Vulnerability & Patch Roundup - October 2025

Sucuri's October 2025 WordPress roundup highlights several critical plugin vulnerabilities exploited in the wild. What's concerning: unauthenticated SQL injection in Product Filter by WBW (CVE-2025-8416) rated Critical, broken access control across multiple plugins (BackWPup, ShortPixel, SureForms), and numerous XSS flaws in popular addons. Many vulnerabilities require only Contributor or Subscriber authentication—relatively low-privilege accounts often given to guest bloggers or low-trust users. The WP Reset plugin exposed sensitive data with no auth required (CVE-2025-10645). Exploitation paths lead to site takeover, data exfiltration, and customer data theft. Shared hosting environments face amplified risk as vulnerabilities cascade across multiple sites. The roundup covers 40+ plugin/theme vulnerabilities affecting installations ranging from 50K to 2M+ sites.

📂 Cms

October 2025 WordPress: Critical SQL Injection + 40+ Plugin CVEs