Wordfence Intelligence Weekly WordPress Vulnerability Report (October 20, 2025 to October 26, 2025)
Author: Chloe Chamberland
CVE References:
CVE-2025-12136
CVE-2025-9322
CVE-2025-4203
CVE-2025-11825
CVE-2025-49906
CVE-2025-64229
CVE-2025-12014
CVE-2025-64368
CVE-2025-11880
CVE-2025-49912
CVE-2025-10737
CVE-2025-11830
CVE-2025-64198
CVE-2025-64201
CVE-2025-11992
CVE-2025-10488
CVE-2025-10580
CVE-2025-8413
CVE-2025-62983
CVE-2025-11128
CVE-2025-12028
CVE-2025-49907
CVE-2025-11879
CVE-2025-11878
CVE-2025-11804
CVE-2025-64366
CVE-2025-11307
CVE-2025-10588
CVE-2025-11086
CVE-2025-12096
CVE-2025-5803
CVE-2025-62978
CVE-2025-11824
CVE-2025-6440
CVE-2025-48086
CVE-2025-11576
CVE-2025-10705
CVE-2025-49908
CVE-2025-62979
CVE-2025-11813
CVE-2025-11238
CVE-2025-6639
CVE-2025-62985
CVE-2025-10579
CVE-2025-11811
CVE-2025-12005
CVE-2025-12072
CVE-2025-11889
CVE-2025-7730
CVE-2025-10748
CVE-2025-11827
CVE-2025-11269
CVE-2025-11887
CVE-2025-11255
CVE-2025-62074
CVE-2025-64226
CVE-2025-10723
CVE-2025-11257
CVE-2025-10901
CVE-2025-11809
CVE-2025-11819
CVE-2025-6680
CVE-2025-11497
CVE-2025-49372
CVE-2025-10047
CVE-2025-11818
CVE-2025-8427
CVE-2025-12016
CVE-2025-11870
CVE-2025-10570
CVE-2025-11172
CVE-2025-11823
CVE-2025-11807
CVE-2025-11564
CVE-2025-11834
CVE-2025-6325
CVE-2025-11536
CVE-2025-8666
CVE-2025-11867
CVE-2025-8588
CVE-2025-6833
CVE-2025-11875
CVE-2025-11888
CVE-2025-10138
CVE-2025-62981
CVE-2025-12033
CVE-2025-12034
CVE-2025-11976
CVE-2025-11244
CVE-2025-62982
CVE-2025-64354
CVE-2025-10638
CVE-2025-11817
CVE-2025-12095
CVE-2025-11893
CVE-2025-8416
CVE-2025-62986
CVE-2025-10902
CVE-2025-11760
CVE-2025-62984
CVE-2025-11855
CVE-2025-11560
CVE-2025-10694
CVE-2025-11866
CVE-2025-10749
CVE-2025-49899
CVE-2025-62980
CVE-2025-12134
CVE-2025-10740
CVE-2025-8483
CVE-2025-11897
CVE-2025-11810
CVE-2025-11504
CVE-2025-11883
CVE-2025-11872
CVE-2025-10861
CVE-2025-10651
CVE-2025-10686
CVE-2025-10701
CVE-2025-11237
CVE-2025-62988
CVE-2025-6327
CVE-2025-62987
CVE-2025-10637
CVE-2025-12017
Summary
Wordfence publishes a weekly report on new WordPress vulnerabilities. In the last week, 125 vulnerabilities were discovered in 116 plugins and 4 themes. Particularly critical are the high-rated vulnerabilities, some of which are still unpatched. Also concerning are the many vulnerabilities that give attackers access to sensitive data or even allow execution of malicious code. Users should urgently install updates and regularly check their WordPress installations for security.
Calling all Vulnerability Researchers and Bug Bounty Hunters!
Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!
The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.
Last week, there were 125 vulnerabilities disclosed in 116 WordPress Plugins and 4 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 55 Vulnerability Researchers who contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 29,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
WAF-RULE-869 – Data redacted while we work with the vendor on a patch.
WAF-RULE-870 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities
Patched | 81
Unpatched | 44
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities
Low Severity | 2
Medium Severity | 103
High Severity | 16
Critical Severity | 4
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 51
Missing Authorization | 21
Cross-Site Request Forgery (CSRF) | 9
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 8
Server-Side Request Forgery (SSRF) | 6
Improper Authorization | 5
Exposure of Sensitive Information to an Unauthorized Actor | 3
Unrestricted Upload of File with Dangerous Type | 3
Authorization Bypass Through User-Controlled Key | 2
Improper Control of Generation of Code ('Code Injection') | 2
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2
Improper Privilege Management | 2
Deserialization of Untrusted Data | 1
Improper Access Control | 1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1
Improper Input Validation | 1
Improper Neutralization of Formula Elements in a CSV File | 1
Incorrect Authorization | 1
Incorrect Privilege Assignment | 1
Insertion of Sensitive Information into Log File | 1
URL Redirection to Untrusted Site ('Open Redirect') | 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities
Jonas Benjamin Friedli | 15
Muhammad Yudha - DJ | 12
Peter Thaleikis | 7
zakaria | 7
Gilang - DJ | 6
Rafshanzani Suhada | 5
Nabil Irawan | 5
Legion Hunter | 5
Dmitrii Ignatyev | 4
Khaled Alenazi (Nxploited) | 4
Lucas Montes (Nirox) | 3
mikemyers | 3
daroo | 2
sergioframi | 2
Cody Sixteen | 2
zer0gh0st | 2
Bonds | 2
Nguyen Ngoc Quang Bach (maysbachs) | 2
Kim YunJi | 1
dayea song | 1
LVT-tholv2k | 1
Thái An | 1
Naoya Takahashi (nakko) | 1
Craig Webb | 1
zaim | 1
Arkadiusz Hydzik | 1
Gregory Allegoet | 1
ifoundbug | 1
theviper17y | 1
John Lee | 1
Bao - BlueRock | 1
kr0d | 1
Drew Webber (mcdruid) | 1
tmrswrr | 1
Najib Sinjari | 1
Tran Nguyen Bao Khanh | 1
SpiderSec | 1
João Pedro S Alcântara (Kinorth) | 1
Jin Yub | 1
Abu Hurayra (HurayraIIT) | 1
Trương Hữu Phúc (truonghuuphuc) | 1
LionTree | 1
Kishan Vyas | 1
3r1c (e) | 1
Sulabh Jain (pentestmonkey11) | 1
sunghoon kim | 1
Powpy | 1
Valentinos Chouris | 1
Tonn | 1
YC_Infosec | 1
Jay | 1
Nguyen Xuan Chien | 1
dutafi | 1
Mohamad Fattyr | 1
Miguel Santareno | 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name [Software Slug]
Academy LMS Pro [academy-pro]
ACF to REST API [acf-to-rest-api]
Advanced Database Cleaner [advanced-database-cleaner]
AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant [chatbot-ai-free-models]
AIO Forms – Craft Complex Forms Easily [all-in-one-forms]
Ajax Search Lite – Live Search & Filter [ajax-search-lite]
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier [aio-time-clock-lite]
BackWPup – WordPress Backup & Restore Plugin [backwpup]
Beaver Builder Plugin (Starter Version) [bb-plugin]
Bg Book Publisher [bg-book-publisher]
Bold Page Builder [bold-page-builder]
Builderall for WordPress [builderall-cheetah-for-wp]
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More [charitable]
Check Plagiarism [check-plagiarism]
Cinza Grid [cinza-grid]
Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress [sprout-invoices]
Creta Testimonial Showcase [creta-testimonial-showcase]
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings [directorist]
Disable Content Editor For Specific Template [disable-contect-editor-for-specific-template]
Discussion Board – WordPress Forum Plugin [wp-discussion-board]
Dynamic User Directory [dynamic-user-directory]
Easy Social Share Buttons for WordPress [easy-social-share-buttons3]
Element Pack Addons for Elementor [bdthemes-element-pack-lite]
Email Subscription Popup [email-subscribe]
Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails [email-tracker]
eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams [eroom-zoom-meetings-webinar]
FanBridge signup [fanbridge-signup]
Fast Velocity Minify [fast-velocity-minify]
Flexible Refund and Return Order for WooCommerce [flexible-refund-and-return-order-for-woocommerce]
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) [fusewp]
GenerateBlocks [generateblocks]
Gutenberg [gutenberg]
Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks [advanced-gutenberg]
HAPPY – Helpdesk Support Ticket System [happy-helpdesk-support-ticket-system]
IndieAuth [indieauth]
JB News Ticker [jb-news-ticker]
King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor [king-addons]
KiotViet Sync [kiotvietsync]
LLM Hubspot Blog Import [llm-hubspot-blog-import]
Make Email Customizer for WooCommerce [make-email-customizer-for-woocommerce]
MasterStudy LMS WordPress Plugin – for Online Courses and Education [masterstudy-lms-learning-management-system]
Material Design Iconic Font Integration [material-design-iconic-font-integration]
MDTF – Meta Data and Taxonomies Filter [wp-meta-data-filter-and-taxonomy-filter]
Microsoft Azure Storage for WordPress [windows-azure-storage]
Mixlr Shortcode [mixlr-shortcode]
Multi Item Responsive Slider [mislider]
MxChat – AI Chatbot for WordPress [mxchat-basic]
Name: Print Button Shortcode [print-button-shortcode]
NGINX Cache Optimizer [nginx-cache-optimizer]
NS Maintenance Mode for WP [ns-maintenance-mode-for-wp]
Oboxmedia Ads [oboxmedia-ads]
Originality.ai AI Checker [originality-ai]
Password Policy Manager | Password Manager [password-policy-manager]
Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content [password-protected]
Persian Admnin Fonts [persian-admin-fonts]
Photographers galleries [photographers-galleries]
PixelYourSite – Your smart PIXEL (TAG) & API Manager [pixelyoursite]
Playerzbr [playerzbr]
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers [popup-builder-block]
Posts By Tag [posts-by-tag]
PowerPress Podcasting plugin by Blubrry [powerpress]
Premium Age Verification / Restriction for WordPress [age-restriction]
Product Filter by WBW [woo-product-filter]
qnotsquiz [qnotsquiz]
Quickcreator – AI Blog Writer [quickcreator]
RapidResult [rapidresult]
Real Cookie Banner: GDPR & ePrivacy Cookie Consent [real-cookie-banner]
Responsive iframe GoogleMap [responsive-iframe-googlemap]
Responsive Progress Bar [responsive-progress-bar]
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator [feedzy-rss-feeds]
ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution [shopengine]
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) [woolentor-addons]
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website [simple-banner]
Simple Business Data [simple-business-data]
Simple Excel Pricelist for WooCommerce [simple-excel-pricelist-for-woocommerce]
Simple Pull Quote [simple-pull-quote]
Simple Registration for WooCommerce [woocommerce-simple-registration]
Simple Tableau Viz [simple-tableau-viz]
Simple Youtube Shortcode [simple-youtube-shortcode]
Slider Templates [slider-templates]
SM CountDown Widget [smcountdown]
Social Feed Gallery [insta-gallery]
SpendeOnline.org [spendeonline]
ST Categories Widget [st-category-wp]
Stockie Extra [stockie-extra]
Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions [wp-full-stripe-free]
Supervisor [supervisor]
Team Members Showcase [wps-team]
Testimonial Carousel For Elementor [testimonials-carousel-elementor]
This-or-That [this-or-that]
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin [time-clock]
Tutor LMS Pro [tutor-pro]
Tutor LMS – eLearning and online course solution [tutor]
URL Shortener Plugin For WordPress [exact-links]
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds [userfeedback-lite]
VikBooking Hotel Booking Engine & PMS [vikbooking]
VNPAY Payment gateway [vnpay-for-woocommerce]
Watu Quiz [watu]
Welcart e-Commerce [usc-e-shop]
WhyDonate – FREE Donate button – Crowdfunding – Fundraising [wp-whydonate]
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options]
WooCommerce Designer Pro [wc-designer-pro]
WP AD Gallery [wp-ad-gallery]
WP AdCenter – Ad Manager & Adsense Ads [wpadcenter]
WP Go Maps (formerly WP Google Maps) [wp-google-maps]
WP Gravity Forms Zoho CRM and Bigin [gf-zoho]
WP Responsive Meet The Team [wp-responsive-meet-the-team]
WP Restaurant Listings [wp-restaurant-listings]
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress [wpvr]
WP-Force Images Download [wp-force-images-download]
WP-Thumbnail [wp-thumbnail]
WPC Countdown Timer for WooCommerce [wpc-countdown-timer]
WPComplete [wpcomplete]
wpForo Forum [wpforo]
WPMobile.App [wpappninja]
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns [zoloblocks]
WordPress Themes with Reported Vulnerabilities Last Week
Software Name [Software Slug]
Bard - A Theatre and Performing Arts WordPress Theme [bardwp]
Listeo - Directory & Listings With Booking - WordPress Theme [listeo]
Open Source Genesis Framework [genesis]
The7 — Website and eCommerce Builder for WordPress [dt-the7]
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
HAPPY <= 1.0.7 - Unauthenticated Remote Code Execution
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-49372
Patch Status: Patched
Published: Oct 25, 2025
Affected Software: HAPPY – Helpdesk Support Ticket System
Researcher: Drew Webber (mcdruid)
King Addons for Elementor <= 51.1.36 - Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-6327
Patch Status: Patched
Published: Oct 21, 2025
Affected Software: King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Researcher: Najib Sinjari
King Addons for Elementor <= 51.1.36 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-6325
Patch Status: Patched
Published: Oct 21, 2025
Affected Software: King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Researcher: Abu Hurayra (HurayraIIT)
WooCommerce Designer Pro <= 1.9.26 - Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-6440
Patch Status: Unpatched
Published: Oct 23, 2025
Affected Software: WooCommerce Designer Pro
Researcher: Tonn
Age Restriction <= 3.0.2 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-11855
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Premium Age Verification / Restriction for WordPress
Researcher: Khaled Alenazi (Nxploited)
IndieAuth <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-12028
Patch Status: Patched
Published: Oct 23, 2025
Affected Software: IndieAuth
Researcher: Jonas Benjamin Friedli
Make Email Customizer for WooCommerce <= 1.0.6 - Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-11237
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Make Email Customizer for WooCommerce
Researcher: Khaled Alenazi (Nxploited)
Simple Registration for WooCommerce <= 1.5.8 - Cross-Site Request Forgery to Privilege Escalation via Role Request Approval
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-12095
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Simple Registration for WooCommerce
Researcher: Jonas Benjamin Friedli
Academy LMS Pro <= 3.3.7 - Unauthenticated Privilege Escalation via Social Login Addon
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-11086
Patch Status: Patched
Published: Oct 21, 2025
Affected Software: Academy LMS Pro
Researcher: Thái An
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.4.8 - Authenticated (Subscriber+) Arbitrary File Move
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-10488
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Researcher: Arkadiusz Hydzik
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.4 - Unauthenticated Server-Side Request Forgery
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-10861
Patch Status: Patched
Published: Oct 23, 2025
Affected Software: Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
Researcher: Rafshanzani Suhada
Product Filter by WBW <= 2.9.7 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-8416
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Product Filter by WBW
Researcher: mikemyers
Quickcreator – AI Blog Writer 0.0.9 - 0.1.17 - Unauthenticated API Key Exposure
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-11504
Patch Status: Patched
Published: Oct 23, 2025
Affected Software: Quickcreator – AI Blog Writer
Researcher: kr0d
Stripe Payment Forms <= 8.3.1 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-9322
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions
Researcher: mikemyers
wpForo Forum <= 2.4.8 - Unauthenticated SQL Injection via get_members Function
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-4203
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: wpForo Forum
Researcher: mikemyers
AIO Forms <= 1.3.15 - Authenticated (Admin+) Arbitrary File Upload via Zip Import
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-11889
Patch Status: Unpatched
Published: Oct 23, 2025
Affected Software: AIO Forms – Craft Complex Forms Easily
Researcher: tmrswrr
Easy Social Share Buttons < 10.7.1 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-64198
Patch Status: Patched
Published: Oct 26, 2025
Affected Software: Easy Social Share Buttons for WordPress
Researcher: João Pedro S Alcântara (Kinorth)
Google Maps <= 9.0.47 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-11307
Patch Status: Patched
Published: Oct 21, 2025
Affected Software: WP Go Maps (formerly WP Google Maps)
Researcher: sunghoon kim
Watu Quiz <= 3.4.4 - Unauthenticated Stored Cross-Site Scripting via HTTP Referer
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-11238
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Watu Quiz
Researcher: Naoya Takahashi (nakko)
WPMobile.App <= 11.71 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-62074
Patch Status: Patched
Published: Oct 26, 2025
Affected Software: WPMobile.App
Researcher: LVT-tholv2k
Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4 - Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint
CVSS Rating: Medium (6.8)
CVE-ID: CVE-2025-12136
Patch Status: Patched
Published: Oct 23, 2025
Affected Software: Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Researcher: SpiderSec
Ajax Search Lite <= 4.13.3 - Authenticated (Administrator+) PHP Object Injection
CVSS Rating: Medium (6.6)
CVE-ID: CVE-2025-48086
Patch Status: Patched
Published: Oct 21, 2025
Affected Software: Ajax Search Lite – Live Search & Filter
Researcher: Valentinos Chouris
Creta Testimonial Showcase <= 1.2.3 - Authenticated (Editor+) Local File Inclusion
CVSS Rating: Medium (6.6)
CVE-ID: CVE-2025-10686
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Creta Testimonial Showcase
Researcher: Khaled Alenazi (Nxploited)
PixelYourSite – Your smart PIXEL (TAG) Manager < 11.1.2 - Authenticated (Administrator+) Local File Inclusion
CVSS Rating: Medium (6.6)
CVE-ID: CVE-2025-10723
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: PixelYourSite – Your smart PIXEL (TAG) & API Manager
Researcher: Dmitrii Ignatyev
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.8.4 - Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-11893
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Researcher: Rafshanzani Suhada
GenerateBlocks <= 2.1.1 - Improper Authorization to Authenticated (Contributor+) Arbitrary Options Disclosure
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-11879
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: GenerateBlocks
Researcher: Lucas Montes (Nirox)
MasterStudy LMS <= 3.6.27 - Authenticated (Instructor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-64366
Patch Status: Patched
Published: Oct 23, 2025
Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Researcher: YC_Infosec
RapidResult <= 1.2 - Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-10748
Patch Status: Patched
Published: Oct 23, 2025
Affected Software: RapidResult
Researcher: John Lee
Beaver Builder Plugin (Starter Version) <= 2.9.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'auto_play'
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-8427
Patch Status: Patched
Published: Oct 22, 2025
Affected Software: Beaver Builder Plugin (Starter Version)
Researcher: Sulabh Jain (pentestmonkey11)
Bg Book Publisher <= 1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11867
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Bg Book Publisher
Researcher: Muhammad Yudha - DJ
Bold Page Builder <= 5.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-7730
Patch Status: Patched
Published: Oct 23, 2025
Affected Software: Bold Page Builder
Researcher: Peter Thaleikis
Builderall Builder for WordPress <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-62987
Patch Status: Unpatched
Published: Oct 23, 2025
Affected Software: Builderall for WordPress
Researcher: Muhammad Yudha - DJ
Cinza Grid <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Skin Content Field
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11824
Patch Status: Patched
Published: Oct 21, 2025
Affected Software: Cinza Grid
Researcher: Nabil Irawan
Dynamic User Directory <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-62982
Patch Status: Patched
Published: Oct 21, 2025
Affected Software: Dynamic User Directory
Researcher: Jin Yub
Gutenberg <= 21.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-64354
Patch Status: Patched
Published: Oct 25, 2025
Affected Software: Gutenberg
Researcher: Peter Thaleikis
Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks <= 3.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-8588
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks
Researcher: zer0gh0st
JB News Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11804
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: JB News Ticker
Researcher: Gilang - DJ
Listeo <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-8413
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Listeo - Directory & Listings With Booking - WordPress Theme
Researcher: Craig Webb
Material Design Iconic Font Integration <= 2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11872
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Material Design Iconic Font Integration
Researcher: Gilang - DJ
Mixlr Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11807
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Mixlr Shortcode
Researcher: zakaria
Oboxmedia Ads <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11827
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Oboxmedia Ads
Researcher: zaim
Open Source Genesis Framework <= 3.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-10737
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: Open Source Genesis Framework
Researcher: Muhammad Yudha - DJ
Photographers galleries <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11866
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Photographers galleries
Researcher: Muhammad Yudha - DJ
Playerzbr <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via URL Meta Field
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11825
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Playerzbr
Researcher: Nabil Irawan
Posts By Tag <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-62983
Patch Status: Unpatched
Published: Oct 22, 2025
Affected Software: Posts By Tag
Researcher: Muhammad Yudha - DJ
Print Button Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11810
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Name: Print Button Shortcode
Researcher: zakaria
Responsive iframe GoogleMap <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11813
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Responsive iframe GoogleMap
Researcher: zakaria
Responsive Progress Bar <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11883
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Responsive Progress Bar
Researcher: zakaria
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11823
Patch Status: Patched
Published: Oct 24, 2025
Affected Software: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Researcher: theviper17y
Simple Business Data <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11870
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Simple Business Data
Researcher: Gilang - DJ
Simple Excel Pricelist for WooCommerce <= 1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-12096
Patch Status: Unpatched
Published: Oct 23, 2025
Affected Software: Simple Excel Pricelist for WooCommerce
Researcher: Peter Thaleikis
Simple Pull Quote <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-62985
Patch Status: Unpatched
Published: Oct 23, 2025
Affected Software: Simple Pull Quote
Researcher: Muhammad Yudha - DJ
Simple Tableau Viz <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11817
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Simple Tableau Viz
Researcher: zakaria
Simple Youtube Shortcode <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11811
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: Simple Youtube Shortcode
Researcher: zakaria
Slider Templates <= 1.0.3 - Authenticated (Subscriber+) Server-Side Request Forgery
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-62988
Patch Status: Unpatched
Published: Oct 24, 2025
Affected Software: Slider Templates
Researcher: Nabil Irawan
SM CountDown Widget <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-11880
Patch Status: Unpatched
Published: Oct 21, 2025
Affected Software: SM CountDown Widget
Researcher: Gilang - DJ
SpendeOnline.org <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11875; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: SpendeOnline.org; Researcher: Gilang - DJ
ST Categories Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11878; Patch Status: Unpatched; Published: Oct 21, 2025
Affected Software: ST Categories Widget; Researcher: Gilang - DJ
Testimonial Carousel For Elementor <= 11.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-8666; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Testimonial Carousel For Elementor; Researcher: zer0gh0st
The7 — Ultimate WordPress & WooCommerce Theme <= 12.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'the7_fancy_title_css'
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11897; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: The7 — Website and eCommerce Builder for WordPress; Researcher: Muhammad Yudha - DJ
This-or-That by André Boekhorst <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-10138; Patch Status: Unpatched; Published: Oct 21, 2025
Affected Software: This-or-That; Researcher: Muhammad Yudha - DJ
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin <= 1.3.1 - Authenticated (Custom+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-10701; Patch Status: Patched; Published: Oct 23, 2025
Affected Software: Time Clock – A WordPress Employee & Volunteer Time Clock Plugin; Researcher: Jonas Benjamin Friedli
Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-10580; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets; Researcher: Nguyen Ngoc Quang Bach (maysbachs)
WP AD Gallery <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11834; Patch Status: Unpatched; Published: Oct 21, 2025
Affected Software: WP AD Gallery; Researcher: Muhammad Yudha - DJ
WP AdCenter <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-62984; Patch Status: Unpatched; Published: Oct 22, 2025
Affected Software: WP AdCenter – Ad Manager & Adsense Ads; Researcher: Peter Thaleikis
WP Responsive Meet The Team <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11818; Patch Status: Unpatched; Published: Oct 21, 2025
Affected Software: WP Responsive Meet The Team; Researcher: Peter Thaleikis
WP Restaurant Listings <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11830; Patch Status: Unpatched; Published: Oct 21, 2025
Affected Software: WP Restaurant Listings; Researcher: Peter Thaleikis
WP-Force Images Download <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11809; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: WP-Force Images Download; Researcher: Peter Thaleikis
WP-Thumbnail <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11819; Patch Status: Unpatched; Published: Oct 21, 2025
Affected Software: WP-Thumbnail; Researcher: zakaria
WPC Countdown Timer for WooCommerce <= 3.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-49908; Patch Status: Patched; Published: Oct 20, 2025
Affected Software: WPC Countdown Timer for WooCommerce; Researcher: Muhammad Yudha - DJ
Discussion Board – WordPress Forum Plugin <= 2.5.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
CVSS Rating: Medium (6.3); CVE-ID: CVE-2025-8483; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Discussion Board – WordPress Forum Plugin; Researcher: Kishan Vyas
URL Shortener Plugin For WordPress <= 3.0.7 - Missing Authorization to Authenticated (Subscriber+) Link Manipulation
CVSS Rating: Medium (6.3); CVE-ID: CVE-2025-10740; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: URL Shortener Plugin For WordPress; Researcher: ifoundbug
Multi Item Responsive Slider <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1); CVE-ID: CVE-2025-11992; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: Multi Item Responsive Slider; Researcher: Muhammad Yudha - DJ
Team Members Showcase <= 3.4.0 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1); CVE-ID: CVE-2025-11560; Patch Status: Patched; Published: Oct 22, 2025
Affected Software: Team Members Showcase; Researcher: Gregory Allegoet
VNPAY for Woocommerce <= 1.0.0 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1); CVE-ID: CVE-2025-12017; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: VNPAY Payment gateway; Researcher: Muhammad Yudha - DJ
Welcart e-Commerce <= 2.11.22 - Authenticated (Editor+) Stored Cross-Site Scripting via order_mail
CVSS Rating: Medium (5.5); CVE-ID: CVE-2025-10651; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: Welcart e-Commerce; Researcher: Miguel Santareno
Microsoft Azure Storage for WordPress <= 4.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Media Deletion
CVSS Rating: Medium (5.4); CVE-ID: CVE-2025-10749; Patch Status: Patched; Published: Oct 23, 2025
Affected Software: Microsoft Azure Storage for WordPress; Researcher: Jonas Benjamin Friedli
Tutor LMS Pro – eLearning and online course solution <= 3.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to View/Edit Other Assignments
CVSS Rating: Medium (5.4); CVE-ID: CVE-2025-6639; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Tutor LMS Pro; Researcher: sergioframi
ACF to REST API <= 3.3.4 - Unauthenticated Information Exposure
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-62979; Patch Status: Unpatched; Published: Oct 20, 2025
Affected Software: ACF to REST API; Researcher: Mohamad Fattyr
BackWPup 5 - 5.5.0 - Missing Authorization to Sensitive Information Exposure
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-10579; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: BackWPup – WordPress Backup & Restore Plugin; Researcher: Dmitrii Ignatyev
eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams <= 1.5.6 - Unauthenticated Sensitive Information Exposure
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-11760; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams; Researcher: Rafshanzani Suhada
MxChat – AI Chatbot for WordPress <= 2.4.6 - Unauthenticated Blind Server-Side Request Forgery
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-10705; Patch Status: Patched; Published: Oct 22, 2025
Affected Software: MxChat – AI Chatbot for WordPress; Researcher: Jonas Benjamin Friedli
NS Maintenance Mode for WP <= 1.3.1 - Unauthenticated Information Exposure
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-10638; Patch Status: Unpatched; Published: Oct 22, 2025
Affected Software: NS Maintenance Mode for WP; Researcher: Khaled Alenazi (Nxploited)
Product Filter by WBW <= 3.0.0 - Missing Authorization to Unauthenticated Settings Update
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-11269; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Product Filter by WBW; Researcher: Lucas Montes (Nirox)
Social Feed Gallery <= 4.9.2 - Missing Authorization to Unauthenticated Information Exposure
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-10637; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Social Feed Gallery; Researcher: 3r1c (e)
Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-11564; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Tutor LMS – eLearning and online course solution; Researcher: Rafshanzani Suhada
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.8.0 - Missing Authorization to Information Disclosure
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-10694; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds; Researcher: Nguyen Ngoc Quang Bach (maysbachs)
VikBooking Hotel Booking Engine & PMS <= 1.8.2 - Missing Authorization
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-5803; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: VikBooking Hotel Booking Engine & PMS; Researcher: daroo
Whydonate <= 4.0.15 - Missing Authorization
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-49899; Patch Status: Patched; Published: Oct 20, 2025
Affected Software: WhyDonate – FREE Donate button – Crowdfunding – Fundraising; Researcher: Legion Hunter
WPComplete <= 2.9.5.3 - Missing Authorization
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-49906; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: WPComplete; Researcher: Nabil Irawan
ZoloBlocks <= 2.3.11 - Missing Authorization to Unauthenticated Popup Enable/Disable
CVSS Rating: Medium (5.3); CVE-ID: CVE-2025-12134; Patch Status: Patched; Published: Oct 23, 2025
Affected Software: ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns; Researcher: Jay
Element Pack Addons for Elementor <= 8.2.5 - Authenticated (Subscriber+) Blind Server-Side Request Forgery
CVSS Rating: Medium (5.0); CVE-ID: CVE-2025-11536; Patch Status: Patched; Published: Oct 20, 2025
Affected Software: Element Pack Addons for Elementor; Researcher: LionTree
Feedzy RSS Feeds Lite <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery
CVSS Rating: Medium (5.0); CVE-ID: CVE-2025-11128; Patch Status: Patched; Published: Oct 22, 2025
Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator; Researcher: Lucas Montes (Nirox)
Email Tracker <= 5.3.12 - Authenticated (Admin+) SQL Injection
CVSS Rating: Medium (4.9); CVE-ID: CVE-2025-10047; Patch Status: Unpatched; Published: Oct 21, 2025
Affected Software: Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails; Researcher: dutafi
WP Gravity Forms Zoho CRM and Bigin <= 1.2.8 - Open Redirect
CVSS Rating: Medium (4.7); CVE-ID: CVE-2025-62981; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: WP Gravity Forms Zoho CRM and Bigin; Researcher: Bonds
Email Subscription Popup <= 1.2.26 - Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4); CVE-ID: CVE-2025-49912; Patch Status: Patched; Published: Oct 22, 2025
Affected Software: Email Subscription Popup; Researcher: Kim YunJi
Fast Velocity Minify <= 3.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4); CVE-ID: CVE-2025-12034; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Fast Velocity Minify; Researcher: Cody Sixteen
qnotsquiz <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4); CVE-ID: CVE-2025-12016; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: qnotsquiz; Researcher: dayea song
Simple Banner <= 3.0.10 - Authenticated (Admin+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4); CVE-ID: CVE-2025-12033; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website; Researcher: Cody Sixteen
Advanced Database Cleaner <= 3.1.6 - Cross-Site Request Forgery to Settings Manipulation
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-11497; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Advanced Database Cleaner; Researcher: Bao - BlueRock
AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant <= 1.6.5 - Unauthenticated CSV Injection
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-11576; Patch Status: Patched; Published: Oct 23, 2025
Affected Software: AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant; Researcher: Jonas Benjamin Friedli
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-6833; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier; Researcher: Jonas Benjamin Friedli
Bard <= 1.6 - Cross-Site Request Forgery
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-64368; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: Bard - A Theatre and Performing Arts WordPress Theme; Researcher: Tran Nguyen Bao Khanh
Check Plagiarism <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-11172; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: Check Plagiarism; Researcher: Jonas Benjamin Friedli
Client Invoicing by Sprout Invoices <= 20.8.7 - Missing Authorization
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-64229; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress; Researcher: Trương Hữu Phúc (truonghuuphuc)
Disable Content Editor For Specific Template <= 2.0 - Cross-Site Request Forgery to Template Configuration Update
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-12072; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: Disable Content Editor For Specific Template; Researcher: Nabil Irawan
FanBridge signup <= 0.6 - Cross-Site Request Forgery
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-62986; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: FanBridge signup; Researcher: Nguyen Xuan Chien
Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-10570; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: Flexible Refund and Return Order for WooCommerce; Researcher: Powpy
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Cross-Site Request Forgery to Sync Rule Creation
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-11976; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.); Researcher: Jonas Benjamin Friedli
KiotViet Sync <= 1.8.5 - Missing Authorization
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-62978; Patch Status: Unpatched; Published: Oct 20, 2025
Affected Software: KiotViet Sync; Researcher: Legion Hunter
LLM Hubspot Blog Import <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Hubspot Import
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-11257; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: LLM Hubspot Blog Import; Researcher: Jonas Benjamin Friedli
MDTF <= 1.3.3.9 - Missing Authorization
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-49907; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: MDTF – Meta Data and Taxonomies Filter; Researcher: Legion Hunter
NGINX Cache Optimizer <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-12014; Patch Status: Unpatched; Published: Oct 23, 2025
Affected Software: NGINX Cache Optimizer; Researcher: Legion Hunter
Originality.ai AI Checker <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via 'ai_scan_result_remove'
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-10902; Patch Status: Patched; Published: Oct 23, 2025
Affected Software: Originality.ai AI Checker; Researcher: Jonas Benjamin Friedli
Originality.ai AI Checker <= 1.0.16 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'ai_get_table'
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-10901; Patch Status: Patched; Published: Oct 23, 2025
Affected Software: Originality.ai AI Checker; Researcher: Jonas Benjamin Friedli
Password Policy Manager | Password Manager <= 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-11255; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Password Policy Manager | Password Manager; Researcher: Jonas Benjamin Friedli
Persian Admnin Fonts <= 4.1.03 - Missing Authorization
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-62980; Patch Status: Unpatched; Published: Oct 21, 2025
Affected Software: Persian Admnin Fonts; Researcher: Legion Hunter
PixelYourSite <= 11.1.2 - Cross-Site Request Forgery to GDPR Options Modification
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-10588; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: PixelYourSite – Your smart PIXEL (TAG) & API Manager; Researcher: Dmitrii Ignatyev
PowerPress Podcasting <= 11.13.12 - Cross-Site Request Forgery
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-64201; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: PowerPress Podcasting plugin by Blubrry; Researcher: daroo
Stockie Extra <= 1.2.11 - Cross-Site Request Forgery
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-64226; Patch Status: Patched; Published: Oct 21, 2025
Affected Software: Stockie Extra; Researcher: Bonds
Supervisor <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-11887; Patch Status: Patched; Published: Oct 23, 2025
Affected Software: Supervisor; Researcher: Jonas Benjamin Friedli
Tutor LMS <= 3.8.3 - Missing Authorization to Sensitive Information Exposure
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-6680; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Tutor LMS – eLearning and online course solution; Researcher: sergioframi
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update
CVSS Rating: Medium (4.3); CVE-ID: CVE-2025-12005; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress; Researcher: Rafshanzani Suhada
Password Protected <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing
CVSS Rating: Low (3.7); CVE-ID: CVE-2025-11244; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content; Researcher: Dmitrii Ignatyev
ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4 - Incorrect Authorization to Authenticated (Editor+) License Status Update
CVSS Rating: Low (2.7); CVE-ID: CVE-2025-11888; Patch Status: Patched; Published: Oct 24, 2025
Affected Software: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution; Researcher: Jonas Benjamin Friedli
As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
The database is continuously updated and maintained by Wordfence's vulnerability researchers through in-house research, submissions to the Wordfence Bug Bounty Program, and monitoring of public sources for WordPress vulnerability information, with additional context added where possible.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 20, 2025 to October 26, 2025) appeared first on Wordfence.
Source: www.wordfence.com