Wordfence Intelligence Weekly WordPress Vulnerability Report (November 17, 2025 to November 23, 2025)

by

Last week, there were 140 vulnerabilities disclosed in 129 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 58 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 31,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our PremiumCare, and Response customers last week:

    • WAF-RULE-876 – Data redacted while we work with the vendor on a patch.

Wordfence PremiumCare, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 92
Unpatched 48

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 111
High Severity 28
Critical Severity 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 44
Missing Authorization 36
Cross-Site Request Forgery (CSRF) 10
Unrestricted Upload of File with Dangerous Type 8
Exposure of Sensitive Information to an Unauthorized Actor 7
Server-Side Request Forgery (SSRF) 6
Authorization Bypass Through User-Controlled Key 5
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 5
Improper Authorization 4
External Control of File Name or Path 2
Files or Directories Accessible to External Parties 2
Improper Control of Generation of Code (‘Code Injection’) 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 2
Missing Authentication for Critical Function 2
Deserialization of Untrusted Data 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 1
Improper Input Validation 1
Improper Neutralization of Formula Elements in a CSV File 1
Insufficient Verification of Data Authenticity 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
14
9
8
8
6
6
5
5
5
4
4
3
3
3
2
2
2
2
2
2
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
ACF Flexible Layouts Manager acf-flexible-layouts-manager
Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager ap-plugin-scripteo
Affiliate AI Lite affiliate-ai-lite
AI Engine ai-engine
Appointment Booking Calendar appointment-booking-calendar
ArtiBot Free Chat Bot for WebSites artibot
AudioTube audiotube
AuthorSure authorsure
Better Chat Support for Messenger better-chat-support
BigBuy Dropshipping Connector for WooCommerce bigbuy-wc-dropshipping-connector
Booking Calendar Contact Form booking-calendar-contact-form
Booking for Appointments and Events Calendar – Amelia ameliabooking
BrightTALK WordPress Shortcode brighttalk-wp-shortcode
Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links broken-link-checker-seo
Bulma Shortcodes bulma-shortcodes
Category and Product Woocommerce Tabs category-and-product-woocommerce-tabs
CBX Bookmark & Favorite cbxwpbookmark
Chat Help – Click to Chat Button & Form chat-help
Checkbox checkbox
Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce
Classified Listing – AI-Powered Classified ads & Business Directory Plugin classified-listing
Code Snippets code-snippets
Coil Web Monetization coil-web-monetization
Community Events community-events
Cookie Notice & Compliance for GDPR / CCPA cookie-notice
CP Contact Form with PayPal cp-contact-form-with-paypal
Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop
Cryptocurrency Payment Gateway for WooCommerce triplea-cryptocurrency-payment-gateway-for-woocommerce
CSV to SortTable csv-to-sorttable
Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce
Custom Post Type custom-post-type
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings directorist
Display Pages Shortcode display-pages-shortcode
Download Panel (Biggiko Team) download-panel
EchBay Admin Security echbay-admin-security
Element Pack Addons for Elementor bdthemes-element-pack-lite
ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system
Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce email-subscribers
Enable SVG, WebP, and ICO Upload enable-svg-webp-ico-upload
everviz – Charts, Maps and Tables – Interactive and responsive everviz
Flo Forms – Easy Drag & Drop Form Builder flo-forms
FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution fluent-crm
FunnelKit – Funnel Builder for WooCommerce Checkout funnel-builder
Gallery with thumbnail slider gallery-with-thumbnail-slider
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers rafflepress
GiveWP – Donation Plugin and Fundraising Platform give
Gravity Forms gravityforms
Groundhogg — CRM, Newsletters, and Marketing Automation groundhogg
GSheetConnector For Ninja Forms gsheetconnector-ninja-forms
Gutenify – Visual Site Builder Blocks & Site Templates. gutenify
HotelRunner Booking Widget hotelrunner
HT Mega – Absolute Addons For Elementor ht-mega-for-elementor
Ibtana – WordPress Website Builder ibtana-visual-editor
Icon List Block – Add Icon-Based Lists with Custom Styles icon-list-block
IDonate – Blood Donation, Request And Donor Management System idonate
Image Hover Effects Ultimate image-hover-effects-ultimate
Import WP – Export and Import CSV and XML files to WordPress jc-importer
Islamic Phrases islamic-phrases
LearnPress – WordPress LMS Plugin learnpress
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator legal-pages
LightGallery WP lightgallerywp
Like-it like-it
Live sales notification for WooCommerce live-sales-notifications-for-woocommerce
Local Syndication local-syndication
Magical Products Display – Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search magical-products-display
Meta Display Block meta-display-block
Multiple Roles per User multiple-roles-per-user
New User Approve new-user-approve
OneClick Chat to Order oneclick-whatsapp-order
Padlet Shortcode wallwisher-shortcode
Pet-Manager – Petfinder tier-management-petfinder
Photonic Gallery & Lightbox for Flickr, SmugMug & Others photonic
Pie Forms — Drag & Drop Form Builder pie-forms-for-wp
Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more woocommerce-google-adwords-conversion-tracking-tag
Pollcaster Shortcode Plugin pollcaster-shortcode
Portfolio, Gallery, Product Catalog – Grid KIT Portfolio portfolio-wp
Post Type Switcher post-type-switcher
PPOM – Product Addons & Custom Fields for WooCommerce woocommerce-product-addon
Premmerce Wholesale Pricing for WooCommerce premmerce-woocommerce-wholesale-pricing
Project Honey Pot Spam Trap project-honey-pot-spam-trap
Quiz Maker quiz-maker
Realty Portal realty-portal
Responsive Lightbox & Gallery responsive-lightbox
Restrictions for BuddyPress bp-restrict
Return Refund and Exchange For WooCommerce woo-refund-and-exchange-lite
Royal Addons for Elementor – Addons and Templates Kit for Elementor royal-elementor-addons
RTMKit rometheme-for-elementor
S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator s2b-ai-assistant
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories post-expirator
Shortcode for Google Street View wp-google-street-view-shortcode
Shortcodes Bootstrap shortcodes-bootstrap
Simple User Import Export a3-user-importer
Simple User Registration wp-registration
SiteSEO – SEO Simplified siteseo
Stock Tools stock-tools
Subscriptions & Memberships for PayPal subscriptions-memberships-for-paypal
Surbma | MiniCRM Shortcode surbma-minicrm-shortcode
SureForms – Contact Form, Payment Form & Other Custom Form Builder sureforms
Tainacan tainacan
The Permalinks Cascade the-permalinks-cascade
Time Slot – Booking and Appointment Scheduling timeslot
Tips Shortcode tips-shortcode
Top Friends top-friends
TP WooCommerce Product Gallery tp-woocommerce-product-gallery
UiPress lite | Effortless custom dashboards, admin themes and pages uipress-lite
Ultimate Member Widgets for Elementor – WordPress User Directory ultimate-member-widgets-for-elementor
URL Image Importer url-image-importer
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor profile-builder
Vitepos – Point of Sale (POS) for WooCommerce vitepos-lite
VK All in One Expansion Unit vk-all-in-one-expansion-unit
wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce catalog-mode-pricing-enquiry-forms-promotions
WP Admin Microblog wp-admin-microblog
WP AUDIO GALLERY wp-audio-gallery
WP Company Info wp-company-info
WP Delete Post Copies etruel-del-post-copies
WP Directory Kit wpdirectorykit
WP Dropzone wp-dropzone
WP Duplicate Page wp-duplicate-page
WP Import – Ultimate CSV XML Importer for WordPress wp-ultimate-csv-importer
WP Login and Register using JWT login-register-using-jwt
WP Migrate Lite – WordPress Migration Made Easy wp-migrate-db
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
WP Twitter Auto Publish twitter-auto-publish
WPBookit wpbookit
WPSite Shortcode wpsite-shortcode
WSChat – WordPress Live Chat wschat-live-chat
YITH WooCommerce Wishlist yith-woocommerce-wishlist
Zegen Core zegen-core
简数采集器 keydatas

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
OnePress onepress

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-11456
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
More Details >

Category and Product Woocommerce Tabs <= 1.0 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-13088
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Category and Product Woocommerce Tabs
Researcher
More Details >

Enable SVG, WebP, and ICO Upload <= 1.1.2 – Authenticated (Author+) Arbitrary File Upload via ICO Upload Bypass

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-13069
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Enable SVG, WebP, and ICO Upload
Researcher
More Details >

Realty Portal <= 0.4.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-11985
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Realty Portal
Researcher
More Details >

URL Image Importer <= 1.0.6 – Authenticated (Author+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-12138
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
URL Image Importer
Researcher
More Details >

Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0 – Authenticated (Subscriber+) Arbitrary File Upload to Remote Code Execution

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-13156
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Vitepos – Point of Sale (POS) for WooCommerce
Researcher
More Details >

WP Dropzone <= 1.1.0 – Authenticated (Subscriber+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-12775
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
WP Dropzone
Researcher
More Details >

Zegen Core <= 2.0.1 – Cross-Site Request Forgery to Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-11087
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
Zegen Core
Researcher
More Details >

Gravity Forms <= 2.9.21.1 – Unauthenticated Arbitrary File Upload via Legacy Chunked Upload

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-12974
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
Gravity Forms
Researcher
More Details >

Pie Forms for WP <= 1.6 – Unauthenticated Arbitrary File Upload

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-12528
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Pie Forms — Drag & Drop Form Builder
Researcher
More Details >

WP AUDIO GALLERY <= 2.0 – Authenticated (Subscriber+) Arbitrary File Deletion via ‘audio_upload’ Parameter

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-13322
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
WP AUDIO GALLERY
Researcher
More Details >

Code Snippets <= 3.9.1 – Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains

8.0
CVSS Rating
High (8.0)
CVE-ID
CVE-2025-13035
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Code Snippets
Researcher
More Details >

Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager <= 4.95 – Unauthenticated SQL Injection via site_id

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-7402
Patch Status
Unpatched
Published
Nov 23, 2025
Affected Software
Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager
Researcher
More Details >

Chat Help – Click to Chat Button & Form <= 3.1.3 – Missing Authorization to Unauthenticated Sensitive Information Exposure

7.5
CVSS Rating
High (7.5)
CVE-ID
Unknown
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Chat Help – Click to Chat Button & Form
Researcher
More Details >

Community Events <= 1.5.4 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-12646
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Community Events
Researcher
More Details >

CP Contact Form with PayPal <= 1.3.56 – Missing Authorization to Unauthenticated Arbitrary Payment Confirmation

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-13384
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
CP Contact Form with PayPal
Researcher
More Details >

Live sales notification for WooCommerce <= 2.3.39 – Missing Authorization to Unauthenticated Customer Data Exposure

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-12955
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
Live sales notification for WooCommerce
Researcher
More Details >

OneClick Chat to Order <= 1.0.8 – Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-13526
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
OneClick Chat to Order
Researcher
More Details >

WP Directory Kit <= 1.4.3 – Unauthenticated SQL Injection via select_2_ajax() Function

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-13138
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
WP Directory Kit
Researcher
More Details >

Checkout Files Upload for WooCommerce <= 2.2.1 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-4212
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
Checkout Files Upload for WooCommerce
Researcher
More Details >

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.19 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-12484
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Researcher
More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 4.13.0 – Unauthenticated Stored Cross-Site Scripting via ‘name’

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-13206
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
GiveWP – Donation Plugin and Fundraising Platform
Researcher
More Details >

Multiple Roles per User <= 1.0 – Missing Authorization to Authenticated (Custom+) Privilege Escalation

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-11620
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Multiple Roles per User
Researcher
More Details >

S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator <= 1.7.8 – Authenticated (Editor+) Arbitrary File Upload

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-12973
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator
Researcher
More Details >

Simple User Registration <= 6.6 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-12160
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Simple User Registration
Researcher
More Details >

WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 – Authenticated (Administrator+) PHP Object Injection via CSV Import

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-13145
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
WP Import – Ultimate CSV XML Importer for WordPress
Researchers
More Details >

WPBookit <= 1.0.6 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-12135
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
WPBookit
Researcher
More Details >

Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43 – Unauthenticated Stored Cross-Site Scripting via SVG Upload

7.1
CVSS Rating
High (7.1)
CVE-ID
CVE-2025-13159
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Flo Forms – Easy Drag & Drop Form Builder
Researcher
More Details >

Premmerce Wholesale Pricing for WooCommerce <= 1.1.10 – Authenticated (Subscriber+) SQL Injection

7.1
CVSS Rating
High (7.1)
CVE-ID
CVE-2025-12411
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Premmerce Wholesale Pricing for WooCommerce
Researcher
More Details >

AI Engine <= 3.1.8 – Authenticated (Editor+) Server-Side Request Forgery

6.8
CVSS Rating
Medium (6.8)
CVE-ID
CVE-2025-8084
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
AI Engine
Researcher
More Details >

Simple User Import Export <= 1.1.7 – Authenticated (Admin+) CSV Injection

6.6
CVSS Rating
Medium (6.6)
CVE-ID
CVE-2025-13133
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Simple User Import Export
Researcher
More Details >

ACF Flexible Layouts Manager <= 1.1.6 – Missing Authorization to Unauthenticated Custom Field Update

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-12937
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
ACF Flexible Layouts Manager
Researcher
More Details >

Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.5.2 – Missing Authorization to Authenticated (Subscriber+) Data Export and Slug Update

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-12174
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Researcher
More Details >

UiPress lite <= 3.5.08 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-10938
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
UiPress lite | Effortless custom dashboards, admin themes and pages
Researcher
More Details >

Affiliate AI Lite <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11799
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Affiliate AI Lite
Researcher
More Details >

AudioTube <= 0.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11801
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
AudioTube
Researcher
More Details >

BrightTALK WordPress Shortcode <= 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11770
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
BrightTALK WordPress Shortcode
Researcher
More Details >

Bulma Shortcodes <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11802
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Bulma Shortcodes
Researcher
More Details >

Cookie Notice & Compliance for GDPR / CCPA <= 2.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11186
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
Cookie Notice & Compliance for GDPR / CCPA
Researcher
More Details >

CSV to SortTable <= 4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12823
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
CSV to SortTable
Researcher
More Details >

Display Pages Shortcode <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11763
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Display Pages Shortcode
Researcher
More Details >

Enable SVG, WebP, and ICO Upload <= 1.1.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12457
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Enable SVG, WebP, and ICO Upload
Researcher
More Details >

everviz <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11868
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
everviz – Charts, Maps and Tables – Interactive and responsive
Researcher
More Details >

FluentCRM – Marketing Automation For WordPress <= 2.9.84 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘fluentcrm_content’ Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12935
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution
Researcher
More Details >

FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12878
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
FunnelKit – Funnel Builder for WooCommerce Checkout
Researcher
More Details >

Gutenify – Visual Site Builder Blocks & Site Templates <= 1.5.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Count Up block

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8605
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Gutenify – Visual Site Builder Blocks & Site Templates.
Researcher
More Details >

HotelRunner Booking Widget <= 5.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-13135
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
HotelRunner Booking Widget
Researcher
More Details >

HT Mega – Absolute Addons For Elementor <= 3.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Tag Attribute Injection

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-13141
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
HT Mega – Absolute Addons For Elementor
Researcher
More Details >

Icon List Block – Add Icon-Based Lists with Custom Styles <= 1.2.1 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12376
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Icon List Block – Add Icon-Based Lists with Custom Styles
Researcher
More Details >

Islamic Phrases <= 2.12.2015 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11768
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Islamic Phrases
Researcher
More Details >

Local Syndication <= 1.5a – Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12962
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Local Syndication
Researcher
More Details >

Magical Products Display <= 1.1.29 – Authenticated (Contributor+) Stored Cross-Site Scripting via MPD Pricing Table Widget

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12964
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Magical Products Display – Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search
Researcher
More Details >

Meta Display Block <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12088
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Meta Display Block
Researcher
More Details >

Multiple Plugins and Themes <= (Various Versions) – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5092
Patch Status
Patched
Published
Nov 19, 2025
Affected Software
Gallery with thumbnail slider
Ibtana – WordPress Website Builder
Image Hover Effects Ultimate
LightGallery WP
OnePress
Portfolio, Gallery, Product Catalog – Grid KIT Portfolio
Royal Addons for Elementor – Addons and Templates Kit for Elementor
TP WooCommerce Product Gallery
Researcher
More Details >

Padlet Shortcode <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12660
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Padlet Shortcode
Researcher
More Details >

Pet-Manager – Petfinder <= 3.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via kwm-petfinder Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12710
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Pet-Manager – Petfinder
Researcher
More Details >

Photonic Gallery & Lightbox for Flickr, SmugMug & Others <= 3.21 – Authenticated (Contributor+) Stored Cross-Site Scripting via Caption Attribute

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12691
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
Photonic Gallery & Lightbox for Flickr, SmugMug & Others
Researcher
More Details >

Pollcaster Shortcode Plugin <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12661
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Pollcaster Shortcode Plugin
Researcher
More Details >

Royal Elementor Addons and Templates <= 1.7.1036 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-6251
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Royal Addons for Elementor – Addons and Templates Kit for Elementor
Researcher
More Details >

RTMKit Addons <= 1.6.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Repeater Block Attribute

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8609
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
RTMKit
Researcher
More Details >

Shortcode for Google Street View <= 0.5.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11808
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Shortcode for Google Street View
Researcher
More Details >

Shortcodes Bootstrap <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11764
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Shortcodes Bootstrap
Researcher
More Details >

Stock Tools <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11765
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Stock Tools
Researcher
More Details >

Surbma | MiniCRM Shortcode <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11800
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Surbma | MiniCRM Shortcode
Researcher
More Details >

Tips Shortcode <= 0.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11767
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Tips Shortcode
Researcher
More Details >

UiPress lite <= 3.5.08 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11003
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
UiPress lite | Effortless custom dashboards, admin themes and pages
Researcher
More Details >

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.14.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-13054
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Researcher
More Details >

VK All in One Expansion Unit <= 9.112.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11267
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
VK All in One Expansion Unit
Researcher
More Details >

VK All in One Expansion Unit <= 9.112.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11265
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
VK All in One Expansion Unit
Researcher
More Details >

WP Company Info <= 1.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11826
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
WP Company Info
Researcher
More Details >

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.5 – Authenticated (Administrator+) Server-Side Request Forgery

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12800
Patch Status
Patched
Published
Nov 23, 2025
Affected Software
WP Shortcodes Plugin — Shortcodes Ultimate
Researcher
More Details >

WPSite Shortcode <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-11803
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
WPSite Shortcode
Researcher
More Details >

ArtiBot Free Chat Bot for WebSites <= 1.1.7 – Reflected Cross-Site Scripting via PostMessage

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12078
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
ArtiBot Free Chat Bot for WebSites
Researcher
More Details >

AuthorSure <= 2.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-13134
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
AuthorSure
Researcher
More Details >

EchBay Admin Security <= 1.3.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-11885
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
EchBay Admin Security
Researcher
More Details >

Like-it <= 2.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12404
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Like-it
Researcher
More Details >

Project Honey Pot Spam Trap <= 1.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12406
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Project Honey Pot Spam Trap
Researcher
More Details >

Tainacan <= 1.0.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12746
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Tainacan
Researcher
More Details >

WP Twitter Auto Publish <= 1.7.3 – Reflected Cross-Site Scripting via PostMessage

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-12079
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
WP Twitter Auto Publish
Researcher
More Details >

WP Migrate Lite <= 2.7.6 – Unauthenticated Blind Server-Side Request Forgery

5.8
CVSS Rating
Medium (5.8)
CVE-ID
CVE-2025-11427
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
WP Migrate Lite – WordPress Migration Made Easy
Researcher
More Details >

Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links <= 1.2.5 – Missing Authorization to Authenticated (Contributor+) Arbitrary Post Trashing

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-11734
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links
Researcher
More Details >

Classified Listing – Classified ads & Business Directory Plugin <= 5.0.3 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via Listing Description

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-7711
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
Classified Listing – AI-Powered Classified ads & Business Directory Plugin
Researcher
More Details >

Element Pack Addons for Elementor <= 8.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map widget

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-13196
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
Element Pack Addons for Elementor
Researcher
More Details >

Post Type Switcher <= 4.0.0 – Insecure Direct Object Reference to Authenticated (Author+) Post Type Change

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-12524
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
Post Type Switcher
Researcher
More Details >

Responsive Lightbox & Gallery <= 2.5.3 – Authenticated (Author+) Server-Side Request Forgery

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-12359
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Responsive Lightbox & Gallery
Researcher
More Details >

Return Refund and Exchange For WooCommerce <= 4.5.5 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-12881
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Return Refund and Exchange For WooCommerce
Researcher
More Details >

Amelia 1.2.18 – 1.2.36 – Unauthenticated Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2023-49282
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Booking for Appointments and Events Calendar – Amelia
Researcher
More Details >

Appointment Booking Calendar <= 1.3.96 – Missing Authorization to Arbitrary Booking Confirmation via ‘cpabc_ipncheck’ Parameter

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-13317
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
Appointment Booking Calendar
Researcher
More Details >

Better Chat Support for Messenger <= 1.2.18 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-66113
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Better Chat Support for Messenger
Researcher
More Details >

BigBuy Dropshipping Connector for WooCommerce <= 2.0.5 – Unauthenticated IP Spoofing to phpinfo() Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12039
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
BigBuy Dropshipping Connector for WooCommerce
Researcher
More Details >

Booking Calendar Contact Form <= 1.2.60 – Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via ‘dex_bccf_ipn’ Parameter

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-13318
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
Booking Calendar Contact Form
Researcher
More Details >

Booking Plugin for WordPress Appointments – Time Slot <= 1.4.7 – Unauthenticated Arbitrary Email Sending

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12842
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Time Slot – Booking and Appointment Scheduling
Researcher
More Details >

Checkbox <= 2.8.10 – Missing Authorization to Unauthenticated Log Clearing

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12170
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Checkbox
Researcher
More Details >

Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 – Missing Authentication to Unauthenticated Presale Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11771
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
Researcher
More Details >

Cryptocurrency Payment Gateway for WooCommerce <= 2.0.22 – Missing Authorization to Unauthenticated Tracking Status Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12392
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Cryptocurrency Payment Gateway for WooCommerce
Researcher
More Details >

Custom Order Numbers for WooCommerce <= 1.11.0 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-66071
Patch Status
Patched
Published
Nov 22, 2025
Affected Software
Custom Order Numbers for WooCommerce
Researcher
More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 – Missing Authorization to Authenticated (Subscriber+) Role Removal

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-10054
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
More Details >

Email Subscribers & Newsletters <= 5.9.10 – Missing Authentication to Unauthenticated Mailing Queue Trigger

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12349
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce
Researcher
More Details >

IDonate – Blood Donation, Request And Donor Management System <= 2.1.15 – Missing Authorization to Unauthenticated Arbitrary Post Deletion

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12877
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
IDonate – Blood Donation, Request And Donor Management System
Researcher
More Details >

Import WP – Export and Import CSV and XML files to WordPress <= 2.14.17 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12894
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Import WP – Export and Import CSV and XML files to WordPress
Researcher
More Details >

LearnPress – WordPress LMS Plugin <= 4.2.9.4 – Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11368
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
LearnPress – WordPress LMS Plugin
Researcher
More Details >

Legal Pages <= 1.4.6 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-66077
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Researcher
More Details >

New User Approve <= 3.0.9 – Unauthenticated Sensitive Information Disclosure via Type Juggling

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12770
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
New User Approve
Researcher
More Details >

Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more <= 1.49.2 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12545
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
Researcher
More Details >

Quiz Maker <= 6.7.0.80 – Unauthenticated Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12426
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
Quiz Maker
Researcher
More Details >

Restrictions for BuddyPress <= 1.5.2 – Missing Authorization to Unauthenticated Tracking Status Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12391
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Restrictions for BuddyPress
Researcher
More Details >

SiteSEO – SEO Simplified <= 1.3.2 – Improper Authorization to Authenticated Settings Reset

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12814
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
SiteSEO – SEO Simplified
Researcher
More Details >

Subscriptions & Memberships for PayPal <= 1.1.7 – Unauthenticated Fake Payment Creation

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12752
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
Subscriptions & Memberships for PayPal
Researcher
More Details >

SureForms <= 1.13.1 – Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12535
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
SureForms – Contact Form, Payment Form & Other Custom Form Builder
Researcher
More Details >

Tainacan <= 1.0.0 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12747
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Tainacan
Researcher
More Details >

Ultimate Member Widgets for Elementor <= 2.3 – Missing Authorization to Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12778
Patch Status
Patched
Published
Nov 19, 2025
Affected Software
Ultimate Member Widgets for Elementor – WordPress User Directory
Researcher
More Details >

YITH WooCommerce Wishlist <= 4.10.0 – Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12427
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
YITH WooCommerce Wishlist
Researcher
More Details >

YITH WooCommerce Wishlist <= 4.10.0 – Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12777
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
YITH WooCommerce Wishlist
Researcher
More Details >

Groundhogg <= 4.2.6.1 – Authenticated (Admin+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-12750
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Groundhogg — CRM, Newsletters, and Marketing Automation
Researcher
More Details >

简数采集器 <= 2.6.3 – Authenticated (Admin+) Arbitrary File Read

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-11973
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
简数采集器
Researcher
More Details >

WP Delete Post Copies <= 6.0.2 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12066
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
WP Delete Post Copies
Researcher
More Details >

CBX Bookmark & Favorite <= 2.0.1 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-66101
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
CBX Bookmark & Favorite
Researcher
More Details >

Coil Web Monetization <= 2.0.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9625
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Coil Web Monetization
Researcher
More Details >

Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 – Missing Authorization to Authenticated (Subscriber+) Contract Address Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11773
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
Researcher
More Details >

Custom Post Type <= 1.0 – Cross-Site Request Forgery to Custom Post Type Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13142
Patch Status
Unpatched
Published
Nov 20, 2025
Affected Software
Custom Post Type
Researcher
More Details >

Download Panel <= 1.3.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12961
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Download Panel (Biggiko Team)
Researcher
More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.9 – Authenticated (Subscriber+) Insecure Direct Object Reference via ‘eh_crm_ticket_single_view_client’

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-10039
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.0 – Missing Authorization to Authenitcated (Subscriber+) to Scheduled Trigger Deletion

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12169
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 – Missing Authorization to Authenticated (Subscriber+) Ticket Restore

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12023
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 – Missing Authorization to Authenticated (Subscriber+) Trash Empty

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12085
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 – Missing Authorization to Authenticated (Subscriber+) Trash Restore

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12022
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System
Researcher
More Details >

Giveaways and Contests by RafflePress <= 1.12.20 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-66064
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Researcher
More Details >

GSheetConnector For Ninja Forms <= 2.0.1 – Missing Authorization to Authenticated (Subscriber+) System Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13136
Patch Status
Patched
Published
Nov 21, 2025
Affected Software
GSheetConnector For Ninja Forms
Researcher
More Details >

PPOM for WooCommerce <= 33.0.16 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-66069
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
PPOM – Product Addons & Custom Fields for WooCommerce
Researcher
More Details >

Return Refund and Exchange For WooCommerce <= 4.5.5 – Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12086
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Return Refund and Exchange For WooCommerce
Researcher
More Details >

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 – Authenticated (Author+) Missing Authorization to Post/Page Status Modification

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13149
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Researcher
More Details >

SiteSEO – SEO Simplified <= 1.3.2 – Insecure Direct Object Reference to Sensitive Post Meta Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13085
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
SiteSEO – SEO Simplified
Researcher
More Details >

The Permalinks Cascade <= 2.2 – Missing Authorization To Authenticated (Subscriber+) Plugin Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12372
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
The Permalinks Cascade
Researcher
More Details >

Top Friends <= 0.3 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12827
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
Top Friends
Researcher
More Details >

UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.08 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11815
Patch Status
Patched
Published
Nov 20, 2025
Affected Software
UiPress lite | Effortless custom dashboards, admin themes and pages
Researcher
More Details >

wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce <= 1.2.2 – Missing Authorization to Sensitive Information Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12639
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce
Researcher
More Details >

WP Admin Microblog <= 3.1.1 – Cross-Site Request Forgery to Message Creation

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12173
Patch Status
Unpatched
Published
Nov 17, 2025
Affected Software
WP Admin Microblog
Researcher
More Details >

WP Duplicate Page <= 1.7 – Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12481
Patch Status
Patched
Published
Nov 17, 2025
Affected Software
WP Duplicate Page
Researcher
More Details >

WP Login and Register using JWT <= 3.0.0 – Missing Authorization to Authenticated (Subscriber+) API Key Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12822
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
WP Login and Register using JWT
Researcher
More Details >

WSChat – WordPress Live Chat <= 3.1.6 – Missing Authorization to Authenticated (Subscriber+) Settings Reset

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12751
Patch Status
Patched
Published
Nov 18, 2025
Affected Software
WSChat – WordPress Live Chat
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 17, 2025 to November 23, 2025) appeared first on Wordfence.

Leave a Comment