WordPress Security Vulnerabilities

November 2025

November delivered another round of WordPress security concerns, mostly driven by plugin issues rather than core itself. Several high-impact flaws surfaced this month, some already patched, others still outstanding, leaving many sites at risk if updates aren’t applied quickly. This summary gives you a focused breakdown of what matters most so you can secure your environment without digging through dozens of individual advisories.

WordPress Core: Quick Update

No new core vulnerabilities were disclosed in November. The most recent security release remains WordPress 6.8.3, which delivered REST API hardening and minor authorization fixes. If you’re not on 6.8.3 yet, now is the time: future security fixes will land on this branch.

Big Plugin & Theme Alerts

1. W3 Total Cache (CVE-2025-9501) — Critical

A dangerous command-injection flaw affects all versions prior to 2.8.13, enabling unauthenticated attackers to execute arbitrary PHP on vulnerable sites simply by posting crafted comments. This is a full site-takeover scenario.

Fix: Update to 2.8.13 or newer immediately.

2. King Addons for Elementor (CVE-2025-6327 & CVE-2025-6325) — Critical

Two separate issues hit this Elementor add-on:

  • Unauthenticated file upload allowing attackers to plant malicious files.

  • Privilege escalation that lets attackers create administrator accounts under certain configurations.

Both are extremely serious.

Fix: Patch to 51.1.37+ and audit your admin accounts and upload folders.
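The two follow-up checks recommended above (review administrator accounts, inspect upload folders) are easy to script. The example below is added here and is not Hostgard's code or part of any plugin; it assumes WP-CLI is available (`wp user list --role=administrator --format=json` for the account list) and that the uploads tree is readable from the shell. The sample user listing and sample file names are constructed so the script runs offline; replace them with your own `wp` output and your real `wp-content/uploads` path. The same check applies to the corresponding King Addons item in the simplified version further down.

```python
import json
import tempfile
from pathlib import Path

# Extensions a typical PHP-enabled web server hands to the PHP interpreter.
# Apache's multi-extension matching means "photo.jpg.php" still runs, so every
# dot-separated suffix of a file name is checked, not only the last one.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def is_executable_name(filename: str) -> bool:
    """True if any extension component of the file name is a PHP extension."""
    suffixes = filename.lower().split(".")[1:]  # drop the base name
    return any(s in PHP_EXTENSIONS for s in suffixes)


def find_executable_uploads(uploads_root: str) -> list:
    """Walk an uploads tree and return relative paths of files that would run as PHP.

    Nothing under wp-content/uploads should be server-side code; any hit is
    either a misconfiguration or a planted file and deserves a manual look.
    """
    root = Path(uploads_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and is_executable_name(p.name)
    )


def unexpected_admins(user_list_json: str, approved_logins: set) -> list:
    """Compare the administrators WordPress reports against the logins you expect.

    user_list_json is the output of:
      wp user list --role=administrator \
         --fields=ID,user_login,user_email,user_registered --format=json
    """
    users = json.loads(user_list_json)
    return sorted(u["user_login"] for u in users if u["user_login"] not in approved_logins)


# --- Constructed sample data so the script runs offline ----------------------

# Constructed user listing: logins, addresses and dates are placeholders.
SAMPLE_ADMIN_LIST = json.dumps([
    {"ID": 1, "user_login": "site_owner", "user_email": "owner@example.com",
     "user_registered": "2023-01-10 09:00:00"},
    {"ID": 47, "user_login": "wp_sync_7721", "user_email": "sync@example.net",
     "user_registered": "2025-11-18 03:14:07"},
])
# The logins you actually issued; anything else is worth investigating.
APPROVED_ADMINS = {"site_owner"}


def build_sample_uploads() -> str:
    """Create a throwaway uploads tree with constructed file names and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-sample-"))
    month = root / "2025" / "11"
    month.mkdir(parents=True)
    for name in ("banner.jpg", "invoice.pdf", "photo.jpg.php", "cache.phtml"):
        (month / name).write_text("placeholder content\n")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_uploads()
    print("Executable files under uploads:", find_executable_uploads(sample_root))
    print("Administrators not on the approved list:",
          unexpected_admins(SAMPLE_ADMIN_LIST, APPROVED_ADMINS))
```

On a real site, point `find_executable_uploads` at `wp-content/uploads` and feed `unexpected_admins` the live WP-CLI output; an administrator you did not create, or any `.php`/`.phtml` file inside uploads, is the kind of artefact these two flaws leave behind and should be examined before it is removed.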

3. Simple User Capabilities (CVE-2025-12158) — Critical & Unpatched

This role-management plugin contains an authorization bypass that lets outsiders promote themselves to admin.

The plugin currently has no fix and was pulled from the WordPress repository.

Fix: Deactivate and remove this plugin entirely.

4. Bold Page Builder (CVE-2025-66057) — High

Versions ≤ 5.5.2 allow stored XSS through contributor-level input. Malicious scripts can persist in content and execute for visitors and admins.

Fix: Update to 5.5.3+.

5. MediCenter Theme — High

A PHP object-injection flaw in outdated builds of this widely used healthcare theme may allow code execution depending on server configuration.

Fix: Update to the latest vendor release.

Plugins and Themes: Another Heavy Month

Security intelligence feeds continue to show substantial activity:

  • SolidWP: 199 new vulnerabilities in November (197 plugins, 2 themes), with nearly half unpatched at disclosure.

  • Wordfence: Dozens of additional plugin vulnerabilities surfaced, including issues in widely installed form builders, media managers, and Elementor-adjacent tools.

Once again, plugins account for the overwhelming majority of WordPress attack surface.

Trend Check

Patchstack’s broader ecosystem reporting reinforces the trend: the majority of new WordPress vulnerabilities in 2025 remain plugin-driven, with many exploitable without authentication. W3 Total Cache and King Addons underscore that even large or trusted plugins can introduce high-risk exposure.

What This Means for Site Owners

November shows the same pattern as previous months: plugins remain the primary source of security risk, and attackers pivot toward newly disclosed flaws very quickly. For most site owners, the biggest protective step is simply staying current:

  • Remove unsupported or abandoned plugins.

  • Update immediately when critical flaws are announced.

  • Use a WAF or virtual patching layer for essential components that don’t have updates yet.

Outdated plugins are still the number one cause of compromises.

Final Word: Stay Sharp, Stay Secure

  • Update WordPress core to 6.8.3 if you haven’t already.

  • Patch or uninstall W3 Total Cache (≤ 2.8.12), King Addons (≤ 51.1.36), Bold Page Builder (≤ 5.5.2), and remove Simple User Capabilities entirely.

  • Review plugin and theme inventories and drop anything unused.

  • Apply WAF/virtual patching if you must keep unpatched tools online.

  • Keep your update cycle tight. Attackers move fast.
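The checklist above (and the shorter "Final Notes" list in the simplified version below) boils down to comparing installed versions against the fixed versions named in this post. The following script is an added example, not Hostgard's tooling: it takes the output of `wp plugin list --format=json` and `wp core version`, applies the thresholds from this summary, and lists what still needs action. The plugin slugs used as dictionary keys are assumptions (confirm them against your own `wp plugin list` output), and the sample inventory and core version are constructed so the script runs offline.

```python
import json

# Affected ranges and fixed versions as stated in this summary. The slugs (the
# "name" column WP-CLI prints) are assumptions; confirm them against your own
# `wp plugin list` output before relying on a match.
ADVISORIES = {
    "w3-total-cache": {"fixed": "2.8.13", "ref": "CVE-2025-9501", "severity": "critical"},
    "king-addons": {"fixed": "51.1.37", "ref": "CVE-2025-6327, CVE-2025-6325", "severity": "critical"},
    "bold-page-builder": {"fixed": "5.5.3", "ref": "CVE-2025-66057", "severity": "high"},
    "simple-user-capabilities": {"fixed": None, "ref": "CVE-2025-12158", "severity": "critical"},
}
CORE_MINIMUM = "6.8.3"


def parse_version(version: str) -> tuple:
    """'2.8.13' -> (2, 8, 13). Trailing tags such as '5.5.2-beta' are ignored."""
    numbers = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        numbers.append(int(digits) if digits else 0)
    return tuple(numbers)


def version_lt(a: str, b: str) -> bool:
    """Numeric, segment-wise comparison; '2.8' is treated as '2.8.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def triage(core_version: str, plugin_list_json: str) -> list:
    """Return (component, installed version, severity, action) for every open item.

    plugin_list_json is the output of `wp plugin list --format=json`;
    core_version is the output of `wp core version`.
    """
    findings = []
    if version_lt(core_version, CORE_MINIMUM):
        findings.append(("core", core_version, "security release", f"update to {CORE_MINIMUM}"))
    for plugin in json.loads(plugin_list_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory is None:
            continue
        state = plugin.get("status", "unknown")
        if advisory["fixed"] is None:
            action = f"no fix available ({advisory['ref']}); deactivate and delete"
        elif version_lt(plugin["version"], advisory["fixed"]):
            action = f"update to {advisory['fixed']} ({advisory['ref']})"
        else:
            continue  # installed version is already at or past the fix
        # An inactive copy still sits on disk: remove it rather than leaving it disabled.
        findings.append((plugin["name"], f"{plugin['version']} ({state})",
                         advisory["severity"], action))
    return findings


# --- Constructed sample inventory so the script runs offline -----------------
SAMPLE_CORE_VERSION = "6.8.2"  # constructed; one release behind the 6.8.3 minimum
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "w3-total-cache", "status": "active", "update": "available", "version": "2.8.12"},
    {"name": "king-addons", "status": "active", "update": "none", "version": "51.1.37"},
    {"name": "bold-page-builder", "status": "inactive", "update": "available", "version": "5.5.2"},
    {"name": "simple-user-capabilities", "status": "active", "update": "none", "version": "1.0"},
    {"name": "example-plugin", "status": "active", "update": "none", "version": "3.2.1"},
])  # every version string here is a placeholder, not a real release number

if __name__ == "__main__":
    for component, installed, severity, action in triage(SAMPLE_CORE_VERSION, SAMPLE_PLUGIN_LIST):
        print(f"[{severity}] {component} {installed}: {action}")
```

Run it against live data with something like `wp plugin list --format=json > plugins.json` and `wp core version`, then pass those values to `triage`. Anything it prints is an item from this post's checklist that is still open on that site; an empty result means the versions named here are all satisfied, which does not cover the other November disclosures mentioned in the SolidWP and Wordfence feeds.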

Simplified Version

November brought several important security problems in WordPress plugins and themes. These issues can allow attackers to upload files, change accounts, or take control of a site. This summary highlights the main risks in a clear and direct way so anyone can follow it.

WordPress Core

There were no new security problems in the core WordPress software this month. The most recent secure version is WordPress 6.8.3, which includes small fixes to the REST API and access controls. If your site is not on 6.8.3 yet, update now.

Key Plugin and Theme Risks

1. W3 Total Cache — Critical

Older versions before 2.8.13 contain a serious flaw. Attackers can make a comment that triggers code execution on the site. This can lead to full control of the website.

Fix: Update to version 2.8.13 or newer.

2. King Addons for Elementor — Critical

Two serious issues affect older versions. Attackers can upload files without logging in. In specific setups, they can also create administrator accounts.

Fix: Update to version 51.1.37 or newer. Check your list of administrator accounts and inspect upload folders.

3. Simple User Capabilities — Critical, No Fix

This role management plugin allows outsiders to give themselves administrator rights. It still has no fix and was removed from the official plugin directory.

Fix: Remove this plugin completely.

4. Bold Page Builder — High

Versions up to 5.5.2 allow stored cross-site scripting. Attackers can insert harmful JavaScript into content. This can affect visitors and administrators.

Fix: Update to version 5.5.3 or newer.

5. MediCenter Theme — High

Older versions of this theme contain a PHP object injection issue. Under some configurations, this can allow code execution.

Fix: Update to the latest version from the theme developer.

General Overview for November

Security reports show close to two hundred new plugin and theme vulnerabilities this month. Many were patched quickly, but a significant number were not. Plugins continue to be the most common source of security problems in WordPress.

What Site Owners Should Do

Updates remain the strongest protection. Risk mainly comes from outdated or abandoned plugins. Removing unused tools and keeping the rest updated greatly reduces exposure. If you must use a plugin that has not been fixed yet, consider using a web application firewall to reduce the chance of exploitation.

Final Notes

  • Install WordPress 6.8.3 if you have not already.

  • Update or remove outdated versions of W3 Total Cache, King Addons, Bold Page Builder, and Simple User Capabilities.

  • Review your plugin and theme list and remove anything unnecessary.

  • Apply protection layers such as a WAF for items that do not have updates available.


Albert Abdul-Vakhed

Founder of Hostgard. When he’s not obsessing over server performance and digital security, he’s probably writing blog posts like this one to help creators build smarter, faster, and reliable websites.


About the Simplified Version

This blog includes a Simplified Version to support readers who prefer:

  • Shorter paragraphs

  • Bullet points and summaries

  • A quicker, easier reading experience

Whether you’re short on time, feeling mentally tired, or just prefer a more direct format — this version is here to help.

Because good information should be easy for everyone to access.