Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-50555
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.29.0
Patched Versions: Elementor Website Builder 3.29.1
Mitigation steps: Update to Elementor Website Builder plugin version 3.29.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9994
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.1.12
Patched Versions: Essential Addons for Elementor 6.1.13
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.1.13 or greater.

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-3951
Number of Installations: 1,000,000+
Affected Software: WP-Optimize <= 4.1.9
Patched Versions: WP-Optimize 4.2.0
Mitigation steps: Update to WP-Optimize plugin version 4.2.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4479
Number of Installations: 1,000,000+
Affected Software: ElementsKit Elementor Addons and Templates <= 3.5.2
Patched Versions: ElementsKit Elementor Addons and Templates 3.5.3
Mitigation steps: Update to ElementsKit Elementor Addons and Templates plugin version 3.5.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4774
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.11.8
Patched Versions: Premium Addons for Elementor 4.11.9
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.11.9 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5144
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.13.2
Patched Versions: The Events Calendar 6.13.2.1
Mitigation steps: Update to The Events Calendar plugin version 6.13.2.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4205
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.20.4
Patched Versions: Popup Maker 1.20.5
Mitigation steps: Update to Popup Maker plugin version 1.20.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5336
Number of Installations: 600,000+
Affected Software: Click to Chat – HoliThemes <= 4.22
Patched Versions: Click to Chat – HoliThemes 4.23
Mitigation steps: Update to Click to Chat – HoliThemes plugin version 4.23 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5337
Number of Installations: 600,000+
Affected Software: MetaSlider <= 3.98.9
Patched Versions: MetaSlider 3.99.0
Mitigation steps: Update to MetaSlider plugin version 3.99.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5238
Number of Installations: 600,000+
Affected Software: YITH WooCommerce Wishlist <= 4.5.9
Patched Versions: YITH WooCommerce Wishlist 4.6.0
Mitigation steps: Update to YITH WooCommerce Wishlist plugin version 4.6.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5341
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.44.1
Patched Versions: Forminator Forms 1.44.2
Mitigation steps: Update to Forminator Forms plugin version 1.44.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-4047
Number of Installations: 600,000+
Affected Software: Broken Link Checker <= 2.4.4
Patched Versions: Broken Link Checker 2.4.5
Mitigation steps: Update to Broken Link Checker plugin version 2.4.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-49068
Number of Installations: 600,000+
Affected Software: Ocean Extra <= 2.4.8
Patched Versions: Ocean Extra 2.4.9
Mitigation steps: Update to Ocean Extra plugin version 2.4.9 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-49244
Number of Installations: 500,000+
Affected Software: Shortcodes Ultimate <= 7.3.9
Patched Versions: Shortcodes Ultimate 7.4.0
Mitigation steps: Update to Shortcodes Ultimate plugin version 7.4.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-23999
Number of Installations: 400,000+
Affected Software: Breeze <= 2.2.13
Patched Versions: Breeze 2.2.14
Mitigation steps: Update to Breeze plugin version 2.2.14 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-5760
Number of Installations: 300,000+
Affected Software: Simple History <= 5.8.1
Patched Versions: Simple History 5.8.2
Mitigation steps: Update to Simple History plugin version 5.8.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4577
Number of Installations: 200,000+
Affected Software: Smash Balloon Social Post Feed <= 4.3.1
Patched Versions: Smash Balloon Social Post Feed 4.3.2
Mitigation steps: Update to Smash Balloon Social Post Feed plugin version 4.3.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-52707
Number of Installations: 200,000+
Affected Software: Firelight Lightbox <= 2.3.16
Patched Versions: Firelight Lightbox 2.3.17
Mitigation steps: Update to Firelight Lightbox plugin version 2.3.17 or greater.

Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-3234
Number of Installations: 100,000+
Affected Software: File Manager Pro – Filester <= 1.8.8
Patched Versions: File Manager Pro – Filester 1.8.9
Mitigation steps: Update to File Manager Pro – Filester plugin version 1.8.9 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1485
Number of Installations: 100,000+
Affected Software: Real Cookie Banner <= 5.1.5
Patched Versions: Real Cookie Banner 5.1.6
Mitigation steps: Update to Real Cookie Banner plugin version 5.1.6 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-49076
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor <= 6.2.7
Patched Versions: The Plus Addons for Elementor 6.2.8
Mitigation steps: Update to The Plus Addons for Elementor plugin version 6.2.8 or greater.

Security Risk: Critical
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2025-32222
Number of Installations: 100,000+
Affected Software: Widget Logic (No fix available)
Patched Versions: No Fix
Mitigation steps: No patch currently available. Consider disabling or removing the plugin until a fix is released.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5528
Number of Installations: 100,000+
Affected Software: Sassy Social Share <= 3.3.75
Patched Versions: Sassy Social Share 3.3.76
Mitigation steps: Update to Sassy Social Share plugin version 3.3.76 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5209
Number of Installations: 100,000+
Affected Software: Ivory Search <= 5.5.9
Patched Versions: Ivory Search 5.5.10
Mitigation steps: Update to Ivory Search plugin version 5.5.10 or greater.

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-5071
Number of Installations: 100,000+
Affected Software: AI Engine <= 2.8.3
Patched Versions: AI Engine 2.8.4
Mitigation steps: Update to AI Engine plugin version 2.8.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4367
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.18
Patched Versions: Download Manager 3.3.19
Mitigation steps: Update to Download Manager plugin version 3.3.19 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-52710
Number of Installations: 100,000+
Affected Software: File Manager Pro – Filester <= 1.8.8
Patched Versions: File Manager Pro – Filester 1.8.9
Mitigation steps: Update to File Manager Pro – Filester plugin version 1.8.9 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-4571
Number of Installations: 100,000+
Affected Software: GiveWP <= 4.3.0
Patched Versions: GiveWP 4.3.1
Mitigation steps: Update to GiveWP plugin version 4.3.1 or greater.

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-52708
Number of Installations: 100,000+
Affected Software: HUSKY <= 1.3.7
Patched Versions: HUSKY 1.3.7.1
Mitigation steps: Update to HUSKY plugin version 1.3.7.1 or greater.

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-2939
Number of Installations: 80,000+
Affected Software: Ninja Tables <= 5.0.18
Patched Versions: Ninja Tables 5.0.19
Mitigation steps: Update to Ninja Tables plugin version 5.0.19 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5291
Number of Installations: 70,000+
Affected Software: Master Slider <= 3.10.8
Patched Versions: Master Slider 3.10.9
Mitigation steps: Update to Master Slider plugin version 3.10.9 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Request Forgery (CSRF)
CVE: CVE-2025-49286
Number of Installations: 60,000+
Affected Software: WP Table Builder <= 2.0.6
Patched Versions: WP Table Builder 2.0.7
Mitigation steps: Update to WP Table Builder plugin version 2.0.7 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-49318
Number of Installations: 60,000+
Affected Software: WPtouch <= 4.3.60
Patched Versions: WPtouch 4.3.61
Mitigation steps: Update to WPtouch plugin version 4.3.61 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-3515
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9
Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.0
Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 plugin version 1.3.9.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-52713
Number of Installations: 60,000+
Affected Software: Post and Page Builder by BoldGrid <= 1.27.8
Patched Versions: Post and Page Builder by BoldGrid 1.27.9
Mitigation steps: Update to Post and Page Builder by BoldGrid plugin version 1.27.9 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Request Forgery (CSRF)
CVE: CVE-2025-52711
Number of Installations: 60,000+
Affected Software: Post and Page Builder by BoldGrid <= 1.27.8
Patched Versions: Post and Page Builder by BoldGrid 1.27.9
Mitigation steps: Update to Post and Page Builder by BoldGrid plugin version 1.27.9 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4667
Number of Installations: 60,000+
Affected Software: Simply Schedule Appointments <= 1.6.8.31
Patched Versions: Simply Schedule Appointments 1.6.8.32
Mitigation steps: Update to Simply Schedule Appointments plugin version 1.6.8.32 or greater.

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-6220
Number of Installations: 60,000+
Affected Software: Ultra Addons for Contact Form 7 <= 3.5.12
Patched Versions: Ultra Addons for Contact Form 7 3.5.13
Mitigation steps: Update to Ultra Addons for Contact Form 7 plugin version 3.5.13 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-50051
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.5.4
Patched Versions: WP-Members Membership Plugin 3.5.4.1
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.4.1 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross Site Request Forgery (CSRF)
CVE: CVE-2025-49291
Number of Installations: 50,000+
Affected Software: Calculated Fields Form <= 5.3.58
Patched Versions: Calculated Fields Form 5.3.59
Mitigation steps: Update to Calculated Fields Form plugin version 5.3.59 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-49301
Number of Installations: 50,000+
Affected Software: Greenshift <= 11.5.6
Patched Versions: Greenshift 11.5.7
Mitigation steps: Update to Greenshift plugin version 11.5.7 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-48133
Number of Installations: 50,000+
Affected Software: Uncanny Automator (No fix available)
Patched Versions: No Fix
Mitigation steps: No patch currently available. Consider disabling or removing the plugin until a fix is released.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Spoofing
CVE: CVE-2025-49292
Number of Installations: 50,000+
Affected Software: User Profile Builder <= 3.13.8
Patched Versions: User Profile Builder 3.13.9
Mitigation steps: Update to User Profile Builder plugin version 3.13.9 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4671
Number of Installations: 50,000+
Affected Software: User Profile Builder <= 3.13.8
Patched Versions: User Profile Builder 3.13.9
Mitigation steps: Update to User Profile Builder plugin version 3.13.9 or greater.

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-49262
Number of Installations: 50,000+
Affected Software: Sina Extension for Elementor <= 3.6.9
Patched Versions: Sina Extension for Elementor 3.7.0
Mitigation steps: Update to Sina Extension for Elementor plugin version 3.7.0 or greater.

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-49854
Number of Installations: 50,000+
Affected Software: Slim SEO <= 4.5.4
Patched Versions: Slim SEO 4.5.5
Mitigation steps: Update to Slim SEO plugin version 4.5.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-50010
Number of Installations: 50,000+
Affected Software: Zapier for WordPress (No fix available)
Patched Versions: No Fix
Mitigation steps: No patch currently available. Consider disabling or removing the plugin until a fix is released.

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-5673
Number of Installations: 50,000+
Affected Software: Blog2Social <= 8.4.4
Patched Versions: Blog2Social 8.4.5
Mitigation steps: Update to Blog2Social plugin version 8.4.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-50027
Number of Installations: 50,000+
Affected Software: Login & Register Customizer <= 2.9.4
Patched Versions: Login & Register Customizer 2.9.5
Mitigation steps: Update to Login & Register Customizer plugin version 2.9.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6201
Number of Installations: 50,000+
Affected Software: Pixel Manager for WooCommerce <= 1.49.0
Patched Versions: Pixel Manager for WooCommerce 1.49.1
Mitigation steps: Update to Pixel Manager for WooCommerce plugin version 1.49.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5524
Number of Installations: 8,544,159 downloads
Affected Software: OceanWP Theme <= 4.0.9
Patched Versions: OceanWP Theme 4.1.0
Mitigation steps: Update to OceanWP theme version 4.1.0 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2025-52816
Number of Installations: 405,453 downloads
Affected Software: Zita Theme (No fix available)
Patched Versions: No Fix
Mitigation steps: No patch currently available. Consider disabling or removing the theme until a fix is released.

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.