June 2025 brought alarming news for WordPress site owners. Security researchers identified a series of severe vulnerabilities — each rated 9.8 on the CVSS scale — affecting widely used plugins and themes. These flaws, many of which require no authentication to exploit, enable attackers to bypass login mechanisms, escalate privileges to admin level, install malicious plugins, and even delete server files. Left unpatched, these vulnerabilities can quickly lead to full site takeovers, data theft, and irreversible damage.

Let's examine the most critical vulnerabilities discovered this month and consider their implications for your site's security.

One of the most severe flaws was found in the PT Project Notebooks plugin, affecting versions 1.0.0 through 1.1.3. Due to a missing authorization check in the wpnb_pto_new_users_add() function, unauthenticated users can elevate their privileges to that of an administrator. This makes it possible for attackers to take complete control of the WordPress site without any credentials.

A critical vulnerability in the Simple Payment plugin (versions 1.3.6 to 2.3.8) was discovered, allowing authentication bypass. The plugin fails to properly verify a user’s identity before logging them in via the create_user() function. As a result, unauthenticated attackers can exploit this flaw to gain access as admin-level users, posing a significant threat to website integrity.

Another high-risk issue is the Simple User Registration plugin, which affects all versions up to and including 6.3. This vulnerability allows privilege escalation during the registration process. By manipulating user meta values, attackers can create accounts with administrator privileges, effectively bypassing all intended access restrictions.

The widely used FunnelKit WooCommerce plugin, known for its cart abandonment and email marketing features, was found vulnerable in all versions up to 3.5.3. A weak nonce and missing capability checks in the install_or_activate_addon_plugins() function allow unauthenticated users to install and activate arbitrary plugins, opening the door to deeper infections and full site compromise.

All versions of the Image Resizer On The Fly plugin up to 1.1 suffer from a critical flaw that permits arbitrary file deletion. Due to insufficient file path validation in the delete task, attackers can remove critical files such as wp-config.php. This could disrupt site operations or even lead to remote code execution.

The REST API | Custom API Generator plugin (versions 1.0.0 to 2.0.3) is vulnerable due to a missing capability check in the process_handler() function. Attackers can exploit this to post specially crafted JSON data that creates new administrator accounts. No authentication is required, making it a serious threat to any site using the plugin.

A flaw in the Workreap plugin, affecting versions up to 3.3.1, allows unauthenticated attackers to bypass login and access user accounts — including administrators — simply by knowing their email address. The issue arises because the plugin doesn't correctly validate user identity during email-based account verification when the confirmation_key has not been set.

The WP Email Debug plugin, versions 1.0 to 1.1.0, contains a critical privilege escalation vulnerability. A missing capability check in the WPMDBUG_handle_settings() function enables attackers to redirect all emails to an address they control. By triggering a password reset, attackers can hijack admin accounts without detection.

The HyperComments plugin, which extends comment functionality on WordPress, is vulnerable in all versions up to 1.2.2. A missing capability check in the hc_request_handler function allows attackers to modify critical WordPress site options. This includes changing the default registration role to "administrator" and enabling open registration, leading to full site compromise.

Finally, the Golo – City Travel Guide WordPress Theme, up to version 1.7.0, is affected by a privilege escalation vulnerability. The theme fails to validate the user identity before setting an authorization cookie. If attackers know a user's email, they can log in as that user — including admins — and take over their accounts.

These vulnerabilities reveal a troubling trend in the WordPress ecosystem: they are easy to exploit, often require no authentication, and affect some of the most widely used plugins and themes. This makes it essential for website owners to stay vigilant and proactive in their security approach.

Keeping WordPress core, plugins, and themes up to date is one of the most effective ways to prevent attacks. Developers regularly release patches to fix known vulnerabilities, and delaying updates can leave your site exposed. It’s also wise to remove any unused plugins and themes, as even inactive code can be exploited if it contains security flaws.

In addition, using a reputable security plugin or web application firewall (WAF) can help detect and block suspicious activity before it causes harm. Restricting user permissions and applying the principle of least privilege will further reduce the chances of attackers gaining elevated access if an account is compromised. And finally, scheduling regular malware scans and site backups ensures that if something does go wrong, you can respond quickly and recover without significant damage.

Here at Quttera, we provide multi-layered website security solutions specifically tailored to protect WordPress websites from critical threats like those detailed above. Our platform offers real-time malware detection, blocklist monitoring, and automated threat response. With deep threat intelligence and expert support, Quttera helps you identify vulnerabilities, prevent exploitation, and recover from attacks — fast. Whether you're managing a single site or a fleet of WordPress installations, Quttera is your reliable security partner in the evolving landscape of web threats