Wordfence Intelligence Weekly WordPress Vulnerability Report (September 29, 2025 to October 5, 2025)

Patch Status	Number of Vulnerabilities
Patched	67
Unpatched	69

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	107
High Severity	19
Critical Severity	9

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	58
Missing Authorization	22
Cross-Site Request Forgery (CSRF)	18
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	6
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')	4
Exposure of Sensitive Information to an Unauthorized Actor	3
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	3
Unrestricted Upload of File with Dangerous Type	3
Authentication Bypass Using an Alternate Path or Channel	2
Deserialization of Untrusted Data	2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	2
Server-Side Request Forgery (SSRF)	2
External Control of File Name or Path	1
Improper Access Control	1
Improper Authorization	1
Improper Control of Generation of Code ('Code Injection')	1
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')	1
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	1
Improper Verification of Cryptographic Signature	1
Missing Authentication for Critical Function	1
Unverified Password Change	1
URL Redirection to Untrusted Site ('Open Redirect')	1
Use of Hard-coded Cryptographic Key	1

Researcher Name	Number of Vulnerabilities
Muhammad Yudha - DJ	16
Nabil Irawan	15
zer0gh0st	12
Jonas Benjamin Friedli	9
Legion Hunter	8
Gilang - DJ	7
Abu Hurayra (HurayraIIT)	6
Peter Thaleikis	6
João Pedro Soares de Alcântara	6
zaim	5
kr0d	4
Rafshanzani Suhada	3
D01EXPLOIT OFFICIAL	2
0xd4rk5id3	2
Aurélien BOURDOIS (Elymaro)	2
johska	2
Thái An	2
Aril Aprilio (forsak3n)	2
Dmitrii Ignatyev	2
Moose Love	2
wesley (wcraft)	2
Tony	1
Khaled Alenazi (Nxploited)	1
Que Thanh Tuan - Blue Rock	1
Ryan Roth	1
Robert Kruczek (ProXy)	1
Kamil Szczurowski (Szczurowsky)	1
CVE_hunter	1
Pierre Rudloff	1
mikemyers	1
Denver Jackson	1
LionTree	1
Michael	1
Beatriz Fresno Naumova (beafn28)	1
Jarno Vos (jarnovos)	1
Drew Webber (mcdruid)	1
Tonn	1
stealthcopter	1
theviper17y	1
ch4r0n	1
Sulabh Jain (pentestmonkey11)	1
Bonds	1
Craig Webb	1
Bibek Dhakal	1

Software Name	Software Slug
A Simple Multilanguage Plugin	a-simple-multilanguage
AffiliateWP	affiliatewp
All in One Music Player	all-in-one-music-player
All Social Share Options	all-social-share-options
Any News Ticker	any-news-ticker
AP Background	ap-background
Appy Pie Connect for WooCommerce	appy-pie-connect-for-woocommerce
Auto Bulb Finder for WordPress	auto-bulb-finder-for-wp-wc
Avada (Fusion) Builder	fusion-builder
Backup Bolt	backup-bolt
Before After Image	majestic-before-after-image
Bei Fen – WordPress Backup Plugin	bei-fen
Big Post Shipping for WooCommerce	woo-bigpost-shipping
Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App	yournewsapp
Block for Mailchimp – Add Email Subscription Forms and Collect Leads	block-for-mailchimp
BP Direct Menus	bp-direct-menus
Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)	bulk-image-title-attribute
CF7 Auto Responder Addon	CF7-autoresponder-addon
Chat by Chatwee	chatwee
Comment Info Detector	comment-info-detector
ContentMX Content Publisher	contentmx-content-publisher
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe	contest-gallery
Conversios: Google Analytics (GA4), Google Ads, Conversion and Analytics Tracking for Multi-Channels	enhanced-e-commerce-for-woocommerce-store
Copypress Rest API	copypress-rest-api
Cost Calculator Builder	cost-calculator-builder
Custom Post Type Attachment	custom-post-type-pdf-attachment
dbview	dbview
Download Manager	download-manager
Duplicate Page, Hide Title, Custom CSS & JS, Exclude Search, Template Info – Pagely	current-template-name
Easy Elementor Addons – Addons Pack for Elementor Page Builder	easy-elementor-addons
Effect Maker	effect-maker
Epic Bootstrap Buttons	epic-bootstrap-buttons
Eulerpool Research Systems	alleaktien-quantitativ
Event Tickets, RSVPs, Calendar	ticket-spot
Export Categories	export-categories
FancyTabs	fancytabs
File Manager, Code Editor, and Backup by Managefy	softdiscover-db-file-manager
Fintelligence Calculator	fintelligence-calculator
Flexi – Guest Submit	flexi
FormGent – Next-Gen AI Form Builder for WordPress with Multi-Step, Quizzes, Payments & More	formgent
Generic Elements	generic-elements-for-elementor
GiveWP – Donation Plugin and Fundraising Platform	give
GutenBee – Gutenberg Blocks	gutenbee
IgnitionDeck Crowdfunding Platform	ignitiondeck
Integrate Dynamics 365 CRM	integrate-dynamics-365-crm
Interactive Human Anatomy with Clickable Body Parts	interactive-medical-drawing-of-human-body
Ird Slider	ird-slider
Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress	jeg-elementor-kit
JobSearch WP Job Board	wp-jobsearch
Jock On Air Now (JOAN)	joan
JoomSport – for Sports: Team & League, Football, Hockey & more	joomsport-sports-league-results-management
LatePoint – Calendar Booking Plugin for Appointments and Events	latepoint
Layers	layers
LockerPress – WordPress Security Plugin	lockerpress-wordpress-security
Maps from Yandex for Elementor	mihdan-elementor-yandex-maps
Marquee Addons for Elementor – Essential Motion Widgets & Templates	marquee-addons-for-elementor
Meks Easy Maps	meks-easy-maps
Meta Tag Manager	meta-tag-manager
Mobile Site Redirect	mobile-site-redirect
MPWizard – Create Mercado Pago Payment Links	mpwizard
My AskAI	my-askai
Nelio Content – Editorial Calendar & Social Media Auto-Posting	nelio-content
NEX-Forms LITE	nex-forms-lite
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE	nexa-blocks
Notification Bar	simple-bar
OAuth Single Sign On – SSO (OAuth Client)	miniorange-login-with-eve-online-google-facebook
Opal Service	opal-service
Optimize More! – CSS	optimize-more-css
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More	themeisle-companion
PayPal Forms	paypal-forms
planetcalc	planetcalc
Post By Email	post-by-email
Post Grid	post-grid
Qyrr – simply and modern QR-Code creation	qyrr-code
Restrict User Registration	restrict-user-registration
RestroPress – Online Food Ordering System	restropress
Rock Convert	rock-convert
s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions	s2member
Schema Plugin For Divi, Gutenberg & Shortcodes	wp-structured-data-schema
SEO Meta Description Updater	seo-meta-description-updater
SiteAlert (Formerly WP Health)	my-wp-health-check
SiteGround Email Marketing	siteground-email-marketing
Smart Docs	smart-docs
Smart WeTransfer	smart-wetransfer
SmartCrawl SEO checker, analyzer & optimizer	smartcrawl-seo
SMS Contact Form 7 Notifications by ClickSend	clicksend-contactform7
Spirit Framework	spirit-framework
Survey Anyplace	surveyanyplace
TableGen – Data Table Generator	table-creator
Taskbot	taskbot
Testimonial – Testimonial Slider, Reviews Slider, Testimonial By AI	testimonial
TextBuilder	textbuilder
The Pack Elementor addon	the-pack-addon
Tiny Bootstrap Elements Light	tiny-bootstrap-elements-light
Tooltipy (tooltips for WP)	bluet-keywords-tooltip-generator
Travel & Tours Meta Search	adiaha-hotel
Trinity Audio – Text to Speech AI audio player to convert content into audio	trinity-audio
TS Demo Importer	ts-demo-importer
Ultimate Learning Pro	indeed-learning-pro
Ultimate Multi Design Video Carousel	ultimate-multi-design-video-carousel
Ultimate Viral Quiz	ultimate-viral-quiz
Ultra Addons Lite for Elementor	ut-elementor-addons-lite
Unify	unify
Upload.am – File Hosting & VPN	upload-am-file-hosting-vpn
USERCENTRICS CMP	usercentrics-consent-management-platform
Video Gallery by Huzzaz	huzzaz-video-gallery
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder	wdesignkit
WeedMaps Menu for WordPress	weedmaps-menu-embed
Woo superb slideshow transition gallery with random effect	woo-superb-slideshow-transition-gallery-with-random-effect
WooCommerce Vehicle Parts Finder	woo-vehicle-parts-finder
WP Attractive Donations System - Easy Stripe & Paypal donations	WP_AttractiveDonationsSystem
Wp cycle text announcement	wp-cycle-text-announcement
WP Dispatcher	wp-dispatcher
WP Photo Album Plus	wp-photo-album-plus
WP Photo Effects	wp-photo-effects
WP SinoType	wp-sinotype
WPRecovery	wprecovery
X Addons for Elementor	x-addons-elementor
Yoast SEO Premium	wordpress-seo-premium
Yoga Schedule Momoyoga	momoyoga-integration
ZoloBlocks – Advanced Gutenberg Blocks, Website Builder & Page Design Toolkit	zoloblocks

Software Name	Software Slug
Avada \| Website Builder For WordPress & WooCommerce	Avada
Constructor	constructor
Customify	customify
The7 — Website and eCommerce Builder for WordPress	dt-the7

Do Not Sell or Share My Personal Information

This form enables you to request that we stop selling or sharing your personal information with third parties. "Selling" includes exchanging your information for money or other benefits, while "sharing" refers to providing your data to third parties for targeted advertising purposes. For more information on how we process personal information, please review our Privacy Notice.

When you submit this form, we will:

Immediately disable retargeting and remarketing cookies on your current browser/device

Browser/Device Specific: This opt-out applies to the specific browser from which you submit the request. To opt out on additional devices or browsers, you will need to submit separate requests.

Cookie Management: You may also manage cookies directly through your browser settings, or on our Cookie Control form.

Questions?

Contact our Privacy Team at:

Email: privacy@defiant.com
Mail: Defiant Inc. Attn: Privacy Issues, 1700 Westlake Ave N Ste 200, Seattle, WA 98109

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 29, 2025 to October 5, 2025)

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Trust Your Site to the Leader in WordPress Security

Comments

Breaking WordPress Security Research in your inbox as it happens.

Cookie Options

Strictly Necessary

Functional

Trust Your Site
to the Leader in WordPress Security