Calling all Vulnerability Researchers and Bug Bounty Hunters!
Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!
The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.
Last week, there were 76 vulnerabilities disclosed in 62 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 29,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-871 – Data redacted while we work with the vendor on a patch.
- Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 – Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation (Extended Coverage)
- WAF-RULE-873 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 71 |
| Unpatched | 5 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 48 |
| High Severity | 23 |
| Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 21 |
| Missing Authorization | 17 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 7 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Exposure of Sensitive Information to an Unauthorized Actor | 3 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Cross-Site Request Forgery (CSRF) | 2 |
| Improper Authorization | 2 |
| Improper Control of Generation of Code (‘Code Injection’) | 2 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Improper Privilege Management | 2 |
| Absolute Path Traversal | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Client-Side Enforcement of Server-Side Security | 1 |
| Deserialization of Untrusted Data | 1 |
| External Control of File Name or Path | 1 |
| Improper Output Neutralization for Logs | 1 |
| Incorrect Authorization | 1 |
| Protection Mechanism Failure | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 11 | |
| 7 | |
| 5 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Advanced Ads – Ad Manager & AdSense | advanced-ads |
| Analytify Pro | wp-analytify-pro |
| Anti-Malware Security and Brute-Force Firewall | gotmls |
| AppPresser – Mobile App Framework | apppresser |
| Auto Featured Image (Auto Post Thumbnail) | auto-post-thumbnail |
| Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment | booking-and-rental-manager-for-woocommerce |
| Call Now Button – The #1 Click to Call Button for WordPress | call-now-button |
| Community Events | community-events |
| Consulting Elementor Widgets | consulting-elementor-widgets |
| CSS & JavaScript Toolbox | css-javascript-toolbox |
| Doccure Core | doccure |
| Document Library Lite | document-library-lite |
| Easy Testimonial Slider and Form | easy-testimonial-rotator |
| Employee Spotlight – Team Member Showcase & Meet the Team Plugin | employee-spotlight |
| ERI File Library | eri-file-library |
| Facebook for WooCommerce | facebook-for-woocommerce |
| Flying Images: Optimize and Lazy Load Images for Faster Page Speed | nazy-load |
| Folderly | folderly |
| FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | fusewp |
| Groundhogg — CRM, Newsletters, and Marketing Automation | groundhogg |
| HUSKY – Products Filter Professional for WooCommerce | woocommerce-products-filter |
| IDonate – Blood Donation, Request And Donor Management System | idonate |
| Import WP – Export and Import CSV and XML files to WordPress | jc-importer |
| Inactive Logout | inactive-logout |
| Insert PHP Code Snippet | insert-php-code-snippet |
| Jannah – Extensions | jannah-extensions |
| K Elements | k-elements |
| King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor | king-addons |
| List category posts | list-category-posts |
| LiteSpeed Cache | litespeed-cache |
| NS Maintenance Mode for WP | ns-maintenance-mode-for-wp |
| OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | oopspam-anti-spam |
| Polylang | polylang |
| Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel | depicter |
| Popup Box – Create Countdown, Coupon, Video, Contact Form Popups | ays-popup-box |
| Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App | post-smtp |
| Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages | wplegalpages |
| Qi Blocks | qi-blocks |
| Qzzr Shortcode Plugin | qzzr-shortcode |
| Range Slider Addon for Gravity Forms | range-slider-addon-for-gravity-forms |
| RESTful Content Syndication | restful-syndication |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
| Schema Scalpel | schema-scalpel |
| Service Finder Bookings | sf-booking |
| Simple Payment | simple-payment |
| Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue | site-checkup |
| SiteSEO – SEO Simplified | siteseo |
| Smart Coupons For WooCommerce Coupons | wt-smart-coupons-for-woocommerce |
| Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | tablesome |
| The Events Calendar | the-events-calendar |
| Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
| Translate WordPress and go Multilingual – Weglot | weglot |
| Web Accessibility by accessiBe | accessibe |
| WooCommerce | woocommerce |
| WooCommerce Designer Pro | wc-designer-pro |
| WordPress User Extra Fields | wp-user-extra-fields |
| WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) | delicious-recipes |
| WP Discourse | wp-discourse |
| WPC Name Your Price for WooCommerce | wpc-name-your-price |
| WPCOM Member | wpcom-member |
| wpForo Forum | wpforo |
| Zombify | zombify |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Consulting | consulting |
| KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme | kallyas |
| kleo | kleo |
| Masterstudy – Education WordPress Theme | masterstudy |
| Noo JobMonster | noo-jobmonster |
| Sahifa | sahifa |
| SmartMag – Newspaper Magazine & News WordPress | smart-mag |
| WpResidence | wpresidence |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
CVE-2025-8900
Patched
Oct 31, 2025
Doccure Core
CVE-2025-5397
Patched
Oct 30, 2025
Noo JobMonster
CVE-2025-8489
Patched
Oct 30, 2025
CVE-2025-11833
Patched
Oct 31, 2025
CVE-2025-11499
Patched
Oct 31, 2025
CVE-2025-11755
Patched
Oct 31, 2025
CVE-2025-6990
Unpatched
Oct 31, 2025
KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme
CVE-2025-12171
Patched
Oct 31, 2025
RESTful Content Syndication
CVE-2025-6574
Patched
Oct 31, 2025
Service Finder Bookings
CVE-2025-5949
Patched
Oct 31, 2025
Service Finder Bookings
CVE-2025-7846
Patched
Oct 30, 2025
WordPress User Extra Fields
CVE-2025-11920
Patched
Oct 31, 2025
WPCOM Member
CVE-2025-10897
Unpatched
Oct 30, 2025
WooCommerce Designer Pro
CVE-2025-62075
Patched
Oct 29, 2025
Simple Payment
CVE-2025-10145
Patched
Oct 27, 2025
Auto Featured Image (Auto Post Thumbnail)
CVE-2025-64359
Patched
Oct 27, 2025
Consulting
CVE-2025-64360
Patched
Oct 27, 2025
Consulting Elementor Widgets
CVE-2025-11735
Patched
Oct 27, 2025
HUSKY – Products Filter Professional for WooCommerce
CVE-2025-64363
Patched
Oct 30, 2025
kleo
CVE-2025-64364
Patched
Oct 30, 2025
Masterstudy – Education WordPress Theme
CVE-2025-64353
Patched
Oct 28, 2025
Polylang
CVE-2025-64216
Patched
Nov 1, 2025
SmartMag – Newspaper Magazine & News WordPress
CVE-2025-12115
Patched
Oct 30, 2025
WPC Name Your Price for WooCommerce
CVE-2025-10487
Patched
Oct 31, 2025
Advanced Ads – Ad Manager & AdSense
CVE-2025-49904
Patched
Nov 1, 2025
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
CVE-2025-11995
Patched
Oct 31, 2025
Community Events
CVE-2025-49905
Patched
Oct 27, 2025
Range Slider Addon for Gravity Forms
CVE-2025-62076
Patched
Oct 29, 2025
Simple Payment
CVE-2025-11705
Patched
Oct 28, 2025
Anti-Malware Security and Brute-Force Firewall
CVE-2025-11627
Patched
Oct 29, 2025
CVE-2025-11740
Patched
Oct 31, 2025
wpForo Forum
Consulting Elementor Widgets <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2025-64361
Patched
Oct 27, 2025
Consulting Elementor Widgets
CVE-2025-12090
Patched
Oct 31, 2025
Employee Spotlight – Team Member Showcase & Meet the Team Plugin
CVE-2025-64367
Patched
Oct 31, 2025
Groundhogg — CRM, Newsletters, and Marketing Automation
CVE-2025-11922
Patched
Oct 31, 2025
Inactive Logout
CVE-2025-64208
Patched
Oct 30, 2025
Jannah – Extensions
CVE-2025-64362
Patched
Oct 30, 2025
K Elements
CVE-2025-6988
Unpatched
Oct 31, 2025
KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme
CVE-2025-11806
Unpatched
Oct 30, 2025
Qzzr Shortcode Plugin
CVE-2025-64202
Patched
Oct 27, 2025
Sahifa
CVE-2025-11502
Patched
Oct 31, 2025
Schema & Structured Data for WP & AMP
CVE-2025-12118
Patched
Oct 31, 2025
Schema Scalpel
CVE-2025-64204
Patched
Oct 30, 2025
SmartMag – Newspaper Magazine & News WordPress
CVE-2025-12450
Patched
Oct 28, 2025
LiteSpeed Cache
CVE-2025-12521
Patched
Oct 30, 2025
Analytify Pro
CVE-2025-11881
Patched
Oct 29, 2025
AppPresser – Mobile App Framework
CVE-2025-11174
Patched
Oct 31, 2025
Document Library Lite
CVE-2025-12041
Patched
Oct 30, 2025
ERI File Library
Facebook for WooCommerce <= 3.5.7 – Missing Authorization to Unauthenticated Notification Dismissal
CVE-2025-64296
Patched
Oct 29, 2025
Facebook for WooCommerce
CVE-2025-11154
Patched
Oct 28, 2025
IDonate – Blood Donation, Request And Donor Management System
CVE-2025-12094
Patched
Oct 30, 2025
CVE-2025-11816
Patched
Oct 31, 2025
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
CVE-2025-10008
Patched
Oct 29, 2025
Translate WordPress and go Multilingual – Weglot
CVE-2025-64199
Patched
Oct 27, 2025
WpResidence
CVE-2015-10147
Patched
Oct 28, 2025
Easy Testimonial Slider and Form
CVE-2025-12137
Patched
Oct 31, 2025
Import WP – Export and Import CSV and XML files to WordPress
CVE-2015-10146
Patched
Oct 28, 2025
Thumbnail Slider With Lightbox
CVE-2025-11928
Patched
Oct 31, 2025
CSS & JavaScript Toolbox
CVE-2025-11927
Patched
Oct 31, 2025
Flying Images: Optimize and Lazy Load Images for Faster Page Speed
NS Maintenance Mode for WP <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE-2025-10636
Unpatched
Oct 30, 2025
NS Maintenance Mode for WP
CVE-2025-49042
Patched
Oct 29, 2025
WooCommerce
CVE-2025-11587
Patched
Oct 28, 2025
Call Now Button – The #1 Click to Call Button for WordPress
Call Now Button <= 1.5.4 – Authenticated (Subscriber+) Missing Authorization to Multiple Functions
CVE-2025-11632
Patched
Oct 29, 2025
Call Now Button – The #1 Click to Call Button for WordPress
CVE-2025-8383
Patched
Oct 30, 2025
CVE-2025-12038
Patched
Oct 31, 2025
Folderly
CVE-2025-11975
Patched
Oct 30, 2025
CVE-2025-64356
Patched
Oct 27, 2025
Insert PHP Code Snippet
CVE-2025-11377
Patched
Oct 31, 2025
List category posts
CVE-2025-57931
Patched
Oct 29, 2025
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Qi Blocks <= 1.4.3 – Missing Authorization to Authenticated (Contributor+) Plugin Settings Update
CVE-2025-12180
Patched
Oct 31, 2025
Qi Blocks
CVE-2025-12367
Patched
Oct 31, 2025
SiteSEO – SEO Simplified
CVE-2025-64358
Patched
Oct 30, 2025
Smart Coupons For WooCommerce Coupons
CVE-2025-12175
Patched
Oct 30, 2025
The Events Calendar
CVE-2025-49920
Patched
Oct 27, 2025
Web Accessibility by accessiBe
CVE-2025-11983
Patched
Oct 31, 2025
WP Discourse
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 27, 2025 to November 2, 2025) appeared first on Wordfence.
