One day, several critical vulnerabilities in WP plugins - LoginPress Pro, WooCommerce Refund And Exchange with RMA, School Management System for Wordpress, MasterStudy LMS, aapanel WP Toolkit, B1.lt for WooCommerce, Attachment Manager
I've checked multiple times today for new vulnerabilities, and the day went slowly. Almost nothing.
Went out for a while and came back - boom, 20+ new vulnerabilities, seven of which look rather severe.
Just look at this:
| Plugin | Severity Score | CVE ID | Description |
|---|---|---|---|
| LoginPress Pro | 9.8 | CVE-2025-7444 | Authentication Bypass |
| WooCommerce Refund And Exchange with RMA | 9.8 | CVE-2025-6222 | Unauthenticated Arbitrary File Upload |
| School Management System for Wordpress | 8.8 | CVE-2025-3740 | Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation |
| MasterStudy LMS – Online Courses, eLearning PRO Plus | 7.5 | CVE-2025-7438 | Authenticated (Subscriber+) Arbitrary File Upload |
| aapanel WP Toolkit | 8.8 | CVE-2025-6813 | Missing Authorization to Authenticated (Subscriber+) Privilege Escalation |
| B1.lt for WooCommerce | 8.8 | CVE-2025-6718 | Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Injection |
| Attachment Manager | 9.1 | CVE-2025-7643 | Unauthenticated Arbitrary File Deletion |
Four of the above (the Subscriber+ ones) affect only sites that have user registration enabled, but the other three require no authentication at all to exploit.
Needless to say, if you have any of these plugins on your website, update the ones that have a patch and remove the ones that don't.
(In the table above, the first four have a patch; the last three should be removed or replaced with an alternative.)
Act quickly and don't hesitate to get in touch if you need help!
If you need monthly maintenance or malware removal, get professional help today.