Several very popular plugins are at risk, with Jetpack impacting nearly 25M sites.

After WP.org assumed ownership of ACF, several other plugin developers have decided to mitigate this risk by running their own plugin hosting (see below).

The plugins below have known vulnerabilities and are installed on countless sites, with Jetpack affecting around 25 million and Nextend Pro leading on severity.

Update ASAP to avoid potential risks.

Jetpack
Broken Access Control; 4.3/10; Update to v13.9.1+

File Manager Pro Plugin
Arbitrary File Upload; 8.8/10; Update to v8.3.10+

Nextend Social Login Pro Plugin
Broken Authentication; 9.8/10; Update to v3.1.15+

Forminator Plugin
CSRF; 4.3/10; Update to v1.36.0+

Google Language Translator Plugin
XSS; 6.5/10; Update to v6.0.10+

Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

Although less widely used, the following plugins have highly severe vulnerabilities that are also being actively exploited.

Update now.

Simple User Registration Plugin
Broken Authentication; 9.8/10; No official fix available. Remove it for now.

Time Clock Pro Plugin
RCE; 8.3/10; Update to v1.1.5+

#3 – Developers Remove Plugins from wp.org

The fallout from the upheaval of the last few weeks continues, as several authors have now removed their plugins from the wp.org repo.

The Gravity PDF plugin is now on GravityPDF.com, BE Media has moved to GitHub, and Paid Memberships Pro will provide updates from its own server while remaining free for users.

This shows growing developer worries about the platform’s direction, and we predict this trend will continue.

#4 – Our Blog: Stop Brute Force Attacks with WordPress OTP

Protecting your WordPress site from brute force attacks is essential for security and user trust. One-Time Passwords (OTPs) add an important layer of protection, making it harder for attackers to gain access.

Thanks for reading, and have a great week!

Paul Goodchild
Shield Security for WordPress