Wordfence Intelligence Weekly WordPress Vulnerability Report (July 14, 2025 to July 20, 2025)

by

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢

🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

Last week, there were 140 vulnerabilities disclosed in 120 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 48 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 28,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our PremiumCare, and Response customers last week:

  • WAF-RULE-859 – Data redacted while we work with the vendor on a patch.

Wordfence PremiumCare, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 106
Unpatched 34

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 112
High Severity 15
Critical Severity 13

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 55
Missing Authorization 24
Cross-Site Request Forgery (CSRF) 17
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 11
Exposure of Sensitive Information to an Unauthorized Actor 9
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 6
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 5
Deserialization of Untrusted Data 4
Unrestricted Upload of File with Dangerous Type 3
Authentication Bypass Using an Alternate Path or Channel 1
Authorization Bypass Through User-Controlled Key 1
External Control of File Name or Path 1
Improper Control of Generation of Code (‘Code Injection’) 1
Improper Privilege Management 1
Server-Side Request Forgery (SSRF) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
21
12
8
7
7
6
5
5
4
4
4
3
3
3
3
3
3
2
2
2
2
2
2
2
2

Bao
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
aapanel WP Toolkit aapanel-wp-toolkit
Affiliate Reviews affiliate-reviews
Alike – WordPress Custom Post Comparison alike
Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) azon-addon-js-composer
Animator – Scroll Triggered Animations scroll-triggered-animations
AntiSpam for Contact Form 7 cf7-antispam
Apollo – Sticky Full Width HTML5 Audio Player lbg-audio5-html5-shoutcast-sticky
Appointment Booking & Scheduling Plugin — Webba Booking Calendar webba-booking-lite
Attachment Manager attachment-manager
Avada (Fusion) Builder fusion-builder
Avishi WP PayPal Payment Button avishi-wp-paypal-payment-button
B1.lt b1-accounting
Bears Backup bears-backup
Block Editor Gallery Slider block-editor-gallery-slider
Bold Page Builder bold-page-builder
Brandfolder – Digital Asset Management Simplified. brandfolder
Chatbox Manager wa-chatbox-manager
Cloud SAML SSO – Single Sign On Login cloud-sso-single-sign-on
CM Pop-Up – Create engaging popups to capture attention and boost interaction cm-pop-up-banners
Companion Auto Update companion-auto-update
Copymatic – AI Content Writer & Generator copymatic
Cost Calculator ql-cost-calculator
Counter live visitors for WooCommerce counter-visitor-for-woocommerce
Coupon Affiliates – Affiliate Plugin for WooCommerce woo-coupon-usage
Crowdfunding for WooCommerce crowdfunding-for-woocommerce
Custom API for WP custom-api-for-wp
DB Backup db-backup
Easy Elementor Addons easy-elementor-addons
ELEX WooCommerce Bulk Edit Products, Prices & Attributes (Basic) elex-bulk-edit-products-prices-attributes-for-woocommerce-basic
EPay.bg Payments epaybg-payments
FG Drupal to WordPress fg-drupal-to-wp
FluentSnippets – The High-Performance file based Custom Code Snippets Plugin easy-code-manager
FoodMenu – WP Creative Restaurant Menu Showcase WooCommerce dzs-restaurantmenu
Formality formality
Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator
Ghost Kit – Page Builder Blocks, Motion Effects & Extensions ghostkit
GSheetConnector for WC wc-gsheetconnector
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor gutentor
HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. ht-contactform
HTML5 Radio Player – WPBakery Page Builder Addon lbg_radio_player_addon_visual_composer
IDonatePro – Blood Donation, Request And Donor Management WordPress Plugin idonate-pro
Image Wall image-wall
Import CDN-Remote Images import-cdn-remote-images
Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms integration-for-contact-form-7-and-google-sheets
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms integration-for-contact-form-7-and-pipedrive
JetBlocks for Elementor jet-blocks
JetElements jet-elements
JetEngine jet-engine
JetFormBuilder — Dynamic Blocks Form Builder jetformbuilder
JetMenu jet-menu
JetPopup jet-popup
JetSearch jet-search
JetSmartFilters jet-smart-filters
JetTabs jet-tabs
JetTricks jet-tricks
JetWooBuilder jet-woo-builder
Knowledge Base knowledgebase
lbg-audio4-html5-shoutcast lbg-audio4-html5-shoutcast
LightBox Block – Gutenberg block for creating fully functional lightbox lightbox-block
Listly: Listicles For WordPress listly
Live Stream Badger live-stream-badger
LoginPress Pro loginpress-pro
Madara – Core madara-core
Malcure Malware Scanner — Toolset for Malware Removal wp-malware-removal
Map My Locations map-my-locations
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations master-addons
MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro
Maya Business Plugin paymaya-checkout-for-woocommerce
Media Library Assistant media-library-assistant
Mediabay – WordPress Media Library Folders mediabay
MORKVA Vchasno Kasa Integration mrkv-vchasno-kasa
Multimedia Playlist Slider Addon for WPBakery Page Builder lbg_vp_youtube_vimeo_addon_visual_composer
News Kit Elementor Addons news-kit-elementor-addons
Newsletters newsletters-lite
Partnerský systém Martinus martinus-partnersky-system
Pinterest Automatic wp-pinterest-automatic
Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship biteship
ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities
Real Estate Property 2025 Create Your Own Fields and Search Bar real-estate-right-now
Residential Address Detection residential-address-detection
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates responsive-addons-for-elementor
Restaurant Menu and Food Ordering mp-restaurant-menu
Restrict File Access restrict-file-access
Revolution Video Player With Bottom Playlist WordPress Plugin – YouTube/Vimeo/Self-Hosted Support revolution_video_player
Ruven Themes: Shortcodes ruven-themes-shortcodes
School Management System for WordPress school-management
SHOUT – HTML5 Radio Player With Ads – ShoutCast and IceCast Support lbg-audio8-html5-radio-ads
Simple Link Directory Pro qc-simple-link-directory
SMTP for Amazon SES – YaySMTP smtp-amazon-ses
SMTP for SendGrid – YaySMTP smtp-sendgrid
SMTP for Sendinblue – YaySMTP smtp-sendinblue
SMTP2GO for WordPress – Email Made Easy smtp2go
Stop and Block bots plugin Anti bots antibots
Strong Testimonials strong-testimonials
Temporarily Hidden Content temporarily-hidden-content
Terms descriptions terms-descriptions
Testimonial Post type testimonial-post-type
The Plus Addons for Elementor Page Builder Pro theplus_elementor_addon
Theme Builder For Elementor theme-builder-for-elementor
ThemeREX Addons trx_addons
Ultimate WP Mail ultimate-wp-mail
Universal Video Player – Addon for WPBakery Page Builder lbg-universal-video-player-addon-visual-composer
Universal Video Player – Addon for WPBakery Page Builder lbg_universal_video_player_addon_visual_composer
URL Shortener Plugin For WordPress exact-links
Useful Tab Block – Responsive & AMP-Compatible useful-tab-block-responsive-amp-compatible
Vertical scroll image slideshow gallery vertical-scroll-image-slideshow-gallery
Videopack video-embed-thumbnail-generator
Wallet System for WooCommerce wallet-system-for-woocommerce
Welcart e-Commerce usc-e-shop
Widget for Google Reviews business-reviews-wp
WooCommerce Refund And Exchange with RMA – Warranty Management, Refund Policy, Manage User Wallet woocommerce-refund-and-exchange
WooCommerce Shop Page Builder dzs-wootable
WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) delicious-recipes
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce wp-event-manager
WP Post Hide wp-post-hide
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
WPAdverts – Classifieds Plugin wpadverts
YayExtra – WooCommerce Extra Product Options yayextra
Youtube Vimeo Video Player and Slider WP Plugin video_player_youtube_vimeo
Zuppler Online Ordering zuppler-online-ordering

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Alone – Charity Multipurpose Non-profit WordPress Theme alone
GymBase Theme Classes gymbase_classes
Hestia hestia
Houzez houzez
Visual Art | Gallery WordPress Theme visual-arts

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 – Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-5394
Patch Status
Patched
Published
Jul 14, 2025
Affected Software
Alone – Charity Multipurpose Non-profit WordPress Theme
Researcher
More Details >

Bears Backup <= 2.0.0 – Unauthenticated Remote Code Execution

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-5396
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Bears Backup
Researcher
More Details >

Formality <= 1.5.9 – Unauthenticated Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-48157
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Formality
Researcher
More Details >

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-7340
Patch Status
Patched
Published
Jul 14, 2025
Affected Software
HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Researcher
More Details >

Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 – Unauthenticated PHP Object Injection via verify_field_val Function

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-7697
Patch Status
Patched
Published
Jul 18, 2025
Affected Software
Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms
Researcher
More Details >

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 – Unauthenticated PHP Object Injection via verify_field_val Function

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-7696
Patch Status
Patched
Published
Jul 18, 2025
Affected Software
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms
Researcher
More Details >

LoginPress Pro <= 5.0.1 – Authentication Bypass via WordPress.com OAuth provider

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-7444
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
LoginPress Pro
Researcher
More Details >

WooCommerce Refund And Exchange with RMA – Warranty Management, Refund Policy, Manage User Wallet <= 3.2.6 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-6222
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
WooCommerce Refund And Exchange with RMA – Warranty Management, Refund Policy, Manage User Wallet
Researchers
More Details >

Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.5 – Missing Authorization to Unauthenticated Arbitrary File Deletion

9.1
CVSS Rating
Critical (9.1)
CVE-ID
CVE-2025-5393
Patch Status
Patched
Published
Jul 14, 2025
Affected Software
Alone – Charity Multipurpose Non-profit WordPress Theme
Researcher
More Details >

Attachment Manager <= 2.1.2 – Unauthenticated Arbitrary File Deletion

9.1
CVSS Rating
Critical (9.1)
CVE-ID
CVE-2025-7643
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Attachment Manager
Researcher
More Details >

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 – Directory Traversal to Arbitrary File Move

9.1
CVSS Rating
Critical (9.1)
CVE-ID
CVE-2025-7360
Patch Status
Patched
Published
Jul 14, 2025
Affected Software
HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Researcher
More Details >

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 – Unauthenticated Arbitrary File Deletion

9.1
CVSS Rating
Critical (9.1)
CVE-ID
CVE-2025-7341
Patch Status
Patched
Published
Jul 14, 2025
Affected Software
HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Researcher
More Details >

Madara – Core <= 2.2.3 – Unauthenticated Arbitrary File Deletion

9.1
CVSS Rating
Critical (9.1)
CVE-ID
CVE-2025-7712
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Madara – Core
Researcher
More Details >

aapanel WP Toolkit 1.0 – 1.1 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via auto_login() Function

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-6813
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
aapanel WP Toolkit
Researcher
More Details >

B1.lt for WooCommerce <= 2.2.56 – Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Injection

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-6718
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
B1.lt
Researcher
More Details >

School Management System for WordPress <= 93.1.0 – Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-3740
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
School Management System for WordPress
Researcher
More Details >

Counter live visitors for WooCommerce <= 1.3.6 – Unauthenticated Arbitrary File Deletion in wcvisitor_get_block

8.2
CVSS Rating
High (8.2)
CVE-ID
CVE-2025-7359
Patch Status
Unpatched
Published
Jul 15, 2025
Affected Software
Counter live visitors for WooCommerce
Researcher
More Details >

Cloud SAML SSO – Single Sign On Login <= 1.0.18 – Unauthenticated Local File Inclusion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-49264
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Cloud SAML SSO – Single Sign On Login
Researcher
More Details >

Ghost Kit <= 3.4.1 – Unauthenticated Local File Inclusion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-53567
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Ghost Kit – Page Builder Blocks, Motion Effects & Extensions
Researcher
More Details >

IDonatePro <= 2.1.8 – Unauthenticated Local File Inclusion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-30635
Patch Status
Unpatched
Published
Jul 16, 2025
Affected Software
IDonatePro – Blood Donation, Request And Donor Management WordPress Plugin
Researcher
More Details >

Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 17.0 – Authenticated (Subscriber+) Arbitrary File Deletion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-6043
Patch Status
Patched
Published
Jul 15, 2025
Affected Software
Malcure Malware Scanner — #1 Toolset for Malware Removal
Researcher
More Details >

Restrict File Access <= 1.1.2 – Cross-Site Request Forgery to Arbitrary File Deletion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-7667
Patch Status
Unpatched
Published
Jul 14, 2025
Affected Software
Restrict File Access
Researcher
More Details >

Widget for Google Reviews <= 1.0.15 – Unauthenticated Local File Inclusion

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-53565
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Widget for Google Reviews
Researcher
More Details >

Custom API for WP <= 4.2.2 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-54048
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Custom API for WP
Researcher
More Details >

MasterStudy LMS – Online Courses, eLearning PRO Plus <= 4.7.9 – Authenticated (Subscriber+) Arbitrary File Upload

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-7438
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
MasterStudy LMS Pro
Researcher
More Details >

Ultimate WP Mail 1.0.17 – 1.3.6 – Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-6993
Patch Status
Patched
Published
Jul 15, 2025
Affected Software
Ultimate WP Mail
Researcher
More Details >

Visual Art | Gallery WordPress Theme <= 2.4 – Authenticated (Subscriber+) PHP Object Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-31422
Patch Status
Unpatched
Published
Jul 15, 2025
Affected Software
Visual Art | Gallery WordPress Theme
Researcher
More Details >

WP Event Manager <= 3.1.50 – Unauthenticated Stored Cross-Site Scripting via ‘organizer_name’

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-2800
Patch Status
Patched
Published
Jul 15, 2025
Affected Software
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Researcher
More Details >

HT Contact Form 7 <= 2.0.0 – Authenticated (Administrator+) Local File Inclusion

6.6
CVSS Rating
Medium (6.6)
CVE-ID
CVE-2025-54015
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder.
Researcher
More Details >

JetFormBuilder <= 3.5.1.2 – Authenticated (Administrator+) PHP Object Injection

6.6
CVSS Rating
Medium (6.6)
CVE-ID
CVE-2025-53990
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetFormBuilder — Dynamic Blocks Form Builder
Researcher
More Details >

B1.lt for WooCommerce <= 2.2.56 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-6717
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
B1.lt
Researcher
More Details >

ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes <= 1.4.9 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-47645
Patch Status
Patched
Published
Jul 15, 2025
Affected Software
ELEX WooCommerce Bulk Edit Products, Prices & Attributes (Basic)
Researcher
More Details >

GymBase Theme Classes <= 1.4 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-54026
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
GymBase Theme Classes
Researcher
More Details >

Mediabay – WordPress Media Library Folders <= 1.4 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-28949
Patch Status
Unpatched
Published
Jul 15, 2025
Affected Software
Mediabay – WordPress Media Library Folders
Researcher
More Details >

Pinterest Automatic Pin < 4.19.0 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-39510
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Pinterest Automatic
Researcher
More Details >

Affiliate Reviews <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via numColumns Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5845
Patch Status
Unpatched
Published
Jul 15, 2025
Affected Software
Affiliate Reviews
Researcher
More Details >

Avada (Fusion) Builder <= 3.12.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-6747
Patch Status
Patched
Published
Jul 15, 2025
Affected Software
Avada (Fusion) Builder
Researcher
More Details >

Bold Page Builder <= 5.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54006
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Bold Page Builder
Researcher
More Details >

Brandfolder <= 5.0.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5843
Patch Status
Unpatched
Published
Jul 15, 2025
Affected Software
Brandfolder – Digital Asset Management Simplified.
Researcher
More Details >

Crowdfunding for WooCommerce <= 3.1.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5767
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Crowdfunding for WooCommerce
Researcher
More Details >

Easy Elementor Addons <= 2.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-48295
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Easy Elementor Addons
Researcher
More Details >

EPay.bg Payments <= 0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7653
Patch Status
Unpatched
Published
Jul 18, 2025
Affected Software
EPay.bg Payments
Researcher
More Details >

Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-4685
Patch Status
Patched
Published
Jul 20, 2025
Affected Software
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
Researcher
More Details >

Image Wall <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-48156
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Image Wall
Researcher
More Details >

JetBlocks For Elementor <= 1.3.19 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53989
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetBlocks for Elementor
Researcher
More Details >

JetElements For Elementor <= 2.7.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53982
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetElements
Researcher
More Details >

JetPopup <= 2.0.15 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53994
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetPopup
Researcher
More Details >

JetPopup <= 2.0.15.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53995
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetPopup
Researcher
More Details >

JetSearch <= 3.5.10.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53996
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetSearch
Researcher
More Details >

JetSmartFilters <= 3.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54009
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetSmartFilters
Researcher
More Details >

JetTabs <= 2.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53984
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetTabs
Researcher
More Details >

JetTricks <= 1.5.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-53991
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetTricks
Researcher
More Details >

LightBox Block <= 1.1.30 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54051
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
LightBox Block – Gutenberg block for creating fully functional lightbox
Researcher
More Details >

Live Stream Badger <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7655
Patch Status
Unpatched
Published
Jul 18, 2025
Affected Software
Live Stream Badger
Researcher
More Details >

Map My Locations <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7660
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Map My Locations
Researcher
More Details >

Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations <= 2.0.8.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5284
Patch Status
Patched
Published
Jul 15, 2025
Affected Software
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Researcher
More Details >

Media Library Assistant <= 3.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via mla_tag_cloud and mla_term_list Shortcodes

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7035
Patch Status
Patched
Published
Jul 15, 2025
Affected Software
Media Library Assistant
Researcher
More Details >

Partnerský systém Martinus <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7661
Patch Status
Unpatched
Published
Jul 18, 2025
Affected Software
Partnerský systém Martinus
Researcher
More Details >

Responsive Addons for Elementor <= 1.7.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54050
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
Researcher
More Details >

Ruven Themes: Shortcodes <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7648
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Ruven Themes: Shortcodes
Researcher
More Details >

Strong Testimonials <= 3.2.11 – Authenticated (Author+) Stored Cross-Site Scripting via Custom Fields

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7367
Patch Status
Patched
Published
Jul 14, 2025
Affected Software
Strong Testimonials
Researcher
More Details >

Temporarily Hidden Content <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7658
Patch Status
Unpatched
Published
Jul 18, 2025
Affected Software
Temporarily Hidden Content
Researcher
More Details >

Testimonial Post type <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5800
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Testimonial Post type
Researcher
More Details >

ThemeREX Addons <= 2.35.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via trx_addons_get_svg_from_file Function

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-6997
Patch Status
Patched
Published
Jul 18, 2025
Affected Software
ThemeREX Addons
Researcher
More Details >

Useful Tab Block – Responsive & AMP-Compatible <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5754
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Useful Tab Block – Responsive & AMP-Compatible
Researcher
More Details >

Vertical scroll image slideshow gallery <= 11.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5752
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Vertical scroll image slideshow gallery
Researcher
More Details >

Videopack <= 4.10.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54016
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Videopack
Researcher
More Details >

WP Delicious <= 1.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54023
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Researcher
More Details >

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7354
Patch Status
Patched
Published
Jul 20, 2025
Affected Software
WP Shortcodes Plugin — Shortcodes Ultimate
Researcher
More Details >

WPAdverts <= 2.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-54024
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
WPAdverts – Classifieds Plugin
Researcher
More Details >

Alike – WordPress Custom Post Comparison <= 3.0.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28975
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Alike – WordPress Custom Post Comparison
Researcher
More Details >

Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) <= 1.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-30631
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer)
Researcher
More Details >

Apollo – Sticky Full Width HTML5 Audio Player <= 3.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-48168
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
Apollo – Sticky Full Width HTML5 Audio Player
Researcher
More Details >

Avishi WP PayPal Payment Button <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-7669
Patch Status
Unpatched
Published
Jul 18, 2025
Affected Software
Avishi WP PayPal Payment Button
Researcher
More Details >

FoodMenu <= 1.20 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-29014
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
FoodMenu – WP Creative Restaurant Menu Showcase WooCommerce
Researcher
More Details >

HTML5 Radio Player – WPBakery Page Builder Addon <= 2.5 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-53564
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
HTML5 Radio Player – WPBakery Page Builder Addon
Researcher
More Details >

Multimedia Playlist Slider Addon for WPBakery Page Builder <= 2.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-30626
Patch Status
Unpatched
Published
Jul 16, 2025
Affected Software
Multimedia Playlist Slider Addon for WPBakery Page Builder
Researcher
More Details >

ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.4 – Reflected Cross-Site Scripting via ‘pm_get_messenger_notification’ function

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-6977
Patch Status
Patched
Published
Jul 15, 2025
Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher
More Details >

Radio Player Shoutcast & Icecast <= 4.4.7 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-53205
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
lbg-audio4-html5-shoutcast
Researcher
More Details >

Revolution Video Player With Bottom Playlist <= 2.9.2 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-53212
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Revolution Video Player With Bottom Playlist WordPress Plugin – YouTube/Vimeo/Self-Hosted Support
Researcher
More Details >

Shortcodes Ultimate <= 7.4.2 – Cross-Site Request Forgery to Arbitrary Shortcode Execution

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-7369
Patch Status
Patched
Published
Jul 20, 2025
Affected Software
WP Shortcodes Plugin — Shortcodes Ultimate
Researcher
More Details >

SHOUT – HTML5 Radio Player With Ads – ShoutCast and IceCast Support <= 3.5.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-48163
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
SHOUT – HTML5 Radio Player With Ads – ShoutCast and IceCast Support
Researcher
More Details >

Simple Link Directory < 14.8.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-48297
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Simple Link Directory Pro
Researcher
More Details >

Universal Video Player – Addon for WPBakery Page Builder <= 3.2.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-48170
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
Universal Video Player – Addon for WPBakery Page Builder
Researcher
More Details >

Universal Video Player – Addon for WPBakery Page Builder <= 3.2.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-53562
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
Universal Video Player – Addon for WPBakery Page Builder
Researcher
More Details >

WooCommerce Shop Page Builder <= 2.27.7 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-28999
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
WooCommerce Shop Page Builder
Researcher
More Details >

Youtube Vimeo Video Player and Slider <= 3.8 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-53563
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Youtube Vimeo Video Player and Slider WP Plugin
Researcher
More Details >

Zuppler Online Ordering <= 2.1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-6053
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Zuppler Online Ordering
Researcher
More Details >

Companion Auto Update <= 3.9.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via update_delay_days parameter

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-4369
Patch Status
Patched
Published
Jul 14, 2025
Affected Software
Companion Auto Update
Researcher
More Details >

FG Drupal to WordPress <= 3.90.0 – Authenticated (Admin+) Server-Side Request Forgery

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-48294
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
FG Drupal to WordPress
Researcher
More Details >

Welcart e-Commerce <= 2.11.16 – Authenticated (Editor+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-54013
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Welcart e-Commerce
Researcher
More Details >

Hestia <= 3.2.10 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-53986
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Hestia
Researcher
More Details >

JetBlocks For Elementor <= 1.3.18 – Authenticated (Subscriber+) Information Disclsoure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-53988
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetBlocks for Elementor
Researcher
More Details >

JetSmartFilters <= 3.6.7 – Authenticated (Subscriber+) Sensitive Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-54008
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetSmartFilters
Researcher
More Details >

JetTricks <= 1.5.4.1 – Authenticated (Subscriber+) Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-53992
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetTricks
Researcher
More Details >

Listly: Listicles For WordPress <= 2.7 – Unauthenticated Arbitrary Transient Deletion

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-5811
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Listly: Listicles For WordPress
Researcher
More Details >

Maya Business <= 1.2.0 – Unauthenticated Insecure Direct Object Reference

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-53208
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Maya Business Plugin
Researcher
More Details >

Residential Address Detection <= 2.5.9 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-48155
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Residential Address Detection
Researcher
More Details >

Stop and Block bots plugin Anti bots <= 1.48 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-48166
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Stop and Block bots plugin Anti bots
Researcher
More Details >

URL Shortener <= 3.0.7 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-28965
Patch Status
Unpatched
Published
Jul 15, 2025
Affected Software
URL Shortener Plugin For WordPress
Researcher
More Details >

Vchasno Kasa <= 1.0.3 – Missing Authorization to Unauthenticated Invoice Generation

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-6721
Patch Status
Patched
Published
Jul 18, 2025
Affected Software
MORKVA Vchasno Kasa Integration
Researcher
More Details >

Vchasno Kasa <= 1.0.3 – Unauthenticated Log File Clearing

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-6720
Patch Status
Patched
Published
Jul 18, 2025
Affected Software
MORKVA Vchasno Kasa Integration
Researcher
More Details >

Webba Booking <= 5.1.20 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-54040
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Appointment Booking & Scheduling Plugin — Webba Booking Calendar
Researcher
More Details >

Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 – Authenticated (Administrator+) SQL Injection via `order_by` Parameter

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-7638
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher
More Details >

SMTP for Amazon SES <= 1.9 – Authenticated (Administrator+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-54043
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
SMTP for Amazon SES – YaySMTP
Researcher
More Details >

SMTP for SendGrid – YaySMTP <= 1.5 – Authenticated (Administrator+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-48301
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
SMTP for SendGrid – YaySMTP
Researcher
More Details >

YayExtra <= 1.5.5 – Authenticated (Administrator+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-48299
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
YayExtra – WooCommerce Extra Product Options
Researcher
More Details >

YaySMTP <= 1.3 – Authenticated (Administrator+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-48161
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
SMTP for Sendinblue – YaySMTP
Researcher
More Details >

Knowledge Base <= 2.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Slug

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-7431
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
Knowledge Base
Researcher
More Details >

Terms descriptions <= 3.4.8 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-6719
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Terms descriptions
Researcher
More Details >

Animator <= 3.0.16 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54039
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Animator – Scroll Triggered Animations
Researcher
More Details >

AntiSpam for Contact Form 7 <= 0.6.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54020
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
AntiSpam for Contact Form 7
Researcher
Bao
More Details >

Block Editor Gallery Slider <= 1.1.1 – Missing Authorization to Authenticated (Subscriber+) Limited Post Meta Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-6726
Patch Status
Patched
Published
Jul 17, 2025
Affected Software
Block Editor Gallery Slider
Researcher
More Details >

Chatbox Manager <= 1.2.5 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-48167
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Chatbox Manager
Researcher
More Details >

CM Pop-Up banners <= 1.8.4 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54018
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
CM Pop-Up – Create engaging popups to capture attention and boost interaction
Researcher
Bao
More Details >

Copymatic – AI Content Writer & Generator <= 2.1 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-6781
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Copymatic – AI Content Writer & Generator
Researcher
More Details >

Cost Calculator <= 7.4 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54047
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Cost Calculator
Researcher
More Details >

Coupon Affiliates <= 6.4.0 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54022
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Coupon Affiliates – Affiliate Plugin for WooCommerce
Researcher
More Details >

DB Backup <= 6.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-50031
Patch Status
Unpatched
Published
Jul 16, 2025
Affected Software
DB Backup
Researcher
More Details >

FluentSnippets <= 10.50 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54010
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
FluentSnippets – The High-Performance file based Custom Code Snippets Plugin
Researcher
More Details >

Houzez <= 4.0.4 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53997
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Houzez
Researcher
More Details >

Import CDN-Remote Images <= 2.1.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-48153
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Import CDN-Remote Images
Researcher
More Details >

JetElements For Elementor <= 2.7.7 – Authenticated (Subscriber+) Information Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53983
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetElements
Researcher
More Details >

JetEngine <= 3.7.0 – Authenticated (Subscriber+) Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53196
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetEngine
Researcher
More Details >

JetMenu <= 2.4.11.1 – Authenticated (Subscriber+) Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53987
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetMenu
Researcher
More Details >

JetPopup <= 2.0.15 – Authenticated (Subscriber+) Information Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53993
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetPopup
Researcher
More Details >

JetTabs <= 2.2.9 – Authenticated (Subscriber+) Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53985
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetTabs
Researcher
More Details >

JetWooBuilder <= 2.1.20 – Authenticated (Subscriber+) Information Exposure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-53998
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
JetWooBuilder
Researcher
More Details >

News Kit Elementor Addons <= 1.3.4 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54037
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
News Kit Elementor Addons
Researcher
More Details >

Newsletters <= 4.10 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54035
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Newsletters
Researcher
More Details >

Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship <= 3.2.0 – Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-5816
Patch Status
Unpatched
Published
Jul 17, 2025
Affected Software
Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship
Researcher
More Details >

Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin <= 4.48 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-48150
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Real Estate Property 2025 Create Your Own Fields and Search Bar
Researcher
More Details >

Restaurant Menu by MotoPress <= 2.4.6 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54038
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Restaurant Menu and Food Ordering
Researcher
More Details >

SMTP2GO <= 1.12.1 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54011
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
SMTP2GO for WordPress – Email Made Easy
Researcher
More Details >

The Plus Addons for Elementor Pro < 6.3.7 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-46434
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
The Plus Addons for Elementor Page Builder Pro
Researcher
More Details >

Theme Builder For Elementor <= 1.2.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54033
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Theme Builder For Elementor
Researcher
More Details >

Wallet System for WooCommerce <= 2.6.7 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54041
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Wallet System for WooCommerce
Researcher
More Details >

Webba Booking <= 5.1.20 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54036
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
Appointment Booking & Scheduling Plugin — Webba Booking Calendar
Researcher
More Details >

WooCommerce Google Sheet Connector <= 1.3.20 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54030
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
GSheetConnector for WC
Researcher
More Details >

WP Post Hide <= 1.0.9 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-54042
Patch Status
Patched
Published
Jul 16, 2025
Affected Software
WP Post Hide
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 14, 2025 to July 20, 2025) appeared first on Wordfence.

Leave a Comment