Weekly WP Vulnerabilities: 6/23/25 – 6/29/25

via Wordfence Email

Last week, there were 197 vulnerabilities disclosed in 161 WordPress Plugins and 33 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 48 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.

Wordfence Plugin

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Patched | 58 |
| Unpatched | 139 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Medium Severity | 138 |
| High Severity | 49 |
| Critical Severity | 10 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 76 |
| Cross-Site Request Forgery (CSRF) | 36 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 32 |
| Missing Authorization | 19 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 9 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 6 |
| Deserialization of Untrusted Data | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Exposure of Sensitive Information to an Unauthorized Actor | 3 |
| Absolute Path Traversal | 2 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Privilege Management | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Unverified Password Change | 1 |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Amely – Fashion Shop WordPress Theme for WooCommerce | amely |
| Blogbyte | blogbyte |
| Blogmine | blogmine |
| Blogprise | blogprise |
| Blogty | blogty |
| Blogvy | blogvy |
| CityGov – City Government & Municipal WordPress Theme | citygov |
| Constructor | constructor |
| Domnoo – Pizza & Restaurant WordPress Theme | domnoo |
| DWT – Directory & Listing WordPress Theme | dwt-listing |
| Elessi – WooCommerce AJAX WordPress Theme – RTL support | elessi-theme |
| GreenMart – Organic & Food WooCommerce WordPress Theme | greenmart |
| Homey | homey |
| Katerio – Magazine & Blog WordPress Theme | katerio |
| LMS – Education WordPress Theme | lms |
| MagOne | magone |
| Magty | magty |
| Magways | magways |
| Magze | magze |
| MBStore – Digital WooCommerce WordPress Theme | mbstore |
| Nuss – Hotel Booking WordPress | nuss |
| Pressroom – News Magazine WordPress Theme | pressroom |
| PrintXtore – Printing Services & Design Online WordPress WooCommerce Theme | bw-printxtore |
| Puca – Optimized Mobile WooCommerce Theme | puca |
| RealtyElite – Real Estate & Property Sales WordPress Theme | realtyelite |
| Red Art \| Artist Portfolio WordPress | redart |
| Sala – Startup & SaaS WordPress Theme | sala |
| Samex – Clean, Minimal Shop WooCommerce WordPress Theme | samex |
| Seven Stars – Modern Responsive MultiPurpose Theme | sevenstars |
| SNS Vicky – Cosmetic WooCommerce WordPress Theme | snsvicky |
| Sofass – Elementor WooCommerce WordPress Theme | sofass |
| Zenny – Jewelry, Watches & Glasses Elementor WooCommerce WordPress Theme | bw-zenny |
| Zita | zita |

| Software Name | Software Slug |
| --- | --- |
| Fitness Park | fitness-park |
| Hello FSE Blog | hello-fse-blog |
| HYDRO – One Page Portfolio WordPress Theme | hydro |
| OceanWP | oceanwp |
| Spark Multipurpose | spark-multipurpose |

WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| A/B Testing for WordPress | ab-testing-for-wp |
| Abandoned Contact Form 7 | abandoned-contact-form-7 |
| Accept Authorize.NET Payments Using Contact Form 7 | accept-authorize-net-payments-using-contact-form-7 |
| Accept Stripe Payments Using Contact Form 7 | accept-stripe-payments-using-contact-form-7 |
| Add & Replace Affiliate Links for Amazon | add-replace-affiliate-links-for-amazon |
| Additional Order Filters for WooCommerce | additional-order-filters-for-woocommerce |
| Address Autocomplete via Google for Gravity Forms | gf-google-address-autocomplete |
| AI ChatBot for WordPress – WPBot | chatbot |
| Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit | aiomatic-automatic-ai-content-writer |
| Aioseo Multibyte Descriptions | aioseo-multibyte-descriptions |
| Amazon Products to WooCommerce | import-products-to-wc |
| Audio Editor & Recorder | audio-editor-recorder |
| Beauty Contact Popup Form | beauty-contact-popup-form |
| BeeTeam368 Extensions | beeteam368-extensions |
| BeeTeam368 Extensions Pro | beeteam368-extensions-pro |
| BRW – Booking Rental Plugin WooCommerce | ova-brw |
| Burst Statistics – Privacy-Friendly Analytics for WordPress | burst-statistics |
| Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | charitable |
| CMS Blocks | cms-blocks |
| Conference Scheduler | conference-scheduler |
| Contact Form – 7 : Hide Success Message | contact-form-7-hide-success-message |
| Content Manager Light | content-manager-light |
| Content No Cache \| Serve uncached partial content even when you add it to a page that is fully cached. | content-no-cache |
| Cron Logger | cron-logger |
| CTUsers | ctuser |
| Cyrlitera – transliteration of links and file names | cyrlitera |
| Dashboard Widget Sidebar | dashboard-widget-sidebar |
| Davenport – Versatile Blog and Magazine WordPress Theme | davenport |
| Devnex Addons For Elementor | devnex-addons-for-elementor |
| DirectIQ Email Marketing | directiq-wp |
| Download Manager and Payment Form WordPress Plugin – WP SmartPay | smartpay |
| Drive Folder Embedder | drive-folder-embeder |
| e.nigma buttons | enigma-buttons |
| EC Stars Rating | ec-stars-rating |
| Evangelische Termine | evangtermine |
| Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin | wp-event-solution |
| Event RSVP and Simple Event Management Plugin | wp-easy-events |
| Everest Forms Pro | everest-forms-pro |
| EZ SQL Reports Shortcode Widget and DB Backup | elisqlreports |
| File Manager Plugin For WordPress | file-manager-plugin-for-wordpress |
| FL3R Accessibility Suite | fl3r-accessibility-suite |
| Flexo Counter | flexo-countdown |
| Football Pool | football-pool |
| Free Downloads EDD | free-downloads-edd |
| Frontend Admin by DynamiApps | acf-frontend-form-element |
| FW Food Menu – Responsive food menu with ordering & delivery solutions | fw-food-menu |
| FW Gallery – Photo, video, audio media presentation and management system with players and slideshow | fw-gallery |
| Game Users Share Buttons | game-users-share-buttons |
| GC Social Wall | gc-social-wall |
| GG Bought Together for WooCommerce | gg-bought-together |
| Gmedia Photo Gallery | grand-media |
| Guest posting / Frontend Posting / Front Editor – WP Front User Submit | front-editor |
| Hide Admin Bar From Front End | hide-admin-bar-from-front-end |
| HidePost | hidepost |
| Homerunner | homerunner-smartcheckout |
| Hotel Booking | nd-booking |
| Hover Effects – easily create any hover effect | hover-effects |
| HT Mega – Absolute Addons for WPBakery Page Builder | ht-mega-for-wpbakery |
| HT Slider For Elementor | ht-slider-for-elementor |
| HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | hurrytimer |
| iCount Payment Gateway | icount |
| Image Cleanup | image-cleanup |
| Image Editor by Pixo | image-editor-by-pixo |
| Image Shadow | image-shadow |
| Image slider with description | image-slider-with-description |
| Import external attachments | import-external-attachments |
| Infility Global | infility-global |
| IS-theme-companion | weblizar-companion |
| isMobile() Shortcode for WordPress | ismobile |
| JetEngine | jet-engine |
| JobSearch WP Job Board | wp-jobsearch |
| Leyka | leyka |
| MDJM Event Management | mobile-dj-manager |
| MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet | paid-membership |
| Modern Design Library | mdl-shortcodes |
| Mollie Payments for WooCommerce | mollie-payments-for-woocommerce |
| My Resume Builder | my-resume-builder |
| My Wp Brand – Hide menu & Hide Plugin | my-wp-brand |
| Namasha By Mdesign | namasha-by-mdesign |
| National Weather Service Alerts | national-weather-service-alerts |
| Navayan Subscribe | navayan-subscribe |
| Ninja Forms – The Contact Form Builder That Grows With You | ninja-forms |
| Ninja Tables – Easy Data Table Builder | ninja-tables |
| Off-Canvas Sidebars & Menus (Slidebars) | off-canvas-sidebars |
| Omnipress | omnipress |
| ONet Regenerate Thumbnails | onet-regenerate-thumbnails |
| OnionBuzz | onionbuzz-viral-quiz |
| Osom Blocks | osomblocks |
| Owl carousel responsive | responsive-owl-carousel |
| PDF Builder for WooCommerce. Create invoices,packing slips and more | woo-pdf-invoice-builder |
| Photo Express for Google | photo-express-for-google |
| PlatiOnline Payments | plationline |
| Plugin Inspector | plugin-inspector |
| Podcast Feed Player Widget and Shortcode | podcast-feed-player-widget |
| Popup addon for Ninja Forms | popup-addon-for-ninja-forms |
| Post Carousel Slider for Elementor | post-carousel-slider-for-elementor |
| Post Rating and Review | post-rating-and-review |
| Pre-Publish Post Checklist | pre-publish-post-checklist |
| PT Project Notebooks – Take Meeting minutes, create budgets, track task management, and more | project-notebooks |
| Qi Addons For Elementor | qi-addons-for-elementor |
| Quick Favicon | quick-favicon |
| Raise The Money | raise-the-money |
| Rankie – WordPress Rank Tracker Plugin | valvepress-rankie |
| re.place | replace |
| Relocate Upload | relocate-upload |
| Responsive Blocks – WordPress Gutenberg Blocks | responsive-block-editor-addons |
| Responsive Food and Drink Menu | responsive-food-and-drink-menu |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| RSS Digest | rss-digest |
| SB Breadcrumbs | sb-breadcrumbs |
| SERPed.net | serped-net |
| Simple Link Directory Pro | qc-simple-link-directory |
| Simple Payment | simple-payment |
| Simple User Registration | wp-registration |
| SiteOrigin Widgets Bundle | so-widgets-bundle |
| Slickstream: Engagement and Conversions | slick-engagement |
| SmartAgenda – Prise de rendez-vous en ligne | smart-agenda-prise-de-rendez-vous-en-ligne |
| Społecznościowa 6 PL 2013 | spolecznosciowa-6-pl-2013 |
| Team Showcase | team-showcase-cm |
| The Countdown – Block Countdown Timer | the-countdown |
| The Pack Elementor addon | the-pack-addon |
| Theme Junkie Team Content | theme-junkie-team-content |
| Thumbnail Editor | thumbnail-editor |
| TimeZoneCalculator | timezonecalculator |
| Tournament Bracket Generator | tournament-bracket-generator |
| Track Everything | track-everything |
| Trusty Whistleblowing Solution | trusty-whistleblowing-solution |
| Twitch TV Embed Suite | twitch-tv-embed-suite |
| Ultra Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| Usercentrics Cookiebot – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode | cookiebot |
| VG WORT METIS | vgw-metis |
| Video List Manager | video-list-manager |
| Virusdie – One-click website security | virusdie |
| VR Calendar | vr-calendar-sync |
| web-cam | web-cam |
| WP AdCenter – Ad Manager & Adsense Ads | wpadcenter |
| WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons | easy-sticky-sidebar |
| WP DataTable | wp-datatable |
| WP DB Booster | wp-db-booster |
| WP Edit | wp-edit |
| WP Forum Server | forum-server |
| WP Masonry & Infinite Scroll | wp-masonry-infinite-scroll |
| WP Optimize By xTraffic | wp-optimize-by-xtraffic |
| WP Optimizer | wp-optimizer |
| WP Permalink Translator | wp-permalink-translator |
| WP SoundSystem | wp-soundsystem |
| WP Visual Sitemap | wp-visual-sitemap |
| WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress | wpvr |
| WP Wall | wp-wall |
| WP YouTube Live | wp-youtube-live |
| wp-gdpr-cookie-consen | wp-gdpr-cookie-consen |
| WP-PhotoNav | wp-photonav |
| WP-Recall – Registration, Profile, Commerce & More | wp-recall |
| WPB Category Slider for WooCommerce – Product Categories Carousel Slider & Grid with Icon and Images | wpb-woocommerce-category-slider |
| WPCRM – CRM for Contact form CF7 & WooCommerce | wpcrm |
| WPKit For Elementor | wpkit-elementor |
| WPShapere Lite | wpshapere-lite |
| Writesonic | writesonic |
| xili-dictionary | xili-dictionary |
| YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service | yaysmtp |
| Zikzag Core | zikzag-core |
