This edition is a wake-up call. Burst Statistics, OttoKit, MonsterInsights, ManageWP Worker, The7 and more are carrying active WordPress vulnerabilities right now. We also break down what WordPress security hardening really costs.
Stay patched. Stay sharp.
#1 – Critical Security Risks in Popular Plugins
Two plugins. Two critical flaws. One could hand over full admin access to a stranger.
Plugin; Vulnerability; Severity; Fix
Burst Statistics Plugin; Broken Authentication; 9.8/10; Update to v3.4.2+
OttoKit Plugin; SQL Injection; 9.3/10; Update to v1.1.23+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, to use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Other Security Risks in Popular Plugins and Themes
Familiar names. Recurring vulnerabilities. Time to update.
Plugin / Theme; Vulnerability; Severity; Fix
AI Engine Plugin; Privilege Escalation; 8.8/10; Update to v3.5.0+
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Plugin; SQL Injection; 8.5/10; Update to v2.0.8+
FluentForm Plugin; IDOR; 8.2/10; Update to v6.2.1+
Google Analytics by Monster Insights Plugin; Broken Access Control; 7.1/10; Update to v10.1.3+
ManageWP Worker Plugin; XSS; 7.1/10; Update to v4.9.32+
Custom Twitter Feeds (Tweets Widget) Plugin; XSS; 7.1/10; Update to v2.5.5+
Essential Addons for Elementor Plugin; Privilege Escalation; 6.5/10; Update to v6.6.0+
The Plus Addons for Elementor Page Builder Lite Plugin; XSS; 6.5/10; Update to v6.4.12+
Royal Elementor Addons Plugin; XSS; 6.5/10; Update to v1.7.1059+
Advanced Custom Fields: Font Awesome Field Plugin; XSS; 6.5/10; Update to v6.0.0+
ACF Extended Plugin; Content Injection; 6.5/10; Update to v0.9.2.4+
The7 Theme; XSS; 6.5/10; Update to v14.3.3+
Envira Photo Gallery Plugin; XSS; 5.9/10; Update to v1.12.4+
MW WP Form Plugin; Sensitive Data Exposure; 5.3/10; Update to v5.1.3+
Tutor LMS Plugin; IDOR; 5.3/10; Update to v3.9.10+
Hustle Plugin; Broken Access Control; 5.3/10; Update to v7.8.10.2+
LearnPress Plugin; Other Vulnerability Type; 4.3/10; Update to v4.3.6+
#3 – High Security Risks in Less Popular Plugins
Never heard of them? Attackers have. Same rules apply.
Plugin; Vulnerability; Severity; Fix
InfusedWoo Pro Plugin; Broken Access Control; 9.8/10; Update to v5.1.3+
Fusion Builder Plugin; SQL Injection; 9.3/10; Update to v3.15.2+
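A quick way to turn the three tables above into the weekly site review the editor recommends is to compare what is installed against the first patched version of each listed plugin. The script below is an added example and is not Shield Security's or ShieldPRO's code. It assumes the JSON produced by WP-CLI's `wp plugin list --fields=title,version --format=json`; the sample input is constructed for the demo, the display titles used for matching are assumptions (WP-CLI's `title` field is the plugin's display name, and a real site might word it differently), and the version comparison is a plain numeric dotted-version compare.

```python
"""Flag installed WordPress plugins that are still below the patched
versions listed in this edition. Added example, not ShieldPRO's code.

Input: JSON from `wp plugin list --fields=title,version --format=json`
(the SAMPLE below is constructed, not taken from a real site).
"""
import json
import re

# First patched version per advisory above (display name -> version).
# Names are the newsletter's, with the "Plugin"/"Theme" suffix dropped.
FIXED_VERSIONS = {
    "Burst Statistics": "3.4.2",
    "OttoKit": "1.1.23",
    "AI Engine": "3.5.0",
    "Unlimited Elements For Elementor": "2.0.8",
    "FluentForm": "6.2.1",
    "Google Analytics by Monster Insights": "10.1.3",
    "ManageWP Worker": "4.9.32",
    "Custom Twitter Feeds": "2.5.5",
    "Essential Addons for Elementor": "6.6.0",
    "The Plus Addons for Elementor Page Builder Lite": "6.4.12",
    "Royal Elementor Addons": "1.7.1059",
    "Advanced Custom Fields: Font Awesome Field": "6.0.0",
    "ACF Extended": "0.9.2.4",
    "The7": "14.3.3",
    "Envira Photo Gallery": "1.12.4",
    "MW WP Form": "5.1.3",
    "Tutor LMS": "3.9.10",
    "Hustle": "7.8.10.2",
    "LearnPress": "4.3.6",
    "InfusedWoo Pro": "5.1.3",
    "Fusion Builder": "3.15.2",
}

# Constructed WP-CLI output for the demo; titles here are assumptions.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"title": "Burst Statistics", "version": "3.4.1"},   # below 3.4.2 -> flag
    {"title": "OttoKit", "version": "1.1.23"},           # exactly patched
    {"title": "Hustle", "version": "7.8.10.1"},          # 4-part version, below fix
    {"title": "Tutor LMS", "version": "3.10.0"},         # 3.10 > 3.9, not a string compare
    {"title": "Akismet Anti-spam", "version": "5.3"},    # not in the advisories
])


def parse_version(text: str) -> tuple:
    """'v3.4.2+' -> (3, 4, 2). Non-numeric decorations are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when installed is strictly older than the first patched version.
    Shorter tuples are zero-padded so 3.4 compares equal to 3.4.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def _normalise(name: str) -> str:
    """Case/punctuation-insensitive key for matching display titles."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit(plugins_json: str) -> list:
    """Return [{'title', 'installed', 'fixed'}] for every installed plugin
    whose title matches an advisory and whose version is below the fix.
    Title matching is a heuristic (substring on normalised names); keying
    on the plugin slug would be more robust but slugs are not listed above."""
    findings = []
    for plugin in json.loads(plugins_json):
        title = plugin.get("title", "")
        installed = plugin.get("version") or "0"
        key = _normalise(title)
        for name, fixed in FIXED_VERSIONS.items():
            if _normalise(name) in key and is_vulnerable(installed, fixed):
                findings.append({"title": title, "installed": installed, "fixed": fixed})
                break
    return findings


if __name__ == "__main__":
    # Real use: wp plugin list --fields=title,version --format=json | python3 audit.py
    for f in audit(SAMPLE_WP_CLI_OUTPUT):
        print(f"UPDATE NEEDED: {f['title']} {f['installed']} -> {f['fixed']}+")
```

Tutor LMS is included in the sample specifically because a naive string comparison would rank "3.10.0" below "3.9.10"; the tuple compare gets it right. The script only reports; applying the updates (or letting ShieldPRO's auto-upgrade do so) remains a separate, deliberate step.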
#4 – Our blog: What WordPress Security Hardening Services Actually Cost
WordPress security hardening costs $120-149/yr for plugins, $150-500 one-time, or $30-150/mo managed. See real vendor prices & bundled vs separate TCO math.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress