WordPress Security Vulnerabilities
June 2025
As the world’s most popular CMS, WordPress continues to be a prime target for attackers. June 2025 was no exception, with several notable vulnerabilities disclosed in widely used themes and plugins. Website administrators should patch quickly and then verify that their sites were not compromised before the patch landed. Here is a roundup of the most critical WordPress-related security vulnerabilities identified this month.
1. Critical RCE Vulnerability in Bricks Builder (<= 1.9.6.1)
Severity: ★★★★★ (9.8 Critical)
A critical Remote Code Execution (RCE) flaw was discovered in the popular Bricks Builder theme, allowing unauthenticated attackers to execute arbitrary PHP code on vulnerable installations.
The vulnerability stemmed from insecure handling of user-supplied input reaching the theme's REST API endpoints. Because no authentication is required, successful exploitation amounts to full site takeover.
Mitigation: Update to version 1.9.6.2 or later immediately.
More info: Wordfence disclosure
2. Motors Theme Admin Takeover Vulnerability (CVE‑2025‑4322)
Severity: ★★★★★ (9.8 Critical)
A severe flaw in the Motors WordPress theme (versions ≤ 5.6.67) allowed unauthenticated attackers to reset the password of any user, including administrators, by abusing a broken password reset mechanism.
Details: Attackers sent malformed hash_check parameters to the theme's custom login and password reset feature, bypassing the reset-token check and hijacking administrator accounts. Exploitation spiked in early June, with over 23,000 exploit attempts tracked by Wordfence.
Fix: Update to version 5.6.68 or newer immediately.
Audit: Because this flaw was exploited in the wild before many sites were patched, updating alone is not enough. Check for unexpected administrator accounts, PHP files dropped into wp-content/uploads or other upload locations, and legitimate users who can no longer log in (a sign their password was reset by an attacker).
3. Backdoor Risk via Abandoned Plugin – ReviewX
Severity: ★★★★☆ (8.2 High)
The once-popular ReviewX plugin (used for WooCommerce product reviews) was reported to contain code that allows the creation of administrator users through a hidden API endpoint. The plugin has been removed from the WordPress repository, which suggests either abuse of that endpoint or a hijack of the plugin by a malicious actor; an abandoned plugin that is no longer in the repository will also never receive a fix.
Action: Uninstall ReviewX immediately and check your admin user list for unauthorized accounts.
More info: WPScan advisory
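The audit steps above for the Motors theme (unexpected administrators, malicious uploads, lockouts) and for ReviewX (unauthorized admin accounts) are the same post-incident checks, so here is one script that covers both. It is an added example, not code from the original post, the Motors theme or ReviewX. It assumes a standard WordPress directory layout under a site root and that the administrator list is exported with WP-CLI using the command shown in the comments; the sample CSV and file tree at the bottom are constructed purely for an offline demonstration.

```shell
#!/bin/sh
# Added audit example (not from the post or either project). Assumes a standard
# WordPress layout under SITE_ROOT and WP-CLI for the admin export; the demo data at
# the bottom is constructed, not taken from any real site.
set -eu

# Unexpected administrators.
#   $1 = CSV produced by:
#        wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
#   $2 = comma-separated logins you know should be administrators.
# Prints "ID<TAB>login<TAB>registered" for every admin not on that allow-list, so a
# freshly registered account you did not create stands out by its date.
find_unexpected_admins() {
    awk -F, -v known=",$2," '
        NR > 1 && index(known, "," $2 ",") == 0 { print $1 "\t" $2 "\t" $3 }
    ' "$1"
}

# PHP under wp-content/uploads is almost always a dropped webshell; the directory
# should contain media only. $1 = site root.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null | sort
}

# PHP files modified in the last $2 days anywhere under $1: catches backdoors written
# into core, theme or plugin trees during the exploitation window. Pair the output with
#   wp core verify-checksums        and        wp plugin verify-checksums --all
# to tell legitimate updates apart from tampering.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# --- constructed demonstration data (hypothetical site, hypothetical accounts) ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads/2025/06" "$demo_root/wp-content/themes/motors"
printf '<?php\n' > "$demo_root/wp-content/uploads/2025/06/image.php"   # webshell-like
printf 'jpeg'   > "$demo_root/wp-content/uploads/2025/06/image.jpg"   # normal media
printf '<?php\n' > "$demo_root/wp-content/themes/motors/functions.php"
printf 'ID,user_login,user_registered\n1,alice,2021-03-01 10:00:00\n52,wp_support,2025-06-04 02:13:41\n' \
    > "$demo_root/admins.csv"

echo "Unexpected admins (ID, login, registered):"
find_unexpected_admins "$demo_root/admins.csv" "alice"
echo "PHP files in uploads:"
find_php_in_uploads "$demo_root"
echo "PHP files changed in the last 2 days:"
recently_modified_php "$demo_root" 2

rm -rf "$demo_root"
```

Run it from the site root after exporting the admin list with WP-CLI; a non-empty result from any of the three functions is a reason to treat the site as compromised rather than merely vulnerable, since all three flaws above let an attacker act before the patch is applied.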
4. Privilege Escalation in GiveWP Donations Plugin
Severity: ★★★★☆ (7.6 High)
GiveWP, a donation plugin widely used by non-profits, had a privilege escalation issue that allowed low-privileged authenticated users to raise their own access to administrator.
Fixed in: Version 2.36.3
More info: GiveWP changelog
5. Unauthenticated Data Leak – WP Job Manager
Severity: ★★★☆☆ (6.5 Medium)
An information disclosure vulnerability was found in WP Job Manager (versions prior to 1.41.1): REST API queries that should have required authentication returned user-submitted job listings and applicant data to anyone.
Impact: Applicant data is personal data, so exposure of this kind is a privacy breach and, for EU data subjects, a likely GDPR violation.
Fix: Upgrade to version 1.41.1 or later.
More info: Patchstack advisory
Conclusion
The vulnerabilities revealed in June 2025 serve as a clear reminder: WordPress sites are only as secure as their weakest plugin, theme, or configuration. From critical theme flaws like the Motors vulnerability to plugin backdoors and data leaks, the attack surface is wide—and actively targeted.
Keeping your site safe means more than updating WordPress core; this month's flaws were all in themes and plugins. You need to:
Regularly update all themes and plugins
Remove unused or abandoned software
Monitor for suspicious activity
Use a web application firewall (WAF)
Perform regular security audits
Proactive maintenance is not optional—it’s your best defense.
Hey there! If you run a WordPress site, read this now. June 2025 brought some big security issues. Hackers are targeting weak plugins and themes. This guide will tell you what happened and what to fix – FAST.
1. Bricks Builder – Big RCE Flaw (v1.9.6.1 or lower)
Danger: Hackers can run any code and take over your site
No login needed
Fix: Update to v1.9.6.2+
2. Motors Theme – Total Admin Takeover (v5.6.67 or lower)
Problem: Anyone can reset your admin password
Exploited in real attacks
Fix: Update to v5.6.68 ASAP
Check for weird admin accounts
3. ReviewX Plugin – Backdoor Risk
Plugin lets outsiders create admin users through a hidden API
Plugin is abandoned
Fix: Uninstall it immediately
4. GiveWP Plugin – User Privilege Escalation
Low-level users could become admins
Plugin is for donations
Fix: Update to v2.36.3
5. WP Job Manager – Data Leak
Exposed job listings + applicant data
Could cause GDPR issues
Fix: Update to v1.41.1
What You Should Do Right Now
Here’s your quick to-do list:
Update all plugins, themes, and core
Remove unused or old plugins
Use a WAF like Sucuri
Check your user list for strange accounts
Turn on two-factor authentication (2FA)
TL;DR – Bottom Line
June was rough for WordPress security. Update your stuff. Check for hacks. Don’t wait.
Need expert help securing your WordPress environment?