Weekly WP Vulnerabilities: 9/15/25 – 9/21/25

via Wordfence Email


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Patched      | 33
Unpatched    | 10

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating   | Number of Vulnerabilities
Medium Severity   | 32
High Severity     | 10
Critical Severity | 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 9
Cross-Site Request Forgery (CSRF) | 8
Missing Authorization | 8
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3
Authorization Bypass Through User-Controlled Key | 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
Unrestricted Upload of File with Dangerous Type | 2
Authentication Bypass Using an Alternate Path or Channel | 1
Deserialization of Untrusted Data | 1
Exposure of Sensitive Information to an Unauthorized Actor | 1
External Control of File Name or Path | 1
Improper Control of Generation of Code (‘Code Injection’) | 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1
Improper Restriction of Excessive Authentication Attempts | 1

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
Entrada | entrada
Leblix – Laboratory & Research WordPress Theme | leblix
Sydney | sydney

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
Appointmind | appointmind
Blaze Demo Importer | blaze-demo-importer
Blocksy Companion | blocksy-companion
Browser Sniff | browser-sniff
Catch Dark Mode | catch-dark-mode
Chained Quiz | chained-quiz
ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages | clickwhale
Custom Login And Signup Widget | custom-login-and-signup-widget
Developer Loggers for Simple History | developer-loggers-for-simple-history
Download Manager | download-manager
Draft List | simple-draft-list
Embed PDF for WPForms | embed-pdf-wpforms
Falang multilanguage for WordPress | falang
Ghost Kit – Page Builder Blocks, Motion Effects & Extensions | ghostkit
Internal Links Manager | seo-automated-link-building
Kubio AI Page Builder | kubio
Media Player Addons for Elementor – Audio and Video Widgets for Elementor | media-player-addons-for-elementor
Memberlite Shortcodes | memberlite-shortcodes
Miniorange OTP Verification with Firebase | miniorange-firebase-sms-otp-verification
osTicket WP Bridge | osticket-wp-bridge
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages | wplegalpages
Productive Style – Optimisations & Content Publishing Support | productive-style
Quantities and Units for WooCommerce | quantities-and-units-for-woocommerce
Quiz Maker | quiz-maker
Robcore Netatmo | robcore-netatmo
Secure Passkeys | secure-passkeys
Service Finder Bookings | sf-booking
Service Finder SMS System | aone-sms
Social Media Shortcodes | social-media-shortcodes
StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More | storeengine
SupportCandy – Helpdesk & Customer Support Ticket System | supportcandy
SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more | sureforms
The Events Calendar | the-events-calendar
The Hack Repair Guy’s Plugin Archiver | hackrepair-plugin-archiver
User Sync | user-sync
USS Upyun | uss-upyun
Wide Banner | wide-banner
WP Import – Ultimate CSV XML Importer for WordPress | wp-ultimate-csv-importer
