Wordfence Intelligence Weekly WordPress Vulnerability Report (June 16, 2025 to June 22, 2025)

Calling all Vulnerability Researchers and Bug Bounty Hunters!

Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

Last week, there were 131 vulnerabilities disclosed in 124 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 44 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 27,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WAF-RULE-849 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-853 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Nguyen Xuan Chien	12
Peter Thaleikis	11
domiee13	11
Nabil Irawan	10
Kévin Mosbahi (Mika)	10
Chu The Anh	7
muhammad yudha	7
ch4r0n	4
Trương Hữu Phúc (truonghuuphuc)	4
mikemyers	3
theviper17y	3
Bonds	3
Prissy	3
greenhats	3
Nguyen Ngoc Quang Bach (maysbachs)	3
Brian Sans-Souci (liardom)	2
HLog	2
Skalucy	2
zaim	2
Asaf Mozes	2
LVT-tholv2k	2
Tran Nguyen Bao Khanh	2
yuhda	1
Miki Iwamoto	1
István Márton	1
0xd4rk5id3	1
Jonas Benjamin Friedli	1
Nguyen Kim Sang	1
Iwasawa Toshiki	1
Tom Broucke	1
Vincent Fourcade (vinceMatsui)	1
Nguyễn Trung Kiên	1
siavashvafshar	1
Jang Jeong Ahn (Jhanks)	1
Webbernaut	1
Ryan Kozak	1
Frissi0n	1
s1lentmt	1
zer0gh0st	1
Amin Beheshti	1
Hiro	1
chuongcd	1
Gilang	1
lucky_buddy	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.3.0 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-49330

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin

Researcher

Frissi0n

More Details >

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.3 – Missing Authorization to Unauthenticated Arbitrary Plugin Installation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-1562

Patch Status
Patched

Published
Jun 17, 2025

Affected Software
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce

Researcher

mikemyers

More Details >

AI Engine 2.8.0 – 2.8.3 – Authenticated (Subscriber+) Insufficient Authorization to Privilege Escalation via MCP

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-5071

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
AI Engine

Researcher

István Márton

More Details >

HUSKY <= 1.3.7 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-52708

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
HUSKY – Products Filter Professional for WooCommerce

Researcher

LVT-tholv2k

More Details >

Pixabay Images <= 3.4 – Authenticated (Author+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-4413

Patch Status
Unpatched

Published
Jun 17, 2025

Affected Software
Pixabay Images

Researcher

siavashvafshar

More Details >

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 – Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-3515

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
Drag and Drop Multiple File Upload for Contact Form 7

Researcher

mikemyers

More Details >

Beaver Builder Plugin (Starter Version) <= 2.9.1 – Authenticated (Administrator+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-4102

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Beaver Builder Plugin (Starter Version)

Researcher

Tom Broucke

More Details >

CSV Me <= 2.0 – Authenticated (Administrator+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-6086

Patch Status
Unpatched

Published
Jun 17, 2025

Affected Software
CSV Me

Researcher(s): Unknown

More Details >

Ultimate Addons for Contact Form 7 <= 3.5.12 – Authenticated (Administrator+) Arbitrary File Upload via ‘save_options’

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-6220

Patch Status
Patched

Published
Jun 17, 2025

Affected Software
Ultra Addons for Contact Form 7

Researcher

Ryan Kozak

More Details >

Wise Chat <= 3.3.4 – Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-3774

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
Wise Chat

Researcher

Vincent Fourcade (vinceMatsui)

More Details >

Blog2Social <= 8.4.4 – Authenticated (Subscriber+) SQL Injection via `prgSortPostType` Parameter

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-5673

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
Blog2Social: Social Media Auto Post & Scheduler

Researcher

mikemyers

More Details >

Video List Manager <= 1.7 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-52821

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Video List Manager

Researcher

Chu The Anh

More Details >

WP Roadmap <= 2.1.3 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-52822

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP Roadmap – Product Feedback Board

Researcher

Peter Thaleikis

More Details >

3D FlipBook – Lite Edition <= 1.16.15 – Authenticated (Contributor+) Stored Cross-Site Scripting via style and mode Parameters

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5289

Patch Status
Patched

Published
Jun 20, 2025

Affected Software
3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery

Researcher

muhammad yudha

More Details >

Anant Addons for Elementor <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50038

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Anant Addons for Elementor

Researcher

Prissy

More Details >

ANON::form embedded secure form <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-52733

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
ANON::form embedded secure form

Researcher

Peter Thaleikis

More Details >

Auto Upload Images <= 3.3.2 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49985

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Auto Upload Images

Researcher

ch4r0n

More Details >

Automatically Hierarchic Categories in Menu <= 2.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50048

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Automatically Hierarchic Categories in Menu

Researcher

muhammad yudha

More Details >

Buying Buddy IDX CRM <= 2.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50037

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Buying Buddy IDX CRM – Real Estate MLS Plugin

Researcher

Peter Thaleikis

More Details >

Code Engine <= 0.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50043

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Code Engine

Researcher

zaim

More Details >

Download Manager <= 3.3.18 – Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4367

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
Download Manager

Researcher

Brian Sans-Souci (liardom)

More Details >

Elementor Website Builder <= 3.29.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-50555

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Elementor Website Builder Pro
Elementor Website Builder – More Than Just a Page Builder

Researcher

Bonds

More Details >

ElementsKit Lite <= 3.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4479

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
ElementsKit Elementor Addons and Templates

Researcher

Asaf Mozes

More Details >

Euro FxRef Currency Converter <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via currency Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6257

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Euro FxRef Currency Converter

Researcher

Gilang

More Details >

Firelight Lightbox <= 2.3.16 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-52707

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Firelight Lightbox

Researcher

Prissy

More Details >

Fitness Park <= 1.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50033

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Fitness Park

Researcher

Peter Thaleikis

More Details >

Fyrebox Quizzes <= 3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50035

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Fyrebox Quizzes

Researcher

Peter Thaleikis

More Details >

Gutenberg Blocks – ACF Blocks Suite <= 2.6.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50041

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Gutenberg Blocks – ACF Blocks Suite

Researcher

Prissy

More Details >

Gutenverse News <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via elementId Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5234

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons

Researcher

Peter Thaleikis

More Details >

Jobs for WordPress <= 2.7.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50050

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Job Postings

Researcher

yuhda

More Details >

Master Slider <= 3.10.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via masterslider_pb and ms_slide Shortcodes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5291

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
Master Slider – Responsive Touch Slider

Researcher

muhammad yudha

More Details >

Modern Footnotes <= 1.4.19 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50049

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Modern Footnotes

Researcher

muhammad yudha

More Details >

Pixel Manager for WooCommerce (PRO) <= 1.49.0 – Authenticated (Contributor+) Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6201

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more

Researcher

theviper17y

More Details >

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.27.8 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-52713

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

PowerPress Podcasting <= 11.13.2 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49984

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
PowerPress Podcasting plugin by Blubrry

Researcher

Nguyễn Trung Kiên

More Details >

Related Products Manager for WooCommerce <= 1.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50045

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Related Products Manager for WooCommerce

Researcher

muhammad yudha

More Details >

Simple Logo Carousel <= 1.9.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5700

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
Simple Logo Carousel

Researcher

Peter Thaleikis

More Details >

Simple Sticky Footer <= 1.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50019

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Simple Sticky Footer

Researcher

Nabil Irawan

More Details >

Sitekit <= 1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50047

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Sitekit

Researcher

muhammad yudha

More Details >

Spark Multipurpose <= 1.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50030

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Spark Multipurpose

Researcher

Peter Thaleikis

More Details >

TableOn – WordPress Posts Table Filterable <= 1.0.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via tableon_popup_iframe_button Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5143

Patch Status
Patched

Published
Jun 20, 2025

Affected Software
TableOn – WordPress Posts Table Filterable 

Researcher

Peter Thaleikis

More Details >

Target Video Easy Publish <= 3.8.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5237

Patch Status
Patched

Published
Jun 17, 2025

Affected Software
Target Video Easy Publish

Researcher

Peter Thaleikis

More Details >

WordPress Infinite Scroll – Ajax Load More <= 7.4.0.1 – Authenticated(Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4775

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
WordPress Infinite Scroll – Ajax Load More

Researcher

Webbernaut

More Details >

WP Register Profile With Shortcode <= 3.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50042

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP Register Profile With Shortcode

Researcher

muhammad yudha

More Details >

WP-Members <= 3.5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50051

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
WP-Members Membership Plugin

Researcher

zaim

More Details >

WPBakery Page Builder <= 8.4.1 – Authenticated (Author+) Stored Cross-Site Scripting via Grid Builder

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4965

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
WPBakery Page Builder for WordPress

Researcher

zer0gh0st

More Details >

WPComplete <= 2.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-50046

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WPComplete

Researcher

theviper17y

More Details >

WPThumb <= 0.10 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49983

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WPThumb

Researcher

domiee13

More Details >

Bulk YouTube Post Creator <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49423

Patch Status
Unpatched

Published
Jun 18, 2025

Affected Software
Bulk YouTube Post Creator

Researcher

Miki Iwamoto

More Details >

FastBook <= 1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-25173

Patch Status
Unpatched

Published
Jun 18, 2025

Affected Software
FastBook – Responsive Appointment Booking and Scheduling System

Researcher

HLog

More Details >

FormLift for Infusionsoft Web Forms <= 7.5.20 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47654

Patch Status
Unpatched

Published
Jun 18, 2025

Affected Software
FormLift for Infusionsoft Web Forms

Researcher

lucky_buddy

More Details >

HYDRO <= 2.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31428

Patch Status
Unpatched

Published
Jun 18, 2025

Affected Software
HYDRO – One Page Portfolio WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Lewe ChordPress <= 3.9.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52789

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Lewe ChordPress – ChordPro Text Formatter

Researcher

Nguyen Xuan Chien

More Details >

School Management <= 92.0.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47574

Patch Status
Unpatched

Published
Jun 18, 2025

Affected Software
School Management System for WordPress

Researcher

Bonds

More Details >

Scroll UP <= 2.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52782

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Scroll UP

Researcher

Nguyen Xuan Chien

More Details >

Smart Notification <= 10.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39478

Patch Status
Unpatched

Published
Jun 18, 2025

Affected Software
Smart Notification WordPress Plugin. Web & Mobile Push, FB Messenger, FB Notifications & Newsletter.

Researcher

Bonds

More Details >

SpecFit-Virtual Try On Woocommerce <= 7.0.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-23973

Patch Status
Unpatched

Published
Jun 18, 2025

Affected Software
SpecFit-Virtual Try On Woocommerce

Researcher

HLog

More Details >

Woocommerce Line Notify <= 1.1.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-30972

Patch Status
Unpatched

Published
Jun 18, 2025

Affected Software
Woocommerce Line Notify

Researcher

LVT-tholv2k

More Details >

WP User Stylesheet Switcher <= v2.2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52792

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP User Stylesheet Switcher

Researcher

Nguyen Xuan Chien

More Details >

Football Pool <= 2.12.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-5490

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
Football Pool

Researcher

Jonas Benjamin Friedli

More Details >

Hand Talk <= 6.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-50015

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Hand Talk

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 – Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-4571

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
GiveWP – Donation Plugin and Fundraising Platform

Researcher

Brian Sans-Souci (liardom)

More Details >

App Builder <= 5.5.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49989

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
App Builder – Create Native Android & iOS Apps On The Flight

Researcher

Hiro

More Details >

Contact Form 7 AWeber Extension <= 0.1.38 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49988

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Contact Form 7 AWeber Extension

Researcher

Kévin Mosbahi (Mika)

More Details >

ContentStudio <= 1.3.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49990

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
ContentStudio

Researcher

domiee13

More Details >

Cookie-Script.com <= 1.2.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49993

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Cookie-Script.com

Researcher

domiee13

More Details >

CRM ERP Business Solution <= 1.13 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49987

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
CRM ERP Business Solution | freelancers & SME | for WordPress & WooCommerce

Researcher

ch4r0n

More Details >

Giveaways and Contests by RafflePress <= 1.12.17 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49997

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Import YouTube videos as WP Posts <= 2.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-52802

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Import YouTube videos as WP Posts

Researcher

Kévin Mosbahi (Mika)

More Details >

Video List Manager <= 1.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49986

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Video List Manager

Researcher

Chu The Anh

More Details >

WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily <= 1.2.4.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-50008

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily

Researcher

Kévin Mosbahi (Mika)

More Details >

WP Visitor Statistics (Real Time Traffic) <= 7.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49996

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP Visitor Statistics (Real Time Traffic)

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

WP-Recall <= 16.26.14 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49991

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP-Recall – Registration, Profile, Commerce & More

Researcher

Nguyen Xuan Chien

More Details >

OceanWP <= 4.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Select HTML Tag

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-5524

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
OceanWP

Researcher

Asaf Mozes

More Details >

ATP Call Now <= 1.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50024

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
ATP Call Now

Researcher

Nabil Irawan

More Details >

Better Random Redirect <= 1.3.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50021

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Better Random Redirect

Researcher

Nabil Irawan

More Details >

CodePen Embed Block <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50023

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
CodePen Embed Block

Researcher

Nabil Irawan

More Details >

CP Polls <= 1.0.81 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50025

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Polls CP

Researcher

Nabil Irawan

More Details >

CSV Importer Improved <= 0.6.1 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50013

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
CSV Importer Improved

Researcher

Chu The Anh

More Details >

File Manager Pro <= 1.8.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-52710

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
File Manager Pro – Filester

Researcher

Nguyen Kim Sang

More Details >

Inventory Presser <= 15.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50012

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Inventory Presser – Car Dealer Listings

Researcher

greenhats

More Details >

IP Based Login <= 2.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50016

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
IP Based Login

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Login/Signup Popup <= 2.9.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50027

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Login & Register Customizer – Popup | Slider | Inline | WooCommerce

Researcher

Nabil Irawan

More Details >

PDPA Consent for Thailand <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50014

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
PDPA Consent for Thailand

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

RDFa Breadcrumb <= 2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50020

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
RDFa Breadcrumb

Researcher

Nabil Irawan

More Details >

Recipes manager – WPH <= 1.0.4 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50011

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Recipes manager – WPH

Researcher

greenhats

More Details >

Spoki <= 2.16.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50026

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Spoki – Chat Buttons and WooCommerce Notifications

Researcher

Nabil Irawan

More Details >

Tealium <= 2.1.17 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50018

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Tealium

Researcher

Nabil Irawan

More Details >

WP Voting Contest <= 5.8 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50017

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP Voting Contest Lite

Researcher

greenhats

More Details >

WP-FB-AutoConnect <= 4.6.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-50022

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP Social AutoConnect

Researcher

Nabil Irawan

More Details >

Bluff Post <= 1.1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52784

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Bluff Post

Researcher

Nguyen Xuan Chien

More Details >

Breeze <= 2.2.13 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-23999

Patch Status
Patched

Published
Jun 18, 2025

Affected Software
Breeze – WordPress Cache Plugin

Researcher

domiee13

More Details >

Change Cart button Colors WooCommerce <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52783

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Change Cart button Colors WooCommerce

Researcher

Nguyen Xuan Chien

More Details >

ClipLink <= 1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49964

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
ClipLink

Researcher

chuongcd

More Details >

Creative Contact Form <= 1.0.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52794

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Creative Contact Form

Researcher

Nguyen Xuan Chien

More Details >

eDS Responsive Menu <= 1.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49971

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
eDS Responsive Menu

Researcher

Kévin Mosbahi (Mika)

More Details >

Enhanced Blocks – Page Builder Blocks for Gutenberg <= 1.4.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-50034

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Enhanced Blocks – Page Builder Blocks for Gutenberg

Researcher

theviper17y

More Details >

Esselink.nu Settings <= 2.94 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52793

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Esselink.nu Settings

Researcher

Nguyen Xuan Chien

More Details >

Hello FSE Blog <= 1.0.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49970

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Hello FSE Blog

Researcher

Peter Thaleikis

More Details >

Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes <= 1.0.10 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49973

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes

Researcher

ch4r0n

More Details >

JobSearch <= 2.9.0 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49978

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
JobSearch WP Job Board

Researcher

Tran Nguyen Bao Khanh

More Details >

JobWP <= 2.4.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49975

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin

Researcher

domiee13

More Details >

Kata Plus <= 1.5.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-50009

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Kata Plus – Addons for Elementor – Widgets, Extensions and Templates

Researcher

domiee13

More Details >

Knowledge Base – Knowledge Base Maker <= 1.1.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52791

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Knowledge Base – Knowledge Base Maker

Researcher

Nguyen Xuan Chien

More Details >

Live Sports Streamthunder <= 2.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49967

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Live Sports Streamthunder

Researcher

Jang Jeong Ahn (Jhanks)

More Details >

Logo Manager For Samandehi <= 0.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52780

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Logo Manager For Samandehi

Researcher

Skalucy

More Details >

Mailing Group Listserv <= 3.0.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-50036

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Mailing Group Listserv

Researcher

Kévin Mosbahi (Mika)

More Details >

Media Hygiene <= 4.0.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49979

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Media Hygiene: Remove or Delete Unused Images and More!

Researcher

domiee13

More Details >

Oganro Travel Portal Search Widget for HotelBeds APITUDE API <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49966

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Oganro Travel Portal Search Widget for HotelBeds APITUDE API

Researcher

Chu The Anh

More Details >

PixelBeds Channel Manager and Hotel Booking Engine <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49965

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
PixelBeds Channel Manager and Hotel Booking Engine

Researcher

Chu The Anh

More Details >

Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.9.0 – Incorrect Authorization to Authenticated (Contributor+) Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-3880

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
Poll, Survey & Quiz Maker Plugin by Opinion Stage

Researcher

Amin Beheshti

More Details >

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.27.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52711

Patch Status
Patched

Published
Jun 19, 2025

Affected Software
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Real Estate Manager <= 7.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52825

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Real Estate Manager – Property Listing and Agent Management

Researcher

0xd4rk5id3

More Details >

Real Estate Manager <= 7.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-50044

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Real Estate Manager – Property Listing and Agent Management

Researcher

Kévin Mosbahi (Mika)

More Details >

TinyNav <= 1.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52781

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
TinyNav

Researcher

Nguyen Xuan Chien

More Details >

TM Replace Howdy <= 1.4.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49972

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
TM Replace Howdy

Researcher

Chu The Anh

More Details >

UpStream: a Project Management Plugin for WordPress <= 2.1.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49974

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
UpStream: a Project Management Plugin for WordPress

Researcher

domiee13

More Details >

User Roles and Capabilities <= 1.2.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49981

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
User Roles and Capabilities

Researcher

domiee13

More Details >

Virtual Moderator <= 1.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52772

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Virtual Moderator

Researcher

Iwasawa Toshiki

More Details >

WANotifier <= 2.7.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49976

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Send Notifications from Woocommerce, Form Plugins and More!

Researcher

domiee13

More Details >

WooCommerce Fortnox Integration <= 4.5.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49998

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WooCommerce Fortnox Integration

Researcher

Kévin Mosbahi (Mika)

More Details >

WP Customer Area <= 8.2.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49982

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP Customer Area

Researcher

domiee13

More Details >

WP Dummy Content Generator <= 3.4.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49234

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
WP Dummy Content Generator

Researcher

Kévin Mosbahi (Mika)

More Details >

WP Front User Submit / Front Editor <= 4.9.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52795

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Guest posting / Frontend Posting / Front Editor – WP Front User Submit

Researcher

Kévin Mosbahi (Mika)

More Details >

WP Inventory Manager <= 2.3.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49977

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP Inventory Manager

Researcher

Skalucy

More Details >

WP User Profile Avatar <= 1.0.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49980

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP User Profile Avatar

Researcher

s1lentmt

More Details >

WP-DownloadCounter <= 1.01 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52790

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
WP-DownloadCounter

Researcher

Nguyen Xuan Chien

More Details >

XML Travel Portal Widget <= 2.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49968

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
XML Travel Portal Widget

Researcher

Chu The Anh

More Details >

YITH PayPal Express Checkout for WooCommerce <= 1.49.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-48111

Patch Status
Patched

Published
Jun 16, 2025

Affected Software
YITH PayPal Express Checkout for WooCommerce

Researcher

Nguyen Xuan Chien

More Details >

Zapier for WordPress <= 1.5.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-50010

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Zapier for WordPress

Researcher

ch4r0n

More Details >

Zara 4 Image Compression <= 1.2.17.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49969

Patch Status
Unpatched

Published
Jun 19, 2025

Affected Software
Zara 4 Image Compression

Researcher

Kévin Mosbahi (Mika)

More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 16, 2025 to June 22, 2025) appeared first on Wordfence.