Two things every WordPress site owner needs to know this week. One: ACF Extended joins a growing list of critically vulnerable plugins. Two: Shield is waving goodbye to PHP 7.4 support. Recurring risks, big names, real consequences. Ready? Let’s go.
#1 – Critical Security Risks in Popular Plugin
An alarming vulnerability in this plugin lets unauthorised users hijack admin rights and take full control. One update could make all the difference.
ACF Extended Plugin
Privilege Escalation; 9.8/10; Update to v0.9.2.6+
Editor Comment
It’s worth taking a few minutes each week to review your sites and catch issues early. Wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Other Security Risks in Popular Plugins
Millions of sites are exposed through these broken plugins, and attackers aren’t waiting around. Is yours one of them? Update now.
Photo Gallery by 10Web Plugin
SQL Injection; 8.5/10; Update to v1.8.41+
CloudSecure WP Security Plugin
Broken Authentication; 8.1/10; Update to v1.4.8+
Contact Form by WPForms Plugin
Broken Access Control; 7.5/10; Update to v1.10.0.5+
AI Engine Plugin
Privilege Escalation; 7.2/10; Update to v3.5.0+
LiteSpeed Cache Plugin
XSS; 7.1/10; Update to v7.8+
Post SMTP Plugin
XSS; 7.1/10; Update to v3.6.3+
Easy Updates Manager Plugin
XSS; 7.1/10; Update to v9.0.21+
Favicon Plugin
XSS; 7.1/10; Update to v1.3.47+
Independent Analytics – Google Analytics Alternative for WordPress Plugin
SSRF; 6.5/10; Update to v2.14.10+
a3 Lazy Load Plugin
XSS; 6.5/10; Update to v2.7.7+
Rank Math SEO Plugin
Broken Access Control; 5.3/10; Update to v1.0.271.1+
Breeze Plugin
Sensitive Data Exposure; 5.3/10; Update to v2.5.3+
PDF Embedder Plugin
Sensitive Data Exposure; 4.3/10; Update to v5.0.0+
#3 – High Security Risks in Less Popular Plugins
Don’t overlook these plugins. The risks are high and active exploitation is already underway. Update now and don’t let them catch you off guard.
QuickWebP – SEO Friendly Plugin
Arbitrary File Deletion; 9.9/10; Update to v3.2.8+
WPify Woo Czech Plugin
Arbitrary File Upload; 9.9/10; Update to v5.4.2+
Advanced Google Maps Plugin
Broken Authentication; 9.8/10; Update to v6.1.1+
Simply Schedule Appointments Plugin
SQL Injection; 9.3/10; Update to v1.6.11.9+
GEO my WordPress Plugin
SQL Injection; 9.3/10; Update to v4.5.5+
WP Travel Pro Plugin
Broken Access Control; 9.1/10; No fix; remove or replace.
#4 – Important Notice: Shield Security is Dropping PHP 7.4 Support
In Shield Security’s next major release, PHP 8.2 will be the minimum supported version. If your site is still running PHP 7.4, 8.0, or 8.1, you’ll need to upgrade before you can continue receiving Shield updates. Read on for the full picture.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress