Critical Security Vulnerability in the WordPress Plugin "WP Directory Kit" (CVE-2025-13390)


Summary

Researchers discovered a critical authentication bypass in the WordPress plugin "WP Directory Kit" (versions up to and including 1.4.4) that leads to privilege escalation: an attacker can use it to take over arbitrary accounts. The vendor has released a security update, and administrators should apply it promptly.

Last week, there were 179 vulnerabilities disclosed in 163 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and 57 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report. Wordfence is the world's leading provider of quality vulnerability data for WordPress, so site owners can rest assured that Wordfence has their back.

Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 31,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free. Sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

  WAF-RULE-880 - Data redacted while we work with the vendor on a patch.
  Motors <= 5.6.82 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
  Soledad <= 8.6.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

  Patch Status: Number of Vulnerabilities
  Patched: 90
  Unpatched: 89

Note that 89 of the 179 disclosures had no vendor patch available at publication. For an unpatched plugin, updating is not an option; the practical remediation is to deactivate and remove it until the vendor ships a fix.

Total Vulnerabilities by CVSS Severity Last Week

  Severity Rating: Number of Vulnerabilities
  Medium Severity: 149
  High Severity: 22
  Critical Severity: 8

Total Vulnerabilities by CWE Type Last Week

  Vulnerability Type by CWE: Number of Vulnerabilities
  Missing Authorization: 54
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): 52
  Cross-Site Request Forgery (CSRF): 29
  Exposure of Sensitive Information to an Unauthorized Actor: 11
  Unrestricted Upload of File with Dangerous Type: 10
  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): 7
  Authorization Bypass Through User-Controlled Key: 3
  Improper Authorization: 2
  Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): 2
  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): 2
  Improper Privilege Management: 2
  External Control of File Name or Path: 1
  Improper Authentication: 1
  Improper Control of Generation of Code ('Code Injection'): 1
  Incorrect Implementation of Authentication Algorithm: 1
  Server-Side Request Forgery (SSRF): 1

Researchers That Contributed to WordPress Security Last Week

  Researcher Name: Number of Vulnerabilities
  Legion Hunter: 17
  Nabil Irawan: 15
  Athiwat Tiprasaharn (Jitlada): 14
  Muhammad Yudha - DJ: 9
  Abdulsamad Yusuf (0xVenus): 8
  type5afe: 6
  Ryan Kozak: 6
  kr0d: 5
  daroo: 5
  Md. Moniruzzaman Prodhan (NomanProdhan): 5
  Muhammad Nur Ibnu Hubab (Ibnu): 4
  Jonas Benjamin Friedli: 4
  Rafshanzani Suhada: 4
  Abu Hurayra (HurayraIIT): 4
  Kishan Vyas: 3
  Ivan Cese: 3
  shark3y: 3
  Itthidej Aramsri (Boeing777): 3
  Ananda Dhakal: 3
  dayea song: 3
  zaim: 3
  Mdr: 3
  Gilang - DJ: 3
  Certus Cybersecurity: 2
  benzdeus: 2
  Peter Thaleikis: 2
  NumeX: 2
  Phat RiO - BlueRock: 2
  lucky_buddy: 2
  YC_Infosec: 2
  Deadbee: 2
  mikemyers: 2
  Dmitrii Ignatyev: 2
  Doan Dinh Van: 2
  João Pedro S Alcântara (Kinorth): 2
  ChamlaVic: 2
  Peerapat Samatathanyakorn: 2
  theviper17y: 2
  ISMAILSHADOW: 1
  Moose Love: 1
  Kai Aizen: 1
  Denver Jackson: 1
  0xQRx: 1
  Aurélien BOURDOIS (Elymaro): 1
  Adrian Lukita: 1
  Powpy: 1
  Waris Damkham: 1
  zhenhua fan: 1
  Nicolai Hellesnes (nico_): 1
  mahdi salhi (CaptinSharky01): 1
  Farhan Dio Arrafiq: 1
  Rooting: 1
  Marcin Dudek (dudekmar): 1
  シルAsuna: 1
  tmrswrr: 1
  Sarawut Poolkhet (MisterHelloz): 1
  Jarno Vos (jarnovos): 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week

Software Name (Software Slug)

  10Web Booster – Website speed optimization, Cache & Page Speed optimizer (tenweb-speed-optimizer)
  Accessiy by CodeConfig Widget for ADA, EAA & WCAG Compliance (codeconfig-accessibility)
  Actionwear products sync (actionwear-products-sync)
  Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript (add-custom-codes)
  Advanced Custom Fields: Extended (acf-extended)
  Advanced FAQ Manager (advanced-faq-manager)
  All-in-One Video Gallery (all-in-one-video-gallery)
  Application Passwords (application-passwords)
  Arconix Shortcodes (arconix-shortcodes)
  ARK Related Posts (ark-relatedpost)
  Auto Alt Text (auto-alt-text)
  Auto Thumbnailer (auto-thumbnailer)
  Autoptimize (autoptimize)
  Backup, Restore and Migrate your sites with XCloner (xcloner-backup-and-restore)
  Beaver Builder Page Builder – Drag and Drop Website Builder (beaver-builder-lite-version)
  BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library (blockart-blocks)
  Booking Calendar (booking)
  Bread & Butter: Gate content & Improve lead conversion in 60 seconds (bread-butter)
  Business Directory Plugin – Easy Listing Directories for WordPress (business-directory-plugin)
  Canadian Nutrition Facts Label (canadian-nutrition-facts-label)
  Chartify – WordPress Chart Plugin (chart-builder)
  Clik stats (clikstats)
  Constant Contact + WooCommerce (constant-contact-woocommerce)
  Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress (contact-form-plugin)
  ContentStudio (contentstudio)
  Cool Tag Cloud (cool-tag-cloud)
  CoSign Single Signon (cosign-sso)
  Cost Calculator Builder (cost-calculator-builder)
  CRM Memberships (crm-memberships)
  CryptX (cryptx)
  CSS3 Buttons (css3-buttons)
  CSSIgniter Shortcodes (cssigniter-shortcodes)
  CSV Sumotto (csv-sumotto)
  Custom Layouts – Post + Product grids made easy (custom-layouts)
  Custom Post Type UI (custom-post-type-ui)
  Custom Sidebars by ProteusThemes (custom-sidebars-by-proteusthemes)
  Cute News Ticker (cute-news-ticker)
  Demo Importer Plus (demo-importer-plus)
  DesignThemes LMS (designthemes-lms)
  dream gallery (dream-gallery)
  Easy Jump Links Menus (easy-jump-links-menus)
  ELEX WordPress HelpDesk & Customer Ticketing System (elex-helpdesk-customer-support-ticket-system)
  Envo Extra (envo-extra)
  EPROLO-Dropshipping (eprolo-dropshipping)
  Ergonet Cache (ergonet-varnish-cache)
  Event Booking Manager for WooCommerce (mage-eventpress)
  Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin (everest-backup)
  Export All Posts, Products, Orders, Refunds & Users (wp-ultimate-exporter)
  Extra Post Images (extra-post-images)
  Featured Image via URL (featured-image-via-url)
  Feedback Modal for Website (feedback-modal-for-website)
  Feeds for TikTok – Display Video Feeds in Grid Layouts (b-tiktok-feed)
  FitVids for WordPress (fitvids-for-wordpress)
  Flex QR Code Generator (flex-qr-code-generator)
  Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution (fluent-booking)
  Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder (fluentform)
  FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler (fluent-cart)
  Formstack Online Forms (formstack)
  Frontend Admin by DynamiApps (acf-frontend-form-element)
  FunnelKit – Funnel Builder for WooCommerce Checkout (funnel-builder)
  g-FFL Cockpit (g-ffl-cockpit)
  Generic Elements (generic-elements-for-elementor)
  Gravitec.net – Web Push Notifications (gravitec-net-web-push-notifications)
  GSheetConnector For WPForms (gsheetconnector-wpforms)
  Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons (gutenverse-news)
  Happy Addons for Elementor (happy-elementor-addons)
  Hide Categories Or Products On Shop Page (hide-categories-or-products-on-shop-page)
  HUSKY – Products Filter Professional for WooCommerce (woocommerce-products-filter)
  Hype (pico)
  Image Cleanup (image-cleanup)
  Image Gallery – Photo Grid & Video Gallery (modula-best-grid-gallery)
  Image Optimizer by wps.sk (image-optimizer-wpssk)
  Jabbernotification (jabberbenachrichtigung)
  JNews Gallery (jnews-gallery)
  JNews Paywall (jnews-paywall)
  Kadence WooCommerce Email Designer (kadence-woocommerce-email-designer)
  Link Whisper Free (link-whisper)
  List Attachments Shortcode (list-attachments-shortcode)
  Listar – Directory Listing & Classifieds WordPress Plugin (listar-directory-listing)
  Live CSS Preview (live-css-preview)
  Live Sales Notification for Woocommerce – Woomotiv (woomotiv)
  Make Section & Column Clickable For Elementor (make-section-column-clickable-elementor)
  Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations (master-addons)
  Media Library Downloader (media-library-downloader)
  MultiParcels Shipping For WooCommerce (multiparcels-shipping-for-woocommerce)
  MxChat – AI Chatbot for WordPress (mxchat-basic)
  My auctions allegro (my-auctions-allegro-free-edition)
  My Tickets – Accessible Event Ticketing (my-tickets)
  myLCO (mylco)
  Nexter Extension – Site Enhancements Toolkit (nexter-extension)
  Norby AI (norby-ai)
  Nouri.sh Newsletter (newsletters-from-rss-to-email-newsletters-using-nourish)
  Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto (codistoconnect)
  Omnipress (omnipress)
  Order Delivery Date for WooCommerce (order-delivery-date-for-woocommerce)
  Payaza (payaza)
  Paysera Payment Gateway for WooCommerce (woo-payment-gateway-paysera)
  PDF Catalog for WooCommerce (pdf-catalog-for-woocommerce)
  PDF Invoices & Packing Slips for WooCommerce (woocommerce-pdf-invoices-packing-slips)
  PDF Thumbnail Generator (pdf-thumbnail-generator)
  Photo Gallery by Ays – Responsive Image Gallery (gallery-photo-gallery)
  Plug your WooCommerce into the largest catalog of customized print products from Helloprint (helloprint)
  Portfolio and Projects (portfolio-and-projects)
  Post Cloner (post-cloner)
  Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App (post-smtp)
  PostGallery (postgallery)
  Projectopia – Project Management Tool (projectopia-core)
  Quantic Social Image Hover (tw-image-hover-share)
  Quiz Maker (quiz-maker)
  RevInsite (revinsite)
  Rich Shortcodes for Google Reviews (widget-google-reviews)
  Salon Booking System – Free Version (salon-booking-system)
  Search, Filters & Merchandising for WooCommerce (instantsearch-for-woocommerce)
  Sermon Manager (sermon-manager-for-wordpress)
  ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution (shopengine)
  SMS Alert Order Notifications – WooCommerce (sms-alert)
  SMTP Mail (smtp-mail)
  Social Feed Gallery Portfolio (social-feed-gallery-portfolio)
  SSP Debug (ssp-debugging)
  Starter Templates – AI-Powered Templates for Elementor & Gutenberg (astra-sites)
  SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers (suremails)
  SurveyFunnel – Survey Plugin for WordPress (surveyfunnel-lite)
  SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity (surveyjs)
  Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent (tablesome)
  Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI (simple-tags)
  Takeads (monetize-link)
  Thai Lottery Widget (thai-lottery-widget)
  Thank You Page Customizer for WooCommerce – Increase Your Sales (woo-thank-you-page-customizer)
  The7 Elements (dt-the7-core)
  Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor (thim-elementor-kit)
  Time Sheets (time-sheets)
  Torod – The smart shipping and delivery portal for e-shops and retailers (torod)
  TR Timthumb (tr-timthumb)
  Trail Manager (trail-manager)
  Twitscription (twitscription)
  Ultra Skype Button (ultra-skype-button)
  User Generator and Importer (user-importer-and-generator)
  User Spam Remover (user-spam-remover)
  User Verification by PickPlugins (user-verification)
  VikRentCar Car Rental Management System (vikrentcar)
  Visualizer: Tables and Charts Manager for WordPress (visualizer)
  Voidek Employee Portal (voidek-employee-portal)
  WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors (wc-vendors)
  Webcake – Landing Page Builder (webcake)
  WebP Express (webp-express)
  weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot (wedocs)
  Weekly Planner (weekly-planner)
  Widgets for Google Reviews (wp-reviews-plugin-for-google)
  WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4, Ai assistance (ai-co-pilot-for-wp)
  WP Directory Kit (wpdirectorykit)
  WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting (erp)
  WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics (wp-google-analytics-events)
  WP Landing Page (wp-landing-page)
  Wp Social Login and Register Social Counter (wp-social)
  WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets (wp-social-reviews)
  WP Ultimate Review (wp-ultimate-review)
  WP-SOS-Donate Donation Sidebar Plugin (wp-sos-donate)
  WPKoi Templates for Elementor (wpkoi-templates-for-elementor)
  Xagio SEO – AI Powered SEO (xagio-seo)
  Xpro Addons — 140+ Widgets for Elementor (xpro-elementor-addons)
  Yandex.Metrica (wp-yandex-metrika)
  Yet Another WebClap for WordPress (yet-another-webclap-for-wordpress)
  Zigaform – Price Calculator & Cost Estimation Form Builder Lite (zigaform-calculator-cost-estimation-form-builder-lite)

WordPress Themes with Reported Vulnerabilities Last Week

Software Name (Software Slug)

  AdForest (adforest)
  REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme (rehub-theme)

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you would like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
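For sites that do not run the Wordfence scanner, the entries below can be matched against a plugin inventory by hand: each heading names the software and an affected-version expression ("<= 1.4.4", "< 2.7.12", or an inclusive range such as "2.13.1 - 2.13.2"), and the Software Slug column above gives the directory name the plugin is installed under. The script that follows is an added example written for this page, not Wordfence's code, API or CLI. It parses those three heading shapes and compares installed versions with the same ordering rules as PHP's version_compare(), which is what WordPress core uses for version checks. That matters for an entry like "List Attachments Shortcode <= 0.4.1a": under version_compare(), "0.4.1a" ranks below "0.4.1" (the trailing "a" is an alpha form), so a plain dotted-number comparison would misjudge that entry. The INVENTORY mapping (slug to installed version) is constructed for a hypothetical site; the REPORT pairs are taken from the headings and slugs on this page. The port matches version_compare()'s suffix forms exactly rather than by prefix as PHP does, which is sufficient for the version strings that appear in this report.

```python
"""Added example (not Wordfence's code): match installed WordPress plugin versions
against the affected-version expressions used in this report's headings."""
import re
from typing import Callable

# Ordering of the non-numeric version parts recognised by PHP's version_compare();
# anything not in this table sorts below everything else (PHP uses -6 for it).
_SPECIAL = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2,
            "RC": 3, "rc": 3, "#": 4, "pl": 5, "p": 5}


def _canonical(version: str) -> list[str]:
    """Split a version string the way PHP does: '-', '_' and '+' become '.',
    a '.' is inserted at every digit/non-digit boundary, empty parts are dropped.
    "1.0a" -> ["1", "0", "a"], "2.1.3-beta2" -> ["2", "1", "3", "beta", "2"]."""
    v = re.sub(r"[-_+]", ".", version)
    v = re.sub(r"(\d)(\D)", r"\1.\2", v)
    v = re.sub(r"(\D)(\d)", r"\1.\2", v)
    return [part for part in v.split(".") if part]


def _cmp_special(a: str, b: str) -> int:
    ra, rb = _SPECIAL.get(a, -6), _SPECIAL.get(b, -6)
    return (ra > rb) - (ra < rb)


def php_version_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 with the same ordering as PHP's version_compare($v1, $v2)."""
    p1, p2 = _canonical(v1), _canonical(v2)
    for a, b in zip(p1, p2):
        if a.isdigit() and b.isdigit():
            c = (int(a) > int(b)) - (int(a) < int(b))
        else:
            # A number compared against a suffix is treated as the form "#",
            # so "1.0.0" > "1.0.rc" but "1.0.0" < "1.0.pl".
            c = _cmp_special("#" if a.isdigit() else a, "#" if b.isdigit() else b)
        if c:
            return c
    # One side has parts left over: a leftover number makes it greater, a leftover
    # suffix is ranked against "#" ("1.0" > "1.0a", but "1.0" < "1.0pl1").
    if len(p1) > len(p2):
        rest = p1[len(p2)]
        return 1 if rest.isdigit() else _cmp_special(rest, "#")
    if len(p2) > len(p1):
        rest = p2[len(p1)]
        return -1 if rest.isdigit() else _cmp_special("#", rest)
    return 0


# The three shapes of affected-version expression used in the report headings:
# "Name <= 1.4.4", "Name < 2.7.12" and "Name 2.13.1 - 2.13.2" (inclusive range).
_HEADING = re.compile(
    r"^(?P<name>.+?)\s+(?:(?P<op><=|<)\s*(?P<limit>\S+)|(?P<lo>\S+)\s*[-\u2013]\s*(?P<hi>\S+))$"
)


def parse_affected(heading: str) -> tuple[str, Callable[[str], bool]]:
    """Return (software name, predicate); predicate(installed) is True when the
    installed version falls inside the affected range."""
    m = _HEADING.match(heading)
    if not m:
        raise ValueError(f"unrecognised affected-version expression: {heading!r}")
    limit, lo, hi = m["limit"], m["lo"], m["hi"]
    if m["op"] == "<=":
        return m["name"], lambda v: php_version_compare(v, limit) <= 0
    if m["op"] == "<":
        return m["name"], lambda v: php_version_compare(v, limit) < 0
    return m["name"], lambda v: (php_version_compare(v, lo) >= 0
                                 and php_version_compare(v, hi) <= 0)


def is_affected(heading: str, installed: str) -> bool:
    return parse_affected(heading)[1](installed)


# Constructed sample inventory (plugin slug -> installed version) of a hypothetical site.
INVENTORY = {
    "wpdirectorykit": "1.4.4",
    "dt-the7-core": "2.7.12",
    "modula-best-grid-gallery": "2.13.0",
    "acf-extended": "0.9.1.0",
    "list-attachments-shortcode": "0.4.1",
    "autoptimize": "3.1.14",
}

# (slug, affected-version expression) pairs taken from this report's headings and
# its Software Slug column; the vulnerability title after " - " is omitted here.
REPORT = [
    ("wpdirectorykit", "WP Directory Kit <= 1.4.4"),
    ("dt-the7-core", "The7 Elements < 2.7.12"),
    ("modula-best-grid-gallery", "Modula 2.13.1 - 2.13.2"),
    ("acf-extended", "Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1"),
    ("list-attachments-shortcode", "List Attachments Shortcode <= 0.4.1a"),
    ("autoptimize", "Autoptimize <= 3.1.13"),
]


def triage(inventory: dict[str, str], report: list[tuple[str, str]]) -> list[str]:
    """Slugs of installed plugins whose version lies inside an affected range."""
    return [slug for slug, heading in report
            if slug in inventory and is_affected(heading, inventory[slug])]


if __name__ == "__main__":
    for slug in triage(INVENTORY, REPORT):
        print(f"AFFECTED: {slug} {INVENTORY[slug]}")
```

With the constructed inventory, two plugins are flagged: wpdirectorykit (1.4.4 is the last affected release) and acf-extended (0.9.1.0 sits inside the 0.9.0.5 - 0.9.1.1 range). The7 Elements at exactly 2.7.12 is not flagged because its heading uses a strict "<", and List Attachments Shortcode at 0.4.1 is not flagged because version_compare() orders 0.4.1 above 0.4.1a. A real inventory would come from the plugin headers in wp-content/plugins, and the slug-to-heading pairs from the full list below rather than the six shown here.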
WP Directory Kit <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover
  CVSS: Critical (10.0) | CVE: CVE-2025-13390 | Patch status: Patched | Published: Dec 3, 2025
  Affected software: WP Directory Kit | Researcher: Ryan Kozak

Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form
  CVSS: Critical (9.8) | CVE: CVE-2025-13486 | Patch status: Patched | Published: Dec 2, 2025
  Affected software: Advanced Custom Fields: Extended | Researcher: Marcin Dudek (dudekmar)

CRM Memberships <= 2.5 - Missing Authorization to Privilege Escalation via Unauthenticated Password Reset in 'ntzcrm_changepassword' AJAX Endpoint
  CVSS: Critical (9.8) | CVE: CVE-2025-13313 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: CRM Memberships | Researcher: Athiwat Tiprasaharn (Jitlada)

DesignThemes LMS <= 1.0.4 - Unauthenticated Privilege Escalation
  CVSS: Critical (9.8) | CVE: CVE-2025-13542 | Patch status: Patched | Published: Dec 2, 2025
  Affected software: DesignThemes LMS | Researcher: シルAsuna

Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.39 - Authentication Bypass to Account Takeover
  CVSS: Critical (9.8) | CVE: CVE-2025-12374 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: User Verification by PickPlugins | Researcher: lucky_buddy

Flex QR Code Generator <= 1.2.7 - Unauthenticated Arbitrary File Upload
  CVSS: Critical (9.8) | CVE: CVE-2025-12673 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: Flex QR Code Generator | Researcher: Ryan Kozak

Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Arbitrary Options Update
  CVSS: Critical (9.8) | CVE: CVE-2025-13342 | Patch status: Patched | Published: Dec 3, 2025
  Affected software: Frontend Admin by DynamiApps | Researcher: YC_Infosec

10Web Booster <= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache
  CVSS: Critical (9.6) | CVE: CVE-2025-13377 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer | Researcher: shark3y

All-in-One Video Gallery 4.5.4 - 4.5.7 - Authenticated (Author+) Arbitrary File Upload via Import ZIP
  CVSS: High (8.8) | CVE: CVE-2025-12966 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: All-in-One Video Gallery | Researcher: kr0d

Auto Thumbnailer <= 1.0 - Authenticated (Contributor+) Arbitrary File Upload
  CVSS: High (8.8) | CVE: CVE-2025-12154 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: Auto Thumbnailer | Researcher: kr0d

ContentStudio <= 1.3.7 - Authenticated (Author+) Arbitrary File Upload
  CVSS: High (8.8) | CVE: CVE-2025-12181 | Patch status: Patched | Published: Dec 4, 2025
  Affected software: ContentStudio | Researcher: kr0d

Cost Calculator Builder <= 3.6.3 - Unauthenticated Arbitrary File Deletion
  CVSS: High (8.8) | CVE: CVE-2025-12529 | Patch status: Patched | Published: Dec 1, 2025
  Affected software: Cost Calculator Builder | Researcher: YC_Infosec

Demo Importer Plus <= 2.0.6 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass
  CVSS: High (8.8) | CVE: CVE-2025-13066 | Patch status: Patched | Published: Dec 4, 2025
  Affected software: Demo Importer Plus | Researcher: mikemyers

Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary File Upload
  CVSS: High (8.8) | CVE: CVE-2025-12153 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: Featured Image via URL | Researcher: kr0d

PostGallery <= 1.12.5 - Authenticated (Subscriber+) Arbitrary File Upload
  CVSS: High (8.8) | CVE: CVE-2025-13543 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: PostGallery | Researcher: Moose Love

Starter Templates <= 4.4.41 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass
  CVSS: High (8.8) | CVE: CVE-2025-13065 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: Starter Templates – AI-Powered Templates for Elementor & Gutenberg | Researcher: mikemyers

User Generator and Importer <= 1.2.2 - Cross-Site Request Forgery to Privilege Escalation via Arbitrary Administrator Account Creation
  CVSS: High (8.8) | CVE: CVE-2025-12879 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: User Generator and Importer | Researcher: Ivan Cese

Cool Tag Cloud <= 2.29 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: High (8.1) | CVE: CVE-2025-13614 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: Cool Tag Cloud | Researcher: Muhammad Yudha - DJ

My auctions allegro <= 3.6.32 - Unauthenticated Local File Inclusion via controller
  CVSS: High (8.1) | CVE: CVE-2025-12851 | Patch status: Patched | Published: Dec 4, 2025
  Affected software: My auctions allegro | Researcher: type5afe

SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers <= 1.9.0 - Unauthenticated Arbitrary File Upload
  CVSS: High (8.1) | CVE: CVE-2025-13516 | Patch status: Patched | Published: Dec 1, 2025
  Affected software: SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers | Researcher: type5afe

Modula 2.13.1 - 2.13.2 - Authenticated (Author+) Arbitrary File Upload via Race Condition
  CVSS: High (7.5) | CVE: CVE-2025-13646 | Patch status: Patched | Published: Dec 2, 2025
  Affected software: Image Gallery – Photo Grid & Video Gallery | Researcher: 0xQRx

My auctions allegro <= 3.6.32 - Unauthenticated SQL Injection via auction_id
  CVSS: High (7.5) | CVE: CVE-2025-12850 | Patch status: Patched | Published: Dec 4, 2025
  Affected software: My auctions allegro | Researcher: type5afe

The7 Elements < 2.7.12 - Authenticated (Contributor+) Local File Inclusion
  CVSS: High (7.5) | CVE: CVE-2025-63076 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: The7 Elements | Researcher: João Pedro S Alcântara (Kinorth)

VikRentCar Car Rental Management System <= 1.4.4 - Authenticated (Author+) SQL Injection via 'month' Parameter
  CVSS: High (7.5) | CVE: CVE-2025-13724 | Patch status: Patched | Published: Dec 1, 2025
  Affected software: VikRentCar Car Rental Management System | Researcher: zhenhua fan

Kadence WooCommerce Email Designer <= 1.5.17 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2) | CVE: CVE-2025-13387 | Patch status: Patched | Published: Dec 1, 2025
  Affected software: Kadence WooCommerce Email Designer | Researcher: shark3y

Modula 2.13.1 - 2.13.2 - Authenticated (Author+) Arbitrary File Deletion
  CVSS: High (7.2) | CVE: CVE-2025-13645 | Patch status: Patched | Published: Dec 2, 2025
  Affected software: Image Gallery – Photo Grid & Video Gallery | Researcher: ISMAILSHADOW

Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration - Powered by Codisto <= 1.3.65 - Unauthenticated Stored Cross-Site Scripting
  CVSS: High (7.2) | CVE: CVE-2025-11727 | Patch status: Unpatched | Published: Dec 3, 2025
  Affected software: Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto | Researcher: shark3y

Rich Shortcodes for Google Reviews <= 6.8 - Unauthenticated Stored Cross-Site Scripting via Google Review
  CVSS: High (7.2) | CVE: CVE-2025-12499 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: Rich Shortcodes for Google Reviews | Researcher: Kishan Vyas

Time Sheets <= 2.1.3 - Use of Known Vulnerable Component
  CVSS: High (7.2) | CVE: CVE-2013-6880 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: Time Sheets | Researcher: Athiwat Tiprasaharn (Jitlada)

Widgets for Google Reviews <= 13.2.4 - Unauthenticated Stored Cross-Site Scripting via Google Reviews
  CVSS: High (7.2) | CVE: CVE-2025-12510 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: Widgets for Google Reviews | Researcher: Kishan Vyas

Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure
  CVSS: Medium (6.5) | CVE: CVE-2025-13606 | Patch status: Patched | Published: Dec 1, 2025
  Affected software: Export All Posts, Products, Orders, Refunds & Users | Researcher: lucky_buddy

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Authenticated (Contributor+) SQL Injection
  CVSS: Medium (6.5) | CVE: CVE-2025-13359 | Patch status: Patched | Published: Dec 3, 2025
  Affected software: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI | Researcher: type5afe

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Authenticated (Contributor+) SQL Injection via ORDER BY Clause
  CVSS: Medium (6.5) | CVE: CVE-2025-13922 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI | Researcher: Dmitrii Ignatyev

Visualizer: Tables and Charts Manager for WordPress <= 3.11.12 - Authenticated (Contributor+) SQL Injection
  CVSS: Medium (6.5) | CVE: CVE-2025-12483 | Patch status: Patched | Published: Dec 1, 2025
  Affected software: Visualizer: Tables and Charts Manager for WordPress | Researcher: Rafshanzani Suhada

Advanced FAQ Manager <= 1.5.2 - Authenticated (Author+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-67556 | Patch status: Patched | Published: Dec 6, 2025
  Affected software: Advanced FAQ Manager | Researcher: Nabil Irawan

Arconix Shortcodes <= 2.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-13835 | Patch status: Unpatched | Published: Dec 1, 2025
  Affected software: Arconix Shortcodes | Researcher: Rooting

Autoptimize <= 3.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-13401 | Patch status: Patched | Published: Dec 3, 2025
  Affected software: Autoptimize | Researcher: Muhammad Yudha - DJ

BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library <= 2.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via `timestamp` Attribute
  CVSS: Medium (6.4) | CVE: CVE-2025-13697 | Patch status: Patched | Published: Dec 1, 2025
  Affected software: BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library | Researcher: Farhan Dio Arrafiq

Booking Calendar <= 10.14.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode
  CVSS: Medium (6.4) | CVE: CVE-2025-12804 | Patch status: Patched | Published: Dec 4, 2025
  Affected software: Booking Calendar | Researcher: Muhammad Yudha - DJ

Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type
  CVSS: Medium (6.4) | CVE: CVE-2025-12715 | Patch status: Unpatched | Published: Dec 5, 2025
  Affected software: Canadian Nutrition Facts Label | Researcher: Muhammad Yudha - DJ

CryptX <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-13739 | Patch status: Patched | Published: Dec 4, 2025
  Affected software: CryptX | Researcher: Muhammad Yudha - DJ

CSS3 Buttons <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
  CVSS: Medium (6.4) | CVE: CVE-2025-13907 | Patch status: Unpatched | Published: Dec 5, 2025
  Affected software: CSS3 Buttons | Researcher: Gilang - DJ

CSSIgniter Shortcodes <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute
  CVSS: Medium (6.4) | CVE: CVE-2025-13448 | Patch status: Patched | Published: Dec 2, 2025
  Affected software: CSSIgniter Shortcodes | Researcher: Athiwat Tiprasaharn (Jitlada)

Cute News Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute
  CVSS: Medium (6.4) | CVE: CVE-2025-13656 | Patch status: Unpatched | Published: Dec 5, 2025
  Affected software: Cute News Ticker | Researcher: ChamlaVic

Easy Jump Links Menus <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
  CVSS: Medium (6.4) | CVE: CVE-2025-13860 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: Easy Jump Links Menus | Researcher: theviper17y

Envo Extra <= 1.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-66066 | Patch status: Patched | Published: Dec 5, 2025
  Affected software: Envo Extra | Researcher: Abu Hurayra (HurayraIIT)

Extra Post Images <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
  CVSS: Medium (6.4) | CVE: CVE-2025-13856 | Patch status: Unpatched | Published: Dec 5, 2025
  Affected software: Extra Post Images | Researcher: Gilang - DJ

Funnel Builder by FunnelKit <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-66067 | Patch status: Patched | Published: Dec 6, 2025
  Affected software: FunnelKit – Funnel Builder for WooCommerce Checkout | Researcher: zaim

Generic Elements <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-62082 | Patch status: Unpatched | Published: Dec 7, 2025
  Affected software: Generic Elements | Researcher: Abu Hurayra (HurayraIIT)

JNews Gallery < 12.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-67538 | Patch status: Patched | Published: Dec 6, 2025
  Affected software: JNews Gallery | Researcher: Ananda Dhakal

List Attachments Shortcode <= 0.4.1a - Authenticated (Author+) Stored Cross-Site Scripting via list-attachments Shortcode
  CVSS: Medium (6.4) | CVE: CVE-2025-12717 | Patch status: Unpatched | Published: Dec 5, 2025
  Affected software: List Attachments Shortcode | Researcher: Muhammad Yudha - DJ

Master Addons for Elementor <= 2.0.9.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-63055 | Patch status: Unpatched | Published: Dec 5, 2025
  Affected software: Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations | Researcher: Abu Hurayra (HurayraIIT)

Nexter Extension <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  CVSS: Medium (6.4) | CVE: CVE-2025-13731 | Patch status: Patched | Published: Dec 1, 2025
  Affected software: Nexter Extension – Site Enhancements Toolkit | Researcher: Muhammad Yudha - DJ

Omnipress <= 1.6.5 - Authenticated (Author+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-12163 | Patch status: Patched | Published: Dec 4, 2025
  Affected software: Omnipress | Researcher: Kai Aizen

RevInsite <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
  CVSS: Medium (6.4) | CVE: CVE-2025-13863 | Patch status: Unpatched | Published: Dec 5, 2025
  Affected software: RevInsite | Researcher: theviper17y

Sermon Manager <= 2.30.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
  CVSS: Medium (6.4) | CVE: CVE-2025-12368 | Patch status: Unpatched | Published: Dec 4, 2025
  Affected software: Sermon Manager | Researcher: zaim
> Social Feed Gallery Portfolio <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13896 Patch Status Unpatched Published Dec 5, 2025 Affected Software Social Feed Gallery Portfolio Researcher Muhammad Yudha - DJ More Details > SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12417 Patch Status Unpatched Published Dec 4, 2025 Affected Software SurveyFunnel – Survey Plugin for WordPress Researcher Peter Thaleikis More Details > Thai Lottery Widget <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13678 Patch Status Unpatched Published Dec 4, 2025 Affected Software Thai Lottery Widget Researcher Peerapat Samatathanyakorn More Details > TR Timthumb <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13899 Patch Status Unpatched Published Dec 5, 2025 Affected Software TR Timthumb Researcher Peter Thaleikis More Details > Ultimate Review <= 2.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-63057 Patch Status Unpatched Published Dec 7, 2025 Affected Software WP Ultimate Review Researcher zaim More Details > Ultra Skype Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_id' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13898 Patch Status Unpatched Published Dec 5, 2025 Affected Software Ultra Skype Button Researcher Muhammad Yudha - DJ More Details > Xpro Elementor Addons <= 1.4.19.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-63044 Patch Status Unpatched Published Dec 6, 2025 Affected Software Xpro Addons — 140+ Widgets for 
Elementor Researcher Abu Hurayra (HurayraIIT) More Details > Yet Another WebClap for WordPress <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13857 Patch Status Unpatched Published Dec 5, 2025 Affected Software Yet Another WebClap for WordPress Researcher Gilang - DJ More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.2 - Authenticated (Contributor+) Privilege Escalation via eh_crm_edit_agent AJAX Action 6.3 CVSS Rating Medium (6.3) CVE-ID CVE-2025-13534 Patch Status Patched Published Dec 1, 2025 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Athiwat Tiprasaharn (Jitlada) More Details > Clik stats <= 0.8 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13513 Patch Status Unpatched Published Dec 3, 2025 Affected Software Clik stats Researcher Abdulsamad Yusuf (0xVenus) More Details > CoSign Single Signon <= 0.3.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13512 Patch Status Unpatched Published Dec 4, 2025 Affected Software CoSign Single Signon Researcher Abdulsamad Yusuf (0xVenus) More Details > CSV Sumotto <= 1.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13894 Patch Status Unpatched Published Dec 5, 2025 Affected Software CSV Sumotto Researcher Abdulsamad Yusuf (0xVenus) More Details > dream gallery <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'dreampluginsmain' AJAX Action 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13621 Patch Status Unpatched Published Dec 4, 2025 Affected Software dream gallery Researcher dayea song More Details > Jabbernotification <= 0.99-RC2 - Reflected Cross-Site Scripting via admin.php PATH_INFO 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13622 Patch Status Unpatched Published Dec 4, 2025 Affected Software 
Jabbernotification Researcher Abdulsamad Yusuf (0xVenus) More Details > Link Whisper Free <= 0.8.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-11263 Patch Status Patched Published Dec 5, 2025 Affected Software Link Whisper Free Researcher Nicolai Hellesnes (nico_) More Details > Live Sales Notification for Woocommerce – Woomotiv <= 3.6.3 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13137 Patch Status Unpatched Published Dec 5, 2025 Affected Software Live Sales Notification for Woocommerce – Woomotiv Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > myLCO <= 0.8.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13626 Patch Status Unpatched Published Dec 5, 2025 Affected Software myLCO Researcher Abdulsamad Yusuf (0xVenus) More Details > Nouri.sh Newsletter <= 1.0.1.3 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13515 Patch Status Unpatched Published Dec 4, 2025 Affected Software Nouri.sh Newsletter Researcher Abdulsamad Yusuf (0xVenus) More Details > Twitscription <= 0.1.1 - Reflected Cross-Site Scripting via admin.php PATH_INFO 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13623 Patch Status Unpatched Published Dec 4, 2025 Affected Software Twitscription Researcher Abdulsamad Yusuf (0xVenus) More Details > WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 3.20.3 - Unauthenticated Stored Cross-Site Scripting via External Content Import 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13007 Patch Status Patched Published Dec 1, 2025 Affected Software WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets Researcher Kishan Vyas More Details > WP-SOS-Donate Donation Sidebar Plugin <= 0.9.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13625 Patch 
Status Unpatched Published Dec 4, 2025 Affected Software WP-SOS-Donate Donation Sidebar Plugin Researcher Abdulsamad Yusuf (0xVenus) More Details > Application Passwords <= 0.1.3 - Reflected Cross-Site Scripting via reject_url 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-13308 Patch Status Unpatched Published Dec 5, 2025 Affected Software Application Passwords Researcher Rafshanzani Suhada More Details > PDF Catalog for WooCommerce <= 1.1.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-12191 Patch Status Unpatched Published Dec 4, 2025 Affected Software PDF Catalog for WooCommerce Researcher kr0d More Details > Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.1 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-12887 Patch Status Patched Published Dec 3, 2025 Affected Software Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App Researcher type5afe More Details > weDocs <= 2.1.14 - Missing Authorization to Settings Update 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-12505 Patch Status Patched Published Dec 5, 2025 Affected Software weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot Researcher Md. 
Moniruzzaman Prodhan (NomanProdhan) More Details > Accessiy By CodeConfig Accessibility <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13358 Patch Status Unpatched Published Dec 5, 2025 Affected Software Accessiy by CodeConfig Widget for ADA, EAA & WCAG Compliance Researcher Athiwat Tiprasaharn (Jitlada) More Details > AdForest <= 6.0.11 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67569 Patch Status Patched Published Dec 4, 2025 Affected Software AdForest Researcher João Pedro S Alcântara (Kinorth) More Details > Constant Contact + WooCommerce <= 2.4.1 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67580 Patch Status Patched Published Dec 5, 2025 Affected Software Constant Contact + WooCommerce Researcher Legion Hunter More Details > CRM Memberships <= 2.5 - Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13312 Patch Status Unpatched Published Dec 4, 2025 Affected Software CRM Memberships Researcher Athiwat Tiprasaharn (Jitlada) More Details > ERP <= 1.16.7 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-63008 Patch Status Unpatched Published Dec 4, 2025 Affected Software WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting Researcher Legion Hunter More Details > Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin <= 2.3.8 - Missing Authorization to Unauthenticated Backup Failure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-10304 Patch Status Patched Published Dec 2, 2025 Affected Software Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin Researcher Jonas Benjamin Friedli More Details > Feedback Modal for Website <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Feedback Data Exfiltration via 'export_data' Parameter 5.3 CVSS Rating Medium 
(5.3) CVE-ID CVE-2025-13528 Patch Status Unpatched Published Dec 4, 2025 Affected Software Feedback Modal for Website Researcher Legion Hunter More Details > Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13748 Patch Status Patched Published Dec 5, 2025 Affected Software Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Formstack Online Forms <= 2.0.2 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62738 Patch Status Unpatched Published Dec 5, 2025 Affected Software Formstack Online Forms Researcher Legion Hunter More Details > g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12720 Patch Status Patched Published Dec 5, 2025 Affected Software g-FFL Cockpit Researcher Ryan Kozak More Details > g-FFL Cockpit <= 1.7.1 - Missing Authorization to Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12721 Patch Status Patched Published Dec 5, 2025 Affected Software g-FFL Cockpit Researcher Ryan Kozak More Details > Google Analytics Events <= 2.8.2 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-63009 Patch Status Unpatched Published Dec 4, 2025 Affected Software WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics Researcher Legion Hunter More Details > Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13666 Patch Status Unpatched Published Dec 5, 2025 Affected Software Plug your WooCommerce into the largest catalog of customized print products from Helloprint Researcher Md. 
Moniruzzaman Prodhan (NomanProdhan) More Details > Hype <= 1.0.5 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-49348 Patch Status Unpatched Published Dec 4, 2025 Affected Software Hype Researcher NumeX More Details > Image Cleanup <= 1.9.2 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62737 Patch Status Unpatched Published Dec 4, 2025 Affected Software Image Cleanup Researcher Nabil Irawan More Details > MxChat – AI Chatbot for WordPress <= 2.5.5 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12585 Patch Status Patched Published Dec 2, 2025 Affected Software MxChat – AI Chatbot for WordPress Researcher Ryan Kozak More Details > Order Delivery Date for WooCommerce <= 4.3.1 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-63024 Patch Status Unpatched Published Dec 3, 2025 Affected Software Order Delivery Date for WooCommerce Researcher Legion Hunter More Details > Payaza <= 0.3.8 - Missing Authorization to Unauthenticated Order Status Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12355 Patch Status Unpatched Published Dec 4, 2025 Affected Software Payaza Researcher Legion Hunter More Details > Post Cloner <= 1.0.0 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62865 Patch Status Unpatched Published Dec 5, 2025 Affected Software Post Cloner Researcher Nabil Irawan More Details > Projectopia – WordPress Project Management <= 5.1.19 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12876 Patch Status Patched Published Dec 4, 2025 Affected Software Projectopia – Project Management Tool Researcher Athiwat Tiprasaharn (Jitlada) More Details > Rehub <= 19.9.9.1 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67565 Patch Status Patched Published Dec 6, 2025 Affected Software REHub - Price Comparison, Multi Vendor Marketplace 
Wordpress Theme Researcher Ananda Dhakal More Details > SMS Alert Order Notifications <= 3.8.8 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66086 Patch Status Patched Published Dec 5, 2025 Affected Software SMS Alert Order Notifications – WooCommerce Researcher benzdeus More Details > SSP Debug <= 1.0.0 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13494 Patch Status Unpatched Published Dec 4, 2025 Affected Software SSP Debug Researcher Itthidej Aramsri (Boeing777) More Details > SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13006 Patch Status Unpatched Published Dec 4, 2025 Affected Software SurveyFunnel – Survey Plugin for WordPress Researcher Deadbee More Details > Tiktok Feed <= 1.0.23 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66110 Patch Status Unpatched Published Dec 2, 2025 Affected Software Feeds for TikTok – Display Video Feeds in Grid Layouts Researcher Legion Hunter More Details > User Spam Remover <= 1.1 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62735 Patch Status Unpatched Published Dec 4, 2025 Affected Software User Spam Remover Researcher Nabil Irawan More Details > Voidek Employee Portal <= 1.0.6 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12093 Patch Status Unpatched Published Dec 4, 2025 Affected Software Voidek Employee Portal Researcher Athiwat Tiprasaharn (Jitlada) More Details > WebP Express <= 0.25.9 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-11379 Patch Status Unpatched Published Dec 3, 2025 Affected Software WebP Express Researcher Rafshanzani Suhada More Details > Wp Social Login and Register Social Counter <= 3.1.3 - Missing Authorization in Cache REST Endpoints to Social Counter Tampering 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13620 Patch 
Status Patched Published Dec 4, 2025 Affected Software Wp Social Login and Register Social Counter Researcher Dmitrii Ignatyev More Details > WpEvently <= 5.0.4 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66083 Patch Status Patched Published Dec 4, 2025 Affected Software Event Booking Manager for WooCommerce Researcher Legion Hunter More Details > WPForms Google Sheet Connector <= 4.0.0 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67570 Patch Status Patched Published Dec 4, 2025 Affected Software GSheetConnector For WPForms Researcher Legion Hunter More Details > Yandex.Metrica <= 1.2.2 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-63063 Patch Status Unpatched Published Dec 7, 2025 Affected Software Yandex.Metrica Researcher NumeX More Details > Zigaform <= 7.6.5 - Unauthenticated Form Submission Data Disclosure in rocket_front_payment_seesummary AJAX Endpoint 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13696 Patch Status Patched Published Dec 1, 2025 Affected Software Zigaform – Price Calculator & Cost Estimation Form Builder Lite Researcher Md. 
Moniruzzaman Prodhan (NomanProdhan) More Details > FluentCart A New Era of eCommerce <= 1.3.1 - Authenticated (Administrator+) SQL Injection via 'groupKey' Parameter 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-13495 Patch Status Patched Published Dec 2, 2025 Affected Software FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler Researcher Itthidej Aramsri (Boeing777) More Details > WP Directory Kit <= 1.4.6 - Authenticated (Admin+) SQL Injection 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-13090 Patch Status Patched Published Dec 1, 2025 Affected Software WP Directory Kit Researcher tmrswrr More Details > Custom Post Type UI <= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification 4.8 CVSS Rating Medium (4.8) CVE-ID CVE-2025-12826 Patch Status Patched Published Dec 3, 2025 Affected Software Custom Post Type UI Researcher mahdi salhi (CaptinSharky01) More Details > FitVids for WordPress <= 4.0.1 - Authenticated (Admin+) Stored Cross-Site Scripting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-12124 Patch Status Unpatched Published Dec 4, 2025 Affected Software FitVids for WordPress Researcher Jonas Benjamin Friedli More Details > Make Section & Column Clickable For Elementor <= 2.4 - Authenticated (Editor+) Stored Cross-Site Scripting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-63033 Patch Status Unpatched Published Dec 7, 2025 Affected Software Make Section & Column Clickable For Elementor Researcher Mdr More Details > Trail Manager <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-13682 Patch Status Unpatched Published Dec 4, 2025 Affected Software Trail Manager Researcher ChamlaVic More Details > Weekly Planner <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-12186 Patch Status Unpatched Published Dec 4, 2025 Affected Software Weekly Planner Researcher Ivan Cese More Details > Accessiy 
By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters <= 1.0.2 - Authenticated (Subscriber+) Missing Authorization to Modify Accessibility Settings 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13309 Patch Status Unpatched Published Dec 5, 2025 Affected Software Accessiy by CodeConfig Widget for ADA, EAA & WCAG Compliance Researcher Peerapat Samatathanyakorn More Details > Actionwear products sync <= 2.3.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49350 Patch Status Unpatched Published Dec 6, 2025 Affected Software Actionwear products sync Researcher Jarno Vos (jarnovos) More Details > Add Custom Codes <= 4.80 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62739 Patch Status Unpatched Published Dec 5, 2025 Affected Software Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript Researcher Certus Cybersecurity More Details > AI CoPilot <= 1.2.7 - Authenticated (Contributor+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62994 Patch Status Unpatched Published Dec 4, 2025 Affected Software WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance Researcher daroo More Details > ARK Related Posts <= 2.19 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13684 Patch Status Patched Published Dec 4, 2025 Affected Software ARK Related Posts Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Auto Alt Text <= 2.5.2 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62866 Patch Status Patched Published Dec 6, 2025 Affected Software Auto Alt Text Researcher Nabil Irawan More Details > Backup, Restore and Migrate your sites with XCloner <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save() 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-11759 Patch Status Patched Published Dec 4, 2025 Affected Software Backup, Restore and Migrate your sites 
with XCloner Researcher Rafshanzani Suhada More Details > Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12782 Patch Status Patched Published Dec 3, 2025 Affected Software Beaver Builder Page Builder – Drag and Drop Website Builder Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris Damkham More Details > Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-11726 Patch Status Patched Published Dec 1, 2025 Affected Software Beaver Builder Page Builder – Drag and Drop Website Builder Researcher Athiwat Tiprasaharn (Jitlada) More Details > Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.11.1374 - Cross-Site Request Forgery to Arbitrary File Upload 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12189 Patch Status Patched Published Dec 4, 2025 Affected Software Bread & Butter: Gate content & Improve lead conversion in 60 seconds Researcher Ryan Kozak More Details > Business Directory <= 6.4.19 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67596 Patch Status Patched Published Dec 3, 2025 Affected Software Business Directory Plugin – Easy Listing Directories for WordPress Researcher Legion Hunter More Details > Chartify <= 3.6.3 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66529 Patch Status Patched Published Dec 3, 2025 Affected Software Chartify – WordPress Chart Plugin Researcher Doan Dinh Van More Details > Contact Form by BestWebSoft <= 4.3.5 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-63056 Patch Status Unpatched Published Dec 7, 2025 Affected Software Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress Researcher Phat RiO - BlueRock 
More Details > ContentStudio <= 1.3.7 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13144 Patch Status Patched Published Dec 4, 2025 Affected Software ContentStudio Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Custom Layouts – Post + Product grids made easy <= 1.4.12 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62996 Patch Status Patched Published Dec 5, 2025 Affected Software Custom Layouts – Post + Product grids made easy Researcher daroo More Details > Custom Sidebars by ProteusThemes <= 1.0.3 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62733 Patch Status Unpatched Published Dec 4, 2025 Affected Software Custom Sidebars by ProteusThemes Researcher Nabil Irawan More Details > EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12133 Patch Status Patched Published Dec 4, 2025 Affected Software EPROLO-Dropshipping Researcher Legion Hunter More Details > Ergonet Cache <= 1.0.11 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62867 Patch Status Unpatched Published Dec 6, 2025 Affected Software Ergonet Cache Researcher Nabil Irawan More Details > Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution <= 1.9.11 - Authenticated (Subscriber+) Missing Authorization to Calendar Import and Management 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13756 Patch Status Patched Published Dec 3, 2025 Affected Software Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution Researcher Md. 
Moniruzzaman Prodhan (NomanProdhan) More Details > Gravitec.net – Web Push Notifications <= 2.9.17 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62869 Patch Status Unpatched Published Dec 6, 2025 Affected Software Gravitec.net – Web Push Notifications Researcher Nabil Irawan More Details > Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons <= 3.0.2 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62090 Patch Status Unpatched Published Dec 3, 2025 Affected Software Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons Researcher Denver Jackson More Details > Happy Addons for Elementor <= 3.20.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-63077 Patch Status Unpatched Published Dec 4, 2025 Affected Software Happy Addons for Elementor Researcher Mdr More Details > Hide Categories Or Products On Shop Page <= 1.0.7 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12128 Patch Status Unpatched Published Dec 4, 2025 Affected Software Hide Categories Or Products On Shop Page Researcher Jonas Benjamin Friedli More Details > HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13109 Patch Status Patched Published Dec 3, 2025 Affected Software HUSKY – Products Filter Professional for WooCommerce Researcher Athiwat Tiprasaharn (Jitlada) More Details > Image Cleanup <= 1.9.2 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62736 Patch Status Unpatched Published Dec 4, 2025 Affected Software Image Cleanup Researcher Nabil Irawan More Details > Image Optimizer by wps.sk <= 1.2.0 - Cross-Site Request Forgery to Bulk Image Optimization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12190 Patch Status Unpatched Published Dec 4, 2025 Affected Software Image Optimizer 
by wps.sk Researcher Sarawut Poolkhet (MisterHelloz) More Details > JNews Paywall < 12.0.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67591 Patch Status Patched Published Dec 6, 2025 Affected Software JNews Paywall Researcher Ananda Dhakal More Details > Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12574 Patch Status Unpatched Published Dec 5, 2025 Affected Software Listar – Directory Listing & Classifieds WordPress Plugin Researcher Athiwat Tiprasaharn (Jitlada) More Details > Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12577 Patch Status Unpatched Published Dec 5, 2025 Affected Software Listar – Directory Listing & Classifieds WordPress Plugin Researcher Athiwat Tiprasaharn (Jitlada) More Details > Live CSS Preview <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12354 Patch Status Unpatched Published Dec 4, 2025 Affected Software Live CSS Preview Researcher Legion Hunter More Details > Media Library Downloader <= 1.4.0 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62734 Patch Status Unpatched Published Dec 4, 2025 Affected Software Media Library Downloader Researcher Nabil Irawan More Details > MultiParcels Shipping For WooCommerce <= 1.30.12 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62995 Patch Status Unpatched Published Dec 5, 2025 Affected Software MultiParcels Shipping For WooCommerce Researcher Legion Hunter More Details > My Tickets <= 2.1.0 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64257 Patch Status Patched Published Dec 6, 2025 Affected Software My Tickets – Accessible Event Ticketing 
Researcher: daroo

Norby AI <= 1.0.3 - Cross-Site Request Forgery to Settings Update | CVSS: Medium (4.3) | CVE-2025-13362 | Patch Status: Unpatched | Published: Dec 4, 2025 | Affected Software: Norby AI | Researcher: dayea song

PDF Thumbnail Generator <= 1.4 - Cross-Site Request Forgery | CVSS: Medium (4.3) | CVE-2025-67469 | Patch Status: Patched | Published: Dec 6, 2025 | Affected Software: PDF Thumbnail Generator | Researcher: Nabil Irawan

Photo Gallery by Ays <= 6.4.8 - Cross-Site Request Forgery to Bulk Actions | CVSS: Medium (4.3) | CVE-2025-13685 | Patch Status: Patched | Published: Dec 1, 2025 | Affected Software: Photo Gallery by Ays – Responsive Image Gallery | Researcher: Deadbee

Portfolio and Projects <= 1.5.5 - Authenticated (Contributor+) Information Exposure | CVSS: Medium (4.3) | CVE-2025-67470 | Patch Status: Patched | Published: Dec 5, 2025 | Affected Software: Portfolio and Projects | Researcher: Nabil Irawan

Quantic Social Image Hover <= 1.0.8 - Cross-Site Request Forgery to Settings Update | CVSS: Medium (4.3) | CVE-2025-13360 | Patch Status: Unpatched | Published: Dec 4, 2025 | Affected Software: Quantic Social Image Hover | Researcher: dayea song

Quiz Maker <= 6.7.0.82 - Cross-Site Request Forgery | CVSS: Medium (4.3) | CVE-2025-67595 | Patch Status: Patched | Published: Dec 2, 2025 | Affected Software: Quiz Maker | Researcher: Doan Dinh Van

Salon booking system <= 10.30.3 - Cross-Site Request Forgery | CVSS: Medium (4.3) | CVE-2025-66531 | Patch Status: Patched | Published: Dec 7, 2025 | Affected Software: Salon Booking System – Free Version | Researcher: daroo

Search, Filters & Merchandising for WooCommerce <= 3.0.67 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation | CVSS: Medium (4.3) | CVE-2025-12091 | Patch Status: Patched | Published: Dec 5, 2025 | Affected Software: Search, Filters & Merchandising for WooCommerce | Researcher: Athiwat Tiprasaharn (Jitlada)

ShopEngine <= 4.8.5 - Cross-Site Request Forgery to Wishlist Manipulation | CVSS: Medium (4.3) | CVE-2025-12358 | Patch Status: Patched | Published: Dec 2, 2025 | Affected Software: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution | Researcher: Adrian Lukita

SMTP Mail <= 1.3.49 - Cross-Site Request Forgery | CVSS: Medium (4.3) | CVE-2025-62762 | Patch Status: Unpatched | Published: Dec 4, 2025 | Affected Software: SMTP Mail | Researcher: Nabil Irawan

SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Deletion | CVSS: Medium (4.3) | CVE-2025-13140 | Patch Status: Patched | Published: Dec 1, 2025 | Affected Software: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity | Researcher: Muhammad Nur Ibnu Hubab (Ibnu)

Tablesome <= 1.1.34 - Missing Authorization | CVSS: Medium (4.3) | CVE-2025-66526 | Patch Status: Patched | Published: Dec 5, 2025 | Affected Software: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | Researcher: Certus Cybersecurity

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation | CVSS: Medium (4.3) | CVE-2025-13354 | Patch Status: Patched | Published: Dec 3, 2025 | Affected Software: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI | Researcher: type5afe

Takeads <= 1.0.13 - Missing Authorization to Plugin Settings Deletion | CVSS: Medium (4.3) | CVE-2025-12370 | Patch Status: Unpatched | Published: Dec 4, 2025 | Affected Software: Takeads | Researcher: Nabil Irawan

Thank You Page Customizer for WooCommerce <= 1.1.8 - Missing Authorization | CVSS: Medium (4.3) | CVE-2025-66528 | Patch Status: Patched | Published: Dec 5, 2025 | Affected Software: Thank You Page Customizer for WooCommerce – Increase Your Sales | Researcher: daroo

Thim Elementor Kit <= 1.3.3 - Authenticated (Contributor+) Insecure Direct Object Reference | CVSS: Medium (4.3) | CVE-2025-67594 | Patch Status: Patched | Published: Dec 6, 2025 | Affected Software: Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor | Researcher: Mdr

Time Sheets <= 2.1.3 - Cross-Site Request Forgery | CVSS: Medium (4.3) | CVE-2025-10055 | Patch Status: Unpatched | Published: Dec 4, 2025 | Affected Software: Time Sheets | Researcher: Aurélien BOURDOIS (Elymaro)

Torod – The smart shipping and delivery portal for e-shops and retailers <= 1.9 - Cross-Site Request Forgery to Plugin's Settings Modification | CVSS: Medium (4.3) | CVE-2025-12373 | Patch Status: Patched | Published: Dec 4, 2025 | Affected Software: Torod – The smart shipping and delivery portal for e-shops and retailers | Researcher: Nabil Irawan

WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors <= 2.6.4 - Cross-Site Request Forgery to Vendor Product Deletion | CVSS: Medium (4.3) | CVE-2025-12130 | Patch Status: Patched | Published: Dec 4, 2025 | Affected Software: WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors | Researcher: Jonas Benjamin Friedli

Webcake – Landing Page Builder <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update | CVSS: Medium (4.3) | CVE-2025-12165 | Patch Status: Patched | Published: Dec 4, 2025 | Affected Software: Webcake – Landing Page Builder | Researcher: Legion Hunter

WooCommerce Payment Gateway – Paysera <= 3.9.0 - Missing Authorization | CVSS: Medium (4.3) | CVE-2025-63015 | Patch Status: Unpatched | Published: Dec 4, 2025 | Affected Software: Paysera Payment Gateway for WooCommerce | Researcher: Legion Hunter

WooCommerce PDF Invoices & Packing Slips <= 4.9.1 - Missing Authorization | CVSS: Medium (4.3) | CVE-2025-67589 | Patch Status: Patched | Published: Dec 7, 2025 | Affected Software: PDF Invoices & Packing Slips for WooCommerce | Researcher: Phat RiO - BlueRock

WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update | CVSS: Medium (4.3) | CVE-2025-13629 | Patch Status: Unpatched | Published: Dec 5, 2025 | Affected Software: WP Landing Page | Researcher: Ivan Cese

WPKoi Templates for Elementor <= 3.4.4 - Missing Authorization | CVSS: Medium (4.3) | CVE-2025-64274 | Patch Status: Patched | Published: Dec 6, 2025 | Affected Software: WPKoi Templates for Elementor | Researcher: benzdeus

Xagio SEO <= 7.1.0.29 - Missing Authorization | CVSS: Medium (4.3) | CVE-2025-63025 | Patch Status: Unpatched | Published: Dec 4, 2025 | Affected Software: Xagio SEO – AI Powered SEO | Researcher: Legion Hunter

As a reminder, Wordfence has curated an industry-leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published. The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 1, 2025 to December 7, 2025) appeared first on Wordfence.
Source: www.wordfence.com