Calling all Vulnerability Researchers and Bug Bounty Hunters!
The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.
Last week, there were 106 vulnerabilities disclosed in 100 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 48 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the worldâs leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 29,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
-
- WAF-RULE-874 â Data redacted while we work with the vendor on a patch.
- Gravity Forms <= 2.9.21.1 â Unauthenticated Arbitrary File Upload via Legacy Chunked Upload
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 49 |
| Unpatched | 57 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 89 |
| High Severity | 13 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 40 |
| Missing Authorization | 21 |
| Cross-Site Request Forgery (CSRF) | 7 |
| Authorization Bypass Through User-Controlled Key | 6 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 6 |
| Exposure of Sensitive Information to an Unauthorized Actor | 4 |
| Improper Control of Generation of Code (‘Code Injection’) | 3 |
| Improper Privilege Management | 3 |
| Improper Authorization | 2 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Client-Side Enforcement of Server-Side Security | 1 |
| Deserialization of Untrusted Data | 1 |
| Exposure of Private Personal Information to an Unauthorized Actor | 1 |
| External Control of File Name or Path | 1 |
| Improper Access Control | 1 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
| Insecure Storage of Sensitive Information | 1 |
| Insertion of Sensitive Information into Externally-Accessible File or Directory | 1 |
| Missing Authentication for Critical Function | 1 |
| Use of Insufficiently Random Values | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 12 | |
| 12 | |
| 8 | |
| 6 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 0 Day Analytics | 0-day-analytics |
| Add Multiple Marker | add-multiple-marker |
| AI Engine | ai-engine |
| AI-Powered Project Management & Task Manager with Kanban Board & Gantt Chart â WP Project Manager | wedevs-project-manager |
| All in One SEO â Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | all-in-one-seo-pack |
| Alt Text Generator AI â Auto Generate & Bulk Update Alt Texts For Images | alt-text-generator |
| Appointment Booking Calendar | appointment-booking-calendar |
| Asgaros Forum | asgaros-forum |
| Astra Security Suite â Firewall & Malware Scan | getastra |
| Authors List | authors-list |
| Auto Amazon Links â Amazon Associates Affiliate Plugin | amazon-auto-links |
| Blocksy Companion | blocksy-companion |
| Booking Calendar | booking |
| Booking Calendar | Appointment Booking | Bookit | bookit |
| Booking for Appointments and Events Calendar â Amelia | ameliabooking |
| Chart Expert | chart-expert |
| Classified Listing â AI-Powered Classified ads & Business Directory Plugin | classified-listing |
| Comment Edit Core â Simple Comment Editing | simple-comment-editing |
| Contact Form Email | contact-form-to-email |
| Contest Gallery â Upload, Vote & Sell with PayPal and Stripe | contest-gallery |
| Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed | quicq |
| Coon Google Maps | coon-google-maps |
| Crypto Tool | crypto |
| CTL Arcade Lite | ctl-arcade-lite |
| Data Tables Generator by Supsystic | data-tables-generator-by-supsystic |
| Document Pro Elementor â Documentation & Knowledge Base | document-pro-elementor |
| Double the Donation â A workplace giving tool | double-the-donation |
| Easy Email Subscription | email-subscription-with-secure-captcha |
| EasyCommerce â AI-Powered Ecommerce To Sell Physical & Digital Products | easycommerce |
| Elastic Theme Editor | elastic-theme-editor |
| Eventbee Ticketing Widget | eventbee-ticketing-widget |
| Featured Image | featured-image |
| Find Unused Images | find-unused-images |
| Five9 Live Chat | five9 |
| Fleet Manager | fleet |
| Flickr Show | wp-flickrshow |
| Gallery Plugin for WordPress â Envira Photo Gallery | envira-gallery-lite |
| GeoDirectory â WP Business Directory Plugin and Classified Listings Directory | geodirectory |
| Geopost | geopost |
| GitHub Gist Shortcode Plugin | github-gist-shortcode |
| Holiday class post calendar | holiday-class-post-calendar |
| Hydra Booking â Appointment Scheduling & Booking Calendar | hydra-booking |
| Image Gallery â Photo Grid & Video Gallery | modula-best-grid-gallery |
| Import any XML, CSV or Excel File to WordPress | wp-all-import |
| Include Fussball.de Widgets | include-fussball-de-widgets |
| Jeba Cute forkit | jeba-cute-forkit |
| LifterLMS â WP LMS for eLearning, Online Courses, & Quizzes | lifterlms |
| Live Photos on WordPress | live-photos |
| Magazine Companion | bnm-blocks |
| MembershipWorks â Membership, Events & Directory | memberfindme |
| Mementor Core | mementor-core |
| My Geo Posts Free | my-geo-posts-free |
| Ninja Countdown | Fastest Countdown Builder | ninja-countdown |
| Nonaki â Drag and Drop Email Template builder and Newsletter plugin for WordPress | nonaki-email-template-customizer |
| Page Builder: Pagelayer â Drag and Drop website builder | pagelayer |
| Payment Plugins Braintree For WooCommerce | woo-payment-gateway |
| Paypal Donation Shortcode | paypal-donation-shortcode |
| PDF Builder for WooCommerce. Create invoices,packing slips and more | woo-pdf-invoice-builder |
| Poll Maker â Versus Polls, Anonymous Polls, Image Polls | poll-maker |
| Precise Columns | precise-columns |
| Preload Current Images | preload-current-images |
| Private Google Calendars | private-google-calendars |
| Progress Bar Blocks for Gutenberg | progressmatify-blocks |
| Qi Blocks | qi-blocks |
| RandomQuotr | randomquotr |
| Save as PDF Button | save-as-pdf |
| School Management System â WPSchoolPress | wpschoolpress |
| Share to Google Classroom | share-to-google-classroom |
| Simple Donate | simple-donate |
| Skip to Timestamp | skip-to-timestamp |
| Slippy Slider â Responsive Touch Navigation Slider | slippy-slider-responsive-touch-navigation-slider |
| SNORDIAN’s H5PxAPIkatchu | h5pxapikatchu |
| Specific Content For Mobile â Customize the mobile version without redirections | specific-content-for-mobile |
| Squirrels Auto Inventory | squirrels-auto-inventory |
| Stock Management for WooCommerce by Shelf Planner | shelf-planner |
| SureForms â Contact Form, Custom Form Builder, Calculator & More | sureforms |
| Survey Maker | survey-maker |
| The Total Book Project | the-total-book-project |
| Theater for WordPress | theatre |
| Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
| TNC Toolbox: Web Performance | tnc-toolbox |
| Twitter Feed | ot-twitter-feed |
| Ungapped Widgets | ungapped-widgets |
| USB Qr Code Scanner For Woocommerce | usb-qr-code-scanner-for-woocommerce |
| Welcart e-Commerce | usc-e-shop |
| Wishlist and Save for later for Woocommerce | aco-wishlist-for-woocommerce |
| Wisly | wisly |
| Woocommerce â Products By Custom Tax | woocommerce-products-by-custom-tax |
| WordPress Content Flipper | wp-flipper |
| WP BBCode | wp-bbcode |
| WP Bootstrap Tabs | wp-bootstrap-tabs |
| WP Count Down Timer | wp-count-down-timer |
| WP Custom Admin Login Page Logo | wp-custom-login-page-logo |
| WP Import â Ultimate CSV XML Importer for WordPress | wp-ultimate-csv-importer |
| WP Plugin Manager â Deactivate plugins per page | wp-plugin-manager |
| WP-Iconics | wp-iconics |
| WP-OAuth | wp-oauth |
| WP-Walla | wp-walla |
| WP秝čĄĺ°ç¨ăăŠă°ă¤ăł for CPI | cpi-wp-migration |
| YSlider | yslider |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Angel â Fashion Model Agency WordPress CMS Theme | angel |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you shouldâve already been notified if your site was affected by any of these vulnerabilities. If youâd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
CVE-ID
CVE-2025-12539
CVE-2025-12539
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
TNC Toolbox: Web Performance
TNC Toolbox: Web Performance
Researcher
CVE-ID
CVE-2025-11457
CVE-2025-11457
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Researcher
CVE-ID
CVE-2025-12813
CVE-2025-12813
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Holiday class post calendar
Holiday class post calendar
Researcher
CVE-ID
CVE-2025-11170
CVE-2025-11170
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
WP秝čĄĺ°ç¨ăăŠă°ă¤ăł for CPI
WP秝čĄĺ°ç¨ăăŠă°ă¤ăł for CPI
Researcher
Blocksy Companion <= 2.1.19 – Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass
8.8
CVE-ID
CVE-2025-12846
CVE-2025-12846
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Blocksy Companion
Blocksy Companion
Researcher
CVE-ID
CVE-2025-12637
CVE-2025-12637
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Elastic Theme Editor
Elastic Theme Editor
Researcher
CVE-ID
CVE-2025-12733
CVE-2025-12733
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Import any XML, CSV or Excel File to WordPress
Import any XML, CSV or Excel File to WordPress
Researcher
CVE-ID
CVE-2025-11923
CVE-2025-11923
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
LifterLMS â WP LMS for eLearning, Online Courses, & Quizzes
LifterLMS â WP LMS for eLearning, Online Courses, & Quizzes
Researcher
CVE-ID
CVE-2025-11168
CVE-2025-11168
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Mementor Core
Mementor Core
Researcher
CVE-ID
CVE-2025-11521
CVE-2025-11521
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Astra Security Suite â Firewall & Malware Scan
Astra Security Suite â Firewall & Malware Scan
Researcher
CVE-ID
CVE-2025-11451
CVE-2025-11451
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Auto Amazon Links â Amazon Associates Affiliate Plugin
Auto Amazon Links â Amazon Associates Affiliate Plugin
Researcher
CVE-ID
CVE-2025-12633
CVE-2025-12633
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Affected Software
Booking Calendar | Appointment Booking | Bookit
Booking Calendar | Appointment Booking | Bookit
Researcher
CVE-ID
CVE-2025-12482
CVE-2025-12482
Patch Status
Patched
Patched
Published
Nov 15, 2025
Nov 15, 2025
Affected Software
Booking for Appointments and Events Calendar â Amelia
Booking for Appointments and Events Calendar â Amelia
Researcher
CVE-ID
CVE-2025-12903
CVE-2025-12903
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Affected Software
Payment Plugins Braintree For WooCommerce
Payment Plugins Braintree For WooCommerce
Researcher
CVE-ID
CVE-2025-11994
CVE-2025-11994
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Affected Software
Easy Email Subscription
Easy Email Subscription
Researcher
SNORDIAN’s H5PxAPIkatchu <= 0.4.17 – Unauthenticated Stored Cross-Site Scripting via insert_data
7.2
CVE-ID
CVE-2025-12904
CVE-2025-12904
Patch Status
Patched
Patched
Published
Nov 13, 2025
Nov 13, 2025
Affected Software
SNORDIAN’s H5PxAPIkatchu
SNORDIAN’s H5PxAPIkatchu
Researcher
CVE-ID
CVE-2025-12844
CVE-2025-12844
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
AI Engine
AI Engine
Researcher
CVE-ID
CVE-2025-12010
CVE-2025-12010
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Authors List
Authors List
Researcher
CVE-ID
CVE-2025-12089
CVE-2025-12089
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Data Tables Generator by Supsystic
Data Tables Generator by Supsystic
Researcher
CVE-ID
CVE-2025-11454
CVE-2025-11454
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Researcher
WP Project Manager <= 2.6.26 – Authenticated (Subscriber+) SQL Injection via ‘completed_at_operator’
6.5
CVE-ID
CVE-2025-8994
CVE-2025-8994
Patch Status
Patched
Patched
Published
Nov 14, 2025
Nov 14, 2025
Affected Software
AI-Powered Project Management & Task Manager with Kanban Board & Gantt Chart â WP Project Manager
AI-Powered Project Management & Task Manager with Kanban Board & Gantt Chart â WP Project Manager
Researcher
CVE-ID
CVE-2025-10295
CVE-2025-10295
Patch Status
Unpatched
Unpatched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Angel â Fashion Model Agency WordPress CMS Theme
Angel â Fashion Model Agency WordPress CMS Theme
CVE-ID
CVE-2025-64381
CVE-2025-64381
Patch Status
Patched
Patched
Published
Nov 13, 2025
Nov 13, 2025
Affected Software
Booking Calendar
Booking Calendar
Researcher
CVE-ID
CVE-2025-12753
CVE-2025-12753
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Chart Expert
Chart Expert
Researcher
Coon Google Maps <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVE-ID
CVE-2025-12662
CVE-2025-12662
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Coon Google Maps
Coon Google Maps
Researcher
CVE-ID
CVE-2025-11856
CVE-2025-11856
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Eventbee Ticketing Widget
Eventbee Ticketing Widget
Researcher
CVE-ID
CVE-2025-11829
CVE-2025-11829
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Five9 Live Chat
Five9 Live Chat
Researcher
CVE-ID
CVE-2025-12672
CVE-2025-12672
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Flickr Show
Flickr Show
Researcher
CVE-ID
CVE-2025-12754
CVE-2025-12754
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Geopost
Geopost
Researcher
CVE-ID
CVE-2025-12667
CVE-2025-12667
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
GitHub Gist Shortcode Plugin
GitHub Gist Shortcode Plugin
Researcher
CVE-ID
CVE-2025-11129
CVE-2025-11129
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Include Fussball.de Widgets
Include Fussball.de Widgets
Researchers
Jeba Cute forkit <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVE-ID
CVE-2025-12663
CVE-2025-12663
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Jeba Cute forkit
Jeba Cute forkit
Researcher
CVE-ID
CVE-2025-12651
CVE-2025-12651
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Live Photos on WordPress
Live Photos on WordPress
Researcher
CVE-ID
CVE-2025-11828
CVE-2025-11828
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Magazine Companion
Magazine Companion
Researcher
CVE-ID
CVE-2025-11863
CVE-2025-11863
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
My Geo Posts Free
My Geo Posts Free
Researcher
CVE-ID
CVE-2025-12644
CVE-2025-12644
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Nonaki â Drag and Drop Email Template builder and Newsletter plugin for WordPress
Nonaki â Drag and Drop Email Template builder and Newsletter plugin for WordPress
Researcher
CVE-ID
CVE-2025-11859
CVE-2025-11859
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Paypal Donation Shortcode
Paypal Donation Shortcode
Researcher
CVE-ID
CVE-2025-11869
CVE-2025-11869
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Precise Columns
Precise Columns
Researcher
CVE-ID
CVE-2025-12658
CVE-2025-12658
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Preload Current Images
Preload Current Images
Researcher
CVE-ID
CVE-2025-8397
CVE-2025-8397
Patch Status
Unpatched
Unpatched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Save as PDF Button
Save as PDF Button
Researcher
CVE-ID
CVE-2025-12711
CVE-2025-12711
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Share to Google Classroom
Share to Google Classroom
Researcher
CVE-ID
CVE-2025-11882
CVE-2025-11882
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Simple Donate
Simple Donate
Researcher
Skip to Timestamp <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVE-ID
CVE-2025-11805
CVE-2025-11805
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Skip to Timestamp
Skip to Timestamp
Researcher
CVE-ID
CVE-2024-5020
CVE-2024-5020
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Affected Software
Thumbnail Slider With Lightbox
Thumbnail Slider With Lightbox
Researcher
CVE-ID
CVE-2025-11860
CVE-2025-11860
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Twitter Feed
Twitter Feed
Researcher
CVE-ID
CVE-2025-12652
CVE-2025-12652
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Ungapped Widgets
Ungapped Widgets
Researcher
CVE-ID
CVE-2025-11821
CVE-2025-11821
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Woocommerce â Products By Custom Tax
Woocommerce â Products By Custom Tax
Researcher
CVE-ID
CVE-2025-11769
CVE-2025-11769
Patch Status
Unpatched
Unpatched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
WordPress Content Flipper
WordPress Content Flipper
Researcher
CVE-ID
CVE-2025-11873
CVE-2025-11873
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
WP BBCode
WP BBCode
Researcher
WP Bootstrap Tabs <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVE-ID
CVE-2025-11822
CVE-2025-11822
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
WP Bootstrap Tabs
WP Bootstrap Tabs
Researcher
CVE-ID
CVE-2025-12668
CVE-2025-12668
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
WP Count Down Timer
WP Count Down Timer
Researcher
CVE-ID
CVE-2025-12671
CVE-2025-12671
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
WP-Iconics
WP-Iconics
Researcher
CVE-ID
CVE-2025-12021
CVE-2025-12021
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
WP-OAuth
WP-OAuth
Researcher
CVE-ID
CVE-2025-12632
CVE-2025-12632
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
RandomQuotr
RandomQuotr
Researchers
CVE-ID
CVE-2025-12880
CVE-2025-12880
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Progress Bar Blocks for Gutenberg
Progress Bar Blocks for Gutenberg
Researcher
CVE-ID
CVE-2025-11874
CVE-2025-11874
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Slippy Slider â Responsive Touch Navigation Slider
Slippy Slider â Responsive Touch Navigation Slider
Researcher
CVE-ID
CVE-2025-12126
CVE-2025-12126
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
The Total Book Project
The Total Book Project
Researcher
CVE-ID
CVE-2025-11999
CVE-2025-11999
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Add Multiple Marker
Add Multiple Marker
Researcher
CVE-ID
CVE-2025-12681
CVE-2025-12681
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Comment Edit Core â Simple Comment Editing
Comment Edit Core â Simple Comment Editing
Researcher
CVE-ID
CVE-2025-12849
CVE-2025-12849
Patch Status
Patched
Patched
Published
Nov 14, 2025
Nov 14, 2025
Affected Software
Contest Gallery â Upload, Vote & Sell with PayPal and Stripe
Contest Gallery â Upload, Vote & Sell with PayPal and Stripe
Researcher
CVE-ID
CVE-2025-11986
CVE-2025-11986
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Crypto Tool
Crypto Tool
Researcher
CVE-ID
CVE-2025-11988
CVE-2025-11988
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Crypto Tool
Crypto Tool
Researcher
CVE-ID
CVE-2025-11997
CVE-2025-11997
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Document Pro Elementor â Documentation & Knowledge Base
Document Pro Elementor â Documentation & Knowledge Base
Researcher
Find Unused Images <= 1.0.7 – Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
5.3
CVE-ID
CVE-2025-11996
CVE-2025-11996
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Find Unused Images
Find Unused Images
Researcher
CVE-ID
CVE-2025-12377
CVE-2025-12377
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Gallery Plugin for WordPress â Envira Photo Gallery
Gallery Plugin for WordPress â Envira Photo Gallery
Researcher
CVE-ID
CVE-2025-12788
CVE-2025-12788
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Hydra Booking â Appointment Scheduling & Booking Calendar
Hydra Booking â Appointment Scheduling & Booking Calendar
Researcher
CVE-ID
CVE-2025-12787
CVE-2025-12787
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Hydra Booking â Appointment Scheduling & Booking Calendar
Hydra Booking â Appointment Scheduling & Booking Calendar
Researcher
CVE-ID
CVE-2025-11894
CVE-2025-11894
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Stock Management for WooCommerce by Shelf Planner
Stock Management for WooCommerce by Shelf Planner
Researcher
CVE-ID
CVE-2025-11891
CVE-2025-11891
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Stock Management for WooCommerce by Shelf Planner
Stock Management for WooCommerce by Shelf Planner
Researcher
CVE-ID
CVE-2025-12536
CVE-2025-12536
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
SureForms â Contact Form, Custom Form Builder, Calculator & More
SureForms â Contact Form, Custom Form Builder, Calculator & More
Researcher
CVE-ID
CVE-2025-12891
CVE-2025-12891
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Survey Maker
Survey Maker
Researcher
CVE-ID
CVE-2025-12892
CVE-2025-12892
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Survey Maker
Survey Maker
Researcher
CVE-ID
CVE-2025-64259
CVE-2025-64259
Patch Status
Patched
Patched
Published
Nov 13, 2025
Nov 13, 2025
Affected Software
Theater for WordPress
Theater for WordPress
Researcher
CVE-ID
CVE-2025-12979
CVE-2025-12979
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Welcart e-Commerce
Welcart e-Commerce
Researcher
CVE-ID
CVE-2025-11532
CVE-2025-11532
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Wisly
Wisly
Researcher
CVE-ID
CVE-2025-64293
CVE-2025-64293
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
0 Day Analytics
0 Day Analytics
Researcher
CVE-ID
CVE-2025-12020
CVE-2025-12020
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Double the Donation â A workplace giving tool
Double the Donation â A workplace giving tool
Researchers
CVE-ID
CVE-2025-12620
CVE-2025-12620
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Poll Maker â Versus Polls, Anonymous Polls, Image Polls
Poll Maker â Versus Polls, Anonymous Polls, Image Polls
Researcher
School Management System â WPSchoolPress <= 2.2.23 – Authenticated (Administrator+) SQL Injection
4.9
CVE-ID
CVE-2025-11981
CVE-2025-11981
Patch Status
Patched
Patched
Published
Nov 13, 2025
Nov 13, 2025
Affected Software
School Management System â WPSchoolPress
School Management System â WPSchoolPress
Researcher
CVE-ID
CVE-2025-12019
CVE-2025-12019
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Featured Image
Featured Image
Researcher
CVE-ID
CVE-2025-12538
CVE-2025-12538
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Fleet Manager
Fleet Manager
Researchers
CVE-ID
CVE-2025-12018
CVE-2025-12018
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Affected Software
MembershipWorks â Membership, Events & Directory
MembershipWorks â Membership, Events & Directory
Researcher
CVE-ID
CVE-2025-12631
CVE-2025-12631
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Squirrels Auto Inventory
Squirrels Auto Inventory
Researcher
CVE-ID
CVE-2025-12847
CVE-2025-12847
Patch Status
Patched
Patched
Published
Nov 14, 2025
Nov 14, 2025
Researcher
CVE-ID
CVE-2025-12113
CVE-2025-12113
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Researcher
CVE-ID
CVE-2025-64261
CVE-2025-64261
Patch Status
Patched
Patched
Published
Nov 15, 2025
Nov 15, 2025
Affected Software
Appointment Booking Calendar
Appointment Booking Calendar
Researcher
CVE-ID
CVE-2025-12901
CVE-2025-12901
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Affected Software
Asgaros Forum
Asgaros Forum
Researcher
CVE-ID
CVE-2025-12953
CVE-2025-12953
Patch Status
Patched
Patched
Published
Nov 10, 2025
Nov 10, 2025
Researcher
CVE-ID
CVE-2025-64369
CVE-2025-64369
Patch Status
Patched
Patched
Published
Nov 15, 2025
Nov 15, 2025
Affected Software
Contact Form Email
Contact Form Email
Researcher
CVE-ID
CVE-2025-12015
CVE-2025-12015
Patch Status
Unpatched
Unpatched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed
Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed
Researcher
CVE-ID
CVE-2025-11886
CVE-2025-11886
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
CTL Arcade Lite
CTL Arcade Lite
Researcher
CVE-ID
CVE-2025-12833
CVE-2025-12833
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Researcher
CVE-ID
CVE-2025-12494
CVE-2025-12494
Patch Status
Patched
Patched
Published
Nov 14, 2025
Nov 14, 2025
Affected Software
Image Gallery â Photo Grid & Video Gallery
Image Gallery â Photo Grid & Video Gallery
Researcher
CVE-ID
CVE-2025-12665
CVE-2025-12665
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Ninja Countdown | Fastest Countdown Builder
Ninja Countdown | Fastest Countdown Builder
Researcher
CVE-ID
CVE-2025-12366
CVE-2025-12366
Patch Status
Patched
Patched
Published
Nov 12, 2025
Nov 12, 2025
Affected Software
Page Builder: Pagelayer â Drag and Drop website builder
Page Builder: Pagelayer â Drag and Drop website builder
Researcher
CVE-ID
CVE-2025-64271
CVE-2025-64271
Patch Status
Patched
Patched
Published
Nov 13, 2025
Nov 13, 2025
Affected Software
WP Plugin Manager â Deactivate plugins per page
WP Plugin Manager â Deactivate plugins per page
Researcher
CVE-ID
CVE-2025-12526
CVE-2025-12526
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
Private Google Calendars
Private Google Calendars
Researcher
CVE-ID
CVE-2025-12182
CVE-2025-12182
Patch Status
Patched
Patched
Published
Nov 14, 2025
Nov 14, 2025
Affected Software
Qi Blocks
Qi Blocks
Researcher
CVE-ID
CVE-2025-64276
CVE-2025-64276
Patch Status
Patched
Patched
Published
Nov 14, 2025
Nov 14, 2025
Affected Software
Survey Maker
Survey Maker
Researcher
CVE-ID
CVE-2025-12588
CVE-2025-12588
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
USB Qr Code Scanner For Woocommerce
USB Qr Code Scanner For Woocommerce
Researcher
CVE-ID
CVE-2025-12087
CVE-2025-12087
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Affected Software
Wishlist and Save for later for Woocommerce
Wishlist and Save for later for Woocommerce
Researcher
CVE-ID
CVE-2025-64269
CVE-2025-64269
Patch Status
Patched
Patched
Published
Nov 14, 2025
Nov 14, 2025
Affected Software
PDF Builder for WooCommerce. Create invoices,packing slips and more
PDF Builder for WooCommerce. Create invoices,packing slips and more
Researcher
CVE-ID
CVE-2025-12132
CVE-2025-12132
Patch Status
Unpatched
Unpatched
Published
Nov 10, 2025
Nov 10, 2025
Affected Software
WP Custom Admin Login Page Logo
WP Custom Admin Login Page Logo
Researcher
CVE-ID
CVE-2025-12732
CVE-2025-12732
Patch Status
Patched
Patched
Published
Nov 11, 2025
Nov 11, 2025
Affected Software
WP Import â Ultimate CSV XML Importer for WordPress
WP Import â Ultimate CSV XML Importer for WordPress
Researcher
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfenceâs highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 10, 2025 to November 16, 2025) appeared first on Wordfence.
