpxml-etc-pages
Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms
Easiest Funnel Builder For WordPress & WooCommerce, Specialized For Digital Creators – WPFunnels wpfunnels
Echo RSS Feed Post Generator rss-feed-post-generator-echo
EG-Series eg-series
Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin bdthemes-element-pack
Estatik Mortgage Calculator estatik-mortgage-calculator
Eventer eventer
EventON (Pro) – WordPress Virtual Event Calendar Plugin eventON
EventON – Events Calendar eventon-lite
Experto CTA Widget – Call To Action, Sticky CTA, Floating Button Plugin experto-cta-widget
Facturante – Facturación Electrónica facturante
FAT Services Booking fat-services-booking
File Manager Advanced Shortcode file-manager-advanced-shortcode
File Manager Advanced Shortcode advanced-file-manager-pro-premium
Front End Users front-end-only-users
Frontend Dashboard frontend-dashboard
Import Export For WooCommerce import-export-for-woocommerce
Interview interview
Jetpack Debug Helper jetpack-debug-helper
Jupiter X Core jupiterx-core
LatePoint – Calendar Booking Plugin for Appointments and Events latepoint
Magic Responsive Slider and Carousel WordPress magic-carousel
MapSVG mapsvg
MapSVG – Vector maps, Image maps, Google Maps mapsvg-lite-interactive-vector-maps
Multimedia Responsive Carousel with Image Video Audio Support multimedia-carousel
MultiVendorX – WooCommerce Multivendor Marketplace Solutions dc-woocommerce-multi-vendor
Nasa Core nasa-core
Newsletters newsletters-lite
Ninja Forms Webhooks ninja-forms-webhooks
Ninja Tables Pro ninja-tables-pro
Opal Woo Custom Product Variation opal-woo-custom-product-variation
PeepSo Core: File Uploads peepso-files
Pinterest Automatic wp-pinterest-automatic
Pixel WordPress Form BuilderPlugin & Autoresponder pixel-formbuilder
Posts per Cat posts-per-cat
Printcart Web to Print Product Designer for WooCommerce printcart-integration
ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities
Push notification for Mobile and Web app push-notification-mobile-and-web-app
QuickCal quickcal
Radio Player Shoutcast & Icecast WordPress Plugin audio4-html5
Rankie – WordPress Rank Tracker Plugin valvepress-rankie
Relevanssi – A Better Search relevanssi
Relevanssi – A Better Search (Pro) relevanssi-premium
Responsive HTML5 Audio Player PRO With Playlist lbg-audio2-html5
RS WP Book Showcase – A Complete Book Catalogue & Library System rs-wp-books-showcase
Salon Booking Pro salon-booking-plugin-pro-cc
Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses salon-booking-system
SEO Flow by LupsOnline lupsonline-link-netwerk
SEO合集(支持百度/Google/Bing/头条推送) baiduseo
Sharespine Woocommerce Connector sharespine-woocommerce-connector
ShayanWeb Admin FontChanger | افزونه‌ی تغییر فونت پیشخوان وردپرس شایان وب shayanweb-admin-fontchanger
SHOUT lbg-audio8-html5-radio_ads
Simple Link Directory Pro qc-simple-link-directory
Spotlight Social Feeds – Block, Shortcode, and Widget (Premium) spotlight-social-photo-feeds-premium
STAGGS – Product Configurator Toolkit staggs
Sticky Radio Player lbg-audio5-html5-shoutcast_sticky
Subaccounts for WooCommerce subaccounts-for-woocommerce
Tainacan tainacan
TI WooCommerce Wishlist ti-woocommerce-wishlist
TicketBAI Facturas para WooCommerce wp-ticketbai
TNC FlipBook pdf-viewer-for-wordpress
Tours tours
UberSlider uber-classic
UiPress lite | Effortless custom dashboards, admin themes and pages uipress-lite
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) ultraaddons-elementor-lite
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin uncanny-automator
Uncanny Toolkit for LearnDash uncanny-learndash-toolkit
ValidateCertify Free validar-certificados-de-cursos
Video Player & FullScreen Video Background universal-video-player-and-bg
WC Affiliate – A Complete WooCommerce Affiliate Plugin wc-affiliate
Weluka Lite weluka-lite
WHMpress – WHMCS WordPress Integration Plugin whmpress
Wise Chat wise-chat
Wishlist wishlist
WooCommerce POS – Point of Sale woocommerce-pos
WordPress Auto Spinner wp-auto-spinner
WordPress Events Calendar Registration & Tickets wpeventplus
WP Booking Calendar booking
WP Content Security Plugin wp-content-security-policy
WP JobHunt wp-jobhunt
WP Notes Widget wp-notes-widget
WP Tabs – Responsive Tabs and Custom Product Tabs wp-expand-tabs-free
WP Ultimate Tours Builder WP_UltimateToursBuilder
WP-Members Membership Plugin wp-members
WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden wp2leads
WPBot Pro WordPress Chatbot wpbot-pro
WPCHURCH – Church Management System for WordPress church-management
WPGYM – WordPress Gym Management System gym-management
X Addons for Elementor x-addons-elementor

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
AnyWhere Elementor Pro anywhere-elementor-pro
Bimber – Viral Magazine WordPress Theme bimber
HotStar – MultiPurpose Business WordPress Theme hotstar
Plant | Gardening & Houseplants WordPress Theme plant
Rozario – Restaurant & Food WordPress Theme rozario
Seven Stars – Modern Responsive MultiPurpose Theme sevenstars
Spare – Ultimate MultiPurpose LESS Theme spare
The Business – Powerful One Page Biz Theme nrgbusiness
TheGem thegem

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Crawlomatic Multipage Scraper Post Generator <= 2.6.8.1 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-4389
Patch Status
Patched
Published
May 16, 2025
Affected Software
Crawlomatic Multipage Scraper Post Generator
Researcher
More Details >

Echo RSS Feed Post Generator <= 5.4.8.1 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-4391
Patch Status
Patched
Published
May 16, 2025
Affected Software
Echo RSS Feed Post Generator
Researcher
More Details >

Printcart Web to Print Product Designer for WooCommerce <= 2.3.8 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-47641
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Printcart Web to Print Product Designer for WooCommerce
Researcher
More Details >

STAGGS <= 2.11.0 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-47637
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
STAGGS – Product Configurator Toolkit
Researcher
More Details >

TI WooCommerce Wishlist <= 2.9.2 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-47577
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
TI WooCommerce Wishlist
Researcher
More Details >

TicketBAI Facturas para WooCommerce <= 3.18 – Unauthenticated Arbitrary File Deletion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-4564
Patch Status
Patched
Published
May 14, 2025
Affected Software
TicketBAI Facturas para WooCommerce
Researcher
More Details >

WHMpress <= 6.2-revision-9 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-39491
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WHMpress – WHMCS WordPress Integration Plugin
Researcher
More Details >

WordPress Events Calendar Registration & Tickets <= 2.6.0 – Unauthenticated PHP Object Injection

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-47581
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WordPress Events Calendar Registration & Tickets
Researcher
More Details >

WPBot Pro WordPress Chatbot <= 12.7.0 – Unauthenticated PHP Object Injection

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-47582
Patch Status
Unpatched
Published
May 14, 2025
Affected Software
WPBot Pro WordPress Chatbot
Researcher
More Details >

WPCHURCH <= 2.7.0 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-32304
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WPCHURCH – Church Management System for WordPress
Researcher
More Details >

WPFunnels <= 3.5.18 – Unauthenticated PHP Object Injection

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-47530
Patch Status
Patched
Published
May 12, 2025
Affected Software
Easiest Funnel Builder For WordPress & WooCommerce, Specialized For Digital Creators – WPFunnels
Researcher
More Details >

百度站长SEO合集(支持百度/神马/Bing/头条推送) <= 2.0.6 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-3917
Patch Status
Unpatched
Published
May 14, 2025
Affected Software
SEO合集(支持百度/Google/Bing/头条推送)
Researcher
More Details >

Bimber – Viral Magazine WordPress Theme <= 9.2.5 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-47576
Patch Status
Unpatched
Published
May 13, 2025
Affected Software
Bimber – Viral Magazine WordPress Theme
Researcher
More Details >

FAT Services Booking <= 5.5 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-47693
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
FAT Services Booking
Researcher
More Details >

Frontend Dashboard 1.0 – 2.2.7 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via fed_admin_setting_form_function Function

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-4474
Patch Status
Patched
Published
May 12, 2025
Affected Software
Frontend Dashboard
Researcher
More Details >

Frontend Dashboard 1.5.10 – 2.2.7 – Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via ajax_request Function

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-4473
Patch Status
Patched
Published
May 12, 2025
Affected Software
Frontend Dashboard
Researcher
More Details >

Mortgage Calculator Estatik <= 2.0.12 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-48136
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Estatik Mortgage Calculator
Researcher
More Details >

Nasa Core <= 6.3.2 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-39507
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Nasa Core
Researcher
More Details >

QuickCal <= 1.0.13 – Cross-Site Request Forgery to Privilege Escalation

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-32310
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
QuickCal
Researcher
More Details >

Subaccounts for WooCommerce <= 1.6.6 – Authenticated (Subscriber+) Privilege Escalation via Account Takeover

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-47461
Patch Status
Patched
Published
May 12, 2025
Affected Software
Subaccounts for WooCommerce
Researcher
More Details >

TheGem <= 5.10.3 – Authenticated (Subscriber+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-4317
Patch Status
Patched
Published
May 12, 2025
Affected Software
TheGem
Researcher
More Details >

UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.07 – Authenticated (Subscriber+) Remote Code Execution

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-3053
Patch Status
Patched
Published
May 14, 2025
Affected Software
UiPress lite | Effortless custom dashboards, admin themes and pages
Researchers
More Details >

WC Affiliate <= 2.9 – Authenticated (Subscriber+) PHP Object Injection

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-47660
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WC Affiliate – A Complete WooCommerce Affiliate Plugin
Researcher
More Details >

WHMpress <= 6.2-revision-9 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-39492
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WHMpress – WHMCS WordPress Integration Plugin
Researcher
More Details >

Uncanny Automator <= 6.4.0.1 – Authenticated (Subscriber+) PHP Object Injection in automator_api_decode_message Function

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-3623
Patch Status
Patched
Published
May 13, 2025
Affected Software
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Researcher
More Details >

WPBot Pro WordPress Chatbot <= 13.6.2 – Authenticated (Subscriber+) Arbitrary File Deletion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-3812
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WPBot Pro WordPress Chatbot
Researcher
More Details >

Eventer <= 3.9.6 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-39481
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Eventer
Researcher
More Details >

Facturante <= 1.11 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-47599
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Facturante – Facturación Electrónica
Researcher
More Details >

Printcart Web to Print Product Designer for WooCommerce <= 2.3.8 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-47640
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Printcart Web to Print Product Designer for WooCommerce
Researcher
More Details >

Relevanssi <= 4.24.4 (Free) and <= 2.27.5 (Premium) – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-4396
Patch Status
Patched
Published
May 12, 2025
Affected Software
Relevanssi – A Better Search (Pro)
Relevanssi – A Better Search
Researcher
More Details >

Wise Chat <= 3.3.3 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13613
Patch Status
Patched
Published
May 16, 2025
Affected Software
Wise Chat
Researcher
More Details >

WP JobHunt <= 7.1 – Unauthenticated Insecure Direct Object Reference

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-39537
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WP JobHunt
Researcher
More Details >

WPGYM <= 65.0 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-32643
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WPGYM – WordPress Gym Management System
Researcher
More Details >

File Manager Advanced Shortcode <= Multiple Versions – Authenticated (Administrator+) Local JavaScript File Inclusion via Shortcode

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13914
Patch Status
Patched
Published
May 14, 2025
Affected Software
File Manager Advanced Shortcode
File Manager Advanced Shortcode
Researcher
More Details >

WP Content Security Plugin <= 2.3 – Unauthenticated Stored Cross-Site Scripting via CSP-Report Fields

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-4579
Patch Status
Unpatched
Published
May 14, 2025
Affected Software
WP Content Security Plugin
Researcher
More Details >

WP Tabs <= 2.2.11 – Authenticated (Administrator+) PHP Object Injection

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-48134
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WP Tabs – Responsive Tabs and Custom Product Tabs
Researcher
More Details >

Apollo <= 3.6.3 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-32245
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Apollo
Researcher
More Details >

Chameleon HTML5 Audio Player With/Without Playlist <= 3.5.6 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-32307
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Chameleon HTML5 Audio Player With/Without Playlist
Researcher
More Details >

CURCY <= 2.3.7 – Missing Authorization to Arbitrary Shortcode Execution

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-47563
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
CURCY – WooCommerce Multi Currency – Currency Switcher
Researcher
More Details >

Interview <= 1.01 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-48137
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Interview
Researcher
More Details >

Magic Responsive Slider and Carousel WordPress <= 1.4 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-31640
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Magic Responsive Slider and Carousel WordPress
Researcher
More Details >

MapSVG <= 8.5.34 – Unauthenticated Arbitrary Shortcode Execution

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-47562
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
MapSVG
Researcher
More Details >

MapSVG Lite <= 8.6.4 – Unauthenticated Arbitrary Shortcode Execution

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-48120
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
MapSVG – Vector maps, Image maps, Google Maps
Researcher
More Details >

Multimedia Responsive Carousel with Image Video Audio Support <= 2.6.0 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-31928
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Multimedia Responsive Carousel with Image Video Audio Support
Researcher
More Details >

Newsletters <= 4.9.9.8 – Authenticated (Contributor+) SQL Injection orderby Parameter

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-3107
Patch Status
Patched
Published
May 12, 2025
Affected Software
Newsletters
Researcher
More Details >

ProfileGrid <= 5.9.5.0 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-47478
Patch Status
Patched
Published
May 12, 2025
Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher
More Details >

Radio Player Shoutcast & Icecast WordPress Plugin <= 4.4.6 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-32306
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Radio Player Shoutcast & Icecast WordPress Plugin
Researcher
More Details >

Responsive HTML5 Audio Player PRO With Playlist <= 3.5.7 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-32287
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Responsive HTML5 Audio Player PRO With Playlist
Researcher
More Details >

RS WP Book Showcase <= 6.7.41 – Unauthenticated Arbitrary Shortcode Execution

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-48119
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
RS WP Book Showcase – A Complete Book Catalogue & Library System
Researcher
More Details >

SHOUT <= 3.5.3 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-31637
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
SHOUT
Researcher
More Details >

Sticky Radio Player <= 3.4 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-31926
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Sticky Radio Player
Researcher
More Details >

UberSlider <= 2.3 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-31641
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
UberSlider
Researcher
More Details >

Ads Pro Plugin <= 4.88 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-46464
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager
Researcher
More Details >

All in One SEO Pack <= 4.8.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Description and Canonical URL

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-2892
Patch Status
Patched
Published
May 18, 2025
Affected Software
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Researcher
More Details >

Aptivada for WP <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-48135
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Aptivada for WP
Researcher
More Details >

Bold Page Builder <= 5.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘data-text’ Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-3715
Patch Status
Patched
Published
May 17, 2025
Affected Software
Bold Page Builder
Researcher
More Details >

Bon Toolkit <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-4589
Patch Status
Unpatched
Published
May 14, 2025
Affected Software
Bon Toolkit
Researcher
More Details >

Booking Calendar <= 10.11.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via wpbc Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-4669
Patch Status
Patched
Published
May 16, 2025
Affected Software
WP Booking Calendar
Researcher
More Details >

Broadstreet <= 1.51.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-48113
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Broadstreet
Researcher
More Details >

Dokan Pro <= 3.14.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-39497
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Dokan Pro
Researcher
More Details >

EG-Series <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-4126
Patch Status
Unpatched
Published
May 14, 2025
Affected Software
EG-Series
Researcher
More Details >

EventON – WordPress Virtual Event Calendar Plugin <= 4.9.6 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-3527
Patch Status
Patched
Published
May 16, 2025
Affected Software
EventON (Pro) – WordPress Virtual Event Calendar Plugin
Researcher
More Details >

Jupiterx Core <= 4.8.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via Inline SVG

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-3888
Patch Status
Patched
Published
May 16, 2025
Affected Software
Jupiter X Core
Researcher
More Details >

MapSVG <= 8.5.31 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-47557
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
MapSVG
Researcher
More Details >

Ninja Tables Pro <= 5.0.17 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-39534
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Ninja Tables Pro
Researcher
More Details >

Posts per Cat [Unmaintained] <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-4169
Patch Status
Patched
Published
May 15, 2025
Affected Software
Posts per Cat
Researcher
More Details >

TI WooCommerce Wishlist <= 2.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-32920
Patch Status
Unpatched
Published
May 15, 2025
Affected Software
TI WooCommerce Wishlist
Researcher
More Details >

TNC FlipBook <= 12.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-39509
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
TNC FlipBook
Researcher
More Details >

UltraAddons Elementor Lite <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-48131
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Researcher
More Details >

Uncanny Toolkit for LearnDash <= 3.7.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-48080
Patch Status
Patched
Published
May 16, 2025
Affected Software
Uncanny Toolkit for LearnDash
Researcher
More Details >

Weluka Lite <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-4591
Patch Status
Unpatched
Published
May 14, 2025
Affected Software
Weluka Lite
Researcher
More Details >

WP Notes Widget <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-48121
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WP Notes Widget
Researcher
More Details >

WP-Members <= 3.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_user_memberships Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-4610
Patch Status
Patched
Published
May 16, 2025
Affected Software
WP-Members Membership Plugin
Researcher
More Details >

X Addons for Elementor <= 1.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-48132
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
X Addons for Elementor
Researcher
More Details >

AlT Monitoring <= 1.0.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-4194
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
AlT Monitoring
Researcher
More Details >

Arconix Shortcodes <= 2.1.16 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-47673
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Arconix Shortcodes
Researcher
More Details >

Audio Comments Plugin <= 1.0.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-4189
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Audio Comments Plugin
Researcher
More Details >

B2i Investor Tools <= 1.0.7.9 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-47458
Patch Status
Patched
Published
May 12, 2025
Affected Software
B2i Investor Tools
Researcher
More Details >

CSS3 Accordions for WordPress <= 3.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-31922
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
CSS3 Accordions for WordPress
Researcher
More Details >

Dot html,php,xml etc pages <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-48112
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Dot html,php,xml etc pages
Researcher
More Details >

Import Export For WooCommerce <= 1.6.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-48144
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Import Export For WooCommerce
Researcher
More Details >

SEO Flow by LupsOnline <= 2.2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-48146
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
SEO Flow by LupsOnline
Researcher
More Details >

Ninja Forms Webhooks <= 3.0.7 – Authenticated (Admin+) Server-Side Request Forgery via Form Webhook

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-13940
Patch Status
Patched
Published
May 13, 2025
Affected Software
Ninja Forms Webhooks
Researcher
More Details >

BNS Twitter Follow Button <= 0.3.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-47578
Patch Status
Unpatched
Published
May 12, 2025
Affected Software
BNS Twitter Follow Button
Researcher
More Details >

Pixel WordPress Form BuilderPlugin & Autoresponder <= 1.0.2 – Cross-Site Request Forgery

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-31915
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Pixel WordPress Form BuilderPlugin & Autoresponder
Researcher
More Details >

Drag and Drop File Upload for Elementor Forms <= 1.4.3 – Unauthenticated Arbitrary File Deletion

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-47492
Patch Status
Patched
Published
May 15, 2025
Affected Software
Drag and Drop File Upload for Elementor Forms
Researcher
More Details >

EventON (Pro) <= 4.9.9 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-47564
Patch Status
Patched
Published
May 16, 2025
Affected Software
EventON (Pro) – WordPress Virtual Event Calendar Plugin
Researcher
More Details >

EventON <= 2.4.4 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-48116
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
EventON – Events Calendar
Researcher
More Details >

Experto CTA Widget – Call To Action, Sticky CTA, Floating Button Plugin <= 1.1.1 – Missing Authorization to Unauthenticated Settings Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-47529
Patch Status
Patched
Published
May 15, 2025
Affected Software
Experto CTA Widget – Call To Action, Sticky CTA, Floating Button Plugin
Researcher
More Details >

Front End Users <= 3.2.32 – Missing Authorization to Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-47580
Patch Status
Unpatched
Published
May 15, 2025
Affected Software
Front End Users
Researcher
More Details >

HotStar – Multi-Purpose Business Theme <= 1.4 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-31071
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
HotStar – MultiPurpose Business WordPress Theme
Researcher
More Details >

Jetpack Debug Tools <= 2.0.0 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-56006
Patch Status
Patched
Published
May 15, 2025
Affected Software
Jetpack Debug Helper
Researcher
More Details >

Latepoint <= 5.1.92 – Unauthenticated Insecure Direct Object Reference

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-3769
Patch Status
Patched
Published
May 13, 2025
Affected Software
LatePoint – Calendar Booking Plugin for Appointments and Events
Researcher
More Details >

Opal Woo Custom Product Variation <= 1.2.0 – Unauthenticated Arbitrary File Deletion

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-47535
Patch Status
Patched
Published
May 12, 2025
Affected Software
Opal Woo Custom Product Variation
Researcher
More Details >

PeepSo Core: File Uploads <= 6.4.6.0 – Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via file_download

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-8988
Patch Status
Patched
Published
May 13, 2025
Affected Software
PeepSo Core: File Uploads
Researcher
More Details >

Plant – Gardening & Houseplants WordPress Theme <= 1.0.0 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-31051
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Plant | Gardening & Houseplants WordPress Theme
Researcher
More Details >

Push notification for Mobile and Web app <= 2.0.3 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-48127
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Push notification for Mobile and Web app
Researcher
More Details >

Rozario <= 1.4 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-31065
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Rozario – Restaurant & Food WordPress Theme
Researcher
More Details >

Simple Link Directory Pro <= 14.7.3 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-32296
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Simple Link Directory Pro
Researcher
More Details >

Spotlight – Social Media Feeds (Premium) <= 1.7.1 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-39498
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Spotlight Social Feeds – Block, Shortcode, and Widget (Premium)
Researcher
More Details >

Tainacan <= 0.21.14 – Unauthenticated Arbitrary File Deletion

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-47512
Patch Status
Patched
Published
May 16, 2025
Affected Software
Tainacan
Researcher
More Details >

The Business <= 1.6.1 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-31630
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
The Business – Powerful One Page Biz Theme
Researcher
More Details >

WooCommerce POS <= 1.7.8 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-48117
Patch Status
Patched
Published
May 16, 2025
Affected Software
WooCommerce POS – Point of Sale
Researcher
More Details >

Video Player & FullScreen Video Background <= 2.4.1 – Authenticated (Administrator+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-47567
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Video Player & FullScreen Video Background
Researcher
More Details >

6Storage Rentals <= 2.19.4 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-47619
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
6Storage Rentals
Researcher
More Details >

AnyWhere Elementor Pro <= 2.29 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-31046
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
AnyWhere Elementor Pro
Researcher
More Details >

BERTHA AI <= 1.12.11 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-48138
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
BERTHA AI. Your AI co-pilot for WordPress and Chrome
Researcher
More Details >

CSS3 Accordions for WordPress <= 3.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-31923
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
CSS3 Accordions for WordPress
Researcher
More Details >

CSS3 Tooltips for WordPress <= 1.8 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-32180
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
CSS3 Tooltips for WordPress
Researcher
More Details >

Element Pack Pro <= 7.18.12 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-46257
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin
Researcher
More Details >

Element Pack Pro <= 7.18.12 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-46258
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin
Researcher
More Details >

Eventer <= 3.9.6 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-39482
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Eventer
Researcher
More Details >

MapSVG <= 8.5.32 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-47560
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
MapSVG
Researcher
More Details >

MultiVendorX – WooCommerce Multivendor Marketplace Solutions <= 4.2.22 – Incorrect Authorization to Authenticated (Contributor+) Arbitrary Post Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-4101
Patch Status
Patched
Published
May 16, 2025
Affected Software
MultiVendorX – WooCommerce Multivendor Marketplace Solutions
Researcher
More Details >

Pinterest Automatic Pin <= 4.18.2 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-39511
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Pinterest Automatic
Researcher
More Details >

ProfileGrid <= 5.9.5.1 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-48079
Patch Status
Patched
Published
May 16, 2025
Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher
More Details >

QuickCal <= 1.0.15 – Authenticated (Subscriber+) Sensitive Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-32299
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
QuickCal
Researcher
More Details >

Rankie <= 1.8.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-39493
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Rankie – WordPress Rank Tracker Plugin
Researcher
More Details >

Salon Booking Pro <= 10.10.2 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-32295
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Salon Booking Pro
Researcher
More Details >

Salon booking system <= 10.16 – Cross-Site Request Forgery to Arbitrary Post/Page Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-47583
Patch Status
Unpatched
Published
May 15, 2025
Affected Software
Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses
Researcher
More Details >

Seven Stars <= 1.4.4 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-31068
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Seven Stars – Modern Responsive MultiPurpose Theme
Researcher
More Details >

Sharespine Woocommerce Connector <= 4.7.55 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-48128
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Sharespine Woocommerce Connector
Researcher
More Details >

ShayanWeb Admin FontChanger <= 1.8.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-48114
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
ShayanWeb Admin FontChanger | افزونه‌ی تغییر فونت پیشخوان وردپرس شایان وب
Researcher
More Details >

Spare <= 1.7 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-31639
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Spare – Ultimate MultiPurpose LESS Theme
Researcher
More Details >

TheGem <= 5.10.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Theme Options Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-4339
Patch Status
Patched
Published
May 12, 2025
Affected Software
TheGem
Researcher
More Details >

Tours <= 1.0.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-51666
Patch Status
Patched
Published
May 15, 2025
Affected Software
Tours
Researcher
More Details >

ValidateCertify <= 1.6.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-48115
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
ValidateCertify Free
Researcher
More Details >

Wishlist <= 2.1.0 – Authenticated (Subscriber+) Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-31062
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Wishlist
Researcher
More Details >

Wishlist <= 2.1.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-31063
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
Wishlist
Researcher
More Details >

WordPress Auto Spinner <= 3.25.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-47534
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WordPress Auto Spinner
Researcher
More Details >

WP Ultimate Tours Builder <= 1.055 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-31921
Patch Status
Unpatched
Published
May 16, 2025
Affected Software
WP Ultimate Tours Builder
Researcher
More Details >

WP2LEADS <= 3.5.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-32922
Patch Status
Unpatched
Published
May 15, 2025
Affected Software
WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 12, 2025 to May 18, 2025) appeared first on Wordfence.

Leave a Comment