It never seems to take long for Elementor or LiteSpeed, or both, to make another appearance in a ShieldNOTES edition.
This week there are also two Elementor-related plugins with vulnerabilities, and the popular User Role Editor plugin exposes sites to a CSRF vulnerability rated 9.8/10.
🎄 If you don’t hear from us beforehand, we wish all those who celebrate Christmas, a very merry Christmas holiday season, and everyone a prosperous New Year for 2025! 🎄
#1 – High Security Risks in Popular Plugin
This plugin carries a high-risk vulnerability and is installed on 700,000+ sites.
User Role Editor Plugin
CSRF; 9.8/10; Update to v4.64.4+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Lower Security Risks in Popular Plugins
These widely used plugins, installed on millions of sites, carry lower-severity vulnerabilities.
Elementor Website Builder Plugin
XSS; 6.5/10; Update to v3.25.10+
LiteSpeed Cache Plugin
XSS; 6.5/10; Update to v6.5.3+
Elementor – Header, Footer & Blocks Template Plugin
XSS; 6.5/10; Update to v1.6.47+
Download Manager Plugin
XSS; 5.9/10; Update to v3.3.03+
Element Pack Elementor Addons Plugin
Broken Access Control; 4.3/10; Update to v5.10.13+
#3 – High Security Risks in Less Popular Plugins & Themes
Despite their smaller install bases, these plugins and themes carry high-severity vulnerabilities.
WPLMS Plugin
Arbitrary File Upload; 9.9/10; Update to v1.9.9.5.3+
AdForest Theme
Broken Access Control; 9.8/10; Update to v5.1.7+
Biagiotti Membership Plugin
Privilege Escalation; 9.8/10; Update to v1.1+
VibeBP Plugin
SQL Injection; 9.3/10; Update to v1.9.9.7.7+
Traveler Theme
SQL Injection; 9.3/10; Update to v3.1.7+
Frontend Admin by DynamiApps Plugin
SQL Injection; 9.3/10; Update to v3.25.2+
Collapsing Categories Plugin
SQL Injection; 9.3/10; Update to v3.0.9+
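A weekly site review comes down to one question per plugin: is the installed version at or above the fixed version listed above? The script below is an added example and not Shield’s or any plugin author’s code. It compares installed versions against the minimum fixed versions from this edition using a pure POSIX version comparison (no reliance on GNU sort -V). The plugin directory slugs are assumptions, since the lists above give display names rather than slugs, and the installed-plugin sample at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag installed plugins that are below the fixed versions
# listed in this ShieldNOTES edition. Not Shield's own code.

# Minimum fixed versions from the lists above, as "slug min_version" lines.
# The slugs are assumptions (the newsletter lists display names, not slugs).
FIXED='user-role-editor 4.64.4
elementor 3.25.10
litespeed-cache 6.5.3
header-footer-elementor 1.6.47
download-manager 3.3.03
bdthemes-element-pack-lite 5.10.13'

# version_lt A B: succeed (exit 0) when dot-separated version A is lower than B.
# Missing trailing components count as 0, so 6.5 < 6.5.3 and 6.5.3 is not < 6.5.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"          # leading component of each
    [ "$a" = "$ah" ] && a="" || a="${a#*.}" # drop it (empty when none left)
    [ "$b" = "$bh" ] && b="" || b="${b#*.}"
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
  done
  return 1                                 # equal versions are not "lower"
}

# check_installed: read "slug version" lines on stdin; print
# "slug installed_version min_fixed_version" for each plugin still vulnerable.
# Plugins not in FIXED are ignored.
check_installed() {
  while read -r slug ver; do
    [ -z "$slug" ] && continue
    min=$(printf '%s\n' "$FIXED" | awk -v s="$slug" '$1 == s { print $2 }')
    [ -z "$min" ] && continue
    if version_lt "$ver" "$min"; then
      printf '%s %s %s\n' "$slug" "$ver" "$min"
    fi
  done
}

# Constructed sample of what "wp plugin list --fields=name,version" might
# return on a site; two of these entries are below the fixed version.
SAMPLE='user-role-editor 4.64.3
elementor 3.25.10
litespeed-cache 6.5.2
download-manager 3.3.03
some-other-plugin 1.0'

printf '%s\n' "$SAMPLE" | check_installed
# On a real site with WP-CLI available, feed the live list instead:
#   wp plugin list --fields=name,version --format=csv | tail -n +2 | tr ',' ' ' | check_installed
```

Run against the constructed sample it reports user-role-editor and litespeed-cache only; elementor and download-manager are exactly at their fixed versions and are correctly left out. Extend FIXED with the less popular entries above once you have confirmed their slugs.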
#4 – wp.org Temporarily Shuts Down Most Services
With the WordPress vs WP Engine dispute continuing to play out, Matt Mullenweg has paused several free wordpress.org services, with no end date given. WordPress itself can still be downloaded and installed during the pause.
#5 – Our blog: How to Force HTTPS on WordPress
Our beginner-friendly guide explains how HTTPS protects a WordPress site and its visitors’ data, the weaknesses it addresses, and the implementation hurdles you are likely to hit when enforcing it across a site.
Thanks for reading, and have a great week!
Paul Goodchild
Shield Security for WordPress