Vulnerability Details
Basic Information
| Title | Wordfence Intelligence Weekly WordPress Vulnerability Report (April 14, 2025 to April 20, 2025) |
|---|---|
| Type | wordfence |
| Published | 2025-04-24T13:46:39 |
| Last Seen | 2025-04-24T13:53:27 |
| CVSS Score | 10.0 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2024-13452, CVE-2024-13650, CVE-2025-1093, CVE-2025-1457, CVE-2025-2010, CVE-2025-2083, CVE-2025-2111, CVE-2025-2225, CVE-2025-22774, CVE-2025-2314, CVE-2025-23958, CVE-2025-2613, CVE-2025-26730, CVE-2025-26735, CVE-2025-26872, CVE-2025-26889, CVE-2025-26892, CVE-2025-26942, CVE-2025-26944, CVE-2025-26953, CVE-2025-26954, CVE-2025-26958, CVE-2025-26968, CVE-2025-26992, CVE-2025-26996, CVE-2025-27008, CVE-2025-27009, CVE-2025-27010, CVE-2025-3056, CVE-2025-3077, CVE-2025-30960, CVE-2025-3103, CVE-2025-3104, CVE-2025-3106, CVE-2025-3247, CVE-2025-32486, CVE-2025-32507, CVE-2025-32508, CVE-2025-32513, CVE-2025-32527, CVE-2025-32540, CVE-2025-32545, CVE-2025-32546, CVE-2025-32561, CVE-2025-32571, CVE-2025-32572, CVE-2025-32573, CVE-2025-32583, CVE-2025-32592, CVE-2025-32596, CVE-2025-32602, CVE-2025-32605, CVE-2025-32608, CVE-2025-32609, CVE-2025-32622, CVE-2025-32626, CVE-2025-32634, CVE-2025-32635, CVE-2025-32636, CVE-2025-32637, CVE-2025-32638, CVE-2025-32647, CVE-2025-32648, CVE-2025-32657, CVE-2025-32658, CVE-2025-32660, CVE-2025-32662, CVE-2025-32665, CVE-2025-32666, CVE-2025-32682, CVE-2025-32686, CVE-2025-32688, CVE-2025-3275, CVE-2025-3278, CVE-2025-3284, CVE-2025-32923, CVE-2025-32929, CVE-2025-3294, CVE-2025-3295, CVE-2025-3404, CVE-2025-3453, CVE-2025-3470, CVE-2025-3479, CVE-2025-3487, CVE-2025-3520, CVE-2025-3598, CVE-2025-3615, CVE-2025-3661, CVE-2025-3809, CVE-2025-39351, CVE-2025-39353, CVE-2025-39381, CVE-2025-39385, CVE-2025-39388, CVE-2025-39390, CVE-2025-39392, CVE-2025-39394, CVE-2025-39395, CVE-2025-39396, CVE-2025-39401, CVE-2025-39402, CVE-2025-39403, CVE-2025-39404, CVE-2025-39405, CVE-2025-39406, CVE-2025-39407, CVE-2025-39408, CVE-2025-39409, CVE-2025-39410, CVE-2025-39411, CVE-2025-39412, CVE-2025-39413, CVE-2025-39414, CVE-2025-39415, CVE-2025-39416, CVE-2025-39418, CVE-2025-39419, CVE-2025-39420, CVE-2025-39421, CVE-2025-39422, CVE-2025-39423, CVE-2025-39424, CVE-2025-39425, CVE-2025-39426, CVE-2025-39427, CVE-2025-39428, 
CVE-2025-39429, CVE-2025-39430, CVE-2025-39431, CVE-2025-39432, CVE-2025-39433, CVE-2025-39434, CVE-2025-39435, CVE-2025-39436, CVE-2025-39437, CVE-2025-39438, CVE-2025-39439, CVE-2025-39440, CVE-2025-39441, CVE-2025-39442, CVE-2025-39443, CVE-2025-39444, CVE-2025-39445, CVE-2025-39446, CVE-2025-39447, CVE-2025-39448, CVE-2025-39449, CVE-2025-39450, CVE-2025-39451, CVE-2025-39452, CVE-2025-39453, CVE-2025-39454, CVE-2025-39455, CVE-2025-39456, CVE-2025-39457, CVE-2025-39458, CVE-2025-39459, CVE-2025-39460, CVE-2025-39461, CVE-2025-39462, CVE-2025-39463, CVE-2025-39464, CVE-2025-39465, CVE-2025-39466, CVE-2025-39467, CVE-2025-39468, CVE-2025-39469, CVE-2025-39470, CVE-2025-39471, CVE-2025-39472, CVE-2025-39512, CVE-2025-39513, CVE-2025-39514, CVE-2025-39515, CVE-2025-39516, CVE-2025-39517, CVE-2025-39518, CVE-2025-39519, CVE-2025-39520, CVE-2025-39521, CVE-2025-39522, CVE-2025-39523, CVE-2025-39524, CVE-2025-39525, CVE-2025-39526, CVE-2025-39527, CVE-2025-39528, CVE-2025-39529, CVE-2025-39530, CVE-2025-39533, CVE-2025-39535, CVE-2025-39538, CVE-2025-39540, CVE-2025-39541, CVE-2025-39542, CVE-2025-39543, CVE-2025-39544, CVE-2025-39545, CVE-2025-39546, CVE-2025-39547, CVE-2025-39548, CVE-2025-39549, CVE-2025-39550, CVE-2025-39551, CVE-2025-39553, CVE-2025-39554, CVE-2025-39555, CVE-2025-39556, CVE-2025-39557, CVE-2025-39558, CVE-2025-39559, CVE-2025-39560, CVE-2025-39562, CVE-2025-39563, CVE-2025-39564, CVE-2025-39565, CVE-2025-39566, CVE-2025-39567, CVE-2025-39568, CVE-2025-39569, CVE-2025-39570, CVE-2025-39571, CVE-2025-39572, CVE-2025-39573, CVE-2025-39574, CVE-2025-39575, CVE-2025-39576, CVE-2025-39577, CVE-2025-39578, CVE-2025-39579, CVE-2025-39580, CVE-2025-39581, CVE-2025-39582, CVE-2025-39583, CVE-2025-39584, CVE-2025-39585, CVE-2025-39586, CVE-2025-39587, CVE-2025-39588, CVE-2025-39589, CVE-2025-39590, CVE-2025-39592, CVE-2025-39593, CVE-2025-39594, CVE-2025-39595, CVE-2025-39596, CVE-2025-39597, CVE-2025-39598, CVE-2025-39599, CVE-2025-39600, CVE-2025-39601 |
|---|---|
| CWE | |
| Bulletin Family | info |
Description
_**In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.**_
* * *
Last week, there were 252 vulnerabilities disclosed in 215 WordPress Plugins and 15 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 56 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone in the WordPress community, so that individuals and organizations alike can use that data **to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies.** That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our **database of over 25,000 vulnerabilities** and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, **all for free**.
_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._
* * *
### New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
* WAF-RULE-821 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
* * *
### Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities
---|---
Patched | 137
Unpatched | 115
* * *
### Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities
---|---
Low Severity | 1
Medium Severity | 179
High Severity | 42
Critical Severity | 30
* * *
### Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities
---|---
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 79
Cross-Site Request Forgery (CSRF) | 44
Missing Authorization | 35
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 21
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 17
Deserialization of Untrusted Data | 12
Unrestricted Upload of File with Dangerous Type | 10
Exposure of Sensitive Information to an Unauthorized Actor | 8
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 6
Improper Privilege Management | 6
Improper Control of Generation of Code (‘Code Injection’) | 4
URL Redirection to Untrusted Site (‘Open Redirect’) | 4
Authorization Bypass Through User-Controlled Key | 2
Improper Validation of Integrity Check Value | 2
External Control of File Name or Path | 1
Incorrect Authorization | 1
* * *
### Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities
---|---
 johska | 22
 stealthcopter | 18
 muhammad yudha | 17
 Trương Hữu Phúc (truonghuuphuc) | 17
 Nguyen Xuan Chien | 14
 LVT-tholv2k | 13
 Bonds | 13
 0xd4rk5id3 | 11
 astra.r3verii | 9
 Nabil Irawan | 8
 Le Ngoc Anh | 8
 Ananda Dhakal | 7
 theviper17y | 6
 João Pedro Soares de Alcântara | 6
 Kévin Mosbahi (Mika) | 6
 Dimas Maulana | 5
 Peter Thaleikis | 5
 Aiden (Thái An) | 5
 Asaf Mozes | 4
 Phan Trong Quan | 4
 Webbernaut | 4
 Nguyễn Trung Kiên | 4
 zaim | 3
 lucky_buddy | 3
 Skalucy | 3
 Brian Sans-Souci (liardom) | 2
 the sneaky squirrel | 2
 SOPROBRO | 2
 wesley (wcraft) | 2
 nquangit | 2
 Phat RiO – BlueRock | 2
 ch4r0n | 2
 chuck | 2
 khanhhnahk1 | 1
 Foxyyy | 1
 broccoli | 1
 zer0gh0st | 1
 Doan Dinh Van | 1
 haidv35 | 1
 Deltree | 1
 Tran Nguyen Bao Khanh | 1
 Carlos Ferreira | 1
 Muhamad Visat | 1
 Alyudin Nafiie | 1
 ayato | 1
 Pham Van Phuoc | 1
 domiee13 | 1
 Tim Coen | 1
 Abdi Pranata | 1
 tahu.datar | 1
 Yassine Neggaoui (Y45NG) | 1
 Affan Ali | 1
 Arshid KV | 1
 siavashvafshar | 1
 Rafie Muhammad | 1
 Prissy | 1
_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
* * *
### WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug
---|---
ActiveDEMAND | activedemand
Add to Header | add-to-header
Administrator Z | administrator-z
AdminQuickbar | adminquickbar
Advanced Dynamic Pricing for WooCommerce | advanced-dynamic-pricing-for-woocommerce
AI Text to Speech – TTS Plugin For WordPress | ai-text-to-speech
All push notification for WP | all-push-notification
Amazon Showcase WordPress Plugin | amazon-showcase-wordpress-widget
AnalyticsWP | analyticswp
Anthologize | anthologize
Arigato Autoresponder and Newsletter | bft-autoresponder
Asgaros Forum | asgaros-forum
Attendance Manager | attendance-manager
Author WIP Progress Bar | author-work-in-progress-bar
Avatar | avatar
Barcode Generator for WooCommerce – Show barcodes on products, orders, invoices and other pages | embedding-barcodes-into-product-pages-and-orders
Basic Interactive World Map | basic-interactive-world-map
bbPress2 shortcode whitelist | bbpress2-shortcode-whitelist
BERTHA AI. Your AI co-pilot for WordPress and Chrome | bertha-ai-free
Bknewsticker | bknewsticker
BMA Lite – Appointment Booking and Scheduling Plugin | bma-lite-appointment-booking-and-scheduling
Booking and Rental Manager for Bike \| Car \| Resort \| Appointment \| Dress \| Equipment | booking-and-rental-manager-for-woocommerce
Booster Plus for WooCommerce | booster-plus-for-woocommerce
Bring Fraktguiden for WooCommerce | bring-fraktguiden-for-woocommerce
Broken Links Remover | broken-links-remover
BruteGuard – Brute Force Login Protection | bruteguard
Bulk Page Stub Creator | bulk-page-stub-creator
Bulk Term Editor | bulk-term-editor
Checkout Files Upload for WooCommerce | checkout-files-upload-woocommerce
Checkout for PayPal | checkout-for-paypal
Church Admin | church-admin
CLEVER – HTML5 Radio Player With History – Shoutcast and Icecast – Elementor Widget Addon | elementor_widget_clever_radio_player
Cloak Front End Email | cloak-front-end-email
Conditional Payments for WooCommerce | conditional-payments-for-woocommerce
Conditional Shipping for WooCommerce | conditional-shipping-for-woocommerce
Contact Form 7 | contact-form-7
Contact Form by Supsystic | contact-form-by-supsystic
Contact Form vCard Generator | contact-form-vcard-generator
Contact Form, Drag and Drop Form Builder Plugin – Live Forms | liveforms
Cost Calculator Builder | cost-calculator-builder
Coupon Affiliates – Affiliate Plugin for WooCommerce | woo-coupon-usage
Course Booking System | course-booking-system
CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout | support-x
CRUDLab Scroll to Top | crudlab-scroll-to-top
Custom CSS, JS & PHP | custom-css
Dashboard Notepads | dashboard-notepads
Dashi | dashi
Debug Log Manager | debug-log-manager
Directory Listings WordPress plugin – uListing | ulisting
Docket Cache – Object Cache Accelerator | docket-cache
Download Manager | download-manager
Dynamic Post | dynamic-post
Editor Wysiwyg Background Color | editor-wysiwyg-background-color
Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder | bdthemes-element-pack-lite
ElementsReady Addons for Elementor | element-ready-lite
Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite
Event Espresso – Custom Email Template Shortcode | email-shortcode
Event Manager, Events Calendar, Tickets, Registrations – Eventin | wp-event-solution
Ever Accounting – WordPress Accounting and Invoice Plugin | wp-ever-accounting
Fast eBay Listings | fast-ebay-listings
Feedify – Web Push Notifications | push-notification-by-feedify
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform
FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration | fluent-boards
FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses Plugin | fluent-community
Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator
FS Poster – WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest] | fs-poster
GoodBarber | goodbarber
Gravity Forms CSS Themes with Fontawesome and Placeholders | gravity-forms-css-themes-with-fontawesome-and-placeholder-support
HelpGent – The Ultimate Form Builder & TypeForm Alternative on WordPress \| Craft Conversational Multi Step Form with Video, Voice, Screen Recording, & Text Messaging | helpgent
Hive Support \| AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress | hive-support
hockeydata LOS | hockeydata-los
Hostel | hostel
Hotel Booking | nd-booking
HTML5 Audio Player- Best WordPress Audio Player Plugin | html5-audio-player
I Draw | idraw
illow – Cookies Consent | lgpd-compliant-cookie-banner
Insert Headers And Footers | wp-headers-and-footers
Integration for WooCommerce and QuickBooks | wp-woocommerce-quickbooks
IP2Location Variables | ip2location-variables
JetBlocks for Elementor | jet-blocks
JetBlog for Elementor | jet-blog
JetElements | jet-elements
JetMenu for Elementor | jet-menu
JetPopup | jet-popup
JetReviews for Elementor | jet-reviews
JetTabs for Elementor | jet-tabs
JetTricks for Elementor | jet-tricks
JetWooBuilder for Elementor | jet-woo-builder
JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin | jobwp
JS Job Manager | js-jobs
Kadence WooCommerce Email Designer | kadence-woocommerce-email-designer
Kata Plus – Addons for Elementor – Widgets, Extensions and Templates | kata-plus
KiotViet Sync | kiotvietsync
LA-Studio Element Kit for Elementor | lastudio-element-kit
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages | landing-page-cat
Listdom – Business Directory and Classified Ads Listings WordPress Plugin | listdom
Local Magic | local-magic
Login Manager – Design Login Page, View Login Activity, Limit Login Attempts | customized-login
Logo Carousel Gutenberg Block | awesome-logo-carousel-block
Logo Carousel Slider | logo-carousel-slider
Macro Calculator with Admin Email Optin & Data | macro-admin-email-data-optin-calculator
MapSVG – Vector maps, Image maps, Google Maps | mapsvg-lite-interactive-vector-maps
Master Slider – Responsive Touch Slider | master-slider
Material Dashboard | material-dashboard
Mediavine Control Panel | mediavine-control-panel
MelaPress Login Security | melapress-login-security
Memberpress | memberpress
Membership For WooCommerce | membership-for-woocommerce
mLanguage | mlanguage
modal-survey | modal-survey
Most And Least Read Posts Widget | most-and-least-read-posts-widget
Movylo Marketing Automation | movylo-widget
My auctions allegro | my-auctions-allegro-free-edition
My Marginalia | my-marginalia
Name Directory | name-directory
Office Locator | office-locator
OTP-less one tap Sign in | otpless
Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more | password-protected
Payment Form for PayPal Pro | payment-form-for-paypal-pro
PDF 2 Post | pdf2post
Piotnet Addons For Elementor | piotnet-addons-for-elementor
ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities
Projectopia – WordPress Project Management | projectopia-core
Property Hive | propertyhive
Quentn WP | quentn-wp
Question Answer | question-answer
Rating by BestWebSoft | rating-bws
Real Estate Manager – Property Listing and Agent Management | real-estate-manager
Rescue Shortcodes | rescue-shortcodes
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates | responsive-addons-for-elementor
Responsive Blocks – WordPress Gutenberg Blocks | responsive-block-editor-addons
Review Wave – Google Places Reviews | review-wave-google-places-reviews
Revision Diet | revision-diet
Right Click Disable OR Ban | right-click-disable-or-ban
Royal Elementor Addons and Templates | royal-elementor-addons
RSS Manager | rss-manager
Run Contests, Raffles, and Giveaways with ContestsWP | contest-code-checker
SB Chart block | sb-chart-block
Scriptless Social Sharing | scriptless-social-sharing
Sell access, Automate, and add Engaging Exclusive Discord Access: Introducing the MemberPress Discord Addon — Elevate Your Community! | expresstechsoftwares-memberpress-discord-add-on
ShopApper: Mobile App for WooCommerce | mobile-app-for-woocommerce
Sign-up Sheets | sign-up-sheets
Simple Maps | interactive-maps
Simple Sitemap – Create a Responsive HTML Sitemap | simple-sitemap
Site Search 360 | site-search-360
Smart Agreements | smart-agreements
Social Media Links | social-media-links
Social Sharing Plugin – Sassy Social Share | sassy-social-share
spam-stopper | spam-stopper
Starfish Review Generation & Marketing for WordPress | starfish-reviews
StoreContrl Woocommerce | storecontrl-wp-connection
Style Manager – Auto-magical system to style your entire WordPress site | style-manager
Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress | subscribe-to-unlock-lite
Super Store Finder | superstorefinder-wp
Széchenyi 2020 Logo | szechenyi-2020-logo
T&P Gallery Slider | tp-gallery-slider
TableOn – WordPress Posts Table Filterable | posts-table-filterable
Target Video Easy Publish | brid-video-easy-publish
Taskbuilder – WordPress Project & Task Management plugin | taskbuilder
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder | wps-team
Testimonial Slider And Showcase Pro | testimonial-slider-showcase-pro
Theme Changer | theme-changer
Themesflat Addons For Elementor | themesflat-addons-for-elementor
Themify Shortcodes | themify-shortcodes
Total processing card payments for WooCommerce | totalprocessing-card-payments
Tour Master – Tour Booking, Travel, Hotel | tourmaster
Tourfic Toolkit | travelfic-toolkit
translit it! | translit-it
TS Poll – Survey, Versus Poll, Image Poll, Video Poll | poll-wp
TuriTop Booking System | turitop-booking-system
Uix Shortcodes | uix-shortcodes
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member
Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder | ultimate-store-kit
Unlimited Timeline | unlimited-timeline
UrbanGo Membership | urbango-membership
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | profile-builder
User Registration PRO – Custom Registration Form, Login Form, and User Profile WordPress Plugin | user-registration-pro
Verge3D Publishing and E-Commerce | verge3d
Verowa Connect | verowa-connect
visucom-smart-sections | visucom-smart-sections
Vitepos – Point of sale (POS) plugin for WooCommerce | vitepos-lite
Web Directory Free | web-directory-free
WooCommerce – Social Login | woo-social-login
WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore | product-blocks
WooCommerce Products without featured images | woocommerce-products-without-featured-images
WooMS | wooms
WordPress Button Plugin MaxButtons | maxbuttons
WordPress Internal Link Optimiser | internal-link-finder
WordPress REST API Authentication | wp-rest-api-authentication
WordPress Video Robot – The Ultimate Video Importer | wp-video-robot
WordPress WP-Advanced-Search | wp-advanced-search
WP Data Access – App, Table, Form, Chart & Map Builder plugin | wp-data-access
WP Donate | wp-donate
WP Editor | wp-editor
WP Flipclock | wp-flipclock
WP Logger | wp-data-logger
WP Post to PDF Enhanced | wp-post-to-pdf-enhanced
WP Posts Carousel | wp-posts-carousel
WP Simple Booking Calendar | wp-simple-booking-calendar
WP Social Bookmarking | wp-social-bookmarking
WP STAGING Pro WordPress Backup Plugin | wp-staging-pro
WP Sticky Side Buttons | wp-sticky-side-buttons
WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log | wptools
WP Twitter Button | wp-twitter-button
wp-google-map-gold | wp-google-map-gold
WP_DEBUG Toggle | enable-wp-debug-toggle
WPAdverts – Classifieds Plugin | wpadverts
WPAMS – Apartment Management System for wordpress | apartment-management
WPCafe: Food Menu, Ordering, Reservation, and Delivery Solution – All in One Place! | wp-cafe
WPCasa | wpcasa
WPCOM Member | wpcom-member
wpLike2Get | wplike2get
wpt-whatsapp | wpt-whatsapp
Xelion Webchat | xelion-webchat
ZooEffect Plugin for Video player, Photo Gallery Slideshow jQuery and audio / music / podcast – HTML5 | 1-jquery-photo-gallery-slideshow-flash
* * *
### WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug
---|---
AI Hub – Startup & Technology WordPress Theme | aihub
Betheme | betheme
Celestial Aura | celestial-aura
Dessau – Contemporary Theme for Architects and Interior Designers | dessau
Dør – Modern Architecture and Interior Design Theme | dor
Eduma | eduma
Eximius | eximius
Foton – Software and App Landing Page Theme | foton
Grand Restaurant WordPress | grandrestaurant
Grip | grip
IvyPrep – Education & School WordPress Theme | ivy-school
Real Estate 7 WordPress | realestate-7
Sirat | sirat
Tastyc – Cafe Restaurant Theme | tastyc
Wanderland – Travel Blog | wanderland
* * *
### Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
#### AIHub <= 1.3.7 - Unauthenticated Arbitrary File Upload in generate_image
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-1093**; Patch Status: **Patched**; Published: **Apr 18, 2025**; Affected Software: AI Hub - Startup & Technology WordPress Theme; Researcher: Foxyyy
#### Dessau < 1.9 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39463**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Dessau - Contemporary Theme for Architects and Interior Designers; Researcher: Bonds
#### Docket Cache <= 24.07.02 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39461**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Docket Cache – Object Cache Accelerator; Researcher: Dimas Maulana
#### Dør <= 2.4 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39466**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Dør - Modern Architecture and Interior Design Theme; Researcher: Bonds
#### FluentBoards <= 1.47 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39551**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration; Researcher: Trương Hữu Phúc (truonghuuphuc)
#### FluentCommunity <= 1.2.15 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39550**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses Plugin; Researcher: Trương Hữu Phúc (truonghuuphuc)
#### Foton <= 2.5.2 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39458**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Foton - Software and App Landing Page Theme; Researcher: Bonds
#### Grip <= 1.0.9 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-26735**; Patch Status: **Unpatched**; Published: **Apr 14, 2025**; Affected Software: Grip; Researcher: tahu.datar
#### HelpGent <= 2.2.4 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32658**; Patch Status: **Unpatched**; Published: **Apr 16, 2025**; Affected Software: HelpGent – The Ultimate Form Builder & TypeForm Alternative on WordPress | Craft Conversational Multi Step Form with Video, Voice, Screen Recording, & Text Messaging; Researcher: LVT-tholv2k
#### hockeydata LOS <= 1.2.4 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-26889**; Patch Status: **Unpatched**; Published: **Apr 15, 2025**; Affected Software: hockeydata LOS; Researcher: Dimas Maulana
#### Hotel Booking <= 3.6 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39526**; Patch Status: **Unpatched**; Published: **Apr 17, 2025**; Affected Software: Hotel Booking; Researcher: LVT-tholv2k
#### IvyPrep <= 1.6.0 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39470**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: IvyPrep - Education & School WordPress Theme; Researcher: Bonds
#### JS Job Manager <= 2.0.2 - Unauthenticated Arbitrary File Upload
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32660**; Patch Status: **Unpatched**; Published: **Apr 14, 2025**; Affected Software: JS Job Manager; Researcher: LVT-tholv2k
#### Kata Plus <= 1.5.2 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32572**; Patch Status: **Unpatched**; Published: **Apr 15, 2025**; Affected Software: Kata Plus – Addons for Elementor – Widgets, Extensions and Templates; Researcher: Le Ngoc Anh
#### Material Dashboard <= 1.4.6 - Unauthenticated Privilege Escalation
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32486**; Patch Status: **Patched**; Published: **Apr 14, 2025**; Affected Software: Material Dashboard; Researcher: astra.r3verii
#### Modal Survey <= 2.0.2.0.1 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39468**; Patch Status: **Unpatched**; Published: **Apr 16, 2025**; Affected Software: modal-survey; Researcher: Bonds
#### Projectopia <= 5.1.16 - Unauthenticated Privilege Escalation via Account Takeover
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32648**; Patch Status: **Unpatched**; Published: **Apr 14, 2025**; Affected Software: Projectopia – WordPress Project Management; Researcher: astra.r3verii
#### Quentn WP <= 1.2.8 - Unauthenticated Privilege Escalation
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39596**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Quentn WP; Researcher: Le Ngoc Anh
#### Real Estate 7 <= 3.5.2 - Unauthenticated Privilege Escalation
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39459**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Real Estate 7 WordPress; Researcher: Ananda Dhakal
#### Real Estate Manager <= 7.3 - Unauthenticated Remote Code Execution
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32596**; Patch Status: **Unpatched**; Published: **Apr 15, 2025**; Affected Software: Real Estate Manager – Property Listing and Agent Management; Researcher: theviper17y
#### Smart Agreements <= 1.0.3 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39462**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Smart Agreements; Researcher: Dimas Maulana
#### Smart Sections Theme Builder – WPBakery Page Builder Addon <= 1.7.8 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39410**; Patch Status: **Unpatched**; Published: **Apr 17, 2025**; Affected Software: visucom-smart-sections; Researcher: Bonds
#### Széchenyi 2020 Logo <= 1.1 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39429**; Patch Status: **Unpatched**; Published: **Apr 17, 2025**; Affected Software: Széchenyi 2020 Logo; Researcher: Nguyen Xuan Chien
#### Tastyc < 2.5.2 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-27010**; Patch Status: **Patched**; Published: **Apr 15, 2025**; Affected Software: Tastyc - Cafe Restaurant Theme; Researcher: Bonds
#### Ultimate Store Kit Elementor Addons <= 2.4.0 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39588**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder; Researcher: domiee13
#### UrbanGo Membership <= 1.0.4 - Unauthenticated Privilege Escalation
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-3278**; Patch Status: **Patched**; Published: **Apr 18, 2025**; Affected Software: UrbanGo Membership; Researcher: Alyudin Nafiie
#### Wanderland <= 1.7.1 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39467**; Patch Status: **Patched**; Published: **Apr 17, 2025**; Affected Software: Wanderland - Travel Blog; Researcher: Bonds
#### WhatsApp Click to Chat Plugin for WordPress <= 2.2.12 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39411**; Patch Status: **Unpatched**; Published: **Apr 17, 2025**; Affected Software: wpt-whatsapp; Researcher: Bonds
#### WPAMS <= 44.0 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39406**; Patch Status: **Unpatched**; Published: **Apr 17, 2025**; Affected Software: WPAMS - Apartment Management System for wordpress; Researcher: Aiden (Thái An)
#### WPAMS <= 44.0 (17-08-2023) - Unauthenticated Arbitrary File Upload
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39401**; Patch Status: **Unpatched**; Published: **Apr 17, 2025**; Affected Software: WPAMS - Apartment Management System for wordpress; Researcher: Trương Hữu Phúc (truonghuuphuc)
#### Celestial Aura <= 2.2 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-26892**; Patch Status: **Unpatched**; Published: **Apr 14, 2025**; Affected Software: Celestial Aura; Researcher: stealthcopter
#### Custom CSS, JS & PHP <= 2.4.1 - Cross-Site Request Forgery to Remote Code Exectuiron 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39601** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Custom CSS, JS & PHP **Researcher** Nguyen Xuan Chien More Details >
#### Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-3404** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** Download Manager **Researchers** Brian Sans-Souci (liardom) the sneaky squirrel More Details >
#### Eventin <= 4.0.25 - Authenticated (Contributor+) Local File Inclusion 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39584** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Event Manager, Events Calendar, Tickets, Registrations – Eventin **Researcher** theviper17y More Details >
#### Eximius <= 2.2 - Authenticated (Subscriber+) Arbitrary File Upload 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-26872** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** Eximius **Researcher** stealthcopter More Details >
#### I Draw <= 1.0 - Authenticated (Author+) Arbitrary File Upload 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39436** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** I Draw **Researcher** johska More Details >
#### JetReviews <= 2.3.6 - Authenticated (Contributor+) Local File Inclusion 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39396** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** JetReviews for Elementor **Researcher** stealthcopter More Details >
#### MapSVG Lite <= 8.5.34 - Authenticated (Contributor+) Arbitrary File Upload 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-32682** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** MapSVG – Vector maps, Image maps, Google Maps **Researcher** Nguyễn Trung Kiên More Details >
#### PDF 2 Post <= 2.4.0 - Authenticated (Subscriber+) Remote Code Execution 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-32583** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** PDF 2 Post **Researcher** Le Ngoc Anh More Details >
#### Question Answer <= 1.2.70 - Authenticated (Subscriber+) PHP Object Injection 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-32647** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** Question Answer **Researcher** LVT-tholv2k More Details >
#### Rating by BestWebSoft <= 1.7 - Authenticated (Subscriber+) PHP Object Injection 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39527** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Rating by BestWebSoft **Researcher** Le Ngoc Anh More Details >
#### Starfish Review Generation & Marketing <= 3.1.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39533** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Starfish Review Generation & Marketing for WordPress **Researcher** LVT-tholv2k More Details >
#### Subscribe to Unlock Lite <= 1.3.0 - Authenticated (Contributor+) Local File Inclusion 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39592** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress **Researcher** LVT-tholv2k More Details >
#### Team Members <= 3.4.1 - Authenticated (Contributor+) PHP Object Injection 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-32686** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder **Researcher** Phat RiO - BlueRock More Details >
#### Testimonial Slider And Showcase Pro <= 2.1.7 - Authenticated (Subscriber+) Local File Inclusion 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-32657** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** Testimonial Slider And Showcase Pro **Researcher** LVT-tholv2k More Details >
#### TuriTop Booking System <= 1.0.10 - Authenticated (Subscriber+) PHP Object Injection 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-32571** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** TuriTop Booking System **Researcher** LVT-tholv2k More Details >
#### uListing <= 2.2.0 - Authenticated (Subscriber+) PHP Object Injection 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-32662** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** Directory Listings WordPress plugin – uListing **Researcher** Phat RiO - BlueRock More Details >
#### WPAMS <= 44.0 (17-08-2023) - Authenticated (Subscriber+) Arbitrary File Upload 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39402** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** WPAMS - Apartment Management System for wordpress **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### WPAMS <= 44.0 (17-08-2023) - Authenticated (Subscriber+) Privilege Escalation 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39405** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** WPAMS - Apartment Management System for wordpress **Researcher** Aiden (Thái An) More Details >
#### WPCafe <= 2.2.32 - Authenticated (Contributor+) Local File Inclusion 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39452** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** WPCafe: Food Menu, Ordering, Reservation, and Delivery Solution – All in One Place! **Researcher** theviper17y More Details >
#### WPCOM Member <= 1.7.7 - Authenticated (Contributor+) Local File Inclusion 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39570** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WPCOM Member **Researcher** astra.r3verii More Details >
#### Xelion Webchat <= 9.1.0 - Authenticated (Subscriber+) Privilege Escalation 8.8 CVSS Rating **High (8.8)** CVE-ID **CVE-2025-39542** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Xelion Webchat **Researcher** LVT-tholv2k More Details >
#### Avatar <= 0.1.4 - Authenticated (Subscriber+) Arbitrary File Deletion 8.1 CVSS Rating **High (8.1)** CVE-ID **CVE-2025-3520** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Avatar **Researcher** theviper17y More Details >
#### CLEVER – HTML5 Radio Player With History – Shoutcast and Icecast – Elementor Widget Addon <= 2.4 - Unauthenticated Arbitrary File Read 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-3103** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon **Researcher** khanhhnahk1 More Details >
#### Cost Calculator Builder <= 3.2.65 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-39587** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Cost Calculator Builder **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin <= 2.3.9 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-2010** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin **Researcher** stealthcopter More Details >
#### JS Job Manager <= 2.0.2 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-32626** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** JS Job Manager **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Local Magic <= 2.6.0 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-32636** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** Local Magic **Researcher** LVT-tholv2k More Details >
#### Modal Survey <= 2.0.2.0.1 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-39471** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** modal-survey **Researcher** Bonds More Details >
#### Office Locator <= 1.3.0 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-32665** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** Office Locator **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Quentn WP <= 1.2.8 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-39595** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Quentn WP **Researcher** Le Ngoc Anh More Details >
#### StoreContrl Woocommerce <= 4.1.3 - Unauthenticated Arbitrary File Download 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-39568** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** StoreContrl Woocommerce **Researcher** astra.r3verii More Details >
#### Super Store Finder <= 7.2 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-39445** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Super Store Finder **Researcher** Nguyễn Trung Kiên More Details >
#### Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.10.1 - Unauthenticated Blind SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **Unknown** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin **Researcher** Muhamad Visat More Details >
#### WP Headers And Footers <= 3.1.1 - Cross-Site Request Forgery to Arbitrary Options Update 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-2111** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** Insert Headers And Footers **Researcher** Carlos Ferreira More Details >
#### WPAMS <= 44.0 (17-08-2023) - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-39395** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** WPAMS - Apartment Management System for wordpress **Researcher** Aiden (Thái An) More Details >
#### Debug Log Manager <= 2.3.4 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-3809** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** Debug Log Manager **Researcher** Yassine Neggaoui (Y45NG) More Details >
#### Kadence WooCommerce Email Designer <= 1.5.14 - Authenticated (Admin+) Arbitrary File Upload 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-39557** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Kadence WooCommerce Email Designer **Researcher** Phan Trong Quan More Details >
#### MelaPress Login Security <= 2.1.0 - Authenticated (Administrator+) PHP Object Injection 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-39565** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** MelaPress Login Security **Researcher** Phan Trong Quan More Details >
#### T&P Gallery Slider <= 1.2 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-32527** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** T&P Gallery Slider **Researcher** Kévin Mosbahi (Mika) More Details >
#### WP Editor <= 1.2.9.1 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Update 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-3294** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WP Editor **Researcher** nquangit More Details >
#### WP-Advanced-Search <= 3.3.9.3 - Authenticated (Admin+) Arbitrary File Upload 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-39538** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** WordPress WP-Advanced-Search **Researcher** Nabil Irawan More Details >
#### Editor Wysiwyg Background Color <= 1.0 - Missing Authorization 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-23958** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Editor Wysiwyg Background Color **Researcher** Kévin Mosbahi (Mika) More Details >
#### KiotViet Sync <= 1.8.3 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-32573** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** KiotViet Sync **Researcher** Le Ngoc Anh More Details >
#### ProfileGrid <= 5.9.4.8 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-39586** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** ProfileGrid – User Profiles, Groups and Communities **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Sign-up Sheets <= 2.3.0.1 - Unauthenticated Arbitrary Shortcode Execution 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-26996** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** Sign-up Sheets **Researcher** Phan Trong Quan More Details >
#### Taskbuilder <= 4.0.1 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-39569** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Taskbuilder – WordPress Project & Task Management plugin **Researcher** astra.r3verii More Details >
#### WP Tools <= 5.18 - Cross-Site Request Forgery to Arbitrary File Renaming 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-39544** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log **Researcher** chuck More Details >
#### WPAMS <= 44.0 (17-08-2023) - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-39403** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** WPAMS - Apartment Management System for wordpress **Researcher** Aiden (Thái An) More Details >
#### Asgaros Forum <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39514** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Asgaros Forum **Researcher** muhammad yudha More Details >
#### Attendance Manager <= 0.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39515** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Attendance Manager **Researcher** muhammad yudha More Details >
#### Author WIP Progress Bar <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39516** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Author WIP Progress Bar **Researcher** muhammad yudha More Details >
#### Betheme <= 28.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3077** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** Betheme **Researcher** Webbernaut More Details >
#### Checkout Files Upload for WooCommerce <= 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39520** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Checkout Files Upload for WooCommerce **Researcher** muhammad yudha More Details >
#### Checkout for PayPal <= 1.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39572** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Checkout for PayPal **Researcher** muhammad yudha More Details >
#### Church Admin <= 5.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39555** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Church Admin **Researcher** zaim More Details >
#### Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.28 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-1457** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder **Researcher** Webbernaut More Details >
#### Essential Addons for Elementor <= 6.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39590** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders **Researcher** stealthcopter More Details >
#### Fluent Forms <= 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3615** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder **Researcher** Asaf Mozes More Details >
#### Forminator <= 1.42.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit' 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3487** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Forminator Forms – Contact Form, Payment Form & Custom Form Builder **Researcher** Asaf Mozes More Details >
#### Html5 Audio Player <= 2.2.28 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39524** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** HTML5 Audio Player- Best WordPress Audio Player Plugin **Researcher** muhammad yudha More Details >
#### JetElements For Elementor <= 2.7.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39448** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** JetElements **Researcher** stealthcopter More Details >
#### JetTabs <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39450** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** JetTabs for Elementor **Researcher** stealthcopter More Details >
#### LA-Studio Element Kit for Elementor <= 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table of Contents Widget 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3106** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** LA-Studio Element Kit for Elementor **Researcher** Webbernaut More Details >
#### Logo Carousel Gutenberg Block <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via sliderId Parameter 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-2083** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** Logo Carousel Gutenberg Block **Researcher** Peter Thaleikis More Details >
#### Logo Carousel Slider <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39525** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Logo Carousel Slider **Researcher** muhammad yudha More Details >
#### Membership For WooCommerce <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39579** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Membership For WooCommerce **Researcher** zaim More Details >
#### Most And Least Read Posts Widget <= 2.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39549** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Most And Least Read Posts Widget **Researcher** muhammad yudha More Details >
#### Piotnet Addons For Elementor <= 2.4.34 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2024-13650** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Piotnet Addons For Elementor **Researcher** zer0gh0st More Details >
#### PropertyHive <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39577** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Property Hive **Researcher** muhammad yudha More Details >
#### Rescue Shortcodes <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39528** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Rescue Shortcodes **Researcher** muhammad yudha More Details >
#### Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'rael_title_tag' 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-2225** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates **Researcher** Prissy More Details >
#### Responsive Blocks <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39578** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Responsive Blocks – WordPress Gutenberg Blocks **Researcher** zaim More Details >
#### Royal Elementor Addons <= 1.3.977 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39543** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Royal Elementor Addons and Templates **Researcher** stealthcopter More Details >
#### SB Chart block <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3661** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** SB Chart block **Researcher** Peter Thaleikis More Details >
#### Scriptless Social Sharing <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39529** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Scriptless Social Sharing **Researcher** muhammad yudha More Details >
#### Themesflat Addons For Elementor <= 2.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3275** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** Themesflat Addons For Elementor **Researcher** Webbernaut More Details >
#### Themify Shortcodes <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39581** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Themify Shortcodes **Researcher** Peter Thaleikis More Details >
#### Travelfic Toolkit <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39585** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Tourfic Toolkit **Researcher** João Pedro Soares de Alcântara More Details >
#### Uix Shortcodes <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39574** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Uix Shortcodes **Researcher** muhammad yudha More Details >
#### User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-2314** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor **Researcher** muhammad yudha More Details >
#### WP Data Access <= 5.5.36 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39582** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WP Data Access – App, Table, Form, Chart & Map Builder plugin **Researcher** Peter Thaleikis More Details >
#### WP Flipclock <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39540** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** WP Flipclock **Researcher** theviper17y More Details >
#### WP Posts Carousel <= 1.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39573** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WP Posts Carousel **Researcher** muhammad yudha More Details >
#### WPAdverts <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39576** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WPAdverts – Classifieds Plugin **Researcher** muhammad yudha More Details >
#### WPCasa <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39575** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WPCasa **Researcher** muhammad yudha More Details >
#### Add to Header <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39423** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Add to Header **Researcher** johska More Details >
#### AdminQuickbar <= 1.9.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39464** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** AdminQuickbar **Researcher** Dimas Maulana More Details >
#### All push notification for WP <= 1.5.3 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32546** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** All push notification for WP **Researcher** 0xd4rk5id3 More Details >
#### Amazon Showcase WordPress Plugin <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39431** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Amazon Showcase WordPress Plugin **Researcher** johska More Details >
#### Arigato Autoresponder and Newsletter <= 2.7.2.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39594** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Arigato Autoresponder and Newsletter **Researcher** Le Ngoc Anh More Details >
#### Booster Plus for WooCommerce <= 7.2.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39446** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Booster Plus for WooCommerce **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Broken Links Remover <= 1.2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39440** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Broken Links Remover **Researcher** johska More Details >
#### BruteGuard – Brute Force Login Protection <= 0.1.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39408** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** BruteGuard – Brute Force Login Protection **Researcher** 0xd4rk5id3 More Details >
#### Bulk Page Stub Creator <= 1.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39519** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Bulk Page Stub Creator **Researcher** Nguyen Xuan Chien More Details >
#### Contact Form by Supsystic <= 1.7.29 - Cross-Site Request Forgery to Stored Cross-Site Scripting via saveAsCopy AJAX Action 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2024-13452** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** Contact Form by Supsystic **Researcher** Tim Coen More Details >
#### Contact Form vCard Generator <= 2.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39521** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Contact Form vCard Generator **Researcher** Nguyen Xuan Chien More Details >
#### Coupon Affiliates – Affiliate Plugin for WooCommerce <= 6.3.0 - Reflected Cross-Site Scripting via 'commission_summary' Parameter 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-3598** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Coupon Affiliates – Affiliate Plugin for WooCommerce **Researcher** wesley (wcraft) More Details >
#### Course Booking System <= 6.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32508** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** Course Booking System **Researcher** LVT-tholv2k More Details >
#### CRM Perks <= 1.1.7 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39558** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout **Researcher** 0xd4rk5id3 More Details >
#### CRUDLab Scroll to Top <= 1.0.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-22774** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** CRUDLab Scroll to Top **Researcher** João Pedro Soares de Alcântara More Details >
#### Dashboard Notepads <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39441** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Dashboard Notepads **Researcher** johska More Details >
#### Event Espresso – Custom Email Template Shortcode <= 1.0.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32507** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** Event Espresso – Custom Email Template Shortcode **Researcher** João Pedro Soares de Alcântara More Details >
#### Fast eBay Listings <= 2.12.15 - Open Redirect 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39597** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Fast eBay Listings **Researcher** Nguyen Xuan Chien More Details >
#### Feedify – Web Push Notifications <= 2.4.5 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32540** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** Feedify – Web Push Notifications **Researcher** João Pedro Soares de Alcântara More Details >
#### GoodBarber <= 1.0.26 - Open Redirect 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39523** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** GoodBarber **Researcher** Le Ngoc Anh More Details >
#### Hive Support <= 1.2.2 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32666** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Internal Link Optimiser <= 5.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39547** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WordPress Internal Link Optimiser **Researcher** johska More Details >
#### KiotViet Sync <= 1.8.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39381** Patch Status **Unpatched** Published **Apr 18, 2025** **Affected Software** KiotViet Sync **Researcher** Nguyen Xuan Chien More Details >
#### Landing Page Cat <= 1.7.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-26992** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages **Researcher** Nguyen Xuan Chien More Details >
#### Listdom <= 4.0.0 - Open Redirect 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39599** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Listdom – Business Directory and Classified Ads Listings WordPress Plugin **Researcher** Nguyen Xuan Chien More Details >
#### Memberpress <= 1.11.37 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39407** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Memberpress **Researcher** 0xd4rk5id3 More Details >
#### MemberPress Discord Addon <= 1.1.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32605** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** Sell access, Automate, and add Engaging Exclusive Discord Access: Introducing the MemberPress Discord Addon — Elevate Your Community! **Researcher** 0xd4rk5id3 More Details >
#### Modal Survey <= 2.0.2.0.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39469** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** modal-survey **Researcher** Bonds More Details >
#### Movylo Marketing Automation <= 2.0.7 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32608** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** Movylo Marketing Automation **Researcher** 0xd4rk5id3 More Details >
#### My Marginalia <= 1.0.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39435** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** My Marginalia **Researcher** johska More Details >
#### Nomupay Payment Processing Gateway <= 7.1.6 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32513** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** Total processing card payments for WooCommerce **Researcher** João Pedro Soares de Alcântara More Details >
#### OTP-less one tap Sign in <= 2.0.58 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32622** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** OTP-less one tap Sign in **Researcher** 0xd4rk5id3 More Details >
#### Revision Diet <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39419** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Revision Diet **Researcher** johska More Details >
#### Right Click Disable OR Ban <= 1.1.17 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39548** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Right Click Disable OR Ban **Researcher** johska More Details >
#### RSS Manager <= 0.06 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39418** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** RSS Manager **Researcher** johska More Details >
#### Run Contests, Raffles, and Giveaways with ContestsWP <= 2.0.6 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32634** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** Run Contests, Raffles, and Giveaways with ContestsWP **Researcher** João Pedro Soares de Alcântara More Details >
#### Sassy Social Share <= 3.3.73 - Open Redirect 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39404** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Social Sharing Plugin – Sassy Social Share **Researcher** Affan Ali More Details >
#### ShopApper <= 0.4.39 - Unauthenticated Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32638** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** ShopApper: Mobile App for WooCommerce **Researcher** stealthcopter More Details >
#### Site Search 360 <= 2.1.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39530** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Site Search 360 **Researcher** Nguyen Xuan Chien More Details >
#### Social Media Links <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39415** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Social Media Links **Researcher** johska More Details >
#### spam-stopper <= 3.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39414** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** spam-stopper **Researcher** johska More Details >
#### TableOn – WordPress Posts Table Filterable <= 1.0.3 - Unauthenticated Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32592** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** TableOn – WordPress Posts Table Filterable **Researcher** Abdi Pranata More Details >
#### Tourmaster < 5.4.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32923** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** Tour Master - Tour Booking, Travel, Hotel **Researcher** Bonds More Details >
#### translit it! <= 1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39416** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** translit it! **Researcher** johska More Details >
#### Verowa Connect <= 3.0.4 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32609** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** Verowa Connect **Researcher** 0xd4rk5id3 More Details >
#### Web Directory Free <= 1.7.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39567** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Web Directory Free **Researcher** astra.r3verii More Details >
#### WooMS <= 9.12 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32602** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** WooMS **Researcher** 0xd4rk5id3 More Details >
#### WordPress Video Robot – The Ultimate Video Importer <= 1.20.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39409** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** WordPress Video Robot - The Ultimate Video Importer **Researcher** Bonds More Details >
#### WP Donate <= 2.0 - Unauthenticated Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32637** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** WP Donate **Researcher** johska More Details >
#### WP_DEBUG Toggle <= 1.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-32561** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** WP_DEBUG Toggle **Researcher** SOPROBRO More Details >
#### WPAMS <= 44.0 (17-08-2023) - Unauthenticated Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39392** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** WPAMS - Apartment Management System for wordpress **Researcher** Aiden (Thái An) More Details >
#### ZooEffect <= 1.11 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-26954** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** ZooEffect Plugin for Video player, Photo Gallery Slideshow jQuery and audio / music / podcast – HTML5 **Researcher** Dimas Maulana More Details >
#### Gravity Forms CSS Themes with Fontawesome and Placeholders <= 8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting 5.5 CVSS Rating **Medium (5.5)** CVE-ID **CVE-2025-39428** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Gravity Forms CSS Themes with Fontawesome and Placeholders **Researcher** Nabil Irawan More Details >
#### Download Manager <= 3.3.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload 5.4 CVSS Rating **Medium (5.4)** CVE-ID **CVE-2025-3056** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Download Manager **Researcher** siavashvafshar More Details >
#### Target Video Easy Publish <= 3.8.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution 5.4 CVSS Rating **Medium (5.4)** CVE-ID **CVE-2025-32688** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Target Video Easy Publish **Researcher** Phan Trong Quan More Details >
#### ActiveDEMAND <= 0.2.46 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39513** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** ActiveDEMAND **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### AI Text to Speech <= 3.0.3 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39554** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** AI Text to Speech – TTS Plugin For WordPress **Researcher** Kévin Mosbahi (Mika) More Details >
#### AnalyticsWP <= 2.0.0 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39388** Patch Status **Unpatched** Published **Apr 18, 2025** **Affected Software** AnalyticsWP **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### AnalyticsWP <= 2.1.2 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39394** Patch Status **Unpatched** Published **Apr 18, 2025** **Affected Software** AnalyticsWP **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Booking and Rental Manager <= 2.2.8 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39457** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment **Researcher** LVT-tholv2k More Details >
#### Booking and Rental Manager <= 2.3.8 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39390** Patch Status **Patched** Published **Apr 18, 2025** **Affected Software** Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment **Researcher** LVT-tholv2k More Details >
#### Church Admin <= 5.0.9 - Unauthenticated Information Disclosure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39553** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Church Admin **Researcher** Kévin Mosbahi (Mika) More Details >
#### Cloak Front End Email <= 1.9.5 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-26968** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Cloak Front End Email **Researcher** muhammad yudha More Details >
#### Contact Form 7 <= 6.0.5 - Order Replay Vulnerability 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-3247** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** Contact Form 7 **Researcher** Asaf Mozes More Details >
#### Dashi <= 3.1.8 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39580** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Dashi **Researcher** 0xd4rk5id3 More Details >
#### Eduma <= 5.6.4 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39460** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Eduma **Researcher** Ananda Dhakal More Details >
#### Forminator <= 1.42.0 - Order Replay Vulnerability 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-3479** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Forminator Forms – Contact Form, Payment Form & Custom Form Builder **Researcher** Asaf Mozes More Details >
#### Grand Restaurant WordPress <= 7.0 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39353** Patch Status **Unpatched** Published **Apr 18, 2025** **Affected Software** Grand Restaurant WordPress **Researcher** Ananda Dhakal More Details >
#### Hive Support <= 1.2.2 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-32635** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress **Researcher** stealthcopter More Details >
#### JetBlocks For Elementor <= 1.3.16 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39451** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** JetBlocks for Elementor **Researcher** stealthcopter More Details >
#### JetBlog <= 2.4.3 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-26958** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** JetBlog for Elementor **Researcher** stealthcopter More Details >
#### JetElements For Elementor <= 2.7.4.1 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39447** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** JetElements **Researcher** stealthcopter More Details >
#### JetMenu <= 2.4.9 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-26953** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** JetMenu for Elementor **Researcher** stealthcopter More Details >
#### JetPopup <= 2.0.11 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-26944** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** JetPopup **Researcher** stealthcopter More Details >
#### JetTricks <= 1.5.1 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-26942** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** JetTricks for Elementor **Researcher** stealthcopter More Details >
#### JetWooBuilder <= 2.1.18 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39449** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** JetWooBuilder for Elementor **Researcher** stealthcopter More Details >
#### Macro Calculator with Admin Email Optin & Data <= 1.0 - Unauthenticated Information Disclosure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-26730** Patch Status **Unpatched** Published **Apr 15, 2025** **Affected Software** Macro Calculator with Admin Email Optin & Data **Researcher** Deltree More Details >
#### Mediavine Control Panel <= 2.10.6 - Unauthenticated Information Exposure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39556** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Mediavine Control Panel **Researcher** Nguyễn Trung Kiên More Details >
#### Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products <= 2.7.7 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-3453** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more **Researchers** Brian Sans-Souci (liardom) the sneaky squirrel More Details >
#### Unlimited Timeline < 1.6.1 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-27008** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** Unlimited Timeline **Researcher** Tran Nguyen Bao Khanh More Details >
#### WP Staging Pro <= 6.1.2 - Unauthenticated Information Exposure via getOutdatedPluginsRequest Function 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-3104** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** WP STAGING Pro WordPress Backup Plugin **Researcher** haidv35 More Details >
#### wpLike2Get <= 1.2.9 - Unauthenticated Information Exposure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39439** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** wpLike2Get **Researcher** ch4r0n More Details >
#### BMA Lite <= 1.4.2 - Authenticated (Administrator+) SQL Injection 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-39518** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** BMA Lite – Appointment Booking and Scheduling Plugin **Researcher** Pham Van Phuoc More Details >
#### Hostel <= 1.1.5.6 - Authenticated (Administrator+) SQL Injection 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-39566** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Hostel **Researcher** astra.r3verii More Details >
#### TS Poll – Survey, Versus Poll, Image Poll, Video Poll <= 2.4.6 - Authenticated (Administrator+) SQL Injection via 's' Parameter 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-3470** Patch Status **Patched** Published **Apr 14, 2025** **Affected Software** TS Poll – Survey, Versus Poll, Image Poll, Video Poll **Researcher** broccoli More Details >
#### WP Editor <= 1.2.9.1 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-3295** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** WP Editor **Researcher** nquangit More Details >
#### Login Manager – Design Login Page, View Login Activity, Limit Login Attempts <= 2.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via Custom URL 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-2613** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Login Manager – Design Login Page, View Login Activity, Limit Login Attempts **Researcher** Arshid KV More Details >
#### MaxButtons <= 9.8.3 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-39444** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** WordPress Button Plugin MaxButtons **Researcher** ayato More Details >
#### Payment Form for PayPal Pro <= 1.1.72 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-39562** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Payment Form for PayPal Pro **Researcher** Doan Dinh Van More Details >
#### WP Post to PDF Enhanced <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-39427** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** WP Post to PDF Enhanced **Researcher** Nabil Irawan More Details >
#### Advanced Dynamic Pricing for WooCommerce <= 4.9.3 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39453** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Advanced Dynamic Pricing for WooCommerce **Researcher** lucky_buddy More Details >
#### Advanced Google Maps <= 5.8.4 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39465** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** wp-google-map-gold **Researcher** Nguyễn Trung Kiên More Details >
#### Anthologize <= 0.8.3 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39437** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Anthologize **Researcher** Nabil Irawan More Details >
#### Avatar <= 0.1.4 - Authenticated (Subscriber+) Insecure Direct Object Reference 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39434** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Avatar **Researcher** Nguyen Xuan Chien More Details >
#### Barcode Generator for WooCommerce <= 2.0.4 - Authenticated (Subscriber+) Arbitrary Content Deletion 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-32929** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** Barcode Generator for WooCommerce – Show barcodes on products, orders, invoices and other pages **Researcher** Kévin Mosbahi (Mika) More Details >
#### Basic Interactive World Map <= 2.7 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39517** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Basic Interactive World Map **Researcher** Nguyen Xuan Chien More Details >
#### bbPress2 shortcode whitelist <= 2.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39432** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** bbPress2 shortcode whitelist **Researcher** johska More Details >
#### BERTHA AI <= 1.12.10.2 - Authenticated (Subscriber+) Arbitrary Content Deletion 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39583** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** BERTHA AI. Your AI co-pilot for WordPress and Chrome **Researcher** theviper17y More Details >
#### Bknewsticker <= 1.0.5 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39433** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Bknewsticker **Researcher** johska More Details >
#### Bring Fraktguiden for WooCommerce <= 1.11.4 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39559** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Bring Fraktguiden for WooCommerce **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Bulk Term Editor <= 1.1.4 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39512** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Bulk Term Editor **Researcher** Skalucy More Details >
#### Conditional Payments for WooCommerce <= 3.3.0 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39563** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Conditional Payments for WooCommerce **Researcher** lucky_buddy More Details >
#### Conditional Shipping for WooCommerce <= 3.4.0 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39564** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Conditional Shipping for WooCommerce **Researcher** lucky_buddy More Details >
#### Dynamic Post <= 4.10 - Missing Authorization to Authenticated (Subscriber+) Settings Update 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39522** Patch Status **Unpatched** Published **Apr 16, 2025** **Affected Software** Dynamic Post **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### ElementsReady Addons for Elementor <= 6.6.2 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39546** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** ElementsReady Addons for Elementor **Researcher** Nabil Irawan More Details >
#### Essential Addons for Elementor <= 6.1.9 - Authenticated (Contributor+) Information Disclosure 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39589** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders **Researcher** stealthcopter More Details >
#### Ever Accounting <= 2.1.5 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39593** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Ever Accounting – WordPress Accounting and Invoice Plugin **Researcher** Skalucy More Details >
#### FS Poster <= 6.5.8 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-30960** Patch Status **Patched** Published **Apr 15, 2025** **Affected Software** FS Poster - WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest] **Researcher** Rafie Muhammad More Details >
#### Grand Restaurant WordPress <= 7.0 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39351** Patch Status **Unpatched** Published **Apr 18, 2025** **Affected Software** Grand Restaurant WordPress **Researcher** Ananda Dhakal More Details >
#### illow – Cookies Consent <= 0.2.0 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39426** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** illow – Cookies Consent **Researcher** Skalucy More Details >
#### Integration for WooCommerce and QuickBooks <= 1.3.1 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39600** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Integration for WooCommerce and QuickBooks **Researcher** Nguyen Xuan Chien More Details >
#### IP2Location Variables <= 2.9.5 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39455** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** IP2Location Variables **Researcher** SOPROBRO More Details >
#### Live Forms <= 4.8.4 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39560** Patch Status **Patched** Published **Apr 16, 2025** **Affected Software** Contact Form, Drag and Drop Form Builder Plugin – Live Forms **Researcher** Nguyen Xuan Chien More Details >
#### Master Slider <= 3.10.7 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39412** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Master Slider – Responsive Touch Slider **Researcher** Ananda Dhakal More Details >
#### mLanguage <= 1.6.1 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39430** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** mLanguage **Researcher** johska More Details >
#### My auctions allegro <= 3.6.20 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-27009** Patch Status **Unpatched** Published **Apr 14, 2025** **Affected Software** My auctions allegro **Researcher** Nabil Irawan More Details >
#### Name Directory <= 1.30.0 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39454** Patch Status **Patched** Published **Apr 17, 2025** **Affected Software** Name Directory **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Review Wave – Google Places Reviews <= 1.4.7 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39442** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Review Wave – Google Places Reviews **Researcher** johska More Details >
#### Simple Maps <= 0.98 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39424** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Simple Maps **Researcher** johska More Details >
#### Simple Sitemap – Create a Responsive HTML Sitemap <= 3.5.14 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39413** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Simple Sitemap – Create a Responsive HTML Sitemap **Researcher** Ananda Dhakal More Details >
#### Sirat <= 1.5.1 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39385** Patch Status **Unpatched** Published **Apr 18, 2025** **Affected Software** Sirat **Researcher** Peter Thaleikis More Details >
#### Style Manager <= 2.2.7 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39425** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Style Manager – Auto-magical system to style your entire WordPress site **Researcher** Nabil Irawan More Details >
#### Theme Changer <= 1.3 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39438** Patch Status **Unpatched** Published **Apr 17, 2025** **Affected Software** Theme Changer **Researcher** ch4r0n More Details >
| Title | CVSS | CVE-ID | Patch Status | Published | Affected Software | Researcher |
|---|---|---|---|---|---|---|
| User Registration & Membership PRO – Custom Registration Form, Login Form, and User Profile <= 5.1.3 - Cross-Site Request Forgery to User Deletion | Medium (4.3) | CVE-2025-3284 | Patched | Apr 18, 2025 | User Registration PRO – Custom Registration Form, Login Form, and User Profile WordPress Plugin | wesley (wcraft) |
| Verge3D <= 4.9.0 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-39443 | Patched | Apr 17, 2025 | Verge3D Publishing and E-Commerce | Nabil Irawan |
| Vitepos <= 3.1.7 - Missing Authorization | Medium (4.3) | CVE-2025-39535 | Patched | Apr 17, 2025 | Vitepos – Point of sale (POS) plugin for WooCommerce | astra.r3verii |
| WooCommerce Products without featured images <= 0.1 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-32545 | Unpatched | Apr 14, 2025 | WooCommerce Products without featured images | 0xd4rk5id3 |
| WooCommerce Social Login <= 2.8.2 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-39472 | Unpatched | Apr 16, 2025 | WooCommerce - Social Login | Ananda Dhakal |
| WordPress REST API Authentication <= 3.6.3 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update | Medium (4.3) | CVE-2025-39545 | Patched | Apr 16, 2025 | WordPress REST API Authentication | chuck |
| WowStore <= 4.2.4 - Missing Authorization | Medium (4.3) | CVE-2025-39571 | Patched | Apr 16, 2025 | WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore | astra.r3verii |
| WP Logger <= 2.2 - Missing Authorization | Medium (4.3) | CVE-2025-39456 | Patched | Apr 17, 2025 | WP Logger | Kévin Mosbahi (Mika) |
| WP Simple Booking Calendar <= 2.0.13 - Missing Authorization | Medium (4.3) | CVE-2025-39541 | Patched | Apr 16, 2025 | WP Simple Booking Calendar | Trương Hữu Phúc (truonghuuphuc) |
| WP Social Bookmarking <= 3.6 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-39422 | Unpatched | Apr 17, 2025 | WP Social Bookmarking | johska |
| WP Sticky Side Buttons <= 2.1 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-39421 | Unpatched | Apr 17, 2025 | WP Sticky Side Buttons | johska |
| WP Twitter Button <= 1.4.1 - Cross-Site Request Forgery | Medium (4.3) | CVE-2025-39420 | Unpatched | Apr 17, 2025 | WP Twitter Button | johska |
| Administrator Z <= 2025.03.28 - Authenticated (Admin+) Directory Traversal | Low (2.7) | CVE-2025-39598 | Patched | Apr 16, 2025 | Administrator Z | Nguyen Xuan Chien |
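Almost every entry in the table above is one of two plugin defect classes: a request handler with no nonce check (Cross-Site Request Forgery) or one with no capability check (Missing Authorization), plus one path-handling bug (Directory Traversal). The following is an added illustration of those classes in a generic WordPress AJAX handler, not code from this report or from any plugin listed in it; every hook, option and function name carrying the `demo_` prefix, and the `demo-settings` script handle, are hypothetical.

```php
<?php
// Added illustration, not code from any plugin in this report. Hook names,
// option names, the 'demo_' prefix and the 'demo-settings' script handle are
// hypothetical; the WordPress API calls are real.

// --- Vulnerable pattern -------------------------------------------------
// Registered for logged-in users (wp_ajax_) and anonymous visitors
// (wp_ajax_nopriv_), with no nonce and no capability check. A page on
// another origin can make an administrator's browser submit this request
// (CSRF), and any subscriber can call it directly (missing authorization).
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_vulnerable' );

function demo_save_settings_vulnerable() {
    update_option( 'demo_api_endpoint', $_POST['endpoint'] );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// 1. No nopriv hook for a privileged action.
// 2. check_ajax_referer() verifies the nonce and terminates on failure (CSRF).
// 3. current_user_can() enforces the capability (authorization). A nonce is
//    not an authorization check: any logged-in user who can load the page
//    that prints it can obtain one, which is exactly the "Subscriber+"
//    scenario several entries above describe.
// 4. Unslash and sanitize the input before it reaches update_option().
add_action( 'wp_ajax_demo_save_settings_v2', 'demo_save_settings_hardened' );

function demo_save_settings_hardened() {
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $endpoint = isset( $_POST['endpoint'] )
        ? esc_url_raw( wp_unslash( $_POST['endpoint'] ) )
        : '';
    if ( '' === $endpoint ) {
        wp_send_json_error( 'invalid endpoint', 400 );
    }

    update_option( 'demo_api_endpoint', $endpoint );
    wp_send_json_success();
}

// Issue the nonce the hardened handler expects to the settings page script
// (assumes a script with handle 'demo-settings' is already registered). The
// action string must match the one passed to check_ajax_referer().
function demo_enqueue_settings_script() {
    wp_localize_script( 'demo-settings', 'demoSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_settings_script' );

// --- Path handling ------------------------------------------------------
// For a file-reading action, strip directory components and confirm the
// resolved path stays inside the intended directory before reading it.
// This illustrates the directory traversal class only; it is not the code
// of the plugin listed above.
function demo_read_log( $name ) {
    $base = realpath( WP_CONTENT_DIR . '/demo-logs' );
    $path = realpath( $base . '/' . basename( $name ) );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return file_get_contents( $path );
}
```

When reviewing a plugin against this list, look for each `wp_ajax_`, `wp_ajax_nopriv_`, `admin_post_` and REST route callback and confirm both checks are present: the nonce (or REST `permission_callback`) for CSRF and the capability test for authorization. One without the other leaves one of the two classes above in place.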
* * *
_As a reminder, Wordfence has curated an industry leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities._
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, submissions from researchers to our Bug Bounty Program, and monitoring of various sources to capture all publicly available WordPress vulnerability information, adding further context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 14, 2025 to April 20, 2025) appeared first on Wordfence.
Impact Assessment
| Base Score | 10.0 |
|---|---|
| Severity | CRITICAL |