Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9703
Number of Installations: 2,000,000+
Affected Software: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.9
Patched Versions: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) 2.5.0
Mitigation steps: Update to Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin version 2.5.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9496
Number of Installations: 600,000+
Affected Software: Enable Media Replace <= 4.1.6
Patched Versions: Enable Media Replace 4.1.7
Mitigation steps: Update to Enable Media Replace plugin version 4.1.7 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-10579
Number of Installations: 500,000+
Affected Software: BackWPup – WordPress Backup & Restore Plugin <= 5.5.0
Patched Versions: BackWPup – WordPress Backup & Restore Plugin 5.5.1
Mitigation steps: Update to BackWPup – WordPress Backup & Restore Plugin version 5.5.1 or greater.

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-10723
Number of Installations: 500,000+
Affected Software: PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 11.1.1
Patched Versions: PixelYourSite – Your smart PIXEL (TAG) & API Manager 11.1.2
Mitigation steps: Update to PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin version 11.1.2 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-10645
Number of Installations: 400,000+
Affected Software: WP Reset <= 2.05
Patched Versions: WP Reset 2.06
Mitigation steps: Update to WP Reset plugin version 2.06 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11378
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF <= 6.3.4
Patched Versions: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF 6.3.5
Mitigation steps: Update to ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin version 6.3.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12475
Number of Installations: 300,000+
Affected Software: Blocksy Companion <= 2.1.14
Patched Versions: Blocksy Companion 2.1.15
Mitigation steps: Update to Blocksy Companion plugin version 2.1.15 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-10732
Number of Installations: 300,000+
Affected Software: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more <= 1.12.1
Patched Versions: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more 1.12.2
Mitigation steps: Update to SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin version 1.12.2 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-11703
Number of Installations: 300,000+
Affected Software: WP Go Maps (formerly WP Google Maps) <= 9.0.48
Patched Versions: WP Go Maps (formerly WP Google Maps) 9.0.49
Mitigation steps: Update to WP Go Maps (formerly WP Google Maps) plugin version 9.0.49 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9562
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 3.2.6
Patched Versions: Redirection for Contact Form 7 3.2.7
Mitigation steps: Update to Redirection for Contact Form 7 plugin version 3.2.7 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9978
Number of Installations: 300,000+
Affected Software: Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress <= 2.6.9
Patched Versions: Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress 2.7.0
Mitigation steps: Update to Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress plugin version 2.7.0 or greater.

Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2025-11244
Number of Installations: 300,000+
Affected Software: Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content <= 2.7.11
Patched Versions: Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content 2.7.12
Mitigation steps: Update to Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content plugin version 2.7.12 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-11879
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 2.1.1
Patched Versions: GenerateBlocks 2.1.2
Mitigation steps: Update to GenerateBlocks plugin version 2.1.2 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-10694
Number of Installations: 200,000+
Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.8.9
Patched Versions: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds 1.9.0
Mitigation steps: Update to User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin version 1.9.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11270
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 5.7.1
Patched Versions: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns 5.7.2
Mitigation steps: Update to Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin version 5.7.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11361
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 5.7.1
Patched Versions: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns 5.7.2
Mitigation steps: Update to Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin version 5.7.2 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11510
Number of Installations: 200,000+
Affected Software: FileBird – WordPress Media Library Folders & File Manager <= 6.4.9
Patched Versions: FileBird – WordPress Media Library Folders & File Manager 6.5.0
Mitigation steps: Update to FileBird – WordPress Media Library Folders & File Manager plugin version 6.5.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11519
Number of Installations: 200,000+
Affected Software: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.1.0
Patched Versions: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization 4.1.1
Mitigation steps: Update to Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin version 4.1.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11536
Number of Installations: 100,000+
Affected Software: Element Pack Addons for Elementor <= 8.2.5
Patched Versions: Element Pack Addons for Elementor 8.2.6
Mitigation steps: Update to Element Pack Addons for Elementor plugin version 8.2.6 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11741
Number of Installations: 100,000+
Affected Software: WPC Smart Quick View for WooCommerce <= 4.2.5
Patched Versions: WPC Smart Quick View for WooCommerce 4.2.6
Mitigation steps: Update to WPC Smart Quick View for WooCommerce plugin version 4.2.6 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11742
Number of Installations: 100,000+
Affected Software: WPC Smart Wishlist for WooCommerce <= 5.0.4
Patched Versions: WPC Smart Wishlist for WooCommerce 5.0.5
Mitigation steps: Update to WPC Smart Wishlist for WooCommerce plugin version 5.0.5 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11227
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 4.10.1
Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform plugin version 4.10.1 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11228
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 4.10.1
Mitigation steps: Update to GiveWP – Donation Plugin and Fundraising Platform plugin version 4.10.1 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9710
Number of Installations: 100,000+
Affected Software: Responsive Lightbox & Gallery <= 2.5.2
Patched Versions: Responsive Lightbox & Gallery 2.5.3
Mitigation steps: Update to Responsive Lightbox & Gallery plugin version 2.5.3 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9512
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.49
Patched Versions: Schema & Structured Data for WP & AMP 1.50
Mitigation steps: Update to Schema & Structured Data for WP & AMP plugin version 1.50 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9560
Number of Installations: 100,000+
Affected Software: Colibri Page Builder <= 1.0.334
Patched Versions: Colibri Page Builder 1.0.335
Mitigation steps: Update to Colibri Page Builder plugin version 1.0.335 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9698
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.15
Patched Versions: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce 6.3.16
Mitigation steps: Update to The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin version 6.3.16 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11518
Number of Installations: 100,000+
Affected Software: WPC Smart Wishlist for WooCommerce <= 5.0.3
Patched Versions: WPC Smart Wishlist for WooCommerce 5.0.4
Mitigation steps: Update to WPC Smart Wishlist for WooCommerce plugin version 5.0.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-12136
Number of Installations: 100,000+
Affected Software: Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4
Patched Versions: Real Cookie Banner: GDPR & ePrivacy Cookie Consent 5.2.5
Mitigation steps: Update to Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin version 5.2.5 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-10874
Number of Installations: 100,000+
Affected Software: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.1
Patched Versions: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More 3.0.2
Mitigation steps: Update to Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin version 3.0.2 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11564
Number of Installations: 100,000+
Affected Software: Tutor LMS – eLearning and online course solution <= 3.8.9
Patched Versions: Tutor LMS – eLearning and online course solution 3.9.0
Mitigation steps: Update to Tutor LMS – eLearning and online course solution plugin version 3.9.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-10580
Number of Installations: 100,000+
Affected Software: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets <= 4.1.2
Patched Versions: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets 4.1.3
Mitigation steps: Update to Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin version 4.1.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11823
Number of Installations: 100,000+
Affected Software: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) <= 3.2.4
Patched Versions: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) 3.2.5
Mitigation steps: Update to ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin version 3.2.5 or greater.

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2025-11517
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.26.5
Patched Versions: Event Tickets and Registration 5.26.6
Mitigation steps: Update to Event Tickets and Registration plugin version 5.26.6 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-62027
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.26.3
Patched Versions: Event Tickets and Registration 5.26.4
Mitigation steps: Update to Event Tickets and Registration plugin version 5.26.4 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-10637
Number of Installations: 90,000+
Affected Software: Social Feed Gallery <= 4.9.2
Patched Versions: Social Feed Gallery 4.9.3
Mitigation steps: Update to Social Feed Gallery plugin version 4.9.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-48086
Number of Installations: 80,000+
Affected Software: Ajax Search Lite – Live Search & Filter <= 4.13.3
Patched Versions: Ajax Search Lite – Live Search & Filter 4.13.4
Mitigation steps: Update to Ajax Search Lite – Live Search & Filter plugin version 4.13.4 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11372
Number of Installations: 80,000+
Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.9.3
Patched Versions: LearnPress – WordPress LMS Plugin 4.2.9.4
Mitigation steps: Update to LearnPress – WordPress LMS Plugin version 4.2.9.4 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7400
Number of Installations: 80,000+
Affected Software: Featured Image from URL (FIFU) <= 5.2.7
Patched Versions: Featured Image from URL (FIFU) 5.2.8
Mitigation steps: Update to Featured Image from URL (FIFU) plugin version 5.2.8 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Open Redirection
CVE: CVE-2025-5983
Number of Installations: 80,000+
Affected Software: Meta Tag Manager <= 3.2
Patched Versions: Meta Tag Manager 3.3
Mitigation steps: Update to Meta Tag Manager plugin version 3.3 or greater.

Security Risk: Low
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11888
Number of Installations: 70,000+
Affected Software: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4
Patched Versions: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution 4.8.5
Mitigation steps: Update to ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin version 4.8.5 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2025-58595
Number of Installations: 70,000+
Affected Software: All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. <= 2.0.8
Patched Versions: All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. 2.0.9
Mitigation steps: Update to All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. plugin version 2.0.9 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Download
CVE: CVE-2025-11738
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.29
Patched Versions: Media Library Assistant 3.30
Mitigation steps: Update to Media Library Assistant plugin version 3.30 or greater.

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-8416
Number of Installations: 60,000+
Affected Software: Product Filter by WBW <= 2.9.7
Patched Versions: Product Filter by WBW 2.9.8
Mitigation steps: Update to Product Filter by WBW plugin version 2.9.8 or greater.

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11269
Number of Installations: 60,000+
Affected Software: Product Filter by WBW <= 3.0.0
Patched Versions: Product Filter by WBW 3.0.1
Mitigation steps: Update to Product Filter by WBW plugin version 3.0.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11176
Number of Installations: 50,000+
Affected Software: Quick Featured Images <= 13.7.2
Patched Versions: Quick Featured Images 13.7.3
Mitigation steps: Update to Quick Featured Images plugin version 13.7.3 or greater.

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7730
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.4.5
Patched Versions: Bold Page Builder 5.4.6
Mitigation steps: Update to Bold Page Builder plugin version 5.4.6 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11128
Number of Installations: 50,000+
Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 5.1.0
Patched Versions: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator 5.1.1
Mitigation steps: Update to RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin version 5.1.1 or greater.

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12033
Number of Installations: 50,000+
Affected Software: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website <= 3.0.9
Patched Versions: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website 3.1.0
Mitigation steps: Update to Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin version 3.1.0 or greater.

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8682
Number of Downloads: 2,613,735
Affected Software: Newsup <= 5.0.10
Patched Versions: Newsup 5.0.11
Mitigation steps: Update to Newsup theme version 5.0.11 or greater.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.