WordPress: current security vulnerabilities, July 2025
In July 2025, several critical vulnerabilities in WordPress plugins and themes became known that can affect numerous websites:
1. HT Contact Form Plugin (over 10,000 websites affected)
- Weak spots: File upload, deletion and movement possible without authentication (CVSS up to 9.8).
- Danger: Attackers can upload arbitrary files (including PHP malware) or delete critical files such as wp-config.php. This enables complete takeover of the website.
- Update: Patch released on July 13, 2025 → update to version 2.2.2 highly recommended.
2. Post SMTP plugin (over 400,000 installations)
- Vulnerability: Broken access control (CVE-2025-24000): any registered user can view email logs, including password reset emails, and thereby take over admin accounts.
- Danger: Complete control over the WordPress site possible.
- Fix: Patched in version 3.3.0 on June 11, 2025 → install at least version 3.3.0.
3. Motors Theme
- Vulnerability: Insufficient user validation allows privilege escalation (CVE-2025-4322).
- Danger: Attackers can change admin passwords and gain full access without authentication.
- Solution: Patched in version 5.6.68 (from June 12, 2025). Admins should update the theme and check for unusual activity and unknown accounts.
4. End of support for WordPress versions 4.1 to 4.6
- Since July 2025, these old core versions no longer receive security updates. Operators should update to a current version without delay to stay protected against new vulnerabilities.
5. Other critical vulnerabilities (selection, according to Vulnerability Report July 2025)
- Support Board (Plugin): Arbitrary file deletion – update to version 3.8.1 required.
- WP File Download: Cross-Site Scripting (XSS) – patch available from version 6.2.6.
- Really Simple Security: Admin takeover possible – update to at least version 9.1.2 required.
Recommendations for action for July 2025
- Update plugins, themes and the WordPress core to the latest versions immediately.
- Especially with popular plugins such as HT Contact Form, Post SMTP, Support Board, Motors and Really Simple Security, pay attention to changelogs and security warnings.
- Uninstall WordPress installations running versions that are no longer supported (4.6 and older), or migrate them to a current version.
- Regularly use security scanners and monitoring tools to detect suspicious activity and unauthorized accounts.
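One way to turn the version requirements above into a repeatable check is to compare the output of `wp plugin list --format=json` / `wp theme list --format=json` against the minimum fixed versions named in this advisory. The script below is an added example and not part of the original advisory; the plugin and theme slugs in `FIXED_VERSIONS` are assumptions and must be verified against the `name` field your own WP-CLI output reports, and the inventory it runs on is constructed.

```python
"""Audit a WP-CLI plugin/theme inventory against the fixed versions in this advisory."""
import json
import re

# Minimum fixed versions taken from the advisory (July 2025).
# Slugs are assumptions: check them against `wp plugin list` on your site.
FIXED_VERSIONS = {
    "ht-contact-form": "2.2.2",          # HT Contact Form (unauthenticated file ops)
    "post-smtp": "3.3.0",                # Post SMTP (CVE-2025-24000)
    "support-board": "3.8.1",            # Support Board (arbitrary file deletion)
    "wp-file-download": "6.2.6",         # WP File Download (XSS)
    "really-simple-security": "9.1.2",   # Really Simple Security (admin takeover)
    "motors": "5.6.68",                  # Motors theme (CVE-2025-4322)
}


def parse_version(version):
    """Turn '5.6.68' or '3.3.0-beta1' into a tuple of ints for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(installed, fixed):
    """True if installed < fixed; pads with zeros so '3.3' equals '3.3.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_vulnerable(slug, installed):
    """True only for components the advisory covers and that sit below the fix."""
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and version_lt(installed, fixed)


def audit(inventory_json):
    """Return (slug, installed, fixed) for every item still below the patched version."""
    findings = []
    for item in json.loads(inventory_json):
        if is_vulnerable(item["name"], item["version"]):
            findings.append((item["name"], item["version"], FIXED_VERSIONS[item["name"]]))
    return findings


# Constructed sample shaped like `wp plugin list --format=json`; not real site data.
SAMPLE_INVENTORY = json.dumps([
    {"name": "post-smtp", "status": "active", "update": "available", "version": "3.2.0"},
    {"name": "ht-contact-form", "status": "active", "update": "none", "version": "2.2.2"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "motors", "status": "active", "update": "available", "version": "5.6.67"},
])

if __name__ == "__main__":
    for slug, installed, fixed in audit(SAMPLE_INVENTORY):
        print(f"{slug}: installed {installed}, advisory requires >= {fixed}")
```

On a live site, pipe the real WP-CLI JSON into `audit()` and schedule the run alongside your existing scanner so a plugin that is rolled back or reinstalled below the fixed version is caught again.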
Current threats mainly concern security vulnerabilities in widely used plugins. Operators should always install the latest updates and make sure that plugins and themes come from trusted sources in order to keep their site protected.