Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22642
Number of Installations: 60,000+
Affected Software: Dynamic Conditions
Patched Versions: No Fix
Mitigation steps: Currently, there is no fix available. Consider seeking alternative plugins or additional security measures.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13403
Number of Installations: 6,000,000+
Affected Software: WPForms – Easy Form Builder for WordPress <= 1.9.3.1
Patched Versions: WPForms 1.9.3.2
Mitigation steps: Update to WPForms plugin version 1.9.3.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-22659
Number of Installations: 200,000+
Affected Software: Orbit Fox by ThemeIsle <= 2.10.44
Patched Versions: Orbit Fox by ThemeIsle 2.10.45
Mitigation steps: Update to Orbit Fox by ThemeIsle plugin version 2.10.45 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11829
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.1.9
Patched Versions: The Plus Addons for Elementor 6.2.0
Mitigation steps: Update to The Plus Addons for Elementor plugin version 6.2.0 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2024-9664
Number of Installations: 100,000+
Affected Software: Import any XML, CSV or Excel File to WordPress <= 3.7.9
Patched Versions: Import any XML, CSV or Excel File to WordPress 3.8.0
Mitigation steps: Update to Import any XML, CSV or Excel File to WordPress plugin version 3.8.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12597
Number of Installations: 90,000+
Affected Software: HT Mega – Absolute Addons For Elementor <= 2.7.6
Patched Versions: HT Mega – Absolute Addons For Elementor 2.7.7
Mitigation steps: Update to HT Mega – Absolute Addons For Elementor plugin version 2.7.7 or greater.

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-0366
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.8.7
Patched Versions: Jupiter X Core 4.8.8
Mitigation steps: Update to Jupiter X Core plugin version 4.8.8 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2025-0365
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.8.7
Patched Versions: Jupiter X Core 4.8.8
Mitigation steps: Update to Jupiter X Core plugin version 4.8.8 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13699
Number of Installations: 200,000+
Affected Software: Qi Addons For Elementor <= 1.8.7
Patched Versions: Qi Addons For Elementor 1.8.8
Mitigation steps: Update to Qi Addons For Elementor plugin version 1.8.8 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12599
Number of Installations: 90,000+
Affected Software: HT Mega – Absolute Addons For Elementor <= 2.8.1
Patched Versions: HT Mega – Absolute Addons For Elementor 2.8.2
Mitigation steps: Update to HT Mega – Absolute Addons For Elementor plugin version 2.8.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2025-0859
Number of Installations: 70,000+
Affected Software: Post and Page Builder by BoldGrid <= 1.27.6
Patched Versions: Post and Page Builder by BoldGrid 1.27.7
Mitigation steps: Update to Post and Page Builder by BoldGrid plugin version 1.27.7 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2024-13229
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.235
Patched Versions: Rank Math SEO 1.0.236
Mitigation steps: Update to Rank Math SEO plugin version 1.0.236 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13227
Number of Installations: 3,000,000+
Affected Software: Rank Math SEO <= 1.0.235
Patched Versions: Rank Math SEO 1.0.236
Mitigation steps: Update to Rank Math SEO plugin version 1.0.236 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1005
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.4.0
Patched Versions: ElementsKit Elementor addons 3.4.1
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.4.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-26763
Number of Installations: 600,000+
Affected Software: Slider, Gallery, and Carousel by MetaSlider <= 3.94.0
Patched Versions: Slider, Gallery, and Carousel by MetaSlider 3.95.0
Mitigation steps: Update to Slider, Gallery, and Carousel by MetaSlider plugin version 3.95.0 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-7052
Number of Installations: 500,000+
Affected Software: Forminator Forms <= 1.38.2
Patched Versions: Forminator Forms 1.38.3
Mitigation steps: Update to Forminator Forms plugin version 1.38.3 or greater.

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0521
Number of Installations: 400,000+
Affected Software: Post SMTP <= 3.0.9
Patched Versions: Post SMTP 3.1.0
Mitigation steps: Update to Post SMTP plugin version 3.1.0 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2024-13794
Number of Installations: 200,000+
Affected Software: WP Ghost (Hide My WP Ghost) <= 5.4.00
Patched Versions: WP Ghost (Hide My WP Ghost) 5.4.01
Mitigation steps: Update to WP Ghost (Hide My WP Ghost) plugin version 5.4.01 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-0924
Number of Installations: 200,000+
Affected Software: WP Activity Log <= 5.2.9
Patched Versions: WP Activity Log 5.3.0
Mitigation steps: Update to WP Activity Log plugin version 5.3.0 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13119
Number of Installations: 200,000+
Affected Software: ProfilePress <= 4.15.19
Patched Versions: ProfilePress 4.15.20
Mitigation steps: Update to ProfilePress plugin version 4.15.20 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13125
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.0.8
Patched Versions: Everest Forms 3.0.8.1
Mitigation steps: Update to Everest Forms plugin version 3.0.8.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2025-22630
Number of Installations: 100,000+
Affected Software: Widget Options <= 4.1.0
Patched Versions: Widget Options 4.1.1
Mitigation steps: Update to Widget Options plugin version 4.1.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10322
Number of Installations: 80,000+
Affected Software: Brizy <= 2.6.8
Patched Versions: Brizy 2.6.9
Mitigation steps: Update to Brizy plugin version 2.6.9 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2024-10960
Number of Installations: 80,000+
Affected Software: Brizy <= 2.6.4
Patched Versions: Brizy 2.6.5
Mitigation steps: Update to Brizy plugin version 2.6.5 or greater.

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-26758
Number of Installations: 60,000+
Affected Software: Spotlight Social Feeds <= 1.7.1
Patched Versions: Spotlight Social Feeds 1.7.2
Mitigation steps: Update to Spotlight Social Feeds plugin version 1.7.2 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2024-13821
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.10.0
Patched Versions: WP Booking Calendar 10.10.1
Mitigation steps: Update to WP Booking Calendar plugin version 10.10.1 or greater.

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-54444
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.25.10
Patched Versions: Elementor Website Builder 3.25.11
Mitigation steps: Update to Elementor Website Builder plugin version 3.25.11 or greater.

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13445
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.27.4
Patched Versions: Elementor Website Builder 3.27.5
Mitigation steps: Update to Elementor Website Builder plugin version 3.27.5 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-0968
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor addons <= 3.4.0
Patched Versions: ElementsKit Elementor addons 3.4.1
Mitigation steps: Update to ElementsKit Elementor addons plugin version 3.4.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-23638
Number of Installations: 1,000,000+
Affected Software: SVG Support <= 2.5.8
Patched Versions: SVG Support 2.5.9
Mitigation steps: Update to SVG Support plugin version 2.5.9 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10222
Number of Installations: 1,000,000+
Affected Software: SVG Support <= 2.5.10
Patched Versions: SVG Support 2.5.11
Mitigation steps: Update to SVG Support plugin version 2.5.11 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2024-13869
Number of Installations: 600,000+
Affected Software: WPvivid Backup & Migration <= 0.9.112
Patched Versions: WPvivid Backup & Migration 0.9.113
Mitigation steps: Update to WPvivid Backup & Migration plugin version 0.9.113 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-13900
Number of Installations: 300,000+
Affected Software: Head, Footer and Post Injections <= 3.3.0
Patched Versions: Head, Footer and Post Injections 3.3.1
Mitigation steps: Update to Head, Footer and Post Injections plugin version 3.3.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13155
Number of Installations: 300,000+
Affected Software: Unlimited Elements For Elementor <= 1.5.140
Patched Versions: Unlimited Elements For Elementor 1.5.141
Mitigation steps: Update to Unlimited Elements For Elementor plugin version 1.5.141 or greater.

Security Risk: Low
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-26977
Number of Installations: 200,000+
Affected Software: FileBird <= 6.4.5
Patched Versions: FileBird 6.4.6
Mitigation steps: Update to FileBird plugin version 6.4.6 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-26871
Number of Installations: 100,000+
Affected Software: Essential Blocks <= 4.8.3
Patched Versions: Essential Blocks 4.8.4
Mitigation steps: Update to Essential Blocks plugin version 4.8.4 or greater.

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-1128
Number of Installations: 100,000+
Affected Software: Everest Forms <= 3.0.9.4
Patched Versions: Everest Forms 3.0.9.5
Mitigation steps: Update to Everest Forms plugin version 3.0.9.5 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-26975
Number of Installations: 100,000+
Affected Software: Strong Testimonials <= 3.2.3
Patched Versions: Strong Testimonials 3.2.4
Mitigation steps: Update to Strong Testimonials plugin version 3.2.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-1402
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.19.1.1
Patched Versions: Event Tickets and Registration 5.19.1.2
Mitigation steps: Update to Event Tickets and Registration plugin version 5.19.1.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13585
Number of Installations: 80,000+
Affected Software: Ajax Search Lite <= 4.12.4
Patched Versions: Ajax Search Lite 4.12.5
Mitigation steps: Update to Ajax Search Lite plugin version 4.12.5 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-26965
Number of Installations: 80,000+
Affected Software: Booking for Appointments and Events Calendar <= 1.2.16
Patched Versions: Booking for Appointments and Events Calendar 1.2.17
Mitigation steps: Update to Booking for Appointments and Events Calendar plugin version 1.2.17 or greater.

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2024-11260
Number of Installations: 80,000+
Affected Software: Events Manager <= 6.6.3
Patched Versions: Events Manager 6.6.4
Mitigation steps: Update to Events Manager plugin version 6.6.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12173
Number of Installations: 80,000+
Affected Software: Master Slider <= 3.10.4
Patched Versions: Master Slider 3.10.5
Mitigation steps: Update to Master Slider plugin version 3.10.5 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12770
Number of Installations: 80,000+
Affected Software: WP ULike <= 4.7.5
Patched Versions: WP ULike 4.7.6
Mitigation steps: Update to WP ULike plugin version 4.7.6 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-24810
Number of Installations: 70,000+
Affected Software: Simple Image Sizes <= 3.2.2
Patched Versions: Simple Image Sizes 3.2.3
Mitigation steps: Update to Simple Image Sizes plugin version 3.2.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-1043
Number of Installations: 60,000+
Affected Software: Embed Any Document <= 2.7.5
Patched Versions: Embed Any Document 2.7.6
Mitigation steps: Update to Embed Any Document plugin version 2.7.6 or greater.

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-4002
Number of Installations: 60,000+
Affected Software: WP Carousel <= 2.6.8
Patched Versions: WP Carousel 2.6.9
Mitigation steps: Update to WP Carousel plugin version 2.6.9 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13314
Number of Installations: 60,000+
Affected Software: WP Carousel <= 2.7.3
Patched Versions: WP Carousel 2.7.4
Mitigation steps: Update to WP Carousel plugin version 2.7.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1064
Number of Installations: 50,000+
Affected Software: Login/Signup Popup <= 2.8.5
Patched Versions: Login/Signup Popup 2.8.6
Mitigation steps: Update to Login/Signup Popup plugin version 2.8.6 or greater.

Security Risk: Low
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13605
Number of Installations: 50,000+
Affected Software: Form Maker by 10Web <= 1.15.32
Patched Versions: Form Maker by 10Web 1.15.33
Mitigation steps: Update to Form Maker by 10Web plugin version 1.15.33 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.