It’s a relatively quiet week in WordPress security, but we’ve gathered a few items together that might be worthy of your attention.

We’re also sharing one of our recent blog articles that discusses security around image and file uploads in WordPress.

Many sites rely on the plugins below, so we share this first and foremost. If you’re running these, please ensure you’re at the latest available version.

Ultimate Member Plugin
SQL Injection; 9.3/10; Update to v2.9.2+

W3 Total Cache Plugin
Sensitive Data Exposure; 8.5/10; Update to v2.8.2+

Advanced File Manager Plugin
Arbitrary File Upload; 7.5/10; Update to v5.2.14+

Gravity Forms Plugin
XSS; 7.1/10; Update to v2.9.2+

WP All Import Pro Plugin
XSS; 5.9/10; No fix; Remove or replace.

Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

Low-usage but high-risk plugins: one has been removed from wp.org with no fix.

Adifier System Plugin
Privilege Escalation; 9.8/10; Update to v3.1.8+

Quick Count Plugin
PHP Object Injection; 9.8/10; Removed from wp.org; No fix; Remove or replace.

The Ultimate WordPress Toolkit – WP Extended Plugin
SQL Injection; 9.3/10; Update to v3.0.13+


#3 – Our blog: Secure Image and File Uploads in WordPress

File uploads can be risky, as attackers often exploit unsecured upload functions, targeting the REST API media endpoint to inject malware or access sensitive data. Without proper protection, even a small backdoor can compromise your site.
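As an added illustration (not code from this newsletter or from the linked article), here is a small must-use plugin showing three of the usual hardening layers for WordPress uploads; the mu-plugins path, the MIME allow-list and the error messages are assumptions to adapt for your own site.

```php
<?php
/**
 * Added example (not from the original newsletter): a small mu-plugin that
 * tightens WordPress media uploads. Place it in wp-content/mu-plugins/
 * (assumed path). It:
 *  1. restricts allowed upload MIME types to a conservative allow-list,
 *  2. re-checks the real file content against the claimed extension before
 *     the file is written to disk, and
 *  3. refuses write requests to the REST media endpoint unless the caller
 *     holds the upload_files capability (core already checks this; this is
 *     a defence-in-depth layer that also logs nothing sensitive).
 */

// 1. Conservative allow-list of upload types (extend as your site requires).
add_filter( 'upload_mimes', function ( $mimes ) {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
        'pdf'      => 'application/pdf',
    );
} );

// 2. Reject files whose content does not match an allowed extension/MIME pair.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        // Setting 'error' makes WordPress abort the upload and show this message.
        $file['error'] = 'Upload rejected: file content does not match an allowed type.';
    }
    return $file;
} );

// 3. Block POST/PUT/PATCH to /wp/v2/media for users without upload_files.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $is_media_route = 0 === strpos( $request->get_route(), '/wp/v2/media' );
    $is_write       = in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH' ), true );
    if ( $is_media_route && $is_write && ! current_user_can( 'upload_files' ) ) {
        return new WP_Error(
            'rest_upload_forbidden',
            'You are not permitted to upload media via the REST API.',
            array( 'status' => 403 )
        );
    }
    return $result;
}, 10, 3 );
```

Test it on a staging site first: a too-strict allow-list will silently break legitimate uploads from editors and contact-form plugins.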


Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress