WordPress Security Vulnerabilities

October 2025

October 2025 was another active month for WordPress security, with a notable increase in plugin disclosures and renewed exploitation of older flaws. According to multiple vulnerability trackers, more than 470 new vulnerabilities were recorded across plugins and themes during the month. WordPress core itself saw only minor issues, but several third-party components exposed high-risk attack surfaces on thousands of active installations worldwide.

Plugin and Theme Vulnerabilities

The majority of new disclosures this month involved third-party plugins and bundled themes. Notable cases include:

 
Plugin / Theme CVE ID Risk Level Description
Service Finder Bookings CVE-2025-5947 Critical (9.8) Authentication bypass that allows login as any user, including admin. Actively exploited.
Keyy Two-Factor Authentication CVE-2025-10293 High (8.8) Privilege escalation due to missing capability checks. Plugin removed from repository.
Motors Car Dealership & Classified Listings CVE-2025-10494 High (8.1) Unauthenticated high-severity flaw enabling unauthorized actions.
Find and Replace Content CVE-2025-10313 High (7.2) Missing capability checks leading to stored XSS and unintended content replacement.
Core XML-RPC Pingback (legacy) CVE-2025-54352 Medium (3.7) Information disclosure of draft/private post titles on outdated core versions.

Several older vulnerabilities resurfaced in October, particularly in GutenKit and Hunk Companion, which were targeted again on sites where the available patches had never been applied.
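Two of the entries above (Keyy and Find and Replace Content) are the same bug class: a plugin registers an AJAX or form handler and never asks whether the caller is allowed to do what the handler does. Being logged in, or even just reaching the endpoint, is treated as authorization. The PHP below is an added example written for this post, not code from any plugin named on this page; the action name demo_replace, the nonce name and the function names are hypothetical. It places a minimal vulnerable handler beside the hardened form a code reviewer would expect, so the difference is visible line by line.

```php
<?php
/*
 * Added example: the "missing capability check" bug class in a WordPress
 * AJAX handler. Hypothetical plugin; action and nonce names are assumptions.
 */

// --- VULNERABLE: no nonce, no capability check, no input filtering ----------
add_action( 'wp_ajax_demo_replace_vuln', 'demo_replace_vuln' );
// Registering the nopriv variant exposes the handler to anonymous visitors too.
add_action( 'wp_ajax_nopriv_demo_replace_vuln', 'demo_replace_vuln' );

function demo_replace_vuln() {
    global $wpdb;
    $search  = $_POST['search'];
    $replace = $_POST['replace'];
    // Rewrites the body of every post for whoever sends the request:
    // content tampering and, if $replace carries markup, stored XSS site-wide.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
        $search,
        $replace
    ) );
    wp_send_json_success();
}

// --- HARDENED ---------------------------------------------------------------
// Only the authenticated hook is registered; there is no legitimate anonymous use.
add_action( 'wp_ajax_demo_replace', 'demo_replace_safe' );

function demo_replace_safe() {
    // 1. CSRF: the request must carry a nonce minted for this exact action
    //    (wp_create_nonce( 'demo_replace_nonce' ) on the page that issues it).
    check_ajax_referer( 'demo_replace_nonce', 'nonce' );

    // 2. Authorization: a valid session is not a permission. Require the
    //    capability that actually corresponds to rewriting other people's posts.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input handling: unslash, then filter. wp_kses_post() keeps ordinary
    //    post markup but strips script tags and event handlers, so even an
    //    authorized editor cannot use the tool to plant stored XSS.
    $search  = sanitize_text_field( wp_unslash( $_POST['search'] ?? '' ) );
    $replace = wp_kses_post( wp_unslash( $_POST['replace'] ?? '' ) );
    if ( '' === $search ) {
        wp_send_json_error( 'empty search string', 400 );
    }

    global $wpdb;
    $rows = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
        $search,
        $replace
    ) );

    wp_send_json_success( array( 'rows_affected' => (int) $rows ) );
}
```

The nonce and the capability check answer different questions (is this request something the user meant to send, and is this user allowed to do it) and neither substitutes for the other; a handler that has only `check_ajax_referer()` is still exploitable by any subscriber who can obtain a nonce from a page they are allowed to view.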

Risks and Impacts

Attackers continue to target unpatched sites to gain administrative access, inject malicious redirects, or distribute malware through compromised themes and plugins.
The most severe case this month – CVE-2025-5947 – has seen over 13,000 exploitation attempts reported in the wild. These incidents highlight how quickly public proof-of-concepts are weaponized once vulnerabilities are disclosed.

Website owners running outdated or abandoned plugins remain particularly vulnerable to mass exploitation campaigns that automate credential theft, SEO spam injection, and unauthorized user creation.

Recommendations for Site Owners

To minimize exposure:

  1. Update core immediately to WordPress 6.8.3 or later.

  2. Audit all plugins and themes and remove any that are abandoned or unmaintained.

  3. Apply available patches for all affected components listed above.

  4. Review user accounts and roles: remove unused administrator accounts, confirm that every remaining administrator is one you created, and enforce strong authentication.

  5. Check access logs for unusual login activity, especially requests involving the Service Finder or Keyy plugins, and look for new administrator accounts or file changes you cannot account for.

  6. Maintain verified backups before performing large updates.

  7. Use a web application firewall (WAF) or virtual patching solution to block exploitation attempts.
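Recommendations 4 and 5, and the legacy XML-RPC entry in the table, can be partly automated from inside WordPress itself. The must-use plugin below is an added example for this post, not code from Hostgard or from any plugin named here; the file name, the wp-audit log prefix and the audit_hooks_ function names are assumptions. It disables the legacy pingback method, records every failed login with its source address so the log review has a concrete signal, and alerts whenever an account is granted the administrator role, which is the usual follow-up to the authentication-bypass and privilege-escalation flaws listed above.

```php
<?php
/**
 * Plugin Name: Audit hooks (added example)
 *
 * Added example, not from the post or from Hostgard. Save as
 * wp-content/mu-plugins/audit-hooks.php. Must-use plugins load automatically
 * and cannot be deactivated from the dashboard, so a rogue administrator
 * session cannot simply switch the control off.
 */

// Reject XML-RPC pingbacks outright (the legacy surface behind CVE-2025-54352).
// If nothing on the site uses XML-RPC at all, the stronger option is:
// add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// One log line per failed login (user name + source IP), which is easier to
// correlate than a burst of POSTs to wp-login.php in the web server log.
add_action( 'wp_login_failed', function ( string $username ): void {
    error_log( sprintf(
        'wp-audit: failed login user=%s ip=%s',
        audit_hooks_clean( $username ),
        audit_hooks_clean( $_SERVER['REMOTE_ADDR'] ?? 'unknown' )
    ) );
} );

// set_user_role fires when a role is assigned (including on user creation);
// add_user_role fires when an extra role is added to an existing account.
add_action( 'set_user_role', 'audit_hooks_admin_grant', 10, 3 );
add_action( 'add_user_role', 'audit_hooks_admin_grant', 10, 2 );

function audit_hooks_admin_grant( int $user_id, string $role, array $old_roles = array() ): void {
    if ( 'administrator' !== $role ) {
        return;
    }
    $user  = get_userdata( $user_id );
    $actor = wp_get_current_user();
    $msg   = sprintf(
        'wp-audit: administrator role granted to %s (ID %d) by %s from ip=%s',
        $user ? audit_hooks_clean( $user->user_login ) : 'unknown',
        $user_id,
        // No session means WP-CLI, cron, or an unauthenticated request such as
        // an exploited auth-bypass endpoint: worth a look either way.
        $actor->exists() ? audit_hooks_clean( $actor->user_login ) : 'no session',
        audit_hooks_clean( $_SERVER['REMOTE_ADDR'] ?? 'unknown' )
    );
    error_log( $msg );
    wp_mail( get_option( 'admin_email' ), 'New administrator on ' . home_url(), $msg );
}

// Strip control characters so attacker-controlled strings cannot forge
// extra lines in the log.
function audit_hooks_clean( string $value ): string {
    return preg_replace( '/[\x00-\x1F\x7F]/', '', $value );
}
```

This is a detection and surface-reduction aid, not a substitute for step 3: a site still running a vulnerable plugin version remains exploitable until that plugin is updated, disabled or removed, and the alert only tells you that the follow-up (a new administrator) has already happened.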

Conclusion

While the WordPress core remains stable, plugin ecosystems continue to be the primary vector for exploitation. Regular maintenance, disciplined update routines, and layered protection remain the most reliable methods to preserve site integrity and uptime.

Simplified Version

October saw many new plugin and theme issues. Core updates were minor. Most risk comes from third-party components that aren’t updated quickly.

WordPress Core Vulnerabilities

  • WordPress 6.8.3 fixed two medium-severity issues: one data exposure bug and one XSS in menus.

  • If you’re on an older version, update to 6.8.3 or later.

Plugin and Theme Vulnerabilities

High-risk items to check first:

  • Service Finder Bookings (CVE-2025-5947): authentication bypass. Actively exploited.

  • Keyy Two-Factor Authentication (CVE-2025-10293): privilege escalation. Removed from the repo.

  • Motors Car Dealership & Classified Listings (CVE-2025-10494): unauthenticated actions.

  • Find and Replace Content (CVE-2025-10313): stored XSS via missing capability checks.

  • Legacy XML-RPC pingback (CVE-2025-54352): info disclosure on old WordPress versions.

Note: Older flaws in GutenKit and Hunk Companion are being targeted again where sites never applied updates.

Risks and Impacts

  • Attackers target outdated plugins to gain admin access, inject redirects, create rogue users, or spread malware.

  • The Service Finder issue has widespread, automated probing. Unpatched sites are easy targets.

Recommendations for Site Owners

  1. Update core to 6.8.3+.

  2. Patch or remove vulnerable plugins/themes listed above. If no fix, disable.

  3. Audit users and roles. Remove unused admins.

  4. Check logs for odd logins, new admin accounts, or unexpected file changes.

  5. Back up and verify you can restore.

  6. Reduce bloat. Remove unused plugins/themes.

  7. Use a WAF or virtual patching to block known exploits.

Conclusion

Core is stable. Most risk is from third-party components. Stay current, monitor, and keep only what you need. This keeps sites available and limits exposure.


Albert Abdul-Vakhed

Founder of Hostgard. When he’s not obsessing over server performance and digital security, he’s probably writing blog posts like this one to help creators build smarter, faster, and reliable websites.


About the Simplified Version

This blog includes a Simplified Version to support readers who prefer:

  • Shorter paragraphs

  • Bullet points and summaries

  • A quicker, easier reading experience

Whether you’re short on time, feeling mentally tired, or just prefer a more direct format — this version is here to help.

Because good information should be easy for everyone to access.