Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.
Plugins
Elementor Website Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4566
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder <= 3.30.2
Patched Versions: Elementor Website Builder 3.30.3
Mitigation steps: Update to Elementor Website Builder plugin version 3.30.3 or greater.
Essential Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6244
Number of Installations: 2,000,000+
Affected Software: Essential Addons for Elementor <= 6.1.19
Patched Versions: Essential Addons for Elementor 6.1.20
Mitigation steps: Update to Essential Addons for Elementor plugin version 6.1.20 or greater.
Premium Addons for Elementor – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2024-11937
Number of Installations: 700,000+
Affected Software: Premium Addons for Elementor <= 4.10.69
Patched Versions: Premium Addons for Elementor 4.10.70
Mitigation steps: Update to Premium Addons for Elementor plugin version 4.10.70 or greater.
WPvivid Backup & Migration – Arbitrary File Upload
Security Risk: Critical
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-5961
Number of Installations: 700,000+
Affected Software: WPvivid Backup & Migration <= 0.9.116
Patched Versions: WPvivid Backup & Migration 0.9.117
Mitigation steps: Update to WPvivid Backup & Migration plugin version 0.9.117 or greater.
Contact Form 7 Database Addon – CFDB7 – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6740
Number of Installations: 600,000+
Affected Software: Contact Form 7 Database Addon – CFDB7 <= 1.3.1
Patched Versions: Contact Form 7 Database Addon – CFDB7 1.3.2
Mitigation steps: Update to Contact Form 7 Database Addon – CFDB7 plugin version 1.3.2 or greater.
Forminator Forms – PHP Object Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-6464
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.44.2
Patched Versions: Forminator Forms 1.44.3
Mitigation steps: Update to Forminator Forms plugin version 1.44.3 or greater.
Forminator Forms – Arbitrary File Deletion
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-6463
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.44.2
Patched Versions: Forminator Forms 1.44.3
Mitigation steps: Update to Forminator Forms plugin version 1.44.3 or greater.
Forminator Forms – SQL Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2025-7638
Number of Installations: 600,000+
Affected Software: Forminator Forms <= 1.45.0
Patched Versions: Forminator Forms 1.45.1
Mitigation steps: Update to Forminator Forms plugin version 1.45.1 or greater.
Gutenberg Blocks with AI by Kadence WP – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5678
Number of Installations: 500,000+
Affected Software: Gutenberg Blocks with AI by Kadence WP <= 3.5.10
Patched Versions: Gutenberg Blocks with AI by Kadence WP 3.5.11
Mitigation steps: Update to Gutenberg Blocks with AI by Kadence WP plugin version 3.5.11 or greater.
WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5567
Number of Installations: 500,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.0
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.4.1
Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.4.1 or greater.
WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7354
Number of Installations: 500,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.4.3
Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.4.3 or greater.
WP Shortcodes Plugin — Shortcodes Ultimate – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-8015
Number of Installations: 500,000+
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2
Patched Versions: WP Shortcodes Plugin — Shortcodes Ultimate 7.4.3
Mitigation steps: Update to WP Shortcodes Plugin — Shortcodes Ultimate version 7.4.3 or greater.
Post SMTP – Broken Authentication
Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Authentication
CVE: CVE-2025-24000
Number of Installations: 400,000+
Affected Software: Post SMTP <= 3.2.3
Patched Versions: Post SMTP 3.3.0
Mitigation steps: Update to Post SMTP plugin version 3.3.0 or greater.
SureForms – Arbitrary File Deletion
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-6691
Number of Installations: 200,000+
Affected Software: SureForms <= 1.7.3
Patched Versions: SureForms 1.7.4
Mitigation steps: Update to SureForms plugin version 1.7.4 or greater.
SureForms – PHP Object Injection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2025-6742
Number of Installations: 200,000+
Affected Software: SureForms <= 1.7.3
Patched Versions: SureForms 1.7.4
Mitigation steps: Update to SureForms plugin version 1.7.4 or greater.
SureForms – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5921
Number of Installations: 200,000+
Affected Software: SureForms <= 1.7.1
Patched Versions: SureForms 1.7.2
Mitigation steps: Update to SureForms plugin version 1.7.2 or greater.
Mollie Payments for WooCommerce – Insecure Direct Object References (IDOR)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-39362
Number of Installations: 100,000+
Affected Software: Mollie Payments for WooCommerce <= 8.0.2
Patched Versions: Mollie Payments for WooCommerce 8.0.3
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Dear Flipbook – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5314
Number of Installations: 100,000+
Affected Software: Dear Flipbook <= 2.3.66
Patched Versions: Dear Flipbook 2.3.67
Mitigation steps: Update to Dear Flipbook plugin version 2.3.67 or greater.
AI Engine – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5570
Number of Installations: 100,000+
Affected Software: AI Engine <= 2.8.4
Patched Versions: AI Engine 2.8.5
Mitigation steps: Update to AI Engine plugin version 2.8.5 or greater.
AI Engine – Open Redirection
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Open Redirection
CVE: CVE-2025-6238
Number of Installations: 100,000+
Affected Software: AI Engine <= 2.8.4
Patched Versions: AI Engine 2.8.5
Mitigation steps: Update to AI Engine plugin version 2.8.5 or greater.
Element Pack Elementor Addons and Templates – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5944
Number of Installations: 100,000+
Affected Software: Element Pack Elementor Addons and Templates <= 8.0.9
Patched Versions: Element Pack Elementor Addons and Templates 8.1.0
Mitigation steps: Update to Element Pack Elementor Addons and Templates plugin version 8.1.0 or greater.
FooGallery – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6068
Number of Installations: 100,000+
Affected Software: FooGallery <= 2.4.31
Patched Versions: FooGallery 2.4.32
Mitigation steps: Update to FooGallery plugin version 2.4.32 or greater.
Strong Testimonials – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7367
Number of Installations: 100,000+
Affected Software: Strong Testimonials <= 3.2.11
Patched Versions: Strong Testimonials 3.2.12
Mitigation steps: Update to Strong Testimonials plugin version 3.2.12 or greater.
AI Engine – Arbitrary File Download
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2025-7780
Number of Installations: 100,000+
Affected Software: AI Engine <= 2.9.4
Patched Versions: AI Engine 2.9.5
Mitigation steps: Update to AI Engine plugin version 2.9.5 or greater.
Events Manager – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6976
Number of Installations: 80,000+
Affected Software: Events Manager <= 7.0.3
Patched Versions: Events Manager 7.0.4
Mitigation steps: Update to Events Manager plugin version 7.0.4 or greater.
Events Manager – SQL Injection
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-6970
Number of Installations: 80,000+
Affected Software: Events Manager <= 7.0.3
Patched Versions: Events Manager 7.0.4
Mitigation steps: Update to Events Manager plugin version 7.0.4 or greater.
Events Manager – Cross Site Scripting (XSS)
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6975
Number of Installations: 80,000+
Affected Software: Events Manager <= 7.0.3
Patched Versions: Events Manager 7.0.4
Mitigation steps: Update to Events Manager plugin version 7.0.4 or greater.
JetFormBuilder – PHP Object Injection
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-53990
Number of Installations: 80,000+
Affected Software: JetFormBuilder <= 3.5.1
Patched Versions: JetFormBuilder 3.5.2
Mitigation steps: Update to JetFormBuilder plugin version 3.5.2 or greater.
Brizy – Page Builder – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-4370
Number of Installations: 80,000+
Affected Software: Brizy – Page Builder <= 2.6.20
Patched Versions: Brizy – Page Builder 2.6.21
Mitigation steps: Update to Brizy – Page Builder plugin version 2.6.21 or greater.
Media Library Assistant – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7035
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.26
Patched Versions: Media Library Assistant 3.27
Mitigation steps: Update to Media Library Assistant plugin version 3.27 or greater.
WPC Smart Compare for WooCommerce – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5530
Number of Installations: 70,000+
Affected Software: WPC Smart Compare for WooCommerce <= 6.4.6
Patched Versions: WPC Smart Compare for WooCommerce 6.4.7
Mitigation steps: Update to WPC Smart Compare for WooCommerce plugin version 6.4.7 or greater.
Ultra Addons for Contact Form 7 – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6756
Number of Installations: 60,000+
Affected Software: Ultra Addons for Contact Form 7 <= 3.5.21
Patched Versions: Ultra Addons for Contact Form 7 3.5.22
Mitigation steps: Update to Ultra Addons for Contact Form 7 plugin version 3.5.22 or greater.
User Registration & Membership – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6831
Number of Installations: 60,000+
Affected Software: User Registration & Membership <= 4.2.9
Patched Versions: User Registration & Membership 4.3.0
Mitigation steps: Update to User Registration & Membership plugin version 4.3.0 or greater.
WP-Members Membership Plugin – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7495
Number of Installations: 60,000+
Affected Software: WP-Members Membership Plugin <= 3.5.4.1
Patched Versions: WP-Members Membership Plugin 3.5.4.2
Mitigation steps: Update to WP-Members Membership Plugin version 3.5.4.2 or greater.
Post and Page Builder by BoldGrid – Path Traversal
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2025-52712
Number of Installations: 60,000+
Affected Software: Post and Page Builder by BoldGrid <= 1.27.8
Patched Versions: Post and Page Builder by BoldGrid 1.27.9
Mitigation steps: Update to Post and Page Builder by BoldGrid plugin version 1.27.9 or greater.
Companion Auto Update – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4369
Number of Installations: 50,000+
Affected Software: Companion Auto Update <= 3.9.2
Patched Versions: Companion Auto Update 3.9.3
Mitigation steps: Update to Companion Auto Update plugin version 3.9.3 or greater.
Bold Page Builder – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-54006
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.4.1
Patched Versions: Bold Page Builder 5.4.2
Mitigation steps: Update to Bold Page Builder plugin version 5.4.2 or greater.
Stop User Enumeration – Bypass Vulnerability
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2025-4302
Number of Installations: 50,000+
Affected Software: Stop User Enumeration <= 1.7.2
Patched Versions: Stop User Enumeration 1.7.3
Mitigation steps: Update to Stop User Enumeration plugin version 1.7.3 or greater.
Structured Content (JSON-LD) #wpsc – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-4608
Number of Installations: 50,000+
Affected Software: Structured Content (JSON-LD) #wpsc <= 1.6.4
Patched Versions: No Fix
Mitigation steps: Consider disabling the plugin until a fix is released or seek alternative solutions.
Advanced iFrame – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6987
Number of Installations: 50,000+
Affected Software: Advanced iFrame <= 2025.5
Patched Versions: Advanced iFrame 2025.6
Mitigation steps: Update to Advanced iFrame plugin version 2025.6 or greater.
Themes
Hestia – Broken Access Control
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-53986
Number of Downloads: 4,446,823
Affected Software: Hestia <= 3.2.10
Patched Versions: Hestia 3.2.11
Mitigation steps: Update to Hestia theme version 3.2.11 or greater.
Educenter – Cross Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-5529
Number of Downloads: 175,744
Affected Software: Educenter <= 1.6.2
Patched Versions: No Fix
Mitigation steps: Consider disabling the theme until a fix is released or seek alternative solutions.
Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.