Wordfence Intelligence Weekly WordPress Vulnerability Report (September 8, 2025 to September 14, 2025)

by

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢

🚀  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

💉 Participate in the SQLsplorer Challenge! Now through September 22, 2025, all SQL Injection vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier AND earn a 20% bonus on all SQL Injection vulnerability submissions.

Last week, there were 99 vulnerabilities disclosed in 89 WordPress Plugins and 12 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 28,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 45
Unpatched 54

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 78
High Severity 17
Critical Severity 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 34
Cross-Site Request Forgery (CSRF) 19
Missing Authorization 16
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 11
Unrestricted Upload of File with Dangerous Type 4
Authorization Bypass Through User-Controlled Key 3
Improper Control of Generation of Code (‘Code Injection’) 3
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 2
Server-Side Request Forgery (SSRF) 2
Absolute Path Traversal 1
Exposure of Sensitive Information to an Unauthorized Actor 1
External Control of File Name or Path 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 1
Use of Hard-coded Credentials 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
11
9
7
6
6
5
5
5
3
2

Bao
2
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Additional Custom Product Tabs for WooCommerce product-tabs-for-woocommerce
Admin in English with Switch admin-in-english-with-switch
Advanced Settings 3 advanced-settings
All in one Minifier all-in-one-minifier
Analytics Reduce Bounce Rate analytics-unbounce
Auto Save Remote Images (Drafts) auto-save-remote-images-drafts
AutoCatSet autocatset
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress automatorwp
azurecurve BBCode azurecurve-bbcode
BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript searchpro
BeyondCart Connector beyondcart
Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid blog-designer-for-elementor
Catalog Importer, Scraper & Crawler intelligent-importer
Categorify – WordPress Media Library Category & File Manager categorify
CatFolders – Tame Your WordPress Media Library by Category catfolders
CBX Map for Google Map & OpenStreetMap cbxgooglemap
Certifica WP certifica-wp
Countdown Timer for Elementor countdown-timer-for-elementor
Coupon API couponapi
Digital Events Calendar digital-events-calendar
Duplicate Page and Post duplicate-wp-page-post
Dynamic Text Field For Contact Form 7 dynamic-text-field-for-contact-form-7
eID Easy smart-id
Elements Plus! elements-plus
Embed Google Datastudio embed-google-data-studio
Enhanced BibliPlug enhanced-bibliplug
Equalize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility Errors accessibility-checker
Evenium evenium
Export WP Page to Static HTML & PDF export-wp-page-to-static-html
Football Pool football-pool
Fortnox for WooCommerce woocommerce-fortnox-integration
Heateor Login – Social Login Plugin heateor-login
Import any XML, CSV or Excel File to WordPress wp-all-import
Include Me include-me
Jobify jobify
LH Signing lh-signing
LWS Cleaner lws-cleaner
Maspik – Ultimate Spam Protection contact-forms-anti-spam
Mikado Core mikado-core
Mitfahrgelegenheit mitfahrgelegenheit
Mixtape mixtape
My Tickets – Accessible Event Ticketing my-tickets
My WP Translate my-wp-translate
MyBrain Utilities mybrain-utilities
NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN nitropack
PagBank / PagSeguro Connect para WooCommerce pagbank-connect
Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net peachpay-for-woocommerce
PDF Generator for WordPress pdf-generator-for-wp
PhpList Subber phpls
Pixeline’s Email Protector pixelines-email-protector
Plugin updates blocker plugin-update-blocker
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) powerpack-lite-for-elementor
Propovoice: All-in-One Client Management System propovoice
Publish approval publish-approval
Resideo Plugin for Resideo – Real Estate WordPress Theme resideo-plugin
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates responsive-addons-for-elementor
Responsive Filterable Portfolio responsive-filterable-portfolio
Run Log run-log
Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses salon-booking-system
Seo Monster seo-monster
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) woolentor-addons
Side Slide Responsive Menu side-slide-responsive-menu
Smartcat Translator for WPML smartcat-wpml
Spotify Embed Creator spotify-embed-creator
Testimonial indianic-testimonial
The Events Calendar the-events-calendar
The Hack Repair Guy’s Plugin Archiver hackrepair-plugin-archiver
The integration of the AMO.CRM leads-for-amo-crm
ThemeLoom Widgets themeloom-widgets
Time Tracker time-tracker
Tutor LMS – eLearning and online course solution tutor
Ultimate Blogroll ultimate-blogroll
Ultimate Classified Listings ultimate-classified-listings
User Meta – User Profile Builder and User management plugin user-meta
Welcart e-Commerce usc-e-shop
Wilmer Core wilmer-core
WooCommerce Booking Bundle Hours woo-booking-bundle-hours
Workable Api wrapper-for-workable-api
WP Blast | SEO & Performance Booster wpblast
WP Easy FAQs wp-easy-faqs
WP eBay Product Feeds ebay-feeds-for-wordpress
WP Import – Ultimate CSV XML Importer for WordPress wp-ultimate-csv-importer
WP Mailgun SMTP wp-mailgun-smtp
WP Scriptcase wp-scriptcase
WP SendGrid SMTP wp-sendgrid-smtp
WP-Members Membership Plugin wp-members
WPGYM – WordPress Gym Management System gym-management
ZIP Code Based Content Protection zip-code-based-content-protection
Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation zoho-flow

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
ButterBelly butterbelly
Cloriato Lite cloriato-lite
ColorWay colorway
Compass compass
Doccure doccure
Dzonia Lite dzonia-lite
Goza – Nonprofit Charity WordPress Theme goza-theme
Mow mow
Poloray poloray
Rethink rethink
Road Fighter road-fighter
Themia Lite themia-lite

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

BeyondCart Connector <= 2.1.0 – Missing Configuration of JWT Secret to Unauthenticated Privilege Escalation via determine_current_user Filter

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-8570
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
BeyondCart Connector
Researcher
More Details >

Doccure <= 1.4.8 – Unauthenticated Arbitrary File Upload

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-9113
Patch Status
Unpatched
Published
Sep 8, 2025
Affected Software
Doccure
Researcher
More Details >

Doccure <= 1.4.9 – Unauthenticated Arbitrary User Password Change

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-9114
Patch Status
Unpatched
Published
Sep 8, 2025
Affected Software
Doccure
Researcher
More Details >

Goza – Nonprofit Charity WordPress Theme <= 3.2.2 – Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-10690
Patch Status
Patched
Published
Sep 8, 2025
Affected Software
Goza – Nonprofit Charity WordPress Theme
Researcher
More Details >

Doccure <= 1.4.9 – Authenticated (Subscriber+) Arbitrary File Upload

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-9112
Patch Status
Unpatched
Published
Sep 8, 2025
Affected Software
Doccure
Researcher
More Details >

My WP Translate <= 1.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-8425
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
My WP Translate
Researcher
More Details >

Resideo Plugin for Resideo – Real Estate WordPress Theme <= 2.5.4 – Authenticated (Subscriber+) Insecure Direct Object Reference to Privilege Escalation via Account Takeover

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-7718
Patch Status
Unpatched
Published
Sep 9, 2025
Affected Software
Resideo Plugin for Resideo – Real Estate WordPress Theme
Researcher
More Details >

Time Tracker <= 3.1.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Limited Data Deletion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-9018
Patch Status
Patched
Published
Sep 10, 2025
Affected Software
Time Tracker
Researcher
More Details >

WPGYM – WordPress Gym Management System <= 67.7.0 – Authenticated (Subscriber+) Privilege Escalation via Account Takeover

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-7049
Patch Status
Unpatched
Published
Sep 9, 2025
Affected Software
WPGYM – WordPress Gym Management System
Researcher
More Details >

Catalog Importer, Scraper & Crawler <= 5.1.4 – Unauthenticated PHP Code Injection

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2025-8417
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Catalog Importer, Scraper & Crawler
Researcher
More Details >

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 – Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation

8.0
CVSS Rating
High (8.0)
CVE-ID
CVE-2025-9539
Patch Status
Patched
Published
Sep 8, 2025
Affected Software
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
Researcher
More Details >

User Meta – User Profile Builder and User management plugin <= 3.1.2 – Authenticated (Subscriber+) Arbitrary File Deletion

8.0
CVSS Rating
High (8.0)
CVE-ID
CVE-2025-9693
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
User Meta – User Profile Builder and User management plugin
Researcher
More Details >

WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 – Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure

7.7
CVSS Rating
High (7.7)
CVE-ID
CVE-2025-10040
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
WP Import – Ultimate CSV XML Importer for WordPress
Researcher
More Details >

All in one Minifier <= 3.2 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-9073
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
All in one Minifier
Researcher
More Details >

Propovoice <= 1.7.6.7 – Unauthenticated Arbitrary File Read

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-8422
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Propovoice: All-in-One Client Management System
Researcher
More Details >

The Events Calendar <= 6.15.1 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-9807
Patch Status
Patched
Published
Sep 11, 2025
Affected Software
The Events Calendar
Researcher
More Details >

Ultimate Classified Listings <= 1.6 – Authenticated (Contributor+) Local File Inclusion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-9874
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Ultimate Classified Listings
Researcher
More Details >

Import any XML, CSV or Excel File to WordPress <= 3.9.3 – Authenticated (Admin+) Limited Unsafe File Upload

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-10001
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Import any XML, CSV or Excel File to WordPress
Researcher
More Details >

LWS Cleaner <= 2.4.1.3 – Authenticated (Administrator+) Arbitrary File Deletion via ‘lws_cl_delete_file’

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-8575
Patch Status
Patched
Published
Sep 11, 2025
Affected Software
LWS Cleaner
Researcher
More Details >

Responsive Filterable Portfolio <= 1.0.24 – Authenticated (Admin+) Arbitrary File Upload

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-10049
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Responsive Filterable Portfolio
Researcher
More Details >

The Hack Repair Guy’s Plugin Archiver <= 2.0.4 – Authenticated (Administrator+) Arbitrary File Deletion

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-10176
Patch Status
Patched
Published
Sep 12, 2025
Affected Software
The Hack Repair Guy’s Plugin Archiver
Researcher
More Details >

CatFolders – Tame Your WordPress Media Library by Category <= 2.5.2 – Authenticated (Author+) SQL Injection via CSV Import

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-9776
Patch Status
Patched
Published
Sep 10, 2025
Affected Software
CatFolders – Tame Your WordPress Media Library by Category
Researcher
More Details >

Duplicate Page and Post <= 2.9.5 – Authenticated (Contributor+) SQL Injection via meta_key Parameter

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-6189
Patch Status
Unpatched
Published
Sep 9, 2025
Affected Software
Duplicate Page and Post
Researcher
More Details >

Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net <= 1.117.5 – Authenticated (Contributor+) SQL Injection via order_by Parameter

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-9463
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net
Researcher
More Details >

Smartcat Translator for WPML <= 3.1.69 – Authenticated (Author+) SQL Injection via orderby Parameter

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-9451
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Smartcat Translator for WPML
Researcher
More Details >

Testimonial <= 2.3 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-7826
Patch Status
Unpatched
Published
Sep 9, 2025
Affected Software
Testimonial
Researcher
More Details >

Additional Custom Product Tabs for WooCommerce <= 1.7.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-58985
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Additional Custom Product Tabs for WooCommerce
Researcher
More Details >

Auto Save Remote Images (Drafts) <= 1.0.9 – Authenticated (Contributor+) Server-Side Request Forgery

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-7843
Patch Status
Unpatched
Published
Sep 9, 2025
Affected Software
Auto Save Remote Images (Drafts)
Researcher
More Details >

azurecurve BBCode <= 2.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via url Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8398
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
azurecurve BBCode
Researcher
More Details >

CBX Map for Google Map & OpenStreetMap <= 1.1.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9123
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
CBX Map for Google Map & OpenStreetMap
Researcher
More Details >

Certifica WP <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via evento Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8316
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Certifica WP
Researcher
More Details >

Countdown Timer for Elementor <= 1.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘countdown_label’

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8445
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Countdown Timer for Elementor
Researcher
More Details >

Digital Events Calendar <= 1.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via column Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-5801
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Digital Events Calendar
Researcher
More Details >

Dynamic Text Field For Contact Form 7 <= 2.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-58989
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Dynamic Text Field For Contact Form 7
Researcher
More Details >

eID Easy <= 4.9.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9128
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
eID Easy
Researcher
More Details >

Elements Plus! <= 2.16.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8689
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Elements Plus!
Researcher
More Details >

Embed Google Datastudio <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9877
Patch Status
Unpatched
Published
Sep 11, 2025
Affected Software
Embed Google Datastudio
Researcher
More Details >

Enhanced BibliPlug <= 1.3.8 – Authenticated (Contirbutor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9855
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Enhanced BibliPlug
Researcher
More Details >

Evenium <= 1.3.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9850
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Evenium
Researcher
More Details >

Football Pool <= 2.12.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-58987
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Football Pool
Researcher
More Details >

Heateor Login – Social Login Plugin <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9857
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Heateor Login – Social Login Plugin
Researcher
More Details >

Jobify <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via keyword Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8318
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Jobify
Researcher
More Details >

Mikado Core <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9058
Patch Status
Patched
Published
Sep 8, 2025
Affected Software
Mikado Core
Researcher
More Details >

Mitfahrgelegenheit <= 1.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via date Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8392
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Mitfahrgelegenheit
Researcher
More Details >

Mixtape <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9860
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Mixtape
Researcher
More Details >

My Tickets <= 2.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-58988
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
My Tickets – Accessible Event Ticketing
Researcher
More Details >

MyBrain Utilities <= 1.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-10126
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
MyBrain Utilities
Researcher
More Details >

PowerPack Lite for Elementor <= 2.9.4 – Authenticated (Contributor+) Stored Cross-Site Scripting Via ‘cursor_url’

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8388
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
Researcher
More Details >

Responsive Addons for Elementor <= 1.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8215
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
Researcher
More Details >

ShopLentor <= 3.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-58990
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Researcher
More Details >

Spotify Embed Creator <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9879
Patch Status
Unpatched
Published
Sep 11, 2025
Affected Software
Spotify Embed Creator
Researcher
More Details >

ThemeLoom Widgets <= 1.8.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9861
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
ThemeLoom Widgets
Researcher
More Details >

Wilmer Core <= 2.4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-9061
Patch Status
Patched
Published
Sep 8, 2025
Affected Software
Wilmer Core
Researcher
More Details >

WooCommerce Fortnox Integration <= 4.5.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-47610
Patch Status
Patched
Published
Sep 11, 2025
Affected Software
Fortnox for WooCommerce
Researcher
More Details >

Workable API <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via workable_jobs Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8721
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Workable Api
Researcher
More Details >

WP Easy FAQs <= 1.0.5 – Authenticated (Author+) Stored Cross-Site Scripting via WP_EASY_FAQ Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8686
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
WP Easy FAQs
Researcher
More Details >

WP eBay Product Feeds <= 3.4.8 – Authenticated (Contributor+) Server Side Request Forgery

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-58977
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
WP eBay Product Feeds
Researcher
More Details >

WP Scriptcase <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-8691
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
WP Scriptcase
Researcher
More Details >

Seo Monster <= 3.3.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-9620
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Seo Monster
Researcher
More Details >

Side Slide Responsive Menu <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-9880
Patch Status
Unpatched
Published
Sep 11, 2025
Affected Software
Side Slide Responsive Menu
Researcher
More Details >

Ultimate Blogroll <= 2.5.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-9881
Patch Status
Unpatched
Published
Sep 11, 2025
Affected Software
Ultimate Blogroll
Researcher
More Details >

Welcart e-Commerce <= 2.11.20 – Authenticated (Editor+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-9367
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Welcart e-Commerce
Researcher
More Details >

AutomatorWP <= 5.3.7 – Authenticated (Subscriber+) Missing Authorization to Multiple Functions

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-9542
Patch Status
Patched
Published
Sep 8, 2025
Affected Software
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
Researcher
More Details >

My WP Translate <= 1.1 – Authenticated (Subscriber+) Missing Authorization to Arbitrary Option Read and Deletion

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-8423
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
My WP Translate
Researcher
More Details >

BerqWP <= 2.2.53 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-58979
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript
Researcher
Bao
More Details >

Export WP Page to Static HTML/CSS <= 4.1.0 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-58980
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Export WP Page to Static HTML & PDF
Researcher
Bao
More Details >

Multiple Plugins and Themes by inkthemes <= 1.1.8 – Unauthenticated Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-59003
Patch Status
Unpatched
Published
Sep 12, 2025
Affected Software
ButterBelly
Cloriato Lite
ColorWay
Compass
Dzonia Lite
Poloray
Rethink
Road Fighter
Themia Lite
WP Mailgun SMTP
and 1 more…
Researcher
More Details >

Publish approval <= 1.1 – Cross-Site Request Forgery

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-9617
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Publish approval
Researcher
More Details >

Salon Booking System <= 10.20 – Missing Authorization to Unauthenticated AJAX Actions Execution

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-8492
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses
Researcher
More Details >

WP-Members Membership Plugin <= 3.5.4.2 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names

5.0
CVSS Rating
Medium (5.0)
CVE-ID
CVE-2025-9489
Patch Status
Patched
Published
Sep 8, 2025
Affected Software
WP-Members Membership Plugin
Researcher
More Details >

Coupon API <= 6.2.9 – Authenticated (Administrator+) SQL Injection via ‘log_duration’

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-8692
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Coupon API
Researcher
More Details >

PagBank / PagSeguro Connect para WooCommerce <= 4.44.3 – Authenticated (Shop Manager+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-10142
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
PagBank / PagSeguro Connect para WooCommerce
Researcher
More Details >

Tutor LMS <= 3.7.4 – Authenticated (Administrator+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-58993
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Tutor LMS – eLearning and online course solution
Researcher
More Details >

ZIP Code Based Content Protection <= 1.0.0 – Authenticated (Administrator+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-59008
Patch Status
Patched
Published
Sep 8, 2025
Affected Software
ZIP Code Based Content Protection
Researcher
More Details >

Include Me <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-58983
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Include Me
Researcher
More Details >

Pixeline’s Email Protector <= 1.3.8 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-58982
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Pixeline’s Email Protector
Researcher
More Details >

Welcart e-Commerce <= 2.11.20 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-58984
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Welcart e-Commerce
Researcher
More Details >

Accessibility Checker by Equalize Digital <= 1.31.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-58981
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Equalize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility Errors
Researcher
More Details >

Accessibility Checker by Equalize Digital <= 1.31.0 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-58976
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Equalize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility Errors
Researcher
More Details >

Admin in English with Switch <= 1.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9623
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Admin in English with Switch
Researcher
More Details >

Advanced Settings <= 3.1.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-58975
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Advanced Settings 3
Researcher
More Details >

Analytics Reduce Bounce Rate <= 2.3 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9635
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Analytics Reduce Bounce Rate
Researcher
More Details >

AutoCatSet <= 2.1.4 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9631
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
AutoCatSet
Researcher
More Details >

Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid <= 1.1.7 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8481
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid
Researcher
More Details >

Categorify <= 1.0.7.5 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-59005
Patch Status
Unpatched
Published
Sep 8, 2025
Affected Software
Categorify – WordPress Media Library Category & File Manager
Researcher
More Details >

LH Signing <= 2.83 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9633
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
LH Signing
Researcher
More Details >

Maspik <= 2.5.6 – Authenticated (Subscriber+) Missing Authorization to Spam Log Export

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9979
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Maspik – Ultimate Spam Protection
Researcher
More Details >

Maspik <= 2.5.6 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9888
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Maspik – Ultimate Spam Protection
Researcher
More Details >

Mow <= 4.10 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-58997
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
Mow
Researcher
More Details >

NitroPack <= 1.18.4 – Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8778
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN
Researcher
More Details >

PDF Generator for WordPress <= 1.5.4 – Missing Authorization

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-58978
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
PDF Generator for WordPress
Researcher
More Details >

PhpList Subber <= 1.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9632
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
PhpList Subber
Researcher
More Details >

Plugin updates blocker <= 0.2 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9634
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Plugin updates blocker
Researcher
More Details >

Run Log <= 1.7.10 – Cross-Site Request Forgery to Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9627
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Run Log
Researcher
More Details >

The integration of the AMO.CRM <= 1.0.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9628
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
The integration of the AMO.CRM
Researcher
More Details >

Ultimate Classified Listings <= 1.6 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-0763
Patch Status
Unpatched
Published
Sep 10, 2025
Affected Software
Ultimate Classified Listings
Researcher
More Details >

WooCommerce Booking Bundle Hours <= 0.7.4 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-58991
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
WooCommerce Booking Bundle Hours
Researcher
More Details >

WP Blast | SEO & Performance Booster <= 1.8.6 – Cross-Site Request Forgery to Cache Clearing

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-9622
Patch Status
Patched
Published
Sep 9, 2025
Affected Software
WP Blast | SEO & Performance Booster
Researcher
More Details >

Zoho Flow <= 2.14.1 – Cross-Site Request Forgery

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-8479
Patch Status
Patched
Published
Sep 10, 2025
Affected Software
Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 8, 2025 to September 14, 2025) appeared first on Wordfence.

Leave a Comment