OttoKit scored a 9.8 severity this week, topping a fresh list of WordPress plugin and theme vulnerabilities. Time to patch, and time to restrict what your connected tools can actually access.
#1 – Critical Security Risks in Popular Plugin
This plugin’s flaws let attackers run code, manipulate your database, and access restricted file paths. Update without delay.
Plugin | Vulnerability | Severity | Fix
OttoKit Plugin | PHP Object Injection | 9.8/10 | Update to v1.1.28+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Other Security Risks in Popular Plugins and Themes
These plugins and this theme are open doors. Millions of sites are already leaving them wide open. Close yours. Update now.
Plugin/Theme | Vulnerability | Severity | Fix
Blocksy Theme | Deserialisation of untrusted data | 8.8/10 | Update to v2.1.42+
LatePoint Plugin | Privilege Escalation | 7.5/10 | Update to v5.5.2+
Email Encoder Premium Plugin | XSS | 7.1/10 | Update to v0.3.12+
Email Address Encoder Plugin | XSS | 7.1/10 | Update to v1.0.25+
EmbedPress Plugin | XSS | 7.1/10 | Update to v4.5.4+
Click to Chat Plugin | XSS | 6.5/10 | Update to v4.40+
Enable Media Replace Plugin | XSS | 5.9/10 | Update to v4.1.9+
Essential Blocks for Gutenberg Plugin | SSRF | 5.5/10 | Update to v6.1.4+
Contact Form by WPForms Plugin | Other Vulnerability Type | 5.3/10 | Update to v1.10.0.5+
LearnPress Plugin | Broken Access Control | 5.3/10 | Update to v4.3.7+
Smart Slider 3 Plugin | Directory Traversal | 4.9/10 | Update to v3.5.1.37+
WPvivid Backup and Migration Plugin | Directory Traversal | 3.8/10 | Update to v0.9.129+
#3 – High Security Risks in Less Popular Plugins
These plugins are under active attack right now, and 200,000+ sites are in the crosshairs. Update if yours is one of them.
Plugin | Vulnerability | Severity | Fix
Product Slider Pro for WooCommerce Plugin | Backdoor | 10/10 | Update to v3.5.4+
WP User Manager Plugin | Arbitrary File Deletion | 9.9/10 | Update to v2.9.17+
ARMember Premium Plugin | Broken Authentication | 9.8/10 | Update to v7.3.2+
Thrive Apprentice Plugin | PHP Object Injection | 9.8/10 | Update to v10.8.10.2+
RegistrationMagic Plugin | Broken Authentication | 9.8/10 | Update to v6.0.8.7+
Integration for Contact Form 7 HubSpot Plugin | PHP Object Injection | 9.8/10 | Update to v1.3.8+
Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms Plugin | PHP Object Injection | 9.8/10 | Update to v1.1.9+
JetSearch Plugin | SQL Injection | 9.3/10 | Update to v3.5.17.1+
#4 – Our blog: Control Your App Password Permissions in WordPress
WordPress Application Passwords let external tools authenticate without using a person’s login password. What they do not do is limit what those tools can access once they’re in. Explore how to close that gap.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress