Critical Arbitrary File Upload Vulnerability in the WordPress Plugin ELEX Helpdesk (CVE-2025-11456)


Summary

Security researchers discovered a critical vulnerability in the WordPress plugin "ELEX WordPress HelpDesk & Customer Ticketing System" up to and including version 3.3.1. It allows attackers to upload arbitrary files to the server and thereby execute malicious code. A patch has already been released; site operators should update the plugin immediately.

Last week, there were 155 vulnerabilities disclosed in 141 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 64 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Wordfence is the world's leading quality vulnerability database provider for WordPress, so site owners can rest assured knowing Wordfence has their back. Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can utilize the vulnerability Database API to receive a complete dump of our database of over 31,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free. Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-876 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status / Number of Vulnerabilities
Patched: 108
Unpatched: 47

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating / Number of Vulnerabilities
Medium Severity: 124
High Severity: 30
Critical Severity: 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE / Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): 52
Missing Authorization: 39
Cross-Site Request Forgery (CSRF): 11
Unrestricted Upload of File with Dangerous Type: 8
Exposure of Sensitive Information to an Unauthorized Actor: 7
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): 6
Server-Side Request Forgery (SSRF): 6
Authorization Bypass Through User-Controlled Key: 5
Improper Authorization: 4
External Control of File Name or Path: 2
Files or Directories Accessible to External Parties: 2
Improper Control of Generation of Code ('Code Injection'): 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): 2
Missing Authentication for Critical Function: 2
Deserialization of Untrusted Data: 1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): 1
Improper Input Validation: 1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): 1
Improper Neutralization of Formula Elements in a CSV File: 1
Insufficient Verification of Data Authenticity: 1
URL Redirection to Untrusted Site ('Open Redirect'): 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name / Number of Vulnerabilities
Athiwat Tiprasaharn (Jitlada): 14
Muhammad Yudha - DJ: 11
zakaria: 8
Legion Hunter: 8
Powpy: 6
Jonas Benjamin Friedli: 6
Ivan Cese: 6
Md. Moniruzzaman Prodhan (NomanProdhan): 5
Rafshanzani Suhada: 5
Gilang - DJ: 4
Nabil Irawan: 4
zer0gh0st: 3
kr0d: 3
Dmitrii Ignatyev: 3
Peter Thaleikis: 3
Alex Tselevich (nos3curity): 3
Deadbee: 2
Lucas Montes (Nirox): 2
Jarno Vos (jarnovos): 2
type5afe: 2
Muhammad Nur Ibnu Hubab (Ibnu): 2
Nicolai Hellesnes (nico_): 2
mikemyers: 2
zaim: 2
johska: 2
Abu Hurayra (HurayraIIT): 2
Ryan Kozak: 2
Moose Love: 2
NumeX: 2
Webbernaut: 2
abrahack: 2
daroo: 2
Michelle Porter: 1
Milinxee: 1
Adrian Lukita: 1
tmrswrr: 1
István Márton: 1
Bonds: 1
Sushi Com Abacate: 1
Vanh: 1
Sandeep Kambhampati: 1
Md Shofiur Rahman: 1
Trương Hữu Phúc (truonghuuphuc): 1
Bhayanak Atma: 1
apolo2: 1
Dieu Link: 1
GCSC Vietnam: 1
Itthidej Aramsri (Boeing777): 1
Naoya Takahashi (nakko): 1
Yousof Nahya: 1
Ahmad Salem (a7mad.cc): 1
Teuniz: 1
shark3y: 1
Varakorn Chanthasri (iCreaM): 1
Supakiad S. (m3ez): 1
ifoundbug: 1
Talal Nasraddeen: 1
0xd4rk5id3: 1
Sornram9254: 1
Kishan Vyas: 1
Mohamed amine Ouamar: 1
NAKLEH ZEIDAN: 1
stealthcopter: 1
João Pedro S Alcântara (Kinorth): 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week

Software Name [Software Slug]
Accordion Slider [accordion-slider]
ACF Flexible Layouts Manager [acf-flexible-layouts-manager]
Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager [ap-plugin-scripteo]
Affiliate AI Lite [affiliate-ai-lite]
AI Engine [ai-engine]
Appointment Booking Calendar [appointment-booking-calendar]
Appointment Bookings for Zoom GoogleMeet and more – Wappointment [wappointment]
ArtiBot Free Chat Bot for WebSites [artibot]
ArtPlacer Widget [artplacer-widget]
AudioTube [audiotube]
AuthorSure [authorsure]
Better Chat Support for Messenger [better-chat-support]
BigBuy Dropshipping Connector for WooCommerce [bigbuy-wc-dropshipping-connector]
Booking Calendar Contact Form [booking-calendar-contact-form]
Booking for Appointments and Events Calendar – Amelia [ameliabooking]
BrightTALK WordPress Shortcode [brighttalk-wp-shortcode]
Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links [broken-link-checker-seo]
Bulma Shortcodes [bulma-shortcodes]
Category and Product Woocommerce Tabs [category-and-product-woocommerce-tabs]
CBX Bookmark & Favorite [cbxwpbookmark]
Chat Help – Click to Chat Button & Form [chat-help]
Checkbox [checkbox]
Checkout Files Upload for WooCommerce [checkout-files-upload-woocommerce]
Classified Listing – AI-Powered Classified ads & Business Directory Plugin [classified-listing]
Code Snippets [code-snippets]
Coil Web Monetization [coil-web-monetization]
Community Events [community-events]
Cookie Notice & Compliance for GDPR / CCPA [cookie-notice]
CP Contact Form with PayPal [cp-contact-form-with-paypal]
Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO [tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop]
Cryptocurrency Payment Gateway for WooCommerce [triplea-cryptocurrency-payment-gateway-for-woocommerce]
CSV to SortTable [csv-to-sorttable]
Custom Admin Menu [custom-admin-menu]
Custom Order Numbers for WooCommerce [custom-order-numbers-for-woocommerce]
Custom Post Type [custom-post-type]
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings [directorist]
Display Pages Shortcode [display-pages-shortcode]
Download Panel (Biggiko Team) [download-panel]
EchBay Admin Security [echbay-admin-security]
Element Pack Addons for Elementor [bdthemes-element-pack-lite]
ELEX WordPress HelpDesk & Customer Ticketing System [elex-helpdesk-customer-support-ticket-system]
Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce [email-subscribers]
Enable SVG, WebP, and ICO Upload [enable-svg-webp-ico-upload]
everviz – Charts, Maps and Tables – Interactive and responsive [everviz]
Extensions for Leaflet Map [extensions-leaflet-map]
Flo Forms – Easy Drag & Drop Form Builder [flo-forms]
FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution [fluent-crm]
ForumWP – Forum & Discussion Board [forumwp]
FunnelKit – Funnel Builder for WooCommerce Checkout [funnel-builder]
Gallery with thumbnail slider [gallery-with-thumbnail-slider]
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers [rafflepress]
GiveWP – Donation Plugin and Fundraising Platform [give]
GoDAM – Organize WordPress Media Library & File Manager with Unlimited Folders for Images, Videos & more [godam]
Gravity Forms [gravityforms]
Groundhogg — CRM, Newsletters, and Marketing Automation [groundhogg]
GSheetConnector For Ninja Forms [gsheetconnector-ninja-forms]
Gutenify – Visual Site Builder Blocks & Site Templates. [gutenify]
HandL UTM Grabber / Tracker [handl-utm-grabber]
HotelRunner Booking Widget [hotelrunner]
HT Mega – Absolute Addons For Elementor [ht-mega-for-elementor]
Ibtana – WordPress Website Builder [ibtana-visual-editor]
Icon List Block – Add Icon-Based Lists with Custom Styles [icon-list-block]
IDonate – Blood Donation, Request And Donor Management System [idonate]
Image Hover Effects Ultimate [image-hover-effects-ultimate]
Import WP – Export and Import CSV and XML files to WordPress [jc-importer]
Islamic Phrases [islamic-phrases]
LearnPress – WordPress LMS Plugin [learnpress]
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator [legal-pages]
LightGallery WP [lightgallerywp]
Like-it [like-it]
Live sales notification for WooCommerce [live-sales-notifications-for-woocommerce]
Local Syndication [local-syndication]
Magical Products Display – Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search [magical-products-display]
Meta Display Block [meta-display-block]
Multiple Roles per User [multiple-roles-per-user]
New User Approve [new-user-approve]
OneClick Chat to Order [oneclick-whatsapp-order]
Padlet Shortcode [wallwisher-shortcode]
Pet-Manager – Petfinder [tier-management-petfinder]
Photonic Gallery & Lightbox for Flickr, SmugMug & Others [photonic]
Pie Forms — Drag & Drop Form Builder [pie-forms-for-wp]
Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more [woocommerce-google-adwords-conversion-tracking-tag]
Pollcaster Shortcode Plugin [pollcaster-shortcode]
Portfolio, Gallery, Product Catalog – Grid KIT Portfolio [portfolio-wp]
Post Type Switcher [post-type-switcher]
PPOM – Product Addons & Custom Fields for WooCommerce [woocommerce-product-addon]
Premmerce Wholesale Pricing for WooCommerce [premmerce-woocommerce-wholesale-pricing]
Project Honey Pot Spam Trap [project-honey-pot-spam-trap]
Quiz Maker [quiz-maker]
Realty Portal [realty-portal]
Responsive Lightbox & Gallery [responsive-lightbox]
Restrictions for BuddyPress [bp-restrict]
Return Refund and Exchange For WooCommerce [woo-refund-and-exchange-lite]
Royal Addons for Elementor – Addons and Templates Kit for Elementor [royal-elementor-addons]
RTMKit [rometheme-for-elementor]
S2B AI Assistant – ChatBot, AI Agents, ChatGPT API, Image Generator [s2b-ai-assistant]
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories [post-expirator]
Shortcode for Google Street View [wp-google-street-view-shortcode]
Shortcodes Bootstrap [shortcodes-bootstrap]
Simple User Import Export [a3-user-importer]
Simple User Registration [wp-registration]
SiteSEO – SEO Simplified [siteseo]
Stock Tools [stock-tools]
Subscriptions & Memberships for PayPal [subscriptions-memberships-for-paypal]
SupportCandy – Helpdesk & Customer Support Ticket System [supportcandy]
Surbma | MiniCRM Shortcode [surbma-minicrm-shortcode]
SureForms – Contact Form, Payment Form & Other Custom Form Builder [sureforms]
Tainacan [tainacan]
The Permalinks Cascade [the-permalinks-cascade]
Time Slot – Booking and Appointment Scheduling [timeslot]
Tips Shortcode [tips-shortcode]
Top Friends [top-friends]
TP WooCommerce Product Gallery [tp-woocommerce-product-gallery]
UiPress lite | Effortless custom dashboards, admin themes and pages [uipress-lite]
Ultimate Member Widgets for Elementor – WordPress User Directory [ultimate-member-widgets-for-elementor]
URL Image Importer [url-image-importer]
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor [profile-builder]
Vitepos – Point of Sale (POS) for WooCommerce [vitepos-lite]
VK All in One Expansion Unit [vk-all-in-one-expansion-unit]
Walker Core [walker-core]
wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce [catalog-mode-pricing-enquiry-forms-promotions]
WP Admin Microblog [wp-admin-microblog]
WP AUDIO GALLERY [wp-audio-gallery]
WP Company Info [wp-company-info]
WP Delete Post Copies [etruel-del-post-copies]
WP Directory Kit [wpdirectorykit]
WP Dropzone [wp-dropzone]
WP Duplicate Page [wp-duplicate-page]
WP Gravity Forms FreshDesk Plugin [gf-freshdesk]
WP Import – Ultimate CSV XML Importer for WordPress [wp-ultimate-csv-importer]
WP Login and Register using JWT [login-register-using-jwt]
WP Migrate Lite – Migration Made Easy [wp-migrate-db]
WP Shortcodes Plugin — Shortcodes Ultimate [shortcodes-ultimate]
WP Twitter Auto Publish [twitter-auto-publish]
WPBookit [wpbookit]
WPeMatico RSS Feed Fetcher [wpematico]
WPSite Shortcode [wpsite-shortcode]
WSChat – WordPress Live Chat [wschat-live-chat]
YITH WooCommerce Wishlist [yith-woocommerce-wishlist]
Zegen Core [zegen-core]
简数采集器 [keydatas]

WordPress Themes with Reported Vulnerabilities Last Week

Software Name [Software Slug]
basel [basel]
OnePress [onepress]

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should've already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8) | CVE-ID: CVE-2025-11456 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: ELEX WordPress HelpDesk & Customer Ticketing System | Researcher: ifoundbug

Category and Product Woocommerce Tabs <= 1.0 - Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8) | CVE-ID: CVE-2025-13088 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: Category and Product Woocommerce Tabs | Researcher: Muhammad Yudha - DJ

Enable SVG, WebP, and ICO Upload <= 1.1.3 - Authenticated (Author+) Arbitrary File Upload via ICO Upload Bypass
CVSS Rating: High (8.8) | CVE-ID: CVE-2025-13069 | Patch Status: Patched | Published: Nov 17, 2025 | Affected Software: Enable SVG, WebP, and ICO Upload | Researcher: mikemyers

Realty Portal <= 0.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8) | CVE-ID: CVE-2025-11985 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Realty Portal | Researcher: kr0d

URL Image Importer <= 1.0.6 - Authenticated (Author+) Arbitrary File Upload
CVSS Rating: High (8.8) | CVE-ID: CVE-2025-12138 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: URL Image Importer | Researcher: kr0d

Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0 - Authenticated (Subscriber+) Arbitrary File Upload to Remote Code Execution
CVSS Rating: High (8.8) | CVE-ID: CVE-2025-13156 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: Vitepos – Point of Sale (POS) for WooCommerce | Researcher: Moose Love

WP Dropzone <= 1.1.0 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8) | CVE-ID: CVE-2025-12775 | Patch Status: Patched | Published: Nov 17, 2025 | Affected Software: WP Dropzone | Researcher: kr0d

Zegen Core <= 2.0.1 - Cross-Site Request Forgery to Arbitrary File Upload
CVSS Rating: High (8.8) | CVE-ID: CVE-2025-11087 | Patch Status: Patched | Published: Nov 21, 2025 | Affected Software: Zegen Core | Researcher: István Márton

CSV to SortTable <= 4.2 - Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.1) | CVE-ID: CVE-2025-13070 | Patch Status: Unpatched | Published: Nov 18, 2025 | Affected Software: CSV to SortTable | Researcher: Ivan Cese

Gravity Forms <= 2.9.21.1 - Unauthenticated Arbitrary File Upload via Legacy Chunked Upload
CVSS Rating: High (8.1) | CVE-ID: CVE-2025-12974 | Patch Status: Patched | Published: Nov 17, 2025 | Affected Software: Gravity Forms | Researcher: Talal Nasraddeen

Pie Forms for WP <= 1.6 - Unauthenticated Arbitrary File Upload
CVSS Rating: High (8.1) | CVE-ID: CVE-2025-12528 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: Pie Forms — Drag & Drop Form Builder | Researcher: Vanh

WP AUDIO GALLERY <= 2.0 - Authenticated (Subscriber+) Arbitrary File Deletion via 'audio_upload' Parameter
CVSS Rating: High (8.1) | CVE-ID: CVE-2025-13322 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: WP AUDIO GALLERY | Researcher: Muhammad Yudha - DJ

Code Snippets <= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains
CVSS Rating: High (8.0) | CVE-ID: CVE-2025-13035 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: Code Snippets | Researcher: mikemyers

Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.95 - Unauthenticated SQL Injection via site_id
CVSS Rating: High (7.5) | CVE-ID: CVE-2025-7402 | Patch Status: Unpatched | Published: Nov 23, 2025 | Affected Software: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | Researcher: Trương Hữu Phúc (truonghuuphuc)

Basel <= 5.9.1 - Missing Authorization
CVSS Rating: High (7.5) | CVE-ID: CVE-2025-67568 | Patch Status: Patched | Published: Nov 19, 2025 | Affected Software: basel | Researcher: João Pedro S Alcântara (Kinorth)

Chat Help – Click to Chat Button & Form <= 3.1.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure
CVSS Rating: High (7.5) | CVE-ID: Unknown | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: Chat Help – Click to Chat Button & Form | Researcher: NumeX

Community Events <= 1.5.4 - Unauthenticated SQL Injection
CVSS Rating: High (7.5) | CVE-ID: CVE-2025-12646 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: Community Events | Researcher: Muhammad Yudha - DJ

CP Contact Form with PayPal <= 1.3.56 - Missing Authorization to Unauthenticated Arbitrary Payment Confirmation
CVSS Rating: High (7.5) | CVE-ID: CVE-2025-13384 | Patch Status: Patched | Published: Nov 21, 2025 | Affected Software: CP Contact Form with PayPal | Researcher: Md. Moniruzzaman Prodhan (NomanProdhan)

Live sales notification for WooCommerce <= 2.3.39 - Missing Authorization to Unauthenticated Customer Data Exposure
CVSS Rating: High (7.5) | CVE-ID: CVE-2025-12955 | Patch Status: Patched | Published: Nov 17, 2025 | Affected Software: Live sales notification for WooCommerce | Researcher: Athiwat Tiprasaharn (Jitlada)

OneClick Chat to Order <= 1.0.8 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure
CVSS Rating: High (7.5) | CVE-ID: CVE-2025-13526 | Patch Status: Patched | Published: Nov 21, 2025 | Affected Software: OneClick Chat to Order | Researcher: Md Shofiur Rahman

WP Directory Kit <= 1.4.3 - Unauthenticated SQL Injection via select_2_ajax() Function
CVSS Rating: High (7.5) | CVE-ID: CVE-2025-13138 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: WP Directory Kit | Researcher: tmrswrr

Checkout Files Upload for WooCommerce <= 2.2.1 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) | CVE-ID: CVE-2025-4212 | Patch Status: Patched | Published: Nov 17, 2025 | Affected Software: Checkout Files Upload for WooCommerce | Researcher: Milinxee

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.19 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) | CVE-ID: CVE-2025-12484 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | Researcher: Naoya Takahashi (nakko)

GiveWP - Donation Plugin and Fundraising Platform <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name'
CVSS Rating: High (7.2) | CVE-ID: CVE-2025-13206 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: GiveWP – Donation Plugin and Fundraising Platform | Researcher: shark3y

Multiple Roles per User <= 1.0 - Missing Authorization to Authenticated (Custom+) Privilege Escalation
CVSS Rating: High (7.2) | CVE-ID: CVE-2025-11620 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: Multiple Roles per User | Researcher: Jonas Benjamin Friedli

S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator <= 1.7.8 - Authenticated (Editor+) Arbitrary File Upload
CVSS Rating: High (7.2) | CVE-ID: CVE-2025-12973 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: S2B AI Assistant – ChatBot, AI Agents, ChatGPT API, Image Generator | Researcher: Ryan Kozak

Simple User Registration <= 6.6 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) | CVE-ID: CVE-2025-12160 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: Simple User Registration | Researcher: Athiwat Tiprasaharn (Jitlada)

WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import
CVSS Rating: High (7.2) | CVE-ID: CVE-2025-13145 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: WP Import – Ultimate CSV XML Importer for WordPress | Researchers: Dieu Link, GCSC Vietnam

WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) | CVE-ID: CVE-2025-12135 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: WPBookit | Researcher: Ryan Kozak

Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload
CVSS Rating: High (7.1) | CVE-ID: CVE-2025-13159 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Flo Forms – Easy Drag & Drop Form Builder | Researcher: Moose Love

Premmerce Wholesale Pricing for WooCommerce <= 1.1.10 - Authenticated (Subscriber+) SQL Injection
CVSS Rating: High (7.1) | CVE-ID: CVE-2025-12411 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: Premmerce Wholesale Pricing for WooCommerce | Researcher: Powpy

AI Engine <= 3.1.8 - Authenticated (Editor+) Server-Side Request Forgery
CVSS Rating: Medium (6.8) | CVE-ID: CVE-2025-8084 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: AI Engine | Researcher: Jonas Benjamin Friedli

Simple User Import Export <= 1.1.7 - Authenticated (Admin+) CSV Injection
CVSS Rating: Medium (6.6) | CVE-ID: CVE-2025-13133 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: Simple User Import Export | Researcher: Ivan Cese

ACF Flexible Layouts Manager <= 1.1.6 - Missing Authorization to Unauthenticated Custom Field Update
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2025-12937 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: ACF Flexible Layouts Manager | Researcher: Ahmad Salem (a7mad.cc)

ArtPlacer Widget <= 2.22.9.2 - Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2025-67517 | Patch Status: Patched | Published: Nov 23, 2025 | Affected Software: ArtPlacer Widget | Researcher: Jarno Vos (jarnovos)

Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.5.2 - Missing Authorization to Authenticated (Subscriber+) Data Export and Slug Update
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2025-12174 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings | Researcher: Rafshanzani Suhada

UiPress lite <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2025-10938 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: UiPress lite | Effortless custom dashboards, admin themes and pages | Researcher: abrahack

Accordion Slider <= 1.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-66092 | Patch Status: Patched | Published: Nov 23, 2025 | Affected Software: Accordion Slider | Researcher: Muhammad Yudha - DJ

Affiliate AI Lite <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11799 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: Affiliate AI Lite | Researcher: Gilang - DJ

AudioTube <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11801 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: AudioTube | Researcher: Muhammad Yudha - DJ

BrightTALK WordPress Shortcode <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11770 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: BrightTALK WordPress Shortcode | Researcher: Gilang - DJ

Bulma Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11802 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Bulma Shortcodes | Researcher: Gilang - DJ

Cookie Notice & Compliance for GDPR / CCPA <= 2.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11186 | Patch Status: Patched | Published: Nov 21, 2025 | Affected Software: Cookie Notice & Compliance for GDPR / CCPA | Researcher: Muhammad Yudha - DJ

CSV to SortTable <= 4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12823 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: CSV to SortTable | Researcher: Ivan Cese

Display Pages Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11763 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Display Pages Shortcode | Researcher: zakaria

Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12457 | Patch Status: Patched | Published: Nov 17, 2025 | Affected Software: Enable SVG, WebP, and ICO Upload | Researcher: Sornram9254

everviz <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11868 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: everviz – Charts, Maps and Tables – Interactive and responsive | Researcher: Muhammad Yudha - DJ

Extensions for Leaflet Map <= 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-66093 | Patch Status: Patched | Published: Nov 23, 2025 | Affected Software: Extensions for Leaflet Map | Researcher: zaim

FluentCRM - Marketing Automation For WordPress <= 2.9.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluentcrm_content' Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12935 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution | Researcher: Muhammad Yudha - DJ

FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12878 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: FunnelKit – Funnel Builder for WooCommerce Checkout | Researcher: zaim

Gutenify - Visual Site Builder Blocks & Site Templates <= 1.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Count Up block
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-8605 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: Gutenify – Visual Site Builder Blocks & Site Templates. | Researcher: zer0gh0st

HotelRunner Booking Widget <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-13135 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: HotelRunner Booking Widget | Researcher: Mohamed amine Ouamar

HT Mega – Absolute Addons For Elementor <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tag Attribute Injection
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-13141 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: HT Mega – Absolute Addons For Elementor | Researcher: Abu Hurayra (HurayraIIT)

Icon List Block – Add Icon-Based Lists with Custom Styles <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12376 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: Icon List Block – Add Icon-Based Lists with Custom Styles | Researcher: Sushi Com Abacate

Islamic Phrases <= 2.12.2015 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11768 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Islamic Phrases | Researcher: zakaria

Local Syndication <= 1.5a - Authenticated (Contributor+) Server-Side Request Forgery via Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12962 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: Local Syndication | Researcher: Ivan Cese

Magical Products Display <= 1.1.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via MPD Pricing Table Widget
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12964 | Patch Status: Patched | Published: Nov 20, 2025 | Affected Software: Magical Products Display – Elementor WooCommerce Widgets | Product Sliders, Grids & AJAX Search | Researcher: Abu Hurayra (HurayraIIT)

Meta Display Block <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12088 | Patch Status: Unpatched | Published: Nov 17, 2025 | Affected Software: Meta Display Block | Researcher: Itthidej Aramsri (Boeing777)

Multiple Plugins and Themes <= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-5092 | Patch Status: Patched | Published: Nov 19, 2025 | Affected Software: Gallery with thumbnail slider; Ibtana – WordPress Website Builder; Image Hover Effects Ultimate; LightGallery WP; OnePress; Portfolio, Gallery, Product Catalog – Grid KIT Portfolio; Royal Addons for Elementor – Addons and Templates Kit for Elementor; TP WooCommerce Product Gallery | Researcher: Webbernaut

Padlet Shortcode <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12660 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Padlet Shortcode | Researcher: zakaria

Pet-Manager – Petfinder <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via kwm-petfinder Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12710 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: Pet-Manager – Petfinder | Researcher: Muhammad Yudha - DJ

Photonic Gallery & Lightbox for Flickr, SmugMug & Others <= 3.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Caption Attribute
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12691 | Patch Status: Patched | Published: Nov 17, 2025 | Affected Software: Photonic Gallery & Lightbox for Flickr, SmugMug & Others | Researcher: Webbernaut

Pollcaster Shortcode Plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-12661 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Pollcaster Shortcode Plugin | Researcher: zakaria

Royal Elementor Addons and Templates <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-6251 | Patch Status: Patched | Published: Nov 18, 2025 | Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor | Researcher: stealthcopter

RTMKit Addons <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Repeater Block Attribute
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-8609 | Patch Status: Patched | Published: Nov 17, 2025 | Affected Software: RTMKit | Researcher: zer0gh0st

Shortcode for Google Street View <= 0.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11808 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Shortcode for Google Street View | Researcher: Peter Thaleikis

Shortcodes Bootstrap <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11764 | Patch Status: Unpatched | Published: Nov 20, 2025 | Affected Software: Shortcodes Bootstrap | Researcher: zakaria

Stock Tools <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2025-11765 | Patch Status:
Unpatched Published Nov 20, 2025 Affected Software Stock Tools Researcher zakaria More Details > Surbma | MiniCRM Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11800 Patch Status Unpatched Published Nov 20, 2025 Affected Software Surbma | MiniCRM Shortcode Researcher zakaria More Details > Tips Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11767 Patch Status Unpatched Published Nov 20, 2025 Affected Software Tips Shortcode Researcher zakaria More Details > UiPress lite <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11003 Patch Status Patched Published Nov 20, 2025 Affected Software UiPress lite | Effortless custom dashboards, admin themes and pages Researcher abrahack More Details > User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.14.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13054 Patch Status Patched Published Nov 18, 2025 Affected Software User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor Researcher Muhammad Yudha - DJ More Details > VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11267 Patch Status Patched Published Nov 17, 2025 Affected Software VK All in One Expansion Unit Researcher Rafshanzani Suhada More Details > VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11265 Patch Status Patched Published Nov 17, 2025 Affected Software VK All in One Expansion Unit Researcher Rafshanzani Suhada More Details > Walker Core <= 1.3.17 - Authenticated (Contributor+) Stored 
Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-67552 Patch Status Patched Published Nov 19, 2025 Affected Software Walker Core Researcher Peter Thaleikis More Details > Wappointment <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-67551 Patch Status Patched Published Nov 17, 2025 Affected Software Appointment Bookings for Zoom GoogleMeet and more – Wappointment Researcher Muhammad Yudha - DJ More Details > WP Company Info <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11826 Patch Status Unpatched Published Nov 20, 2025 Affected Software WP Company Info Researcher Peter Thaleikis More Details > WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.5 - Authenticated (Administrator+) Server-Side Request Forgery 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12800 Patch Status Patched Published Nov 23, 2025 Affected Software WP Shortcodes Plugin — Shortcodes Ultimate Researcher apolo2 More Details > WPSite Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11803 Patch Status Unpatched Published Nov 20, 2025 Affected Software WPSite Shortcode Researcher Gilang - DJ More Details > ArtiBot Free Chat Bot for WebSites <= 1.1.7 - Reflected Cross-Site Scripting via PostMessage 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12078 Patch Status Unpatched Published Nov 17, 2025 Affected Software ArtiBot Free Chat Bot for WebSites Researcher Nicolai Hellesnes (nico_) More Details > AuthorSure <= 2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13134 Patch Status Unpatched Published Nov 20, 2025 Affected Software AuthorSure Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Custom Admin Menu <= 1.0.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13071 Patch Status 
Unpatched Published Nov 18, 2025 Affected Software Custom Admin Menu Researcher Yousof Nahya More Details > EchBay Admin Security <= 1.3.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-11885 Patch Status Patched Published Nov 20, 2025 Affected Software EchBay Admin Security Researcher Jonas Benjamin Friedli More Details > HandL UTM Grabber / Tracker <= 2.8.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13073 Patch Status Patched Published Nov 19, 2025 Affected Software HandL UTM Grabber / Tracker Researcher Alex Tselevich (nos3curity) More Details > HandL UTM Grabber / Tracker <= 2.8.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13072 Patch Status Patched Published Nov 19, 2025 Affected Software HandL UTM Grabber / Tracker Researcher Alex Tselevich (nos3curity) More Details > Like-it <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12404 Patch Status Unpatched Published Nov 17, 2025 Affected Software Like-it Researcher johska More Details > Project Honey Pot Spam Trap <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12406 Patch Status Unpatched Published Nov 17, 2025 Affected Software Project Honey Pot Spam Trap Researcher johska More Details > Tainacan <= 1.0.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12746 Patch Status Patched Published Nov 20, 2025 Affected Software Tainacan Researcher Deadbee More Details > WP Twitter Auto Publish <= 1.7.4 - Reflected Cross-Site Scripting via PostMessage 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12079 Patch Status Patched Published Nov 17, 2025 Affected Software WP Twitter Auto Publish Researcher Nicolai Hellesnes (nico_) More Details > WP Migrate Lite <= 2.7.6 - Unauthenticated Blind Server-Side Request Forgery 5.8 CVSS Rating Medium (5.8) CVE-ID CVE-2025-11427 
Patch Status Patched Published Nov 17, 2025 Affected Software WP Migrate Lite – Migration Made Easy Researcher Dmitrii Ignatyev More Details > Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links <= 1.2.5 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Trashing 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-11734 Patch Status Patched Published Nov 17, 2025 Affected Software Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links Researcher Lucas Montes (Nirox) More Details > Classified Listing – Classified ads & Business Directory Plugin <= 5.0.3 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Listing Description 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-7711 Patch Status Patched Published Nov 17, 2025 Affected Software Classified Listing – AI-Powered Classified ads & Business Directory Plugin Researcher Kishan Vyas More Details > Element Pack Addons for Elementor <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map widget 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-13196 Patch Status Patched Published Nov 17, 2025 Affected Software Element Pack Addons for Elementor Researcher zer0gh0st More Details > Post Type Switcher <= 4.0.0 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-12524 Patch Status Patched Published Nov 17, 2025 Affected Software Post Type Switcher Researcher Athiwat Tiprasaharn (Jitlada) More Details > Responsive Lightbox & Gallery <= 2.5.3 - Authenticated (Author+) Server-Side Request Forgery 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-12359 Patch Status Patched Published Nov 18, 2025 Affected Software Responsive Lightbox & Gallery Researcher Dmitrii Ignatyev More Details > Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read 5.4 CVSS Rating Medium (5.4) 
CVE-ID CVE-2025-12881 Patch Status Patched Published Nov 20, 2025 Affected Software Return Refund and Exchange For WooCommerce Researcher Powpy More Details > Amelia 1.2.18 - 1.2.36 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2023-49282 Patch Status Patched Published Nov 18, 2025 Affected Software Booking for Appointments and Events Calendar – Amelia Researcher Dmitrii Ignatyev More Details > Appointment Booking Calendar <= 1.3.96 - Missing Authorization to Arbitrary Booking Confirmation via 'cpabc_ipncheck' Parameter 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13317 Patch Status Patched Published Nov 21, 2025 Affected Software Appointment Booking Calendar Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Better Chat Support for Messenger <= 1.2.18 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66113 Patch Status Patched Published Nov 20, 2025 Affected Software Better Chat Support for Messenger Researcher Legion Hunter More Details > BigBuy Dropshipping Connector for WooCommerce <= 2.0.5 - Unauthenticated IP Spoofing to phpinfo() Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12039 Patch Status Unpatched Published Nov 20, 2025 Affected Software BigBuy Dropshipping Connector for WooCommerce Researcher Jarno Vos (jarnovos) More Details > Booking Calendar Contact Form <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13318 Patch Status Patched Published Nov 21, 2025 Affected Software Booking Calendar Contact Form Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Booking Plugin for WordPress Appointments – Time Slot <= 1.4.7 - Unauthenticated Arbitrary Email Sending 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12842 Patch Status Patched Published Nov 18, 2025 Affected Software Time Slot – Booking and Appointment Scheduling Researcher Md. 
Moniruzzaman Prodhan (NomanProdhan) More Details > Checkbox <= 2.8.10 - Missing Authorization to Unauthenticated Log Clearing 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12170 Patch Status Patched Published Nov 20, 2025 Affected Software Checkbox Researcher Legion Hunter More Details > Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 - Missing Authentication to Unauthenticated Presale Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-11771 Patch Status Unpatched Published Nov 20, 2025 Affected Software Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO Researcher Jonas Benjamin Friedli More Details > Cryptocurrency Payment Gateway for WooCommerce <= 2.0.22 - Missing Authorization to Unauthenticated Tracking Status Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12392 Patch Status Unpatched Published Nov 17, 2025 Affected Software Cryptocurrency Payment Gateway for WooCommerce Researcher Legion Hunter More Details > Custom Order Numbers for WooCommerce <= 1.11.0 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66071 Patch Status Patched Published Nov 22, 2025 Affected Software Custom Order Numbers for WooCommerce Researcher Legion Hunter More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Role Removal 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-10054 Patch Status Patched Published Nov 20, 2025 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Michelle Porter More Details > Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12349 Patch Status Patched Published Nov 18, 2025 Affected Software Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce Researcher Adrian Lukita More Details > GoDAM <= 1.4.6 - 
Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67584 Patch Status Patched Published Nov 21, 2025 Affected Software GoDAM – Organize WordPress Media Library & File Manager with Unlimited Folders for Images, Videos & more Researcher 0xd4rk5id3 More Details > IDonate – Blood Donation, Request And Donor Management System <= 2.1.15 - Missing Authorization to Unauthenticated Arbitrary Post Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12877 Patch Status Patched Published Nov 21, 2025 Affected Software IDonate – Blood Donation, Request And Donor Management System Researcher Varakorn Chanthasri (iCreaM) More Details > Import WP – Export and Import CSV and XML files to WordPress <= 2.14.17 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12894 Patch Status Patched Published Nov 20, 2025 Affected Software Import WP – Export and Import CSV and XML files to WordPress Researcher type5afe More Details > LearnPress – WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-11368 Patch Status Patched Published Nov 20, 2025 Affected Software LearnPress – WordPress LMS Plugin Researcher Lucas Montes (Nirox) More Details > Legal Pages <= 1.4.6 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66077 Patch Status Patched Published Nov 21, 2025 Affected Software Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator Researcher Legion Hunter More Details > New User Approve <= 3.0.9 - Unauthenticated Sensitive Information Disclosure via Type Juggling 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12770 Patch Status Patched Published Nov 18, 2025 Affected Software New User Approve Researcher Powpy More Details > Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more <= 1.49.2 - Unauthenticated Information Exposure 5.3 CVSS 
Rating Medium (5.3) CVE-ID CVE-2025-12545 Patch Status Patched Published Nov 18, 2025 Affected Software Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more Researcher Athiwat Tiprasaharn (Jitlada) More Details > Quiz Maker <= 6.7.0.80 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12426 Patch Status Patched Published Nov 18, 2025 Affected Software Quiz Maker Researcher Rafshanzani Suhada More Details > Restrictions for BuddyPress <= 1.5.2 - Missing Authorization to Unauthenticated Tracking Status Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12391 Patch Status Unpatched Published Nov 17, 2025 Affected Software Restrictions for BuddyPress Researcher Legion Hunter More Details > SiteSEO – SEO Simplified <= 1.3.2 - Improper Authorization to Authenticated Settings Reset 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12814 Patch Status Patched Published Nov 18, 2025 Affected Software SiteSEO – SEO Simplified Researcher Supakiad S. (m3ez) More Details > Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12752 Patch Status Patched Published Nov 21, 2025 Affected Software Subscriptions & Memberships for PayPal Researcher Md. 
Moniruzzaman Prodhan (NomanProdhan) More Details > SureForms <= 1.13.1 - Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12535 Patch Status Patched Published Nov 18, 2025 Affected Software SureForms – Contact Form, Payment Form & Other Custom Form Builder Researcher type5afe More Details > Tainacan <= 1.0.0 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12747 Patch Status Patched Published Nov 20, 2025 Affected Software Tainacan Researcher Deadbee More Details > Ultimate Member Widgets for Elementor <= 2.3 - Missing Authorization to Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12778 Patch Status Patched Published Nov 19, 2025 Affected Software Ultimate Member Widgets for Elementor – WordPress User Directory Researcher Powpy More Details > YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12427 Patch Status Patched Published Nov 18, 2025 Affected Software YITH WooCommerce Wishlist Researcher Athiwat Tiprasaharn (Jitlada) More Details > YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12777 Patch Status Patched Published Nov 18, 2025 Affected Software YITH WooCommerce Wishlist Researcher Athiwat Tiprasaharn (Jitlada) More Details > Groundhogg <= 4.2.6.1 - Authenticated (Admin+) SQL Injection 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-12750 Patch Status Patched Published Nov 20, 2025 Affected Software Groundhogg — CRM, Newsletters, and Marketing Automation Researcher NAKLEH ZEIDAN More Details > 简数采集器 <= 2.6.3 - Authenticated (Admin+) Arbitrary File Read 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-11973 Patch Status Patched Published Nov 20, 2025 Affected Software 简数采集器 Researcher Jonas Benjamin Friedli 
More Details > Gravity Forms FreshDesk <= 1.3.5 - Unauthenticated Open Redirect 4.7 CVSS Rating Medium (4.7) CVE-ID CVE-2025-67587 Patch Status Patched Published Nov 18, 2025 Affected Software WP Gravity Forms FreshDesk Plugin Researcher Bonds More Details > WP Delete Post Copies <= 6.0.2 - Authenticated (Admin+) Stored Cross-Site Scripting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-12066 Patch Status Patched Published Nov 20, 2025 Affected Software WP Delete Post Copies Researcher Teuniz More Details > WPeMatico RSS Feed Fetcher <= 2.8.12 - Authenticated (Editor+) Stored Cross-Site Scripting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-13031 Patch Status Patched Published Nov 18, 2025 Affected Software WPeMatico RSS Feed Fetcher Researcher Alex Tselevich (nos3curity) More Details > CBX Bookmark & Favorite <= 2.0.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66101 Patch Status Patched Published Nov 18, 2025 Affected Software CBX Bookmark & Favorite Researcher Nabil Irawan More Details > Coil Web Monetization <= 2.0.2 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-9625 Patch Status Unpatched Published Nov 17, 2025 Affected Software Coil Web Monetization Researcher Sandeep Kambhampati More Details > Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Contract Address Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-11773 Patch Status Unpatched Published Nov 20, 2025 Affected Software Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO Researcher Jonas Benjamin Friedli More Details > Custom Post Type <= 1.0 - Cross-Site Request Forgery to Custom Post Type Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13142 Patch Status Unpatched Published Nov 20, 2025 Affected Software Custom Post Type Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Download Panel <= 1.3.3 - Missing Authorization to 
Authenticated (Subscriber+) Arbitrary Plugin Settings Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12961 Patch Status Unpatched Published Nov 17, 2025 Affected Software Download Panel (Biggiko Team) Researcher Ivan Cese More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.9 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client' 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-10039 Patch Status Patched Published Nov 20, 2025 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Athiwat Tiprasaharn (Jitlada) More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.0 - Missing Authorization to Authenitcated (Subscriber+) to Scheduled Trigger Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12169 Patch Status Patched Published Nov 20, 2025 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Legion Hunter More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Ticket Restore 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12023 Patch Status Patched Published Nov 20, 2025 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Athiwat Tiprasaharn (Jitlada) More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Empty 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12085 Patch Status Patched Published Nov 20, 2025 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Athiwat Tiprasaharn (Jitlada) More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Restore 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12022 Patch Status Patched Published Nov 20, 2025 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Athiwat 
Tiprasaharn (Jitlada) More Details > ForumWP <= 2.1.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67474 Patch Status Patched Published Nov 21, 2025 Affected Software ForumWP – Forum & Discussion Board Researcher daroo More Details > Giveaways and Contests by RafflePress <= 1.12.20 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66064 Patch Status Patched Published Nov 21, 2025 Affected Software Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers Researcher Nabil Irawan More Details > GSheetConnector For Ninja Forms <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) System Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13136 Patch Status Patched Published Nov 21, 2025 Affected Software GSheetConnector For Ninja Forms Researcher Bhayanak Atma More Details > PPOM for WooCommerce <= 33.0.16 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66069 Patch Status Patched Published Nov 17, 2025 Affected Software PPOM – Product Addons & Custom Fields for WooCommerce Researcher Legion Hunter More Details > Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12086 Patch Status Patched Published Nov 20, 2025 Affected Software Return Refund and Exchange For WooCommerce Researcher Powpy More Details > Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13149 Patch Status Patched Published Nov 20, 2025 Affected Software Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Researcher Athiwat Tiprasaharn (Jitlada) More Details > SiteSEO – SEO Simplified 
<= 1.3.2 - Insecure Direct Object Reference to Sensitive Post Meta Disclosure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13085 Patch Status Patched Published Nov 18, 2025 Affected Software SiteSEO – SEO Simplified Researcher Athiwat Tiprasaharn (Jitlada) More Details > SupportCandy <= 3.4.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67598 Patch Status Patched Published Nov 21, 2025 Affected Software SupportCandy – Helpdesk & Customer Support Ticket System Researcher daroo More Details > The Permalinks Cascade <= 2.2 - Missing Authorization To Authenticated (Subscriber+) Plugin Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12372 Patch Status Unpatched Published Nov 17, 2025 Affected Software The Permalinks Cascade Researcher Nabil Irawan More Details > Top Friends <= 0.3 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12827 Patch Status Unpatched Published Nov 17, 2025 Affected Software Top Friends Researcher Ivan Cese More Details > UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-11815 Patch Status Patched Published Nov 20, 2025 Affected Software UiPress lite | Effortless custom dashboards, admin themes and pages Researcher Rafshanzani Suhada More Details > wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce <= 1.2.2 - Missing Authorization to Sensitive Information Disclosure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12639 Patch Status Patched Published Nov 17, 2025 Affected Software wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce Researcher NumeX More Details > WP Admin Microblog <= 3.1.1 - Cross-Site Request Forgery to Message Creation 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12173 Patch Status Unpatched Published Nov 17, 2025 Affected Software 
WP Admin Microblog Researcher Nabil Irawan More Details > WP Duplicate Page <= 1.7 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12481 Patch Status Patched Published Nov 17, 2025 Affected Software WP Duplicate Page Researcher Athiwat Tiprasaharn (Jitlada) More Details > WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12822 Patch Status Patched Published Nov 18, 2025 Affected Software WP Login and Register using JWT Researcher Athiwat Tiprasaharn (Jitlada) More Details > WSChat – WordPress Live Chat <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12751 Patch Status Patched Published Nov 18, 2025 Affected Software WSChat – WordPress Live Chat Researcher Powpy More Details > As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 17, 2025 to November 23, 2025) appeared first on Wordfence.
Source: www.wordfence.com