
WordPress July 2025 Recap: Navigating Vulnerabilities, Innovations, and Internal Turmoil

WordPress, the CMS that powers over 43% of the internet, faced a defining month in July 2025. From security crises and forward-looking development updates to governance disputes that shook its open-source core, this month revealed both the platform’s strengths and the growing pains of its maturity. This detailed recap covers the most important stories, insights, and expert commentary from the last 30 days—including quotes and references from developers, security researchers, and community leaders.

Widespread Vulnerabilities: July’s Cybersecurity Wake-Up Call

WordPress’s vast plugin ecosystem is a double-edged sword—offering functionality but also exposing sites to risk. July 2025 was particularly rough, with over 37 new vulnerabilities reported in Sucuri’s monthly roundup. These included XSS flaws, SQL injections, PHP Object Injections, and Remote Code Execution (RCE) vulnerabilities.

Notable Exploits

  • Elementor Website Builder: With over 10 million active installations, this plugin faced an XSS flaw (CVE-2025-4566). “If you’re running v3.30.2 or below, you’re exposed,” warned @sucurisecurity.
  • WPvivid Backup & Migration: Over 700,000 sites were exposed to an unauthenticated file upload vulnerability (CVE-2025-5961), allowing full site takeover. Wordfence noted, “The impact could be catastrophic for poorly maintained installs.”
  • Forminator Forms: A trifecta of vulnerabilities included PHP Object Injection, Arbitrary File Deletion, and SQL Injection, all patched in v1.45.1.
  • Post SMTP (CVE-2025-24000): Of the plugin's 400,000 active users, 160,000 were still unpatched as of July 28. Attackers could reset passwords and hijack admin accounts. @R4yt3d tweeted: “It’s not just a plugin flaw—it’s an entry point for mass exploitation.”
  • Alone Theme (CVE-2025-5394): One of the month's most severe flaws. Exploited in the wild, this RCE vulnerability affected 9,000+ sites. @wordfence reported over 120,000 blocked attempts: “We’ve seen backdoor uploads masquerading as plugin installs. Immediate update to v7.8.5 is mandatory.”
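A defender's check built from the version thresholds above, added here as an example that is not part of the original article: it reads the JSON that `wp plugin list --format=json` and `wp theme list --format=json` emit and flags components still on versions the recap lists as vulnerable. The directory slugs and the sample inventory are assumptions; WPvivid and Post SMTP are omitted because the recap names no fixed version for them.

```python
"""Added example (not from the article): flag installed WordPress plugins and
themes still on versions the July 2025 recap lists as vulnerable. Version
thresholds come from the article; slugs and the inventory are assumptions."""
import json

def parse_version(v):
    """Turn '3.30.2' into a tuple of ints; non-numeric suffixes are ignored."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_cmp(a, b):
    """Return -1, 0 or 1 comparing dotted versions; missing parts count as 0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)

# Rules taken from the article. Directory slugs are assumed. WPvivid and
# Post SMTP are left out because the article gives no fixed version for them.
RULES = [
    ("plugin", "elementor", "CVE-2025-4566 (XSS)",
     lambda v: version_cmp(v, "3.30.2") <= 0, "exposed at 3.30.2 or below"),
    ("plugin", "forminator", "PHP object injection / file deletion / SQLi",
     lambda v: version_cmp(v, "1.45.1") < 0, "patched in 1.45.1"),
    ("theme", "alone", "CVE-2025-5394 (RCE, exploited in the wild)",
     lambda v: version_cmp(v, "7.8.5") < 0, "update to 7.8.5"),
]

def audit(plugins_json, themes_json):
    """Take the JSON text of `wp plugin list --format=json` and `wp theme list
    --format=json`; return [(kind, slug, installed_version, issue, fix)]."""
    inventory = {"plugin": json.loads(plugins_json), "theme": json.loads(themes_json)}
    findings = []
    for kind, slug, issue, is_vulnerable, fix in RULES:
        for item in inventory[kind]:
            if item["name"] == slug and is_vulnerable(item["version"]):
                findings.append((kind, slug, item["version"], issue, fix))
    return findings

# Constructed sample inventory in wp-cli's JSON shape, not data from a real site.
SAMPLE_PLUGINS = json.dumps([
    {"name": "elementor", "status": "active", "update": "available", "version": "3.30.2"},
    {"name": "forminator", "status": "active", "update": "none", "version": "1.45.1"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])
SAMPLE_THEMES = json.dumps([{"name": "alone", "status": "active", "update": "available", "version": "7.8.4"}])
```

Feed `audit()` the real wp-cli output for a site and each returned finding is a component to update before anything else.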

Community Reaction

On X, conversations exploded around the sheer volume of high-severity issues. @TweetThreatNews said, “From Australia to Europe, we’re tracking active WP exploits linked to Chinese APT groups. Not just script kiddies.”

As one developer, @goodwebsitesnz, put it: “Running WordPress in 2025 without a security firewall is like driving without brakes.”

Developers and agencies alike began reevaluating their plugin stacks, some even publishing their own internal vulnerability audits for clients.

Development Bright Spots: Coding Standards and the Road to 6.9

In contrast to the ongoing security challenges, WordPress’s development community released important enhancements.

Coding Standards 3.2.0

On July 24, the WordPress Coding Standards (WPCS) 3.2.0 release delivered faster linting, improved support for deprecated functions, better heredoc/nowdoc formatting rules, and compatibility with PHP 8.4.

A developer involved in the release noted: “This iteration ensures WordPress code quality aligns with modern PHP practices while also reducing performance bottlenecks in large repositories.”

WordPress 6.9 Roadmap

Scheduled for December 2, 2025, WordPress 6.9 promises advancements in the block editor, AI-assisted tooling, and overall performance. Highlights include:

  • Block-level commenting and collaboration support
  • Support for multiple templates per slug
  • Expansion of the Command Palette for admin workflows
  • AI-ready functions using the new Abilities API

A lead contributor summarized the release vision: “6.9 is not a flashy update. It’s a foundational one. We’re laying track for what WordPress will be capable of in 2026.”

Developers are especially excited about the MCP Adapter, a new plugin acting as a standard interface between WordPress and AI tools, including large language models and automation workflows.

Admin UI Overhaul: Introducing a New Paradigm

A proposal emerged on July 26 via GitHub suggesting a comprehensive redesign of the WordPress admin interface. The proposed overhaul aims to shift WordPress toward a modern, component-based UI system that offers more flexibility and better user experience for site builders.

Key concepts include:

  • Materials: foundational elements like canvas and layout surfaces
  • Concepts: navigation, collections, forms, and state
  • Screens: reconfigurable templates for Pages, Posts, and Plugins sections

Some praised the vision as a long-overdue update. One user tweeted, “This is the reboot WP needed years ago. Finally a plan for real admin personalization.”

Yet others raised practical concerns. “This can’t just be a shiny toy. We need a clear migration strategy for plugins,” noted one plugin developer on the GitHub thread. Given the scale of the change, full rollout is likely a 2026+ objective.

Structural Criticisms: Is WordPress Losing Its Way?

One of the most widely read pieces in July was “The Slow Implosion of WordPress”, which argued that WordPress is becoming increasingly complex, commercialized, and detached from its open-source ethos.

“What used to be flexible and free is now trapped behind plugin paywalls,” the article claimed. “Users need to spend $500/year to get the kind of experience WordPress promised out of the box.”

The criticisms focused on the Gutenberg editing experience, Full Site Editing confusion, and Automattic’s corporate strategy. @treb0r remarked on X: “WordPress isn’t dying. It’s calcifying. Still dominant, but increasingly unapproachable.”

Some developers called for forks, while others advocated for simplifying onboarding and prioritizing backward compatibility. Yet the consensus is that, while WordPress is under pressure, it remains too valuable—and too community-driven—to simply collapse.

Leadership and Legal Drama: Mullenweg vs. WP Engine

The drama between @photomatt (Matt Mullenweg) and @wpengine continued to dominate governance conversations in July.

What started in 2024 as a disagreement over brand usage escalated into lawsuits and community-wide implications. In January 2025, Automattic reduced WordPress.org contributions and blacklisted WP Engine from key tools. In response, WP Engine filed suit, accusing Automattic of monopolizing WordPress’s ecosystem.

In July, a class-action suit was filed on behalf of affected users. According to court documents, the bans disrupted site performance, caused plugin errors, and violated antitrust expectations.

“This is bigger than one company. It’s about whether WordPress remains a neutral open platform,” said one hosting-provider CTO, speaking anonymously. Meanwhile, community voices like @JakeTtheWizard questioned whether Mullenweg’s dual role as CEO of Automattic and WordPress project lead is sustainable.

While some bans were lifted in April, the trust damage remains. Contributors are increasingly calling for a more distributed governance structure to ensure neutrality.

July by the Numbers

  • 37 new plugin and theme vulnerabilities
  • 160,000+ sites still running vulnerable versions of Post SMTP
  • 120,900+ blocked attacks on the Alone Theme RCE flaw
  • 10+ new plugins released or updated with AI features
  • 1 major class-action lawsuit filed

Looking Ahead

WordPress in July 2025 was a microcosm of the platform’s complex reality: aging architecture but forward momentum; open-source values but corporate pressure; a thriving ecosystem but increasingly sophisticated threats.

The rest of 2025 promises critical developments:

  • The release of WordPress 6.9 in December
  • Admin interface prototyping and testing
  • Final outcomes of WP Engine vs. Automattic lawsuits
  • Growing influence of AI in content and site management

For now, the takeaway is clear: WordPress is evolving, but that evolution demands transparency, vigilance, and above all, community.

Stay updated with @sucurisecurity, @wordfence, and the development blog at make.wordpress.org.

What’s your take? Will WordPress overcome its challenges or fracture under pressure? Let us know in the comments.
