WordPress Vulnerability Report — May 7, 2025

In this report, 88 vulnerabilities have been publicly disclosed. Security patches for 46 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 42 plugin and theme vulnerabilities, and no patch has been available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 40 Patched / 42 Unpatched

2.1
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder
2.2
Section Widget
2.3
Section Widget
2.4
Crossword Compiler Puzzles
2.5
A/B Testing, Popups, Website Personalization, Email Popup, Exit Intent Pop Up, Upsell Pop Up – Personizely
2.6
Total processing card payments for WooCommerce
2.7
Abundatrade
2.8
Advanced Reorder Image Text Slider
2.9
AHAthat
2.10
Alink Tap
2.11
Buddyboss Platform
2.12
Category Widget
2.13
Custom PC Builder Lite for WooCommerce
2.14
Database Toolset
2.15
EC Authorize.net
2.16
External image replace
2.17
Flynax Bridge
2.18
GmapsMania
2.19
IGIT Related Posts With Thumb Image After Posts
2.20
Job Listings
2.21
KiwiChat NextClient
2.22
kStats Reloaded
2.23
LayoutBoxx
2.24
Web3Press
2.25
Custom Login and Registration
2.26
Nautic Pages
2.27
occupancyplan
2.28
OTP-less one tap Sign in
2.29
Remote Images Grabber
2.30
Separator Shortcode and Widget
2.31
Reales WP STPT
2.32
Reales WP STPT
2.33
Subpage List
2.34
Syndicate Out
2.35
Theme Blvd Sliders
2.36
Total Donations
2.37
VerticalResponse Newsletter Widget
2.38
Visual Builder
2.39
Widgets as Shortcodes
2.40
Meta Keywords & Description
2.41
Xavin’s Review Ratings
2.42
Yame
2.43
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin
2.44
Newsletter – Send awesome emails from WordPress
2.45
SureForms – Drag and Drop Form Builder for WordPress
2.46
SureForms – Drag and Drop Form Builder for WordPress
2.47
Admin and Site Enhancements (ASE)
2.48
Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel
2.49
OttoKit: All-in-One Automation Platform (Formerly SureTriggers)
2.50
User Registration & Membership – Custom Registration Form, Login Form, and User Profile
2.51
WP Maps – Display Google Maps Perfectly with Ease
2.52
Calculated Fields Form
2.53
Seraphinite Accelerator
2.54
WordPress Tag, Category, and Taxonomy Manager – AI Autotagger
2.55
FULL – Cliente
2.56
SecuPress Free — WordPress Security
2.57
Gutenverse – Ultimate Block Addons and Page Builder for Site Editor
2.58
Page View Count
2.59
WordPress Simple Shopping Cart
2.60
WordPress Simple Shopping Cart
2.61
MStore API – Create Native Android & iOS Apps On The Cloud
2.62
WP-Recall – Registration, Profile, Commerce & More
2.63
Product Category Slider for WooCommerce
2.64
Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder
2.65
AM LottiePlayer
2.66
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity
2.67
Projectopia – WordPress Project Management
2.68
BP Messages Tool
2.69
Formality
2.70
Cision Block
2.71
List Children
2.72
Taxonomy Chain Menu
2.73
Ads Pro Plugin
2.74
BuddyPress Platform Pro
2.75
Envolve Plugin
2.76
Gravity Forms WebHooks
2.77
Order Delivery Date for WP e-Commerce
2.78
Advance Seat Reservation Management for WooCommerce
2.79
Multilingual CMS
2.80
tagDiv Composer
2.81
tagDiv Opt-In Builder
2.82
Ultimate Auction Pro

3. WordPress Themes — 6 Patched / 0 Unpatched

3.1
NewsBlogger
3.2
NewsBlogger
3.3
Homey
3.4
Homey
3.5
Kleo
3.6
Motors

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.8.1 has been released! This maintenance release includes fixes for 15 bugs throughout Core and the Block Editor, addressing issues affecting multiple areas of WordPress, including the block editor, multisite, and REST API. For a full list, refer to the release candidate announcement.

Plus, WordCamp Europe 2025 lands in Basel, Switzerland, June 5-7! Connect with WordPress enthusiasts, developers, and pros for three days of learning, networking, and collaboration with the global community.

WordPress Plugins — 40 Patched / 42 Unpatched

Plugin Slug:: wps-team
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: section-widget
Installations: 600+
Vulnerability:: Path Traversal
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: section-widget
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin Slug:: crossword-compiler-puzzles
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: personizely
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: totalprocessing-card-payments
Installations: 200+
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Abundatrade
Plugin Slug:: abundatrade-plugin
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Advanced Reorder Image Text Slider
Plugin Slug:: advanced-reorder-image-text-slider
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: AHAthat
Plugin Slug:: ahathat
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Alink Tap
Plugin Slug:: alink-tap
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Buddyboss Platform
Plugin Slug:: buddyboss-platform
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Category Widget
Plugin Slug:: category-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Custom PC Builder Lite for WooCommerce
Plugin Slug:: custom-pc-builder-lite-for-woocommerce
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Database Toolset
Plugin Slug:: database-toolset
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: EC Authorize.net
Plugin Slug:: ec-authorizenet
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: External image replace
Plugin Slug:: external-image-replace
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Flynax Bridge
Plugin Slug:: flynax-bridge
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: GmapsMania
Plugin Slug:: gmapsmania
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: IGIT Related Posts With Thumb Image After Posts
Plugin Slug:: igit-related-posts-with-thumb-images-after-posts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Job Listings
Plugin Slug:: job-listings
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical

Plugin:: KiwiChat NextClient
Plugin Slug:: kiwichat
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: kStats Reloaded
Plugin Slug:: kstats-reloaded
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: LayoutBoxx
Plugin Slug:: layoutboxx
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Web3Press
Plugin Slug:: likecoin
Vulnerability:: Arbitrary File Download
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Custom Login and Registration
Plugin Slug:: ms-registration
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Nautic Pages
Plugin Slug:: nautic-pages
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: occupancyplan
Plugin Slug:: occupancyplan
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: OTP-less one tap Sign in
Plugin Slug:: otpless
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: Critical

Plugin:: Remote Images Grabber
Plugin Slug:: remote-images-grabber
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Separator Shortcode and Widget
Plugin Slug:: separator-shortcode-and-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Reales WP STPT
Plugin Slug:: short-tax-post
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Reales WP STPT
Plugin Slug:: short-tax-post
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Subpage List
Plugin Slug:: subpage-view
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Syndicate Out
Plugin Slug:: syndicate-out
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Theme Blvd Sliders
Plugin Slug:: theme-blvd-sliders
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Total Donations
Plugin Slug:: total-donations
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: VerticalResponse Newsletter Widget
Plugin Slug:: vertical-response-newsletter-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Visual Builder
Plugin Slug:: visual-builder
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Widgets as Shortcodes
Plugin Slug:: widgets-as-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Meta Keywords & Description
Plugin Slug:: wp-meta-keywords-meta-description
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Xavin’s Review Ratings
Plugin Slug:: xavins-review-ratings
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium

Plugin:: Yame
Plugin Slug:: yame-linkinbio
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium

Plugin Slug:: wp-statistics
Installations: 600,000+
Vulnerability:: Broken Access Control
Patched in Version:: 14.13.4
Severity Score:: Medium

Plugin Slug:: newsletter
Installations: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.7.1
Severity Score:: Medium

Plugin Slug:: sureforms
Installations: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.4
Severity Score:: Medium

Plugin Slug:: sureforms
Installations: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.4
Severity Score:: Medium

Plugin Slug:: admin-site-enhancements
Installations: 100,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 7.6.10
Severity Score:: Medium

Plugin Slug:: depicter
Installations: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.6.2
Severity Score:: Critical

Plugin Slug:: suretriggers
Installations: 100,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 1.0.83
Severity Score:: Critical

Plugin Slug:: user-registration
Installations: 70,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.2.2
Severity Score:: Medium

Plugin Slug:: wp-google-map-plugin
Installations: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7.2
Severity Score:: Medium

Plugin Slug:: calculated-fields-form
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.62
Severity Score:: Medium

Plugin Slug:: seraphinite-accelerator
Installations: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.27.22
Severity Score:: Medium

Plugin Slug:: simple-tags
Installations: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.30.0
Severity Score:: Medium

Plugin Slug:: full-customer
Installations: 40,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.1.26
Severity Score:: High

Plugin Slug:: secupress
Installations: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.10
Severity Score:: Medium

Plugin Slug:: gutenverse
Installations: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.0
Severity Score:: Medium

Plugin Slug:: page-views-count
Installations: 20,000+
Vulnerability:: Settings Change
Patched in Version:: 2.8.5
Severity Score:: High

Plugin Slug:: wordpress-simple-paypal-shopping-cart
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.1.4
Severity Score:: Medium

Plugin Slug:: wordpress-simple-paypal-shopping-cart
Installations: 10,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 5.1.4
Severity Score:: Medium

Plugin Slug:: mstore-api
Installations: 4,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 4.17.5
Severity Score:: Medium

Plugin Slug:: wp-recall
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 16.26.12
Severity Score:: Medium

Plugin Slug:: woo-category-slider-by-pluginever
Installations: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 4.3.5
Severity Score:: High

Plugin Slug:: ultimate-store-kit
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.5.0
Severity Score:: Medium

Plugin Slug:: am-lottieplayer
Installations: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.4
Severity Score:: Medium

Plugin Slug:: surveyjs
Installations: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.33
Severity Score:: Medium

Plugin Slug:: projectopia-core
Installations: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 5.1.17
Severity Score:: High

Plugin Slug:: bp-messages-tool
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.5
Severity Score:: High

Plugin Slug:: formality
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.9
Severity Score:: Medium

Plugin Slug:: cision-block
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.4.0
Severity Score:: Medium

Plugin Slug:: list-children
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.0
Severity Score:: Medium

Plugin Slug:: taxonomy-chain-menu
Installations: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.9
Severity Score:: Medium

Plugin:: Ads Pro Plugin
Plugin Slug:: ap-plugin-scripteo
Vulnerability:: SQL Injection
Patched in Version:: 4.89
Severity Score:: Critical

Plugin:: BuddyPress Platform Pro
Plugin Slug:: buddyboss-platform-pro
Vulnerability:: Broken Authentication
Patched in Version:: 2.7.10
Severity Score:: Critical

Plugin:: Envolve Plugin
Plugin Slug:: envolve-plugin
Vulnerability:: Broken Access Control
Patched in Version:: 1.1.0
Severity Score:: Medium

Plugin:: Gravity Forms WebHooks
Plugin Slug:: gravityformswebhooks
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.7.0
Severity Score:: Medium

Plugin:: Order Delivery Date for WP e-Commerce
Plugin Slug:: order-delivery-date
Vulnerability:: Privilege Escalation
Patched in Version:: 12.3.1
Severity Score:: Critical

Plugin:: Advance Seat Reservation Management for WooCommerce
Plugin Slug:: scw-seat-reservation
Vulnerability:: SQL Injection
Patched in Version:: 3.4
Severity Score:: Critical

Plugin:: Multilingual CMS
Plugin Slug:: sitepress-multilingual-cms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.7.4
Severity Score:: Medium

Plugin:: tagDiv Composer
Plugin Slug:: td-composer
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.4.1
Severity Score:: Medium

Plugin:: tagDiv Opt-In Builder
Plugin Slug:: td-subscription
Vulnerability:: SQL Injection
Patched in Version:: 1.7.1
Severity Score:: High

Plugin:: Ultimate Auction Pro
Plugin Slug:: ultimate-woocommerce-auction-pro
Vulnerability:: SQL Injection
Patched in Version:: 1.5.3
Severity Score:: Critical

WordPress Themes — 6 Patched / 0 Unpatched

Theme Slug:: newsblogger
Downloads: 100,624
Vulnerability:: Arbitrary File Upload
Patched in Version:: 0.2.5.2
Severity Score:: High

Theme Slug:: newsblogger
Downloads: 100,624
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 0.2.5.5
Severity Score:: High

Theme:: Homey
Theme Slug:: homey
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.5
Severity Score:: Medium

Theme:: Homey
Theme Slug:: homey
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.4.5
Severity Score:: Medium

Theme:: Kleo
Theme Slug:: kleo
Vulnerability:: Broken Access Control
Patched in Version:: 5.4.4
Severity Score:: Medium

Theme:: Motors
Theme Slug:: motors
Vulnerability:: Content Injection
Patched in Version:: 5.6.66
Severity Score:: High

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security