Critical vulnerabilities in WordPress plugins – May 2025

To ensure that your WordPress website is secure and stays that way, you need a security plugin.
One reason is that they report regularly on critical vulnerabilities in plugins you might use.
There are a few available, although my preference goes to Wordfence.
The Wordfence Threat Intelligence team has found these vulnerabilities so far:
Arbitrary File Read vulnerability in Eventin, a WordPress plugin with more than 10,000 active installations.
On April 6th, 2025, they received a submission for an Arbitrary File Read vulnerability in Eventin, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information.
OttoKit: All-in-One Automation Platform (Formerly SureTriggers)
On May 2nd, 2025 the Wordfence Threat Intelligence team added a new critical vulnerability to the Wordfence Intelligence vulnerability database in the OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin publicly disclosed by a third-party CNA on April 30th, 2025.
This vulnerability makes it possible for unauthenticated attackers to gain administrative-level access to vulnerable sites that have never used an application password, or for authenticated attackers with a valid application password to do the same.
Privilege Escalation vulnerability in Motors, a WordPress theme with more than 22,000 sales.
On May 2nd, 2025, they received a submission for a Privilege Escalation vulnerability in Motors, a WordPress theme with more than 22,000 sales. This vulnerability makes it possible for an unauthenticated attacker to change the password of any user, including an administrator, which allows them to take over the account and the website.
Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales.
On May 4th, 2025, they received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.
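The three vulnerability classes above (arbitrary file read, unauthenticated password change, and file upload by low-privileged users) all come down to a missing or incomplete authorization or input check in plugin code. The following is an added example of the defensive patterns a plugin author should use; it is not code from this post, from Wordfence, or from Eventin, OttoKit, Motors or TheGem, and the plugin slug `example-plugin`, the REST routes and the function names are made up for illustration. Everything else it calls is the standard WordPress API.

```php
<?php
// Added example (not from the page or from any plugin named above): defensive
// patterns in a hypothetical plugin "example-plugin" that guard against the three
// vulnerability classes discussed: arbitrary file read, unauthenticated password
// change, and arbitrary file upload by subscriber-level users.

add_action( 'rest_api_init', function () {
    // Arbitrary file read: only administrators may call this, and only files that
    // resolve inside one allowed directory are ever served.
    register_rest_route( 'example-plugin/v1', '/export', array(
        'methods'             => 'GET',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'file' => array( 'required' => true, 'sanitize_callback' => 'sanitize_file_name' ),
        ),
        'callback'            => 'example_plugin_serve_export',
    ) );

    // Privilege escalation: a password change requires an authenticated caller who is
    // either the target user or holds edit_users (administrators by default).
    register_rest_route( 'example-plugin/v1', '/password', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $target = (int) $request->get_param( 'user_id' );
            return is_user_logged_in()
                && ( get_current_user_id() === $target || current_user_can( 'edit_users' ) );
        },
        'callback'            => 'example_plugin_change_password',
    ) );
} );

function example_plugin_serve_export( WP_REST_Request $request ) {
    $base = wp_upload_dir()['basedir'] . '/example-plugin-exports';
    $real = realpath( $base . '/' . $request->get_param( 'file' ) );
    // realpath() collapses "../" sequences and symlinks; reject anything that
    // does not land strictly inside $base.
    if ( false === $real || 0 !== strpos( $real, realpath( $base ) . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'invalid_file', 'Not found', array( 'status' => 404 ) );
    }
    return new WP_REST_Response( array( 'content' => file_get_contents( $real ) ) );
}

function example_plugin_change_password( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $new     = (string) $request->get_param( 'password' );
    if ( strlen( $new ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password too short', array( 'status' => 400 ) );
    }
    wp_set_password( $new, $user_id );
    return new WP_REST_Response( array( 'updated' => true ) );
}

// Arbitrary file upload: subscribers lack upload_files, so they never reach the
// handler; trusted users still only get files whose extension and MIME type
// WordPress allows, and the request must carry a valid nonce.
add_action( 'admin_post_example_plugin_upload', function () {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_plugin_upload' ); // CSRF nonce check

    $file = $_FILES['asset'] ?? null;
    if ( ! $file ) {
        wp_die( 'No file', '', array( 'response' => 400 ) );
    }
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 415 ) );
    }
    // wp_handle_upload() re-validates the type and moves the file into the uploads dir.
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-plugin&uploaded=1' ) );
    exit;
} );
```

The point of each `permission_callback` is that authorization is decided before the handler runs, so a missing check in the handler itself cannot be the only line of defence; the `realpath()` prefix comparison is what turns "read a file by name" into "read a file from this one directory", and `wp_check_filetype_and_ext()` rejects files whose declared extension does not match their content before `wp_handle_upload()` ever touches the filesystem.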
Annual WordPress security report for 2024.
In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.
All the best,
Luc
