
3 Urgent WordPress Vulnerabilities (Summer 2025)
Staying on top of WordPress updates is more important than ever. In 2025, plugin and theme vulnerabilities are still one of the biggest security threats to websites. At WHC, we closely monitor the WordPress ecosystem to help keep your site protected.
This summer, three major security flaws were uncovered, impacting more than 1.2 million websites worldwide. These issues involve one popular theme and two commonly used plugins. While patches are available, any sites that haven’t updated yet are in serious danger.
Let’s dive into what’s going on and how to fix it fast.
1. Post SMTP Mailer Plugin (CVE‑2025‑24000)
- Affected versions: Up to 3.2.4
- Patched in: Version 3.3.0
- Active installs: Around 400,000
- Severity (CVSS): 8.8 / 10 (High)
What’s the problem?
A major flaw in the plugin’s REST API lets any registered user, including basic subscribers, view private email content and even trigger admin password resets. That’s a potential backdoor to full site control.
What to do:
Update to version 3.3.0 or later right away. Not using this plugin? Delete it to cut down your security risks.
2. Forminator Plugin (CVE‑2025‑6463)
- Affected versions: Up to 1.44.2
- Patched in: Version 1.44.3
- Active installs: 600,000+
- Severity (CVSS): 8.8 / 10 (High)
What’s the problem?
A vulnerability lets attackers send fake form submissions that can delete critical files from your server, like wp-config.php. That could bring your site down and open it up to a full takeover.
What to do:
Upgrade to version 1.44.3 or higher ASAP. Also, check your file permissions and disable any file deletion options that aren’t absolutely necessary.
3. Motors Theme (CVE‑2025‑4322)
- Affected versions: Up to 5.6.67
- Patched in: Version 5.6.68
- Active installs: Over 250,000
- Severity (CVSS): 9.8 / 10 (Critical)
What’s the problem?
A bug in the password reset feature can let anyone gain full admin access. No login needed. It’s already being exploited in the wild, so this one’s very serious.
What to do:
Update the theme to version 5.6.68 or later right away. Not sure what version you’re using? Talk to your developer or hosting provider immediately.
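To answer "what version am I running?" for all three components at once, here is an added example (not WHC's or the vendors' code) that reads the version headers under a wp-content directory and compares them with the patched versions listed above. The directory slugs `post-smtp`, `forminator` and `motors` and the sample file names are assumptions.

```python
import re, tempfile
from pathlib import Path

# Fixed versions and CVE ids are from the article; the directory slugs are assumptions.
PATCHED = {
    ("plugins", "post-smtp"): ("3.3.0", "CVE-2025-24000"),
    ("plugins", "forminator"): ("1.44.3", "CVE-2025-6463"),
    ("themes", "motors"): ("5.6.68", "CVE-2025-4322"),
}
# Header line shape used by WordPress, e.g. " * Version: 3.2.4"
VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def as_tuple(version):
    """'3.3' -> (3, 3, 0, 0), so '3.3' and '3.3.0' compare equal."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:4]
    return tuple(nums + [0] * (4 - len(nums)))

def installed_version(kind, path):
    """Themes: style.css. Plugins: the top-level PHP file with 'Plugin Name:'."""
    files = [path / "style.css"] if kind == "themes" else sorted(path.glob("*.php"))
    for f in files:
        head = f.read_text(errors="replace")[:8192] if f.is_file() else ""
        match = VERSION.search(head)
        if match and (kind == "themes" or "Plugin Name:" in head):
            return match.group(1)
    return None

def audit(wp_content):
    """Return {slug: (installed, fixed, cve, status)} for copies on disk, active or not."""
    report = {}
    for (kind, slug), (fixed, cve) in PATCHED.items():
        path = Path(wp_content) / kind / slug
        if not path.is_dir():
            continue  # component is not installed
        found = installed_version(kind, path)
        status = ("UNKNOWN" if found is None else
                  "VULNERABLE" if as_tuple(found) < as_tuple(fixed) else "patched")
        report[slug] = (found, fixed, cve, status)
    return report

def demo():
    """Constructed sample tree: one outdated plugin, one patched theme."""
    root = Path(tempfile.mkdtemp())
    sample = {"plugins/post-smtp/main.php": "<?php\n/*\n * Plugin Name: Post SMTP\n * Version: 3.2.4\n */\n",
              "themes/motors/style.css": "/*\nTheme Name: Motors\nVersion: 5.6.68\n*/\n"}
    for rel, text in sample.items():
        (root / rel).parent.mkdir(parents=True)
        (root / rel).write_text(text)
    return audit(root)
```

Point `audit()` at a site's real wp-content directory to check it. The comparison ignores pre-release suffixes such as `-beta`, so review those by hand.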
Final tips to stay safe
If your site uses any of these tools, now’s the time to take action. These security holes can lead to hacked sites, data leaks, and much worse.
Here’s how to protect your WordPress website:
- ✅ Keep plugins, themes, and core files updated
- ✅ Remove anything unused or outdated
- ✅ Run regular backups
- ✅ Use strong, unique admin passwords
- ✅ Activate a Web Application Firewall (WAF)
At WHC, we’re here to help. Our Managed WordPress Hosting, malware scanning, and 24/7 support are designed to keep your website secure and running smoothly.
Need help? Reach out to our team or check out our WordPress security services.