October 2025 WordPress: Critical SQL Injection + 40+ Plugin CVEs
Category: Advisory / CMS
Sucuri's October 2025 WordPress roundup highlights several critical plugin vulnerabilities exploited in the wild. What's concerning: unauthenticated SQL injection in Product Filter by WBW (CVE-2025-8416) rated Critical, broken access control across multiple plugins (BackWPup, ShortPixel, SureForms), and numerous XSS flaws in popular addons. Many vulnerabilities require only Contributor or Subscriber authentication—relatively low-privilege accounts often given to guest bloggers or low-trust users. The WP Reset plugin exposed sensitive data with no auth required (CVE-2025-10645). Exploitation paths lead to site takeover, data exfiltration, and customer data theft. Shared hosting environments face amplified risk as vulnerabilities cascade across multiple sites. The roundup covers 40+ plugin/theme vulnerabilities affecting installations ranging from 50K to 2M+ sites.
CORTEX Protocol Intelligence Assessment
WordPress plugin security remains a persistent weak point—the ecosystem's openness enables rapid feature development but introduces continuous vulnerability churn. The SQL injection in Product Filter by WBW is particularly nasty: Critical severity with no auth required, making it prime for automated exploitation. Several plugins with 300K+ installations have XSS or broken access control requiring only Contributor access. The Newsup theme vulnerability (2.6M downloads) affects Subscriber-level accounts.
Strategic Intelligence Guidance
- Critical: Product Filter by WBW SQL injection (CVE-2025-8416) - no authentication required
- High: WP Reset sensitive data exposure (CVE-2025-10645) - no authentication required
- Medium: 30+ XSS, broken access control, IDOR vulnerabilities across popular plugins
- Common requirement: Contributor, Subscriber, or Author authentication levels
- Impact range: 50K to 2M+ installations per affected plugin
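The three defect classes the roundup keeps returning to (SQL injection, broken access control reachable by Subscriber or Contributor accounts, and XSS) tend to come from the same handful of coding patterns in plugin AJAX handlers. The following is an added, illustrative PHP example written for this page; it is not code from Product Filter by WBW, WP Reset, or any other plugin named above, and the plugin prefix `demo_`, the `edit_products` capability, and the nonce name are hypothetical. It shows a weak handler beside its hardened form so the points of difference are visible in one place.

```php
<?php
/**
 * Illustrative WordPress AJAX handler showing the three defect classes from the
 * October 2025 roundup (SQL injection, broken access control, XSS) beside the
 * hardened form. Hook names, capability and prefix are hypothetical; this is
 * NOT code from Product Filter by WBW, WP Reset or any other named plugin.
 */

// --- Weak pattern (do not ship): any logged-in user, raw SQL, unescaped output.
function demo_filter_products_weak() {
    global $wpdb;
    // is_user_logged_in() alone admits Subscriber-level accounts: there is no
    // capability check and no nonce, so any low-privilege account reaches this.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $term = $_GET['term']; // untrusted input used as-is
    // String interpolation into SQL is the classic injection sink.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%' AND post_type = 'product'"
    );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->post_title . '</li>'; // unescaped output: XSS sink
    }
    wp_die();
}

// --- Hardened pattern: capability + nonce, prepared statement, escaped output.
function demo_filter_products_hardened() {
    global $wpdb;

    // 1. Access control: require a specific capability rather than just a session,
    //    then verify the nonce so the request originated from this plugin's own UI.
    if ( ! current_user_can( 'edit_products' ) ) { // hypothetical capability name
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'demo_filter_nonce', 'nonce' ); // dies on failure

    // 2. SQL injection: sanitise the input, escape LIKE wildcards, bind via prepare().
    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_type = %s LIMIT %d",
        $like,
        'product',
        50
    );
    $rows = $wpdb->get_results( $sql );

    // 3. XSS: escape at the output boundary, never trust stored titles.
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'id'    => (int) $row->ID,
            'title' => esc_html( $row->post_title ),
        );
    }
    wp_send_json_success( $items );
}

// Only the hardened handler is registered. Using wp_ajax_ (not wp_ajax_nopriv_)
// keeps the endpoint unreachable without a session; the capability check above
// then decides which sessions may actually use it.
add_action( 'wp_ajax_demo_filter_products', 'demo_filter_products_hardened' );
```

When reviewing a plugin against the roundup's findings, the three lines to look for are the authorization gate (`current_user_can` with a meaningful capability, plus `check_ajax_referer`), the query construction (`$wpdb->prepare` with `%s`/`%d` placeholders and `esc_like` for `LIKE` terms), and the output escaping (`esc_html`, `esc_attr`, or JSON responses rather than raw `echo`). A handler that relies on `is_user_logged_in()` alone is exactly the shape that turns a Subscriber account into the "low-privilege but sufficient" foothold the roundup describes.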
Intelligence Source: Vulnerability & Patch Roundup - October 2025 | Nov 1, 2025