With BookingPress Pro now flagged at a critical 10/10 severity level, other popular plugins following, and npm facing supply chain attacks, WordPress risk is rising fast.

Spot breach symptoms early and follow a clear recovery plan (see below).

This plugin currently carries a max‑severity risk that lets attackers upload arbitrary files, including backdoors. Update to the most recent version without delay.

BookingPress Appointment Booking Pro Plugin
Arbitrary File Upload; 10/10; Update to v5.7+

Editor Comment

It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

Known vulnerabilities in the following plugins are under active attack, impacting almost 2 million sites. Update now to stay ahead of these exploits.

WishList Member X Plugin
Privilege Escalation; 8.8/10; Update to v3.31.0+

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Plugin
SQL Injection; 8.5/10; Update to v2.0.9+

WooCommerce PayPal Payments Plugin
Broken Access Control; 8.2/10; Update to v4.0.2+

Kirki – Freeform Page Builder, Website Builder & Customizer Plugin
Arbitrary File Download; 7.5/10; Update to v6.0.7+

The Plus Addons for Elementor Page Builder Lite Plugin
XSS; 6.5/10; Update to v6.4.12+


Attackers are actively targeting the plugins listed below as well. They might be less popular, but the vulnerabilities they carry are extremely serious.

Piotnet Addons For Elementor Pro Plugin
Arbitrary File Upload; 10/10; No fix; remove or replace.

Fusion Builder Plugin
RCE; 10/10; Update to v3.15.3+

WP Job Portal Plugin
SQL Injection; 9.3/10; Update to v2.5.2+

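A quick way to turn the lists above into an actual check on a site is to compare what is installed against the minimum fixed versions. The script below is an added example, not Shield's code; it assumes the plugin inventory comes from wp-cli (`wp plugin list --format=json --fields=name,title,version`, piped on stdin) and matches entries by the plugin title prefix, because the slugs in the sample data are constructed and may not match the real ones. The fixed versions are the ones listed in this newsletter; Piotnet Addons For Elementor Pro has no fix, so any installed version is reported for removal.

```python
"""Flag installed WordPress plugins that sit below the fixed versions
listed in this newsletter. Reads wp-cli JSON from stdin when piped;
falls back to the constructed SAMPLE inventory when run interactively."""
import json
import re
import sys

# Title prefix -> minimum fixed version, taken from the lists above.
# None means no fix is available and the plugin should be removed/replaced.
MIN_FIXED = {
    "BookingPress Appointment Booking Pro": "5.7",
    "WishList Member X": "3.31.0",
    "Unlimited Elements For Elementor": "2.0.9",
    "WooCommerce PayPal Payments": "4.0.2",
    "Kirki": "6.0.7",
    "The Plus Addons for Elementor Page Builder Lite": "6.4.12",
    "Piotnet Addons For Elementor Pro": None,
    "Fusion Builder": "3.15.3",
    "WP Job Portal": "2.5.2",
}

# Constructed sample inventory; slugs here are placeholders, not the real ones.
SAMPLE = [
    {"name": "bookingpress-pro", "title": "BookingPress Appointment Booking Pro", "version": "5.6.2"},
    {"name": "fusion-builder", "title": "Fusion Builder", "version": "3.15.3"},
    {"name": "piotnet-addons-for-elementor-pro", "title": "Piotnet Addons For Elementor Pro", "version": "7.1.0"},
    {"name": "akismet", "title": "Akismet Anti-spam", "version": "5.3"},
]


def version_key(v):
    """Turn '6.4.12' into (6, 4, 12), padded to three parts so that
    '5.7' and '5.7.0' compare equal. A non-numeric suffix such as
    '5.7-beta' is cut off at the first non-digit."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d+)", piece)
        if not m:
            break
        parts.append(int(m.group(1)))
        if m.end() != len(piece):
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def match_title(title):
    """Map an installed plugin title to an advisory entry by prefix."""
    for prefix in MIN_FIXED:
        if title.lower().startswith(prefix.lower()):
            return prefix
    return None


def find_vulnerable(plugins):
    """Return (slug, installed_version, required_version) for each plugin
    below its fix; required_version is None when removal is the only remedy."""
    hits = []
    for p in plugins:
        key = match_title(p.get("title", ""))
        if key is None:
            continue
        required = MIN_FIXED[key]
        if required is None or version_key(p["version"]) < version_key(required):
            hits.append((p["name"], p["version"], required))
    return hits


if __name__ == "__main__":
    inventory = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for slug, installed, required in find_vulnerable(inventory):
        action = f"update to {required}+" if required else "no fix available; remove or replace"
        print(f"{slug}: installed {installed}; {action}")
```

Run it as `wp plugin list --format=json --fields=name,title,version | python check_plugins.py` on each site, or without a pipe to see it work on the sample data. Prefix matching is deliberately loose so a slightly different display title still matches; if a site runs a plugin whose title happens to start with one of these prefixes, confirm the match before acting on it.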

#4 – 300+ npm Packages Compromised in Supply Chain Attack

Over 300 npm packages, including popular libraries like TanStack, were compromised by the Shai‑Hulud malware that steals developer tokens and keys.

If you build WordPress plugins or themes with npm, a poisoned dependency can leak your credentials and let attackers push malicious code to WordPress sites.

npm has introduced staged publishing with extra review steps to make malicious releases harder.
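The practical check after an incident like this is whether any version named in the advisory is pinned in your lockfile. The script below is an added example, not from npm or Shield; it reads a `package-lock.json`, handles both the v2/v3 `packages` layout and the older v1 `dependencies` tree, and reports any package whose locked version is on a compromised list. It also lists packages whose lockfile entry carries `hasInstallScript`, since a package that runs code at install time deserves a closer look during a review. The `COMPROMISED` entries are constructed placeholders: fill them from the advisory you are acting on.

```python
"""Scan an npm package-lock.json for known-compromised package versions
and for packages that run install scripts. The compromised list below is a
constructed placeholder, not real advisory data."""
import json
import sys

# Placeholder entries (package name -> set of bad versions). Replace with
# the versions from the advisory you are responding to.
COMPROMISED = {
    "example-compromised-pkg": {"9.9.9"},
    "@example/another-pkg": {"1.2.3", "1.2.4"},
}

# Constructed sample lockfile (lockfileVersion 3 layout).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-wp-plugin", "version": "1.0.0"},
        "node_modules/example-compromised-pkg": {"version": "9.9.9", "hasInstallScript": True},
        "node_modules/left-ok": {"version": "2.0.0"},
        "node_modules/left-ok/node_modules/@example/another-pkg": {"version": "1.2.3"},
        "node_modules/safe-pkg": {"version": "1.2.3"},
    },
}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (v2/v3 lockfile keys)."""
    return path.rsplit("node_modules/", 1)[-1]


def iter_locked(lock):
    """Yield (name, version, has_install_script) for every locked package.
    v2/v3 lockfiles list everything flat under 'packages'; v1 nests them
    under 'dependencies' and carries no install-script flag."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":  # the root project itself
                continue
            yield package_name(path), meta.get("version"), bool(meta.get("hasInstallScript", False))
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version"), False
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lock(lock, compromised=COMPROMISED):
    """Return {'compromised': [(name, version)], 'install_scripts': [(name, version)]}."""
    report = {"compromised": [], "install_scripts": []}
    for name, version, has_script in iter_locked(lock):
        if version in compromised.get(name, ()):
            report["compromised"].append((name, version))
        if has_script:
            report["install_scripts"].append((name, version))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    result = scan_lock(lock)
    for name, ver in result["compromised"]:
        print(f"COMPROMISED: {name}@{ver}")
    for name, ver in result["install_scripts"]:
        print(f"install script: {name}@{ver}")
    sys.exit(1 if result["compromised"] else 0)
```

Run it as `python scan_lock.py package-lock.json` in each plugin or theme repository; a non-zero exit makes it usable as a CI gate. A hit means the compromised version was installed on that machine, so any npm tokens and other credentials present there should be treated as exposed and rotated, which is the damage this kind of malware is after.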


#5 – Our blog: WordPress Security Breach Symptoms and 5-Step Recovery

Attackers don’t usually pick individual WordPress sites; they run automated scans that hit known vulnerabilities at scale. Breaches follow predictable patterns, which makes them easier to detect, clean up, and prevent if you know what to look for. Learn how to spot compromise signs, use a clear 5‑step recovery, and relaunch safely.


Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress