In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.
Last week, there were 64 vulnerabilities disclosed in 59 WordPress Plugins and 3 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 27,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-841 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-842 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-843 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 37 |
| Unpatched | 27 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 43 |
| High Severity | 14 |
| Critical Severity | 7 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 29 |
| Missing Authorization | 7 |
| Deserialization of Untrusted Data | 4 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Cross-Site Request Forgery (CSRF) | 3 |
| Improper Authorization | 3 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
| Exposure of Sensitive Information to an Unauthorized Actor | 2 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| External Control of File Name or Path | 1 |
| Improper Access Control | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Incorrect Privilege Assignment | 1 |
| Use of Insufficiently Random Values | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 5 | |
| 5 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| All-in-One Addons for Elementor – WidgetKit | widgetkit-for-elementor |
| Apptha Slider Gallery | apptha-slider-gallery |
| Blog Designer PRO for WordPress | blog-designer-pro |
| Bold Page Builder | bold-page-builder |
| Borderless – Elementor Addons and Templates | borderless |
| Browse As | browse-as |
| Daisycon prijsvergelijkers | daisycon |
| Dynamic Pricing and Discount Rules | discount-and-dynamic-pricing |
| Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | easy-digital-downloads |
| Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder | bdthemes-element-pack-lite |
| Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
| Exclusive Addons for Elementor | exclusive-addons-for-elementor |
| FastSpring | fastspring |
| Featured Image Plus – Quick & Bulk Edit with Unsplash | featured-image-plus |
| Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking | easync-booking |
| History Log by click5 | history-log-by-click5 |
| Infility Global | infility-global |
| Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | cf7-salesforce |
| LA-Studio Element Kit for Elementor | lastudio-element-kit |
| Likes and Dislikes Plugin | inprosysmedia-likes-dislikes-post |
| Map Block Leaflet | map-block-leaflet |
| MasterStudy LMS Pro | masterstudy-lms-learning-management-system-pro |
| MaxiBlocks: 2300+ Patterns, 280+ Pages, 14.3K Icons & 100 Styles | maxi-blocks |
| Minimal Share Buttons | minimal-share-buttons |
| MStore API – Create Native Android & iOS Apps On The Cloud | mstore-api |
| Newsletters | newsletters-lite |
| NinjaTeam Chat for Telegram | ninjateam-telegram |
| Offsprout Page Builder | offsprout-page-builder |
| OpenSheetMusicDisplay | opensheetmusicdisplay |
| Product Subtitle for WooCommerce | product-subtitle-for-woocommerce |
| Property – Real Estate Directory Listing | property |
| PSW Front-end Login & Registration | psw-login-and-registration |
| Quick Contact Form | quick-contact-form |
| quickcab | quickcab |
| Real Time Validation for Gravity Forms | real-time-validation-for-gravity-forms |
| Relevanssi – A Better Search | relevanssi |
| Relevanssi – A Better Search (Pro) | relevanssi-premium |
| Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme. | responsive-add-ons |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| Simple Page Access Restriction | simple-page-access-restriction |
| Smash Balloon Instagram Feed Pro | instagram-feed-pro |
| Smash Balloon Social Photo Feed – Easy Social Feeds Plugin | instagram-feed |
| Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | excel-like-price-change-for-woocommerce-and-wp-e-commerce-light |
| SUMO Affiliates Pro | affs |
| The E-Commerce ERP: Purchasing, Inventory, Fulfillment, Manufacturing, BOM, Accounting, Sales Analysis | profitori |
| The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce | the-plus-addons-for-elementor-page-builder |
| The Ultimate WordPress Toolkit – WP Extended | wpextended |
| Verge3D Publishing and E-Commerce | verge3d |
| Volunteer Sign Up Sheets | pta-volunteer-sign-up-sheets |
| WBW Product Table Pro | woo-producttables-pro |
| Wishlist | wishlist |
| Woo Slider Pro – Drag Drop Slider Builder For WooCommerce | woo-slider-pro-drag-drop-slider-builder-for-woocommerce |
| WooCommerce Orders & Customers Exporter | woocommerce-orders-customers-exporter |
| WP Attachments | wp-attachments |
| WP Guppy | wp-guppy |
| WP Pipes | wp-pipes |
| WP Posts Carousel | wp-posts-carousel |
| WP-GeoMeta | wp-geometa |
| WPCHURCH – Church Management System for WordPress | church-management |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Course Builder – Online Course WordPress Theme | course-builder |
| Solar Energy – Wind & Power Company WordPress Theme | solar |
| The Fashion – Model Agency One Page Beauty Theme | nrgfashion |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
CVE-2025-48336
Patched
May 29, 2025
Course Builder – Online Course WordPress Theme
CVE-2025-4631
Unpatched
May 30, 2025
The E-Commerce ERP: Purchasing, Inventory, Fulfillment, Manufacturing, BOM, Accounting, Sales Analysis
CVE-2025-4607
Unpatched
May 30, 2025
PSW Front-end Login & Registration
CVE-2025-48330
Unpatched
May 30, 2025
Real Time Validation for Gravity Forms
CVE-2025-32291
Unpatched
May 30, 2025
SUMO Affiliates Pro
The Fashion – Model Agency One Page Beauty Theme <= 1.4.4 – Unauthenticated PHP Object Injection
CVE-2025-31052
Unpatched
May 29, 2025
The Fashion – Model Agency One Page Beauty Theme
CVE-2025-48267
Patched
May 30, 2025
WP Pipes
CVE-2025-5190
Unpatched
May 29, 2025
Browse As
CVE-2025-4800
Patched
May 27, 2025
MasterStudy LMS Pro
MaxiBlocks <= 2.1.0 – Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update
CVE-2025-47601
Unpatched
May 30, 2025
MaxiBlocks: 2300+ Patterns, 280+ Pages, 14.3K Icons & 100 Styles
CVE-2025-4672
Unpatched
May 30, 2025
Offsprout Page Builder
CVE-2025-5117
Patched
May 26, 2025
Property – Real Estate Directory Listing
CVE-2025-32283
Unpatched
May 30, 2025
Solar Energy – Wind & Power Company WordPress Theme
CVE-2025-39358
Patched
May 29, 2025
WP Posts Carousel
CVE-2025-4103
Unpatched
May 30, 2025
WP-GeoMeta
CVE-2025-31643
Unpatched
May 30, 2025
WPCHURCH – Church Management System for WordPress
CVE-2025-31050
Unpatched
May 29, 2025
Apptha Slider Gallery
CVE-2025-5287
Unpatched
May 27, 2025
Likes and Dislikes Plugin
CVE-2025-48124
Unpatched
May 30, 2025
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light
CVE-2025-31059
Unpatched
May 30, 2025
WBW Product Table Pro
CVE-2025-4857
Patched
May 30, 2025
Newsletters
CVE-2025-47651
Unpatched
May 29, 2025
Infility Global
CVE-2025-5142
Patched
May 29, 2025
Simple Page Access Restriction
CVE-2025-4597
Unpatched
May 29, 2025
Woo Slider Pro – Drag Drop Slider Builder For WooCommerce
CVE-2025-31920
Unpatched
May 30, 2025
WP Guppy
CVE-2025-5286
Patched
May 28, 2025
Bold Page Builder
CVE-2025-5290
Patched
May 30, 2025
Borderless – Elementor Addons and Templates
CVE-2025-4590
Unpatched
May 30, 2025
Daisycon prijsvergelijkers
CVE-2025-4670
Patched
May 28, 2025
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
CVE-2025-5292
Patched
May 30, 2025
CVE-2025-4682
Patched
May 26, 2025
CVE-2025-4783
Patched
May 26, 2025
Exclusive Addons for Elementor
CVE-2025-4595
Unpatched
May 30, 2025
FastSpring
CVE-2025-47598
Unpatched
May 30, 2025
History Log by click5
CVE-2025-4943
Patched
May 29, 2025
LA-Studio Element Kit for Elementor
CVE-2025-4944
Patched
May 29, 2025
LA-Studio Element Kit for Elementor
CVE-2025-5122
Patched
May 28, 2025
Map Block Leaflet
CVE-2025-5259
Patched
May 29, 2025
Minimal Share Buttons
CVE-2025-5236
Patched
May 29, 2025
NinjaTeam Chat for Telegram
CVE-2025-5235
Patched
May 29, 2025
OpenSheetMusicDisplay
CVE-2025-5285
Patched
May 30, 2025
Product Subtitle for WooCommerce
CVE-2025-3813
Patched
May 30, 2025
Royal Elementor Addons and Templates
CVE-2025-49076
Patched
May 30, 2025
CVE-2025-49074
Patched
May 30, 2025
All-in-One Addons for Elementor – WidgetKit
CVE-2025-49075
Patched
May 30, 2025
Wishlist
CVE-2025-4963
Patched
May 27, 2025
The Ultimate WordPress Toolkit – WP Extended
CVE-2025-47694
Unpatched
May 30, 2025
Blog Designer PRO for WordPress
CVE-2025-48245
Patched
May 29, 2025
Quick Contact Form
CVE-2025-48329
Unpatched
May 30, 2025
Real Time Validation for Gravity Forms
CVE-2025-48241
Patched
May 29, 2025
Verge3D Publishing and E-Commerce
CVE-2025-5082
Patched
May 27, 2025
WP Attachments
CVE-2025-4583
Patched
May 28, 2025
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin
Smash Balloon Instagram Feed Pro
CVE-2025-4691
Patched
May 30, 2025
CVE-2025-4659
Patched
May 29, 2025
Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
CVE-2025-48337
Unpatched
May 29, 2025
quickcab
CVE-2025-5016
Patched
May 30, 2025
CVE-2025-3704
Patched
May 27, 2025
Volunteer Sign Up Sheets
CVE-2025-49077
Patched
May 30, 2025
Dynamic Pricing and Discount Rules
CVE-2025-4431
Patched
May 29, 2025
Featured Image Plus – Quick & Bulk Edit with Unsplash
CVE-2025-4683
Patched
May 26, 2025
MStore API – Create Native Android & iOS Apps On The Cloud
CVE-2025-48328
Unpatched
May 30, 2025
Real Time Validation for Gravity Forms
CVE-2025-48335
Patched
May 29, 2025
Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.
CVE-2025-48334
Unpatched
May 30, 2025
Woo Slider Pro – Drag Drop Slider Builder For WooCommerce
WooCommerce Orders & Customers Exporter <= 5.0 – Authenticated (Subscriber+) Information Exposure
CVE-2025-48331
Unpatched
May 30, 2025
WooCommerce Orders & Customers Exporter
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 26, 2025 to June 1, 2025) appeared first on Wordfence.
