We bring the latest plugin security risks, including Elementor Pro and a recurring vulnerability in Ninja Forms.

Hackers are exploiting outdated WordPress versions and plugins to spread malware. Plus, catch up on the latest news from the WordPress community and learn, from our blog, how to keep your Contact Form 7 spam-free.

These are lower-severity issues, but timely updates are still key, as these plugins run on millions of sites.

Forminator Plugin
XSS; 7.1/10; Update to v1.38.3+

ElementsKit Pro Plugin
XSS; 6.5/10; Update to v3.7.9+

Ninja Forms Plugin
XSS; 6.5/10; Update to v3.8.25+

Tracking Code Manager Plugin
XSS; 6.5/10; Update to v2.4.0+

Elementor Pro Plugin
Sensitive Data Exposure; 4.3/10; Update to v3.25.11+

Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

Less popular plugins with high-severity flaws, like the ones below, can still lead to major security incidents.

ThemeREX Addons Plugin
Arbitrary File Upload; 10/10; Update to v2.34.0+

Media Manager for UserPro Plugin
Broken Access Control; 9.8/10; No fix; remove or replace.

iControlWP Plugin
PHP Object Injection; 9.8/10; Update to v4.5.2+

Eventer Plugin
SQL Injection; 9.3/10; Update to v3.9.9+

Borderless Plugin
RCE; 9.1/10; No fix; remove or replace.
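
Below is an added example of the weekly site review described above; it is not part of the newsletter or of ShieldPRO. It takes the JSON that `wp plugin list --format=json` emits and flags installed plugins that are still below the fixed versions listed in this issue (or that have no fix at all). The plugin slugs in the advisory map are assumptions and must be checked against the slug WordPress reports for each plugin; the plugin inventory fed to it here is constructed sample data.

```python
import json
import re

# Advisories from this issue. Slugs are ASSUMED: confirm them against the
# "name" field that `wp plugin list` reports on your own site.
ADVISORIES = {
    "forminator":    {"issue": "XSS", "cvss": 7.1, "fixed_in": "1.38.3"},
    "ninja-forms":   {"issue": "XSS", "cvss": 6.5, "fixed_in": "3.8.25"},
    "elementor-pro": {"issue": "Sensitive Data Exposure", "cvss": 4.3, "fixed_in": "3.25.11"},
    "trx_addons":    {"issue": "Arbitrary File Upload", "cvss": 10.0, "fixed_in": "2.34.0"},
    "borderless":    {"issue": "RCE", "cvss": 9.1, "fixed_in": None},  # no fix published
}

def version_tuple(v):
    """'3.8.25-beta1' -> (3, 8, 25). Numeric compare matters: as plain
    strings '3.8.9' sorts after '3.8.25' and would hide a vulnerable install."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_vulnerable(installed, fixed_in):
    if fixed_in is None:          # no fixed release exists: every version is affected
        return True
    a, b = version_tuple(installed), version_tuple(fixed_in)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b

def review_plugins(plugin_list_json):
    """Return one finding per installed plugin still affected, highest CVSS first."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        adv = ADVISORIES.get(plugin["name"])
        if adv and is_vulnerable(plugin["version"], adv["fixed_in"]):
            action = (f"update to {adv['fixed_in']}+" if adv["fixed_in"]
                      else "no fix available: remove or replace")
            findings.append({"plugin": plugin["name"], "installed": plugin["version"],
                             "cvss": adv["cvss"], "issue": adv["issue"], "action": action})
    return sorted(findings, key=lambda f: -f["cvss"])

# Constructed sample in the shape wp-cli emits (name, status, update, version).
SAMPLE = json.dumps([
    {"name": "forminator", "status": "active", "update": "available", "version": "1.38.2"},
    {"name": "ninja-forms", "status": "active", "update": "none", "version": "3.8.25"},
    {"name": "elementor-pro", "status": "active", "update": "available", "version": "3.25.10"},
    {"name": "borderless", "status": "inactive", "update": "none", "version": "1.5.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for f in review_plugins(SAMPLE):
        print(f"[{f['cvss']:>4}] {f['plugin']} {f['installed']}: {f['issue']} -> {f['action']}")
```

Note that an inactive plugin (borderless in the sample) is still reported: deactivated code stays on disk and is still reachable in many of these flaws, so the action is removal, not deactivation.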

#3 – Hackers Target Outdated WordPress Versions and Plugins to Spread Malware

Hackers are exploiting outdated WordPress versions and plugins to infect thousands of sites, aiming to trick visitors into downloading malware. The malware steals personal information from both Windows and Mac users. The attack, still ongoing, redirects visitors to fake Chrome update pages that prompt them to download harmful files.

#4 – WordPress Community Moves Toward Decentralization and Shared Control

A growing movement is pushing to build a parallel community to WordPress, aiming to increase stability and ensure its continued popularity. Disputes between Matt Mullenweg and WP Engine could shift control away from Automattic.

The community is also exploring decentralizing plugin and theme distribution through multiple channels to reduce Automattic’s control.

#5 – Our blog: Keep Your Contact Form 7 Spam-Free

Spam in Contact Form 7 is a constant threat that simple CAPTCHAs and honeypots can’t always stop. Modern spam tactics are more sophisticated, making single-layer defences ineffective.

Advanced anti-spam strategies with layered defences, intelligent bot detection, and adaptive automation are crucial for keeping your forms secure.

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress