Unauthenticated WP MAR 2025
Managed WP/Woo Security Report
Stay informed about the latest Unauthenticated WP MAR 2025 report: WP security circumvention flaws, identified and reported publicly. This is a +28% INCREASE compared to the previous month, specifically in flaws that bypass existing security controls without any login. For your online safety, consider a managed WP/Woo security AUDIT, OR switching to a TOP10LIST alternative WP Security Plugin, OR hiring us for your recurring managed WordPress Security and managed WooCommerce Security needs.
WHO needs managed WP security? EVERYBODY!
Today's reality needs a Web Application Firewall (WAF) plus an Intrusion Prevention System (IPS), on top of timely patching, to mitigate the countless different threats to your WordPress site; a WAF blunts exploitation attempts, it does not remove the vulnerable code. Get your Unauthenticated WP MAR 2025 Patch Management.
The following cases made headlines publicly just last month in the Unauthenticated WP MAR 2025 category. Every entry is reachable without logging in; (BAC) marks broken access control, i.e. a missing capability or nonce check:
Plugin / Theme | Vulnerability |
1 Click WordPress Migration | Unauthenticated Private Information Exposure from Database Backup in class-ocm-backupphp |
Actionwear products sync | Unauthenticated Private Full Path Disclosure |
Affiliate Links Lite | Missing Authorization (BAC) to Unauthenticated Import/Export and PHP Object Injection |
AForms Eats | Unauthenticated Private Full Path Disclosure |
Ark Theme Core | Unauthenticated Remote Code Execution (RCE) |
Avada Theme | Unauthenticated Shortcode Execution (BAC) |
BigBuy Dropshipping Connector for WooCommerce | Unauthenticated Private Full Path Disclosure |
Booking Calendar | Unauthenticated Post-Confirmation Booking Manipulation (BAC) |
C9 Blocks | Unauthenticated Private Full Path Disclosure |
Campress Theme | Unauthenticated Local File Inclusion (LFI) |
CarSpot Theme | Unauthenticated Password Reset/Account Takeover (BAC) |
Classified Listing | Unauthenticated Settings Exposure (BAC) |
Contact Manager | Unauthenticated Double File Extension Upload (BAC) |
Contest Gallery | Unauthenticated Cross-Site Scripting (XSS) |
CURCY | Unauthenticated Shortcode Execution (BAC) from get_products_price Function |
Custom Post Type Date Archives | Missing Authorization (BAC) to Unauthenticated Shortcode Execution (BAC) |
DHVC Form | Unauthenticated Privilege Escalation (BAC) |
Download IP2Location Country Blocker | Missing Authorization (BAC) to Unauthenticated Information Exposure from admin_init Function |
Ebook Downloader | Unauthenticated SQL Injection (SQLi) |
Elements kit Elementor addons | Unauthenticated Information Exposure from get_megamenu_content Function |
Eventer | Missing Authorization (BAC) to Unauthenticated Event Ticket Download |
Events Manager | Unauthenticated SQL Injection (SQLi) from Event Status Parameter |
Everest Forms | Unauthenticated File Upload, File Read, and File Deletion (BAC) |
File Uploads Addon for WooCommerce | Unauthenticated Private Information Exposure Through Unprotected Directory |
FoodBakery | Unauthenticated File Upload (BAC) |
FoodBakery | Unauthenticated Privilege Escalation (BAC) in foodbakery_registration_validation |
Fresh Framework | Unauthenticated Remote Code Execution (RCE) |
Fusion Builder | Unauthenticated Shortcode Execution (BAC) |
Gift Vouchers | Missing Authorization (BAC) to Unauthenticated Price, Date, and Note Updates |
Hide My WP Ghost | Unauthenticated Private Login Page Disclosure |
JS Help Desk | Unauthenticated Private Information Exposure Through Unprotected Directory |
Keap Official Opt-in Forms | Unauthenticated Local File Inclusion (LFI) |
K Elements | Unauthenticated Account Takeover (BAC) |
Lenix Elementor Leads addon | Unauthenticated Cross-Site Scripting (XSS) from URL Form Field |
LTL Freight Quotes – ABF Freight Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – Estes Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – For Customers of FedEx Freight | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – GlobalTranz Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – GlobalTranz Edition | Missing Authorization (BAC) to Unauthenticated Settings Update (BAC) |
LTL Freight Quotes – Old Dominion Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – Purolator Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – R+L Carriers Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – SAIA Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – SEFL Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – TForce Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – Unishippers Edition | Unauthenticated SQL Injection (SQLi) |
LTL Freight Quotes – XPO Edition | Unauthenticated SQL Injection (SQLi) |
Majestic Support | Unauthenticated Private Information Exposure Through Unprotected Directory |
OneStore Sites | Unauthenticated Blind Server-Side Request Forgery (SSRF) |
Order Attachments for WooCommerce | Unauthenticated Private Information Exposure Through Unprotected Directory |
PeproDev Ultimate Invoice | Insecure Direct Object Reference (IDOR) to Unauthenticated Order Private Information Exposure |
Post Grid and Gutenberg Blocks | Unauthenticated Paid Order Creation |
Post Grid and Gutenberg Blocks | Unauthenticated Private User Information Exposure |
Post SMTP | Unauthenticated Cross-Site Scripting (XSS) |
PressMart Theme | Unauthenticated Shortcode Execution (BAC) |
PrivateContent | Unauthenticated Account Takeover (BAC) |
Puzzles Theme | Unauthenticated PHP Object Injection |
Rapid Cache | Unauthenticated Cache Poisoning |
Raptive Ads | Missing Authorization (BAC) to Unauthenticated Data/Settings Reset |
Real Estate 7 Theme | Unauthenticated Privilege Escalation (BAC) to Administrator |
Return Refund and Exchange For WooCommerce | Unauthenticated Private Information Exposure Through Unprotected Directory |
s2Member Pro | Unauthenticated PHP Object Injection |
Scratch & Win – Giveaways and Contests | Missing Authorization (BAC) to Unauthenticated Coupon Creation |
Security & Malware scan by CleanTalk | Unauthenticated File Upload (BAC) |
Sensei LMS | Unauthenticated Private sensei_email/sensei_message Disclosure |
ShipEngine Shipping Quotes | Unauthenticated SQL Injection (SQLi) |
Show Me The Cookies | Unauthenticated Shortcode Execution (BAC) |
Site Mailer | Unauthenticated Cross-Site Scripting (XSS) |
Small Package Quotes – For Customers of FedEx | Unauthenticated SQL Injection (SQLi) |
Small Package Quotes – Purolator Edition | Unauthenticated SQL Injection (SQLi) |
Small Package Quotes – UPS Edition | Unauthenticated SQL Injection (SQLi) |
Small Package Quotes – USPS Edition | Unauthenticated SQL Injection (SQLi) |
SMTP for Amazon SES | Unauthenticated Cross-Site Scripting (XSS) from Email Logs |
SMTP for SendGrid – YaySMTP | Unauthenticated Cross-Site Scripting (XSS) from Email Logs |
SMTP for Sendinblue – YaySMTP | Unauthenticated Cross-Site Scripting (XSS) from Email Logs |
Subscribe2 | Unauthenticated Cross-Site Scripting (XSS) from IP Parameter |
Super Store Finder | Unauthenticated SQL Injection (SQLi) to Cross-Site Scripting (XSS) |
Testimonials | Unauthenticated Cross-Site Scripting (XSS) |
Themes Coder | Unauthenticated SQL Injection (SQLi) |
The Ultimate WordPress Toolkit – WP Extended | Missing Authorization (BAC) to Unauthenticated Post Order Manipulation (BAC) |
Trash Duplicate and 301 Redirect | Missing Authorization (BAC) to Unauthenticated Post Deletion (BAC) |
Uncode Theme | Unauthenticated File Read (BAC) in uncode_admin_get_oembed |
Welcart e-Commerce | Unauthenticated Cross-Site Scripting (XSS) from name Parameter |
WHMpress | Unauthenticated Local File Inclusion (LFI) to Options Update (BAC) |
Wise Forms | Unauthenticated Cross-Site Scripting (XSS) |
WooCommerce Food - Restaurant Menu & Food ordering | Unauthenticated Shortcode Execution (BAC) from ids |
WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates | Unauthenticated File Upload (BAC) |
WooODT Lite | Unauthenticated Private Full Path Disclosure |
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Unauthenticated Private Information Exposure |
WordPress FormCraft - Premium WordPress Form Builder plugin | Unauthenticated Cross-Site Scripting (XSS) from SVG File Upload |
WordPress Portfolio Builder – Portfolio Gallery | Missing Authorization (BAC) to Unauthenticated Portfolio Update |
WP Activity Log | Unauthenticated Cross-Site Scripting (XSS) |
WP ALL Export Pro | Unauthenticated Remote Code Execution (RCE) from Custom Export Fields |
WP Job Board Pro | Unauthenticated Privilege Escalation (BAC) from process_register |
WP Job Portal | Insecure Direct Object Reference (IDOR) to Unauthenticated Resume Download |
Yawave | Unauthenticated SQL Injection (SQLi) |
YaySMTP | Unauthenticated Cross-Site Scripting (XSS) |
Unauthenticated WordPress vulnerabilities reported in 2023: 235
Unauthenticated WordPress vulnerabilities reported in 2024: 628
Unauthenticated WordPress vulnerabilities reported in 2025 (year to date, through this March report): 233
WHO needs managed WP Maintenance? EVERYBODY!
Today's reality requires daily clean-ups with database optimisation, weekly updates and upgrades for both free and premium modules, plus occasional emergency changes (deactivating or removing a plugin, or virtual-patching it at the WAF) when critical vulnerabilities are publicly disclosed before a fix is available. Order Unauthenticated WP MAR 2025 Patch Management.
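To make the weekly update run and the emergency case concrete, here is an added example (not code from this report's authors or from any plugin vendor) that triages a site's installed plugins against the affected list above. It assumes the inventory was exported with `wp plugin list --fields=name,title,status,update,version,update_version --format=json` (that field set is an assumption; check it against your WP-CLI version), that plugin display names match the names printed in the table, and uses a constructed inventory with fake version numbers.

```python
"""Triage a WordPress plugin inventory against the affected-plugin list.

Added example, not the report's own tooling. Assumptions: the inventory
JSON comes from
  wp plugin list --fields=name,title,status,update,version,update_version --format=json
and plugin display names ("title") match the names in the table above.
"""
import json

# A few entries copied from the table above, keyed by display name.
AFFECTED = {
    "Everest Forms": "Unauthenticated File Upload, File Read, and File Deletion (BAC)",
    "Post SMTP": "Unauthenticated Cross-Site Scripting (XSS)",
    "Rapid Cache": "Unauthenticated Cache Poisoning",
    "Events Manager": "Unauthenticated SQL Injection (SQLi) from Event Status Parameter",
}

# Constructed sample inventory: fake versions, not a real site's data.
SAMPLE_INVENTORY = json.dumps([
    {"name": "everest-forms", "title": "Everest Forms", "status": "active",
     "update": "available", "version": "1.0.0", "update_version": "1.0.1"},
    {"name": "post-smtp", "title": "Post SMTP", "status": "active",
     "update": "none", "version": "1.0.0", "update_version": ""},
    {"name": "events-manager", "title": "Events Manager", "status": "inactive",
     "update": "none", "version": "1.0.0", "update_version": ""},
    {"name": "rapid-cache", "title": "Rapid Cache", "status": "inactive",
     "update": "available", "version": "1.0.0", "update_version": "1.0.1"},
    {"name": "akismet", "title": "Akismet Anti-spam", "status": "active",
     "update": "none", "version": "1.0.0", "update_version": ""},
])


def triage(inventory_json, affected=AFFECTED):
    """Return the affected plugins that are installed, most urgent first.

    action 'update'   : a newer release exists, apply it in the weekly run.
    action 'mitigate' : nothing to update to; this is the emergency case
                        (deactivate/remove, or virtual-patch at the WAF).
    Inactive plugins are still reported: their PHP files stay on disk, and
    directly requested files are reachable whether or not WordPress loads
    the plugin.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        issue = affected.get(plugin["title"])
        if issue is None:
            continue
        action = "update" if plugin["update"] == "available" else "mitigate"
        findings.append({
            "slug": plugin["name"],
            "issue": issue,
            "installed": plugin["version"],
            "available": plugin["update_version"] or None,
            "active": plugin["status"] == "active",
            "action": action,
        })
    # Order: no-fix-available and active, then no-fix inactive, then updatable.
    findings.sort(key=lambda f: (f["action"] != "mitigate", not f["active"], f["slug"]))
    return findings


def wp_cli_commands(findings):
    """Translate findings into WP-CLI commands for the maintenance run."""
    cmds = []
    for f in findings:
        if f["action"] == "update":
            cmds.append(f"wp plugin update {f['slug']}")
        elif f["active"]:
            cmds.append(f"wp plugin deactivate {f['slug']}")
        else:
            # Unused and unfixed: remove the files rather than leave them reachable.
            cmds.append(f"wp plugin delete {f['slug']}")
    return cmds


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for f in result:
        print(f"{f['action']:8} {f['slug']:15} active={f['active']!s:5} {f['issue']}")
    print("\n".join(wp_cli_commands(result)))
```

Run the generated commands only after a backup, and treat `deactivate` as a stopgap: an unauthenticated flaw in a file that can be requested directly (an upload handler, a backup class) is not closed by deactivation alone, which is why the no-fix inactive case goes straight to `delete`.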
Security is not a single-task job
Need managed WP Security and have no clue where to start? Hire an expert. Pay the price of a coffee per week; it's cheaper than one hour of a freelancer.