In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.
Last week, 160 vulnerabilities disclosed in 108 WordPress plugins and 44 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 46 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report. As the world’s leading provider of quality vulnerability data for WordPress, Wordfence gives site owners the assurance that someone has their back.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our database of over 27,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-838 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-839 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-840 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 68 |
Unpatched | 92 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Medium Severity | 90 |
High Severity | 21 |
Critical Severity | 49 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 52 |
Deserialization of Untrusted Data | 24 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 23 |
Missing Authorization | 17 |
Cross-Site Request Forgery (CSRF) | 12 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11 |
Unrestricted Upload of File with Dangerous Type | 5 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 4 |
External Control of File Name or Path | 3 |
Incorrect Privilege Assignment | 3 |
Improper Control of Generation of Code (‘Code Injection’) | 2 |
Authorization Bypass Through User-Controlled Key | 1 |
Improper Privilege Management | 1 |
Unverified Password Change | 1 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| | 29 |
| | 20 |
| | 13 |
| | 8 |
| | 7 |
| | 7 |
| | 7 |
| | 6 |
| | 4 |
| | 4 |
| | 4 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
4stats | 4stats |
Active Products Tables for WooCommerce. Use constructor to create tables | profit-products-tables-for-woocommerce |
Additional Custom Emails & Recipients for WooCommerce | custom-emails-for-woocommerce |
Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager | ap-plugin-scripteo |
Advanced Database Cleaner PRO | advanced-database-cleaner-pro |
Affiliate Sales in Google Analytics and other tools | wecantrack |
Affiliates Manager Google reCAPTCHA Integration | affiliates-manager-google-recaptcha-integration |
Animated Buttons | animated-buttons |
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress | automatorwp |
AWcode Toolkit | awcode-toolkit |
Back Button Widget | back-button-widget |
Binary MLM Plan | binary-mlm-plan |
Blog Designer PRO for WordPress | blog-designer-pro |
Booking and Rental Manager for Bike \| Car \| Resort \| Appointment \| Dress \| Equipment | booking-and-rental-manager-for-woocommerce |
Bot for Telegram on WooCommerce | bot-for-telegram-on-woocommerce |
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP | videowhisper-live-streaming-integration |
bunny.net – WordPress CDN Plugin | bunnycdn |
Bus Ticket Booking with Seat Reservation for WooCommerce | scw-bus-seat-reservation |
Change Add to Cart Button Text for WooCommerce | add-to-cart-button-labels-for-woocommerce |
Cloudflare Turnstile or reCAPTCHA For any Pages, to Block Spam and Hackers Attack. | recaptcha-for-all |
Cost Calculator Builder | cost-calculator-builder |
Cost of Goods: Product Cost & Profit Calculator for WooCommerce | cost-of-goods-for-woocommerce |
Coupons & Add to Cart by URL Links for WooCommerce | url-coupons-for-woocommerce-by-algoritmika |
CryptoCloud – Crypto Payment Gateway | cryptocloud-crypto-payment-gateway |
DPEPress | dpepress |
Dynamic Pricing & Discounts Lite for WooCommerce | woo-dynamic-pricing-discounts-lite |
DZS Video Gallery | dzs-videogallery |
EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory | ean-for-woocommerce |
ElementInvader Addons for Elementor | elementinvader-addons-for-elementor |
eMagicOne Store Manager for WooCommerce | store-manager-connector |
Embed and Integrate Etsy Shop | embed-and-integrate-etsy-shop |
Essential Real Estate | essential-real-estate |
Exclusive Addons for Elementor | exclusive-addons-for-elementor |
Falang multilanguage for WordPress | falang |
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
Formulario de contacto SalesUp! | formularios-de-contacto-salesup |
Free Shipping Bar: Amount Left for Free Shipping for WooCommerce | amount-left-free-shipping-woocommerce |
GDPR CCPA Compliance & Cookie Consent Banner | ninja-gdpr-compliance |
Glossary by WPPedia – Best Glossary plugin for WordPress | wppedia |
Goodlayers Hostel | gdlr-hostel |
Goodlayers Hotel | gdlr-hotel |
Hospital Management System for WordPress | hospital-management |
Hot Random Image | hot-random-image |
Import Social Events | import-facebook-events |
Infocob CRM Forms | infocob-crm-forms |
Japanized for WooCommerce | woocommerce-for-japan |
JobHunt Job Alerts | jobhunt-notifications |
JP Students Result Management System Premium | jp-students-result-system-premium |
KBx Pro Ultimate | knowledgebase-helpdesk-pro |
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | legal-pages |
Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | majestic-support |
MapSVG | mapsvg |
Medicare | medicare |
MetalpriceAPI | metalpriceapi |
miniOrange Discord Integration | miniorange-discord-integration |
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon | miniorange-login-openid |
MultiVendorX – WooCommerce Multivendor Marketplace Solutions | dc-woocommerce-multi-vendor |
Nasa Core | nasa-core |
Network Posts Extended | network-posts-extended |
Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | nextgen-gallery |
Pix 4x sem juros – Pagaleve | wc-pagaleve |
Pixel WordPress Form BuilderPlugin & Autoresponder | pixel-formbuilder |
PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin | pretty-link |
Product Code for WooCommerce | product-code-for-woocommerce |
Product Notes Tab & Private Admin Notes for WooCommerce | product-notes-for-woocommerce |
Projectopia – WordPress Project Management | projectopia-core |
Raisely Donation Form | raisely-donation-form |
ReDi Restaurant Reservation – Instant Availability & Confirmation | redi-restaurant-reservation |
Rootspersona | rootspersona |
RSVPMaker | rsvpmaker |
School Management System for WordPress | school-management |
Simple Business Directory Pro | simple-business-directory-pro |
Simplelightbox | simplelightbox |
Sitewide Discount for WooCommerce: Apply Discount to All Products | global-shop-discount-for-woocommerce |
SKT Blocks – Gutenberg based Page Builder | skt-blocks |
Slim SEO – Fast & Automated WordPress SEO Plugin | slim-seo |
Smart Forms – when you need more than just a contact form | smart-forms |
Solid Mail – SMTP email and logging made by SolidWP | wp-smtp |
Splitit | splitit-installment-payments |
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | excel-like-price-change-for-woocommerce-and-wp-e-commerce-light |
StyleAI | relentlosoftware |
TablePress – Tables in WordPress made easy | tablepress |
The Events Calendar | the-events-calendar |
The Plus Addons for Elementor Page Builder | theplus_elementor_addon |
Tour Master – Tour Booking, Travel, Hotel | tourmaster |
Tournamatch | tournamatch |
Ultimate Blocks – WordPress Blocks Plugin | ultimate-blocks |
Url Rewrite Analyzer | url-rewrite-analyzer |
User Meta – User Profile Builder and User management plugin | user-meta |
User Profile Meta Manager | user-profile-meta |
Visual Composer Website Builder | visualcomposer |
WhatsCart – Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce | WhatsCart-for-WooCommerce |
Wishlist for WooCommerce: Multi Wishlists Per Customer | wish-list-for-woocommerce |
WooCommerce | woocommerce |
WordPress Mega Menu Block | getwid-megamenu |
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | wp-event-manager |
WP Image Mask | wp-image-mask |
WP Job Portal – A Complete Recruitment System for Company or Job Board website | wp-job-portal |
WP Mapa Politico España | wp-mapa-politico-spain |
WP Post Modules for Elementor | wp-post-modules-el |
WP Smart Import : Import any XML File to WordPress | wp-smart-import |
WP YouTube Video Optimizer | wp-youtube-video-optimizer |
WPAdverts – Classifieds Plugin | wpadverts |
WPCHURCH – Church Management System for WordPress | church-management |
Xpro Addons For Beaver Builder – Lite | xpro-addons-beaver-builder-elementor |
Year Make Model Search for WooCommerce | ymm-search |
ZoomSounds – WordPress Wave Audio Player with Playlist | dzs-zoomsounds |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Acerola – Ultra Minimalist Agency Theme | acerola |
Ashley – Creative Portfolio WordPress Theme | ashley |
Avantage – Business Consulting WordPress Theme | avantage |
Backpack Traveler – Modern Travel Blog WordPress Theme | backpacktraveler |
bloggie | bloggie |
Builty – Construction WordPress Theme | builty |
Butcher – Meat Shop WooCommerce WordPress Theme | butcher |
Capie – Minimal Creative WooCommerce WordPress Theme | capie |
Car Dealer Automotive WordPress Theme – Responsive | cardealer |
couponxl | couponxl |
Crafts & Arts – Handmade Artist WordPress | crafts-and-arts |
Dash – Creative Business Theme | dash |
Entrada | entrada |
Enzio – Responsive Business WordPress Theme | enzio |
Finance Consultant – Consulting WordPress Theme | finance |
Fish House \| A Stylish Seafood Restaurant / Cafe / Bar WordPress Theme | fish-house |
Grand Tour \| Travel Agency WordPress | grandtour |
Healsoul – Medical Care, Home Healthcare Service WP Theme | healsoul |
HotStar – MultiPurpose Business WordPress Theme | hotstar |
Insurance WordPress Theme | insurance |
itsulu | itsulu |
Jarvis – Night Club, Concert, Festival WordPress Theme | jarvis |
kaffen | kaffen |
Kiamo – Responsive Business Service WordPress Theme | kiamo |
Kids Planet – Children Kindergarten and Playgroup WordPress Theme | kidsplanet |
Kinsley – Hotel Booking Theme | kinsley |
La Boom – Food & Restaurant Bistro WordPress Theme | laboom |
larson | larson |
luique | luique |
Madara – Responsive and modern WordPress theme for manga sites | madara |
Motors – Car Dealer, Rental & Listing WordPress theme | motors |
OBER – CV Resume WordPress Theme | ober |
Ogami – Organic Store WordPress Theme | ogami |
Oxpitan – Nonprofit Charity WordPress Theme | oxpitan |
Pet World – Dog Care & Pet Shop WordPress Theme | petsworld |
Photography | photography |
ruizarch | ruizarch |
samantha | samantha |
The Business – Powerful One Page Biz Theme | nrgbusiness |
Umberto – Mushroom Farm & Organic Products Store WordPress Theme | umberto |
Vizeon – Business Consulting WordPress Themes | vizeon |
Wilmër – Construction WordPress Theme | wilmer |
winnex | winnex |
Yozi – Multipurpose Electronics WooCommerce WordPress Theme | yozi |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 19, 2025 to May 25, 2025) appeared first on Wordfence.