Another batch of vulnerabilities impacts popular WordPress plugins, including three rated at the maximum 10/10 severity.

While fake CAPTCHA malware continues to circulate, we also explore what truly makes a WordPress site secure.

This plugin contains a top-severity (10/10) RCE vulnerability that lets attackers plant a backdoor and take full control of the site. We strongly recommend updating to the latest version.

Everest Forms Pro Plugin
RCE; 10/10; Update to v1.9.13+

Editor Comment

It’s worth taking a few minutes each week to review your sites and catch issues early, and wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

While these flaws are not rated critical, millions of sites rely on the affected plugins, making them prime targets. Updating promptly helps keep your site secure.

Amelia Plugin
IDOR; 8.8/10; Update to v2.2+

MW WP Form Plugin
Directory Traversal; 8.1/10; Update to v5.1.1+

Ultimate Member Plugin
Privilege Escalation; 8/10; Update to v2.11.3+

W3 Total Cache Plugin
Sensitive Data Exposure; 7.5/10; Update to v2.9.4+

Loco Translate Plugin
XSS; 7.1/10; Update to v2.8.3+

Gutenberg Blocks by Kadence Blocks Plugin
Broken Access Control; 7.1/10; Update to v3.6.4+

Query Monitor Plugin
XSS; 7.1/10; Update to v3.20.4+

Royal Elementor Addons Plugin
XSS; 6.5/10; Update to v1.7.1050+

ElementsKit Elementor addons Lite Plugin
XSS; 6.5/10; Update to v3.8.0+

Shortcodes Ultimate Plugin
XSS; 6.5/10; Update to v7.4.8+

ProfilePress Plugin
Content Injection; 6.5/10; Update to v4.16.12+

Ocean Extra Plugin
Broken Access Control; 5.4/10; Update to v2.5.4+

Niche plugins, major threats—don’t underestimate the risks they carry. Quick action now keeps your site secure in the long run.

Ninja Forms File Uploads Extension Plugin
Arbitrary File Upload; 10/10; Update to v3.3.27+

Contact Form by Supsystic Plugin
RCE; 10/10; Update to v1.8.0+

JS Help Desk Plugin
SQL Injection; 9.3/10; Update to v3.0.5+
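As an added example (not part of this newsletter or of the Shield plugin), here is one way to turn the tables above into a repeatable check from the command line: pipe the JSON that `wp plugin list --format=json` prints into a small script that compares each installed version against the patched version listed here. The plugin slugs in the lookup table are assumptions (WP-CLI reports the plugin directory name, not the display name used above), and the embedded plugin list is constructed sample data, so verify both against your own sites.

```python
"""Compare installed WordPress plugin versions with the patched versions above.

Usage on a real site:  wp plugin list --format=json | python3 check_plugins.py
Run with no input to see it triage the constructed sample below.
"""
import json
import re
import sys

# Minimum patched versions from this issue's advisories, keyed by plugin
# directory slug. The slugs are assumptions; confirm them against your own
# `wp plugin list` output and add the remaining plugins the same way.
MIN_SAFE = {
    "ultimate-member": "2.11.3",
    "w3-total-cache": "2.9.4",
    "loco-translate": "2.8.3",
    "kadence-blocks": "3.6.4",
    "query-monitor": "3.20.4",
    "shortcodes-ultimate": "7.4.8",
    "ocean-extra": "2.5.4",
    "mw-wp-form": "5.1.1",
}


def parse_version(text):
    """Turn '1.9.13' or 'v1.7.1050' into a tuple of ints for comparison.
    Plain string comparison would wrongly rank '2.10' below '2.9'."""
    parts = []
    for segment in text.strip().lstrip("vV").split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable(installed, min_safe):
    """True when the installed version is strictly older than the patched one.
    Tuples are zero-padded so that '2.2' and '2.2.0' compare as equal."""
    a, b = parse_version(installed), parse_version(min_safe)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(plugin_list_json, min_safe=MIN_SAFE):
    """Take the JSON from `wp plugin list --format=json` and return the plugins
    still below their patched version, active ones first."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        required = min_safe.get(plugin["name"])
        if required and is_vulnerable(plugin["version"], required):
            findings.append({
                "name": plugin["name"],
                "installed": plugin["version"],
                "required": required,
                # An inactive plugin's files still sit under wp-content/plugins
                # and may be reachable directly, so it is reported, not skipped.
                "status": plugin["status"],
                "update_available": plugin.get("update") == "available",
            })
    findings.sort(key=lambda f: f["status"] != "active")  # stable: active first
    return findings


# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_PLUGIN_LIST = """[
  {"name": "loco-translate", "status": "active", "update": "available", "version": "2.8.2"},
  {"name": "w3-total-cache", "status": "inactive", "update": "none", "version": "2.9.4"},
  {"name": "ultimate-member", "status": "active", "update": "available", "version": "2.11.2"},
  {"name": "ocean-extra", "status": "inactive", "update": "available", "version": "2.5.3"},
  {"name": "query-monitor", "status": "active", "update": "none", "version": "3.20.4"},
  {"name": "akismet", "status": "active", "update": "none", "version": "5.3"}
]"""

if __name__ == "__main__":
    raw = SAMPLE_WP_PLUGIN_LIST
    if not sys.stdin.isatty():
        raw = sys.stdin.read().strip() or raw
    for f in triage(raw):
        state = "update available" if f["update_available"] else "no update listed yet"
        print(f"{f['name']}: {f['installed']} installed, {f['required']}+ required "
              f"({f['status']}, {state})")
```

Plugins that are below the patched version but for which WordPress has not yet listed an update are the ones to watch most closely: they cannot be fixed by an auto-upgrade and need a manual decision (deactivate, remove, or restrict access) until the vendor ships the fix.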

#4 – Fake CAPTCHA Targets WordPress Sites to Spread Malware

Hacked WordPress sites are being weaponised in a campaign that uses fake CAPTCHA prompts as bait. Behind the scenes, code injected into the compromised site walks visitors through running malicious commands on their own machines, which install the Vidar infostealer.

#5 – Our blog: Demystifying WordPress security: Common myths and misconceptions

A secure WordPress site is the foundation of a trustworthy online presence. Explore how choosing the right host, managing plugins carefully, and following security best practices can help you stay protected from cyber threats.

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress