Last week, there were 224 vulnerabilities disclosed in 205 WordPress Plugins and 9 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 74 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back. Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 31,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. New Firewall Rules Deployed Last Week The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WAF-RULE-884 – Data redacted while we work with the vendor on a patch. Demo Importer Plus <= 2.0.8 – Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay. Total Unpatched & Patched Vulnerabilities Last Week Patch Status Number of Vulnerabilities Patched 106 Unpatched 118 Total Vulnerabilities by CVSS Severity Last Week Severity Rating Number of Vulnerabilities Low Severity 2 Medium Severity 188 High Severity 26 Critical Severity 8 Total Vulnerabilities by CWE Type Last Week Vulnerability Type by CWE Number of Vulnerabilities Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 69 Missing Authorization 63 Cross-Site Request Forgery (CSRF) 23 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 16 Exposure of Sensitive Information to an Unauthorized Actor 12 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 10 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 7 Unrestricted Upload of File with Dangerous Type 4 Authorization Bypass Through User-Controlled Key 3 Improper Control of Generation of Code ('Code Injection') 3 Deserialization of Untrusted Data 2 Server-Side Request Forgery (SSRF) 2 Authentication Bypass by Alternate Name 1 Exposure of Private Personal Information to an Unauthorized Actor 1 External Control of File Name or Path 1 Files or Directories Accessible to External Parties 1 Improper Input Validation 1 Improper Privilege Management 1 Missing Authentication for Critical Function 1 Reliance on Cookies without Validation and Integrity Checking 1 URL Redirection to Untrusted Site ('Open Redirect') 1 Use of Insufficiently Random Values 1 Researchers That Contributed to WordPress Security Last Week Researcher Name Number of Vulnerabilities Athiwat Tiprasaharn (Jitlada) 17 Phat RiO - BlueRock 17 Nabil Irawan 14 Gilang - DJ 13 Legion Hunter 10 dayea song 9 João Pedro S Alcântara (Kinorth) 9 Muhammad Yudha - DJ 9 kr0d 8 ChamlaVic 7 daroo 7 Muhammad Nur Ibnu Hubab (Ibnu) 6 Abdulsamad Yusuf (0xVenus) 6 zer0gh0st 6 Itthidej Aramsri (Boeing777) 5 Powpy 5 Md. Moniruzzaman Prodhan (NomanProdhan) 4 Ivan Cese 4 NumeX 3 Jonas Benjamin Friedli 3 Peter Thaleikis 3 Waris Damkham 3 Varakorn Chanthasri (iCreaM) 3 Sopon Tangpathum (SoNaJaa) 3 Peerapat Samatathanyakorn 3 Dmitrii Ignatyev 3 Long Nguyen 2 stealthcopter 2 jsonc 2 shark3y 2 benzdeus 2 Muhamad Visat 2 Rafshanzani Suhada 2 Naoya Takahashi (nakko) 2 theviper17y 2 Deadbee 2 Nicolai Hellesnes (nico_) 2 Abu Hurayra (HurayraIIT) 2 zaim 2 thinnawarth mathuros 2 Webbernaut 2 Foxyyy 2 Jarno Vos (jarnovos) 1 Moose Love 1 zakaria 1 Jochem Boender 1 ifoundbug 1 Khanh Nguyen 1 Bhumividh Treloges 1 Muhammad Zeeshan (Xib3rR4dAr) 1 Muhammad Hassan (jerry) 1 rajanhoyr 1 D01EXPLOIT OFFICIAL 1 Nguyen Ngoc Quang Bach (maysbachs) 1 Bartłomiej Bergier (bergee) 1 Lucas Montes (Nirox) 1 Karol 1 Kishan Vyas 1 lucky_buddy 1 0xd4rk5id3 1 Ala Arfaoui 1 type5afe 1 NosleeP++ 1 MD ISMAIL 1 pimschaaf 1 William Cooke 1 YC_Infosec 1 tmrswrr 1 Drew Webber (mcdruid) 1 Adrian Lukita 1 Yahya Oumani (cyb3rnoob) 1 Nguyen C 1 mikemyers 1 Marcin Dudek (dudekmar) 1 Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report. WordPress Plugins with Reported Vulnerabilities Last Week Software Name Software Slug 404 Solution 404-solution a3 Lazy Load a3-lazy-load Accept Stripe Payments Using Contact Form 7 accept-stripe-payments-using-contact-form-7 Accessibility by AudioEye accessibility-by-audioeye Accordion Slider PRO accordion_slider_pro Addon Elements for Elementor (formerly Elementor Addon Elements) addon-elements-for-elementor-page-builder Advanced Product Fields (Product Addons) for WooCommerce advanced-product-fields-for-woocommerce AI Feeds ai-feeds All-in-One Addons for Elementor – WidgetKit widgetkit-for-elementor Animated Pixel Marquee Creator animated-pixel-marquee-creator AnnunciFunebri Impresa annuncifunebri-onoranza App Landing Template Blocks for WPBakery (Visual Composer) Page Builder app-template-blocks-for-wpbakery-page-builder Ayo Shortcodes ayo-shortcodes Beaver Builder Page Builder – Drag and Drop Website Builder beaver-builder-lite-version Better Addons for Elementor better-elementor-addons Blaze Demo Importer blaze-demo-importer BMLT WordPress Plugin bmlt-wordpress-satellite-plugin Bold Timeline Lite bold-timeline-lite Brevo for WooCommerce woocommerce-sendinblue-newsletter-subscription Brizy – Page Builder brizy Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links broken-link-checker-seo BSK PDF Manager bsk-pdf-manager BuddyTask buddytask BUKAZU Search widget bukazu-search-widget Buttoner for Elementor buttoner-elementor Campay Woocommerce Payment Gateway campay-api Category Dropdown List dropdown-category-list Coder for Elementor coder-elementor Coding Blocks coding-blocks Colibri Page Builder colibri-page-builder Complag omplag Contact Form 7 with ChatWork contact-form-7-with-chatwork CountDown With Image or Video Background countdown_with_background Custom Field Template custom-field-template Custom Frames custom-frames Custom Post Type UI custom-post-type-ui Data Visualizer data-visualizer DebateMaster debatemaster Design Import/Export – Styles, Templates, Template Parts and Patterns design-import-export Devs CRM – Manage tasks, attendance and teams all together devs-crm Directory Pro directory-pro Divelogs Widget divelogs-widget Doubly – Cross Domain Copy Paste for WordPress doubly Easy Map Creator easy-map-creator Easy Notify Lite easy-notify-lite Easy Property Listings easy-property-listings Easy Theme Options easy-theme-options Elated Membership eltdf-membership Email Marketing Plugin – WP Email Capture wp-email-capture Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce email-subscribers Emplibot – AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated emplibot Employee Spotlight – Team Member Showcase & Meet the Team Plugin employee-spotlight Enter Addons – Ultimate Template Builder for Elementor enteraddons Essential Real Estate essential-real-estate Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce Events Manager – Calendar, Bookings, Tickets, and more! events-manager Export WP Pages to HTML & PDF – Simply Create a Static Website export-wp-page-to-static-html Extensive VC Addons for WPBakery page builder extensive-vc-addon Eyewear prescription form eyewear-prescription-form Fancy Product Designer fancy-product-designer Filter & Grids ymc-smart-filter Fix Media Library wow-media-library-fix Flow-Flow Social Feed Stream flow-flow-social-streams Foxtool All-in-One: Contact chat button, Custom login, Media optimize images foxtool Freshchat freshchat FunnelKit – Funnel Builder for WooCommerce Checkout funnel-builder FX Currency Converter fx-currency-converter Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery simply-gallery-block GenerateBlocks generateblocks Geo Controller cf-geoplugin GPXpress gpxpress Grider for Elementor grider-elementor Guest Support guest-support HAPPY – Helpdesk Support Ticket System happy-helpdesk-support-ticket-system Head Meta Data head-meta-data Header Footer Script Adder – Insert Code in Header, Body & Footer header-and-footer-script-adder Hide Email Address bg-hide-email-address Hippoo Mobile App for WooCommerce hippoo Homey Core homey-core HT Slider For Elementor ht-slider-for-elementor Huger for Elementor huger-elementor Image Gallery – Photo Grid & Video Gallery modula-best-grid-gallery Image Slider by Ays- Responsive Slider and Carousel ays-slider IMAQ CORE imaq-core Import external attachments import-external-attachments Infility Global infility-global InstaWP Connect – 1-click WP Staging & Migration instawp-connect Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms cf7-salesforce JAY Login & Register jay-login-register JetWidgets For Elementor jetwidgets-for-elementor Jobmonster Elementor Addon jobmonster-addon Just TinyMCE Custom Styles just-tinymce-styles King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor king-addons Kirim.Email WooCommerce Integration kirimemail-woocommerce-integration Laser laser LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart lazytasks-project-task-management Leaky Paywall leaky-paywall Lightweight Accordion lightweight-accordion Like DisLike Voting like-dislike-voting List category posts list-category-posts Livemesh SiteOrigin Widgets livemesh-siteorigin-widgets LJUsers ljusers Login Lockdown & Protection login-lockdown Login Security, FireWall, Malware removal by CleanTalk security-malware-firewall Lottier for WPBakery lottier-wpbakery LS Google Map Router ls-gmap-route LT Unleashed lt-unleashed Lucky Draw Contests lucky-draw Magical Posts Display – Elementor Advanced Posts widgets magical-posts-display MailerLite – Signup forms (official) official-mailerlite-sign-up-forms Mailgun Subscriptions mailgun-subscriptions Marquee Addons for Elementor – Advanced Elements & Modern Motion Widgets marquee-addons-for-elementor Masker for Elementor masker-elementor Media File Rename, Unused File Cleaner & CSV Export Import – Add Alt for Image SEO – Media Library Tools media-library-tools MediaCommander – Bring Folders to Media, Posts, and Pages mediacommander Modalier for Elementor modalier-elementor Multi Uploader for Gravity Forms gf-multi-uploader myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. mycred Nelio Popups nelio-popups NewStatPress newstatpress Page View Count page-views-count Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress wp-user-avatar Paypal Payment Shortcode paypal-payments-shortcode PDF for Contact Form 7 + Drag and Drop Template Builder pdf-for-contact-form-7 Player Leaderboard player-leaderboard Pochipp pochipp Popover Windows popover-windows Popup Builder – Create highly converting, mobile friendly marketing popups. popup-builder Postem Ipsum postem-ipsum Premmerce Brands for WooCommerce premmerce-woocommerce-brands Premmerce Wishlist for WooCommerce premmerce-woocommerce-wishlist Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus filter-plus Purchase and Expense Manager purchase-and-expense-manager Quick Testimonials quick-testimonials Rabbit Hole rabbit-hole Redux Framework redux-framework ReFormer – Multichannel Contact Form for Elementor reformer-elementor Resource Library for Logged In Users doubledome-resource-link-library Restrict Elementor Widgets, Columns and Sections restrict-elementor-widgets Reviews Sorted reviews-sorted Reviews Widget for Google, Yelp & Recommendations fb-reviews-widget RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator feedzy-rss-feeds RTL Tester rtl-tester rtMedia for WordPress, BuddyPress and bbPress buddypress-media Secure Copy Content Protection and Content Locking secure-copy-content-protection Shopping Cart & eCommerce Store wp-easycart Shortcode Ajax shortcode-ajax Simple AL Slider simple-al-slider Simple Bike Rental simple-bike-rental Simple CSV Table simple-csv-table Simple Download Counter simple-download-counter Simple Nivo Slider simple-nivo-slider Simple post listing simple-post-listing Simple Theme Changer simple-theme-changer SimplyConvert simplyconvert Social Media Auto Publish social-media-auto-publish Social Photo Fetcher facebook-photo-fetcher Solutions Ad Manager solutions-ad-manager Spoter for Elementor spoter-elementor Store Locator WordPress agile-store-locator Tableberg – Simple Gutenberg Table Block tableberg TI WooCommerce Wishlist ti-woocommerce-wishlist Trinity Audio – Text to Speech AI audio player to convert content into audio trinity-audio Truefy Embed truefy-embed TWW Protein Calculator twwc-protein Ultimate WordPress Auction Plugin ultimate-auction Ultra Addons for Contact Form 7 ultimate-addons-for-contact-form-7 Upcoming for Calendly upcoming-for-calendly URL Media Uploader url-media-uploader URL Shortener Plugin For WordPress exact-links Userback userback Video Merchant video-merchant VigLink SpotLight By ShortCode viglink-spotlight-by-shortcode VikRentItems Flexible Rental Management System vikrentitems Vimeo SimpleGallery vimeo-simplegallery Visitor Logic Lite logic-pro WatchTowerHQ watchtowerhq Widgets for Google Reviews wp-reviews-plugin-for-google WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance ai-co-pilot-for-wp WP CarDealer wp-cardealer WP Coupons and Deals – Click to Copy Coupons wp-coupons-and-deals WP Directory Kit wpdirectorykit WP Dropzone wp-dropzone WP Fastest Cache Premium wp-fastest-cache-premium WP Flashy Marketing Automation wp-flashy-marketing-automation WP Flot wp-flot WP Job Portal – AI-Powered Recruitment System for Company or Job Board website wp-job-portal WP Recipe Maker wp-recipe-maker WP to LinkedIn Auto Publish linkedin-auto-publish WP User Manager – User Profile Builder & Membership wp-user-manager WP Views Counter wpecounter WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress wp-webhooks WP-CRM System – Manage Clients and Projects wp-crm-system WP3D Model Import Viewer wp3d-model-import-block wpForo Forum wpforo WPGancio wpgancio Wpik WordPress Basic Ajax Form wpik-wordpress-basic-ajax-form WPLG Default Mail From wplg-default-mail-from WPMasterToolKit (WPMTK) – All in one plugin wpmastertoolkit WPNakama – Team and multi-Client Collaboration, Editorial and Project Management wpnakama xPromoter top_bar_promoter YITH WooCommerce Quick View yith-woocommerce-quick-view Zenost Shortcodes zenost-shortcodes افزونه پیامک ووکامرس فوق حرفه ای (جدید) payamito sms woocommerce payamito-sms-woocommerce 评论小秘书 comments-secretary WordPress Themes with Reported Vulnerabilities Last Week Software Name Software Slug Digiqole - News Magazine WordPress Theme digiqole EduMall - Professional LMS Education Center WordPress Theme edumall Exhibz | Event Conference WordPress Theme (AI Powered) exhibz Kingcabs kingcabs Mavix Education mavix-education MinimogWP – The High Converting eCommerce WordPress Theme minimog Noo JobMonster noo-jobmonster PenNews - Multi-Purpose AMP WordPress Theme pennews Turitor - Education WordPress Theme turitor Vulnerability Details Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize. Elated Membership <= 1.2 - Authentication Bypass via Social Login 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-13613 Patch Status Patched Published Dec 9, 2025 Affected Software Elated Membership Researcher Foxyyy More Details > Export WP Page to Static HTML & PDF <= 4.3.4 - Unauthenticated Cookie Exposure via Log File 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-11693 Patch Status Patched Published Dec 12, 2025 Affected Software Export WP Pages to HTML & PDF – Simply Create a Static Website Researcher Jonas Benjamin Friedli More Details > JAY Login & Register <= 2.4.01 - Authentication Bypass via Cookie 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-14440 Patch Status Patched Published Dec 12, 2025 Affected Software JAY Login & Register Researcher kr0d More Details > LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart <= 1.2.29 - Missing Authorization to Uanuthenticated Privilege Escalation 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-12963 Patch Status Unpatched Published Dec 11, 2025 Affected Software LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart Researcher Athiwat Tiprasaharn (Jitlada) More Details > Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-14344 Patch Status Unpatched Published Dec 11, 2025 Affected Software Multi Uploader for Gravity Forms Researcher Muhammad Yudha - DJ More Details > URL Shortener Plugin For WordPress <= 3.0.7 - Unauthenticated SQL Injection 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-10738 Patch Status Unpatched Published Dec 12, 2025 Affected Software URL Shortener Plugin For WordPress Researcher ifoundbug More Details > Webhooks <= 3.3.8 - Unauthenticated Arbitrary File Upload 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-66074 Patch Status Patched Published Dec 12, 2025 Affected Software WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress Researcher Phat RiO - BlueRock More Details > WP CarDealer <= 1.2.16 - Unauthenticated Privilege Escalation 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-13764 Patch Status Patched Published Dec 10, 2025 Affected Software WP CarDealer Researcher Foxyyy More Details > Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-14476 Patch Status Unpatched Published Dec 12, 2025 Affected Software Doubly – Cross Domain Copy Paste for WordPress Researcher Bartłomiej Bergier (bergee) More Details > Infility Global <= 2.14.23 - Authenticated (Subscriber+) Arbitrary File Upload 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-12968 Patch Status Unpatched Published Dec 11, 2025 Affected Software Infility Global Researcher kr0d More Details > Player Leaderboard 1.0.0 - 1.0.2 - Authenticated (Contributor+) Local File Inclusion 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-12824 Patch Status Patched Published Dec 11, 2025 Affected Software Player Leaderboard Researcher kr0d More Details > Postem Ipsum <= 3.0.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation in postem_ipsum_generate_users 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-14397 Patch Status Unpatched Published Dec 12, 2025 Affected Software Postem Ipsum Researcher kr0d More Details > Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-14390 Patch Status Unpatched Published Dec 9, 2025 Affected Software Video Merchant Researcher Ala Arfaoui More Details > WP3D Model Import Viewer <= 1.0.7 - Authenticated (Contributor+) Arbitrary File Upload 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-13094 Patch Status Unpatched Published Dec 12, 2025 Affected Software WP3D Model Import Viewer Researcher kr0d More Details > Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-13334 Patch Status Patched Published Dec 11, 2025 Affected Software Blaze Demo Importer Researcher kr0d More Details > Extensive VC Addons for WPBakery page builder <= 1.9.1 - Unauthenticated Local File Inclusion via 'shortcode_name' Parameter 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-14475 Patch Status Unpatched Published Dec 12, 2025 Affected Software Extensive VC Addons for WPBakery page builder Researcher Naoya Takahashi (nakko) More Details > Visitor Logic Lite <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-14044 Patch Status Unpatched Published Dec 11, 2025 Affected Software Visitor Logic Lite Researcher Ivan Cese More Details > Digiqole < 2.2.7 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67527 Patch Status Patched Published Dec 13, 2025 Affected Software Digiqole - News Magazine WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > EduMall <= 4.4.7 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68061 Patch Status Unpatched Published Dec 14, 2025 Affected Software EduMall - Professional LMS Education Center WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Exhibz <= 3.0.9 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67523 Patch Status Patched Published Dec 13, 2025 Affected Software Exhibz | Event Conference WordPress Theme (AI Powered) Researcher João Pedro S Alcântara (Kinorth) More Details > FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.5 - Unauthenticated SQL Injection 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-14169 Patch Status Patched Published Dec 11, 2025 Affected Software FunnelKit – Funnel Builder for WooCommerce Checkout Researcher Marcin Dudek (dudekmar) More Details > Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-13339 Patch Status Patched Published Dec 9, 2025 Affected Software Hippoo Mobile App for WooCommerce Researcher Moose Love More Details > Jobmonster <= 4.8.2 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67522 Patch Status Patched Published Dec 12, 2025 Affected Software Noo JobMonster Researcher João Pedro S Alcântara (Kinorth) More Details > Jobmonster Elementor Addon <= 1.1.4 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67524 Patch Status Patched Published Dec 12, 2025 Affected Software Jobmonster Elementor Addon Researcher João Pedro S Alcântara (Kinorth) More Details > LT Unleashed <= 1.1.1 - Authenticated (Contributor+) Local File Inclusion via 'template' Parameter 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-13886 Patch Status Unpatched Published Dec 11, 2025 Affected Software LT Unleashed Researcher Muhammad Yudha - DJ More Details > MinimogWP <= 3.9.6 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68062 Patch Status Unpatched Published Dec 13, 2025 Affected Software MinimogWP – The High Converting eCommerce WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Turitor < 1.5.3 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67531 Patch Status Patched Published Dec 13, 2025 Affected Software Turitor - Education WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > WP Directory Kit <= 1.4.7 - Unauthenticated SQL Injection 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-13089 Patch Status Patched Published Dec 12, 2025 Affected Software WP Directory Kit Researcher tmrswrr More Details > wpForo Forum <= 2.4.12 - Unauthenticated SQL Injection 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-13126 Patch Status Patched Published Dec 13, 2025 Affected Software wpForo Forum Researcher Muhamad Visat More Details > WPNakama <= 0.6.3 - Unauthenticated SQL Injection via 'order_by' Parameter 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-14068 Patch Status Patched Published Dec 11, 2025 Affected Software WPNakama – Team and multi-Client Collaboration, Editorial and Project Management Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris DamkhamVarakorn Chanthasri (iCreaM)Peerapat SamatathanyakornSopon Tangpathum (SoNaJaa) More Details > افزونه پیامک ووکامرس فوق حرفه ای (جدید) payamito sms woocommerce <= 1.3.5 - Unauthenticated Time-Based Blind SQL Injection 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-13077 Patch Status Unpatched Published Dec 12, 2025 Affected Software افزونه پیامک ووکامرس فوق حرفه ای (جدید) payamito sms woocommerce Researcher lucky_buddy More Details > Fancy Product Designer <= 6.4.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-12570 Patch Status Patched Published Dec 11, 2025 Affected Software Fancy Product Designer Researchers Muhammad Zeeshan (Xib3rR4dAr)Muhammad Hassan (jerry) More Details > Login Security, FireWall, Malware removal by CleanTalk <= 2.168 - Unauthenticated Stored Cross-Site Scripting via Page URL 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-13604 Patch Status Patched Published Dec 8, 2025 Affected Software Login Security, FireWall, Malware removal by CleanTalk Researcher shark3y More Details > Social Reviews & Recommendations <= 2.5 - Unauthenticated Stored Cross-Site Scripting via Social Media Reviews 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-12705 Patch Status Patched Published Dec 8, 2025 Affected Software Reviews Widget for Google, Yelp & Recommendations Researcher Kishan Vyas More Details > WP User Manager <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter 6.8 CVSS Rating Medium (6.8) CVE-ID CVE-2025-13320 Patch Status Patched Published Dec 11, 2025 Affected Software WP User Manager – User Profile Builder & Membership Researcher YC_Infosec More Details > Accordion Slider PRO <= 1.2 - Authenticated (Contributor+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-67518 Patch Status Patched Published Dec 14, 2025 Affected Software Accordion Slider PRO Researcher Phat RiO - BlueRock More Details > Brizy – Page Builder <= 2.7.16 - Authenticated (Contributor+) Sensitive Information Exposure via get_users Function 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-0969 Patch Status Patched Published Dec 12, 2025 Affected Software Brizy – Page Builder Researcher stealthcopter More Details > Broken Link Checker <= 1.2.6 - Authenticated (Author+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-67962 Patch Status Patched Published Dec 9, 2025 Affected Software Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links Researcher Drew Webber (mcdruid) More Details > BuddyTask <= 1.3.0 - Missing Authorization to Authenticated (Subscriber+) Cross-Group Task Board Access and Manipulation 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14064 Patch Status Patched Published Dec 11, 2025 Affected Software BuddyTask Researcher Itthidej Aramsri (Boeing777) More Details > CountDown With Image or Video Background <= 1.5 - Authenticated (Contributor+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-68054 Patch Status Unpatched Published Dec 14, 2025 Affected Software CountDown With Image or Video Background Researcher Phat RiO - BlueRock More Details > Image Gallery – Photo Grid & Video Gallery (Modula) <= 2.13.3 - Missing Authorization to Arbitrary Directory Listing 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-13891 Patch Status Patched Published Dec 11, 2025 Affected Software Image Gallery – Photo Grid & Video Gallery Researcher Dmitrii Ignatyev More Details > List Category Posts <= 0.91.0 - Authenticated (Contributor+) SQL Injection via Plugin's Shortcode 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-10163 Patch Status Patched Published Dec 10, 2025 Affected Software List category posts Researcher Khanh Nguyen More Details > Media Library Tools <= 1.6.15 - Authenticated (Author+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-67520 Patch Status Patched Published Dec 11, 2025 Affected Software Media File Rename, Unused File Cleaner & CSV Export Import – Add Alt for Image SEO – Media Library Tools Researcher daroo More Details > MediaCommander – Bring Folders to Media, Posts, and Pages <= 2.3.1 - Missing Authorization to Authenticated (Author+) Media Folder Deletion 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14508 Patch Status Patched Published Dec 12, 2025 Affected Software MediaCommander – Bring Folders to Media, Posts, and Pages Researcher Athiwat Tiprasaharn (Jitlada) More Details > Popup Builder <= 1.1.37 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Reset 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14446 Patch Status Patched Published Dec 12, 2025 Affected Software Easy Notify Lite Researcher Athiwat Tiprasaharn (Jitlada) More Details > Simple CSV Table <= 1.0.1 - Directory Traversal to Authenticated (Contributor+) Arbitrary File Read 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-12960 Patch Status Patched Published Dec 11, 2025 Affected Software Simple CSV Table Researcher Ivan Cese More Details > Store Locator WordPress <= 1.6.2 - Authenticated (Contributor+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-67516 Patch Status Patched Published Dec 14, 2025 Affected Software Store Locator WordPress Researcher Jarno Vos (jarnovos) More Details > WP Job Portal <= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-14293 Patch Status Unpatched Published Dec 11, 2025 Affected Software WP Job Portal – AI-Powered Recruitment System for Company or Job Board website Researcher Long Nguyen More Details > xPromoter <= 1.3.4 - Authenticated (Contributor+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-68053 Patch Status Unpatched Published Dec 14, 2025 Affected Software xPromoter Researcher Phat RiO - BlueRock More Details > a3 Lazy Load <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-9873 Patch Status Patched Published Dec 12, 2025 Affected Software a3 Lazy Load Researcher stealthcopter More Details > Addon Elements for Elementor <= 1.14.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12537 Patch Status Patched Published Dec 13, 2025 Affected Software Addon Elements for Elementor (formerly Elementor Addon Elements) Researcher Webbernaut More Details > AI Feeds <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14030 Patch Status Patched Published Dec 11, 2025 Affected Software AI Feeds Researcher Athiwat Tiprasaharn (Jitlada) More Details > All-in-One Addons for Elementor – WidgetKit <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team and Countdown Widgets 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-8779 Patch Status Patched Published Dec 12, 2025 Affected Software All-in-One Addons for Elementor – WidgetKit Researcher zer0gh0st More Details > App Landing Template Blocks for WPBakery Page Builder <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14119 Patch Status Unpatched Published Dec 11, 2025 Affected Software App Landing Template Blocks for WPBakery (Visual Composer) Page Builder Researcher Muhammad Yudha - DJ More Details > Ayo Shortcodes <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14143 Patch Status Unpatched Published Dec 11, 2025 Affected Software Ayo Shortcodes Researcher zakaria More Details > Better Elementor Addons <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Slider Widget 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12830 Patch Status Unpatched Published Dec 11, 2025 Affected Software Better Addons for Elementor Researcher Abu Hurayra (HurayraIIT) More Details > Bold Timeline Lite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Parameter in 'bold_timeline_group' Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14032 Patch Status Patched Published Dec 11, 2025 Affected Software Bold Timeline Lite Researcher zaim More Details > BUKAZU Search widget <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13840 Patch Status Unpatched Published Dec 11, 2025 Affected Software BUKAZU Search widget Researcher Gilang - DJ More Details > Colibri Page Builder <= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11376 Patch Status Patched Published Dec 12, 2025 Affected Software Colibri Page Builder Researcher Rafshanzani Suhada More Details > Custom Frames <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Parameter 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13705 Patch Status Unpatched Published Dec 12, 2025 Affected Software Custom Frames Researcher theviper17y More Details > Data Visualizer <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13961 Patch Status Unpatched Published Dec 11, 2025 Affected Software Data Visualizer Researcher Gilang - DJ More Details > Divelogs Widget <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13962 Patch Status Patched Published Dec 11, 2025 Affected Software Divelogs Widget Researcher Gilang - DJ More Details > Easy Map Creator <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13846 Patch Status Unpatched Published Dec 11, 2025 Affected Software Easy Map Creator Researcher Gilang - DJ More Details > Enter Addons <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-8687 Patch Status Patched Published Dec 12, 2025 Affected Software Enter Addons – Ultimate Template Builder for Elementor Researcher zer0gh0st More Details > Flow-Flow Social Feed Stream 3.0.0 - 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via flow_flow_social_auth AJAX action 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13866 Patch Status Unpatched Published Dec 11, 2025 Affected Software Flow-Flow Social Feed Stream Researcher kr0d More Details > FX Currency Converter <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13963 Patch Status Patched Published Dec 11, 2025 Affected Software FX Currency Converter Researcher Gilang - DJ More Details > GPXpress <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13960 Patch Status Unpatched Published Dec 11, 2025 Affected Software GPXpress Researcher Gilang - DJ More Details > Head Meta Data <= 20250327 - Authenticated (Author+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-66081 Patch Status Patched Published Dec 14, 2025 Affected Software Head Meta Data Researcher Athiwat Tiprasaharn (Jitlada) More Details > Header Footer Script Adder – Insert Code in Header, Body & Footer <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12109 Patch Status Patched Published Dec 12, 2025 Affected Software Header Footer Script Adder – Insert Code in Header, Body & Footer Researcher Powpy More Details > Hide Email Address <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13884 Patch Status Unpatched Published Dec 11, 2025 Affected Software Hide Email Address Researcher Muhammad Yudha - DJ More Details > HT Slider for Elementor <= 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14278 Patch Status Patched Published Dec 12, 2025 Affected Software HT Slider For Elementor Researcher Webbernaut More Details > JetWidgets For Elementor <= 1.0.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison and Subscribe Widgets 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-8195 Patch Status Patched Published Dec 12, 2025 Affected Software JetWidgets For Elementor Researcher zer0gh0st More Details > King Addons for Elementor <= 51.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-7960 Patch Status Unpatched Published Dec 12, 2025 Affected Software King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor Researcher zer0gh0st More Details > Kingcabs <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via progressbarLayout Parameter 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-7058 Patch Status Patched Published Dec 12, 2025 Affected Software Kingcabs Researcher Peter Thaleikis More Details > Lightweight Accordion <= 1.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13740 Patch Status Patched Published Dec 14, 2025 Affected Software Lightweight Accordion Researcher Muhammad Yudha - DJ More Details > Livemesh SiteOrigin Widgets <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-8780 Patch Status Patched Published Dec 12, 2025 Affected Software Livemesh SiteOrigin Widgets Researcher zer0gh0st More Details > LJUsers <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13839 Patch Status Unpatched Published Dec 11, 2025 Affected Software LJUsers Researcher Gilang - DJ More Details > LS Google Map Router <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13850 Patch Status Unpatched Published Dec 11, 2025 Affected Software LS Google Map Router Researcher Gilang - DJ More Details > Magical Posts Display <= 1.2.54 - Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12965 Patch Status Patched Published Dec 11, 2025 Affected Software Magical Posts Display – Elementor Advanced Posts widgets Researcher Abu Hurayra (HurayraIIT) More Details > Mailgun Subscriptions <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11876 Patch Status Patched Published Dec 11, 2025 Affected Software Mailgun Subscriptions Researcher Gilang - DJ More Details > MarqueeAddons <= 2.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Marquee Widget 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-8199 Patch Status Patched Published Dec 12, 2025 Affected Software Marquee Addons for Elementor – Advanced Elements & Modern Motion Widgets Researcher zer0gh0st More Details > Nelio Popups <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-66111 Patch Status Patched Published Dec 10, 2025 Affected Software Nelio Popups Researcher daroo More Details > NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13747 Patch Status Unpatched Published Dec 11, 2025 Affected Software NewStatPress Researcher Muhammad Yudha - DJ More Details > Paypal Payment Shortcode <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buttom_image' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13966 Patch Status Unpatched Published Dec 11, 2025 Affected Software Paypal Payment Shortcode Researcher Muhammad Yudha - DJ More Details > Popup Builder – Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-9856 Patch Status Patched Published Dec 12, 2025 Affected Software Popup Builder – Create highly converting, mobile friendly marketing popups. Researcher Naoya Takahashi (nakko) More Details > Redux Framework <= 4.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via data Parameter 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-9488 Patch Status Patched Published Dec 12, 2025 Affected Software Redux Framework Researcher Muhammad Yudha - DJ More Details > Reviews Sorted <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'space' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13969 Patch Status Unpatched Published Dec 11, 2025 Affected Software Reviews Sorted Researcher Gilang - DJ More Details > Simple Nivo Slider <= 0.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13889 Patch Status Unpatched Published Dec 11, 2025 Affected Software Simple Nivo Slider Researcher Peter Thaleikis More Details > Simple post listing <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12650 Patch Status Unpatched Published Dec 11, 2025 Affected Software Simple post listing Researcher Peter Thaleikis More Details > VigLink SpotLight By ShortCode <= 1.0.a - Authenticated (Contributor+) Stored Cross-Site Scripting via 'float' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13843 Patch Status Unpatched Published Dec 11, 2025 Affected Software VigLink SpotLight By ShortCode Researcher Gilang - DJ More Details > Widgets for Google Reviews <= 13.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trustindex Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-9436 Patch Status Patched Published Dec 10, 2025 Affected Software Widgets for Google Reviews Researcher Muhammad Yudha - DJ More Details > WP Dropzone <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'callback' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13989 Patch Status Unpatched Published Dec 11, 2025 Affected Software WP Dropzone Researcher Itthidej Aramsri (Boeing777) More Details > WP Flot <= 0.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13906 Patch Status Unpatched Published Dec 11, 2025 Affected Software WP Flot Researcher Gilang - DJ More Details > WPGancio <= 1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13904 Patch Status Unpatched Published Dec 11, 2025 Affected Software WPGancio Researcher Gilang - DJ More Details > Wpik WordPress Basic Ajax Form <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14393 Patch Status Unpatched Published Dec 11, 2025 Affected Software Wpik WordPress Basic Ajax Form Researcher dayea song More Details > YITH WooCommerce Quick View <= 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via yith_quick_view Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-8617 Patch Status Patched Published Dec 12, 2025 Affected Software YITH WooCommerce Quick View Researcher zaim More Details > Zenost Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13885 Patch Status Unpatched Published Dec 11, 2025 Affected Software Zenost Shortcodes Researcher theviper17y More Details > Accept Stripe Payments Using Contact Form 7 <= 3.1 - Reflected Cross-Site Scripting via failure_message 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12834 Patch Status Patched Published Dec 11, 2025 Affected Software Accept Stripe Payments Using Contact Form 7 Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Category Dropdown List <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14132 Patch Status Unpatched Published Dec 11, 2025 Affected Software Category Dropdown List Researcher Abdulsamad Yusuf (0xVenus) More Details > Complag <= 1.0.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14125 Patch Status Unpatched Published Dec 11, 2025 Affected Software Complag Researcher Abdulsamad Yusuf (0xVenus) More Details > Like DisLike Voting <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14129 Patch Status Unpatched Published Dec 11, 2025 Affected Software Like DisLike Voting Researcher Abdulsamad Yusuf (0xVenus) More Details > Simple AL Slider <= 1.2.10 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14137 Patch Status Unpatched Published Dec 11, 2025 Affected Software Simple AL Slider Researcher Abdulsamad Yusuf (0xVenus) More Details > Social Media Auto Publish <= 3.6.5 - Reflected Cross-Site Scripting via PostMessage 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12076 Patch Status Patched Published Dec 12, 2025 Affected Software Social Media Auto Publish Researcher Nicolai Hellesnes (nico_) More Details > VikRentItems Flexible Rental Management System <= 1.2.0 - Reflected Cross-Site Scripting via 'delto' Parameter 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14049 Patch Status Patched Published Dec 11, 2025 Affected Software VikRentItems Flexible Rental Management System Researcher Athiwat Tiprasaharn (Jitlada) More Details > WP to LinkedIn Auto Publish <= 1.9.8 - Reflected Cross-Site Scripting via PostMessage 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12077 Patch Status Patched Published Dec 12, 2025 Affected Software WP to LinkedIn Auto Publish Researcher Nicolai Hellesnes (nico_) More Details > WPLG Default Mail From <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14138 Patch Status Unpatched Published Dec 11, 2025 Affected Software WPLG Default Mail From Researcher Abdulsamad Yusuf (0xVenus) More Details > 评论小秘书 <= 1.3.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13988 Patch Status Unpatched Published Dec 11, 2025 Affected Software 评论小秘书 Researcher Abdulsamad Yusuf (0xVenus) More Details > Filter & Grids <= 3.2.0 - Unauthenticated SQL Injection 5.9 CVSS Rating Medium (5.9) CVE-ID CVE-2025-10289 Patch Status Patched Published Dec 12, 2025 Affected Software Filter & Grids Researcher mikemyers More Details > RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 5.1.1 - Unauthenticated Blind Server-Side Request Forgery 5.8 CVSS Rating Medium (5.8) CVE-ID CVE-2025-11467 Patch Status Patched Published Dec 10, 2025 Affected Software RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator Researcher Lucas Montes (Nirox) More Details > BSK PDF Manager <= 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload 5.5 CVSS Rating Medium (5.5) CVE-ID CVE-2025-4970 Patch Status Patched Published Dec 11, 2025 Affected Software BSK PDF Manager Researcher rajanhoyr More Details > MailerLite – Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting 5.5 CVSS Rating Medium (5.5) CVE-ID CVE-2025-13993 Patch Status Patched Published Dec 11, 2025 Affected Software MailerLite – Signup forms (official) Researcher NosleeP++ More Details > ProfilePress <= 4.16.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-13642 Patch Status Patched Published Dec 8, 2025 Affected Software Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress Researcher Nguyen Ngoc Quang Bach (maysbachs) More Details > Shortcode Loader <= 1.0 - Unauthenticated Arbitrary Shortcode Execution via 'code' Parameter 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-14539 Patch Status Unpatched Published Dec 12, 2025 Affected Software Shortcode Ajax Researcher Ivan Cese More Details > AnnunciFunebri Impresa <= 4.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14447 Patch Status Unpatched Published Dec 12, 2025 Affected Software AnnunciFunebri Impresa Researcher Legion Hunter More Details > Campay Woocommerce Payment Gateway <= 1.2.2 - Unauthenticated Payment Bypass 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12883 Patch Status Unpatched Published Dec 11, 2025 Affected Software Campay Woocommerce Payment Gateway Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Missing Authorization to Unauthenticated Lead Tag Update 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13093 Patch Status Unpatched Published Dec 12, 2025 Affected Software Devs CRM – Manage tasks, attendance and teams all together Researcher Athiwat Tiprasaharn (Jitlada) More Details > Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Unauthenticated Information Expsoure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13092 Patch Status Unpatched Published Dec 12, 2025 Affected Software Devs CRM – Manage tasks, attendance and teams all together Researcher Athiwat Tiprasaharn (Jitlada) More Details > Easy Theme Options <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Import 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14367 Patch Status Unpatched Published Dec 12, 2025 Affected Software Easy Theme Options Researcher Legion Hunter More Details > EasyCart <= 5.8.11 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62997 Patch Status Unpatched Published Dec 8, 2025 Affected Software Shopping Cart & eCommerce Store Researcher benzdeus More Details > Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12348 Patch Status Patched Published Dec 11, 2025 Affected Software Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce Researcher Adrian Lukita More Details > Employee Spotlight – Team Member Showcase & Meet the Team Plugin <= 5.1.3 - Missing Authorization to Authenticated (Subscriber+) Tracking Opt-In/Opt-Out Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13403 Patch Status Patched Published Dec 12, 2025 Affected Software Employee Spotlight – Team Member Showcase & Meet the Team Plugin Researcher Legion Hunter More Details > Essential Real Estate <= 5.2.2 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66127 Patch Status Unpatched Published Dec 14, 2025 Affected Software Essential Real Estate Researcher daroo More Details > Eupago Gateway For Woocommerce <= 4.6.3 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62870 Patch Status Unpatched Published Dec 8, 2025 Affected Software Eupago Gateway For Woocommerce Researcher 0xd4rk5id3 More Details > Events Manager <= 7.2.2.2 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12408 Patch Status Patched Published Dec 11, 2025 Affected Software Events Manager – Calendar, Bookings, Tickets, and more! Researcher thinnawarth mathuros More Details > Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14365 Patch Status Unpatched Published Dec 12, 2025 Affected Software Eyewear prescription form Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyPeerapat Samatathanyakorn More Details > Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14366 Patch Status Unpatched Published Dec 12, 2025 Affected Software Eyewear prescription form Researchers Athiwat Tiprasaharn (Jitlada)Waris DamkhamVarakorn Chanthasri (iCreaM)Sopon Tangpathum (SoNaJaa) More Details > Fix Media Library <= 2.0 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66126 Patch Status Unpatched Published Dec 12, 2025 Affected Software Fix Media Library Researcher Nabil Irawan More Details > Geo Controller <= 8.9.4 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62109 Patch Status Unpatched Published Dec 8, 2025 Affected Software Geo Controller Researcher Nabil Irawan More Details > Guest Support <= 1.2.3 - Unauthenticated User Email Disclosure in guest_support_handler AJAX Endpoint 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13660 Patch Status Patched Published Dec 11, 2025 Affected Software Guest Support Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > HAPPY – Helpdesk Support Ticket System <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Reply 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14581 Patch Status Patched Published Dec 12, 2025 Affected Software HAPPY – Helpdesk Support Ticket System Researcher Md. Moniruzzaman Prodhan (NomanProdhan) More Details > Hippoo Mobile App for WooCommerce <= 1.7.1 - Missing Authorization to Unauthenticated Limited File Write 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12655 Patch Status Patched Published Dec 11, 2025 Affected Software Hippoo Mobile App for WooCommerce Researcher NumeX More Details > Homey Core <= 2.4.3 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67965 Patch Status Patched Published Dec 10, 2025 Affected Software Homey Core Researcher João Pedro S Alcântara (Kinorth) More Details > InstaWP Connect <= 0.1.1.9 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66068 Patch Status Patched Published Dec 12, 2025 Affected Software InstaWP Connect – 1-click WP Staging & Migration Researcher Legion Hunter More Details > Leaky Paywall <= 4.22.5 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66124 Patch Status Unpatched Published Dec 10, 2025 Affected Software Leaky Paywall Researcher Legion Hunter More Details > Login Lockdown & Protection <= 2.14 - IP Block Bypass 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-11707 Patch Status Patched Published Dec 12, 2025 Affected Software Login Lockdown & Protection Researcher William Cooke More Details > myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7 - Missing Authorization to Unauthenticated Withdrawal Request Approval 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12362 Patch Status Patched Published Dec 12, 2025 Affected Software myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. Researcher Rafshanzani Suhada More Details > PDF for Contact Form 7 + Drag and Drop Template Builder <= 6.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Duplication 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14074 Patch Status Patched Published Dec 11, 2025 Affected Software PDF for Contact Form 7 + Drag and Drop Template Builder Researcher Legion Hunter More Details > PenNews < 6.7.4 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67572 Patch Status Patched Published Dec 14, 2025 Affected Software PenNews - Multi-Purpose AMP WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Pochipp <= 1.18.0 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66129 Patch Status Unpatched Published Dec 14, 2025 Affected Software Pochipp Researcher NumeX More Details > Premmerce Wishlist for WooCommerce <= 1.1.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wishlist Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13440 Patch Status Unpatched Published Dec 11, 2025 Affected Software Premmerce Wishlist for WooCommerce Researcher Legion Hunter More Details > Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13314 Patch Status Patched Published Dec 11, 2025 Affected Software Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus Researcher Athiwat Tiprasaharn (Jitlada) More Details > Secure Copy Content Protection and Content Locking <= 4.9.2 - Unauthenticated Sensitive Information Exposure via Exposed CSV Export File 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14442 Patch Status Patched Published Dec 11, 2025 Affected Software Secure Copy Content Protection and Content Locking Researcher Deadbee More Details > Sendinblue for WooCommerce <= 4.0.49 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66128 Patch Status Unpatched Published Dec 14, 2025 Affected Software Brevo for WooCommerce Researcher NumeX More Details > Simple Bike Rental <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Booking Data Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14065 Patch Status Patched Published Dec 11, 2025 Affected Software Simple Bike Rental Researcher Athiwat Tiprasaharn (Jitlada) More Details > TI WooCommerce Wishlist <= 2.10.0 - Unauthenticated HTML Injection 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-9207 Patch Status Patched Published Dec 12, 2025 Affected Software TI WooCommerce Wishlist Researcher pimschaaf More Details > Ultimate Auction <= 4.3.2 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66125 Patch Status Unpatched Published Dec 12, 2025 Affected Software Ultimate WordPress Auction Plugin Researcher daroo More Details > Views Counter <= 2.1.2 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66130 Patch Status Unpatched Published Dec 14, 2025 Affected Software WP Views Counter Researcher Legion Hunter More Details > Vimeo SimpleGallery <= 0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14170 Patch Status Unpatched Published Dec 11, 2025 Affected Software Vimeo SimpleGallery Researcher Legion Hunter More Details > WP-CRM System <= 3.4.5 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62740 Patch Status Unpatched Published Dec 8, 2025 Affected Software WP-CRM System – Manage Clients and Projects Researcher Legion Hunter More Details > WPMasterToolKit (WPMTK) <= 2.13.0 - Authenticated (Contributor+) Code Injection 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14166 Patch Status Patched Published Dec 11, 2025 Affected Software WPMasterToolKit (WPMTK) – All in one plugin Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris DamkhamVarakorn Chanthasri (iCreaM)Peerapat SamatathanyakornSopon Tangpathum (SoNaJaa) More Details > 404 Solution <= 3.1.0 - Authenticated (Admin+) SQL Injection via 'filterText' Parameter 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-14477 Patch Status Patched Published Dec 12, 2025 Affected Software 404 Solution Researcher Muhamad Visat More Details > Design Import/Export <= 2.2 - Authenticated (Administrator+) SQL Injection via XML File Import 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-14050 Patch Status Patched Published Dec 12, 2025 Affected Software Design Import/Export – Styles, Templates, Template Parts and Patterns Researcher ChamlaVic More Details > Simple Download Counter <= 2.2.2 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-13677 Patch Status Patched Published Dec 9, 2025 Affected Software Simple Download Counter Researcher ChamlaVic More Details > WatchTowerHQ <= 3.15.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter 4.9 CVSS Rating Medium (4.9) CVE-ID CVE-2025-13972 Patch Status Unpatched Published Dec 11, 2025 Affected Software WatchTowerHQ Researcher ChamlaVic More Details > Solutions Ad Manager <= 1.0.0 - Unauthenticated Open Redirect via 'sam-redirect-to' Parameter 4.7 CVSS Rating Medium (4.7) CVE-ID CVE-2025-14451 Patch Status Unpatched Published Dec 12, 2025 Affected Software Solutions Ad Manager Researcher Ivan Cese More Details > Contact Form 7 with ChatWork <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'api_token' and 'roomid' Settings 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-13975 Patch Status Unpatched Published Dec 11, 2025 Affected Software Contact Form 7 with ChatWork Researcher Yahya Oumani (cyb3rnoob) More Details > Custom Post Type UI <= 1.18.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'label' Import Parameter 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14056 Patch Status Patched Published Dec 12, 2025 Affected Software Custom Post Type UI Researcher type5afe More Details > DebateMaster <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Color Options via 'debate' Shortcode 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14035 Patch Status Unpatched Published Dec 11, 2025 Affected Software DebateMaster Researcher ChamlaVic More Details > Emplibot – AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated <= 1.0.9 - Authenticated (Admin+) Server-Side Request Forgery 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-11970 Patch Status Patched Published Dec 12, 2025 Affected Software Emplibot – AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated Researcher Jonas Benjamin Friedli More Details > Quick Testimonials <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14378 Patch Status Unpatched Published Dec 12, 2025 Affected Software Quick Testimonials Researcher Jochem Boender More Details > SimplyConvert <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'simplyconvert_hash' Option 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14048 Patch Status Unpatched Published Dec 11, 2025 Affected Software SimplyConvert Researcher Bhumividh Treloges More Details > TWW Protein Calculator <= 1.0.24 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Header' Setting 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-13971 Patch Status Unpatched Published Dec 11, 2025 Affected Software TWW Protein Calculator Researcher ChamlaVic More Details > WP Job Portal <= 2.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field 4.4 CVSS Rating Medium (4.4) CVE-ID CVE-2025-14467 Patch Status Unpatched Published Dec 11, 2025 Affected Software WP Job Portal – AI-Powered Recruitment System for Company or Job Board website Researcher Long Nguyen More Details > Accessibility by AudioEye <= 1.0.49 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64246 Patch Status Patched Published Dec 14, 2025 Affected Software Accessibility by AudioEye Researcher Nabil Irawan More Details > Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.17 - Cross-Site Request Forgery to Product Field Group Duplication and Publication 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13924 Patch Status Patched Published Dec 8, 2025 Affected Software Advanced Product Fields (Product Addons) for WooCommerce Researcher Nguyen C More Details > AI CoPilot <= 1.2.7 - Authenticated (Contributor+) Sensitive Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62998 Patch Status Unpatched Published Dec 8, 2025 Affected Software WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance Researcher benzdeus More Details > Animated Pixel Marquee Creator <= 1.0.0 - Cross-Site Request Forgery via 'marquee' Parameter 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14062 Patch Status Unpatched Published Dec 11, 2025 Affected Software Animated Pixel Marquee Creator Researcher ChamlaVic More Details > Beaver Builder – WordPress Page Builder <= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12558 Patch Status Patched Published Dec 8, 2025 Affected Software Beaver Builder Page Builder – Drag and Drop Website Builder Researcher Athiwat Tiprasaharn (Jitlada) More Details > BMLT WordPress Plugin <= 3.11.4 - Cross-Site Request Forgery to Settings Creation and Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14162 Patch Status Unpatched Published Dec 11, 2025 Affected Software BMLT WordPress Plugin Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Buttoner for Elementor <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Settings Change 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68085 Patch Status Unpatched Published Dec 11, 2025 Affected Software Buttoner for Elementor Researcher Phat RiO - BlueRock More Details > Coder for Elementor <= 1.0.13 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66147 Patch Status Unpatched Published Dec 10, 2025 Affected Software Coder for Elementor Researcher Phat RiO - BlueRock More Details > Coding Blocks <= 1.1.0 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14158 Patch Status Unpatched Published Dec 11, 2025 Affected Software Coding Blocks Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Coupons and Deals <= 3.2.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64241 Patch Status Unpatched Published Dec 11, 2025 Affected Software WP Coupons and Deals – Click to Copy Coupons Researcher Nabil Irawan More Details > Custom Field Template <= 2.7.5 - Authenticated (Subscriber+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-63058 Patch Status Unpatched Published Dec 8, 2025 Affected Software Custom Field Template Researcher Phat RiO - BlueRock More Details > Directory Pro <= 2.5.6 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64243 Patch Status Unpatched Published Dec 12, 2025 Affected Software Directory Pro Researcher Phat RiO - BlueRock More Details > Easy Property Listings <= 3.5.16 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64242 Patch Status Unpatched Published Dec 12, 2025 Affected Software Easy Property Listings Researcher daroo More Details > Email Capture <= 3.12.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67578 Patch Status Patched Published Dec 8, 2025 Affected Software Email Marketing Plugin – WP Email Capture Researcher Nabil Irawan More Details > Essential Real Estate <= 5.2.2 - Authenticated (ERE Customer+) Insecure Direct Object Reference 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68071 Patch Status Unpatched Published Dec 14, 2025 Affected Software Essential Real Estate Researcher daroo More Details > Events Manager – Calendar, Bookings, Tickets, and more! <= 7.2.2.2 - Cross-Site Request Forgery to Location Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12407 Patch Status Patched Published Dec 11, 2025 Affected Software Events Manager – Calendar, Bookings, Tickets, and more! Researcher thinnawarth mathuros More Details > Flashy Marketing Automation <= 2.0.8 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62873 Patch Status Unpatched Published Dec 8, 2025 Affected Software WP Flashy Marketing Automation Researcher Nabil Irawan More Details > Foxtool All-in-One: Contact chat button, Custom login, Media optimize images <= 2.5.2 - Cross-Site Request Forgery to Google OAuth Connection 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13408 Patch Status Patched Published Dec 11, 2025 Affected Software Foxtool All-in-One: Contact chat button, Custom login, Media optimize images Researcher D01EXPLOIT OFFICIAL More Details > Freshchat <= 2.3.4 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64240 Patch Status Unpatched Published Dec 11, 2025 Affected Software Freshchat Researcher Nabil Irawan More Details > Gallery Blocks with Lightbox <= 3.3.0 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14288 Patch Status Patched Published Dec 12, 2025 Affected Software Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery Researcher Karol More Details > GenerateBlocks <= 2.1.2 - Authenticated (Contributor+) Information Exposure via Metadata 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12512 Patch Status Patched Published Dec 12, 2025 Affected Software GenerateBlocks Researcher Athiwat Tiprasaharn (Jitlada) More Details > Grider for Elementor <= 1.0.8 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66161 Patch Status Unpatched Published Dec 11, 2025 Affected Software Grider for Elementor Researcher Phat RiO - BlueRock More Details > Huger for Elementor <= 1.1.5 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68088 Patch Status Unpatched Published Dec 11, 2025 Affected Software Huger for Elementor Researcher Phat RiO - BlueRock More Details > Image Slider by Ays- Responsive Slider and Carousel <= 2.7.0 - Cross-Site Request Forgery to Arbitrary Slider Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14454 Patch Status Patched Published Dec 12, 2025 Affected Software Image Slider by Ays- Responsive Slider and Carousel Researcher ChamlaVic More Details > IMAQ Core <= 1.2.1 - Cross-Site Request Forgery to URL Structure Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13363 Patch Status Unpatched Published Dec 11, 2025 Affected Software IMAQ CORE Researcher dayea song More Details > Import external attachments <= 1.5.12 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64245 Patch Status Unpatched Published Dec 14, 2025 Affected Software Import external attachments Researcher Nabil Irawan More Details > Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.6 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67468 Patch Status Patched Published Dec 8, 2025 Affected Software Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms Researcher Nabil Irawan More Details > Just TinyMCE Custom Styles <= 1.2.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62871 Patch Status Unpatched Published Dec 8, 2025 Affected Software Just TinyMCE Custom Styles Researcher Nabil Irawan More Details > Kirim.Email WooCommerce Integration <= 1.2.9 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14165 Patch Status Unpatched Published Dec 11, 2025 Affected Software Kirim.Email WooCommerce Integration Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Laser <= 1.1.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66164 Patch Status Unpatched Published Dec 11, 2025 Affected Software Laser Researcher Phat RiO - BlueRock More Details > Lottier for WPBakery <= 1.1.7 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66165 Patch Status Unpatched Published Dec 11, 2025 Affected Software Lottier for WPBakery Researcher Phat RiO - BlueRock More Details > Lucky Draw Contests <= 4.2 - Cross-Site Request Forgery to Plugin Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14462 Patch Status Unpatched Published Dec 12, 2025 Affected Software Lucky Draw Contests Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Masker for Elementor <= 1.1.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66163 Patch Status Unpatched Published Dec 11, 2025 Affected Software Masker for Elementor Researcher Phat RiO - BlueRock More Details > Mavix Education <= 1.0 - Missing Authorization to Authenticated (Subscriber+) 'Creativ Demo Importer' Plugin Activation 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-11164 Patch Status Patched Published Dec 12, 2025 Affected Software Mavix Education Researcher Jonas Benjamin Friedli More Details > Modalier for Elementor <= 1.0.6 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68087 Patch Status Unpatched Published Dec 11, 2025 Affected Software Modalier for Elementor Researcher Phat RiO - BlueRock More Details > Page View Count <= 2.8.7 - Missing Authorization to Authenticated (Subscriber+) Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-63034 Patch Status Unpatched Published Dec 8, 2025 Affected Software Page View Count Researcher Phat RiO - BlueRock More Details > Popover Windows <= 1.2 - Cross-Site Request Forgery to Arbitrary Popover Configuration Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14394 Patch Status Unpatched Published Dec 12, 2025 Affected Software Popover Windows Researcher dayea song More Details > Popover Windows <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14395 Patch Status Unpatched Published Dec 12, 2025 Affected Software Popover Windows Researcher dayea song More Details > Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12783 Patch Status Unpatched Published Dec 11, 2025 Affected Software Premmerce Brands for WooCommerce Researchers Athiwat Tiprasaharn (Jitlada)Powpy More Details > Purchase and Expense Manager <= 1.1.2 - Cross-Site Request Forgery to Arbitrary Purchase Record Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13987 Patch Status Unpatched Published Dec 11, 2025 Affected Software Purchase and Expense Manager Researcher dayea song More Details > Rabbit Hole <= 1.1 - Cross-Site Request Forgery to Settings Reset 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13366 Patch Status Unpatched Published Dec 11, 2025 Affected Software Rabbit Hole Researcher dayea song More Details > Reformer for Elementor <= 1.0.6 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68086 Patch Status Unpatched Published Dec 11, 2025 Affected Software ReFormer – Multichannel Contact Form for Elementor Researcher Phat RiO - BlueRock More Details > Resource Library for Logged In Users <= 1.4 - Cross-Site Request Forgery to Multiple Administrative Actions 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14354 Patch Status Unpatched Published Dec 11, 2025 Affected Software Resource Library for Logged In Users Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Restrict Elementor Widgets, Columns and Sections <= 1.12 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64244 Patch Status Unpatched Published Dec 13, 2025 Affected Software Restrict Elementor Widgets, Columns and Sections Researcher MD ISMAIL More Details > RTL Tester <= 1.2 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64239 Patch Status Unpatched Published Dec 11, 2025 Affected Software RTL Tester Researcher Nabil Irawan More Details > Secure Copy Content Protection and Content Locking <= 4.9.2 - Cross-Site Request Forgery to Data Export 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14159 Patch Status Patched Published Dec 11, 2025 Affected Software Secure Copy Content Protection and Content Locking Researcher Deadbee More Details > Simple Theme Changer <= 1.0 - Cross-Site Request Forgery to Arbitrary Theme Switcher Configuration Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14391 Patch Status Unpatched Published Dec 11, 2025 Affected Software Simple Theme Changer Researcher dayea song More Details > Simple Theme Changer <= 1.0. - Missing Authorization to Plugin Settings Update via AJAX Actions 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14392 Patch Status Unpatched Published Dec 11, 2025 Affected Software Simple Theme Changer Researcher dayea song More Details > Social Photo Fetcher <= 3.0.4 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62872 Patch Status Unpatched Published Dec 8, 2025 Affected Software Social Photo Fetcher Researcher Nabil Irawan More Details > Spoter for Elementor <= 1.04 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66162 Patch Status Unpatched Published Dec 11, 2025 Affected Software Spoter for Elementor Researcher Phat RiO - BlueRock More Details > Table Block by Tableberg <= 0.6.9 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66096 Patch Status Patched Published Dec 8, 2025 Affected Software Tableberg – Simple Gutenberg Table Block Researcher Nabil Irawan More Details > Trinity Audio <= 5.23.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67466 Patch Status Patched Published Dec 12, 2025 Affected Software Trinity Audio – Text to Speech AI audio player to convert content into audio Researcher Nabil Irawan More Details > Truefy Embed <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14161 Patch Status Unpatched Published Dec 11, 2025 Affected Software Truefy Embed Researcher dayea song More Details > Ultimate Auction <= 4.3.2 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68084 Patch Status Unpatched Published Dec 12, 2025 Affected Software Ultimate WordPress Auction Plugin Researcher daroo More Details > Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14356 Patch Status Patched Published Dec 11, 2025 Affected Software Ultra Addons for Contact Form 7 Researcher shark3y More Details > Upcoming for Calendly <= 1.2.4 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14160 Patch Status Patched Published Dec 11, 2025 Affected Software Upcoming for Calendly Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > URL Media Uploader <= 1.0.1 - Missing Authorization to Authenticated (Contributor+) Safe File Upload 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14045 Patch Status Unpatched Published Dec 11, 2025 Affected Software URL Media Uploader Researcher jsonc More Details > Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14540 Patch Status Unpatched Published Dec 12, 2025 Affected Software Userback Researcher jsonc More Details > WP Recipe Maker <= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID Unknown Patch Status Patched Published Dec 11, 2025 Affected Software WP Recipe Maker Researcher Dmitrii Ignatyev More Details > rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function 3.7 CVSS Rating Low (3.7) CVE-ID CVE-2025-9218 Patch Status Patched Published Dec 12, 2025 Affected Software rtMedia for WordPress, BuddyPress and bbPress Researcher kr0d More Details > WP Fastest Cache Premium <= 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Blind Server-Side Request Forgery 3.5 CVSS Rating Low (3.5) CVE-ID CVE-2025-10583 Patch Status Patched Published Dec 11, 2025 Affected Software WP Fastest Cache Premium Researcher Dmitrii Ignatyev More Details > As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 8, 2025 to December 14, 2025) appeared first on Wordfence.