This is a big week for vulnerabilities. Several popular form plugins are hit by quite serious vulnerabilities, and there’s a privilege escalation risk with the MainWP client plugin.
It’s hard to imagine that there’s anyone out there not affected by at least 1 vulnerability this week.
I’d also like to draw your attention to our latest ShieldPRO release, v20.1 (see more below).
#1 – Security Risks in Popular Plugins
These are widely used plugins with security threats, led by WPForms, affecting 6+ million sites.
Plugin; Vulnerability; Score; Action
Contact Form by WPForms Plugin; Broken Access Control; 8.5/10; Update to v1.9.2.2+
MainWP Child Plugin; Privilege Escalation; 8.1/10; Update to v5.3+
FooGallery Premium Plugin; Directory Traversal; 7.7/10; Update to v2.4.27+
Ninja Forms Plugin; XSS; 7.1/10; Update to v3.8.20+
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Plugin; XSS; 6.5/10; Update to v1.5.127+
Beaver Builder Plugin; XSS; 6.5/10; Update to v2.8.5.3+
ProfilePress Plugin; XSS; 5.9/10; Update to v4.15.15+
Popup Builder Plugin; XSS; 5.9/10; Update to v4.3.5+
LuckyWP Table of Contents Plugin; XSS; 5.9/10; Update to v2.1.7+
The Events Calendar Plugin; Broken Access Control; 5.3/10; Update to v6.8.2.1+
Members Plugin; Sensitive Data Exposure; 5.3/10; Update to v3.2.11+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – High Security Risks in Less Popular Plugins & Themes
These plugins and theme, despite limited use, pose extreme risks; the two most critical have no fix and have been removed from wp.org.
Plugin/Theme; Vulnerability; Score; Action
WP SuperBackup Plugin; Arbitrary File Upload; 10/10; Update to v2.4+
Opt-In Downloads Plugin; Arbitrary File Upload; 9.9/10; Removed from wp.org, no fix; remove or replace
Woffice Theme; Broken Authentication; 9.8/10; Update to v5.4.15+
Hunk Companion Plugin; Broken Access Control; 9.8/10; Update to v1.9.0+
Sign In With Google Plugin; Broken Authentication; 9.8/10; Removed from wp.org, no fix; remove or replace
Responsive Filterable Portfolio Plugin; SQL Injection; 9.3/10; Update to v1.0.9+
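As an added example for the weekly site review (this script is not part of the newsletter and is not Shield's code), here is a small Python triage routine that checks a site's installed plugin versions against this week's advisories using numeric rather than string version comparison. The advisory rows are transcribed from the lists above; the site inventory is a constructed sample, assumed to have been produced by whatever plugin listing the site owner uses.

```python
import re

# Advisory rows transcribed from the newsletter: (plugin, issue, score, fixed_in).
# fixed_in None means the plugin was removed from wp.org with no fix available.
ADVISORIES = [
    ("Contact Form by WPForms", "Broken Access Control", 8.5, "1.9.2.2"),
    ("MainWP Child", "Privilege Escalation", 8.1, "5.3"),
    ("FooGallery Premium", "Directory Traversal", 7.7, "2.4.27"),
    ("Ninja Forms", "XSS", 7.1, "3.8.20"),
    ("WP SuperBackup", "Arbitrary File Upload", 10.0, "2.4"),
    ("Opt-In Downloads", "Arbitrary File Upload", 9.9, None),
    ("Sign In With Google", "Broken Authentication", 9.8, None),
    ("Responsive Filterable Portfolio", "SQL Injection", 9.3, "1.0.9"),
]

def version_key(version):
    """Split '1.9.2.2' into (1, 9, 2, 2) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_vulnerable(installed, fixed_in):
    """True when the installed version is below the first fixed version."""
    a, b = version_key(installed), version_key(fixed_in)
    width = max(len(a), len(b))  # pad so 5.3 and 5.3.0 compare equal
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(installed_plugins):
    """Return findings for installed plugins, highest score first."""
    findings = []
    for plugin, issue, score, fixed_in in ADVISORIES:
        installed = installed_plugins.get(plugin)
        if installed is None:
            continue  # plugin not on this site
        if fixed_in is None:
            findings.append((plugin, score, issue, "no fix: remove or replace"))
        elif is_vulnerable(installed, fixed_in):
            findings.append((plugin, score, issue, f"update {installed} -> {fixed_in}+"))
    return sorted(findings, key=lambda f: -f[1])

# Constructed sample inventory (plugin title -> installed version), not a real site.
SAMPLE_SITE = {
    "Contact Form by WPForms": "1.9.10",  # above 1.9.2.2 numerically, so not affected
    "MainWP Child": "5.2.1",
    "Ninja Forms": "3.8.20",  # exactly the fixed version: not affected
    "Opt-In Downloads": "1.2",
    "WP SuperBackup": "2.3.9",
}

if __name__ == "__main__":
    for plugin, score, issue, action in triage(SAMPLE_SITE):
        print(f"{score:>4}  {plugin:<32} {issue:<24} {action}")
```

Note that a plain string comparison would wrongly flag "1.9.10" as older than "1.9.2.2"; the numeric key avoids that false positive.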
#3 – Our blog: Proven Tips Securing Your WordPress REST API
WordPress REST APIs offer powerful functionality but come with security risks. Learn advanced techniques for securing APIs with strong authentication, access control, and protection against malicious traffic and code injection.
#4 – Shield Security 20.1 Released
With this release we’ve made further UI improvements and extended the coverage of the FileLocker feature to cover your critical theme’s functions file. There’s lots more to explore, and we advise all our members to upgrade asap!
Thanks for reading, and have a great week!
Paul Goodchild
Shield Security for WordPress