WordPress Security Vulnerabilities
August 2025
August brought plenty of new WordPress security issues, affecting both the core software and popular plugins. Some of these vulnerabilities are critical and leave sites wide open if left unpatched. To keep your site safe, it’s important to know which problems matter most and which updates you need to apply right away. This roundup gives you a clear overview so you can act quickly and avoid unnecessary risks.
WordPress Core: Quick Update
Version 6.5.5 just dropped on August 10, 2025, patching a serious REST API flaw that could’ve let attackers tamper with content or escalate privileges. A few other sneaky input validation and authorization bugs were also squashed. If you haven’t updated yet, drop what you’re doing and hit that button.
Big Plugin & Theme Alerts
1. Bit Form Builder (CVE-2025-6679) — Critical
A file upload bug in versions ≤ 2.20.4 lets unauthenticated attackers inject files—including PHP shells—leading to remote code execution. Ouch.
2. miniOrange Custom API Plugin (CVE-2025-54048) — High (CVSS 9.3)
Earlier versions (4.2.2 and below) are vulnerable to SQL injection. Update to 4.2.3 ASAP.
3. Plugins and Themes—It’s Raining Vulnerabilities
SolidWP reports 191 new vulnerabilities across August (174 in plugins, 17 in themes); 93 of them are already patched, but 98 remain unpatched.
Wordfence separately counts 161 plugin and theme vulnerabilities disclosed recently.
4. Mid-Year Trend Check
According to Patchstack, 6,700 new vulnerabilities were disclosed in H1 2025, with over 41% exploitable in the wild, often without authentication. Plugins are the main culprit (89% of cases).
What This Means for Site Owners
The biggest lesson from August is that plugins continue to be the weak spot in WordPress security. Critical flaws are often found in widely used tools, and attackers don’t wait long before trying to exploit them. For site owners, the most effective defense is simple: keep WordPress core, plugins, and themes fully updated. If you rely on a plugin that isn’t patched yet, consider whether you really need it; removing unused or outdated software is often the safest choice.
Final Word: Stay Sharp, Stay Secure
Update WordPress core to 6.5.5 ASAP.
Patch or uninstall Bit Form (≤ 2.20.4) and miniOrange API (≤ 4.2.2).
Audit plugins/themes regularly—prioritize high-severity CVEs.
Consider virtual patching or WAF protection for unpatched yet essential tools.
Keep your guard up—update fast, update often.
August was a busy month for WordPress security. Here’s a quick look at what happened and what you should do to keep your site safe.
Core WordPress Update
WordPress released version 6.5.5 on August 10.
It fixes a serious bug in the REST API that could let attackers mess with site content or gain higher access. A few smaller security issues were also patched.
If you haven’t updated yet, do it now.
Major Plugin Issues
Bit Form Builder: older versions (2.20.4 and below) had a flaw that let hackers upload dangerous files.
Fixed in version 2.20.5 — update immediately if you use this plugin.
miniOrange Custom API: versions up to 4.2.2 had a database bug (SQL injection) attackers could exploit.
Fixed in 4.2.3 — update if you run this plugin.
Security teams found over 190 issues this month across different plugins and themes.
About half are patched, half are still waiting.
Quick Checklist for Site Owners
Update WordPress core to 6.5.5.
Update or remove Bit Form Builder and miniOrange API if you use them.
Check all your plugins and themes for updates.
If a plugin you use is unpatched but essential, consider adding a web application firewall (WAF) for extra protection.
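The version checks in this checklist (and in the earlier "Final Word: Stay Sharp, Stay Secure" list) are easy to get wrong by comparing version strings alphabetically, so here is an added example, not code from this post, that audits `wp plugin list --format=json` output against the affected and fixed versions stated above. The plugin slugs `bit-form` and `custom-api-for-wp` are assumptions for illustration; verify the real slugs on your site before relying on them.

```python
import json
import re
from typing import List, Tuple

# Advisories from this roundup: slug -> (last affected version, fixed version).
# Slugs are assumed for this example; the version numbers are the ones the post states.
ADVISORIES = {
    "bit-form": ("2.20.4", "2.20.5"),         # CVE-2025-6679: unauthenticated file upload -> RCE
    "custom-api-for-wp": ("4.2.2", "4.2.3"),  # CVE-2025-54048: SQL injection
}
CORE_FIXED = "6.5.5"


def vtuple(version: str) -> Tuple[int, ...]:
    """Numeric version tuple, so 2.20.4 < 2.20.5 and 2.9 < 2.20 (string comparison gets the latter wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def core_needs_update(installed: str) -> bool:
    """True when the installed core version predates the 6.5.5 REST API fix."""
    return vtuple(installed) < vtuple(CORE_FIXED)


def audit_plugins(wp_plugin_list_json: str) -> List[dict]:
    """Flag plugins whose installed version is at or below the last affected version."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory is None:
            continue
        last_affected, fixed = advisory
        if vtuple(plugin["version"]) <= vtuple(last_affected):
            findings.append({
                "plugin": plugin["name"],
                "installed": plugin["version"],
                "fixed_in": fixed,
                # An inactive plugin still ships the vulnerable code on disk, so removal is the safer call.
                "action": "update" if plugin["status"] == "active" else "uninstall or update",
            })
    return findings


# Constructed sample in the shape of `wp plugin list --format=json` output (not from a real site).
SAMPLE = json.dumps([
    {"name": "bit-form", "status": "active", "update": "available", "version": "2.20.4"},
    {"name": "custom-api-for-wp", "status": "inactive", "update": "none", "version": "4.2.3"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for f in audit_plugins(SAMPLE):
        print(f"{f['plugin']} {f['installed']} is vulnerable: {f['action']} to {f['fixed_in']}")
```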
Final Word
The WordPress ecosystem is strong, but it’s also a big target. The easiest way to stay safe is simple:
Update fast, update often.