Wordfence Intelligence Weekly WordPress Vulnerability Report (August 11, 2025 to August 17, 2025)

by

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢

🌞 Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

💉 Participate in the SQLsplorer Challenge! Now through September 22, 2025, all SQL Injection vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier AND earn a 20% bonus on all SQL Injection vulnerability submissions.

Last week, there were 161 vulnerabilities disclosed in 135 WordPress Plugins and 11 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 28,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 76
Unpatched 85

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 126
High Severity 27
Critical Severity 7

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 58
Missing Authorization 26
Cross-Site Request Forgery (CSRF) 22
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 9
Exposure of Sensitive Information to an Unauthorized Actor 7
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 7
Improper Control of Generation of Code (‘Code Injection’) 5
Unrestricted Upload of File with Dangerous Type 5
Deserialization of Untrusted Data 3
Server-Side Request Forgery (SSRF) 3
Improper Input Validation 2
Authorization Bypass Through User-Controlled Key 1
Client-Side Enforcement of Server-Side Security 1
Improper Authorization 1
Improper Neutralization of Formula Elements in a CSV File 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 1
Improper Privilege Management 1
Relative Path Traversal 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
13
9
8
7
7
7
7
7
4

Bao
4
4
4
4
3
3
3
3
3
3
3
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
12 Step Meeting List 12-step-meeting-list
Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript add-custom-codes
Add User Meta add-user-meta
Advanced File Manager – Ultimate WP File Manager And Document Library Solution file-manager-advanced
Advanced iFrame advanced-iframe
AL Pack alpack
Alobaidi Captcha alobaidi-captcha
Anber Elementor Addon anber-elementor-addon
AnWP Football Leagues football-leagues-by-anwppro
Appointment Booking & Scheduling Plugin — Webba Booking Calendar webba-booking-lite
Assistant for NextGEN Gallery assistant-for-nextgen-gallery
Authentication and xmlrpc log writer authentication-and-xmlrpc-log-writer
Awesome Support – WordPress HelpDesk & Support Plugin awesome-support
B Blocks – Essential Gutenberg Blocks & Patterns Collection b-blocks
B Slider – Responsive Image Slider b-slider
Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers betterdocs
Billplz Addon for Contact Form 7 billplz-for-contact-form-7
Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder bit-form
BizCalendar Web bizcalendar-web
Blog Designer PRO for WordPress blog-designer-pro
Build App Online build-app-online
CF7 Spreadsheets cf7-spreadsheets
CM Search And Replace – Optimize content edits with a powerful search and replace tool cm-on-demand-search-and-replace
CodeablePress: Simple Frontend Profile Picture Upload codeablepress-simple-frontend-profile-picture-upload
Database for Contact Form 7, WPforms, Elementor forms contact-form-entries
DigitalOcean Spaces Sync do-spaces-sync
Drag and Drop Multiple File Upload for Contact Form 7 drag-and-drop-multiple-file-upload-contact-form-7
Dropshix dropshipping-xox
Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing
E-cab Taxi Booking Manager for Woocommerce ecab-taxi-booking-manager
Earnware Connect earnware-connect
Easy Elementor Addons easy-elementor-addons
Easy restaurant menu manager easy-pdf-restaurant-menu-upload
Elementor Website Builder – More Than Just a Page Builder elementor
elink – Embed Content elink-embed-content
Elizaibots elizaibot-chatbots
Embed Bokun embed-bokun
Embedder for Google Reviews embedder-for-google-reviews
Essential Addons for Elementor – Popular Elementor Templates & Widgets essential-addons-for-elementor-lite
Eventin – AI Powered Event Manager, Events Calendar, Booking and Tickets Plugin wp-event-solution
EventON – Events Calendar eventon-lite
File Manager Pro wp-file-manager-pro
File Manager Pro – Filester filester
flexo-social-gallery flexo-social-gallery
Forms forms-by-made-it
Frontend Admin by DynamiApps acf-frontend-form-element
Gestion de tarifs gestion-tarifs
GMap Generator gmap-venturit
Graphina – Elementor Charts and Graphs graphina-elementor-charts-and-graphs
Hide Text Shortcode hide-text-shortcode
Icons Factory icons-factory
Infility Global infility-global
Inline Stock Quotes inline-stock-quotes
Inpersttion For Theme err-our-team
Inspectlet – User Session Recording and Heatmaps inspectlet-heatmaps-and-user-session-recording
Intl DateTime Calendar intl-datetime-calendar
JetElements jet-elements
JetProductGallery jet-woo-product-gallery
JobSearch WP Job Board wp-jobsearch
Kadence WooCommerce Email Designer kadence-woocommerce-email-designer
Last.fm Recent Album Artwork lastfm-recent-album-artwork
LatestCheckins latestcheckins
Linux Promotional Plugin linux-promotional-plugin
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations master-addons
Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping membership-for-woocommerce
Mosaic Generator mosaic-generator
Neon Channel Product Customizer Free neon-channel-product-customizer-free
Netease Music netease-music
NetInsight Analytics Implementation Plugin netinsight-analytics-implementation-plugin
Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates the-plus-addons-for-block-editor
oik oik
Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita
Order Tip for WooCommerce order-tip-woo
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress wp-user-avatar
Plugin README Parser wp-readme-parser
Poll Maker – Versus Polls, Anonymous Polls, Image Polls poll-maker
Premium Addons for KingComposer premium-addons-for-kingcomposer
Premium Packages – Sell Digital Products Securely wpdm-premium-packages
Primer MyData for Woocommerce primer-mydata
Print My Blog – Print, PDF, & eBook Converter WordPress Plugin print-my-blog
Project Cost Calculator project-cost-calculator
Project Management, Bug and Issue Tracking Plugin – Software Issue Manager software-issue-manager
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker quiz-master-next
Quttera Web Malware Scanner quttera-web-malware-scanner
Radius Blocks – WordPress Gutenberg Blocks radius-blocks
Real Estate Manager Pro real-estate-manager-pro
Responsive Posts Carousel WordPress Plugin responsive-posts-carousel-pro
RSS Feed Pro rss-feed-pro
RT Easy Builder – Advanced addons for Elementor rt-easy-builder-advanced-addons-for-elementor
School Management System for WordPress school-management
ServerBuddy by PluginBuddy.com serverbuddy-by-pluginbuddy
Shortcode Redirect shortcode-redirect
Simple Local Avatars simple-local-avatars
Simple Poll simple-poll
Simple Responsive Slider addi-simple-slider
Simplified Plugin simplified
SoundSt SEO Search soundst-seo-search
StoryChief story-chief
Surbma | Recent Comments Shortcode surbma-recent-comments-shortcode
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI simple-tags
Templatera templatera
Thank You Page Customizer for WooCommerce – Increase Your Sales woo-thank-you-page-customizer
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce the-plus-addons-for-elementor-page-builder
Thim Core thim-core
Time Sheets time-sheets
Translate This gTranslate Shortcode translate-this-google-translate-web-element-shortcode
Tutor LMS Pro tutor-pro
UiCore Elements – Free Elementor widgets and templates uicore-elements
Ultimate Video Player WordPress & WooCommerce Plugin fwduvp
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor profile-builder
Vertical scroll slideshow gallery v2 vertical-scroll-slideshow-gallery-v2
Video Expander video-expander
Visual Composer Website Builder visualcomposer
weichuncai(WP伪春菜) weichuncai
Welcart e-Commerce usc-e-shop
Woocommerce Blocks – Woolook woolook
WooCommerce OTP Login With Phone Number, OTP Verification login-with-phone-number
WooCommerce Purchase Orders wc-purchase-orders
WordLift – AI powered SEO – Schema wordlift
WordPress Event Manager, Event Calendar and Booking Plugin eventin-pro
WordPress StoryMap Plugin wp-storymap
WP Airdrop Manager airdrop
Wp chart generator wp-chart-generator
WP Discord Post Plus – Supports Unlimited Channels wp-discord-post-plus
WP Dynamic Links wp-dynamic-links
WP Emmet wp-emmet
WP Membership wp-membership
WP Pipes wp-pipes
WP Private Content Plus wp-private-content-plus
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin wp-statistics
WP Table Builder – WordPress Table Plugin wp-table-builder
WP Voting wp-voting
WP-Database-Optimizer-Tools wp-database-optimizer-tools
WPGYM – WordPress Gym Management System gym-management

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
App, SaaS & Software Startup Tech Theme – Stratus stratus
Blocksy blocksy
Findgo – Directory Listing WordPress Theme findgo
Kalium 3 | Creative WordPress & WooCommerce Theme kalium
Makeaholic – Beauty Cosmetics WordPress Theme makeaholic
Modernize – Flexibility of WordPress modernize
OceanWP oceanwp
Savoy savoy
Soledad soledad
unicamp unicamp
WP Rentals – Booking Accommodation WordPress Theme wprentals

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

B Blocks <= 2.0.6 – Missing Authorization to Unauthenticated Privilege Escalation via rgfr_registration Function

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-8059
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
B Blocks – Essential Gutenberg Blocks & Patterns Collection
Researcher
More Details >

Contact Form by Bit Form – Bit Form <= 2.20.3 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-6679
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder
Researcher
More Details >

Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 – Unauthenticated PHP Object Injection to Arbitrary File Deletion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-7384
Patch Status
Patched
Published
Aug 12, 2025
Affected Software
Database for Contact Form 7, WPforms, Elementor forms
Researcher
More Details >

Icons Factory <= 1.6.12 – Missing Authorization to Unauthenticated Arbitrary File Deletion via delete_files() Function

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-7778
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Icons Factory
Researcher
More Details >

Makeaholic <= 1.8.4 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-54700
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Makeaholic – Beauty Cosmetics WordPress Theme
Researcher
More Details >

StoryChief <= 1.0.42 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-7441
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
StoryChief
Researcher
More Details >

Taxi Booking Manager for Woocommerce | E-cab <= 1.3.0 – Missing Authorization to Unauthenticated Privilege Escalation via Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-8898
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
E-cab Taxi Booking Manager for Woocommerce
Researcher
More Details >

Add Custom Codes <= 4.80 – Authenticated (Contributor+) Remote Code Execution

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-30975
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript
Researcher
More Details >

B Slider- Gutenberg Slider Block for WP <= 1.1.30 – Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Installation

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-8418
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
B Slider – Responsive Image Slider
Researcher
More Details >

Forms <= 2.9.0 – Authenticated (Contributor+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-24775
Patch Status
Unpatched
Published
Aug 13, 2025
Affected Software
Forms
Researcher
More Details >

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.3 – Authenticated (Author+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-54677
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita
Researcher
More Details >

School Management System <= 93.2.0 – Authenticated (Student+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-6079
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
School Management System for WordPress
Researcher
More Details >

Soledad <= 8.6.7 – Authenticated (Contributor+) Local File Inclusion via ‘header_layout’

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-8142
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
Soledad
Researcher
More Details >

Tutor LMS Pro – eLearning and online course solution <= 3.7.0 – Authenticated (Tutor Instructor+) SQL Injection

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-6184
Patch Status
Patched
Published
Aug 12, 2025
Affected Software
Tutor LMS Pro
Researcher
More Details >

WPGYM – WordPress Gym Management System <= 67.7.0 – Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-3671
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
WPGYM – WordPress Gym Management System
Researchers
More Details >

WPGYM <= 67.7.0 – Missing Authorization to Admin Account Creation

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-6080
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
WPGYM – WordPress Gym Management System
Researcher
More Details >

Premium Addons for KingComposer <= 1.1.1 – Unauthenticated Local File Inclusion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-49036
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
Premium Addons for KingComposer
Researcher
More Details >

Unicamp <= 2.6.3 – Unauthenticated Local File Inclusion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-54701
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
unicamp
Researcher
More Details >

WooCommerce OTP Login With Phone Number, OTP Verification <= 1.8.47 – Authentication Bypass

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-8342
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
WooCommerce OTP Login With Phone Number, OTP Verification
Researcher
More Details >

WooCommerce Purchase Orders <= 1.0.2 – Authenticated (Subscriber+) Arbitrary File Deletion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-5391
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
WooCommerce Purchase Orders
Researcher
More Details >

Al Pack <= 1.0.2 – Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-7664
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
AL Pack
Researcher
More Details >

Assistant for NextGEN Gallery <= 1.0.9 – Unauthenticated Arbitrary Directory Deletion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-7641
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Assistant for NextGEN Gallery
Researcher
More Details >

BizCalendar Web <= 1.1.0.50 – Authenticated (Contributor+) Local File Inclusion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-7650
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
BizCalendar Web
Researcher
More Details >

Blog Designer PRO <= 3.4.7 – Authenticated (Subscriber+) Local File Inclusion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-47695
Patch Status
Unpatched
Published
Aug 13, 2025
Affected Software
Blog Designer PRO for WordPress
Researcher
More Details >

Eventin <= 4.0.31 – Authenticated (Contributor+) PHP Object Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-49869
Patch Status
Patched
Published
Aug 13, 2025
Affected Software
Eventin – AI Powered Event Manager, Events Calendar, Booking and Tickets Plugin
Researcher
More Details >

JobSearch <= 2.9.0 – Authenticated (Subscriber+) Local File Inclusion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-52806
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
JobSearch WP Job Board
Researcher
More Details >

Order Tip for WooCommerce <= 1.5.4 – Unauthenticated Tip Manipulation to Negative Value Leading to Unauthorized Discounts

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-6025
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Order Tip for WooCommerce
Researcher
More Details >

Responsive Posts Carousel WordPress Plugin <= 15.0 – Authenticated (Subscriber+) Local File Inclusion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-52728
Patch Status
Patched
Published
Aug 13, 2025
Affected Software
Responsive Posts Carousel WordPress Plugin
Researcher
More Details >

School Management System for WordPress <= 93.2.0 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-12612
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
School Management System for WordPress
Researcher
More Details >

ServerBuddy by PluginBuddy.com <= 1.0.5 – Cross-Site Request Forgery to PHP Object Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-49895
Patch Status
Unpatched
Published
Aug 16, 2025
Affected Software
ServerBuddy by PluginBuddy.com
Researcher
More Details >

UiCore Elements <= 1.3.0 – Missing Authorization to Unauthenticated Arbitrary File Read

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-6253
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
UiCore Elements – Free Elementor widgets and templates
Researcher
More Details >

Soledad <= 8.6.7 – Unauthenticated Arbitrary Shortcode Execution

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2025-8105
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
Soledad
Researcher
More Details >

Dynamic Pricing With Discount Rules for WooCommerce <= 4.5.9 – Authenticated (Shop Manager+) Arbitrary Code Execution

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-47588
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Dynamic Pricing With Discount Rules for WooCommerce
Researcher
More Details >

Kadence WooCommerce Email Designer <= 1.5.16 – Authenticated (Shop Manager+) Arbitrary Options Update

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-54697
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Kadence WooCommerce Email Designer
Researcher
More Details >

Welcart e-Commerce <= 2.11.16 – Authenticated (Editor+) PHP Object Injection

6.6
CVSS Rating
Medium (6.6)
CVE-ID
CVE-2025-54012
Patch Status
Patched
Published
Aug 12, 2025
Affected Software
Welcart e-Commerce
Researcher
More Details >

Woocommerce Blocks – Woolook <= 1.7.0 – Authenticated (Admin+) Local File Inclusion

6.6
CVSS Rating
Medium (6.6)
CVE-ID
CVE-2024-8393
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Woocommerce Blocks – Woolook
Researcher
More Details >

Frontend Admin by DynamiApps <= 3.28.3 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-49267
Patch Status
Patched
Published
Aug 12, 2025
Affected Software
Frontend Admin by DynamiApps
Researcher
More Details >

Gestion de tarifs <= 1.4 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-7662
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Gestion de tarifs
Researcher
More Details >

Infility Global <= 2.14.7 – Authenticated (Subscriber+) Arbitrary File Download

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-47650
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Infility Global
Researcher
More Details >

Multiple elFinder Plugins <= (Various Versions) – Directory Traversal to Arbitrary File Deletion

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-0818
Patch Status
Patched
Published
Aug 12, 2025
Affected Software
File Manager Pro – Filester
Advanced File Manager – Ultimate WP File Manager And Document Library Solution
File Manager Pro
Researcher
More Details >

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.4 – Unauthenticated Arbitrary Shortcode Execution

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-8878
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Researchers
More Details >

Quiz And Survey Master <= 10.2.4 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-55708
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
Researcher
More Details >

School Management <= 93.2.0 – Authenticated (Support staff+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-49898
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
School Management System for WordPress
Researcher
More Details >

Vertical scroll slideshow gallery v2 <= 9.1 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-49897
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Vertical scroll slideshow gallery v2
Researcher
More Details >

12 Step Meeting List <= 3.18.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54054
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
12 Step Meeting List
Researcher(s): Unknown
More Details >

Anber Elementor Addon <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Banner button link

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7439
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Anber Elementor Addon
Researcher
More Details >

Anber Elementor Addon <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Carousel button link

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7440
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Anber Elementor Addon
Researcher
More Details >

B Blocks <= 2.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54708
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
B Blocks – Essential Gutenberg Blocks & Patterns Collection
Researcher
More Details >

CF7 Spreadsheets <= 2.3.2 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-50040
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
CF7 Spreadsheets
Researcher
More Details >

Earnware Connect <= 1.0.73 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7651
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Earnware Connect
Researcher
More Details >

elink – Embed Content <= 1.1.0 – Authenticated (Contributor+) Insufficient Input Validation

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7507
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
elink – Embed Content
Researcher
More Details >

Elizaibots <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-49893
Patch Status
Unpatched
Published
Aug 16, 2025
Affected Software
Elizaibots
Researcher
More Details >

Embed Bokun <= 0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-6221
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Embed Bokun
Researcher
More Details >

Essential Addons for Elementor – Popular Elementor Templates and Widgets <= 6.2.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘data-gallery-items’

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8451
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Essential Addons for Elementor – Popular Elementor Templates & Widgets
Researcher
More Details >

GMap – Venturit <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘h’ Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8568
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
GMap Generator
Researcher
More Details >

Graphina – Elementor Charts and Graphs <= 3.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8867
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Graphina – Elementor Charts and Graphs
Researcher
More Details >

Hide Text Shortcode <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-49051
Patch Status
Unpatched
Published
Aug 13, 2025
Affected Software
Hide Text Shortcode
Researcher
More Details >

Inline Stock Quotes <= 0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via stock Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8688
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
Inline Stock Quotes
Researcher
More Details >

Intl DateTime Calendar <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via date Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8293
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Intl DateTime Calendar
Researcher
More Details >

JetElements For Elementor <= 2.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-55714
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
JetElements
Researcher
More Details >

JetProductGallery <= 2.2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54749
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
JetProductGallery
Researcher
More Details >

Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations <= 2.0.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via fancyBox

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8874
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Researcher
More Details >

Modernize <= 3.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53342
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Modernize – Flexibility of WordPress
Researcher
More Details >

Mosaic Generator <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘c’ Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8621
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
Mosaic Generator
Researcher
More Details >

Plugin README Parser <= 1.3.15 – Authenticated (Contributor+) Stored Cross-Site Scripting via target Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8720
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Plugin README Parser
Researcher
More Details >

Print My Blog <= 3.27.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54740
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Print My Blog – Print, PDF, & eBook Converter WordPress Plugin
Researcher
More Details >

Radius Blocks <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via subHeadingTagName Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5844
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Radius Blocks – WordPress Gutenberg Blocks
Researcher
More Details >

RT Easy Builder <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8462
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
RT Easy Builder – Advanced addons for Elementor
Researcher
More Details >

Shortcode Redirect <= 1.0.02 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54746
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Shortcode Redirect
Researcher
More Details >

Simple Responsive Slider <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8690
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
Simple Responsive Slider
Researcher
More Details >

Software Issue Manager <= 5.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8314
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
Project Management, Bug and Issue Tracking Plugin – Software Issue Manager
Researcher
More Details >

Soledad <= 8.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘pcsml_smartlists_h’

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8143
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
Soledad
Researcher
More Details >

Surbma | Recent Comments Shortcode <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7649
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Surbma | Recent Comments Shortcode
Researcher
More Details >

Templatera <= 2.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54747
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Templatera
Researcher
More Details >

Translate This – Google Translate Web Element Shortcode <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via base_lang Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8719
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Translate This gTranslate Shortcode
Researcher
More Details >

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.14.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8896
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Researcher
More Details >

Video Expander <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-52771
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Video Expander
Researcher
More Details >

Visual Composer Website Builder <= 45.13.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-55709
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Visual Composer Website Builder
Researcher
More Details >

WordLift <= 3.54.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53582
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
WordLift – AI powered SEO – Schema
Researcher
More Details >

WordPress Event Manager, Event Calendar and Booking Plugin <= 4.0.24 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-52730
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
WordPress Event Manager, Event Calendar and Booking Plugin
Researcher
More Details >

Wp chart generator <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via wpchart Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8685
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
Wp chart generator
Researcher
More Details >

WP Rentals <= 3.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53330
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
WP Rentals – Booking Accommodation WordPress Theme
Researcher
More Details >

WP Table Builder – WordPress Table Plugin <= 2.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8604
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
WP Table Builder – WordPress Table Plugin
Researcher
More Details >

WP Table Builder <= 2.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-55711
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
WP Table Builder – WordPress Table Plugin
Researcher
More Details >

Inpersttion For Theme <= 1.0 – Authenticated (Contributor+) Arbitrary Function Call

6.3
CVSS Rating
Medium (6.3)
CVE-ID
CVE-2025-8905
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Inpersttion For Theme
Researcher
More Details >

Add User Meta <= 1.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-7688
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Add User Meta
Researcher
More Details >

Authentication and xmlrpc log writer <= 1.2.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49037
Patch Status
Unpatched
Published
Aug 13, 2025
Affected Software
Authentication and xmlrpc log writer
Researcher
More Details >

Billplz Addon for Contact Form 7 <= 1.2.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-31007
Patch Status
Patched
Published
Aug 13, 2025
Affected Software
Billplz Addon for Contact Form 7
Researcher
More Details >

Last.fm Recent Album Artwork <= 1.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-7684
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Last.fm Recent Album Artwork
Researcher
More Details >

LatestCheckins <= 1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-7683
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
LatestCheckins
Researcher
More Details >

Linux Promotional Plugin <= 1.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-7668
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Linux Promotional Plugin
Researcher
More Details >

oik <= 4.15.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-54670
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
oik
Researcher
More Details >

Real Estate Manager Pro <= 12.7.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-54032
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Real Estate Manager Pro
Researcher
More Details >

Simple Poll <= 1.1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49044
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Simple Poll
Researcher
More Details >

SoundSt SEO Search <= 1.2.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49058
Patch Status
Unpatched
Published
Aug 12, 2025
Affected Software
SoundSt SEO Search
Researcher
More Details >

Time Sheets <= 2.1.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49054
Patch Status
Unpatched
Published
Aug 13, 2025
Affected Software
Time Sheets
Researcher
More Details >

weichuncai(WP伪春菜) <= 1.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-7686
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
weichuncai(WP伪春菜)
Researcher
More Details >

WP Dynamic Links <= 1.0.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49038
Patch Status
Unpatched
Published
Aug 12, 2025
Affected Software
WP Dynamic Links
Researcher
More Details >

WP Pipes <= 1.4.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28977
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
WP Pipes
Researcher
More Details >

WP Voting <= 1.8 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-49057
Patch Status
Unpatched
Published
Aug 12, 2025
Affected Software
WP Voting
Researcher
More Details >

Blocksy <= 2.1.6 – Authenticated (Shop manager+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-55713
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Blocksy
Researcher
More Details >

RSS Feed Pro <= 1.1.8 – Authenticated (Editor+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-53581
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
RSS Feed Pro
Researcher
More Details >

Simplified <= 1.0.9 – Authenticated (Administrator+) Server-Side Request Forgery

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-53241
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Simplified Plugin
Researcher
More Details >

Advanced iFrame <= 2025.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-8089
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
Advanced iFrame
Researcher
More Details >

Awesome Support <= 6.3.4 – Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-53340
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Awesome Support – WordPress HelpDesk & Support Plugin
Researcher
More Details >

BetterDocs <= 4.1.1 – Missing Authorization to Private And Password-Protected Posts Information Disclosure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-7499
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
Researcher
More Details >

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.0 – Directory Traversal via `wpcf7_guest_user_id` Cookie

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-8464
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
Drag and Drop Multiple File Upload for Contact Form 7
Researcher
More Details >

Embedder for Google Reviews <= 1.7.3 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-54730
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Embedder for Google Reviews
Researcher
Bao
More Details >

Membership For WooCommerce <= 2.9.0 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-54692
Patch Status
Patched
Published
Aug 12, 2025
Affected Software
Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping
Researcher
More Details >

Neon Channel Product Customizer Free <= 2.0 – Missing Authorization to Unauthenticated Arbitrary Content Deletion

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-54679
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Neon Channel Product Customizer Free
Researcher
More Details >

Nexter Blocks <= 4.5.4 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-54739
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
Researcher
More Details >

Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.8.9 – Unauthenticated Basic Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12575
Patch Status
Patched
Published
Aug 15, 2025
Affected Software
Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Researcher
More Details >

Savoy <= 3.0.8 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-54736
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Savoy
Researcher
More Details >

School Management <= 93.1.0 – Unauthenticated Insecure Direct Object Reference

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-49896
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
School Management System for WordPress
Researcher
More Details >

Ultimate Video Player <= 10.1 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-49432
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Ultimate Video Player WordPress & WooCommerce Plugin
Researcher
More Details >

WP Private Content Plus <= 3.6.2 – Unauthenticated Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-4390
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
WP Private Content Plus
Researcher
More Details >

Barcode Scanner with Inventory & Order Manager <= 1.9.0 – Authenticated (Admin+) Arbitrary File Download

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-54715
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)
Researcher
More Details >

Elementor <= 3.30.2 – Authenticated (Administrator+) Arbitrary File Read via Image Import

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-8081
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
Elementor Website Builder – More Than Just a Page Builder
Researcher
More Details >

AnWP Football Leagues <= 0.16.17 – Authenticated (Administrator+) CSV Injection

4.8
CVSS Rating
Medium (4.8)
CVE-ID
CVE-2025-8767
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
AnWP Football Leagues
Researcher
More Details >

Alobaidi Captcha <= 1.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-8080
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Alobaidi Captcha
Researcher
More Details >

CM On Demand Search And Replace <= 1.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-54727
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
CM Search And Replace – Optimize content edits with a powerful search and replace tool
Researcher
Bao
More Details >

DigitalOcean Spaces Sync <= 2.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49047
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
DigitalOcean Spaces Sync
Researcher
More Details >

Dropshix <= 4.0.14 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49898
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
Dropshix
Researcher
More Details >

Inspectlet – User Session Recording and Heatmaps <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49048
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Inspectlet – User Session Recording and Heatmaps
Researcher
More Details >

Webba Booking <= 6.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-54729
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Appointment Booking & Scheduling Plugin — Webba Booking Calendar
Researcher
More Details >

WP Airdrop Manager <= 1.0.5 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49053
Patch Status
Unpatched
Published
Aug 13, 2025
Affected Software
WP Airdrop Manager
Researcher
More Details >

WP Emmet <= 0.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49894
Patch Status
Unpatched
Published
Aug 16, 2025
Affected Software
WP Emmet
Researcher
More Details >

B Slider – Gutenberg Slider Block for WP <= 2.0.0 – Authenticated (Subscriber+) Sensitive Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8676
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
B Slider – Responsive Image Slider
Researcher
More Details >

B Slider – Gutenberg Slider Block for WP <= 2.0.0 – Authenticated (Subscriber+) Server-Side Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8680
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
B Slider – Responsive Image Slider
Researcher
More Details >

Build App Online <= 1.0.23 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53249
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Build App Online
Researcher
More Details >

CM On Demand Search And Replace <= 1.5.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54728
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
CM Search And Replace – Optimize content edits with a powerful search and replace tool
Researcher
Bao
More Details >

CodeablePress <= 1.0.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53221
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
CodeablePress: Simple Frontend Profile Picture Upload
Researcher
More Details >

Easy Elementor Addons <= 2.2.7 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54712
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Easy Elementor Addons
Researcher
More Details >

Easy restaurant menu manager <= 2.0.2 – Cross-Site Request Forgery to Menu Upload

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8491
Patch Status
Patched
Published
Aug 12, 2025
Affected Software
Easy restaurant menu manager
Researcher
More Details >

EventON Lite <= 2.4.6 – Authenticated (Contributor+) Information Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8091
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
EventON – Events Calendar
Researcher
More Details >

Findgo <= 1.3.57 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53587
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Findgo – Directory Listing WordPress Theme
Researcher
More Details >

flexo-social-gallery <= 1.0006 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-52769
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
flexo-social-gallery
Researcher
More Details >

Kalium <= 3.18.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53347
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Kalium 3 | Creative WordPress & WooCommerce Theme
Researcher
More Details >

Modernize <= 3.4.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53343
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Modernize – Flexibility of WordPress
Researcher
More Details >

Netease Music <= 3.2.1 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49052
Patch Status
Unpatched
Published
Aug 13, 2025
Affected Software
Netease Music
Researcher
More Details >

NetInsight Analytics Implementation Plugin <= 1.0.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-52767
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
NetInsight Analytics Implementation Plugin
Researcher
More Details >

NetInsight Analytics Implementation Plugin <= 1.0.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-52765
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
NetInsight Analytics Implementation Plugin
Researcher
More Details >

OceanWP <= 4.0.9 – 4.1.1 – Cross-Site Request Forgery to Ocean Extra Plugin Installation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8891
Patch Status
Patched
Published
Aug 12, 2025
Affected Software
OceanWP
Researcher
More Details >

Primer MyData for Woocommerce <= 4.2.5 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53575
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Primer MyData for Woocommerce
Researcher
More Details >

Project Cost Calculator <= 1.0.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-52775
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
Project Cost Calculator
Researcher
More Details >

School Management <= 93.2.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49895
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
School Management System for WordPress
Researcher
More Details >

Simple Local Avatars <= 2.8.4 – Missing Authorization to Authenticated (Subscriber+) Avatar Migration

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8482
Patch Status
Patched
Published
Aug 11, 2025
Affected Software
Simple Local Avatars
Researcher
More Details >

StoryMap <= 2.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-52797
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
WordPress StoryMap Plugin
Researcher
More Details >

Stratus <= 4.2.5 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53341
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
App, SaaS & Software Startup Tech Theme – Stratus
Researcher
More Details >

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.37.2 – Authenticated (Subscriber+) Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-55710
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
Researcher
More Details >

Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.1.7 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30993
Patch Status
Unpatched
Published
Aug 11, 2025
Affected Software
Thank You Page Customizer for WooCommerce – Increase Your Sales
Researcher
More Details >

The Plus Addons for Elementor Page Builder Lite <= 6.3.13 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-55712
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Researcher
More Details >

Thim Core <= 2.3.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53344
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Thim Core
Researcher
More Details >

Thim Core <= 2.3.3 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53346
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
Thim Core
Researcher
More Details >

WordPress Event Manager, Event Calendar and Booking Plugin <= 4.0.24 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-52731
Patch Status
Patched
Published
Aug 13, 2025
Affected Software
WordPress Event Manager, Event Calendar and Booking Plugin
Researcher
More Details >

WP Discord Post Plus – Supports Unlimited Channels <= 1.0.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
Unknown
Patch Status
Unpatched
Published
Aug 15, 2025
Affected Software
WP Discord Post Plus – Supports Unlimited Channels
Researcher
Bao
More Details >

WP Membership <= 1.6.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54717
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
WP Membership
Researcher
More Details >

WP Statistics <= 14.15 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-55716
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
Researcher
More Details >

WP-Database-Optimizer-Tools <= 0.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53219
Patch Status
Unpatched
Published
Aug 14, 2025
Affected Software
WP-Database-Optimizer-Tools
Researcher
More Details >

WPDM – Premium Packages <= 6.0.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54732
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Premium Packages – Sell Digital Products Securely
Researcher
More Details >

Quttera Web Malware Scanner <= 3.5.1.41 – Authenticated (Administrator+) Server-Side Request Forgery

3.8
CVSS Rating
Low (3.8)
CVE-ID
CVE-2025-8013
Patch Status
Patched
Published
Aug 14, 2025
Affected Software
Quttera Web Malware Scanner
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 11, 2025 to August 17, 2025) appeared first on Wordfence.

Leave a Comment