WordPress Security Vulnerabilities
July 2025
The WordPress ecosystem remains a prime target for attackers because of its market share and its dependence on third-party plugins and themes. Hundreds of new vulnerabilities are disclosed every month, from low-impact flaws to critical bugs that are exploited before a fix is available. Staying informed and patching promptly is the baseline for keeping sites secure, not a guarantee on its own. This report summarizes the most notable vulnerabilities and trends from July 2025.
Summary of This Month’s Vulnerabilities
1. Forminator Plugin (CVE-2025-6463)
A critical arbitrary file deletion flaw in Forminator up to and including version 1.44.2 (CVSS 8.8), with more than 600,000 active installations. An attacker could delete arbitrary files on the server, including wp-config.php; with that file gone, WordPress falls back to its installation wizard, which an attacker can complete against a database they control and so take over the site. Version 1.44.3, released on June 30, 2025, fixes the issue; update immediately.
2. HT Contact Form Plugin (Arbitrary File Upload and Deletion)
Disclosed on June 24, an arbitrary file upload and deletion vulnerability in HT Contact Form affects roughly 10,000 sites. Unrestricted upload of attacker-chosen files is normally enough on its own for remote code execution, so treat this as urgent: apply the vendor's patch, or deactivate the plugin if you cannot update right away.
3. Gravity Forms Supply Chain Compromise
On July 9–10, trojanized builds of versions 2.9.11.1 and 2.9.12 were briefly served to manual downloads and Composer installs. The injected code allowed remote code execution, exfiltrated site metadata, and could create unauthorized administrator accounts. Automatic updates delivered through the Gravity API were not affected. The clean release is 2.9.13; anyone who obtained 2.9.11.1 or 2.9.12 manually or via Composer in that window should reinstall from a clean package and review the site for unknown admin users and other signs of compromise, since the backdoor could run arbitrary code on the server.
Ecosystem-Wide Overview
SolidWP report (as of July 16): 109 new issues (89 plugins, 20 themes); 65 patched, 44 still unpatched.
WP Scout report (July 23): 167 new vulnerabilities (162 plugins, 5 themes); 125 patched, 42 still unpatched.
Wordfence Intelligence (July 14–20): 140 vulnerabilities across 120 plugins and 5 themes disclosed in a single week.
Patchstack (trailing 30 days): 584 vulnerabilities reported, 416 of them by independent researchers.
These feeds overlap and cover different windows, so the figures are not additive. The consistent signal is that between a quarter and two fifths of newly disclosed issues (42 of 167 and 44 of 109) had no patch available at the time of the report, which is why the deactivate-or-virtually-patch steps below matter.
Critical Updates & Actions
Key mitigations:
Update Forminator to 1.44.3 or later immediately.
Patch HT Contact Form, or remove it if you cannot apply the fixed release.
For Gravity Forms installed manually or via Composer: confirm the version is 2.9.13 or later, and if 2.9.11.1 or 2.9.12 was ever present, check for administrator accounts you did not create.
Audit every installed plugin and theme against this month's disclosures and update what is affected.
Temporarily deactivate any unpatched plugin or theme until a fix ships. Deactivation only stops WordPress from loading the plugin; its files stay on disk and remain web-reachable, so flaws triggered by requesting a plugin file directly are best closed by deleting the plugin altogether.
Virtual patching (Patchstack, Wordfence, Solid Security Pro and similar) blocks known exploit traffic at the firewall layer and buys time, but it is interim protection, not a substitute for the update.
WordPress Core Notice: Legacy Versions Dropped
As of July 2025, WordPress versions 4.1 through 4.6 no longer receive security updates from the WordPress Security Team. They are effectively end-of-life: any vulnerability found in them from now on stays open, and the roughly 1% of sites still running them are exposed with no further upstream fix.
If any of your clients are still on these versions, or on outdated PHP or MySQL stacks underneath them, plan the upgrade now rather than after the next disclosure. The usual sequence is a full backup, a PHP version compatible with current WordPress, then the core update rehearsed on a staging copy before production.
Recommended Action Plan
Urgent Updates:
Forminator → 1.44.3 or later
Gravity Forms → 2.9.13 or later (reinstall from a clean package if 2.9.11.1 or 2.9.12 was installed manually or via Composer)
HT Contact Form → patched, or deactivated until it can be patched
Review the weekly reports (SolidWP, WP Scout, Wordfence, Patchstack) for additional plugin and theme risks.
Deactivate or replace any unpatched plugins or themes until vendor patches arrive.
Enable virtual patching if you use Patchstack, Wordfence Premium or Solid Security Pro, and keep the real updates flowing behind it.
Audit older WordPress core installs for versions 4.1–4.6 and schedule an upgrade to a supported release.
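The version checks in Critical Updates & Actions, the core end-of-life notice and this action plan can be run against a site with WP-CLI. The script below is an added example written for this report, not code from WordPress or from any vendor named here. It assumes WP-CLI is on PATH as "wp" and that the script runs from the site root; the slugs "forminator" and "gravityforms" are assumed to match WP-CLI's "name" column, and HT Contact Form is matched on a slug starting with "ht-contact", which is also an assumption. When "wp" is not available it falls back to a constructed sample so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example for this report, not vendor or WordPress code.
# Assumptions: WP-CLI is installed as "wp" and this runs from the site root;
# "forminator" and "gravityforms" are the slugs WP-CLI prints in its "name"
# column; HT Contact Form's slug is assumed to start with "ht-contact".
set -u

# vercmp A B: prints lt, eq or gt for dotted numeric versions (e.g. 1.44.2 vs 1.44.3).
# Missing trailing components count as 0, so 2.9 equals 2.9.0.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && { echo lt; return 0; }
    [ "$x" -gt "$y" ] && { echo gt; return 0; }
  done
  echo eq
}

# assess SLUG VERSION: one-line verdict for an installed plugin against the
# July 2025 items summarized on this page.
assess() {
  case $1 in
    forminator)
      # CVE-2025-6463, arbitrary file deletion, fixed in 1.44.3.
      if [ "$(vercmp "$2" 1.44.3)" = lt ]; then
        echo "VULNERABLE: CVE-2025-6463, update to 1.44.3 or later"
      else
        echo "OK"
      fi ;;
    gravityforms)
      # 2.9.11.1 and 2.9.12 are the two trojanized builds served on July 9-10.
      case $2 in
        2.9.11.1|2.9.12)
          echo "COMPROMISED: trojanized build, reinstall 2.9.13 or later and check for unknown admin users" ;;
        *)
          if [ "$(vercmp "$2" 2.9.13)" = lt ]; then
            echo "UPDATE: below 2.9.13"
          else
            echo "OK"
          fi ;;
      esac ;;
    ht-contact*)
      # No fixed version is given on this page, so every install is flagged for review.
      echo "REVIEW: arbitrary file upload/deletion flaw, apply vendor patch or deactivate" ;;
    *)
      echo "UNLISTED: not covered by this report, check your vulnerability feed" ;;
  esac
}

# core_status VERSION: flags core releases that no longer get security updates.
# 4.1-4.6 were dropped in July 2025; anything older was dropped before that.
core_status() {
  if [ "$(vercmp "$1" 4.7)" = lt ]; then
    echo "END-OF-LIFE: no security updates, upgrade to a supported release"
  else
    echo "OK: 4.7 or later"
  fi
}

# audit_csv: reads WP-CLI's "name,version" CSV on stdin, prints one verdict per plugin.
audit_csv() {
  tail -n +2 | while IFS=, read -r name ver; do
    printf '%-18s %-10s %s\n' "$name" "$ver" "$(assess "$name" "$ver")"
  done
}

if command -v wp >/dev/null 2>&1; then
  core=$(wp core version)
  echo "core $core -> $(core_status "$core")"
  wp plugin list --fields=name,version --format=csv | audit_csv
else
  # Constructed sample standing in for WP-CLI output; versions chosen to hit each branch.
  echo "core 4.6.2 -> $(core_status 4.6.2)"
  printf '%s\n' 'name,version' 'forminator,1.44.2' 'gravityforms,2.9.12' \
    'ht-contact-form,1.0.0' 'example-plugin,3.2.1' | audit_csv
fi
```

Run it from the site root of each installation you manage (for example in a loop over a list of document roots), and treat any COMPROMISED line as an incident rather than a patching task: a trojanized Gravity Forms build could already have created accounts or dropped other files before the clean version was installed.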
Conclusion
July 2025 was a busy month for WordPress security, with multiple critical plugin vulnerabilities, a supply chain attack, and the official end-of-life for several older core versions. Keeping your websites safe requires a proactive approach: monitor vulnerabilities, apply patches quickly, and retire outdated software. If you’re managing multiple sites, consider implementing a robust monitoring and virtual patching solution to minimize the window of exposure. By staying vigilant, you can significantly reduce the risk of compromise and maintain your site’s integrity.
Plain-Language Summary
WordPress sites were hit with several serious security issues this month. Here’s what you need to know and do:
Main Issues This Month
Forminator Plugin – Critical bug that could let hackers delete important files and take over your site. Fix: Update to version 1.44.3.
HT Contact Form Plugin – Security hole could let attackers upload or delete files. Fix: Update or remove the plugin.
Gravity Forms – Two tampered builds (2.9.11.1 and 2.9.12) were briefly distributed. Fix: Update to 2.9.13 or later if you installed manually or via Composer, and check for admin accounts you did not create.
Bigger Picture
Over 500 vulnerabilities were reported in plugins and themes this month.
Many were fixed quickly, but some remain unpatched.
What You Need to Do
Update immediately: Forminator, HT Contact Form, and Gravity Forms.
Check all plugins and themes and update them.
Remove or replace anything with no patch available.
If you still run WordPress versions 4.1–4.6, upgrade now – these versions no longer get security updates.
Final Thoughts
July 2025 saw a big wave of plugin security problems and even a supply chain attack. The best way to protect your site is to keep everything updated and remove old software. If you manage many sites, consider using security tools that block attacks while you patch.