July 2025 WordPress Vulnerability and Patch Overview

In the fast-evolving landscape of website security, staying updated on vulnerability disclosures and patches is vital to safeguarding your WordPress environment. Automated cyberattacks frequently exploit known vulnerabilities in plugins and themes to compromise websites, emphasizing the importance of robust security hygiene.

Introduction to WordPress Security Risks

WordPress, powering over 40% of all websites globally according to W3Techs (2025), remains a core target for cyber attackers due to its vast ecosystem of plugins and themes. Vulnerabilities like Cross-Site Scripting (XSS), SQL Injection, Arbitrary File Upload, and Broken Access Control are among the most prevalent threats that hackers leverage to execute unauthorized actions or data breaches.

Ensuring your WordPress setup is patched promptly not only minimizes security risks but also reinforces site reliability and user trust. This article summarizes critical vulnerabilities discovered in July 2025, offering insights into the nature of these issues and their mitigations.

Key Vulnerabilities in WordPress Plugins and Themes (July 2025)

The following sections detail major vulnerabilities identified in popular WordPress plugins and themes this month. Each entry includes the type of vulnerability, risk level, exploitation conditions, affected installations, and remediation steps.

Cross-Site Scripting (XSS) Vulnerabilities

• Elementor Website Builder (CVE-2025-4566): Over 10 million installations affected by medium-risk XSS vulnerability exploitable by users with Contributor or higher roles. Fixed in version 3.30.3.
• Essential Addons for Elementor (CVE-2025-6244): Medium-risk XSS affecting 2 million+ installations, requiring Contributor+ authentication. Patched in 6.1.20.
• Premium Addons for Elementor (CVE-2024-11937): Over 700,000 sites impacted by medium-risk XSS exploitable with Contributor-level access. Update to 4.10.70.
• Contact Form 7 Database Addon – CFDB7 (CVE-2025-6740): High-risk XSS vulnerability with no authentication required, affecting 600,000+ sites. Patched in 1.3.2.

SQL Injection Vulnerabilities

• Forminator Forms (CVE-2025-7638): High-risk SQL Injection vulnerability exploitable by Administrator or higher users, present in 600,000+ installations. Fixed in version 1.45.1.
• Events Manager (CVE-2025-6970): Critical SQL Injection flaw with no authentication required, affecting 80,000+ sites. Resolved in version 7.0.4.

Arbitrary File Operations and Object Injection

• WPvivid Backup & Migration (CVE-2025-5961): Critical Arbitrary File Upload vulnerability requiring Administrator access, observed in 700,000+ sites. Patch available in 0.9.117.
• Forminator Forms (CVE-2025-6463, CVE-2025-6464): High-risk Arbitrary File Deletion and PHP Object Injection vulnerabilities without authentication needed, impacting 600,000+ installations. Fixed in 1.44.3.
• JetFormBuilder (CVE-2025-53990): PHP Object Injection with Administrator-level access, affecting 80,000+ installs. Patched in 3.5.2.
• SureForms (Multiple CVEs): Includes Arbitrary File Deletion, PHP Object Injection, and XSS vulnerabilities with no authentication needed on 200,000+ sites. Patched in versions 1.7.2 to 1.7.4.

Broken Authentication and Access Control

• Post SMTP (CVE-2025-24000): High-risk broken authentication affecting 400,000+ sites, requiring Subscriber or higher roles. Fixed in version 3.3.0.
• Brizy – Page Builder (CVE-2025-4370): Medium-risk broken access control with no authentication needed on 80,000+ installs. Patched in 2.6.21.
• Stop User Enumeration (CVE-2025-4302): Medium-risk bypass vulnerability without authentication required, impacting 50,000+ installations. Patched in 1.7.3.
• Hestia Theme (CVE-2025-53986): Medium-risk broken access control without authentication, with over 4.4 million downloads. Patch issued in 3.2.11.

Themes with Noted Vulnerabilities

• Educenter Theme (CVE-2025-5529): Medium-risk XSS vulnerability, requiring Contributor+ authentication, affecting 175,744 downloads. Currently no fix available.

Mitigating WordPress Security Risks

To reduce the risk of exploitation, website administrators should adopt a proactive security posture encompassing the following:

• Regular Software Updates: Consistently update WordPress core, plugins, and themes to their latest secure versions.
• Least Privilege Access: Limit user permissions to only what is necessary to minimize exploitation potential.
• Use Web Application Firewalls (WAFs): Tools such as virtual patching can protect sites from known vulnerabilities even when updates are delayed.
• Backup and Recovery Planning: Maintain secure and tested backups to enable quick recovery from incidents.
• Monitor Security Advisories: Stay informed by following security blogs and vulnerability databases such as WPScan, CVE Details, and vendor advisories.

Importance of Responsible Disclosure

Vulnerability reports and responsible disclosures play a crucial role in the WordPress security ecosystem. By notifying developers and the community promptly, researchers enable timely patches, thereby reducing the attack surface and potential compromises.

According to WPScan’s 2024 WordPress Security Report, over 50% of successful WordPress site compromises occur due to outdated plugins and themes with known vulnerabilities. This underscores the indispensable role of patch management and security awareness.

Conclusion

July 2025’s patch roundup reinforces the persistent evolution of WordPress vulnerabilities, especially in widely used plugins and themes. Cross-Site Scripting and SQL Injection remain prevalent risks requiring immediate attention.

By maintaining current software versions and employing layered security measures like web application firewalls, WordPress site owners can substantially mitigate these security threats and protect their digital assets.

Staying vigilant and informed is the best defense in today’s cybersecurity landscape.