November 2025: Popular WordPress plugins with vulnerabilities

I work with WordPress every day – building new projects, developing custom plugins or configuring external tools – so reports like the latest WordPress Vulnerability Report from SolidWP are basically my morning newspaper. The November 12, 2025 edition lists as many as 199 new vulnerabilities (197 in plugins, 2 in themes), of which around 95 remain unpatched in the repository. And these aren’t obscure add-ons no one uses – many of them affect extremely popular tools used daily across the WP ecosystem.

The Events Calendar – critical SQL injection and data exposure

If you manage events or calendars in WordPress, there’s a good chance you use The Events Calendar. It appears twice in the report: once with a SQL Injection vulnerability (severity: critical) and once with a sensitive data exposure issue. Both were fixed in version 6.15.10, so if your dashboard shows anything lower, updating is an absolute must. In practice, SQL injection lets an attacker alter the queries the plugin sends to the database, which can mean reading or modifying data the site never meant to expose; the data exposure issue means information that should never be publicly visible can be read by someone who should not see it.

Gravity Forms and the Jet ecosystem – forms and widgets can hurt too

The second important case is Gravity Forms – a classic when it comes to advanced WordPress forms. The report highlights an Arbitrary File Upload vulnerability (severity: critical): an attacker can place a file of their choosing on the server, for example a PHP webshell, which in the worst case leads to remote code execution and a full site takeover. The issue was patched in Gravity Forms 2.9.21, so only that version and newer are considered safe.

In the same report we also see JetElements for Elementor – a plugin from the Jet family that many users install alongside JetEngine. This one had an XSS vulnerability (Cross Site Scripting, severity: medium), patched in version 2.7.12.1. XSS is a classic – the ability to inject malicious JS that can, for example, steal an admin session or modify what the user sees.

FunnelKit, FunnelKit Automations, WPFunnels – hitting sales funnels where it hurts

The report also highlights multiple issues in tools used to build sales funnels. FunnelKit – Funnel Builder for WooCommerce Checkout was flagged for an XSS vulnerability (severity: high), patched in 3.12.0.1.
Meanwhile, FunnelKit Automations (email & CRM automations) appears twice: sensitive data exposure and broken access control – both fixed in version 3.6.4.2.
On top of that, WPFunnels – Easy WordPress Funnel Builder – had broken access control and arbitrary file deletion, both patched in version 3.6.3. Arbitrary file deletion is more dangerous than it sounds on WordPress: removing a core file such as wp-config.php is a well-known path to site takeover.

In simple terms: these are plugins that handle leads, customer data and money – so several unpatched holes in this area can hurt badly if not updated quickly.

What to do in practice (and how not to lose your mind)?

This is not a call to remove every plugin mentioned in the report. Vulnerabilities happen to every vendor – the key point is whether patches appear quickly, and whether you actually install them.

  1. Check whether a plugin you use is on the list (here: The Events Calendar, Gravity Forms, JetElements, FunnelKit, FunnelKit Automations, WPFunnels).
  2. Compare your installed version with the patched version mentioned in the report – if yours is lower, updating should be your priority. Compare versions component by component (2.9.3 is older than 2.9.21), not as plain strings.
  3. Minimize the number of plugins – every extra package of external code is another potential attack vector.
  4. Maintain backups and a staging environment – apply updates on staging first, test them, only then deploy to production.
  5. Check security reports regularly.
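Here is a small script that automates steps 1 and 2. It is an added example, not code from the article or from any of the plugin vendors: it reads the CSV that `wp plugin list --fields=name,status,version --format=csv` prints, compares each installed version with the patched version quoted above, and flags anything older. The plugin slugs used as dictionary keys are assumptions (check them against your own `wp plugin list` output), and the sample plugin list embedded in the script is constructed for the demonstration.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Patched versions as the article quotes them from the report. The WP-CLI
# slugs used as keys are assumptions for this example; confirm them against
# `wp plugin list` on your own site.
PATCHED_VERSIONS: Dict[str, str] = {
    "the-events-calendar": "6.15.10",
    "gravityforms": "2.9.21",
    "jet-elements": "2.7.12.1",
    "funnel-builder": "3.12.0.1",
    "wp-marketing-automations": "3.6.4.2",
    "wpfunnels": "3.6.3",
}

# Constructed sample of `wp plugin list --fields=name,status,version --format=csv`;
# not taken from a real installation.
SAMPLE_PLUGIN_LIST = """name,status,version
the-events-calendar,active,6.15.9
gravityforms,active,2.9.3
jet-elements,active,2.7.12.1
funnel-builder,active,3.12.0
wp-marketing-automations,inactive,3.6.4.1
wpfunnels,active,3.6.10
akismet,active,5.3
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '3.12.0.1' into (3, 12, 0, 1). Non-numeric suffixes such as
    '-beta' are dropped so that only the numeric components are compared."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(installed: str, patched: str) -> bool:
    """True when installed is older than patched. Components are compared as
    integers and the shorter tuple is zero-padded, so 2.9.3 < 2.9.21 and
    3.12.0 < 3.12.0.1, both of which plain string comparison gets wrong."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_plugin_list(csv_text: str) -> List[Dict[str, str]]:
    """Parse the CSV that `wp plugin list --format=csv` prints."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_outdated(plugins: List[Dict[str, str]],
                  patched: Dict[str, str] = PATCHED_VERSIONS) -> List[Tuple[str, str, str, str]]:
    """Return (name, status, installed, patched) for every listed plugin that
    is below its patched version. Inactive plugins are reported too: their
    code is still on disk, and updating or deleting it is the safe fix."""
    outdated = []
    for plugin in plugins:
        fixed = patched.get(plugin["name"])
        if fixed and version_lt(plugin["version"], fixed):
            outdated.append((plugin["name"], plugin["status"], plugin["version"], fixed))
    return outdated


if __name__ == "__main__":
    rows = find_outdated(parse_plugin_list(SAMPLE_PLUGIN_LIST))
    for name, status, installed, fixed in rows:
        print(f"UPDATE {name} ({status}): {installed} -> {fixed}")
```

To run it against a real site, save the output of `wp plugin list --fields=name,status,version --format=csv` and pass the file contents to `parse_plugin_list`. Inactive plugins are flagged on purpose: deactivating a plugin leaves its files on the server, so update or delete it rather than assuming deactivation is enough.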

If you need help with your WP site – maybe you want me to review your plugins, clean up your updates or tighten your security – get in touch!
