Vulnerability & Patch Roundup — May 2025

  • May 30, 2025
Sucuri WordPress Vulnerability Roundup May 2025

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.

Plugins

Newsletter – Send awesome emails from WordPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3583
Number of Installations: 300,000+
Affected Software: Newsletter – Send awesome emails from WordPress <= 8.7.0
Patched Versions: Newsletter – Send awesome emails from WordPress 8.7.1

Mitigation steps: Update to Newsletter – Send awesome emails from WordPress plugin version 8.7.1 or greater.

SureForms – Drag and Drop Form Builder for WordPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3513
Number of Installations: 200,000+
Affected Software: SureForms – Drag and Drop Form Builder for WordPress <= 1.4.3
Patched Versions: SureForms – Drag and Drop Form Builder for WordPress 1.4.4

Mitigation steps: Update to SureForms – Drag and Drop Form Builder for WordPress plugin version 1.4.4 or greater.

Popup and Slider Builder by Depicter – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-2011
Number of Installations: 100,000+
Affected Software: Popup and Slider Builder by Depicter <= 3.6.1
Patched Versions: Popup and Slider Builder by Depicter 3.6.2

Mitigation steps: Update to Popup and Slider Builder by Depicter plugin version 3.6.2 or greater.

OttoKit: All-in-One Automation Platform (Formerly SureTriggers) – Privilege Escalation

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2025-27007
Number of Installations: 100,000+
Affected Software: OttoKit: All-in-One Automation Platform (Formerly SureTriggers) <= 1.0.82
Patched Versions: OttoKit: All-in-One Automation Platform (Formerly SureTriggers) 1.0.83

Mitigation steps: Update to OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin version 1.0.83 or greater.

User Registration & Membership – Custom Registration Form, Login Form, and User Profile – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-3281
Number of Installations: 70,000+
Affected Software: User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.2.1
Patched Versions: User Registration & Membership – Custom Registration Form, Login Form, and User Profile 4.2.2

Mitigation steps: Update to User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin version 4.2.2 or greater.

WP Maps – Display Google Maps Perfectly with Ease – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3502
Number of Installations: 70,000+
Affected Software: WP Maps – Display Google Maps Perfectly with Ease <= 4.7.1
Patched Versions: WP Maps – Display Google Maps Perfectly with Ease 4.7.2

Mitigation steps: Update to WP Maps – Display Google Maps Perfectly with Ease plugin version 4.7.2 or greater.

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – Arbitrary Code Execution

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2025-47691
Number of Installations: 200,000+
Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.

Inline Related Posts – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47604
Number of Installations: 100,000+
Affected Software: Inline Related Posts (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.

List category posts – Local File Inclusion

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-47636
Number of Installations: 90,000+
Affected Software: List category posts (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.

WP Maintenance – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-47683
Number of Installations: 50,000+
Affected Software: WP Maintenance (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.

LiteSpeed Cache – Server Side Request Forgery (SSRF)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-47437
Number of Installations: 7,000,000+
Affected Software: LiteSpeed Cache <= 7.0.0
Patched Versions: LiteSpeed Cache 7.1

Mitigation steps: Update to LiteSpeed Cache plugin version 7.1 or greater.

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3794
Number of Installations: 6,000,000+
Affected Software: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.9.5
Patched Versions: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More 1.9.5.1

Mitigation steps: Update to WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin version 1.9.5.1 or greater.

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-3949
Number of Installations: 800,000+
Affected Software: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.18.15
Patched Versions: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode 6.18.16

Mitigation steps: Update to Website Builder by SeedProd plugin version 6.18.16 or greater.

MailPoet – Newsletters, Email Marketing, and Automation – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-12743
Number of Installations: 600,000+
Affected Software: MailPoet – Newsletters, Email Marketing, and Automation <= 5.5.1
Patched Versions: MailPoet – Newsletters, Email Marketing, and Automation 5.5.2

Mitigation steps: Update to MailPoet – Newsletters, Email Marketing, and Automation plugin version 5.5.2 or greater.

Royal Elementor Addons and Templates – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-39361
Number of Installations: 600,000+
Affected Software: Royal Elementor Addons and Templates <= 1.7.1017
Patched Versions: Royal Elementor Addons and Templates 1.7.1018

Mitigation steps: Update to Royal Elementor Addons and Templates plugin version 1.7.1018 or greater.

Jeg Elementor Kit – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-2944
Number of Installations: 300,000+
Affected Software: Jeg Elementor Kit <= 2.6.12
Patched Versions: Jeg Elementor Kit 2.6.13

Mitigation steps: Update to Jeg Elementor Kit plugin version 2.6.13 or greater.

Firelight Lightbox – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3597
Number of Installations: 200,000+
Affected Software: Firelight Lightbox <= 2.3.14
Patched Versions: Firelight Lightbox 2.3.15

Mitigation steps: Update to Firelight Lightbox plugin version 2.3.15 or greater.

Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-47688
Number of Installations: 200,000+
Affected Software: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin <= 5.3.1
Patched Versions: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin 5.3.2

Mitigation steps: Update to Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin version 5.3.2 or greater.

Login Lockdown & Protection – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-3766
Number of Installations: 100,000+
Affected Software: Login Lockdown & Protection <= 2.11
Patched Versions: Login Lockdown & Protection 2.12

Mitigation steps: Update to Login Lockdown & Protection plugin version 2.12 or greater.

Relevanssi – A Better Search – SQL Injection

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-4396
Number of Installations: 100,000+
Affected Software: Relevanssi – A Better Search <= 4.24.4
Patched Versions: Relevanssi – A Better Search 4.24.5

Mitigation steps: Update to Relevanssi – A Better Search plugin version 4.24.5 or greater.

Relevanssi – A Better Search – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4054
Number of Installations: 100,000+
Affected Software: Relevanssi – A Better Search <= 4.24.3
Patched Versions: Relevanssi – A Better Search 4.24.4

Mitigation steps: Update to Relevanssi – A Better Search plugin version 4.24.4 or greater.

Download Monitor – Local File Inclusion

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-47439
Number of Installations: 90,000+
Affected Software: Download Monitor <= 5.0.22
Patched Versions: Download Monitor 5.0.23

Mitigation steps: Update to Download Monitor plugin version 5.0.23 or greater.

Jupiter X Core – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47475
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.8.11
Patched Versions: Jupiter X Core 4.8.12

Mitigation steps: Update to Jupiter X Core plugin version 4.8.12 or greater.

Contextual Related Posts – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47506
Number of Installations: 70,000+
Affected Software: Contextual Related Posts <= 4.0.2
Patched Versions: Contextual Related Posts 4.0.3

Mitigation steps: Update to Contextual Related Posts plugin version 4.0.3 or greater.

Bold Page Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47525
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.3.0
Patched Versions: Bold Page Builder 5.3.1

Mitigation steps: Update to Bold Page Builder plugin version 5.3.1 or greater.

Bold Page Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47488
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.3.2
Patched Versions: Bold Page Builder 5.3.3

Mitigation steps: Update to Bold Page Builder plugin version 5.3.3 or greater.

Ultimate Blocks – WordPress Blocks Plugin – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-47493
Number of Installations: 50,000+
Affected Software: Ultimate Blocks – WordPress Blocks Plugin <= 3.2.9
Patched Versions: Ultimate Blocks – WordPress Blocks Plugin 3.3.0

Mitigation steps: Update to Ultimate Blocks – WordPress Blocks Plugin version 3.3.0 or greater.

TI WooCommerce Wishlist – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-47577
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.

TI WooCommerce Wishlist – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-32920
Number of Installations: 100,000+
Affected Software: TI WooCommerce Wishlist (all versions)
Patched Versions: No Fix

Mitigation steps: No patch is currently available. Consider disabling the plugin until a fix is released.

Jetpack – WP Security, Backup, Speed, & Growth – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10076
Number of Installations: 4,000,000+
Affected Software: Jetpack – WP Security, Backup, Speed, & Growth <= 13.7
Patched Versions: Jetpack – WP Security, Backup, Speed, & Growth 13.8

Mitigation steps: Update to Jetpack – WP Security, Backup, Speed, & Growth plugin version 13.8 or greater.

Jetpack – WP Security, Backup, Speed, & Growth – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2024-10075
Number of Installations: 4,000,000+
Affected Software: Jetpack – WP Security, Backup, Speed, & Growth <= 13.7
Patched Versions: Jetpack – WP Security, Backup, Speed, & Growth 13.8

Mitigation steps: Update to Jetpack – WP Security, Backup, Speed, & Growth plugin version 13.8 or greater.

All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-2892
Number of Installations: 3,000,000+
Affected Software: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.8.1
Patched Versions: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic 4.8.2

Mitigation steps: Update to All in One SEO plugin version 4.8.2 or greater.

Ninja Forms – The Contact Form Builder That Grows With You – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-2524
Number of Installations: 700,000+
Affected Software: Ninja Forms – The Contact Form Builder That Grows With You <= 3.10.0
Patched Versions: Ninja Forms – The Contact Form Builder That Grows With You 3.10.1

Mitigation steps: Update to Ninja Forms plugin version 3.10.1 or greater.

The Events Calendar – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-48246
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.11.7
Patched Versions: The Events Calendar 6.12.0

Mitigation steps: Update to The Events Calendar plugin version 6.12.0 or greater.

The Events Calendar – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8493
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.6.3
Patched Versions: The Events Calendar 6.6.4

Mitigation steps: Update to The Events Calendar plugin version 6.6.4 or greater.

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-5878
Number of Installations: 400,000+
Affected Software: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.4
Patched Versions: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery 3.59.5

Mitigation steps: Update to NextGEN Gallery plugin version 3.59.5 or greater.

Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8618
Number of Installations: 300,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.9
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 1.9.0

Mitigation steps: Update to Pagelayer plugin version 1.9.0 or greater.

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-48247
Number of Installations: 300,000+
Affected Software: PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin <= 3.6.15
Patched Versions: PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin 3.6.16

Mitigation steps: Update to PrettyLinks plugin version 3.6.16 or greater.

Photo Gallery by 10Web – Mobile-Friendly Image Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8670
Number of Installations: 200,000+
Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.28
Patched Versions: Photo Gallery by 10Web – Mobile-Friendly Image Gallery 1.8.29

Mitigation steps: Update to Photo Gallery by 10Web plugin version 1.8.29 or greater.

Download Manager – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8284
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.98
Patched Versions: Download Manager 3.2.99

Mitigation steps: Update to Download Manager plugin version 3.2.99 or greater.

Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8542
Number of Installations: 100,000+
Affected Software: Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.0.3
Patched Versions: Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress 3.0.3.1

Mitigation steps: Update to Everest Forms plugin version 3.0.3.1 or greater.

Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-2643
Number of Installations: 100,000+
Affected Software: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) <= 2.6.7
Patched Versions: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) 2.6.8

Mitigation steps: Update to My Sticky Bar plugin version 2.6.8 or greater.

Responsive Lightbox & Gallery – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3742
Number of Installations: 100,000+
Affected Software: Responsive Lightbox & Gallery <= 2.5.0
Patched Versions: Responsive Lightbox & Gallery 2.5.1

Mitigation steps: Update to Responsive Lightbox & Gallery plugin version 2.5.1 or greater.

Simple Lightbox – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3516
Number of Installations: 100,000+
Affected Software: Simple Lightbox <= 2.9.3
Patched Versions: Simple Lightbox 2.9.4

Mitigation steps: Update to Simple Lightbox plugin version 2.9.4 or greater.

Tracking Code Manager – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6335
Number of Installations: 100,000+
Affected Software: Tracking Code Manager <= 2.2.9
Patched Versions: Tracking Code Manager 2.3.0

Mitigation steps: Update to Tracking Code Manager plugin version 2.3.0 or greater.

Social Media Share Buttons & Social Sharing Icons – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-10362
Number of Installations: 100,000+
Affected Software: Social Media Share Buttons & Social Sharing Icons <= 2.9.0
Patched Versions: Social Media Share Buttons & Social Sharing Icons 2.9.1

Mitigation steps: Update to Social Media Share Buttons & Social Sharing Icons plugin version 2.9.1 or greater.

Hustle – Email Marketing, Lead Generation, Optins, Popups – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8492
Number of Installations: 100,000+
Affected Software: Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.4
Patched Versions: Hustle – Email Marketing, Lead Generation, Optins, Popups 7.8.5

Mitigation steps: Update to Hustle plugin version 7.8.5 or greater.

Jupiter X Core – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-3888
Number of Installations: 90,000+
Affected Software: Jupiter X Core <= 4.9.0
Patched Versions: Jupiter X Core 4.9.1

Mitigation steps: Update to Jupiter X Core plugin version 4.9.1 or greater.

LearnPress – WordPress LMS Plugin – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13128
Number of Installations: 90,000+
Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.7.5
Patched Versions: LearnPress – WordPress LMS Plugin 4.2.7.5.1

Mitigation steps: Update to LearnPress plugin version 4.2.7.5.1 or greater.

Nested Pages – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8759
Number of Installations: 90,000+
Affected Software: Nested Pages <= 3.2.8
Patched Versions: Nested Pages 3.2.9

Mitigation steps: Update to Nested Pages plugin version 3.2.9 or greater.

Ajax Search Lite – Live Search & Filter – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-8619
Number of Installations: 80,000+
Affected Software: Ajax Search Lite – Live Search & Filter <= 4.12.2
Patched Versions: Ajax Search Lite – Live Search & Filter 4.12.3

Mitigation steps: Update to Ajax Search Lite – Live Search & Filter plugin version 4.12.3 or greater.

ImageMagick Engine – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2024-6486
Number of Installations: 70,000+
Affected Software: ImageMagick Engine <= 1.7.10
Patched Versions: ImageMagick Engine 1.7.11

Mitigation steps: Update to ImageMagick Engine plugin version 1.7.11 or greater.

Exclusive Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-48244
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.7.9
Patched Versions: Exclusive Addons for Elementor 2.7.9.1

Mitigation steps: Update to Exclusive Addons for Elementor plugin version 2.7.9.1 or greater.

Qi Blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1625
Number of Installations: 60,000+
Affected Software: Qi Blocks <= 1.3.9
Patched Versions: Qi Blocks 1.4

Mitigation steps: Update to Qi Blocks plugin version 1.4 or greater.

WP-Members Membership Plugin – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4610
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.5.2
Patched Versions: WP-Members Membership Plugin 3.5.3

Mitigation steps: Update to WP-Members Membership Plugin version 3.5.3 or greater.

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-9599
Number of Installations: 50,000+
Affected Software: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups <= 4.7.7
Patched Versions: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups 4.7.8

Mitigation steps: Update to Popup Box plugin version 4.7.8 or greater.

WP Booking Calendar – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4669
Number of Installations: 50,000+
Affected Software: WP Booking Calendar <= 10.11.1
Patched Versions: WP Booking Calendar 10.11.2

Mitigation steps: Update to WP Booking Calendar plugin version 10.11.2 or greater.

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-6708
Number of Installations: 50,000+
Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.12.1
Patched Versions: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor 3.12.2

Mitigation steps: Update to User Profile Builder plugin version 3.12.2 or greater.

Ultimate Blocks – WordPress Blocks Plugin – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-48234
Number of Installations: 50,000+
Affected Software: Ultimate Blocks – WordPress Blocks Plugin <= 3.3.0
Patched Versions: Ultimate Blocks – WordPress Blocks Plugin 3.3.1

Mitigation steps: Update to Ultimate Blocks – WordPress Blocks Plugin version 3.3.1 or greater.

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-4520
Number of Installations: 50,000+
Affected Software: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.4.9
Patched Versions: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin 6.5.0

Mitigation steps: Update to Uncanny Automator plugin version 6.5.0 or greater.

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin – PHP Object Injection

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-3623
Number of Installations: 50,000+
Affected Software: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.4.0.1
Patched Versions: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin 6.4.0.2

Mitigation steps: Update to Uncanny Automator plugin version 6.4.0.2 or greater.

Visual Composer Website Builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-48276
Number of Installations: 50,000+
Affected Software: Visual Composer Website Builder <= 45.11.0
Patched Versions: Visual Composer Website Builder 45.12.0

Mitigation steps: Update to Visual Composer Website Builder plugin version 45.12.0 or greater.

WooCommerce – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5062
Number of Installations: 8,000,000+
Affected Software: WooCommerce <= 9.3.3
Patched Versions: WooCommerce 9.3.4

Mitigation steps: Update to WooCommerce plugin version 9.3.4 or greater.

TablePress – Tables in WordPress made easy – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5096
Number of Installations: 700,000+
Affected Software: TablePress – Tables in WordPress made easy <= 3.1.2
Patched Versions: TablePress – Tables in WordPress made easy 3.1.3

Mitigation steps: Update to TablePress plugin version 3.1.3 or greater.

Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4223
Number of Installations: 300,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 2.0.1

Mitigation steps: Update to Pagelayer plugin version 2.0.1 or greater.

Page Builder: Pagelayer – Drag and Drop website builder – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-13427
Number of Installations: 300,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 2.0.1

Mitigation steps: Update to Pagelayer plugin version 2.0.1 or greater.

Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4682
Number of Installations: 100,000+
Affected Software: Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates <= 5.4.0
Patched Versions: Essential Blocks – AI-Powered Page Builder Gutenberg Blocks, Patterns & Templates 5.4.1

Mitigation steps: Update to Essential Blocks plugin version 5.4.1 or greater.

Solid Mail – SMTP email and logging made by SolidWP – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-1123
Number of Installations: 70,000+
Affected Software: Solid Mail – SMTP email and logging made by SolidWP <= 2.1.5
Patched Versions: Solid Mail – SMTP email and logging made by SolidWP 2.1.6

Mitigation steps: Update to Solid Mail plugin version 2.1.6 or greater.

Exclusive Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4783
Number of Installations: 60,000+
Affected Software: Exclusive Addons for Elementor <= 2.7.9.1
Patched Versions: Exclusive Addons for Elementor 2.7.9.2

Mitigation steps: Update to Exclusive Addons for Elementor plugin version 2.7.9.2 or greater.

Blog2Social: Social Media Auto Post & Scheduler – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4133
Number of Installations: 50,000+
Affected Software: Blog2Social: Social Media Auto Post & Scheduler <= 8.3.1
Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 8.4.0

Mitigation steps: Update to Blog2Social plugin version 8.4.0 or greater.

Slim SEO – Fast & Automated WordPress SEO Plugin – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4611
Number of Installations: 50,000+
Affected Software: Slim SEO – Fast & Automated WordPress SEO Plugin <= 4.5.3
Patched Versions: Slim SEO – Fast & Automated WordPress SEO Plugin 4.5.4

Mitigation steps: Update to Slim SEO plugin version 4.5.4 or greater.

Themes

NewsBlogger – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-1304
Number of Downloads: 100,624
Affected Software: NewsBlogger <= 0.2.5.1
Patched Versions: NewsBlogger 0.2.5.2

Mitigation steps: Update to NewsBlogger theme version 0.2.5.2 or greater.

Blocksy – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-47465
Number of Downloads: 4,484,472
Affected Software: Blocksy <= 2.0.97
Patched Versions: Blocksy 2.0.98

Mitigation steps: Update to Blocksy theme version 2.0.98 or greater.

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.

We are a group of website security professionals who are passionate about discovering emerging web-based malware and software vulnerabilities. Not only do we create tools and detection rules for our customers, we also bring awareness to the website security community. Our mission is to help make the internet a safer place.

Related Tags
Related Categories
You May Also Like