Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22308
Number of Installations: 50,000+
Affected Software: Smart Custom Fields <= 5.0.0
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative plugins or additional security measures.
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0393
Number of Installations: 500,000+
Affected Software: Royal Elementor Addons and Templates <= 1.7.1006
Patched Versions: Royal Elementor Addons and Templates 1.7.1007
Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.7.1007 or greater.
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-22800
Number of Installations: 400,000+
Affected Software: Post SMTP <= 2.9.11
Patched Versions: Post SMTP 2.9.12
Mitigation steps: Update to Post SMTP plugin version 2.9.12 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0311
Number of Installations: 200,000+
Affected Software: Orbit Fox by ThemeIsle <= 2.10.43
Patched Versions: Orbit Fox by ThemeIsle 2.10.44
Mitigation steps: Update to Orbit Fox by ThemeIsle plugin version 2.10.44 or greater.
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-22777
Number of Installations: 100,000+
Affected Software: GiveWP <= 3.19.3
Patched Versions: GiveWP 3.19.4
Mitigation steps: Update to GiveWP plugin version 3.19.4 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22759
Number of Installations: 70,000+
Affected Software: Post and Page Builder by BoldGrid <= 1.27.5
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative plugins or additional security measures.
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0215
Number of Installations: 3,000,000+
Affected Software: UpdraftPlus <= 1.25.0
Patched Versions: UpdraftPlus 1.25.1
Mitigation steps: Update to UpdraftPlus plugin version 1.25.1 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-0318
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.9.1
Patched Versions: Ultimate Member 2.9.2
Mitigation steps: Update to Ultimate Member plugin version 2.9.2 or greater.
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-0308
Number of Installations: 200,000+
Affected Software: Ultimate Member <= 2.9.1
Patched Versions: Ultimate Member 2.9.2
Mitigation steps: Update to Ultimate Member plugin version 2.9.2 or greater.
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-22722
Number of Installations: 100,000+
Affected Software: Widget Options <= 4.0.8
Patched Versions: Widget Options 4.0.9
Mitigation steps: Update to Widget Options plugin version 4.0.9 or greater.
Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22738
Number of Installations: 80,000+
Affected Software: WP ULike <= 4.7.6
Patched Versions: WP ULike 4.7.7
Mitigation steps: Update to WP ULike plugin version 4.7.7 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24746
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.20.2
Patched Versions: Popup Maker 1.20.3
Mitigation steps: Update to Popup Maker plugin version 1.20.3 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24751
Number of Installations: 400,000+
Affected Software: Page Builder Gutenberg Blocks – CoBlocks <= 3.1.13
Patched Versions: Page Builder Gutenberg Blocks – CoBlocks 3.1.14
Mitigation steps: Update to Page Builder Gutenberg Blocks – CoBlocks plugin version 3.1.14 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24750
Number of Installations: 400,000+
Affected Software: ExactMetrics <= 8.1.9
Patched Versions: ExactMetrics 8.2.0
Mitigation steps: Update to ExactMetrics plugin version 8.2.0 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24753
Number of Installations: 400,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.3.1
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.3.2
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.3.2 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24573
Number of Installations: 200,000+
Affected Software: Page Builder: Pagelayer <= 1.9.4
Patched Versions: Page Builder: Pagelayer 1.9.5
Mitigation steps: Update to Page Builder: Pagelayer plugin version 1.9.5 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24736
Number of Installations: 200,000+
Affected Software: Post Duplicator <= 2.35
Patched Versions: Post Duplicator 2.36
Mitigation steps: Update to Post Duplicator plugin version 2.36 or greater.
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-24649
Number of Installations: 100,000+
Affected Software: Admin and Site Enhancements (ASE) <= 7.6.2
Patched Versions: Admin and Site Enhancements (ASE) 7.6.3
Mitigation steps: Update to Admin and Site Enhancements (ASE) plugin version 7.6.3 or greater.
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Open Redirection
CVE: CVE-2025-24740
Number of Installations: 90,000+
Affected Software: LearnPress <= 4.2.7.1
Patched Versions: LearnPress 4.2.7.2
Mitigation steps: Update to LearnPress plugin version 4.2.7.2 or greater.
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24579
Number of Installations: 90,000+
Affected Software: Nested Pages <= 3.2.9
Patched Versions: Nested Pages 3.2.10
Mitigation steps: Update to Nested Pages plugin version 3.2.10 or greater.
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-24689
Number of Installations: 70,000+
Affected Software: Import and export users and customers <= 1.27.12
Patched Versions: Import and export users and customers 1.27.13
Mitigation steps: Update to Import and export users and customers plugin version 1.27.13 or greater.
Security Risk: Medium
Exploitation Level: Requires Shop Manager or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24644
Number of Installations: 60,000+
Affected Software: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.7.1
Patched Versions: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels 4.7.2
Mitigation steps: Update to WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin version 4.7.2 or greater.
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2025-24734
Number of Installations: 50,000+
Affected Software: Better Find and Replace <= 1.6.7
Patched Versions: Better Find and Replace 1.6.8
Mitigation steps: Update to Better Find and Replace plugin version 1.6.8 or greater.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22339
Number of Downloads: 50,956
Affected Software: Store Commerce <= 1.2.3
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative themes or additional security measures.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22821
Number of Downloads: 53,724
Affected Software: StorePress <= 1.0.12
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative themes or additional security measures.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.