Last week, there were 74 vulnerabilities disclosed in 67 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 31,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
-
- WAF-RULE-877 – Data redacted while we work with the vendor on a patch.
- Frontend Admin by DynamiApps <= 3.28.20 – Unauthenticated Arbitrary Options Update
- WP Directory Kit <= 1.4.4 – Authentication Bypass to Privilege Escalation via Account Takeover
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 47 |
| Unpatched | 27 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 59 |
| High Severity | 6 |
| Critical Severity | 9 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Missing Authorization | 21 |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 19 |
| Authorization Bypass Through User-Controlled Key | 6 |
| Cross-Site Request Forgery (CSRF) | 5 |
| Improper Privilege Management | 5 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Deserialization of Untrusted Data | 2 |
| Exposure of Sensitive Information to an Unauthorized Actor | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Client-Side Enforcement of Server-Side Security | 1 |
| External Control of File Name or Path | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Incorrect Authorization | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 7 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Ace Post Type Builder | ace-post-type-builder |
| Admin and Customer Messages After Order for WooCommerce: OrderConvo | admin-and-client-message-after-order-for-woocommerce |
| AI ChatBot with ChatGPT and Content Generator by AYS | ays-chatgpt-assistant |
| AI Engine for WordPress: ChatGPT, GPT Content Generator | liquid-chatgpt |
| AI Feeds | ai-feeds |
| Analytics Germanized for Google Analytics (GDPR / DSGVO) | ga-germanized |
| atec Duplicate Page & Post | atec-duplicate-page-post |
| Autochat Automatic Conversation | auyautochat-for-wp |
| Blog2Social: Social Media Auto Post & Scheduler | blog2social |
| Bold Page Builder | bold-page-builder |
| Bookme – Free Online Appointment Booking and Scheduling Plugin | bookme-free-appointment-booking-system |
| Chamber Dashboard Business Directory | chamber-dashboard-business-directory |
| CIBELES AI | cibeles-ai |
| Conditionnal Maintenance Mode for WordPress | maintenance-mode-based-on-user-roles |
| Customer Reviews Collector for WooCommerce | customer-reviews-collector-for-woocommerce |
| EduKart Pro | edukart-pro |
| Featured Post Creative | featured-post-creative |
| FindAll Listing | findall-listing |
| FindAll Membership | findall-membership |
| FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses | fluent-community |
| Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders |
| Frontend File Manager Plugin | nmedia-user-file-uploader |
| Google Drive upload and download link | google-drive-upload-and-download-link |
| Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor | gutenverse-form |
| Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem | gutenverse |
| Hide Category by User Role for WooCommerce | hide-category-by-user-role-for-woocommerce |
| Inline frame – Iframe | inline-frame-iframe |
| JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder |
| Job Board by BestWebSoft | job-board |
| Just Highlight | just-highlight |
| KiviCare – Clinic & Patient Management System (EHR) | kivicare-clinic-management-system |
| Locker Content | locker-content |
| Nextend Social Login and Register | nextend-facebook-connect |
| Peer Publish | peer-publish |
| Perfect Brands for WooCommerce | perfect-woocommerce-brands |
| Poll, Survey & Quiz Maker Plugin by Opinion Stage | social-polls-by-opinionstage |
| PowerPress Podcasting plugin by Blubrry | powerpress |
| ProjectList | projectlist |
| Property Hive | propertyhive |
| QODE Wishlist for WooCommerce | qode-wishlist-for-woocommerce |
| Quick View for WooCommerce | woo-quickview |
| Refund Request for WooCommerce | refund-request-for-woocommerce |
| Reuters Direct | reuters-direct |
| Search Exclude | search-exclude |
| Shouty | shouty |
| Show Variations as Single Products Woocommerce | woo-show-single-variations-shop-category |
| Simple Folio | simple-folio |
| SKT PayPal for WooCommerce | skt-paypal-for-woocommerce |
| Sneeit Framework | sneeit-framework |
| Social Images Widget | social-images-widget |
| SortTable Post | sorttable-post |
| Soundslides | soundslides |
| StaffList | stafflist |
| StreamTube Core | streamtube-core |
| Subscriptions & Memberships for PayPal | subscriptions-memberships-for-paypal |
| Telegram Bot & Channel | telegram-bot |
| Tiare Membership | tiare-membership |
| Unlimited Elements For Elementor | unlimited-elements-for-elementor |
| Unlimited Elements for Elementor (Premium) | unlimited-elements-for-elementor-premium |
| UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | userswp |
| Wishlist for WooCommerce | th-wishlist |
| WP Directory Kit | wpdirectorykit |
| WP Fastest Cache | wp-fastest-cache |
| WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress | wp-webhooks |
| wp-twitpic | wp-twitpic |
| YouTube Subscribe | easy-youtube-subscribe |
| Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile | zweb-social-mobile |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Houzez | houzez |
| Tiger | tiger |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
CVE-2025-13597
Patched
Nov 25, 2025
AI Feeds
CVE-2025-13595
Patched
Nov 25, 2025
CIBELES AI
CVE-2025-13559
Unpatched
Nov 24, 2025
EduKart Pro
CVE-2025-13538
Patched
Nov 26, 2025
FindAll Listing
CVE-2025-13539
Patched
Nov 26, 2025
FindAll Membership
CVE-2025-6389
Patched
Nov 24, 2025
Sneeit Framework
CVE-2025-13615
Patched
Nov 29, 2025
StreamTube Core
CVE-2025-13540
Patched
Nov 26, 2025
Tiare Membership
CVE-2025-13536
Patched
Nov 26, 2025
PowerPress Podcasting plugin by Blubrry
CVE-2025-13680
Unpatched
Nov 26, 2025
Tiger
CVE-2025-7820
Patched
Nov 26, 2025
SKT PayPal for WooCommerce
CVE-2025-13376
Unpatched
Nov 24, 2025
ProjectList
Telegram Bot & Channel <= 4.1 – Unauthenticated Stored Cross-Site Scripting via Telegram Username
CVE-2025-13068
Patched
Nov 24, 2025
Telegram Bot & Channel
CVE-2025-13692
Patched
Nov 26, 2025
CVE-2025-66073
Patched
Nov 26, 2025
CVE-2025-13378
Patched
Nov 26, 2025
AI ChatBot with ChatGPT and Content Generator by AYS
CVE-2025-13380
Unpatched
Nov 24, 2025
AI Engine for WordPress: ChatGPT, GPT Content Generator
CVE-2025-66095
Patched
Nov 27, 2025
KiviCare – Clinic & Patient Management System (EHR)
CVE-2025-10144
Patched
Nov 24, 2025
Perfect Brands for WooCommerce
CVE-2025-12040
Patched
Nov 24, 2025
Wishlist for WooCommerce
CVE-2025-64292
Patched
Nov 28, 2025
Analytics Germanized for Google Analytics (GDPR / DSGVO)
CVE-2025-66057
Patched
Nov 27, 2025
Bold Page Builder
CVE-2025-12666
Unpatched
Nov 26, 2025
Google Drive upload and download link
CVE-2025-12645
Unpatched
Nov 24, 2025
Inline frame – Iframe
CVE-2025-12712
Unpatched
Nov 26, 2025
Shouty
CVE-2025-12151
Patched
Nov 26, 2025
Simple Folio
CVE-2025-12649
Unpatched
Nov 26, 2025
SortTable Post
CVE-2025-12713
Unpatched
Nov 26, 2025
Soundslides
CVE-2025-12670
Unpatched
Nov 26, 2025
wp-twitpic
CVE-2025-9191
Patched
Nov 26, 2025
Houzez
CVE-2025-12123
Patched
Nov 26, 2025
Customer Reviews Collector for WooCommerce
CVE-2025-9163
Patched
Nov 26, 2025
Houzez
CVE-2025-13383
Patched
Nov 24, 2025
Job Board by BestWebSoft
CVE-2025-13525
Patched
Nov 26, 2025
WP Directory Kit
Blog2Social <= 8.7.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing
CVE-2025-13558
Patched
Nov 24, 2025
Blog2Social: Social Media Auto Post & Scheduler
CVE-2025-13405
Unpatched
Nov 24, 2025
Ace Post Type Builder
CVE-2025-13389
Unpatched
Nov 24, 2025
Admin and Customer Messages After Order for WooCommerce: OrderConvo
CVE-2025-13381
Patched
Nov 26, 2025
AI ChatBot with ChatGPT and Content Generator by AYS
CVE-2025-13404
Patched
Nov 24, 2025
atec Duplicate Page & Post
Autochat Automatic Conversation <= 1.1.9 – Missing Authorization to Unauthenticated Settings Update
CVE-2025-12043
Unpatched
Nov 24, 2025
Autochat Automatic Conversation
CVE-2025-13414
Unpatched
Nov 24, 2025
Chamber Dashboard Business Directory
CVE-2025-13441
Patched
Nov 26, 2025
Hide Category by User Role for WooCommerce
CVE-2025-64384
Patched
Nov 29, 2025
JetFormBuilder — Dynamic Blocks Form Builder
CVE-2025-12525
Patched
Nov 24, 2025
Locker Content
CVE-2025-13157
Patched
Nov 26, 2025
QODE Wishlist for WooCommerce
CVE-2025-12584
Patched
Nov 26, 2025
Quick View for WooCommerce
CVE-2025-12579
Unpatched
Nov 26, 2025
Reuters Direct
CVE-2025-66114
Patched
Nov 28, 2025
Show Variations as Single Products Woocommerce
CVE-2025-13386
Unpatched
Nov 24, 2025
Social Images Widget
CVE-2025-66107
Patched
Nov 28, 2025
Subscriptions & Memberships for PayPal
CVE-2025-66072
Patched
Nov 25, 2025
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
CVE-2025-13385
Unpatched
Nov 24, 2025
Bookme – Free Online Appointment Booking and Scheduling Plugin
CVE-2025-13370
Unpatched
Nov 24, 2025
ProjectList
CVE-2025-13311
Unpatched
Nov 24, 2025
Just Highlight
CVE-2025-12025
Unpatched
Nov 24, 2025
YouTube Subscribe
CVE-2025-12032
Unpatched
Nov 24, 2025
Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile
CVE-2025-13452
Unpatched
Nov 24, 2025
Admin and Customer Messages After Order for WooCommerce: OrderConvo
CVE-2025-12586
Patched
Nov 24, 2025
Conditionnal Maintenance Mode for WordPress
CVE-2025-66106
Patched
Nov 26, 2025
Featured Post Creative
CVE-2025-66084
Patched
Nov 28, 2025
FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses
CVE-2025-12971
Patched
Nov 26, 2025
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
CVE-2025-13382
Unpatched
Nov 24, 2025
Frontend File Manager Plugin
CVE-2025-66065
Patched
Nov 28, 2025
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem
CVE-2025-66079
Patched
Nov 28, 2025
Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor
Nextend Social Login and Register <= 3.1.21 – Cross-Site Request Forgery to Unlink User Social Login
CVE-2025-13737
Patched
Nov 27, 2025
Nextend Social Login and Register
CVE-2025-12587
Unpatched
Nov 24, 2025
Peer Publish
CVE-2025-13143
Patched
Nov 26, 2025
Poll, Survey & Quiz Maker Plugin by Opinion Stage
CVE-2025-66087
Patched
Nov 24, 2025
Property Hive
CVE-2025-12634
Unpatched
Nov 24, 2025
Refund Request for WooCommerce
CVE-2025-12578
Unpatched
Nov 26, 2025
Reuters Direct
CVE-2025-10646
Patched
Nov 24, 2025
Search Exclude
WP Fastest Cache <= 1.4.0 – Missing Authorization to Authenticated (Subscriber+) DB Cleanup Actions
CVE-2025-10476
Patched
Nov 26, 2025
WP Fastest Cache
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 24, 2025 to November 30, 2025) appeared first on Wordfence.
