3 Urgent WordPress Vulnerabilities (Summer 2025)


Staying on top of WordPress updates is more important than ever. In 2025, plugin and theme vulnerabilities are still one of the biggest security threats to websites. At WHC, we closely monitor the WordPress ecosystem to help keep your site protected.

This summer, three major security flaws were uncovered, impacting more than 1.2 million websites worldwide. These issues involve one popular theme and two commonly used plugins. While patches are available, any sites that haven’t updated yet are in serious danger.

Let’s dive into what’s going on and how to fix it fast.

1. Post SMTP Mailer Plugin (CVE‑2025‑24000)

  • Affected versions: Up to 3.2.4
  • Patched in: Version 3.3.0
  • Active installs: Around 400,000
  • Severity (CVSS): 8.8 / 10 (High)

What’s the problem?
A major flaw in the plugin’s REST API lets any registered user, including basic subscribers, view private email content and even trigger admin password resets. That’s a potential backdoor to full site control.

What to do:
Update to version 3.3.0 or later right away. Not using this plugin? Delete it to cut down your security risks.

2. Forminator Plugin (CVE‑2025‑6463)

  • Affected versions: Up to 1.44.2
  • Patched in: Version 1.44.3
  • Active installs: 600,000+
  • Severity (CVSS): 8.8 / 10 (High)

What’s the problem?
A vulnerability lets attackers send fake form submissions that can delete critical files from your server, like wp-config.php. That could bring your site down and open it up to a full takeover.

What to do:
Upgrade to version 1.44.3 or higher ASAP. Also, check your file permissions and disable any file deletion options that aren’t absolutely necessary.

3. Motors Theme (CVE‑2025‑4322)

  • Affected versions: Up to 5.6.67
  • Patched in: Version 5.6.68
  • Active installs: Over 250,000
  • Severity (CVSS): 9.8 / 10 (Critical)

What’s the problem?
A bug in the password reset feature can let anyone gain full admin access. No login needed. It’s already being exploited in the wild, so this one’s very serious.

What to do:
Update the theme to version 5.6.68 or later right away. Not sure what version you’re using? Talk to your developer or hosting provider immediately.

Final tips to stay safe

If your site uses any of these tools, now’s the time to take action. These security holes can lead to hacked sites, data leaks, and much worse.
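To check a site against the three fixed versions listed above, the added example below (not WHC's own code) audits the JSON inventory that WP-CLI prints with `wp plugin list --format=json` and `wp theme list --format=json`. The slugs `post-smtp`, `forminator` and `motors` are assumptions about the directory names, and the sample inventories are constructed.

```python
import json
import re

# Fixed-in versions come from the advisory above. The slugs (directory names
# as WP-CLI reports them) are assumptions; adjust them to match your install.
FIXED_IN = {
    ("plugin", "post-smtp"): ("CVE-2025-24000", "3.3.0"),
    ("plugin", "forminator"): ("CVE-2025-6463", "1.44.3"),
    ("theme", "motors"): ("CVE-2025-4322", "5.6.68"),
}

def parse_version(text):
    """'1.44.2' -> (1, 44, 2); any '-suffix' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def is_older(installed, fixed):
    """Numeric, zero-padded comparison: '3.3' equals '3.3.0', '1.5' is older
    than '1.44'. An empty or unparseable version counts as older (fail closed)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(kind, inventory_json):
    """Return one finding per installed component below its fixed version."""
    findings = []
    for item in json.loads(inventory_json):
        match = FIXED_IN.get((kind, item.get("name")))
        installed = str(item.get("version") or "")
        if match and is_older(installed, match[1]):
            findings.append({"kind": kind, "name": item["name"], "cve": match[0],
                             "installed": installed, "fixed_in": match[1],
                             "status": item.get("status", "unknown")})
    return findings

# Constructed sample inventories (not real scan output).
SAMPLE_PLUGINS = """[
  {"name": "post-smtp",  "status": "active",   "version": "3.2.4"},
  {"name": "forminator", "status": "inactive", "version": "1.44.3"},
  {"name": "akismet",    "status": "active",   "version": "5.3"}
]"""
SAMPLE_THEMES = """[
  {"name": "motors", "status": "active", "version": "5.6.67"}
]"""

if __name__ == "__main__":
    for f in audit("plugin", SAMPLE_PLUGINS) + audit("theme", SAMPLE_THEMES):
        print(f"{f['kind']} {f['name']} {f['installed']} ({f['status']}): "
              f"{f['cve']}, update to {f['fixed_in']} or later")
```

Inactive components are reported too, since the advice above is to delete anything you are not using.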

Here’s how to protect your WordPress website:

  • ✅ Keep plugins, themes, and core files updated
  • ✅ Remove anything unused or outdated
  • ✅ Run regular backups
  • ✅ Use strong, unique admin passwords
  • ✅ Activate a Web Application Firewall (WAF)

At WHC, we’re here to help. Our Managed WordPress Hosting, malware scanning, and 24/7 support are designed to keep your website secure and running smoothly.

Need help? Reach out to our team or check out our WordPress security services.



About the author: Daniel Bedard

As WHC’s Content Writer, Dan spends much of his time click-clacking on his keyboard. Outside of work, he performs music and comedy, often pondering the crushing weight of existence.
