
WordPress vulnerability & patch roundup: September 2025

September saw a steady stream of WordPress core, plugin and theme vulnerabilities — some critical, some with no fixes yet. If you run a WordPress site, this is your prompt to review updates and tighten your defences to protect revenue, reputation and SEO.


What’s going on?

Attackers routinely scan the web for known weaknesses. When popular plugins or themes publish a security fix, criminals quickly try to exploit sites that haven’t updated. This month’s issues include SQL injection (data theft or full compromise), PHP object injection (remote code execution), cross-site scripting (malicious scripts in visitors’ browsers) and access control flaws (unauthorised changes).


Headline risks to prioritise

  • The Events Calendar — Critical SQL injection. Update to 6.15.1.1+.
  • Ninja Forms — Critical PHP object injection. Update to 3.11.1+.
  • Download Manager — High-risk unauthenticated XSS. Update to 3.3.24+.
  • Tutor LMS — High-risk SQL injection. Update to 3.8.0+.
  • Import any XML, CSV or Excel File to WordPress — High-risk arbitrary file upload. Update to 3.9.4+.


Items with no patch available (consider disabling)

  • All in One SEO — Sensitive data exposure & broken access control (no fix yet).
  • Sticky Header Effects for Elementor — Broken access control (no fix yet).
  • TI WooCommerce Wishlist — Broken access control (no fix yet).
  • 3D FlipBook, Jupiter X Core, Getwid, Image Hover Effects for Elementor Addon, Perfect Brands for WooCommerce, Better Find and Replace – AI-Powered Suggestions — various issues (no fixes yet).

If a plugin you rely on has no patch, weigh up temporary deactivation or an alternative. A web application firewall (WAF) can provide virtual patching to block known exploit patterns while you plan next steps.


WordPress core

Two medium-risk issues — Sensitive Data Exposure and XSS — have been disclosed without fixes at the time of writing. Limit user roles to the minimum required, monitor for updates, and harden authentication (MFA, strong passwords, least privilege).


Themes worth updating

  • OceanWP — Settings change issue. Update to 4.1.2+.
  • Sydney — Broken access control. Update to 2.57+.
  • ColorWay, Themia Lite, ConsultStreet, SoftMe — issues reported with no current fix; review usage and consider alternatives.


Business impact (plain English)

  • Trust & brand: Malware and spam damage credibility and conversion rates.
  • SEO: Search engines can flag or demote infected sites.
  • Compliance: Data exposure (e.g. via SQL injection) risks fines and notifications.
  • Costs: Outages and clean-ups disrupt sales and waste internal time.


How to recognise trouble?

  • Unexpected redirects, pop-ups, or injected ads.
  • Admin users you don’t recognise, or email alerts about settings changing.
  • Spike in server resources or unexplained outbound traffic.
  • Search results showing spam pages or warnings.


Prevention & resolution checklist

  1. Update now: Prioritise the critical/high items above, then work through medium-risk updates. Use managed updates to keep pace.
  2. Remove or replace unpatched plugins/themes: If there’s no fix, temporarily disable or switch to a supported alternative.
  3. Add a WAF: A web application firewall provides virtual patching, blocks common exploit attempts and helps with rate-limiting brute-force attacks.
  4. Harden access: Multi-factor authentication, limited admin accounts, and the principle of least privilege.
  5. Backups & recovery: Test daily off-site backups so you can roll back fast after malware removal.
  6. Security monitoring: Enable uptime alerts, file-change monitoring and malware scanning to catch issues early.
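To make steps 1 and 2 repeatable across many sites, here is an added example (not from the original post, and not matm's own tooling) that reads the JSON produced by WP-CLI's `wp plugin list` and checks each installed version against the headline and no-patch items in this roundup. The plugin slugs used as keys are an assumption, since the roundup gives display names only, and the sample plugin list is constructed for the demo.

```python
import json
# Advisory table transcribed from the roundup above. The slug keys are an assumption
# (the roundup gives display names only); fixed_in=None means no patch was available.
ADVISORY = {
    "the-events-calendar": ("The Events Calendar", "6.15.1.1", "critical"),
    "ninja-forms": ("Ninja Forms", "3.11.1", "critical"),
    "download-manager": ("Download Manager", "3.3.24", "high"),
    "tutor": ("Tutor LMS", "3.8.0", "high"),
    "wp-all-import": ("Import any XML, CSV or Excel File to WordPress", "3.9.4", "high"),
    "all-in-one-seo-pack": ("All in One SEO", None, "unpatched"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "unpatched": 2}

def version_tuple(version):
    """'6.15.1.1' -> (6, 15, 1, 1); a '-beta'/'-rc' suffix appends -1 so it sorts below the release."""
    core, _, suffix = version.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple(parts + [-1]) if suffix else tuple(parts)

def is_below(installed, fixed_in):
    """True when installed < fixed_in; zero-padded so that 3.8 == 3.8.0 and 6.15.1 < 6.15.1.1."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(plugin_list_json):
    """Consume `wp plugin list --fields=name,version,status --format=json` output and return
    [(slug, action, note)], most severe first. Inactive plugins still get 'update': their files stay on disk."""
    actions = []
    for plugin in json.loads(plugin_list_json):
        entry = ADVISORY.get(plugin["name"])
        if entry is None:
            continue  # not in this month's roundup
        title, fixed_in, severity = entry
        if fixed_in is None:
            if plugin["status"] == "active":
                actions.append((plugin["name"], "deactivate", f"{title}: no patch available"))
        elif is_below(plugin["version"], fixed_in):
            actions.append((plugin["name"], "update", f"{title}: {plugin['version']} < {fixed_in} ({severity})"))
    return sorted(actions, key=lambda a: SEVERITY_ORDER[ADVISORY[a[0]][2]])

# Constructed sample of `wp plugin list` output; the installed versions are invented for the demo.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "the-events-calendar", "version": "6.15.1", "status": "active"},
    {"name": "ninja-forms", "version": "3.11.1", "status": "active"},
    {"name": "tutor", "version": "3.7.5", "status": "inactive"},
    {"name": "all-in-one-seo-pack", "version": "4.8.5", "status": "active"},
    {"name": "akismet", "version": "5.3", "status": "active"},
])
```

Run `triage()` over real output from `wp plugin list --fields=name,version,status --format=json` and treat every "update" line as a step 1 item and every "deactivate" line as a step 2 item.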


Need a hand?

If you’re unsure which updates are safe on your setup, or you suspect a compromise, get expert help. A calm, methodical response is the quickest route back to business as usual.


How matm can help

  • Managed WordPress, plugin & theme updates
  • Security monitoring and WAF setup (virtual patching)
  • Regular backups & fast site recovery
  • Malware removal and emergency response

Talk to us at [email protected] or 01952 883 526.

Based on research by Sucuri — see the full roundup: Vulnerability & Patch Roundup — September 2025.