Today, we cover the latest plugin security risks, including a few severe vulnerabilities in popular plugins, and recurring issues with WPForms.

Expert tips for further securing and optimizing your WordPress sites are at the end, along with a Google warning about an AI-driven Gmail phishing attack.

The plugins below pose risks to numerous sites, with Nextend Pro and WP All Export Pro leading in severity.

Nextend Social Login Pro Plugin
Broken Authentication; 9.8/10; Update to v3.1.17+

WP All Export Pro Plugin
RCE; 9.6/10; Update to v1.9.2+

WP All Import Plugin
PHP Object Injection; 7.2/10; Update to v3.8.0+

Contact Form by WPForms Plugin
XSS; 6.5/10; Update to v1.9.3.2+

Qi Addons For Elementor Plugin
XSS; 6.5/10; Update to v1.8.8+

The Plus Addons for Elementor Page Builder Lite Plugin
XSS; 6.5/10; Update to v6.2.0+

Editor Comment
It’s worth taking a few minutes each week to review your sites and catch issues early. Wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

Though less common, the plugins below have highly severe, actively exploited vulnerabilities, and some are particularly dangerous because no fix is available.

FoodBakery Plugin
Arbitrary File Upload; 10/10; No fix; Remove or replace.

WP Directorybox Manager Plugin
Broken Authentication; 9.8/10; No fix; Remove or replace.

Super Store Finder Plugin
SQL Injection; 9.3/10; Update to v7.1+

uListing Plugin
SQL Injection; 9.3/10; Update to v2.1.7+

#3 – 2.5 Billion Gmail Accounts at Risk from Advanced AI Hack

Google has issued an urgent warning to 2.5 billion Gmail users about a highly sophisticated AI-driven phishing attack designed to steal account credentials. Described by one victim as the most advanced attack ever seen, this scam combines deepfake voice technology, phishing emails, and 2FA bypass attempts. (See More Info below.)

In response, Google has suspended attacker accounts, improved AI-based threat detection, and is urging users to enable extra security features through its Advanced Protection Program.

More Info →

#4 – Our blog: Manage Plugins for Faster and Safer WordPress Sites

Each plugin impacts your site’s speed, security, and user experience, so regular management is vital for optimal performance. Regular reviews help identify and remove unnecessary plugins that could slow down your site, ensuring that each plugin adds value to your site’s ecosystem.

More Info →

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress