WordPress Security Vulnerabilities
September 2025
WordPress continues to dominate the CMS market, powering more than 40% of all websites. But with its massive plugin and theme ecosystem, vulnerabilities are discovered almost daily. September 2025 has been a particularly active month, with several high-impact disclosures in both WordPress core and third-party plugins.
This article summarizes the key security issues reported in September, highlights their potential impact, and provides recommendations for keeping your site secure.
WordPress Core Vulnerabilities
Two vulnerabilities in WordPress core (versions ≤ 6.8.2) were disclosed in September without patches being available at the time of disclosure:
CVE-2025-58246 — Input Validation / Sensitive Data Exposure
A flaw in input validation may allow Author-level users to extract configuration or user data.
Status: Unpatched.
CVE-2025-58674 — Stored Cross-Site Scripting (XSS)
Author-level users can inject malicious JavaScript that executes in other users’ browsers (including admins).
Status: Unpatched.
Both disclosures were made public prematurely, leaving site owners exposed until the official WordPress security team issues fixes.
Plugin and Theme Vulnerabilities
While the core issues drew attention, the majority of September’s vulnerabilities came from plugins and themes:
Paid Memberships Pro — SQL Injection (CVE-2025-3987)
Allowed attackers to run arbitrary SQL queries against the database. Patched in version 2.9.1.
Everest Forms — Privilege Escalation
Allowed unauthorized users to gain elevated capabilities or admin-level access. Patch released.
Broader trends
Sept 1–7: 191 new vulnerabilities (178 plugins + 7 themes).
Sept 8–14: 99 new vulnerabilities (89 plugins + 12 themes).
Common flaws: XSS, CSRF, missing authorization checks, SQL injection, file upload vulnerabilities.
Many vulnerabilities remain unpatched at the time of reporting.
Risks and Impacts
Privilege escalation — Attackers can move from low-privilege accounts to full admin access.
Data leakage — Sensitive information (credentials, config files) may be exposed.
Site takeover — Exploits in SQLi or file upload vulnerabilities can grant attackers full control.
Extended exposure windows — Public disclosures without patches increase the risk of active exploitation.
Recommendations for Site Owners
Patch quickly — Apply plugin and theme updates as soon as they are released.
Restrict privileges — Minimize Author/Contributor access until the WordPress core issues are patched.
Audit installed plugins and themes — Remove inactive or unmaintained ones.
Use a WAF or virtual patching — Mitigate exploitation while waiting for official patches.
Enable monitoring — Track file changes, privilege escalations, and suspicious logins.
Maintain backups — Test restore procedures regularly.
Test in staging — Verify updates in a safe environment before pushing to production.
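The monitoring item above ("track file changes") can be implemented with a plain hash baseline. The script below is an added example written for this article, not code from the page or from WordPress; the install root, the baseline location and the small sample tree in demo() are constructed. It goes one step beyond the bullet by treating wp-content/uploads specially: media files there are ignored because they change constantly, but any file with an executable extension under uploads is tracked, since that is where abuse of a file-upload flaw typically leaves its trace.

```python
"""File-integrity baseline and change report for a WordPress install.

Added example for the "Enable monitoring" recommendation; it is not code from
the original article. The install root, baseline location and the sample tree
in demo() are constructed for this demonstration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Media uploads change all the time, so under wp-content/uploads only files
# with executable extensions are tracked: a PHP file appearing there is the
# classic footprint of a file-upload vulnerability being abused.
UPLOADS_PREFIX = "wp-content/uploads/"
EXEC_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}


def should_track(rel_path: str) -> bool:
    """Decide whether a file (path relative to the install root) is monitored."""
    if rel_path.startswith(UPLOADS_PREFIX):
        return Path(rel_path).suffix.lower() in EXEC_SUFFIXES
    return True


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each tracked file (POSIX path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if should_track(rel):
                baseline[rel] = sha256_of(full)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Report paths that were added, removed, or whose content hash changed."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    # In production keep this file (and a hash of it) outside the web root,
    # otherwise an attacker who can write files can also rewrite the baseline.
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a tiny constructed install, take a baseline, mutate it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wordpress"
        plugin_dir = root / "wp-content" / "plugins" / "demo-plugin"
        uploads = root / "wp-content" / "uploads"
        plugin_dir.mkdir(parents=True)
        uploads.mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed config\n")
        (plugin_dir / "demo.php").write_text("<?php // demo plugin v1\n")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes since the baseline was taken:
        (plugin_dir / "demo.php").write_text("<?php // demo plugin v2\n")  # edited
        (plugin_dir / "extra.php").write_text("<?php\n")                   # new code file
        (uploads / "unexpected.php").write_text("<?php\n")                 # PHP inside uploads
        (uploads / "photo2.jpg").write_bytes(b"\xff\xd8\xff")              # media, not tracked
        (root / "wp-config.php").unlink()                                  # removed

        return diff_baseline(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Run it once after a clean install or a verified update to write the baseline, then on a schedule; any "added" or "modified" entry under wp-admin, wp-includes or a plugin directory that does not line up with an update you performed deserves a look, and a new PHP file under uploads should be treated as an incident until proven otherwise.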
Conclusion
September 2025 has been one of the busiest months for WordPress vulnerability disclosures this year. With two unpatched flaws in WordPress core and nearly 300 plugin and theme vulnerabilities reported in just the first half of the month, the risks are high for unmaintained sites.
Site owners should be proactive: update frequently, reduce unnecessary plugins, and invest in monitoring and security controls. The cost of patching quickly is far lower than recovering from a compromised website.
September was a busy month for WordPress security. Two problems were found in WordPress itself, and nearly 300 plugin and theme issues were reported. Some fixes are available, but a few important problems are still unpatched.
WordPress Core Problems
Two security flaws affect WordPress version 6.8.2 and below:
Sensitive Data Exposure – Users with “Author” access or higher could see hidden information.
Stored XSS – Authors could insert malicious code that runs in other users’ browsers.
Status: Not yet fixed. Website owners should be extra careful until an update is released.
Plugin and Theme Problems
Plugins and themes continue to be the biggest risk. Highlights from September:
Paid Memberships Pro – Had a database injection bug. Fixed in version 2.9.1.
Everest Forms – Had a bug that let attackers gain higher privileges. Fixed.
In total:
Early September (1–7): 191 vulnerabilities.
Second week (8–14): 99 vulnerabilities.
Most issues were XSS, SQL injection, missing checks, or unsafe file uploads.
Some plugins and themes are still unpatched.
What This Means
If your site uses vulnerable plugins or outdated WordPress versions:
Hackers could steal data.
Low-level accounts (like authors) could turn into full admin accounts.
In the worst cases, attackers could take over the entire site.
What To Do
Update fast – Install plugin, theme, and WordPress updates right away.
Review plugins – Remove unused or abandoned ones.
Limit user access – Give the lowest possible role to each user.
Add protection – Use a security plugin or Web Application Firewall.
Back up your site – Make sure you can restore quickly if something goes wrong.
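The "Review plugins" and "Update fast" items can be turned into a repeatable check against the inventory WP-CLI exports. The following is an added example, not code from the article or from WP-CLI; the inventory JSON is constructed in the shape that `wp plugin list --format=json` prints (name, status, update, version), and the ADVISORIES map is something an operator would maintain from vulnerability feeds. The only advisory entry shown, Paid Memberships Pro fixed in 2.9.1, is the version the article names; the plugin slugs other than that one are sample data.

```python
"""Triage of a WordPress plugin inventory exported with WP-CLI.

Added example for the "Review plugins" and "Update fast" advice; it is not
code from the original article or from WP-CLI. Input is JSON in the shape
`wp plugin list --format=json` prints (the record below is constructed), and
ADVISORIES is an operator-maintained map of slug -> first fixed version.
"""
import json

# Constructed inventory in WP-CLI's JSON shape (name, status, update, version).
SAMPLE_INVENTORY_JSON = """[
  {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
  {"name": "paid-memberships-pro", "status": "active", "update": "available", "version": "2.8.4"},
  {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
  {"name": "demo-forms", "status": "active", "update": "available", "version": "3.0.1"}
]"""

# Slug -> first release that contains the fix. Paid Memberships Pro 2.9.1 is
# the fixed version named in the article; the slug is its wordpress.org slug.
ADVISORIES = {"paid-memberships-pro": "2.9.1"}

# Lower number = handle first.
PRIORITY = {"known-vulnerable": 0, "update-available": 1, "inactive": 2}


def version_tuple(version: str, width: int = 4) -> tuple:
    """Turn '2.9.1' / '5.3' / '1.2.3-beta' into a fixed-width integer tuple.

    Zero padding makes '5.3' compare equal to '5.3.0'; a non-digit suffix on
    a component ('3-beta') is dropped, which is adequate for release tags.
    """
    parts = []
    for piece in version.split(".")[:width]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts += [0] * (width - len(parts))
    return tuple(parts)


def triage(inventory: list, advisories: dict) -> list:
    """Return (slug, finding, detail) triples, most urgent first."""
    findings = []
    for plugin in inventory:
        slug, version = plugin["name"], plugin["version"]
        fixed = advisories.get(slug)
        # Installed release is older than the first fixed one: patch today.
        if fixed and version_tuple(version) < version_tuple(fixed):
            findings.append((slug, "known-vulnerable", f"{version} < first fixed {fixed}"))
        # Any pending update is worth applying; it may carry an undisclosed fix.
        if plugin.get("update") == "available":
            findings.append((slug, "update-available", f"installed {version}"))
        # Inactive code is still reachable on disk; remove it rather than park it.
        if plugin.get("status") == "inactive":
            findings.append((slug, "inactive", "remove if no longer needed"))
    # sorted() is stable, so inventory order is kept within each priority.
    return sorted(findings, key=lambda f: PRIORITY[f[1]])


def triage_json(raw: str, advisories: dict = ADVISORIES) -> list:
    """Convenience wrapper: parse WP-CLI's JSON text and triage it."""
    return triage(json.loads(raw), advisories)


if __name__ == "__main__":
    for slug, finding, detail in triage_json(SAMPLE_INVENTORY_JSON):
        print(f"{finding:17} {slug:22} {detail}")
```

In practice you would pipe the real `wp plugin list --format=json` output into triage_json() from a cron job and page on any "known-vulnerable" line; the same approach works for `wp theme list --format=json`, which uses the same field names.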
Final Word
September showed again how fast WordPress vulnerabilities can pile up. Stay ahead by patching quickly, keeping plugins lean, and monitoring for unusual activity.