Attackers continue scanning for WordPress sites running outdated, vulnerable versions of popular plugins. Here’s what’s currently under threat and how to stay ahead of plugin exploits.
#1 – Critical Security Risks in Popular Plugin
We’ve listed this plugin first because it poses the most serious security risk right now. Prioritise updating it as soon as possible.
JetEngine Plugin
SQL Injection; 9.3/10; Update to v3.8.8.2+
Editor Comment
It’s worth taking a few minutes each week to review your sites and catch issues early. Wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Other Security Risks in Popular Plugins
These widely used plugins include several outdated versions currently being targeted by XSS attacks. Update all to the latest releases, with particular attention to the unpatched one.
Otter – Gutenberg Block Plugin
Broken Authentication; 7.5/10; Update to v3.1.5+
Check & Log Email Plugin
XSS; 7.1/10; Update to v2.0.13+
Elementor Website Builder Plugin
XSS; 6.5/10; Update to v4.0.5+
Event Tickets Plugin
Bypass Vulnerability; 6.5/10; Update to v5.27.6.1+
Custom WooCommerce Checkout Fields Editor Plugin
XSS; 6.1/10; No fix; Remove or replace.
TablePress Plugin
XSS; 6.1/10; Update to v3.0.3+
Ocean Extra Plugin
XSS; 6.1/10; Update to v2.4.4+
Shortcodes Ultimate Plugin
XSS; 6.1/10; Update to v7.3.4+
Post SMTP Plugin
XSS; 6.1/10; Update to v3.1.0+
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Plugin
XSS; 6.1/10; Update to v1.5.141+
FooGallery Plugin
XSS; 6.1/10; Update to v2.4.29+
Independent Analytics – Google Analytics Alternative for WordPress Plugin
XSS; 6.1/10; Update to v2.10.0+
Ivory Search Plugin
XSS; 6.1/10; Update to v5.5.9+
Internal Link Juicer: SEO Auto Linker for WordPress Plugin
XSS; 6.1/10; Update to v2.25.2+
WP Meta and Date Remover Plugin
XSS; 6.1/10; Update to v2.3.5+
FooBox Image Lightbox Plugin
XSS; 6.1/10; Update to v2.7.34+
Menu Image, Icons Made Easy Plugin
XSS; 6.1/10; Update to v3.13+
#3 – High Security Risks in Less Popular Plugins
Low popularity aside, these plugins are extremely risky, especially the first one, which has been patched but was removed from wp.org due to a backdoor affecting 70,000+ installations.
Quick Page/Post Redirect Plugin
Backdoor; 10/10; Removed from wp.org; Update to v5.2.4+
Order Delivery Date for WooCommerce Plugin
SQL Injection; 9.3/10; Update to v4.5.2+
Funnel Builder by FunnelKit Plugin
SQL Injection; 9.3/10; Update to v3.15.0.2+
JoomSport Plugin
SQL Injection; 9.3/10; Update to v5.7.8+
GD Rating System Plugin
SQL Injection; 9.3/10; Update to v3.7+
#4 – Our blog: Audit Your Plugins, Tighten Your Security
Smart plugin management protects both speed and security on your WordPress site. Routine reviews reveal heavy, outdated, or vulnerable plugins that need attention. Updating or removing them keeps your site responsive and harder to exploit.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress