Wordfence Intelligence Weekly WordPress Vulnerability Report (November 3, 2025 to November 9, 2025)

by

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢

📁 The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.

Last week, there were 110 vulnerabilities disclosed in 101 WordPress Plugins and no WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 56 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 29,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 72
Unpatched 38

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 85
High Severity 17
Critical Severity 8

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Missing Authorization 27
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 26
Cross-Site Request Forgery (CSRF) 15
Unrestricted Upload of File with Dangerous Type 7
Exposure of Sensitive Information to an Unauthorized Actor 6
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 5
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 3
Server-Side Request Forgery (SSRF) 3
Authorization Bypass Through User-Controlled Key 2
Deserialization of Untrusted Data 2
Improper Authorization 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 2
Improper Control of Generation of Code (‘Code Injection’) 1
Incorrect Authorization 1
Incorrect Comparison 1
Insertion of Sensitive Information into Log File 1
Missing Authentication for Critical Function 1
Reliance on Untrusted Inputs in a Security Decision 1
Use of Hard-coded Cryptographic Key 1
Use of Hard-coded Password 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
11
7
7
6
5
5
4
4
3
3
2
2
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1

Jay
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Academy LMS Pro academy-pro
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution academy
Ad Inserter – Ad Manager & AdSense Ads ad-inserter
Ai Auto Tool Content Writing Assistant All in One ai-auto-tool
AI Engine ai-engine
Alex Reservations: Smart Restaurant Booking alex-reservations
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier aio-time-clock-lite
Asgaros Forum asgaros-forum
Associados Amazon Plugin brzon
aThemes Addons for Elementor athemes-addons-for-elementor-lite
Better Find and Replace – AI-Powered Suggestions real-time-auto-find-and-replace
Blog2Social: Social Media Auto Post & Scheduler blog2social
Bootstrap Multi-language Responsive Portfolio bootstrap-multi-language-responsive-portfolio
Carousel Block – Responsive Image and Content Carousel b-carousel-block
CE21 Suite ce21-suite
Centangle-Team centangle-team
clubmember clubmember
Connector Wizard (formerly LC Wizard) ghl-wizard
Contact Form 7 AWeber Extension integrate-contact-form-7-and-aweber
Content Locker for Elementor content-locker-for-elementor
CoSchedule coschedule-by-todaymade
Course Booking System course-booking-system
Crypto Payment Gateway with Payeer for WooCommerce crypto-payment-gateway-with-payeer-for-woocommerce
CYAN Backup cyan-backup
Document Embedder – Embed PDFs, Word, Excel, and Other Files document-emberdder
DominoKit dominokit
Download Manager download-manager
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy easy-digital-downloads
Easy Email Subscription email-subscription-with-secure-captcha
Easy Upload Files During Checkout easy-upload-files-during-checkout
Easy WordPress Funnel Builder To Collect Leads And Increase Sales – WPFunnels wpfunnels
Elegance Menu elegance-menu
EM Beer Manager em-beer-manager
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
Everest Forms Pro everest-forms-pro
Extensions for Leaflet Map extensions-leaflet-map
Features features
File Manager for Google Drive – Integrate Google Drive integrate-google-drive
Flexible Refund and Return Order for WooCommerce flexible-refund-and-return-order-for-woocommerce
Footnotes Made Easy footnotes-made-easy
Free Quotation free-quotation
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce wp-marketing-automations
Gallery Plugin for WordPress – Envira Photo Gallery envira-gallery-lite
Graphina – Charts and Graphs For Elementor graphina-elementor-charts-and-graphs
Gravity Forms gravityforms
Greenshift – animation and page builder blocks greenshift-animation-and-page-builder-blocks
Groups groups
HTML Forms – Simple WordPress Forms Plugin html-forms
Hubbub Lite – Fast, free social sharing and follow buttons social-pug
IDonate – Blood Donation, Request And Donor Management System idonate
Image Comparison Addon for Elementor image-comparison-elementor-addon
Image Hover Effects for Elementor image-hover-effects-elementor-addon
Import Export For WooCommerce import-export-for-woocommerce
Insert Headers and Footers Code – HT Script insert-headers-and-footers-script
KiotViet Sync kiotvietsync
Label Plugins label-plugins
LinkedIn Resume linkedin-resume
LMB^Box Smileys lmbbox-smileys
Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more mail-mint
Mang Board WP mangboard
MapMap mapmap
Master Blocks – Ultimate Gutenberg Blocks for Marketers ultimate-blocks-for-gutenberg
MeetingList meeting-list
Nari Accountant nari-accountant
Ohio Extra ohio-extra
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More themeisle-companion
Ovatheme Events Manager ova-events-manager
Page & Post Notes page-post-notes
Pagerank tools pagerank-tools
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction paid-member-subscriptions
Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel depicter
Posts Navigation Links for Sections and Headings – Free by WP Masters posts-navigation-links-for-sections-and-headings-free-by-wp-masters
Premium Portfolio Features for Phlox theme auxin-portfolio
Quick Featured Images quick-featured-images
Reuse Builder reuse-builder
Rey Core Rey-Core
Saphali LiqPay for donate saphali-liqpay-for-donate
SH Contextual Help sh-contextual-help
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) woolentor-addons
Simple Downloads List simple-downloads-list
Simple User Capabilities simple-user-capabilities
Smart Auto Upload Images – Import External Images smart-auto-upload-images
SMS for WordPress sms4wp
Spectra Gutenberg Blocks – Website Builder for the Block Editor ultimate-addons-for-gutenberg
Strong Testimonials strong-testimonials
SUMO Affiliates Pro affs
TablePress – Tables in WordPress made easy tablepress
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI simple-tags
The Events Calendar the-events-calendar
Top Bar Notification top-bar-notification
ViaAds viaads
Visit Counter visit-counter
Visual Link Preview visual-link-preview
WP Airbnb Review Slider wp-airbnb-review-slider
WP Carticon wp-carticon
WP Global Screen Options wp-global-screen-options
WP Snow Effect wp-snow-effect
WP2Social Auto Publish facebook-auto-publish
WPCF7 Stop words wpcf7-stop-words
WPeMatico RSS Feed Fetcher wpematico
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns zoloblocks

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

AI Engine <= 3.1.3 – Unauthenticated Sensitive Information Exposure to Privilege Escalation

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-11749
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
AI Engine
Researcher
More Details >

CE21 Suite <= 2.3.1 – Unauthenticated Sensitive Information Exposure to Privilege Escalation

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-11008
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
CE21 Suite
Researcher
More Details >

CE21 Suite 2.2.1 – 2.3.1 – Missing Authorization to Unauthenticated Privilege Escalation via Plugin Settings Update

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-11007
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
CE21 Suite
Researcher
More Details >

Easy Upload Files During Checkout <= 2.9.8 – Unauthenticated Arbitrary JavaScript File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-12682
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
Easy Upload Files During Checkout
Researcher
More Details >

Gravity Forms <= 2.9.20 – Unauthenticated Arbitrary File Upload via ‘copy_post_image’

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-12352
Patch Status
Patched
Published
Nov 6, 2025
Affected Software
Gravity Forms
Researcher
More Details >

KiotViet Sync <= 1.8.5 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-12674
Patch Status
Unpatched
Published
Nov 4, 2025
Affected Software
KiotViet Sync
Researcher
More Details >

ShopLentor <= 3.2.5 – Unauthenticated Local PHP File Inclusion via ‘load_template’

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-12493
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Researcher
More Details >

Simple User Capabilities <= 1.0 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-12158
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Simple User Capabilities
Researcher
More Details >

Better Find and Replace <= 1.7.7 – Authenticated (Subscriber+) Limited Code Injection

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-9334
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Better Find and Replace – AI-Powered Suggestions
Researcher
More Details >

EM Beer Manager <= 3.2.3 – Authenticated (Subscriber+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-11724
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
EM Beer Manager
Researcher
More Details >

IDonate 2.1.5 – 2.1.9 – Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_password Function

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-4519
Patch Status
Patched
Published
Nov 6, 2025
Affected Software
IDonate – Blood Donation, Request And Donor Management System
Researcher
More Details >

Multiple Plugins <= Multiple Versions – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-10896
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
Content Locker for Elementor
Image Comparison Addon for Elementor
Image Hover Effects for Elementor
Master Blocks – Ultimate Gutenberg Blocks for Marketers
Researcher
More Details >

Smart Auto Upload Images <= 1.2.0 – Authenticated (Contributor+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-12161
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Smart Auto Upload Images – Import External Images
Researchers
More Details >

Document Embedder – Embed PDFs, Word, Excel, and Other Files <= 2.0.0 – Missing Authorization to Unauthenticated Document Manipulation

8.6
CVSS Rating
High (8.6)
CVE-ID
CVE-2025-12384
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Document Embedder – Embed PDFs, Word, Excel, and Other Files
Researcher
More Details >

LC Wizard 1.2.10 – 1.3.0 – Missing Authorization to Unauthenticated Privilege Escalation

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-5483
Patch Status
Patched
Published
Nov 6, 2025
Affected Software
Connector Wizard (formerly LC Wizard)
Researcher
More Details >

Premium Portfolio Features for Phlox theme <= 2.3.10 – Unauthenticated Local File Inclusion via args[extra_template_path]

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-12497
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Premium Portfolio Features for Phlox theme
Researcher
More Details >

Asgaros Forum <= 3.1.0 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-11452
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Asgaros Forum
Researcher
More Details >

Crypto Payment Gateway with Payeer for WooCommerce <= 1.0.3 – Unauthenticated Payment Bypass

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-11890
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Crypto Payment Gateway with Payeer for WooCommerce
Researcher
More Details >

Elegance Menu <= 1.9 – Authenticated (Contributor+) Local File Inclusion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-11704
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Elegance Menu
Researcher
More Details >

File Manager for Google Drive – Integrate Google Drive with WordPress <= 1.5.3 – Unauthenticated Sensitive Information Exposure

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-12139
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
File Manager for Google Drive – Integrate Google Drive
Researcher
More Details >

The Events Calendar 6.15.1.1 – 6.15.9 – Unauthenticated SQL Injection via s

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-12197
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
The Events Calendar
Researcher
More Details >

Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.3.8 – Authenticated (Administrator+) PHP Object Injection via ‘import_all_courses’

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-12099
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
Researcher
More Details >

Alex Reservations: Smart Restaurant Booking <= 2.2.3 – Authenticated (Admin+) Arbitrary File Upload

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-12399
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Alex Reservations: Smart Restaurant Booking
Researcher
More Details >

Footnotes Made Easy <= 3.0.7 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-11733
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
Footnotes Made Easy
Researcher
More Details >

Mail Mint <= 1.18.10 – Authenticated (Admin+) Arbitrary File Upload

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-11967
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more
Researcher
More Details >

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0.3 – Missing Authorization to Page Creation and Information Exposure

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-11758
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier
Researcher
More Details >

CYAN Backup <= 2.5.4 – Authenticated (Admin+) Arbitrary File Deletion

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-12092
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
CYAN Backup
Researcher
More Details >

IDonate 2.0.0 – 2.1.9 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-4522
Patch Status
Patched
Published
Nov 6, 2025
Affected Software
IDonate – Blood Donation, Request And Donor Management System
Researcher
More Details >

Ovatheme Events Manager <= 1.8.6 – Missing Authorization

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-7663
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Ovatheme Events Manager
Researcher
More Details >

WPFunnels <= 3.6.2 – Authenticated (Administrator+) Arbitrary File Deletion via Path Traversal

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-12000
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Easy WordPress Funnel Builder To Collect Leads And Increase Sales – WPFunnels
Researcher
More Details >

Ad Inserter <= 2.8.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11745
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Ad Inserter – Ad Manager & AdSense Ads
Researcher
More Details >

aThemes Addons for Elementor <= 1.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12837
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
aThemes Addons for Elementor
Researcher
More Details >

B Carousel Block – Responsive Image and Content Carousel <= 1.1.5 – Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12388
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Carousel Block – Responsive Image and Content Carousel
Researcher
More Details >

Extensions for Leaflet Map <= 4.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12369
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
Extensions for Leaflet Map
Researcher
More Details >

Graphina – Elementor Charts and Graphs <= 3.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Widgets

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11820
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Graphina – Charts and Graphs For Elementor
Researcher
More Details >

Greenshift – animation and page builder blocks <= 12.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Data Attributes

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11841
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
Greenshift – animation and page builder blocks
Researcher
More Details >

Insert Headers and Footers Code – HT Script <= 1.1.6 – Authenticated (Author+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12112
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Insert Headers and Footers Code – HT Script
Researcher
More Details >

Ohio Extra <= 3.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-64365
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Ohio Extra
Researcher
More Details >

Orbit Fox Companion <= 3.0.2 – Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12045
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
Researcher
More Details >

Reuse Builder <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11812
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Reuse Builder
Researcher
More Details >

Rey Core <= 3.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-64220
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Rey Core
Researcher
More Details >

Saphali LiqPay for donate <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12643
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Saphali LiqPay for donate
Researcher
More Details >

Simple Downloads List <= 1.4.3 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12583
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Simple Downloads List
Researcher
More Details >

Spectra <= 2.19.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom CSS

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11162
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Spectra Gutenberg Blocks – Website Builder for the Block Editor
Researcher
More Details >

TablePress – Tables in WordPress made easy <= 3.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12324
Patch Status
Patched
Published
Nov 3, 2025
Affected Software
TablePress – Tables in WordPress made easy
Researcher
More Details >

Visual Link Preview <= 2.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11987
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Visual Link Preview
Researcher
More Details >

WPeMatico RSS Feed Fetcher <= 2.8.11 – Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11917
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
WPeMatico RSS Feed Fetcher
Researcher
More Details >

Associados Amazon Plugin <= 0.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12403
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Associados Amazon Plugin
Researcher
More Details >

Centangle Team Showcase <= 1.0.0 – Cross-Site Request Forgery To Plugin’s Settings Modification And Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12456
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Centangle-Team
Researcher
More Details >

Hubbub Lite <= 1.36.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12471
Patch Status
Patched
Published
Nov 5, 2025
Affected Software
Hubbub Lite – Fast, free social sharing and follow buttons
Researcher
More Details >

Label Plugins <= 0.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12401
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Label Plugins
Researcher
More Details >

LinkedIn Resume <= 2.00 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12402
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
LinkedIn Resume
Researcher
More Details >

LMB^Box Smileys <= 3.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12400
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
LMB^Box Smileys
Researcher
More Details >

Mang Board WP <= 2.3.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12193
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Mang Board WP
Researcher
More Details >

MapMap <= 1.1 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12415
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
MapMap
Researcher
More Details >

Pagerank Tools <= 1.1.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12416
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Pagerank tools
Researcher
More Details >

SH Contextual Help <= 3.2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12410
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
SH Contextual Help
Researcher
More Details >

SMS for WordPress <= 1.1.8 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12580
Patch Status
Unpatched
Published
Nov 4, 2025
Affected Software
SMS for WordPress
Researcher
More Details >

Top Bar Notification <= 1.12 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12412
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Top Bar Notification
Researcher
More Details >

Visit Counter 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12452
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Visit Counter
Researcher
More Details >

WP2Social Auto Publish <= 2.4.7 – Reflected Cross-Site Scripting via PostMessage

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12064
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
WP2Social Auto Publish
Researcher
More Details >

Everest Forms (Pro) <= 1.9.7 – Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature

5.6
CVSS Rating
Medium (5.6)
CVE-ID
CVE-2025-8871
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Everest Forms Pro
Researcher
More Details >

Social Media WPCF7 Stop Words <= 1.1.3 – Cross-Site Request Forgery to Settings Update

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-12413
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
WPCF7 Stop words
Researcher
More Details >

Academy LMS Pro <= 3.3.8 – Unauthenticated Sensitive Information Exposure via ‘enqueue_social_login_script’

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12098
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Academy LMS Pro
Researcher
More Details >

Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 – Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12560
Patch Status
Patched
Published
Nov 5, 2025
Affected Software
Blog2Social: Social Media Auto Post & Scheduler
Researcher
More Details >

CoSchedule <= 3.4.0 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-49913
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
CoSchedule
Researcher
More Details >

Course Booking System <= 6.1.5 – Missing Authorization to Unauthenticated Booking Data Export

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12042
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Course Booking System
Researcher
More Details >

DominoKit <= 1.1.0 – Missing Authorization to Unauthenticated Settings Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12350
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
DominoKit
Researcher
More Details >

Download Manager <= 3.3.30 – Unauthenticated Cron Trigger due to Hardcoded Cron Key

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12177
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Download Manager
Researcher
More Details >

Easy Digital Download <= 3.5.2 – Insufficient Verification to Order Manipulation

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11271
Patch Status
Patched
Published
Nov 5, 2025
Affected Software
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Researcher
Jay
More Details >

Flexible Refund and Return Order for WooCommerce <= 1.0.42 – Incorrect Authorization to Authenticated (Contributor+) Refund Status Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12621
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Flexible Refund and Return Order for WooCommerce
Researcher
More Details >

FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 – Unauthenticated Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12468
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Researcher
More Details >

KiotViet Sync <= 1.8.5 – Unauthenticated Webhook Key Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12677
Patch Status
Unpatched
Published
Nov 4, 2025
Affected Software
KiotViet Sync
Researcher
More Details >

KiotViet Sync <= 1.8.5 – Use of Hard-coded Password to Authorization Bypass

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12676
Patch Status
Unpatched
Published
Nov 4, 2025
Affected Software
KiotViet Sync
Researcher
More Details >

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.16.4 – Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11835
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
Researcher
More Details >

Simple User Capabilities <= 1.0 – Missing Authorization to Unauthenticated Capability Reset

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12157
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Simple User Capabilities
Researcher
More Details >

Snow Effect <= 1.1.15 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-64294
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
WP Snow Effect
Researcher
More Details >

The Events Calendar <= 6.15.9 – Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12192
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
The Events Calendar
Researcher
More Details >

WPFunnels <= 3.6.2 – Unauthorized User Registration

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12353
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Easy WordPress Funnel Builder To Collect Leads And Increase Sales – WPFunnels
Researcher
More Details >

ZoloBlocks <= 2.3.11 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-49903
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
Researcher
More Details >

Easy Email Subscription <= 1.3 – Authenticated (Admin+) SQL Injection via uid

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-10683
Patch Status
Patched
Published
Nov 5, 2025
Affected Software
Easy Email Subscription
Researcher
More Details >

Quick Featured Images <= 13.7.3 – Authenticated (Editor+) SQL Injection via delete_orphaned

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-11980
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Quick Featured Images
Researcher
More Details >

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 – Authenticated (Editor+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-11972
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
Researcher
More Details >

Clubmember <= 0.2 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12396
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
clubmember
Researcher
More Details >

Free Quotation <= 3.1.6 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12393
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Free Quotation
Researcher
More Details >

HTML Forms <= 1.5.5 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12125
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
HTML Forms – Simple WordPress Forms Plugin
Researcher
More Details >

MeetingList <= 0.11 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12184
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
MeetingList
Researcher
More Details >

Multi-language Responsive Portfolio WordPress <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-11753
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Bootstrap Multi-language Responsive Portfolio
Researcher
More Details >

Nari Accountant <= 1.0.12 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12371
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Nari Accountant
Researcher
More Details >

WP Carticon <= 1.0.0 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12065
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
WP Carticon
Researcher
More Details >

Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One 2.0.7 – 2.3.0 – Missing Authorization to Authenticated (Subscriber+) Post Creation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12156
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Ai Auto Tool Content Writing Assistant All in One
Researcher
More Details >

Better Find and Replace <= 1.7.7 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12360
Patch Status
Patched
Published
Nov 5, 2025
Affected Software
Better Find and Replace – AI-Powered Suggestions
Researcher
More Details >

Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 – Incorrect Authorization to Video File Upload

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12563
Patch Status
Patched
Published
Nov 5, 2025
Affected Software
Blog2Social: Social Media Auto Post & Scheduler
Researcher
More Details >

Contact Form 7 AWeber Extension <= 0.1.42 – Missing Authorization to Authenticated (Subscriber+) Log Reset

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12167
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Contact Form 7 AWeber Extension
Researcher
More Details >

Easy Email Subscription <= 1.3 – Cross-Site Request Forgery to Arbitrary Subscriber Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10691
Patch Status
Patched
Published
Nov 5, 2025
Affected Software
Easy Email Subscription
Researcher
More Details >

EventPrime – Events Calendar, Bookings and Tickets <= 4.2.0.0 – Missing Authorization to Authenticated (Subscriber+) Booking Note Creation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12498
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
EventPrime – Events Calendar, Bookings and Tickets
Researcher
More Details >

Features <= 0.0.2 – Missing Authorization to Authenticated (Subscriber+) Option Reset

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12582
Patch Status
Unpatched
Published
Nov 4, 2025
Affected Software
Features
Researcher
More Details >

FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12469
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
Researcher
More Details >

Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 – Missing Authorization to Authenticated (Contributor+) Gallery Conversion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11448
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Gallery Plugin for WordPress – Envira Photo Gallery
Researcher
More Details >

Groups <= 3.7.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11748
Patch Status
Patched
Published
Nov 7, 2025
Affected Software
Groups
Researcher
More Details >

Import Export For WooCommerce <= 1.6.2 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12389
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Import Export For WooCommerce
Researcher
More Details >

KiotViet Sync <= 1.8.5 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12675
Patch Status
Unpatched
Published
Nov 4, 2025
Affected Software
KiotViet Sync
Researcher
More Details >

Page & Post Notes <= 1.3.4 – Missing Authorization to Authenticated (Subscriber+) Note Update/Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12527
Patch Status
Patched
Published
Nov 6, 2025
Affected Software
Page & Post Notes
Researcher
More Details >

Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 – Missing Authorization to Authenticated (Contributor+) Safe File Type Upload

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11373
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel
Researcher
More Details >

Posts Navigation Links for Sections and Headings – Free by WP Masters <= 1.0.1 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12188
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
Posts Navigation Links for Sections and Headings – Free by WP Masters
Researcher
More Details >

Strong Testimonials <= 3.2.16 – Unauthenticated Arbitrary Shortcode Execution

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11268
Patch Status
Patched
Published
Nov 5, 2025
Affected Software
Strong Testimonials
Researcher
More Details >

SUMO Affiliates Pro <= 11.0.0 – Authenticated (Subscriber+) Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-64228
Patch Status
Patched
Published
Nov 4, 2025
Affected Software
SUMO Affiliates Pro
Researcher
More Details >

ViaAds <= 2.1.1 – Cross-Site Request Forgery to API Key Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12070
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
ViaAds
Researcher
More Details >

WP Global Screen Options <= 0.2 – Cross-Site Request Forgery to Screen Options Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12069
Patch Status
Unpatched
Published
Nov 3, 2025
Affected Software
WP Global Screen Options
Researcher
More Details >

WP Airbnb Review Slider <= 4.2 – Authenticated (Admin+) Stored Cross-Site Scripting

4.0
CVSS Rating
Medium (4.0)
CVE-ID
CVE-2025-12520
Patch Status
Patched
Published
Nov 6, 2025
Affected Software
WP Airbnb Review Slider
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 3, 2025 to November 9, 2025) appeared first on Wordfence.

Leave a Comment