CVE-2025-9816 is a critical stored cross-site scripting vulnerability in the widely used WP Statistics plugin (600k+ installs) that permits an attacker to persist a crafted User-Agent string into the plugin’s device model field and later execute arbitrary JavaScript inside the wp-admin interface when an administrator views the Devices → Device Models report. The root cause is a chain of weak protections: the UA string is lightly normalized by the parser but not fully sanitized or context-escaped before being stored and rendered, and the admin table renders the model value both into a text node and into an HTML attribute (title) without esc_html()/esc_attr() or equivalent context-aware escaping. Because administrators have high privileges and valid nonces in their browser context, any JavaScript that executes there can steal cookies, nonces, or trigger privileged actions—turning a seemingly low-signal analytics record into a direct path to full site takeover.
CVE-2025-10357 – Simple SEO – Stored XSS – POC

Simple SEO is a lightweight WordPress plugin that generates and manages SEO meta tags (title, meta description, keywords), supports quick-edit, sitemap generation and imports from other SEO plugins. In versions up to 2.0.32, the plugin contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-10357) that allows a user with Contributor (or higher) privileges to store malicious HTML/JS inside the plugin’s SEO fields (HTML-encoded Title). The injected script executes later when the field is rendered, potentially in the context of administrators or other privileged users.
CVE-2025-8282 – SureForms – Stored XSS – POC

CVE-2025-8282 affects the widely used SureForms plugin, with over 300,000 active installations, and revolves around a stored cross-site scripting flaw that undermines the integrity of form labels. SureForms allows Editors and Administrators to build complex forms using text blocks with customizable labels and placeholders. However, by embedding malicious JavaScript into the “Label” field when the “Use Labels as Placeholders” option is enabled, an attacker with Editor-level permissions can store a payload that executes whenever any user hovers over the affected form element. This vulnerability leverages the high-privilege context granted to Editors, turning a benign form builder feature into a powerful vector for account takeover and persistent backdoors.
CVE-2025-9331 – Spacious [THEME] – Missing Authorization to Authenticated (Subscriber+) Demo Data Import – POC
CVE-2025-9331 impacts the widely used Spacious WordPress theme, currently active on over 30,000 sites. At its core lies a missing authorization check in the theme’s demo data import functionality. Normally, executing the “Import Demo Data” operation should be restricted to high-privileged users such as Administrators or Editors. However, due to an exposed nonce delivered via wp_localize_script, even Subscriber-level accounts can trigger the import_button AJAX action, enabling them to import arbitrary demo content and potentially manipulate site configuration or inject malicious data without proper oversight.
CVE-2025-8592 – Inspiro [THEME] – Unauth CSRF Leads to Arbitrary Plugin Upload and Remote Code Execution – POC
CVE-2025-8592 affects the popular Inspiro WordPress theme, which has amassed over 100,000 active installations. This vulnerability arises from an unauthenticated Cross-Site Request Forgery (CSRF) flaw in the theme’s AJAX handlers, specifically the inspiro_install_plugin action. By tricking an unsuspecting site administrator into visiting a malicious page, an attacker can silently install and activate plugins of their choosing from the official WordPress repository. If the forced plugin contains file-upload capabilities or known security weaknesses, the attacker can achieve full remote code execution (RCE) on the compromised site.
CVE-2025-9202 – ColorMag [THEME] – Missing Authorization to Authenticated (Subscriber+) Plugin Installation – POC
ColorMag is a widely used WordPress theme known for its magazine-style layouts and robust customization options, currently active on over 50,000 sites. It offers a seamless “import demo content” feature that loads theme demo data and recommended plugins via an AJAX action named import_button. However, a serious security flaw—CVE-2025-9202—has been discovered: the theme exposes the required nonce to Subscriber+ users through wp_localize_script, yet fails to enforce any capability checks. As a result, low-privileged users can invoke the import routine and install arbitrary plugins without proper authorization.
CVE-2025-8085 – Ditty – Unauthenticated SSRF – POC

Ditty is a popular WordPress plugin for creating dynamic content displays—tickers, charts, and news feeds—through a user-friendly block editor interface. With over 50,000 active installations, it’s widely used to embed real-time data and media into pages and posts. However, a critical vulnerability—CVE-2025-8085—has been identified in its REST API: an unauthenticated Server-Side Request Forgery (SSRF) flaw in the endpoint wp-json/dittyeditor/v1/displayItems. This allows any unauthenticated visitor to coerce the server into fetching arbitrary external or internal URLs, potentially exposing internal network resources or enabling further exploits like remote code execution or data exfiltration.
CVE-2025-9111 – WPBOT – Stored XSS – POC

WPBot is a WordPress plugin that provides an AI-powered chatbot for websites, enabling live chat support, lead generation, and data collection. It integrates with OpenAI, ChatGPT, and other LLM services, while also offering built-in automated support without external AI dependencies.
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in WPBot Lite that allows users to inject malicious scripts via the FAQ Builder, affecting users with sufficient access (such as contributors or admins reviewing FAQs). This vulnerability can lead to account compromise, data exfiltration, and site takeover.
CVE-2025-8891 – OceanWP [THEME] – Cross-Site Request Forgery to Ocean Extra Plugin Installation – POC
OceanWP is a widely adopted WordPress theme, boasting over 50,000 active installations thanks to its performance-optimized code and extensive customization options. To further extend its capabilities, it relies on a companion plugin, Ocean Extra, which adds demo import, custom widgets, and additional theme settings. However, a critical vulnerability—CVE-2025-8891—has been discovered: an unauthenticated Cross-Site Request Forgery (CSRF) flaw that allows any visitor to invoke the oceanwp_notice_button_click AJAX action. This function, when called, automatically installs or activates the Ocean Extra plugin, effectively granting low-privileged users the ability to install new code on the site without any consent or proper authorization checks.
CVE-2025-8595 – Zakra [THEME] – Missing Authorization to Subscriber+ Demo Import – POC
The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.