Wordfence Intelligence Weekly WordPress Vulnerability Report (September 29, 2025 to October 5, 2025)

by

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢

🚀  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

📁 The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.

Last week, there were 93 vulnerabilities disclosed in 83 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 29,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 27
Unpatched 66

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 73
High Severity 11
Critical Severity 8

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 42
Cross-Site Request Forgery (CSRF) 17
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 6
Missing Authorization 5
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 3
Unrestricted Upload of File with Dangerous Type 3
Authentication Bypass Using an Alternate Path or Channel 2
Exposure of Sensitive Information to an Unauthorized Actor 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 2
External Control of File Name or Path 1
Improper Access Control 1
Improper Authorization 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1
Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’) 1
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 1
Improper Verification of Cryptographic Signature 1
Missing Authentication for Critical Function 1
Server-Side Request Forgery (SSRF) 1
Unverified Password Change 1
Use of Hard-coded Cryptographic Key 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
12
12
10
9
7
6
5
4
3
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
A Simple Multilanguage Plugin a-simple-multilanguage
AffiliateWP affiliate-wp
All in One Music Player all-in-one-music-player
All Social Share Options all-social-share-options
Any News Ticker any-news-ticker
AP Background ap-background
Appy Pie Connect for WooCommerce appy-pie-connect-for-woocommerce
Auto Bulb Finder for WordPress auto-bulb-finder-for-wp-wc
Backup Bolt backup-bolt
Bei Fen – WordPress Backup Plugin bei-fen
Big Post Shipping for WooCommerce woo-bigpost-shipping
Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App yournewsapp
Block For Mailchimp – Easy Mailchimp Form Integration block-for-mailchimp
BP Direct Menus bp-direct-menus
Chat by Chatwee chatwee
Comment Info Detector comment-info-detector
ContentMX Content Publisher contentmx-content-publisher
Contest Gallery – Upload, Vote & Sell with PayPal and Stripe contest-gallery
Copypress Rest API copypress-rest-api
Cost Calculator Builder cost-calculator-builder
dbview dbview
Easy Elementor Addons – Addons Pack for Elementor Page Builder easy-elementor-addons
Epic Bootstrap Buttons epic-bootstrap-buttons
Eulerpool Research Systems alleaktien-quantitativ
Event Tickets, RSVPs, Calendar ticket-spot
FancyTabs fancytabs
File Manager, Code Editor, and Backup by Managefy softdiscover-db-file-manager
Fintelligence Calculator fintelligence-calculator
Flexi – Guest Submit flexi
Generic Elements generic-elements-for-elementor
GiveWP – Donation Plugin and Fundraising Platform give
GutenBee – Gutenberg Blocks gutenbee
Integrate Dynamics 365 CRM integrate-dynamics-365-crm
Interactive Human Anatomy with Clickable Body Parts interactive-medical-drawing-of-human-body
Ird Slider ird-slider
JoomSport – for Sports: Team & League, Football, Hockey & more joomsport-sports-league-results-management
LatePoint – Calendar Booking Plugin for Appointments and Events latepoint
Layers layers
LockerPress – WordPress Security Plugin lockerpress-wordpress-security
Majestic Before After Image majestic-before-after-image
Meks Easy Maps meks-easy-maps
Mihdan: Elementor Yandex Maps mihdan-elementor-yandex-maps
Mobile Site Redirect mobile-site-redirect
MPWizard – Create Mercado Pago Payment Links mpwizard
My AskAI my-askai
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE nexa-blocks
Notification Bar simple-bar
OAuth Single Sign On – SSO (OAuth Client) miniorange-login-with-eve-online-google-facebook
Optimize More! – CSS optimize-more-css
PayPal Forms paypal-forms
planetcalc planetcalc
Post By Email post-by-email
Qyrr – simply and modern QR-Code creation qyrr-code
Restrict User Registration restrict-user-registration
RestroPress – Online Food Ordering System restropress
Schema Plugin For Divi, Gutenberg & Shortcodes wp-structured-data-schema
SiteAlert (Formerly WP Health) my-wp-health-check
Smart Docs smart-docs
SmartCrawl SEO checker, analyzer & optimizer smartcrawl-seo
Spirit Framework spirit-framework
Survey Anyplace surveyanyplace
TableGen – Data Table Generator table-creator
TextBuilder textbuilder
The Pack Elementor addon the-pack-addon
Tiny Bootstrap Elements Light tiny-bootstrap-elements-light
Trinity Audio – Text to Speech AI audio player to convert content into audio trinity-audio
Ultimate Multi Design Video Carousel ultimate-multi-design-video-carousel
Ultimate Viral Quiz ultimate-viral-quiz
Ultra Addons Lite for Elementor ut-elementor-addons-lite
Unify unify
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder wdesignkit
WeedMaps Menu for WordPress weedmaps-menu-embed
Woo superb slideshow transition gallery with random effect woo-superb-slideshow-transition-gallery-with-random-effect
Wp cycle text announcement wp-cycle-text-announcement
WP Dispatcher wp-dispatcher
WP Photo Album Plus wp-photo-album-plus
WP Photo Effects wp-photo-effects
WP SinoType wp-sinotype
WPRecovery wprecovery
X Addons for Elementor x-addons-elementor
Yoast SEO Premium wordpress-seo-premium
Yoga Schedule Momoyoga momoyoga-integration
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns zoloblocks

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Constructor constructor
Customify customify

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Appy Pie Connect for WooCommerce <= 1.1.2 – Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-9286
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Appy Pie Connect for WooCommerce
Researcher
More Details >

Copypress Rest API 1.1 – 1.2 – Missing Configurable JWT Secret and File-Type Validation to Unauthenticated Remote Code Execution

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-8625
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Copypress Rest API
Researcher
More Details >

JoomSport <= 5.7.3 – Unauthenticated Directory Traversal to Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-7721
Patch Status
Patched
Published
Oct 2, 2025
Affected Software
JoomSport – for Sports: Team & League, Football, Hockey & more
Researcher
More Details >

OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 – Authentication Bypass via get_resource_owner_from_id_token()

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-9485
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
OAuth Single Sign On – SSO (OAuth Client)
Researcher
More Details >

Post By Email <= 1.0.4b – Unauthenticated Arbitrary File Upload via Email Attachments

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-9762
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Post By Email
Researcher
More Details >

RestroPress – Online Food Ordering System 3.0.0 – 3.1.9.2 – Unauthenticated Information Exposure to Authentication Bypass via Forged JWT

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-9209
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
RestroPress – Online Food Ordering System
Researcher
More Details >

Spirit Framework <= 1.2.14 – Authentication Bypass to Account Takeover and Privilege Escalation

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-6388
Patch Status
Patched
Published
Oct 2, 2025
Affected Software
Spirit Framework
Researcher
More Details >

WPRecovery <= 2.0 – Unauthenticated SQL Injection to Arbitrary File Deletion

9.1
CVSS Rating
Critical (9.1)
CVE-ID
CVE-2025-10726
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
WPRecovery
Researcher
More Details >

AP Background 3.8.1 – 3.8.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload via advParallaxBackAdminSaveSlider Function

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-9561
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
AP Background
Researcher
More Details >

LatePoint <= 5.1.94 – Cross-Site Request Forgery to Account Takeover via change_password() Function

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-7052
Patch Status
Patched
Published
Sep 29, 2025
Affected Software
LatePoint – Calendar Booking Plugin for Appointments and Events
Researcher
More Details >

TextBuilder 1.0.0 – 1.1.1 – Cross-Site Request Forgery to Privilege Escalation via Account Takeover

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-9213
Patch Status
Patched
Published
Oct 2, 2025
Affected Software
TextBuilder
Researcher
More Details >

WP Dispatcher <= 1.2.0 – Authenticated (Contributor+) SQL Injection

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-10582
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
WP Dispatcher
Researcher
More Details >

LatePoint <= 5.1.94 – Unauthenticated Authentication Bypass via load_step Function

8.2
CVSS Rating
High (8.2)
CVE-ID
CVE-2025-7038
Patch Status
Patched
Published
Sep 29, 2025
Affected Software
LatePoint – Calendar Booking Plugin for Appointments and Events
Researcher
More Details >

Bei Fen – WordPress Backup Plugin <= 1.4.2 – Authenticated (Subscriber+) Local File Inclusion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-9993
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Bei Fen – WordPress Backup Plugin
Researcher
More Details >

Cost Calculator Builder <= 3.5.32 – Authenticated (Subscriber+) Missing Authorization via get_cc_orders/update_order_status Functions

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-9243
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
Cost Calculator Builder
Researcher
More Details >

Tiny Bootstrap Elements Light <= 4.3.34 – Unauthenticated Local File Inclusion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-9991
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Tiny Bootstrap Elements Light
Researcher
More Details >

AffiliateWP <= 2.28.2 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-8877
Patch Status
Patched
Published
Sep 29, 2025
Affected Software
AffiliateWP
Researcher
More Details >

Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App <= 0.8.8.8 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-9200
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App
Researcher
More Details >

WP Dispatcher <= 1.2.0 – Authenticated (Subscriber+) Arbitrary File Upload

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-9212
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
WP Dispatcher
Researcher
More Details >

All in One Music Player <= 1.3.1 – Authenticated (Contributor+) Path Traversal via theme Parameter

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-8559
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
All in One Music Player
Researcher
More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 – Missing Authorization to Unauthenticated Forms and Campaigns Disclosure

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-11227
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
GiveWP – Donation Plugin and Fundraising Platform
Researcher
More Details >

Integrate Dynamics 365 CRM <= 1.0.9 – Missing Authorization

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-10746
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
Integrate Dynamics 365 CRM
Researcher
More Details >

Woo superb slideshow transition gallery with random effect <= 9.1 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-9199
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Woo superb slideshow transition gallery with random effect
Researcher
More Details >

Wp cycle text announcement <= 8.1 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-9198
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Wp cycle text announcement
Researcher
More Details >

A Simple Multilanguage Plugin <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9854
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
A Simple Multilanguage Plugin
Researcher
More Details >

All Social Share Options <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10131
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
All Social Share Options
Researcher
More Details >

Any News Ticker <= 3.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10168
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Any News Ticker
Researcher
More Details >

AP Background <= 3.8.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10165
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
AP Background
Researcher
More Details >

Auto Bulb Finder for WordPress <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9858
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Auto Bulb Finder for WordPress
Researcher
More Details >

Big Post Shipping for WooCommerce <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10191
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Big Post Shipping for WooCommerce
Researcher
More Details >

BP Direct Menus <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10189
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
BP Direct Menus
Researcher
More Details >

Contest Gallery – Upload, Vote & Sell with PayPal and Stripe <= 27.0.2 – Authenticated (Author+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10383
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
Contest Gallery – Upload, Vote & Sell with PayPal and Stripe
Researcher
More Details >

dbview <= 0.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10182
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
dbview
Researcher
More Details >

Easy Elementor Addons <= 2.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9045
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Easy Elementor Addons – Addons Pack for Elementor Page Builder
Researcher
More Details >

Epic Bootstrap Buttons <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via icol Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8776
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Epic Bootstrap Buttons
Researcher
More Details >

Eulerpool Research Systems <= 4.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10128
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Eulerpool Research Systems
Researcher
More Details >

Event Tickets, RSVPs, Calendar <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9875
Patch Status
Patched
Published
Oct 2, 2025
Affected Software
Event Tickets, RSVPs, Calendar
Researcher
More Details >

FancyTabs <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8560
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
FancyTabs
Researcher
More Details >

Fintelligence Calculator <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9859
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Fintelligence Calculator
Researcher
More Details >

Flexi <= 4.28 – Authenticated (Contributor+) Stored Cross-Site Scripting via flexi-form-tag Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9129
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Flexi – Guest Submit
Researcher
More Details >

Generic Elements <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9080
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Generic Elements
Researcher
More Details >

GutenBee – Gutenberg Blocks <= 2.18.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8566
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
GutenBee – Gutenberg Blocks
Researcher
More Details >

Ird Slider <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9876
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Ird Slider
Researcher
More Details >

LatePoint <= 5.1.94 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-6941
Patch Status
Patched
Published
Sep 29, 2025
Affected Software
LatePoint – Calendar Booking Plugin for Appointments and Events
Researcher
More Details >

Layers <= 0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10130
Patch Status
Patched
Published
Sep 29, 2025
Affected Software
Layers
Researcher
More Details >

Meks Easy Maps <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9206
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Meks Easy Maps
Researcher
More Details >

Mihdan: Elementor Yandex Maps <= 1.6.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via Marker Pins

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8608
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Mihdan: Elementor Yandex Maps
Researcher
More Details >

My AskAI <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10179
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
My AskAI
Researcher
More Details >

Nexa Blocks <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Google Maps Widget

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8624
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Researcher
More Details >

planetcalc <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via language Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8777
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
planetcalc
Researcher
More Details >

Qyrr – simply and modern QR-Code creation <= 2.0.7 – Authenticated (Contributor+) Arbitrary File Upload

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10000
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Qyrr – simply and modern QR-Code creation
Researcher
More Details >

SurveyAnyplace Plugin <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10196
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Survey Anyplace
Researcher
More Details >

The Pack Elementor addon <= 2.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Typing Letter Widget

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8214
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
The Pack Elementor addon
Researcher
More Details >

Ultra Addons Lite for Elementor <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text Field

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9077
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Ultra Addons Lite for Elementor
Researcher
More Details >

Unify <= 3.4.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via unify_checkout Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9130
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Unify
Researcher
More Details >

WeedMaps Menu for WordPress <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via weedmaps_menu Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8623
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
WeedMaps Menu for WordPress
Researcher
More Details >

WP Photo Effects <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10192
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
WP Photo Effects
Researcher
More Details >

X Addons for Elementor <= 1.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Youtube Video ID Field

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9204
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
X Addons for Elementor
Researcher
More Details >

Yoast SEO Premium 25.7-25.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11241
Patch Status
Patched
Published
Oct 2, 2025
Affected Software
Yoast SEO Premium
Researcher
More Details >

Yoga Schedule Momoyoga <= 2.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9852
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Yoga Schedule Momoyoga
Researcher
More Details >

ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns <= 2.3.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9075
Patch Status
Patched
Published
Sep 30, 2025
Affected Software
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
Researcher
More Details >

Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2 – Authenticated (Contributor+) Object Instantiation

6.3
CVSS Rating
Medium (6.3)
CVE-ID
CVE-2025-7825
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Schema Plugin For Divi, Gutenberg & Shortcodes
Researcher
More Details >

LockerPress – WordPress Security Plugin <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-9946
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
LockerPress – WordPress Security Plugin
Researcher
More Details >

Mobile Site Redirect <= 1.2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-9884
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Mobile Site Redirect
Researcher
More Details >

Trinity Audio <= 5.20.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-9952
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
Trinity Audio – Text to Speech AI audio player to convert content into audio
Researcher
More Details >

Interactive Medical Drawing of Human Body <= 2.6 – Authenticated (Admin+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-9332
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Interactive Human Anatomy with Clickable Body Parts
Researcher
More Details >

LatePoint <= 5.1.94 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-6815
Patch Status
Patched
Published
Sep 29, 2025
Affected Software
LatePoint – Calendar Booking Plugin for Appointments and Events
Researchers
More Details >

Smart Docs <= 1.1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-9333
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Smart Docs
Researcher
More Details >

Ultimate Multi Design Video Carousel <= 1.4 – Authenticated (Editor+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-9372
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Ultimate Multi Design Video Carousel
Researcher
More Details >

Majestic Before After Image <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-9030
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
Majestic Before After Image
Researcher
More Details >

WP Photo Album Plus <= 9.0.11.006 – Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-8726
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
WP Photo Album Plus
Researcher
More Details >

File Manager, Code editor, backup by Managefy <= 1.6.1 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-10744
Patch Status
Patched
Published
Sep 30, 2025
Affected Software
File Manager, Code Editor, and Backup by Managefy
Researcher
More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 – Missing Authorization to Unauthenticated Forms-Campaign Association

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11228
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
GiveWP – Donation Plugin and Fundraising Platform
Researcher
More Details >

Restrict User Registration <= 1.0.1 – Cross-Site Request Forgery to Settings Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-9892
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Restrict User Registration
Researcher
More Details >

SiteAlert (Formerly WP Health) <= 1.9.8 – Missing Authorization to Unauthenticated Site Health Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-10212
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
SiteAlert (Formerly WP Health)
Researcher
More Details >

TableGen – Data Table Generator <= 1.3.1 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-10053
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
TableGen – Data Table Generator
Researcher
More Details >

AP Background <= 3.8.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9897
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
AP Background
Researcher
More Details >

Chat by Chatwee <= 2.1.3 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9948
Patch Status
Unpatched
Published
Sep 29, 2025
Affected Software
Chat by Chatwee
Researcher
More Details >

Comment Info Detector <= 1.0.5 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10311
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Comment Info Detector
Researcher
More Details >

Constructor <= 1.6.5 – Missing Authorization to Authenticated (Subscriber+) Theme Clean

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9194
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Constructor
Researcher
More Details >

ContentMX Content Publisher <= 1.0.6 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9889
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
ContentMX Content Publisher
Researcher
More Details >

Customify <= 0.4.11 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8669
Patch Status
Patched
Published
Oct 2, 2025
Affected Software
Customify
Researcher
More Details >

MPWizard – Create Mercado Pago Payment Links <= 1.2.1 – Cross-Site Request Forgery to Arbitrary Post Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9885
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
MPWizard – Create Mercado Pago Payment Links
Researcher
More Details >

Notification Bar <= 2.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9895
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Notification Bar
Researcher
More Details >

Optimize More! – CSS <= 1.0.3 – Cross-Site Request Forgery to Plugin Settings Reset

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9945
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Optimize More! – CSS
Researcher
More Details >

PayPal Forms <= 1.0.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10309
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
PayPal Forms
Researcher
More Details >

SmartCrawl SEO checker, analyzer & optimizer <= 3.14.3 – Missing Authorization to Plugin Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11163
Patch Status
Patched
Published
Sep 29, 2025
Affected Software
SmartCrawl SEO checker, analyzer & optimizer
Researcher
More Details >

Trinity Audio <= 5.20.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9886
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
Trinity Audio – Text to Speech AI audio player to convert content into audio
Researcher
More Details >

Ultimate Viral Quiz <= 1.0 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10302
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Ultimate Viral Quiz
Researcher
More Details >

WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <= 1.2.16 – Missing Authentication via wdkit_handle_review_submission Function

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9029
Patch Status
Patched
Published
Oct 3, 2025
Affected Software
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder
Researcher
More Details >

WP SinoType <= 1.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9630
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
WP SinoType
Researcher
More Details >

Block For Mailchimp – Easy Mailchimp Form Integration <= 1.1.12 – Unauthenticated Blind Server-Side Request Forgery

4.0
CVSS Rating
Medium (4.0)
CVE-ID
CVE-2025-10735
Patch Status
Patched
Published
Sep 30, 2025
Affected Software
Block For Mailchimp – Easy Mailchimp Form Integration
Researcher
More Details >

Backup Bolt <= 1.4.1 – Authenticated (Admin+) Arbitrary File Download

3.8
CVSS Rating
Low (3.8)
CVE-ID
CVE-2025-10306
Patch Status
Unpatched
Published
Oct 2, 2025
Affected Software
Backup Bolt
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 29, 2025 to October 5, 2025) appeared first on Wordfence.

Leave a Comment