Another week, another set of serious security risks in popular WordPress plugins and themes, including a critical Slider Revolution flaw.
Our latest blog shows where the real danger lies and how to eliminate it.
#1 – Critical Security Risks in Popular Plugin and Theme
Highly critical security risks in this plugin and theme allow attackers to upload arbitrary files, including executable backdoors. Be sure to update to the latest version if you’re affected.
Slider Revolution Plugin – Arbitrary File Upload; 9.9/10; Update to v7.0.11+
Betheme Theme – Arbitrary File Upload; 9.1/10; Update to v28.4.1+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Other Security Risks in Popular Plugins
Ongoing attacks against these plugins have left more than 65 million sites exposed. Apply patches as soon as possible.
Widget Options – Extended Plugin – Arbitrary Code Execution; 8.8/10; Update to v5.3.3+
WP-Optimize Plugin – Arbitrary File Deletion; 8.1/10; Update to v4.5.3+
Forminator Plugin – Arbitrary File Download; 7.5/10; Update to v1.52.2+
PixelYourSite PRO Plugin – SSRF; 7.2/10; Update to v12.5.0.2+
LatePoint Plugin – XSS; 7.1/10; Update to v5.5.1+
Gravity Forms Plugin – XSS; 7.1/10; Update to v2.10.1+
Royal Elementor Addons Plugin – XSS; 7.1/10; Update to v1.7.1057+
Paid Memberships Pro Plugin – Broken Access Control; 7.1/10; Update to v3.6.6+
All-in-One WP Migration Unlimited Extension Plugin – Broken Access Control; 6.5/10; Update to v2.84+
Simple Cloudflare Turnstile Plugin – Broken Authentication; 5.8/10; Update to v1.38.1+
YITH WooCommerce Wishlist Plugin – IDOR; 5.3/10; Update to v4.13.0+
Mercado Pago Payments for WooCommerce Plugin – Broken Access Control; 5.3/10; Update to v8.7.12+
Happy Addons for Elementor Plugin – Sensitive Data Exposure; 5.3/10; Update to v3.21.0+
Fluent Forms Plugin – Arbitrary File Download; 4.9/10; Update to v6.2.2+
#3 – High Security Risks in Less Popular Plugins
Not widely known by name, but affecting over 250,000 sites, these plugins carry high-severity flaws that are under active attack. Take action to stay secure.
User Registration Advanced Fields Plugin – Arbitrary File Upload; 10/10; Update to v1.6.21+
Profile Builder Pro Plugin – Deserialization of Untrusted Data; 9.8/10; Update to v3.14.6+
Temporary Login Plugin – Other Vulnerability Type; 9.8/10; Update to v1.1.0+
GeekyBot Plugin – Broken Access Control; 9.8/10; Update to v1.2.3+
ARMember Plugin – SQL Injection; 9.3/10; Removed from wp.org; no fix available; remove or replace the plugin
BetterDocs Pro Plugin – SQL Injection; 9.3/10; Update to v3.7.1+
Form Maker by 10Web Plugin – SQL Injection; 9.3/10; Update to v1.15.43+
WP Data Access Plugin – SQL Injection; 9.3/10; Update to v5.5.71+
wpForo Forum Plugin – SQL Injection; 9.3/10; Update to v3.0.5+
WeePie Cookie Allow Plugin – SQL Injection; 9.3/10; Update to v3.4.12+
AWP Classifieds Plugin – SQL Injection; 9.3/10; Update to v4.4.6.1+
#4 – Our blog: Identify and Close WordPress Security Gaps
Security risks in WordPress mostly come from plugins and themes, not the core system. Yet typical protections target the platform itself rather than this weakest link, which leaves many sites exposed despite appearing secure.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress