Critical Security Vulnerability in the WordPress Plugin "Hydra Booking" (CVE-2025-12788)
Author: Chloe Chamberland
CVE references:
Summary
The WordPress plugin "Hydra Booking" had a critical security vulnerability that allowed attackers to cancel bookings without authentication. A patch is now available; site operators should update the plugin immediately.
Calling all Vulnerability Researchers and Bug Bounty Hunters!
The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.
Last week, 123 vulnerabilities disclosed in 114 WordPress plugins and 2 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 55 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we run this weekly vulnerability report. Because Wordfence is the world's leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 29,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
WAF-RULE-874 – Data redacted while we work with the vendor on a patch.
Gravity Forms <= 2.9.21.1 – Unauthenticated Arbitrary File Upload via Legacy Chunked Upload
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status: Number of Vulnerabilities
Patched: 70
Unpatched: 53
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating: Number of Vulnerabilities
Medium Severity: 104
High Severity: 15
Critical Severity: 4
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE: Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): 44
Missing Authorization: 27
Cross-Site Request Forgery (CSRF): 9
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): 8
Authorization Bypass Through User-Controlled Key: 7
Exposure of Sensitive Information to an Unauthorized Actor: 4
Improper Control of Generation of Code ('Code Injection'): 3
Improper Privilege Management: 3
Improper Authorization: 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): 2
Unrestricted Upload of File with Dangerous Type: 2
Client-Side Enforcement of Server-Side Security: 1
Deserialization of Untrusted Data: 1
Exposure of Private Personal Information to an Unauthorized Actor: 1
External Control of File Name or Path: 1
Improper Access Control: 1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): 1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): 1
Insecure Storage of Sensitive Information: 1
Insertion of Sensitive Information into Externally-Accessible File or Directory: 1
Missing Authentication for Critical Function: 1
URL Redirection to Untrusted Site ('Open Redirect'): 1
Use of Insufficiently Random Values: 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name: Number of Vulnerabilities
Muhammad Yudha - DJ: 14
zakaria: 12
Jonas Benjamin Friedli: 8
kr0d: 6
type5afe: 5
daroo: 4
Gilang - DJ: 4
Athiwat Tiprasaharn (Jitlada): 4
Ivan Cese: 4
shark3y: 3
Legion Hunter: 3
johska: 3
DityaRA: 3
Nabil Irawan: 3
ZAST.AI: 3
Kévin Mosbahi (Mika): 3
Yousof Nahya: 2
Itthidej Aramsri (Boeing777): 2
Marco Aniello Guida: 2
Ahmad Salem (a7mad.cc): 2
Rafshanzani Suhada: 2
Dmitrii Ignatyev: 2
João Pedro S Alcântara (Kinorth): 2
dutafi: 1
Rafie Muhammad: 1
Tran Nguyen Bao Khanh: 1
Naoya Takahashi (nakko): 1
Md. Moniruzzaman Prodhan (NomanProdhan): 1
theviper17y: 1
Marcin Dudek (dudekmar): 1
Kim YunJi: 1
Peerapat Samatathanyakorn: 1
Adrian Lukita: 1
Jarno Vos (jarnovos): 1
Powpy: 1
kai: 1
Kathleen Walsh: 1
kwakbumjun: 1
dayea song: 1
mikemyers: 1
Maktoum (bRpsd): 1
Brian Mungai: 1
tmrswrr: 1
zaim: 1
Moose Love: 1
Webbernaut: 1
Truong Nguyen Long (thewindghost): 1
Hoang The Vinh (Indig0): 1
Nguyen Tran Tuan Dung (domiee13): 1
ISMAILSHADOW: 1
Peter Thaleikis: 1
YC_Infosec: 1
stealthcopter: 1
Ilkeggs: 1
Bhayanak Atma: 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name [Software Slug]
0 Day Analytics [0-day-analytics]
Add Multiple Marker [add-multiple-marker]
AI Engine [ai-engine]
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic [all-in-one-seo-pack]
Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images [alt-text-generator]
Appointment Booking Calendar [appointment-booking-calendar]
Asgaros Forum [asgaros-forum]
Astra Security Suite – Firewall & Malware Scan [getastra]
Authors List [authors-list]
Auto Amazon Links – Amazon Associates Affiliate Plugin [amazon-auto-links]
Blocksy Companion [blocksy-companion]
Booking Calendar [booking]
Booking Calendar | Appointment Booking | Bookit [bookit]
Booking for Appointments and Events Calendar – Amelia [ameliabooking]
Chart Expert [chart-expert]
Chat Help – Click to Chat Button & Form [chat-help]
Classified Listing – AI-Powered Classified ads & Business Directory Plugin [classified-listing]
Comment Edit Core – Simple Comment Editing [simple-comment-editing]
Contact Form Email [contact-form-to-email]
Contest Gallery – Upload, Vote & Sell with PayPal and Stripe [contest-gallery]
Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed [quicq]
Coon Google Maps [coon-google-maps]
Crypto Tool [crypto]
CTL Arcade Lite [ctl-arcade-lite]
Data Tables Generator by Supsystic [data-tables-generator-by-supsystic]
db-access [db-access]
Document Pro Elementor – Documentation & Knowledge Base [document-pro-elementor]
donation [donation]
Double the Donation – A workplace giving tool [double-the-donation]
Easy Email Subscription [email-subscription-with-secure-captcha]
Easy WordPress Funnel Builder To Collect Leads And Increase Sales – WPFunnels [wpfunnels]
EasyCommerce – AI-Powered Ecommerce To Sell Physical & Digital Products [easycommerce]
Elastic Theme Editor [elastic-theme-editor]
Eventbee Ticketing Widget [eventbee-ticketing-widget]
Featured Image [featured-image]
Find Unused Images [find-unused-images]
Five9 Live Chat [five9]
Fleet Manager [fleet]
Flickr Show [wp-flickrshow]
Gallery Plugin for WordPress – Envira Photo Gallery [envira-gallery-lite]
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory [geodirectory]
Geopost [geopost]
GitHub Gist Shortcode Plugin [github-gist-shortcode]
Holiday class post calendar [holiday-class-post-calendar]
Hydra Booking — Appointment Scheduling & Booking Calendar [hydra-booking]
Image Gallery – Photo Grid & Video Gallery [modula-best-grid-gallery]
Import any XML, CSV or Excel File to WordPress [wp-all-import]
Include Fussball.de Widgets [include-fussball-de-widgets]
Jeba Cute forkit [jeba-cute-forkit]
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes [lifterlms]
Live Photos on WordPress [live-photos]
Magazine Companion [bnm-blocks]
MembershipWorks – Membership, Events & Directory [memberfindme]
Mementor Core [mementor-core]
My Geo Posts Free [my-geo-posts-free]
Ninja Countdown | Fastest Countdown Builder [ninja-countdown]
Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress [nonaki-email-template-customizer]
Online Booking & Scheduling Calendar for WordPress by vcita [meeting-scheduler-by-vcita]
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer]
Payment Plugins Braintree For WooCommerce [woo-payment-gateway]
Paypal Donation Shortcode [paypal-donation-shortcode]
PDF Builder for WooCommerce. Create invoices,packing slips and more [woo-pdf-invoice-builder]
Poll Maker – Versus Polls, Anonymous Polls, Image Polls [poll-maker]
Precise Columns [precise-columns]
Preload Current Images [preload-current-images]
Private Google Calendars [private-google-calendars]
Progress Bar Blocks for Gutenberg [progressmatify-blocks]
Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart [wedevs-project-manager]
Qi Blocks [qi-blocks]
RandomQuotr [randomquotr]
Save as PDF Button [save-as-pdf]
School Management System – WPSchoolPress [wpschoolpress]
Select Core [select-core]
Seriously Simple Podcasting [seriously-simple-podcasting]
Share to Google Classroom [share-to-google-classroom]
Shopkeeper Extender [shopkeeper-extender]
Simple Donate [simple-donate]
Skip to Timestamp [skip-to-timestamp]
SKT Skill Bar [skt-skill-bar]
Slippy Slider – Responsive Touch Navigation Slider [slippy-slider-responsive-touch-navigation-slider]
SNORDIAN's H5PxAPIkatchu [h5pxapikatchu]
Specific Content For Mobile – Customize the mobile version without redirections [specific-content-for-mobile]
Squirrels Auto Inventory [squirrels-auto-inventory]
Stock Management for WooCommerce by Shelf Planner [shelf-planner]
Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator [stylish-cost-calculator]
SureForms – Contact Form, Payment Form & Other Custom Form Builder [sureforms]
Survey Maker [survey-maker]
The Total Book Project [the-total-book-project]
Theater for WordPress [theatre]
Thumbnail Slider With Lightbox [wp-responsive-slider-with-lightbox]
Timetable and Event Schedule by MotoPress [mp-timetable]
TNC Toolbox: Web Performance [tnc-toolbox]
Twitter Feed [ot-twitter-feed]
Ungapped Widgets [ungapped-widgets]
USB Qr Code Scanner For Woocommerce [usb-qr-code-scanner-for-woocommerce]
Welcart e-Commerce [usc-e-shop]
Wishlist and Save for later for Woocommerce [aco-wishlist-for-woocommerce]
Wisly [wisly]
Woffice Core [woffice-core]
Woocommerce – Products By Custom Tax [woocommerce-products-by-custom-tax]
WordPress Content Flipper [wp-flipper]
WP BBCode [wp-bbcode]
WP Bootstrap Tabs [wp-bootstrap-tabs]
WP Count Down Timer [wp-count-down-timer]
WP Custom Admin Login Page Logo [wp-custom-login-page-logo]
WP Google Review Slider [wp-google-places-review-slider]
WP Import – Ultimate CSV XML Importer for WordPress [wp-ultimate-csv-importer]
WP Plugin Manager – Deactivate plugins per page [wp-plugin-manager]
WP YouTube Lyte [wp-youtube-lyte]
WP-Iconics [wp-iconics]
WP-OAuth [wp-oauth]
WP-Walla [wp-walla]
WP移行専用プラグイン for CPI [cpi-wp-migration]
YSlider [yslider]
WordPress Themes with Reported Vulnerabilities Last Week
Software Name [Software Slug]
Angel – Fashion Model Agency WordPress CMS Theme [angel]
Lobo - WordPress Portfolio for Freelancers & Agencies [lobo]
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
TNC Toolbox: Web Performance <= 1.4.2 - Unauthenticated Sensitive Information Exposure to Privilege Escalation/cPanel Account Takeover
CVSS Rating: Critical (10.0); CVE-ID: CVE-2025-12539; Patch Status: Patched; Published: Nov 10, 2025; Affected Software: TNC Toolbox: Web Performance; Researcher: kr0d
EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8); CVE-ID: CVE-2025-11457; Patch Status: Patched; Published: Nov 10, 2025; Affected Software: EasyCommerce – AI-Powered Ecommerce To Sell Physical & Digital Products; Researcher: kr0d
Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'
CVSS Rating: Critical (9.8); CVE-ID: CVE-2025-12813; Patch Status: Patched; Published: Nov 10, 2025; Affected Software: Holiday class post calendar; Researcher: kr0d
WP移行専用プラグイン for CPI <= 1.0.2 - Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8); CVE-ID: CVE-2025-11170; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: WP移行専用プラグイン for CPI; Researcher: kr0d
Blocksy Companion <= 2.1.19 - Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass
CVSS Rating: High (8.8); CVE-ID: CVE-2025-12846; Patch Status: Patched; Published: Nov 10, 2025; Affected Software: Blocksy Companion; Researcher: shark3y
Elastic Theme Editor <= 0.0.3 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8); CVE-ID: CVE-2025-12637; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Elastic Theme Editor; Researcher: kr0d
Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic
CVSS Rating: High (8.8); CVE-ID: CVE-2025-12733; Patch Status: Patched; Published: Nov 12, 2025; Affected Software: Import any XML, CSV or Excel File to WordPress; Researcher: tmrswrr
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes - Various Versions - Authenticated (Student+) Privilege Escalation
CVSS Rating: High (8.8); CVE-ID: CVE-2025-11923; Patch Status: Patched; Published: Nov 12, 2025; Affected Software: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes; Researcher: shark3y
Mementor Core <= 2.2.5 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8); CVE-ID: CVE-2025-11168; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Mementor Core; Researcher: theviper17y
Astra Security Suite – Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload
CVSS Rating: High (8.1); CVE-ID: CVE-2025-11521; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Astra Security Suite – Firewall & Malware Scan; Researcher: kr0d
Auto Amazon Links – Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read
CVSS Rating: High (7.5); CVE-ID: CVE-2025-11451; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Auto Amazon Links – Amazon Associates Affiliate Plugin; Researcher: Rafshanzani Suhada
Booking Calendar | Appointment Booking | Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection
CVSS Rating: High (7.5); CVE-ID: CVE-2025-12633; Patch Status: Patched; Published: Nov 11, 2025; Affected Software: Booking Calendar | Appointment Booking | Bookit; Researcher: Md. Moniruzzaman Prodhan (NomanProdhan)
Booking for Appointments and Events Calendar – Amelia <= 1.2.35 - Unauthenticated SQL Injection via search
CVSS Rating: High (7.5); CVE-ID: CVE-2025-12482; Patch Status: Patched; Published: Nov 15, 2025; Affected Software: Booking for Appointments and Events Calendar – Amelia; Researcher: YC_Infosec
Donation <= 1.0 - Authenticated (Admin+) SQL Injection
CVSS Rating: High (7.5); CVE-ID: CVE-2025-13001; Patch Status: Unpatched; Published: Nov 11, 2025; Affected Software: donation; Researcher: Yousof Nahya
Payment Plugins Braintree For WooCommerce <= 3.2.78 - Missing Authorization to Payment Token Exposure and Transaction Fraud
CVSS Rating: High (7.5); CVE-ID: CVE-2025-12903; Patch Status: Patched; Published: Nov 11, 2025; Affected Software: Payment Plugins Braintree For WooCommerce; Researcher: type5afe
Select Core < 2.6 - Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (7.5); CVE-ID: CVE-2025-67521; Patch Status: Patched; Published: Nov 14, 2025; Affected Software: Select Core; Researcher: João Pedro S Alcântara (Kinorth)
Easy Email Subscription <= 1.3 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2); CVE-ID: CVE-2025-11994; Patch Status: Patched; Published: Nov 11, 2025; Affected Software: Easy Email Subscription; Researcher: Muhammad Yudha - DJ
SNORDIAN's H5PxAPIkatchu <= 0.4.17 - Unauthenticated Stored Cross-Site Scripting via insert_data
CVSS Rating: High (7.2); CVE-ID: CVE-2025-12904; Patch Status: Patched; Published: Nov 13, 2025; Affected Software: SNORDIAN's H5PxAPIkatchu; Researcher: Moose Love
AI Engine <= 3.1.8 - Authenticated (Subscriber+) PHP Object Injection via PHAR Deserialization
CVSS Rating: High (7.1); CVE-ID: CVE-2025-12844; Patch Status: Patched; Published: Nov 12, 2025; Affected Software: AI Engine; Researcher: ISMAILSHADOW
Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode
CVSS Rating: Medium (6.5); CVE-ID: CVE-2025-12010; Patch Status: Patched; Published: Nov 10, 2025; Affected Software: Authors List; Researcher: kai
Data Tables Generator by Supsystic <= 1.10.45 - Authenticated (Admin+) Arbitrary File Deletion
CVSS Rating: Medium (6.5); CVE-ID: CVE-2025-12089; Patch Status: Patched; Published: Nov 12, 2025; Affected Software: Data Tables Generator by Supsystic; Researcher: Naoya Takahashi (nakko)
Specific Content For Mobile – Customize the mobile version without redirections <= 0.5.5 - Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5); CVE-ID: CVE-2025-11454; Patch Status: Patched; Published: Nov 11, 2025; Affected Software: Specific Content For Mobile – Customize the mobile version without redirections; Researcher: Jonas Benjamin Friedli
WP Project Manager <= 2.6.26 - Authenticated (Subscriber+) SQL Injection via 'completed_at_operator'
CVSS Rating: Medium (6.5); CVE-ID: CVE-2025-8994; Patch Status: Patched; Published: Nov 14, 2025; Affected Software: Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart; Researcher: mikemyers
Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-10295; Patch Status: Unpatched; Published: Nov 12, 2025; Affected Software: Angel – Fashion Model Agency WordPress CMS Theme; Researchers: Truong Nguyen Long (thewindghost), Hoang The Vinh (Indig0)
Booking Calendar <= 10.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-64381; Patch Status: Patched; Published: Nov 13, 2025; Affected Software: Booking Calendar; Researcher: Peter Thaleikis
Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12753; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Chart Expert; Researcher: Muhammad Yudha - DJ
Coon Google Maps <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12662; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Coon Google Maps; Researcher: zakaria
Eventbee Ticketing Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11856; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Eventbee Ticketing Widget; Researcher: Muhammad Yudha - DJ
Five9 Live Chat <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11829; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Five9 Live Chat; Researcher: Muhammad Yudha - DJ
Flickr Show <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12672; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Flickr Show; Researcher: zakaria
Geopost <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12754; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Geopost; Researcher: Muhammad Yudha - DJ
GitHub Gist Shortcode Plugin <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12667; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: GitHub Gist Shortcode Plugin; Researcher: zakaria
Include fussball.de Widgets <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'api' and 'type'
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11129; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Include Fussball.de Widgets; Researchers: stealthcopter, Ilkeggs
Jeba Cute forkit <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12663; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Jeba Cute forkit; Researcher: zakaria
Live Photos on WordPress <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12651; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Live Photos on WordPress; Researcher: zakaria
Magazine Companion <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11828; Patch Status: Patched; Published: Nov 10, 2025; Affected Software: Magazine Companion; Researcher: zaim
My Geo Posts Free <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11863; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: My Geo Posts Free; Researcher: Gilang - DJ
Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12644; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress; Researcher: Muhammad Yudha - DJ
Paypal Donation Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11859; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Paypal Donation Shortcode; Researcher: Muhammad Yudha - DJ
Precise Columns <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11869; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Precise Columns; Researcher: Muhammad Yudha - DJ
Preload Current Images <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12658; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Preload Current Images; Researcher: zakaria
Save as PDF Button <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via restpackpdfbutton Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-8397; Patch Status: Unpatched; Published: Nov 12, 2025; Affected Software: Save as PDF Button; Researcher: Muhammad Yudha - DJ
Select Core < 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-67539; Patch Status: Patched; Published: Nov 14, 2025; Affected Software: Select Core; Researcher: João Pedro S Alcântara (Kinorth)
Share to Google Classroom <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via share_to_google Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12711; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Share to Google Classroom; Researcher: Muhammad Yudha - DJ
Shopkeeper Extender < 7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-67544; Patch Status: Patched; Published: Nov 13, 2025; Affected Software: Shopkeeper Extender; Researcher: Jarno Vos (jarnovos)
Simple Donate <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11882; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Simple Donate; Researcher: Gilang - DJ
Skip to Timestamp <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11805; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Skip to Timestamp; Researcher: zakaria
SKT Skill Bar <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-66090; Patch Status: Patched; Published: Nov 14, 2025; Affected Software: SKT Skill Bar; Researcher: Muhammad Yudha - DJ
Stylish Cost Calculator <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-66091; Patch Status: Patched; Published: Nov 14, 2025; Affected Software: Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator; Researcher: Muhammad Yudha - DJ
Thumbnail Slider With Lightbox <= 1.0.21 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2024-5020; Patch Status: Patched; Published: Nov 11, 2025; Affected Software: Thumbnail Slider With Lightbox; Researcher: Webbernaut
Twitter Feed <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11860; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Twitter Feed; Researcher: Muhammad Yudha - DJ
Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12652; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Ungapped Widgets; Researcher: zakaria
Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11821; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Woocommerce – Products By Custom Tax; Researcher: zakaria
WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11769; Patch Status: Unpatched; Published: Nov 12, 2025; Affected Software: WordPress Content Flipper; Researcher: Muhammad Yudha - DJ
WP BBCode <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11873; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: WP BBCode; Researcher: Gilang - DJ
WP Bootstrap Tabs <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-11822; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: WP Bootstrap Tabs; Researcher: zakaria
WP Count Down Timer <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12668; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: WP Count Down Timer; Researcher: zakaria
WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4); CVE-ID: CVE-2025-12671; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: WP-Iconics; Researcher: zakaria
WP-OAuth <= 0.4.1 - Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1); CVE-ID: CVE-2025-12021; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: WP-OAuth; Researcher: Jonas Benjamin Friedli
WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1); CVE-ID: CVE-2025-12589; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: WP-Walla; Researcher: johska
YSlider <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1); CVE-ID: CVE-2025-12590; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: YSlider; Researcher: johska
RandomQuotr <= 1.0.4 - Authenticated (Admin+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5); CVE-ID: CVE-2025-12632; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: RandomQuotr; Researchers: Ivan Cese, Marco Aniello Guida
Progress Bar Blocks for Gutenberg <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG
CVSS Rating: Medium (5.4); CVE-ID: CVE-2025-12880; Patch Status: Unpatched; Published: Nov 10, 2025; Affected Software: Progress Bar Blocks for Gutenberg; Researcher: Peerapat Samatathanyakorn
Slippy Slider – Responsive Touch Navigation Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-11874
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Slippy Slider – Responsive Touch Navigation Slider
Researcher
Gilang - DJ
More Details >
The Total Book Project <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-12126
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
The Total Book Project
Researcher
Athiwat Tiprasaharn (Jitlada)
More Details >
Add Multiple Marker <= 1.2 - Missing Authorization to Unauthenticated Settings Update
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11999
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Add Multiple Marker
Researcher
Bhayanak Atma
More Details >
Chat Help <= 3.1.3 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-66099
Patch Status
Patched
Published
Nov 11, 2025
Affected Software
Chat Help – Click to Chat Button & Form
Researcher
Kim YunJi
More Details >
Comment Edit Core – Simple Comment Editing <= 3.1.0 - Unauthenticated Sensitive Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12681
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Comment Edit Core – Simple Comment Editing
Researcher
Powpy
More Details >
Contest Gallery <= 28.0.2 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12849
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
Contest Gallery – Upload, Vote & Sell with PayPal and Stripe
Researcher
type5afe
More Details >
Crypto Tool <= 2.22 - Unauthenticated Information Exposure via Global Authentication State
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11986
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Crypto Tool
Researcher
Jonas Benjamin Friedli
More Details >
Crypto Tool <= 2.22 - Missing Authentication to Unauthenticated Limited File Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11988
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Crypto Tool
Researcher
Jonas Benjamin Friedli
More Details >
Document Pro Elementor – Documentation & Knowledge Base <= 1.0.9 - Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11997
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Document Pro Elementor – Documentation & Knowledge Base
Researcher
Nabil Irawan
More Details >
Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11996
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Find Unused Images
Researcher
johska
More Details >
Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12788
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Hydra Booking — Appointment Scheduling & Booking Calendar
Researcher
Ahmad Salem (a7mad.cc)
More Details >
Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12787
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Hydra Booking — Appointment Scheduling & Booking Calendar
Researcher
Ahmad Salem (a7mad.cc)
More Details >
Shelf Planner <= 2.8.1 - Missing Authorization to Unauthenticated Settings Update
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11894
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Stock Management for WooCommerce by Shelf Planner
Researcher
Jonas Benjamin Friedli
More Details >
Shelf Planner <= 2.8.1 - Unauthenticated Information Exposure via Log Files
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11891
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Stock Management for WooCommerce by Shelf Planner
Researcher
Jonas Benjamin Friedli
More Details >
SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12536
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
SureForms – Contact Form, Payment Form & Other Custom Form Builder
Researcher
type5afe
More Details >
Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12891
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Survey Maker
Researcher
DityaRA
More Details >
Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Limited Option Update
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12892
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Survey Maker
Researcher
DityaRA
More Details >
Theater for WordPress <= 0.18.8 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-64259
Patch Status
Patched
Published
Nov 13, 2025
Affected Software
Theater for WordPress
Researcher
Legion Hunter
More Details >
Timetable and Event Schedule by MotoPress <= 2.4.15 - Insecure Direct Object Reference to Authenticated (Contributor+) Event Disclosure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12954
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Timetable and Event Schedule by MotoPress
Researcher
Maktoum (bRpsd)
More Details >
Welcart e-Commerce <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-12979
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Welcart e-Commerce
Researcher
Marcin Dudek (dudekmar)
More Details >
Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-11532
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Wisly
Researcher
Itthidej Aramsri (Boeing777)
More Details >
Woffice Core <= 5.4.30 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67566
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
Woffice Core
Researcher
Rafie Muhammad
More Details >
WPFunnels <= 3.6.2 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67571
Patch Status
Patched
Published
Nov 15, 2025
Affected Software
Easy WordPress Funnel Builder To Collect Leads And Increase Sales – WPFunnels
Researcher
Athiwat Tiprasaharn (Jitlada)
More Details >
0 Day Analytics <= 4.0.0 - Authenticated (Administrator+) SQL Injection
4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-64293
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
0 Day Analytics
Researcher
kwakbumjun
More Details >
Double the Donation <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-12020
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Double the Donation – A workplace giving tool
Researchers
ZAST.AIKathleen Walsh
More Details >
Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 6.0.7 - Authenticated (Administrator+) SQL Injection via `filterbyauthor` Parameter
4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-12620
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Researcher
type5afe
More Details >
School Management System – WPSchoolPress <= 2.2.23 - Authenticated (Administrator+) SQL Injection
4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-11981
Patch Status
Patched
Published
Nov 13, 2025
Affected Software
School Management System – WPSchoolPress
Researcher
dutafi
More Details >
YouTube Lyte <= 1.7.28 - Open Redirect
4.7
CVSS Rating
Medium (4.7)
CVE-ID
CVE-2025-66062
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
WP YouTube Lyte
Researcher
Nabil Irawan
More Details >
Featured Image <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12019
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Featured Image
Researcher
ZAST.AI
More Details >
Fleet Manager <= 2.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12538
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Fleet Manager
Researchers
Ivan CeseMarco Aniello Guida
More Details >
MembershipWorks <= 6.14 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12018
Patch Status
Patched
Published
Nov 11, 2025
Affected Software
MembershipWorks – Membership, Events & Directory
Researcher
ZAST.AI
More Details >
Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-12631
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Squirrels Auto Inventory
Researcher
Ivan Cese
More Details >
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.8.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12847
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Researcher
shark3y
More Details >
Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12113
Patch Status
Patched
Published
Nov 11, 2025
Affected Software
Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images
Researcher
Legion Hunter
More Details >
Appointment Booking Calendar <= 1.3.95 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-64261
Patch Status
Patched
Published
Nov 15, 2025
Affected Software
Appointment Booking Calendar
Researcher
daroo
More Details >
Asgaros Forum <= 3.2.1 - Cross-Site Request Forgery to Subscription Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12901
Patch Status
Patched
Published
Nov 11, 2025
Affected Software
Asgaros Forum
Researcher
Brian Mungai
More Details >
Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.2.0 - Missing Authorization to Authenticated (Subscriber+) Listing Types Tampering
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12953
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Classified Listing – AI-Powered Classified ads & Business Directory Plugin
Researcher
Rafshanzani Suhada
More Details >
Contact Form Email <= 1.3.58 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-64369
Patch Status
Patched
Published
Nov 15, 2025
Affected Software
Contact Form Email
Researcher
daroo
More Details >
Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12015
Patch Status
Unpatched
Published
Nov 12, 2025
Affected Software
Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed
Researcher
Legion Hunter
More Details >
CTL Arcade Lite <= 1.0 - Cross-Site Request Forgery to Plugin Activation and Deactivation
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-11886
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
CTL Arcade Lite
Researcher
Jonas Benjamin Friedli
More Details >
DB Access <= 0.8.7 - Authenticated (Subscriber+) SQL Injection
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13000
Patch Status
Unpatched
Published
Nov 11, 2025
Affected Software
db-access
Researcher
Yousof Nahya
More Details >
Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12377
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Gallery Plugin for WordPress – Envira Photo Gallery
Researcher
Dmitrii Ignatyev
More Details >
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12833
Patch Status
Patched
Published
Nov 11, 2025
Affected Software
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Researcher
DityaRA
More Details >
Google Review Slider <= 17.4 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-66063
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
WP Google Review Slider
Researcher
Nabil Irawan
More Details >
Image Gallery – Photo Grid & Video Gallery <= 2.12.28 - Improper Authorization to Authenticated (Author+) Arbitrary Image File Move
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12494
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
Image Gallery – Photo Grid & Video Gallery
Researcher
Dmitrii Ignatyev
More Details >
Lobo <= 2.8.6 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-66527
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
Lobo - WordPress Portfolio for Freelancers & Agencies
Researcher
Tran Nguyen Bao Khanh
More Details >
Ninja Countdown <= 1.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Countdown Deletion
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12665
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
Ninja Countdown | Fastest Countdown Builder
Researcher
Ivan Cese
More Details >
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.5 - Cross-Site Request Forgery
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-67472
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita
Researcher
Kévin Mosbahi (Mika)
More Details >
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.5 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-67559
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita
Researcher
Kévin Mosbahi (Mika)
More Details >
Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12366
Patch Status
Patched
Published
Nov 12, 2025
Affected Software
Page Builder: Pagelayer – Drag and Drop website builder
Researcher
Athiwat Tiprasaharn (Jitlada)
More Details >
Plugin Manager <= 1.4.7 - Cross-Site Request Forgery
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-64271
Patch Status
Patched
Published
Nov 13, 2025
Affected Software
WP Plugin Manager – Deactivate plugins per page
Researcher
Kévin Mosbahi (Mika)
More Details >
Private Google Calendars <= 20250811 - Missing Authorization to Authenticated (Subscriber+) Settings Reset
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12526
Patch Status
Patched
Published
Nov 10, 2025
Affected Software
Private Google Calendars
Researcher
Athiwat Tiprasaharn (Jitlada)
More Details >
Qi Blocks <= 1.4.3 - Missing Authorization to Arbitrary Attachment Resize
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12182
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
Qi Blocks
Researcher
Adrian Lukita
More Details >
Seriously Simple Podcasting <= 3.13.0 - Cross-Site Request Forgery
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-66061
Patch Status
Patched
Published
Nov 11, 2025
Affected Software
Seriously Simple Podcasting
Researcher
daroo
More Details >
Survey Maker <= 5.1.9.4 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-64276
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
Survey Maker
Researcher
daroo
More Details >
USB Qr Code Scanner For Woocommerce <= 1.0.0 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12588
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
USB Qr Code Scanner For Woocommerce
Researcher
dayea song
More Details >
Wishlist and Save for later for Woocommerce <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12087
Patch Status
Patched
Published
Nov 11, 2025
Affected Software
Wishlist and Save for later for Woocommerce
Researcher
Itthidej Aramsri (Boeing777)
More Details >
WooCommerce PDF Invoice Builder <= 1.2.150 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-64269
Patch Status
Patched
Published
Nov 14, 2025
Affected Software
PDF Builder for WooCommerce. Create invoices,packing slips and more
Researcher
Nguyen Tran Tuan Dung (domiee13)
More Details >
WP Custom Admin Login Page Logo <= 1.4.8.4 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12132
Patch Status
Unpatched
Published
Nov 10, 2025
Affected Software
WP Custom Admin Login Page Logo
Researcher
Jonas Benjamin Friedli
More Details >
WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12732
Patch Status
Patched
Published
Nov 11, 2025
Affected Software
WP Import – Ultimate CSV XML Importer for WordPress
Researcher
type5afe
More Details >
As a reminder, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 10, 2025 to November 16, 2025) appeared first on Wordfence.
Source: www.wordfence.com