Wordfence Intelligence Weekly WordPress Vulnerability Report (October 20, 2025 to October 26, 2025)

by

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢

🚀  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

📁 The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.

Last week, there were 113 vulnerabilities disclosed in 105 WordPress Plugins and 3 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 49 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 29,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our PremiumCare, and Response customers last week:

  • WAF-RULE-869 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-870 – Data redacted while we work with the vendor on a patch.

Wordfence PremiumCare, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 66
Unpatched 47

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 2
Medium Severity 95
High Severity 12
Critical Severity 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 47
Missing Authorization 19
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 7
Cross-Site Request Forgery (CSRF) 6
Server-Side Request Forgery (SSRF) 6
Improper Authorization 5
Exposure of Sensitive Information to an Unauthorized Actor 3
Unrestricted Upload of File with Dangerous Type 3
Authorization Bypass Through User-Controlled Key 2
Improper Control of Generation of Code (‘Code Injection’) 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 2
Deserialization of Untrusted Data 1
Improper Access Control 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 1
Improper Input Validation 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1
Improper Neutralization of Formula Elements in a CSV File 1
Improper Privilege Management 1
Incorrect Authorization 1
Incorrect Privilege Assignment 1
Insertion of Sensitive Information into Log File 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
15
12
7
6
6
5
5
5
4
3
3
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Jay
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Academy LMS Pro academy-pro
ACF to REST API acf-to-rest-api
Advanced Database Cleaner advanced-database-cleaner
AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant chatbot-ai-free-models
AIO Forms – Craft Complex Forms Easily all-in-one-forms
Ajax Search Lite – Live Search & Filter ajax-search-lite
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier aio-time-clock-lite
BackWPup – WordPress Backup & Restore Plugin backwpup
Beaver Builder Plugin (Starter Version) bb-plugin
Bg Book Publisher bg-book-publisher
Bold Page Builder bold-page-builder
Builderall for WordPress builderall-cheetah-for-wp
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More charitable
Check Plagiarism check-plagiarism
Cinza Grid cinza-grid
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings directorist
Disable Content Editor For Specific Template disable-contect-editor-for-specific-template
Discussion Board – WordPress Forum Plugin wp-discussion-board
Dynamic User Directory dynamic-user-directory
Element Pack Addons for Elementor bdthemes-element-pack-lite
Email Subscription Popup email-subscribe
Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails email-tracker
eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams eroom-zoom-meetings-webinar
FanBridge signup fanbridge-signup
Fast Velocity Minify fast-velocity-minify
Flexible Refund and Return Order for WooCommerce flexible-refund-and-return-order-for-woocommerce
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) fusewp
GenerateBlocks generateblocks
Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks advanced-gutenberg
HAPPY – Helpdesk Support Ticket System happy-helpdesk-support-ticket-system
IndieAuth indieauth
JB News Ticker jb-news-ticker
King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor king-addons
KiotViet Sync kiotvietsync
LLM Hubspot Blog Import llm-hubspot-blog-import
Material Design Iconic Font Integration material-design-iconic-font-integration
MDTF – Meta Data and Taxonomies Filter wp-meta-data-filter-and-taxonomy-filter
Microsoft Azure Storage for WordPress windows-azure-storage
Mixlr Shortcode mixlr-shortcode
Multi Item Responsive Slider mislider
MxChat – AI Chatbot for WordPress mxchat-basic
Name: Print Button Shortcode print-button-shortcode
NGINX Cache Optimizer nginx-cache-optimizer
NS Maintenance Mode for WP ns-maintenance-mode-for-wp
Oboxmedia Ads oboxmedia-ads
Originality.ai AI Checker originality-ai
Password Policy Manager | Password Manager password-policy-manager
Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content password-protected
Persian Admnin Fonts persian-admin-fonts
Photographers galleries photographers-galleries
PixelYourSite – Your smart PIXEL (TAG) & API Manager pixelyoursite
Playerzbr playerzbr
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers popup-builder-block
Posts By Tag posts-by-tag
Product Filter by WBW woo-product-filter
qnotsquiz qnotsquiz
Quickcreator – AI Blog Writer quickcreator
RapidResult rapidresult
Real Cookie Banner: GDPR & ePrivacy Cookie Consent real-cookie-banner
Responsive iframe GoogleMap responsive-iframe-googlemap
Responsive Progress Bar responsive-progress-bar
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator feedzy-rss-feeds
ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution shopengine
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) woolentor-addons
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website simple-banner
Simple Business Data simple-business-data
Simple Excel Pricelist for WooCommerce simple-excel-pricelist-for-woocommerce
Simple Pull Quote simple-pull-quote
Simple Registration for WooCommerce woocommerce-simple-registration
Simple Tableau Viz simple-tableau-viz
Simple Youtube Shortcode simple-youtube-shortcode
Slider Templates slider-templates
SM CountDown Widget smcountdown
Social Feed Gallery insta-gallery
SpendeOnline.org spendeonline
ST Categories Widget st-category-wp
Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions wp-full-stripe-free
Supervisor supervisor
Testimonial Carousel For Elementor testimonials-carousel-elementor
This-or-That this-or-that
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin time-clock
Tutor LMS Pro tutor-pro
Tutor LMS – eLearning and online course solution tutor
URL Shortener Plugin For WordPress exact-links
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds userfeedback-lite
VikBooking Hotel Booking Engine & PMS vikbooking
VNPAY Payment gateway vnpay-for-woocommerce
Watu Quiz watu
Welcart e-Commerce usc-e-shop
WhyDonate – FREE Donate button – Crowdfunding – Fundraising wp-whydonate
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets widget-options
WooCommerce Designer Pro wc-designer-pro
WP AD Gallery wp-ad-gallery
WP AdCenter – Ad Manager & Adsense Ads wpadcenter
WP Gravity Forms Zoho CRM and Bigin gf-zoho
WP Responsive Meet The Team wp-responsive-meet-the-team
WP Restaurant Listings wp-restaurant-listings
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress wpvr
WP-Force Images Download wp-force-images-download
WP-Thumbnail wp-thumbnail
WPC Countdown Timer for WooCommerce wpc-countdown-timer
WPComplete wpcomplete
wpForo Forum wpforo
WPMobile.App wpappninja
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns zoloblocks

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Listeo – Directory & Listings With Booking – WordPress Theme listeo
Open Source Genesis Framework genesis
The7 — Website and eCommerce Builder for WordPress dt-the7

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

HAPPY <= 1.0.7 – Unauthenticated Remote Code Execution

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-49372
Patch Status
Patched
Published
Oct 25, 2025
Affected Software
HAPPY – Helpdesk Support Ticket System
Researcher
More Details >

King Addons for Elementor <= 51.1.36 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-6327
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Researcher
More Details >

King Addons for Elementor <= 51.1.36 – Unauthenticated Privilege Escalation

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-6325
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Researcher
More Details >

WooCommerce Designer Pro <= 1.9.26 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-6440
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
WooCommerce Designer Pro
Researcher
More Details >

IndieAuth <= 4.5.4 – Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-12028
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
IndieAuth
Researcher
More Details >

Simple Registration for WooCommerce <= 1.5.8 – Cross-Site Request Forgery to Privilege Escalation via Role Request Approval

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-12095
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Simple Registration for WooCommerce
Researcher
More Details >

Academy LMS Pro <= 3.3.7 – Unauthenticated Privilege Escalation via Social Login Addon

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-11086
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
Academy LMS Pro
Researcher
More Details >

Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.4.8 – Authenticated (Subscriber+) Arbitrary File Move

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-10488
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Researcher
More Details >

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.4 – Unauthenticated Server-Side Request Forgery

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-10861
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Researcher
More Details >

Product Filter by WBW <= 2.9.7 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-8416
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Product Filter by WBW
Researcher
More Details >

Quickcreator – AI Blog Writer 0.0.9 – 0.1.17 – Unauthenticated API Key Exposure

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-11504
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Quickcreator – AI Blog Writer
Researcher
More Details >

Stripe Payment Forms <= 8.3.1 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-9322
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions
Researcher
More Details >

wpForo Forum <= 2.4.8 – Unauthenticated SQL Injection via get_members Function

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-4203
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
wpForo Forum
Researcher
More Details >

AIO Forms <= 1.3.15 – Authenticated (Admin+) Arbitrary File Upload via Zip Import

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-11889
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
AIO Forms – Craft Complex Forms Easily
Researcher
More Details >

Watu Quiz <= 3.4.4 – Unauthenticated Stored Cross-Site Scripting via HTTP Referer

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-11238
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Watu Quiz
Researcher
More Details >

WPMobile.App <= 11.71 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-62074
Patch Status
Patched
Published
Oct 26, 2025
Affected Software
WPMobile.App
Researcher
More Details >

Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4 – Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint

6.8
CVSS Rating
Medium (6.8)
CVE-ID
CVE-2025-12136
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Researcher
More Details >

Ajax Search Lite <= 4.13.3 – Authenticated (Administrator+) PHP Object Injection

6.6
CVSS Rating
Medium (6.6)
CVE-ID
CVE-2025-48086
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
Ajax Search Lite – Live Search & Filter
Researcher
More Details >

PixelYourSite – Your smart PIXEL (TAG) Manager < 11.1.2 – Authenticated (Administrator+) Local File Inclusion

6.6
CVSS Rating
Medium (6.6)
CVE-ID
CVE-2025-10723
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
PixelYourSite – Your smart PIXEL (TAG) & API Manager
Researcher
More Details >

Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.8.4 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-11893
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Researcher
More Details >

GenerateBlocks <= 2.1.1 – Improper Authorization to Authenticated (Contributor+) Arbitrary Options Disclosure

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-11879
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
GenerateBlocks
Researcher
More Details >

RapidResult <= 1.2 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-10748
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
RapidResult
Researcher
More Details >

Beaver Builder Plugin (Starter Version) <= 2.9.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘auto_play’

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8427
Patch Status
Patched
Published
Oct 22, 2025
Affected Software
Beaver Builder Plugin (Starter Version)
Researcher
More Details >

Bg Book Publisher <= 1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11867
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Bg Book Publisher
Researcher
More Details >

Bold Page Builder <= 5.4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7730
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
Bold Page Builder
Researcher
More Details >

Builderall Builder for WordPress <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-62987
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Builderall for WordPress
Researcher
More Details >

Cinza Grid <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Skin Content Field

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11824
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
Cinza Grid
Researcher
More Details >

Dynamic User Directory <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-62982
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Dynamic User Directory
Researcher
More Details >

Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks <= 3.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8588
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks
Researcher
More Details >

JB News Ticker <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11804
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
JB News Ticker
Researcher
More Details >

Listeo <= 2.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8413
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Listeo – Directory & Listings With Booking – WordPress Theme
Researcher
More Details >

Material Design Iconic Font Integration <= 2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11872
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Material Design Iconic Font Integration
Researcher
More Details >

Mixlr Shortcode <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11807
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Mixlr Shortcode
Researcher
More Details >

Oboxmedia Ads <= 1.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11827
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Oboxmedia Ads
Researcher
More Details >

Open Source Genesis Framework <= 3.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10737
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Open Source Genesis Framework
Researcher
More Details >

Photographers galleries <= 1.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11866
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Photographers galleries
Researcher
More Details >

Playerzbr <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via URL Meta Field

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11825
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Playerzbr
Researcher
More Details >

Posts By Tag <= 3.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-62983
Patch Status
Unpatched
Published
Oct 22, 2025
Affected Software
Posts By Tag
Researcher
More Details >

Print Button Shortcode <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11810
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Name: Print Button Shortcode
Researcher
More Details >

Responsive iframe GoogleMap <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11813
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Responsive iframe GoogleMap
Researcher
More Details >

Responsive Progress Bar <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11883
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Responsive Progress Bar
Researcher
More Details >

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution <= 3.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11823
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Researcher
More Details >

Simple Business Data <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11870
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Simple Business Data
Researcher
More Details >

Simple Excel Pricelist for WooCommerce <= 1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12096
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Simple Excel Pricelist for WooCommerce
Researcher
More Details >

Simple Pull Quote <= 1.6.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-62985
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Simple Pull Quote
Researcher
More Details >

Simple Tableau Viz <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11817
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Simple Tableau Viz
Researcher
More Details >

Simple Youtube Shortcode <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11811
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Simple Youtube Shortcode
Researcher
More Details >

Slider Templates <= 1.0.3 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-62988
Patch Status
Unpatched
Published
Oct 24, 2025
Affected Software
Slider Templates
Researcher
More Details >

SM CountDown Widget <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11880
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
SM CountDown Widget
Researcher
More Details >

SpendeOnline.org <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11875
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
SpendeOnline.org
Researcher
More Details >

ST Categories Widget <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11878
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
ST Categories Widget
Researcher
More Details >

Testimonial Carousel For Elementor <= 11.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8666
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Testimonial Carousel For Elementor
Researcher
More Details >

The7 — Ultimate WordPress & WooCommerce Theme <= 12.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘the7_fancy_title_css’

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11897
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
The7 — Website and eCommerce Builder for WordPress
Researcher
More Details >

This-or-That by André Boekhorst <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10138
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
This-or-That
Researcher
More Details >

Time Clock – A WordPress Employee & Volunteer Time Clock Plugin <= 1.3.1 – Authenticated (Custom+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10701
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin
Researcher
More Details >

Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10580
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets
Researcher
More Details >

WP AD Gallery <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11834
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
WP AD Gallery
Researcher
More Details >

WP AdCenter <= 2.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-62984
Patch Status
Unpatched
Published
Oct 22, 2025
Affected Software
WP AdCenter – Ad Manager & Adsense Ads
Researcher
More Details >

WP Responsive Meet The Team <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11818
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
WP Responsive Meet The Team
Researcher
More Details >

WP Restaurant Listings <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11830
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
WP Restaurant Listings
Researcher
More Details >

WP-Force Images Download <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11809
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
WP-Force Images Download
Researcher
More Details >

WP-Thumbnail <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11819
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
WP-Thumbnail
Researcher
More Details >

WPC Countdown Timer for WooCommerce <= 3.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-49908
Patch Status
Patched
Published
Oct 20, 2025
Affected Software
WPC Countdown Timer for WooCommerce
Researcher
More Details >

Discussion Board – WordPress Forum Plugin <= 2.5.5 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

6.3
CVSS Rating
Medium (6.3)
CVE-ID
CVE-2025-8483
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Discussion Board – WordPress Forum Plugin
Researcher
More Details >

URL Shortener Plugin For WordPress <= 3.0.7 – Missing Authorization to Authenticated (Subscriber+) Link Manipulation

6.3
CVSS Rating
Medium (6.3)
CVE-ID
CVE-2025-10740
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
URL Shortener Plugin For WordPress
Researcher
More Details >

Multi Item Responsive Slider <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-11992
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Multi Item Responsive Slider
Researcher
More Details >

VNPAY for Woocommerce <= 1.0.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12017
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
VNPAY Payment gateway
Researcher
More Details >

Welcart e-Commerce <= 2.11.22 – Authenticated (Editor+) Stored Cross-Site Scripting via order_mail

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-10651
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
Welcart e-Commerce
Researcher
More Details >

Microsoft Azure Storage for WordPress <= 4.5.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Media Deletion

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-10749
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
Microsoft Azure Storage for WordPress
Researcher
More Details >

Tutor LMS Pro – eLearning and online course solution <= 3.8.3 – Authenticated (Subscriber+) Insecure Direct Object Reference to View/Edit Other Assignments

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-6639
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Tutor LMS Pro
Researcher
More Details >

ACF to REST API <= 3.3.4 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-62979
Patch Status
Unpatched
Published
Oct 20, 2025
Affected Software
ACF to REST API
Researcher
More Details >

BackWPup 5 – 5.5.0 – Missing Authorization to Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-10579
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
BackWPup – WordPress Backup & Restore Plugin
Researcher
More Details >

eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams <= 1.5.6 – Unauthenticated Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11760
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams
Researcher
More Details >

MxChat – AI Chatbot for WordPress <= 2.4.6 – Unauthenticated Blind Server-Side Request Forgery

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-10705
Patch Status
Patched
Published
Oct 22, 2025
Affected Software
MxChat – AI Chatbot for WordPress
Researcher
More Details >

NS Maintenance Mode for WP <= 1.3.1 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-10638
Patch Status
Unpatched
Published
Oct 22, 2025
Affected Software
NS Maintenance Mode for WP
Researcher
More Details >

Product Filter by WBW <= 3.0.0 – Missing Authorization to Unauthenticated Settings Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11269
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Product Filter by WBW
Researcher
More Details >

Social Feed Gallery <= 4.9.2 – Missing Authorization to Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-10637
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Social Feed Gallery
Researcher
More Details >

Tutor LMS – eLearning and online course solution <= 3.8.3 – Missing Authorization to Unauthenticated Payment Status Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11564
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Tutor LMS – eLearning and online course solution
Researcher
More Details >

User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.8.0 – Missing Authorization to Information Disclosure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-10694
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Researcher
More Details >

VikBooking Hotel Booking Engine & PMS <= 1.8.2 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-5803
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
VikBooking Hotel Booking Engine & PMS
Researcher
More Details >

Whydonate <= 4.0.15 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-49899
Patch Status
Patched
Published
Oct 20, 2025
Affected Software
WhyDonate – FREE Donate button – Crowdfunding – Fundraising
Researcher
More Details >

WPComplete <= 2.9.5.3 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-49906
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
WPComplete
Researcher
More Details >

ZoloBlocks <= 2.3.11 – Missing Authorization to Unauthenticated Popup Enable/Disable

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12134
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
Researcher
Jay
More Details >

Element Pack Addons for Elementor <= 8.2.5 – Authenticated (Subscriber+) Blind Server-Side Request Forgery

5.0
CVSS Rating
Medium (5.0)
CVE-ID
CVE-2025-11536
Patch Status
Patched
Published
Oct 20, 2025
Affected Software
Element Pack Addons for Elementor
Researcher
More Details >

Feedzy RSS Feeds Lite <= 5.1.0 – Authenticated (Subscriber+) Server-Side Request Forgery

5.0
CVSS Rating
Medium (5.0)
CVE-ID
CVE-2025-11128
Patch Status
Patched
Published
Oct 22, 2025
Affected Software
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Researcher
More Details >

Email Tracker <= 5.3.12 – Authenticated (Admin+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-10047
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails
Researcher
More Details >

WP Gravity Forms Zoho CRM and Bigin <= 1.2.8 – Open Redirect

4.7
CVSS Rating
Medium (4.7)
CVE-ID
CVE-2025-62981
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
WP Gravity Forms Zoho CRM and Bigin
Researcher
More Details >

Email Subscription Popup <= 1.2.26 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49912
Patch Status
Patched
Published
Oct 22, 2025
Affected Software
Email Subscription Popup
Researcher
More Details >

Fast Velocity Minify <= 3.5.1 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12034
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Fast Velocity Minify
Researcher
More Details >

qnotsquiz <= 1.0.0 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12016
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
qnotsquiz
Researcher
More Details >

Simple Banner <= 3.0.10 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12033
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website
Researcher
More Details >

Advanced Database Cleaner <= 3.1.6 – Cross-Site Request Forgery to Settings Manipulation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11497
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Advanced Database Cleaner
Researcher
More Details >

AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant <= 1.6.5 – Unauthenticated CSV Injection

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11576
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant
Researcher
More Details >

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-6833
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
Researcher
More Details >

Check Plagiarism <= 2.0 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11172
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Check Plagiarism
Researcher
More Details >

Disable Content Editor For Specific Template <= 2.0 – Cross-Site Request Forgery to Template Configuration Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12072
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Disable Content Editor For Specific Template
Researcher
More Details >

FanBridge signup <= 0.6 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-62986
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
FanBridge signup
Researcher
More Details >

Flexible Refund and Return Order for WooCommerce <= 1.0.38 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10570
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
Flexible Refund and Return Order for WooCommerce
Researcher
More Details >

FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 – Cross-Site Request Forgery to Sync Rule Creation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11976
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)
Researcher
More Details >

KiotViet Sync <= 1.8.5 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-62978
Patch Status
Unpatched
Published
Oct 20, 2025
Affected Software
KiotViet Sync
Researcher
More Details >

LLM Hubspot Blog Import <= 1.0.1 – Missing Authorization to Authenticated (Subscriber+) Hubspot Import

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11257
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
LLM Hubspot Blog Import
Researcher
More Details >

MDTF <= 1.3.3.9 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49907
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
MDTF – Meta Data and Taxonomies Filter
Researcher
More Details >

NGINX Cache Optimizer <= 1.1 – Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12014
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
NGINX Cache Optimizer
Researcher
More Details >

Originality.ai AI Checker <= 1.0.12 – Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via ‘ ai_scan_result_remove’

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10902
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Originality.ai AI Checker
Researcher
More Details >

Originality.ai AI Checker <= 1.0.12 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via ‘ai_get_table’

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10901
Patch Status
Unpatched
Published
Oct 23, 2025
Affected Software
Originality.ai AI Checker
Researcher
More Details >

Password Policy Manager | Password Manager <= 2.0.5 – Missing Authorization to Authenticated (Subscriber+) Configuration Log Out

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11255
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Password Policy Manager | Password Manager
Researcher
More Details >

Persian Admnin Fonts <= 4.1.03 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-62980
Patch Status
Unpatched
Published
Oct 21, 2025
Affected Software
Persian Admnin Fonts
Researcher
More Details >

PixelYourSite <= 11.1.2 – Cross-Site Request Forgery to GDPR Options Modification

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10588
Patch Status
Patched
Published
Oct 21, 2025
Affected Software
PixelYourSite – Your smart PIXEL (TAG) & API Manager
Researcher
More Details >

Supervisor <= 1.3.2 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11887
Patch Status
Patched
Published
Oct 23, 2025
Affected Software
Supervisor
Researcher
More Details >

Tutor LMS <= 3.8.3 – Missing Authorization to Sensitive Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-6680
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Tutor LMS – eLearning and online course solution
Researcher
More Details >

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 – Improper Authorization to Authenticated (Contributor+) Plugin Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12005
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Researcher
More Details >

Password Protected <= 2.7.11 – Unauthenticated Authorization Bypass via IP Address Spoofing

3.7
CVSS Rating
Low (3.7)
CVE-ID
CVE-2025-11244
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content
Researcher
More Details >

ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4 – Incorrect Authorization to Authenticated (Editor+) License Status Update

2.7
CVSS Rating
Low (2.7)
CVE-ID
CVE-2025-11888
Patch Status
Patched
Published
Oct 24, 2025
Affected Software
ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 20, 2025 to October 26, 2025) appeared first on Wordfence.

Leave a Comment