Critical Security Vulnerabilities in WordPress Plugins and Themes (Calendar Week 48/2025)

Summary

Last week, over 100 security vulnerabilities were reported in WordPress plugins and themes, among them several critical flaws such as arbitrary file uploads and privilege escalation. The affected plugins include AI Feeds, CIBELES AI and EduKart Pro, among others. Operators of affected websites should apply the security updates urgently to prevent attacks.

Last week, there were 98 vulnerabilities disclosed in 89 WordPress Plugins and 4 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 49 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. Wordfence is the world’s leading quality vulnerability database provider for WordPress, so site owners can rest assured knowing Wordfence has their back. Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can utilize the vulnerability Database API to receive a complete dump of our database of over 31,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

- WAF-RULE-877 – Data redacted while we work with the vendor on a patch.
- Frontend Admin by DynamiApps <= 3.28.20 – Unauthenticated Arbitrary Options Update
- WP Directory Kit <= 1.4.4 – Authentication Bypass to Privilege Escalation via Account Takeover

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Patched | 62
Unpatched | 36

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 1
Medium Severity | 82
High Severity | 6
Critical Severity | 9

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Missing Authorization | 35
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 24
Cross-Site Request Forgery (CSRF) | 9
Authorization Bypass Through User-Controlled Key | 6
Improper Privilege Management | 5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4
Unrestricted Upload of File with Dangerous Type | 4
Deserialization of Untrusted Data | 2
Exposure of Sensitive Information to an Unauthorized Actor | 2
Authentication Bypass Using an Alternate Path or Channel | 1
Client-Side Enforcement of Server-Side Security | 1
External Control of File Name or Path | 1
Improper Control of Generation of Code ('Code Injection') | 1
Incorrect Authorization | 1
Server-Side Request Forgery (SSRF) | 1
URL Redirection to Untrusted Site ('Open Redirect') | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Legion Hunter | 12
Nabil Irawan | 8
Muhammad Yudha - DJ | 4
Athiwat Tiprasaharn (Jitlada) | 4
blue0x1 | 3
シルAsuna | 3
dayea song | 3
Ivan Cese | 3
Dmitrii Ignatyev | 3
Powpy | 3
Ryan Kozak | 3
zakaria | 2
Skalucy | 2
Mdr | 2
Md. Moniruzzaman Prodhan (NomanProdhan) | 2
daroo | 2
Tran Nguyen Bao Khanh | 2
Denver Jackson | 2
Jonas Benjamin Friedli | 2
István Márton | 2
Peter Thaleikis | 2
Muhammad Nur Ibnu Hubab (Ibnu) | 2
Alex Thomas | 2
zaim | 2
benzdeus | 2
NumeX | 1
ch4r0n | 1
Jamshed Yergashvoyev (CVE Guy) | 1
Theodoros Malachias | 1
Deadbee | 1
Bonds | 1
Phat RiO - BlueRock | 1
Tarcísio Luchesi (Poystick) | 1
Ahmad | 1
ZAST.AI | 1
type5afe | 1
t.t.brothers | 1
0xd4rk5id3 | 1
0xVenus | 1
Lucas Montes (Nirox) | 1
Peerapat Samatathanyakorn | 1
Tonn | 1
Foxyyy | 1
Alyudin Nafiie | 1
ISMAILSHADOW | 1
Que Thanh Tuan - Blue Rock | 1
Doan Dinh Van | 1
Sopon Tangpathum (SoNaJaa) | 1
venom5iix | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
Ace Post Type Builder | ace-post-type-builder
Admin and Customer Messages After Order for WooCommerce: OrderConvo | admin-and-client-message-after-order-for-woocommerce
AI ChatBot with ChatGPT and Content Generator by AYS | ays-chatgpt-assistant
AI Engine for WordPress: ChatGPT, GPT Content Generator | liquid-chatgpt
AI Feeds | ai-feeds
Analytics Germanized for Google Analytics (GDPR / DSGVO) | ga-germanized
atec Duplicate Page & Post | atec-duplicate-page-post
Autochat Automatic Conversation | auyautochat-for-wp
BERTHA AI. Your AI co-pilot for WordPress and Chrome | bertha-ai-free
Blog2Social: Social Media Auto Post & Scheduler | blog2social
Bold Page Builder | bold-page-builder
Bookme – Free Online Appointment Booking and Scheduling Plugin | bookme-free-appointment-booking-system
Cart Weight for WooCommerce | woo-cart-weight
Chamber Dashboard Business Directory | chamber-dashboard-business-directory
CIBELES AI | cibeles-ai
Conditionnal Maintenance Mode for WordPress | maintenance-mode-based-on-user-roles
Customer Reviews Collector for WooCommerce | customer-reviews-collector-for-woocommerce
Donation Thermometer | donation-thermometer
Duplicate Content Cure | duplicate-content-cure
EduKart Pro | edukart-pro
Elementor Website Builder – More Than Just a Page Builder | elementor
Essential Widgets | essential-widgets
Event Booking Manager for WooCommerce | mage-eventpress
Featured Post Creative | featured-post-creative
FindAll Listing | findall-listing
FindAll Membership | findall-membership
Flexmls® IDX Plugin | flexmls-idx
Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | fluent-booking
FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses | fluent-community
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders
Frontend File Manager Plugin | nmedia-user-file-uploader
Google Drive upload and download link | google-drive-upload-and-download-link
Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor | gutenverse-form
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem | gutenverse
Hide Category by User Role for WooCommerce | hide-category-by-user-role-for-woocommerce
Inline frame – Iframe | inline-frame-iframe
JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder
Job Board by BestWebSoft | job-board
Just Highlight | just-highlight
KiviCare – Clinic & Patient Management System (EHR) | kivicare-clinic-management-system
Locker Content | locker-content
Nextend Social Login and Register | nextend-facebook-connect
Notification for Telegram | notification-for-telegram
oik | oik
Payment Gateway for PayPal on WooCommerce | woo-paypal-gateway
Peer Publish | peer-publish
Perfect Brands for WooCommerce | perfect-woocommerce-brands
Poll, Survey & Quiz Maker Plugin by Opinion Stage | social-polls-by-opinionstage
Popup Builder – On Page Load Popup, Exit Popup, Login Popup, On Click, Sticky Bar, Anti-AdBlock – FireBox | firebox
PowerPress Podcasting plugin by Blubrry | powerpress
ProjectList | projectlist
Property Hive | propertyhive
QODE Wishlist for WooCommerce | qode-wishlist-for-woocommerce
Quick Contact Form | quick-contact-form
Quick Interest Slider | quick-interest-slider
Quick View for WooCommerce | woo-quickview
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker | quiz-master-next
Refund Request for WooCommerce | refund-request-for-woocommerce
Rencontre – Dating Site | rencontre
Reuters Direct | reuters-direct
Search Exclude | search-exclude
Shouty | shouty
Show Variations as Single Products Woocommerce | woo-show-single-variations-shop-category
Simple Folio | simple-folio
SKT PayPal for WooCommerce | skt-paypal-for-woocommerce
Sneeit Framework | sneeit-framework
Social Images Widget | social-images-widget
SortTable Post | sorttable-post
Soundslides | soundslides
StaffList | stafflist
StreamTube Core | streamtube-core
Subscriptions & Memberships for PayPal | subscriptions-memberships-for-paypal
Telegram Bot & Channel | telegram-bot
Tiare Membership | tiare-membership
TNC Toolbox: Web Performance | tnc-toolbox
Translate WordPress Websites Globally with ConveyThis Translate | conveythis-translate
Tutor LMS Elementor Addons | tutor-lms-elementor-addons
Unlimited Elements For Elementor | unlimited-elements-for-elementor
Unlimited Elements for Elementor (Premium) | unlimited-elements-for-elementor-premium
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | userswp
Virtuaria PagBank / PagSeguro para Woocommerce | virtuaria-pagseguro
Wishlist for WooCommerce | th-wishlist
WP Directory Kit | wpdirectorykit
WP Fastest Cache | wp-fastest-cache
WP sIFR | wp-sifr
WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress | wp-webhooks
wp-twitpic | wp-twitpic
YouTube Subscribe | easy-youtube-subscribe
Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile | zweb-social-mobile

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
Houzez | houzez
Powerlift - Fitness and Gym WordPress Theme | powerlift
The Aisle - Elegant Wedding WordPress Theme | theaisle
Tiger | tiger

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Vulnerability | CVSS Rating | CVE-ID | Patch Status | Published | Affected Software | Researcher(s)
AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload | Critical (9.8) | CVE-2025-13597 | Patched | Nov 25, 2025 | AI Feeds | Ryan Kozak
CIBELES AI <= 1.10.8 - Unauthenticated Arbitrary File Upload | Critical (9.8) | CVE-2025-13595 | Patched | Nov 25, 2025 | CIBELES AI | Ryan Kozak
EduKart Pro <= 1.0.3 - Unauthenticated Privilege Escalation | Critical (9.8) | CVE-2025-13559 | Unpatched | Nov 24, 2025 | EduKart Pro | Alyudin Nafiie
FindAll Listing <= 1.0.5 - Unauthenticated Privilege Escalation | Critical (9.8) | CVE-2025-13538 | Patched | Nov 26, 2025 | FindAll Listing | シルAsuna
FindAll Membership <= 1.0.4 - Authentication Bypass via Social Login | Critical (9.8) | CVE-2025-13539 | Patched | Nov 26, 2025 | FindAll Membership | István Márton
Sneeit Framework <= 8.3 - Unauthenticated Remote Code Execution in sneeit_articles_pagination_callback | Critical (9.8) | CVE-2025-6389 | Patched | Nov 24, 2025 | Sneeit Framework | Tonn
StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change | Critical (9.8) | CVE-2025-13615 | Patched | Nov 29, 2025 | StreamTube Core | Foxyyy
Tiare Membership <= 1.2 - Unauthenticated Privilege Escalation | Critical (9.8) | CVE-2025-13540 | Patched | Nov 26, 2025 | Tiare Membership | シルAsuna
Tiger <= 101.2.1 - Unauthenticated Privilege Escalation | Critical (9.8) | CVE-2025-13675 | Unpatched | Nov 26, 2025 | Tiger | シルAsuna
Blubrry PowerPress <= 11.15.2 - Authenticated (Contributor+) Arbitrary File Upload via 'powerpress_edit_post' | High (8.8) | CVE-2025-13536 | Patched | Nov 26, 2025 | PowerPress Podcasting plugin by Blubrry | ISMAILSHADOW
Tiger <= 101.2.1 - Authenticated (Subscriber+) Privilege Escalation | High (8.8) | CVE-2025-13680 | Unpatched | Nov 26, 2025 | Tiger | István Márton
SKT PayPal for WooCommerce <= 1.4 - Unauthenticated Payment Bypass | High (7.5) | CVE-2025-7820 | Patched | Nov 26, 2025 | SKT PayPal for WooCommerce | ch4r0n
ProjectList <= 0.3.0 - Authenticated (Editor+) Arbitrary File Upload | High (7.2) | CVE-2025-13376 | Unpatched | Nov 24, 2025 | ProjectList | Ivan Cese
Telegram Bot & Channel <= 4.1 - Unauthenticated Stored Cross-Site Scripting via Telegram Username | High (7.2) | CVE-2025-13068 | Patched | Nov 24, 2025 | Telegram Bot & Channel | venom5iix
Unlimited Elements For Elementor and Unlimited Elements For Elementor (Premium) <= 2.0 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload | High (7.2) | CVE-2025-13692 | Patched | Nov 26, 2025 | Unlimited Elements For Elementor, Unlimited Elements for Elementor (Premium) | 0xd4rk5id3, 0xVenus
Webhooks <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection | Medium (6.6) | CVE-2025-66073 | Patched | Nov 26, 2025 | WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress | Phat RiO - BlueRock
AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.0 - Unauthenticated Server-Side Request Forgery via 'pinecone_url' Parameter | Medium (6.5) | CVE-2025-13378 | Patched | Nov 26, 2025 | AI ChatBot with ChatGPT and Content Generator by AYS | blue0x1
AI Engine for WordPress: ChatGPT, GPT Content Generator <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read | Medium (6.5) | CVE-2025-13380 | Unpatched | Nov 24, 2025 | AI Engine for WordPress: ChatGPT, GPT Content Generator | Ryan Kozak
KiviCare <= 3.6.13 - Authenticated (Patient+) SQL Injection | Medium (6.5) | CVE-2025-66095 | Patched | Nov 27, 2025 | KiviCare – Clinic & Patient Management System (EHR) | benzdeus
Perfect Brands for WooCommerce <= 3.6.2 - Authenticated (Contributor+) SQL Injection | Medium (6.5) | CVE-2025-10144 | Patched | Nov 24, 2025 | Perfect Brands for WooCommerce | Jonas Benjamin Friedli
Wishlist for WooCommerce <= 1.1.3 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation | Medium (6.5) | CVE-2025-12040 | Patched | Nov 24, 2025 | Wishlist for WooCommerce | Powpy
Analytics Germanized for Google Analytics <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-64292 | Patched | Nov 28, 2025 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | zaim
Bold Page Builder <= 5.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-66057 | Patched | Nov 27, 2025 | Bold Page Builder | Tarcísio Luchesi (Poystick)
Donation Thermometer <= 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-67550 | Patched | Nov 26, 2025 | Donation Thermometer | Muhammad Yudha - DJ
Essential Widgets <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-67543 | Patched | Nov 26, 2025 | Essential Widgets | Mdr
FireBox <= 3.1.0-free - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-67545 | Patched | Nov 27, 2025 | Popup Builder – On Page Load Popup, Exit Popup, Login Popup, On Click, Sticky Bar, Anti-AdBlock – FireBox | zaim
Google Drive upload and download link <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-12666 | Unpatched | Nov 26, 2025 | Google Drive upload and download link | zakaria
Inline frame – Iframe <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | Medium (6.4) | CVE-2025-12645 | Unpatched | Nov 24, 2025 | Inline frame – Iframe | Peter Thaleikis
oik <= 4.15.3 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-67549 | Patched | Nov 26, 2025 | oik | Muhammad Yudha - DJ
Shouty <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shouty Shortcode Attributes | Medium (6.4) | CVE-2025-12712 | Unpatched | Nov 26, 2025 | Shouty | Muhammad Yudha - DJ
Simple Folio <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-12151 | Patched | Nov 26, 2025 | Simple Folio | Nabil Irawan
SortTable Post <= 4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | Medium (6.4) | CVE-2025-12649 | Unpatched | Nov 26, 2025 | SortTable Post | Peter Thaleikis
Soundslides <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundslides Shortcode | Medium (6.4) | CVE-2025-12713 | Unpatched | Nov 26, 2025 | Soundslides | Muhammad Yudha - DJ
Tutor LMS Elementor Addons <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-63042 | Unpatched | Nov 30, 2025 | Tutor LMS Elementor Addons | Mdr
wp-twitpic <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium (6.4) | CVE-2025-12670 | Unpatched | Nov 26, 2025 | wp-twitpic | zakaria
Houzez <= 4.1.6 - Authenticated (Subscriber+) PHP Object Injection via Saved Search | Medium (6.3) | CVE-2025-9191 | Patched | Nov 26, 2025 | Houzez | Alex Thomas
Customer Reviews Collector for WooCommerce <= 4.6.1 - Reflected Cross-Site Scripting | Medium (6.1) | CVE-2025-12123 | Patched | Nov 26, 2025 | Customer Reviews Collector for WooCommerce | Jonas Benjamin Friedli
Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload | Medium (6.1) | CVE-2025-9163 | Patched | Nov 26, 2025 | Houzez | Alex Thomas
Job Board by BestWebSoft <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via $_GET Array Storage | Medium (6.1) | CVE-2025-13383 | Patched | Nov 24, 2025 | Job Board by BestWebSoft | Jamshed Yergashvoyev (CVE Guy)
WP Directory Kit <= 1.4.5 - Reflected Cross-Site Scripting via 'order_by' Parameter | Medium (6.1) | CVE-2025-13525 | Patched | Nov 26, 2025 | WP Directory Kit | blue0x1
Blog2Social <= 8.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing | Medium (5.4) | CVE-2025-13558 | Patched | Nov 24, 2025 | Blog2Social: Social Media Auto Post & Scheduler | Dmitrii Ignatyev
Ace Post Type Builder <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter | Medium (5.3) | CVE-2025-13405 | Patched | Nov 24, 2025 | Ace Post Type Builder | Legion Hunter
Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure | Medium (5.3) | CVE-2025-13389 | Unpatched | Nov 24, 2025 | Admin and Customer Messages After Order for WooCommerce: OrderConvo | Md. Moniruzzaman Prodhan (NomanProdhan)
AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.0 - Missing Authorization to Unauthenticated Media File Uploads | Medium (5.3) | CVE-2025-13381 | Patched | Nov 26, 2025 | AI ChatBot with ChatGPT and Content Generator by AYS | blue0x1
atec Duplicate Page & Post <= 1.2.20 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure | Medium (5.3) | CVE-2025-13404 | Patched | Nov 24, 2025 | atec Duplicate Page & Post | Athiwat Tiprasaharn (Jitlada)
Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update | Medium (5.3) | CVE-2025-12043 | Unpatched | Nov 24, 2025 | Autochat Automatic Conversation | Legion Hunter
BERTHA AI <= 1.13 - Missing Authorization | Medium (5.3) | CVE-2025-62085 | Unpatched | Nov 29, 2025 | BERTHA AI. Your AI co-pilot for WordPress and Chrome | Legion Hunter
Cart Weight for WooCommerce <= 1.9.11 - Missing Authorization | Medium (5.3) | CVE-2025-66109 | Patched | Nov 30, 2025 | Cart Weight for WooCommerce | Legion Hunter
Chamber Dashboard Business Directory <= 3.3.11 - Missing Authorization to Unauthenticated Business Information Export | Medium (5.3) | CVE-2025-13414 | Unpatched | Nov 24, 2025 | Chamber Dashboard Business Directory | Legion Hunter
ConveyThis <= 268.10 - Missing Authorization | Medium (5.3) | CVE-2025-62152 | Unpatched | Nov 29, 2025 | Translate WordPress Websites Globally with ConveyThis Translate | Nabil Irawan
Hide Category by User Role for WooCommerce <= 2.3.1 - Missing Authorization to Unauthenticated Cache Flushing | Medium (5.3) | CVE-2025-13441 | Patched | Nov 26, 2025 | Hide Category by User Role for WooCommerce | Legion Hunter
JetFormBuilder <= 3.5.3 - Missing Authorization | Medium (5.3) | CVE-2025-64384 | Patched | Nov 29, 2025 | JetFormBuilder — Dynamic Blocks Form Builder | benzdeus
Locker Content <= 1.0.0 - Unauthenticated Information Exposure | Medium (5.3) | CVE-2025-12525 | Patched | Nov 24, 2025 | Locker Content | Athiwat Tiprasaharn (Jitlada)
Payment Gateway for PayPal on WooCommerce <= 9.0.52 - Missing Authorization | Medium (5.3) | CVE-2025-63023 | Unpatched | Nov 30, 2025 | Payment Gateway for PayPal on WooCommerce | Legion Hunter
QODE Wishlist for WooCommerce <= 1.2.7 - Unauthenticated Insecure Direct Object Reference to Wishlist Update | Medium (5.3) | CVE-2025-13157 | Patched | Nov 26, 2025 | QODE Wishlist for WooCommerce | Athiwat Tiprasaharn (Jitlada), Powpy, Peerapat Samatathanyakorn
Quick Interest Slider <= 3.1.5 - Missing Authorization | Medium (5.3) | CVE-2025-62153 | Unpatched | Nov 29, 2025 | Quick Interest Slider | Nabil Irawan
Quick View for WooCommerce <= 2.2.17 - Unauthenticated Private Product Disclosure | Medium (5.3) | CVE-2025-12584 | Patched | Nov 26, 2025 | Quick View for WooCommerce | Athiwat Tiprasaharn (Jitlada)
Quiz And Survey Master <= 10.3.2 - Missing Authorization | Medium (5.3) | CVE-2025-63054 | Unpatched | Nov 30, 2025 | Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker | Legion Hunter
Reuters Direct <= 3.0.0 - Missing Authorization to Unauthenticated Settings Reset | Medium (5.3) | CVE-2025-12579 | Unpatched | Nov 26, 2025 | Reuters Direct | Nabil Irawan
Show Variations as Single Products Woocommerce <= 2.0 - Missing Authorization | Medium (5.3) | CVE-2025-66114 | Patched | Nov 28, 2025 | Show Variations as Single Products Woocommerce | Legion Hunter
Social Images Widget <= 2.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion | Medium (5.3) | CVE-2025-13386 | Unpatched | Nov 24, 2025 | Social Images Widget | Legion Hunter
Subscriptions & Memberships for PayPal <= 1.1.7 - Missing Authorization | Medium (5.3) | CVE-2025-66107 | Patched | Nov 28, 2025 | Subscriptions & Memberships for PayPal | NumeX
UsersWP <= 1.2.47 - Missing Authorization | Medium (5.3) | CVE-2025-66072 | Patched | Nov 25, 2025 | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | Legion Hunter
Virtuaria PagBank / PagSeguro para Woocommerce <= 3.6.3 - Missing Authorization | Medium (5.3) | CVE-2025-62151 | Unpatched | Nov 28, 2025 | Virtuaria PagBank / PagSeguro para Woocommerce | Legion Hunter
WpEvently <= 5.0.4 - Missing Authorization | Medium (5.3) | CVE-2025-66082 | Patched | Nov 30, 2025 | Event Booking Manager for WooCommerce | Que Thanh Tuan - Blue Rock
Bookme <= 4.2 - Authenticated (Admin+) SQL Injection via 'filter[status]' Parameter | Medium (4.9) | CVE-2025-13385 | Unpatched | Nov 24, 2025 | Bookme – Free Online Appointment Booking and Scheduling Plugin | Sopon Tangpathum (SoNaJaa)
ProjectList <= 0.3.0 - Authenticated (Editor+) SQL Injection via 'id' Parameter | Medium (4.9) | CVE-2025-13370 | Unpatched | Nov 24, 2025 | ProjectList | Ivan Cese
Just Highlight <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Highlight Color' Setting | Medium (4.4) | CVE-2025-13311 | Unpatched | Nov 24, 2025 | Just Highlight | Muhammad Nur Ibnu Hubab (Ibnu)
StaffList <= 3.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting | Medium (4.4) | CVE-2025-12185 | Patched | Nov 26, 2025 | StaffList | Ivan Cese
YouTube Subscribe <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Title and Channel ID | Medium (4.4) | CVE-2025-12025 | Unpatched | Nov 24, 2025 | YouTube Subscribe | ZAST.AI
ZWeb - Social Mobile <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting | Medium (4.4) | CVE-2025-12032 | Unpatched | Nov 24, 2025 | Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile | dayea song
Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages | Medium (4.3) | CVE-2025-13452 | Unpatched | Nov 24, 2025 | Admin and Customer Messages After Order for WooCommerce: OrderConvo | Md. Moniruzzaman Prodhan (NomanProdhan)
Conditional Maintenance Mode for WordPress <= 1.0.0 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-12586 | Patched | Nov 24, 2025 | Conditionnal Maintenance Mode for WordPress | dayea song
Duplicate Content Cure <= 1.0 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-59132 | Unpatched | Nov 29, 2025 | Duplicate Content Cure | Muhammad Nur Ibnu Hubab (Ibnu)
Elementor Website Builder <= 3.33.0 - Missing Authorization | Medium (4.3) | CVE-2025-67588 | Patched | Nov 25, 2025 | Elementor Website Builder – More Than Just a Page Builder | Bonds
Featured Post Creative <= 1.5.5 - Missing Authorization | Medium (4.3) | CVE-2025-66106 | Patched | Nov 26, 2025 | Featured Post Creative | Nabil Irawan
Fluent Booking <= 1.9.11 - Missing Authorization | Medium (4.3) | CVE-2025-67597 | Patched | Nov 25, 2025 | Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | Theodoros Malachias
FluentCommunity <= 2.0.0 - Missing Authorization | Medium (4.3) | CVE-2025-66084 | Patched | Nov 28, 2025 | FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses | daroo
Folders <= 3.1.5 - Incorrect Authorization to Authenticated (Contributor+) Folder Content Manipulation | Medium (4.3) | CVE-2025-12971 | Patched | Nov 26, 2025 | Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | Dmitrii Ignatyev
Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming | Medium (4.3) | CVE-2025-13382 | Unpatched | Nov 24, 2025 | Frontend File Manager Plugin | t.t.brothers
Gutenverse <= 3.2.1 - Missing Authorization | Medium (4.3) | CVE-2025-66065 | Patched | Nov 28, 2025 | Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem | Denver Jackson
Gutenverse Form <= 2.2.0 - Missing Authorization | Medium (4.3) | CVE-2025-66079 | Patched | Nov 28, 2025 | Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor | Denver Jackson
Nextend Social Login and Register <= 3.1.21 - Cross-Site Request Forgery to Unlink User Social Login | Medium (4.3) | CVE-2025-13737 | Patched | Nov 27, 2025 | Nextend Social Login and Register | type5afe
Notification for Telegram <= 3.4.7 - Missing Authorization | Medium (4.3) | CVE-2025-62993 | Unpatched | Nov 29, 2025 | Notification for Telegram | Ahmad
Peer Publish <= 1.0 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-12587 | Unpatched | Nov 24, 2025 | Peer Publish | dayea song
Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.12.0 - Cross-Site Request Forgery to Account Disconnection | Medium (4.3) | CVE-2025-13143 | Patched | Nov 26, 2025 | Poll, Survey & Quiz Maker Plugin by Opinion Stage | Deadbee
Powerlift < 3.2.1 - Missing Authorization | Medium (4.3) | CVE-2025-66532 | Patched | Nov 27, 2025 | Powerlift - Fitness and Gym WordPress Theme | Tran Nguyen Bao Khanh
PropertyHive <= 2.1.12 - Missing Authorization | Medium (4.3) | CVE-2025-66087 | Patched | Nov 24, 2025 | Property Hive | daroo
Quick Contact Form <= 8.2.5 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-67471 | Patched | Nov 25, 2025 | Quick Contact Form | Doan Dinh Van
Refund Request for WooCommerce <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Refund Status Update | Medium (4.3) | CVE-2025-12634 | Unpatched | Nov 24, 2025 | Refund Request for WooCommerce | Powpy
Rencontre <= 3.13.7 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-67534 | Patched
Published Nov 30, 2025 Affected Software Rencontre – Dating Site Researcher Skalucy More Details > Reuters Direct <= 3.0.0 - Cross-Site Request Forgery to Settings Reset 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12578 Patch Status Unpatched Published Nov 26, 2025 Affected Software Reuters Direct Researcher Nabil Irawan More Details > Search Exclude <= 2.5.7 – Missing Authorization to Authenticated (Contributor+) Search Settings Modification via REST API 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-10646 Patch Status Patched Published Nov 24, 2025 Affected Software Search Exclude Researcher Lucas Montes (Nirox) More Details > sIFR <= 0.6.8.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49347 Patch Status Unpatched Published Nov 29, 2025 Affected Software WP sIFR Researcher Skalucy More Details > The Aisle <= 2.9 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66534 Patch Status Patched Published Nov 27, 2025 Affected Software The Aisle - Elegant Wedding WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > TNC Toolbox: Web Performance <= 2.0.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66108 Patch Status Patched Published Nov 29, 2025 Affected Software TNC Toolbox: Web Performance Researcher Nabil Irawan More Details > WP Fastest Cache <= 1.4.0 - Missing Authorization to Authenticated (Subscriber+) DB Cleanup Actions 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-10476 Patch Status Patched Published Nov 26, 2025 Affected Software WP Fastest Cache Researcher Dmitrii Ignatyev More Details > Flexmls® IDX <= 3.15.7 - Unauthenticated Open Redirect 3.4 CVSS Rating Low (3.4) CVE-ID CVE-2025-67585 Patch Status Patched Published Nov 29, 2025 Affected Software Flexmls® IDX Plugin Researcher Nabil Irawan More Details > As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence 
Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 24, 2025 to November 30, 2025) appeared first on Wordfence.
Source: www.wordfence.com