September 2025 WordPress Vulnerability & Patch Roundup

Stay updated on WordPress vulnerabilities and patch releases in September 2025. Learn risks, affected plugins/themes, and mitigation strategies to secure your site.

September 2025 WordPress Vulnerability & Patch Roundup

Staying informed about the latest WordPress vulnerabilities and patches is crucial for maintaining a secure website environment. Automated attacks exploiting known software weaknesses remain a leading cause of website compromises globally. In this article, we provide a comprehensive overview of the September 2025 WordPress security updates, focusing on recent vulnerabilities discovered in the core WordPress software, popular plugins, and themes.

Introduction to WordPress Security

With WordPress powering over 43% of all websites worldwide as of 2024 (W3Techs), securing this ecosystem is more important than ever. Vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and Broken Access Control enable attackers to steal sensitive information, alter website behavior, or take full control of websites.

This roundup highlights reported vulnerabilities during September 2025, along with the current status of fixes or mitigations. Notably, some vulnerabilities remain unpatched, underscoring the importance of risk awareness and alternative protective measures like web application firewalls (WAFs).

WordPress Core Vulnerabilities

Two medium-risk vulnerabilities were reported in WordPress Core during this period:

  • Sensitive Data Exposure (CVE-2025-58246): Exploitable by users with Contributor or higher permissions. Currently, no fix has been released. Administrators should monitor for forthcoming updates and apply recommended security best practices.
  • Cross-Site Scripting (XSS) (CVE-2025-58674): Requires Author or higher level authentication. No patches are available yet. Maintaining strict access control and vigilance is advised.

Key Vulnerabilities in Popular WordPress Plugins

September witnessed several critical and medium-risk vulnerabilities across widely used plugins. Below are notable examples:

All in One SEO Plugin

  • Over 3 million installations.
  • Sensitive Data Exposure (CVE-2025-58649) and Broken Access Control (CVE-2025-58650).
  • Both vulnerabilities require Contributor or higher authentication.
  • No official fixes currently released.

Given its widespread use, this represents a significant risk. Website owners should consider disabling the plugin or exploring alternative SEO solutions until patches become available.

The Events Calendar

  • Installed on more than 700,000 sites.
  • Broken Access Control (CVE-2025-9808) – No authentication required. Fixed in version 6.15.3.
  • SQL Injection (CVE-2025-9807) – No authentication required. Patched in version 6.15.1.1.

Due to the critical nature of these flaws, timely plugin updates are strongly recommended.

Ninja Forms

  • 600,000+ installations.
  • PHP Object Injection (CVE-2025-9083) with no authentication required; critical risk.
  • Fix available in version 3.11.1.

Fluent Forms

  • 600,000+ installations.
  • PHP Object Injection (CVE-2025-9260), requires Subscriber or higher authentication.
  • Patched in version 6.1.2.

Other Important Plugin Vulnerabilities

  • Admin Menu Editor: XSS (CVE-2025-9493), fixed in 1.14.1.
  • Post SMTP: Broken Access Control (CVE-2025-9219), patched in 3.4.2.
  • Sticky Header Effects for Elementor: Broken Access Control (CVE-2025-58251), no fix available.
  • Blocksy Companion: Cross-Site Scripting (CVE-2025-9565), fixed in 2.1.11.
  • SureForms: Broken Access Control (CVE-2025-10489), patched in 1.12.1.
  • Download Manager: XSS vulnerability (CVE-2025-10146), fixed in 3.3.24.
  • Tutor LMS: SQL Injection (CVE-2025-58993), high risk, patched in 3.8.0.
  • User Registration & Membership: SQL Injection (CVE-2025-9085), patched in 4.4.0.

These plugin vulnerabilities demonstrate the diverse risks affecting WordPress sites, ranging from data leaks to remote code execution. In a 2023 study, it was found that 55% of WordPress-related breaches stem from compromised plugins (WPScan 2023 Annual Report).

WordPress Themes Vulnerabilities

Themes are often overlooked, yet can harbor serious vulnerabilities. September updates identified multiple issues affecting popular themes:

  • OceanWP: Settings Change vulnerability (CVE-2025-8944), patched in 4.1.2.
  • Sydney Theme: Broken Access Control (CVE-2025-8999), fixed in version 2.57.
  • Themes such as ColorWay, ConsultStreet, Themia Lite, Dzonia Lite, and Cloriato Lite suffer from Sensitive Data Exposure (CVE-2025-59003) without patches currently available.
  • Other themes like Shk Corporate and SoftMe have Broken Access Control issues with no fixes.

Due to millions of downloads for these themes, any unpatched vulnerabilities pose serious security threats. Theme developers and site administrators must prioritize updates or consider alternative themes with ongoing security support.

Mitigation and Best Practices

Given the variety of vulnerabilities detected, the following strategies are crucial to maintaining WordPress security:

  1. Regularly Update Core, Plugins, and Themes: Most fixes are released through updates. Staying current minimizes exposure to known risks.
  2. Avoid Inactive or Unsupported Plugins and Themes: Vulnerabilities in less maintained components can linger indefinitely.
  3. Use Strong Authentication and Access Controls: Limiting permissions reduces risk from vulnerabilities requiring authenticated exploitation.
  4. Deploy a Web Application Firewall (WAF): WAFs can provide virtual patching for unpatched vulnerabilities by blocking exploit traffic.
  5. Conduct Regular Security Audits and Monitoring: Continuous scanning of websites helps detect suspicious activities early.

According to the 2024 Verizon Data Breach Investigations Report, 43% of breaches involve vulnerabilities with available patches that were not applied. This statistic underscores the fatal consequences of neglecting updates.

Conclusion

September 2025 introduced several critical and medium-risk vulnerabilities across the WordPress core, plugins, and themes. While patches are available for many of these issues, a number remain unaddressed, emphasizing the necessity for heightened vigilance and defensive strategies.

Staying proactive in applying security updates, auditing installed components, and leveraging tools like web application firewalls are essential steps to minimize risk. As WordPress continues to dominate the web, the security community must maintain collective awareness and rapid response to emerging threats.

For further details on specific vulnerabilities and recommended actions, referencing official CVE databases and vendor advisories is highly encouraged.