Welcome to the July mid-month edition of our WordPress Weekly News Digest, where we cover critical updates, plugin vulnerabilities, ecosystem news, and security advisories that matter to developers, site owners, and WordPress professionals. This edition is rich with must-know insights, from the release of WordPress 6.8.2 to alarming security breaches, emerging CVEs, and product launches shaping the future of the ecosystem.
WordPress & WooCommerce Releases
WordPress 6.8.2 Now Available
The WordPress team officially announced the release of WordPress 6.8.2, a maintenance update addressing 20 core issues and 15 block editor bugs. While not a security release, users are encouraged to upgrade for better stability and compatibility. You can read the full changelog here.
WooCommerce 10.0 Released
If you run an online store, WooCommerce 10.0 is now out with a performance-boosted engine, refined compatibility for PHP 8.3, and improvements for the WooCommerce block experience. WPExperts.io shared details on its feature-rich rollout.
Plugin Vulnerabilities & CVEs
Gravity Forms Plugin Compromised
The biggest security shocker came from a supply-chain attack involving the widely used Gravity Forms plugin. SecurityWeek and TheCyberSecHub confirmed that attackers compromised the plugin to distribute backdoored versions, impacting thousands of websites. This compromise marks one of the most dangerous plugin supply-chain incidents since 2023.
Additional coverage by Heise Online and Michael Sieg supports concerns of widespread infection. Immediate audits and clean reinstalls are strongly advised.
SureForms Arbitrary File Deletion (CVE-2025-6691)
Wordfence revealed an unauthenticated file deletion vulnerability in the SureForms plugin, which puts over 200,000 WordPress sites at risk. The flaw, CVE-2025-6691, allows attackers to remove critical files remotely.
Simple File List Plugin RCE (CVE-2025-34085)
A high-severity Remote Code Execution (RCE) vulnerability targeting the Simple File List plugin was disclosed by researcher @wtf_brut. The multi-target PoC automates exploit attempts across multiple domains.
JobWP SQL Injection (CVE-2025-2010)
A critical SQL Injection vulnerability in JobWP <= 2.3.9 has been flagged as CVE-2025-2010. Plugin users should patch immediately.
Ads Pro Plugin LFI (CVE-2025-4380)
Also reported by @pdnuclei_bot, the Ads Pro Plugin was found vulnerable to Local File Inclusion, exposing sensitive internal data on affected sites.
HT Contact Form File Upload Vulnerabilities
Multiple vulnerabilities were reported in the HT Contact Form plugin, including CVE-2025-7340 allowing arbitrary file uploads. Netlas.io confirmed additional CVEs with ratings reaching 9.8.
Additional CVEs in Themes
Two popular WordPress themes were found with improper input handling:
These issues may allow malicious code execution or unauthorized data access.
Vulnerable Malware Scanner Plugin
Ironically, a plugin meant to scan for malware was itself vulnerable. Search Engine Journal confirmed this breach, highlighting the risk of trusting under-reviewed security tools.
Security Ecosystem Updates
Wordfence Launches Vulnerability Management Portal
Wordfence announced a powerful new portal designed to assist over 130 plugin developers with responsible vulnerability disclosure and patching. This centralized tool is expected to streamline communication between researchers and vendors. Read the launch post.
SolidWP Reports 258 Vulnerabilities in July
SolidWP released two security reports this week:
- July 9 Report: 149 plugin and theme flaws.
- July 16 Report: 109 vulnerabilities.
Malicious Theme Redirects via Footer.php
Sucuri discovered threat actors injecting malicious redirects into the footer.php of WordPress themes, hijacking traffic to scam sites. Learn more here.
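As an added, defender-side example (not Sucuri's tooling and not part of this digest), here is a small Python heuristic scanner that flags redirect-style code inside theme footer.php files; the pattern list and the sample footer are assumptions constructed for illustration, not real signatures or real malware.

```python
import re
from pathlib import Path

# Heuristic indicators of an injected redirect (assumption: illustrative list).
SUSPICIOUS = [
    (r"window\.(top\.)?location(\.href)?\s*=", "javascript redirect"),
    (r"header\(\s*['\"]Location:", "php header redirect"),
    (r"<meta[^>]+http-equiv=['\"]refresh", "meta refresh"),
    (r"base64_decode\s*\(", "base64_decode()"),
    (r"\batob\s*\(", "atob() decoding"),
    (r"\beval\s*\(", "eval()"),
]


def scan_text(text, name="footer.php"):
    """Return (file, line number, label, snippet) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((name, lineno, label, line.strip()[:80]))
    return findings


def scan_themes(themes_dir):
    """Scan every <theme>/footer.php below wp-content/themes."""
    findings = []
    for footer in Path(themes_dir).glob("*/footer.php"):
        findings.extend(scan_text(footer.read_text(errors="replace"), str(footer)))
    return findings


# Constructed sample: a footer with a referrer-gated, base64-hidden redirect.
SAMPLE_INFECTED = """<?php wp_footer(); ?>
<script>
if (document.referrer.match(/google|bing/)) {
  window.top.location = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");
}
</script>
</body></html>
"""
SAMPLE_CLEAN = "<?php wp_footer(); ?>\n</body></html>\n"

if __name__ == "__main__":
    for hit in scan_themes("wp-content/themes"):
        print("%s:%d [%s] %s" % hit)
```

Run it from the WordPress root; a hit is a starting point for review (compare against a pristine copy of the theme), not proof of compromise on its own.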
Fake CAPTCHA Attacks
A malware campaign uncovered by MoeSecCom uses fake CAPTCHA popups to deliver payloads via compromised WordPress sites. It reinforces the need for advanced malware detection tools.
Platform & Developer Updates
Developer Update: July 2025
@courtneyr_dev shared July’s developer update, focusing on REST API improvements, internationalization enhancements, and block pattern support.
Fueled’s WordPress Framework
Fueled released their internal WP Framework, designed to provide a stable scaffolding foundation for custom WordPress development. Read the release.
WP User Frontend Update
weDevs added new controls in WPUF, including sorting for subscription plans and form layout improvements.
WordPress Community & Event Buzz
WordCamp US 2025 News
@pootlepress announced a WordPress portfolio workshop to be held at WordCamp US 2025. Additionally, @harsh98trivedi reminded applicants about the Kim Parsell Scholarship.
Tumblr’s Migration Delayed
The Verge revealed that Tumblr’s much-anticipated migration to WordPress and Fediverse integration is now on hold, due to technical complexity and strategic realignment.
Tips, Tools & Commentary
- Cloudways advised site owners to keep plugins updated to avoid crashes and intrusions.
- WPBeginner highlighted WordPress’s built-in privacy policy generator for PDPL compliance.
- Oliver Sild criticized the WordPress dev community for treating security as an afterthought.
- Rocket.net emphasized restricting admin access for enhanced safety.
- Security Scorecard noted continued exploitation of CVE-2016-10033 involving PHPMailer and Joomla extensions embedded in WordPress installs.
Podcasts & Outreach
- WP Content Co released a new podcast episode discussing WordPress 6.9, WooCommerce block themes, and more.
- PraxisMedHat continues using WordPress to inspire kids with science.
Final Thoughts
This week reminds us that the WordPress ecosystem—while powerful—is also a massive target. From high-severity plugin CVEs to supply chain compromises, it’s crucial to keep core, plugins, and themes up to date and practice smart security hygiene.
Let us know which stories you’d like us to explore in depth next week!
Curated by AttoWP – Your trusted WordPress partner.