In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.
Last week, there were 75 vulnerabilities disclosed in 63 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 26,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Order Delivery Date for WooCommerce 2.0 – 12.3.1- Unauthenticated Arbitrary Options Update
- SureTriggers <= 1.0.82 – Unauthenticated Privilege Escalation
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 35 |
| Unpatched | 40 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 58 |
| High Severity | 13 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 31 |
| Missing Authorization | 14 |
| Cross-Site Request Forgery (CSRF) | 7 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
| Exposure of Sensitive Information to an Unauthorized Actor | 2 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2 |
| Improper Control of Generation of Code (‘Code Injection’) | 2 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2 |
| Improper Authorization | 1 |
| Improper Privilege Management | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 8 | |
| 7 | |
| 6 | |
| 6 | |
| 5 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| A/B Testing, Popups, Website Personalization, Email Popup, Exit Intent Pop Up, Upsell Pop Up – Personizely | personizely |
| Abundatrade Plugin | abundatrade-plugin |
| Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager | ap-plugin-scripteo |
| Advance Seat Reservation Management for WooCommerce | scw-seat-reservation |
| Advanced Reorder Image Text Slider | advanced-reorder-image-text-slider |
| Alink Tap | alink-tap |
| AM LottiePlayer | am-lottieplayer |
| April Framework | april-framework |
| Auteur Framework | g5plus-auteur |
| Benaa Framework | benaa-framework |
| Beyot Framework | beyot-framework |
| BP Messages Tool | bp-messages-tool |
| Buddyboss Platform | buddyboss-platform |
| Category Widget | category-widget |
| Crossword Compiler Puzzles | crossword-compiler-puzzles |
| Custom Login and Registration | ms-registration |
| Custom PC Builder Lite for WooCommerce | custom-pc-builder-lite-for-woocommerce |
| Database Toolset | database-toolset |
| EC Authorize.net | ec-authorizenet |
| Flynax Bridge | flynax-bridge |
| Formality | formality |
| FULL – Cliente | full-customer |
| GmapsMania | gmapsmania |
| Gravity Forms WebHooks | gravityformswebhooks |
| Gutenverse – Ultimate Block Addons and Page Builder for Site Editor | gutenverse |
| IGIT Related Posts With Thumb Image After Posts | igit-related-posts-with-thumb-images-after-posts |
| Job Listings | job-listings |
| KiwiChat NextClient | kiwichat |
| kStats Reloaded | kstats-reloaded |
| List Children | list-children |
| Meta Keywords & Description | wp-meta-keywords-meta-description |
| MStore API – Create Native Android & iOS Apps On The Cloud | mstore-api |
| Nautic Pages | nautic-pages |
| occupancyplan | occupancyplan |
| OTP-less one tap Sign in | otpless |
| OttoKit: All-in-One Automation Platform (Formerly SureTriggers) | suretriggers |
| Page View Count | page-views-count |
| Product Category Slider for WooCommerce | woo-category-slider-by-pluginever |
| Projectopia – WordPress Project Management | projectopia-core |
| Remote Images Grabber | remote-images-grabber |
| Section Widget | section-widget |
| SecuPress Free — WordPress Security | secupress |
| Seraphinite Accelerator | seraphinite-accelerator |
| Subpage List | subpage-view |
| SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity | surveyjs |
| Syndicate Out | syndicate-out |
| tagDiv Composer | td-composer |
| tagDiv Opt-In Builder | td-subscription |
| Taxonomy Chain Menu | taxonomy-chain-menu |
| Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder | wps-team |
| Theme Blvd Sliders | theme-blvd-sliders |
| Total Donations | total-donations |
| Total processing card payments for WooCommerce | totalprocessing-card-payments |
| Ultimate Auction Pro | ultimate-woocommerce-auction-pro |
| Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder | ultimate-store-kit |
| VerticalResponse Newsletter Widget | vertical-response-newsletter-widget |
| Visual Builder | visual-builder |
| Web3Press – Decentralize Publishing with Writing NFT | likecoin |
| WordPress Simple Shopping Cart | wordpress-simple-paypal-shopping-cart |
| WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin | wp-statistics |
| WPML | sitepress-multilingual-cms |
| Xavin’s Review Ratings | xavins-review-ratings |
| Yame | Link In Bio | yame-linkinbio |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Boot Store | boot-store |
| Homey | homey |
| KLEO – Community Focused & Multi-Purpose BuddyPress WordPress Theme | kleo |
| Motors – Car Dealer, Rental & Listing WordPress theme | motors |
| NewsBlogger | newsblogger |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
CVE-2025-3918
Unpatched
May 2, 2025
Job Listings
CVE-2025-46454
Unpatched
Apr 28, 2025
Meta Keywords & Description
CVE-2025-3746
Unpatched
May 1, 2025
OTP-less one tap Sign in
CVE-2025-27007
Patched
Apr 30, 2025
OttoKit: All-in-One Automation Platform (Formerly SureTriggers)
CVE-2025-1304
Patched
Apr 30, 2025
NewsBlogger
CVE-2025-1305
Patched
Apr 30, 2025
NewsBlogger
Product Category Slider for WooCommerce <= 4.3.4 – Authenticated (Contributor+) Local File Inclusion
CVE-2025-39364
Patched
May 2, 2025
Product Category Slider for WooCommerce
CVE-2024-13418
Unpatched
May 1, 2025
CVE-2025-2816
Patched
Apr 30, 2025
Page View Count
CVE-2025-3952
Patched
Apr 30, 2025
Projectopia – WordPress Project Management
Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager <= 4.88 – Unauthenticated SQL Injection
CVE-2024-13322
Patched
May 1, 2025
Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager
CVE-2024-13344
Patched
May 1, 2025
Advance Seat Reservation Management for WooCommerce
CVE-2025-4204
Patched
May 1, 2025
Ultimate Auction Pro
CVE-2025-4179
Unpatched
May 1, 2025
Flynax Bridge
CVE-2024-13738
Patched
May 2, 2025
Motors – Car Dealer, Rental & Listing WordPress theme
CVE-2025-43836
Unpatched
Apr 29, 2025
Syndicate Out
CVE-2025-43837
Unpatched
Apr 29, 2025
Total Donations
CVE-2024-12023
Patched
May 1, 2025
FULL – Cliente
CVE-2025-3438
Patched
May 1, 2025
MStore API – Create Native Android & iOS Apps On The Cloud
CVE-2025-2890
Patched
Apr 29, 2025
tagDiv Opt-In Builder
CVE-2025-46527
Patched
May 2, 2025
Web3Press – Decentralize Publishing with Writing NFT
CVE-2025-3874
Patched
Apr 30, 2025
WordPress Simple Shopping Cart
CVE-2025-3953
Patched
Apr 29, 2025
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
CVE-2025-1529
Patched
Apr 30, 2025
AM LottiePlayer
CVE-2024-13860
Unpatched
May 1, 2025
Buddyboss Platform
CVE-2024-13859
Unpatched
May 1, 2025
Buddyboss Platform
CVE-2024-13858
Unpatched
May 1, 2025
Buddyboss Platform
CVE-2025-46493
Unpatched
May 2, 2025
Crossword Compiler Puzzles
Custom Login and Registration <= 1.0.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE-2025-39363
Unpatched
May 2, 2025
Custom Login and Registration
Formality <= 1.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter
CVE-2025-3858
Patched
May 1, 2025
Formality
CVE-2025-4131
Unpatched
May 1, 2025
GmapsMania
Gutenverse <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via countdown Block
CVE-2025-2893
Patched
Apr 28, 2025
Gutenverse – Ultimate Block Addons and Page Builder for Site Editor
CVE-2025-46518
Unpatched
May 2, 2025
IGIT Related Posts With Thumb Image After Posts
CVE-2025-3670
Unpatched
May 1, 2025
KiwiChat NextClient
CVE-2025-4099
Patched
Apr 30, 2025
List Children
CVE-2025-4100
Unpatched
Apr 30, 2025
Nautic Pages
CVE-2025-3779
Patched
May 2, 2025
CVE-2024-13419
Unpatched
May 1, 2025
CVE-2025-4168
Unpatched
May 2, 2025
Subpage List
CVE-2025-3815
Patched
May 2, 2025
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity
CVE-2025-3510
Patched
May 1, 2025
tagDiv Composer
CVE-2025-3748
Patched
May 1, 2025
Taxonomy Chain Menu
CVE-2025-3521
Unpatched
Apr 30, 2025
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder
VerticalResponse Newsletter Widget <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2025-4172
Unpatched
May 2, 2025
VerticalResponse Newsletter Widget
CVE-2025-3890
Patched
Apr 30, 2025
WordPress Simple Shopping Cart
CVE-2025-3488
Patched
May 1, 2025
WPML
CVE-2025-4170
Unpatched
May 2, 2025
Xavin’s Review Ratings
CVE-2025-4199
Unpatched
May 2, 2025
Abundatrade Plugin
CVE-2025-4188
Unpatched
May 2, 2025
Advanced Reorder Image Text Slider
CVE-2025-43839
Patched
Apr 29, 2025
BP Messages Tool
CVE-2025-46515
Unpatched
May 2, 2025
Category Widget
CVE-2025-46487
Unpatched
May 2, 2025
EC Authorize.net
CVE-2025-46440
Unpatched
May 2, 2025
kStats Reloaded
CVE-2025-4434
Unpatched
Apr 30, 2025
Remote Images Grabber
CVE-2025-46537
Unpatched
May 2, 2025
Section Widget
CVE-2025-46456
Unpatched
May 2, 2025
Theme Blvd Sliders
CVE-2025-4222
Unpatched
May 2, 2025
Database Toolset
Gravity Forms WebHooks <= 1.6.0 – Authenticated (Admin+) Server-Side Request Forgery via Webhook
CVE-2024-13845
Patched
Apr 30, 2025
Gravity Forms WebHooks
CVE-2025-43838
Unpatched
Apr 29, 2025
Custom PC Builder Lite for WooCommerce
CVE-2025-4177
Unpatched
May 1, 2025
Flynax Bridge
CVE-2025-39367
Patched
Apr 29, 2025
KLEO – Community Focused & Multi-Purpose BuddyPress WordPress Theme
CVE-2025-46441
Unpatched
Apr 30, 2025
Section Widget
CVE-2025-46488
Unpatched
May 2, 2025
Visual Builder
WordPress Simple PayPal Shopping Cart <= 5.1.3 – Insecure Direct Object Reference via ‘quantity’
CVE-2025-3889
Patched
Apr 30, 2025
WordPress Simple Shopping Cart
CVE-2025-2880
Unpatched
May 1, 2025
Yame | Link In Bio
Nomupay Payment Processing Gateway <= 7.1.7 – Authenticated (Shop Manager+) Arbitrary File Download
CVE-2025-46486
Unpatched
May 2, 2025
Total processing card payments for WooCommerce
CVE-2025-46458
Unpatched
May 2, 2025
occupancyplan
CVE-2025-3452
Patched
Apr 28, 2025
SecuPress Free — WordPress Security
Seraphinite Accelerator <= 2.27.21 – Cross-Site Request Forgery to Multiple Administrative Actions
Unknown
Patched
Apr 29, 2025
Seraphinite Accelerator
CVE-2024-13420
Unpatched
May 1, 2025
CVE-2025-2168
Patched
Apr 30, 2025
Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) appeared first on Wordfence.
