# Vulnerability & Patch Roundup — October 2025

[Sucuri Malware Research Team](https://blog.sucuri.net/author/malware-research), October 31, 2025

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our [web application firewall](https://sucuri.net/website-firewall/) to protect your site against known vulnerabilities.

***

## Plugins

***

### Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9703
Number of Installations: 2,000,000+
Affected Software: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.9
Patched Versions: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) 2.5.0
```

**Mitigation steps:** Update to Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin version 2.5.0 or greater.

***

### Enable Media Replace — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9496
Number of Installations: 600,000+
Affected Software: Enable Media Replace <= 4.1.6
Patched Versions: Enable Media Replace 4.1.7
```

**Mitigation steps:** Update to Enable Media Replace plugin version 4.1.7 or greater.

***

### BackWPup — WordPress Backup & Restore Plugin — Broken Access Control

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-10579
Number of Installations: 500,000+
Affected Software: BackWPup – WordPress Backup & Restore Plugin <= 5.5.0
Patched Versions: BackWPup – WordPress Backup & Restore Plugin 5.5.1
```

**Mitigation steps:** Update to BackWPup — WordPress Backup & Restore Plugin version 5.5.1 or greater.

***

### PixelYourSite — Your smart PIXEL (TAG) & API Manager — Local File Inclusion

```
Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2025-10723
Number of Installations: 500,000+
Affected Software: PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 11.1.1
Patched Versions: PixelYourSite – Your smart PIXEL (TAG) & API Manager 11.1.2
```

**Mitigation steps:** Update to PixelYourSite — Your smart PIXEL (TAG) & API Manager plugin version 11.1.2 or greater.

***

### WP Reset — Sensitive Data Exposure

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-10645
Number of Installations: 400,000+
Affected Software: WP Reset <= 2.05
Patched Versions: WP Reset 2.06
```

**Mitigation steps:** Update to WP Reset plugin version 2.06 or greater.

***

### ShortPixel Image Optimizer — Optimize Images, Convert WebP & AVIF — Broken Access Control

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11378
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF <= 6.3.4
Patched Versions: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF 6.3.5
```

**Mitigation steps:** Update to ShortPixel Image Optimizer — Optimize Images, Convert WebP & AVIF plugin version 6.3.5 or greater.

***

### Blocksy Companion — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12475
Number of Installations: 300,000+
Affected Software: Blocksy Companion <= 2.1.14
Patched Versions: Blocksy Companion 2.1.15
```

**Mitigation steps:** Update to Blocksy Companion plugin version 2.1.15 or greater.

***

### SureForms — Drag and Drop Contact Form Builder — Multi-step Forms, Conversational Forms and more — Broken Access Control

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-10732
Number of Installations: 300,000+
Affected Software: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more <= 1.12.1
Patched Versions: SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more 1.12.2
```

**Mitigation steps:** Update to SureForms — Drag and Drop Contact Form Builder — Multi-step Forms, Conversational Forms and more plugin version 1.12.2 or greater.

***

### WP Go Maps (formerly WP Google Maps) — Content Injection

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2025-11703
Number of Installations: 300,000+
Affected Software: WP Go Maps (formerly WP Google Maps) <= 9.0.48
Patched Versions: WP Go Maps (formerly WP Google Maps) 9.0.49
```

**Mitigation steps:** Update to WP Go Maps (formerly WP Google Maps) plugin version 9.0.49 or greater.

***

### Redirection for Contact Form 7 — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9562
Number of Installations: 300,000+
Affected Software: Redirection for Contact Form 7 <= 3.2.6
Patched Versions: Redirection for Contact Form 7 3.2.7
```

**Mitigation steps:** Update to Redirection for Contact Form 7 plugin version 3.2.7 or greater.

***

### Jeg Kit for Elementor — Powerful Elementor Addons, Widgets & Templates for WordPress — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9978
Number of Installations: 300,000+
Affected Software: Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress <= 2.6.9
Patched Versions: Jeg Kit for Elementor – Powerful Elementor Addons, Widgets & Templates for WordPress 2.7.0
```

**Mitigation steps:** Update to Jeg Kit for Elementor — Powerful Elementor Addons, Widgets & Templates for WordPress plugin version 2.7.0 or greater.

***

### Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content — Bypass Vulnerability

```
Security Risk: Low
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2025-11244
Number of Installations: 300,000+
Affected Software: Password Protected – Lock Entire Site, Pages, Posts, Categories, and Partial Content <= 2.7.11
Patched Versions: Password Protected – Lock Entire Site, Pages, Posts, Categories, and Partial Content 2.7.12
```

**Mitigation steps:** Update to Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content plugin version 2.7.12 or greater.

***

### GenerateBlocks — Sensitive Data Exposure

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2025-11879
Number of Installations: 200,000+
Affected Software: GenerateBlocks <= 2.1.1
Patched Versions: GenerateBlocks 2.1.2
```

**Mitigation steps:** Update to GenerateBlocks plugin version 2.1.2 or greater.

***

### User Feedback — Create Interactive Feedback Form, User Surveys, and Polls in Seconds — Broken Access Control

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-10694
Number of Installations: 200,000+
Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.8.9
Patched Versions: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds 1.9.0
```

**Mitigation steps:** Update to User Feedback — Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin version 1.9.0 or greater.

***

### Gutenberg Essential Blocks — Page Builder for Gutenberg Blocks & Patterns — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11270
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 5.7.1
Patched Versions: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns 5.7.2
```

**Mitigation steps:** Update to Gutenberg Essential Blocks — Page Builder for Gutenberg Blocks & Patterns plugin version 5.7.2 or greater.

***

### Gutenberg Essential Blocks — Page Builder for Gutenberg Blocks & Patterns — Server Side Request Forgery (SSRF)

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11361
Number of Installations: 200,000+
Affected Software: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 5.7.1
Patched Versions: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns 5.7.2
```

**Mitigation steps:** Update to Gutenberg Essential Blocks — Page Builder for Gutenberg Blocks & Patterns plugin version 5.7.2 or greater.

***

### FileBird — WordPress Media Library Folders & File Manager — Broken Access Control

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11510
Number of Installations: 200,000+
Affected Software: FileBird – WordPress Media Library Folders & File Manager <= 6.4.9
Patched Versions: FileBird – WordPress Media Library Folders & File Manager 6.5.0
```

**Mitigation steps:** Update to FileBird — WordPress Media Library Folders & File Manager plugin version 6.5.0 or greater.

***

### Optimole — Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization — Insecure Direct Object References (IDOR)

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11519
Number of Installations: 200,000+
Affected Software: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.1.0
Patched Versions: Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization 4.1.1
```

**Mitigation steps:** Update to Optimole — Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin version 4.1.1 or greater.

***

### Element Pack Addons for Elementor — Server Side Request Forgery (SSRF)

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11536
Number of Installations: 100,000+
Affected Software: Element Pack Addons for Elementor <= 8.2.5
Patched Versions: Element Pack Addons for Elementor 8.2.6
```

**Mitigation steps:** Update to Element Pack Addons for Elementor plugin version 8.2.6 or greater.

***

### WPC Smart Quick View for WooCommerce — Insecure Direct Object References (IDOR)

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11741
Number of Installations: 100,000+
Affected Software: WPC Smart Quick View for WooCommerce <= 4.2.5
Patched Versions: WPC Smart Quick View for WooCommerce 4.2.6
```

**Mitigation steps:** Update to WPC Smart Quick View for WooCommerce plugin version 4.2.6 or greater.

***

### WPC Smart Wishlist for WooCommerce — Broken Access Control

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11742
Number of Installations: 100,000+
Affected Software: WPC Smart Wishlist for WooCommerce <= 5.0.4
Patched Versions: WPC Smart Wishlist for WooCommerce 5.0.5
```

**Mitigation steps:** Update to WPC Smart Wishlist for WooCommerce plugin version 5.0.5 or greater.

***

### GiveWP — Donation Plugin and Fundraising Platform — Broken Access Control

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11227
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 4.10.1
```

**Mitigation steps:** Update to GiveWP — Donation Plugin and Fundraising Platform plugin version 4.10.1 or greater.

***

### GiveWP — Donation Plugin and Fundraising Platform — Broken Access Control

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11228
Number of Installations: 100,000+
Affected Software: GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0
Patched Versions: GiveWP – Donation Plugin and Fundraising Platform 4.10.1
```

**Mitigation steps:** Update to GiveWP — Donation Plugin and Fundraising Platform plugin version 4.10.1 or greater.

***

### Responsive Lightbox & Gallery — Cross Site Scripting (XSS)

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9710
Number of Installations: 100,000+
Affected Software: Responsive Lightbox & Gallery <= 2.5.2
Patched Versions: Responsive Lightbox & Gallery 2.5.3
```

**Mitigation steps:** Update to Responsive Lightbox & Gallery plugin version 2.5.3 or greater.

***

### Schema & Structured Data for WP & AMP — Cross Site Scripting (XSS)

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9512
Number of Installations: 100,000+
Affected Software: Schema & Structured Data for WP & AMP <= 1.49
Patched Versions: Schema & Structured Data for WP & AMP 1.50
```

**Mitigation steps:** Update to Schema & Structured Data for WP & AMP plugin version 1.50 or greater.

***

### Colibri Page Builder — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9560
Number of Installations: 100,000+
Affected Software: Colibri Page Builder <= 1.0.334
Patched Versions: Colibri Page Builder 1.0.335
```

**Mitigation steps:** Update to Colibri Page Builder plugin version 1.0.335 or greater.

***

### The Plus Addons for Elementor — Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-9698
Number of Installations: 100,000+
Affected Software: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.15
Patched Versions: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce 6.3.16
```

**Mitigation steps:** Update to The Plus Addons for Elementor — Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin version 6.3.16 or greater.

***

### WPC Smart Wishlist for WooCommerce — Insecure Direct Object References (IDOR)

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11518
Number of Installations: 100,000+
Affected Software: WPC Smart Wishlist for WooCommerce <= 5.0.3
Patched Versions: WPC Smart Wishlist for WooCommerce 5.0.4
```

**Mitigation steps:** Update to WPC Smart Wishlist for WooCommerce plugin version 5.0.4 or greater.

***

### Real Cookie Banner: GDPR & ePrivacy Cookie Consent — Server Side Request Forgery (SSRF)

```
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-12136
Number of Installations: 100,000+
Affected Software: Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4
Patched Versions: Real Cookie Banner: GDPR & ePrivacy Cookie Consent 5.2.5
```

**Mitigation steps:** Update to Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin version 5.2.5 or greater.

***

### Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More — Server Side Request Forgery (SSRF)

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-10874
Number of Installations: 100,000+
Affected Software: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.1
Patched Versions: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More 3.0.2
```

**Mitigation steps:** Update to Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin version 3.0.2 or greater.

***

### Tutor LMS — eLearning and online course solution — Broken Access Control

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11564
Number of Installations: 100,000+
Affected Software: Tutor LMS – eLearning and online course solution <= 3.8.9
Patched Versions: Tutor LMS – eLearning and online course solution 3.9.0
```

**Mitigation steps:** Update to Tutor LMS — eLearning and online course solution plugin version 3.9.0 or greater.

***

### Widget Options — Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-10580
Number of Installations: 100,000+
Affected Software: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets <= 4.1.2
Patched Versions: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets 4.1.3
```

**Mitigation steps:** Update to Widget Options — Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin version 4.1.3 or greater.

***

### ShopLentor — WooCommerce Builder for Elementor & Gutenberg +21 Modules — All in One Solution (formerly WooLentor) — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-11823
Number of Installations: 100,000+
Affected Software: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) <= 3.2.4
Patched Versions: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) 3.2.5
```

**Mitigation steps:** Update to ShopLentor — WooCommerce Builder for Elementor & Gutenberg +21 Modules — All in One Solution (formerly WooLentor) plugin version 3.2.5 or greater.

***

### Event Tickets and Registration — Broken Authentication

```
Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2025-11517
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.26.5
Patched Versions: Event Tickets and Registration 5.26.6
```

**Mitigation steps:** Update to Event Tickets and Registration plugin version 5.26.6 or greater.

***

### Event Tickets and Registration — Broken Access Control

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-62027
Number of Installations: 90,000+
Affected Software: Event Tickets and Registration <= 5.26.3
Patched Versions: Event Tickets and Registration 5.26.4
```

**Mitigation steps:** Update to Event Tickets and Registration plugin version 5.26.4 or greater.

***

### Social Feed Gallery — Broken Access Control

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-10637
Number of Installations: 90,000+
Affected Software: Social Feed Gallery <= 4.9.2
Patched Versions: Social Feed Gallery 4.9.3
```

**Mitigation steps:** Update to Social Feed Gallery plugin version 4.9.3 or greater.

***

### Ajax Search Lite — Live Search & Filter — PHP Object Injection

```
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: PHP Object Injection
CVE: CVE-2025-48086
Number of Installations: 80,000+
Affected Software: Ajax Search Lite – Live Search & Filter <= 4.13.3
Patched Versions: Ajax Search Lite – Live Search & Filter 4.13.4
```

**Mitigation steps:** Update to Ajax Search Lite — Live Search & Filter plugin version 4.13.4 or greater.

***

### LearnPress — WordPress LMS Plugin — Broken Access Control

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11372
Number of Installations: 80,000+
Affected Software: LearnPress – WordPress LMS Plugin <= 4.2.9.3
Patched Versions: LearnPress – WordPress LMS Plugin 4.2.9.4
```

**Mitigation steps:** Update to LearnPress — WordPress LMS Plugin version 4.2.9.4 or greater.

***

### Featured Image from URL (FIFU) — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7400
Number of Installations: 80,000+
Affected Software: Featured Image from URL (FIFU) <= 5.2.7
Patched Versions: Featured Image from URL (FIFU) 5.2.8
```

**Mitigation steps:** Update to Featured Image from URL (FIFU) plugin version 5.2.8 or greater.

***

### Meta Tag Manager — Open Redirection

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Open Redirection
CVE: CVE-2025-5983
Number of Installations: 80,000+
Affected Software: Meta Tag Manager <= 3.2
Patched Versions: Meta Tag Manager 3.3
```

**Mitigation steps:** Update to Meta Tag Manager plugin version 3.3 or greater.

***

### ShopEngine Elementor WooCommerce Builder Addon — All in One WooCommerce Solution — Broken Access Control

```
Security Risk: Low
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-11888
Number of Installations: 70,000+
Affected Software: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4
Patched Versions: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution 4.8.5
```

**Mitigation steps:** Update to ShopEngine Elementor WooCommerce Builder Addon — All in One WooCommerce Solution plugin version 4.8.5 or greater.

***

### All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. — Bypass Vulnerability

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2025-58595
Number of Installations: 70,000+
Affected Software: All In One Login – WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. <= 2.0.8
Patched Versions: All In One Login – WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. 2.0.9
```

**Mitigation steps:** Update to All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. plugin version 2.0.9 or greater.

***

### Media Library Assistant — Arbitrary File Download

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Download
CVE: CVE-2025-11738
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.29
Patched Versions: Media Library Assistant 3.30
```

**Mitigation steps:** Update to Media Library Assistant plugin version 3.30 or greater.

***

### Product Filter by WBW — SQL Injection

```
Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-8416
Number of Installations: 60,000+
Affected Software: Product Filter by WBW <= 2.9.7
Patched Versions: Product Filter by WBW 2.9.8
```

**Mitigation steps:** Update to Product Filter by WBW plugin version 2.9.8 or greater.

***

### Product Filter by WBW — Broken Access Control

```
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2025-11269
Number of Installations: 60,000+
Affected Software: Product Filter by WBW <= 3.0.0
Patched Versions: Product Filter by WBW 3.0.1
```

**Mitigation steps:** Update to Product Filter by WBW plugin version 3.0.1 or greater.

***

### Quick Featured Images — Insecure Direct Object References (IDOR)

```
Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-11176
Number of Installations: 50,000+
Affected Software: Quick Featured Images <= 13.7.2
Patched Versions: Quick Featured Images 13.7.3
```

**Mitigation steps:** Update to Quick Featured Images plugin version 13.7.3 or greater.

***

### Bold Page Builder — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-7730
Number of Installations: 50,000+
Affected Software: Bold Page Builder <= 5.4.5
Patched Versions: Bold Page Builder 5.4.6
```

**Mitigation steps:** Update to Bold Page Builder plugin version 5.4.6 or greater.

***

### RSS Aggregator by Feedzy — Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator — Server Side Request Forgery (SSRF)

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Server Side Request Forgery (SSRF)
CVE: CVE-2025-11128
Number of Installations: 50,000+
Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 5.1.0
Patched Versions: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator 5.1.1
```

**Mitigation steps:** Update to RSS Aggregator by Feedzy — Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin version 5.1.1 or greater.

***

### Simple Banner — Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website — Cross Site Scripting (XSS)

```
Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12033
Number of Installations: 50,000+
Affected Software: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website <= 3.0.9
Patched Versions: Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website 3.1.0
```

**Mitigation steps:** Update to Simple Banner — Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin version 3.1.0 or greater.

***

## Themes

***

### Newsup — Broken Access Control

```
Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2025-8682
Number of Downloads: 2,613,735
Affected Software: Newsup <= 5.0.10
Patched Versions: Newsup 5.0.11
```

**Mitigation steps:** Update to Newsup theme version 5.0.11 or greater.

***

Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a [web application firewall](https://sucuri.net/website-firewall/) to help virtually patch known vulnerabilities and protect their website.
This error typically… [Read the Post](https://blog.sucuri.net/2024/05/fix-err_cert_date_invalid_error.html)  * [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Security Education](https://blog.sucuri.net/category/security-education)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2019/02/googlebot-or-a-ddos-attack.html) [Googlebot or a DDoS Attack?](https://blog.sucuri.net/2019/02/googlebot-or-a-ddos-attack.html)———————————————————————————————-* Northon Torga* February 12, 2019 A bot is a software application that uses automation to run scripts on the internet. Also called crawlers or spiders, these guys take on the… [Read the Post](https://blog.sucuri.net/2019/02/googlebot-or-a-ddos-attack.html)
Related Tags:
CVE-2025-11378
CVE-2025-11128
CVE-2025-58595
CVE-2025-11741
CVE-2025-10694
CVE-2025-12136
CVE-2025-11888
CVE-2025-12033
CVE-2025-11372
Associated Indicators:
4.2.9.4


