Security patches are required for several widely used plugins and themes with recurring vulnerabilities, including the Widget Options plugin, which has a high-severity issue and no fix yet.
Don’t miss the latest WordPress news and our X-Frame-Options guide for advanced security, from our blog archive.
#1 – Security Risks in Popular Plugins and Themes
The plugins and themes below affect millions of sites, with Widget Options leading in severity and no fix in sight.
Plugin/Theme | Vulnerability | Severity | Action
Widget Options Plugin | Arbitrary Code Execution | 9.9/10 | No fix; remove or replace
Avada Theme | RCE | 7.3/10 | Update to v7.11.14+
WP Activity Log Plugin | XSS | 7.2/10 | Update to v5.3.0+
Rank Math SEO Plugin | XSS | 6.5/10 | Update to v1.0.236+
Forminator Plugin | XSS | 5.9/10 | Update to v1.38.3+
ProfilePress Plugin | XSS | 5.9/10 | Update to v4.15.20+
Everest Forms Plugin | XSS | 5.9/10 | Update to v3.0.8.1+
Hide My WP Ghost Plugin | Bypass Vulnerability | 5.3/10 | Update to v5.4.01+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – High Security Risks in Less Popular Plugins and Themes
These plugins and this theme carry high-severity vulnerabilities and are actively targeted; one is especially risky because no fix is available.
Plugin/Theme | Vulnerability | Severity | Action
Security & Malware scan by CleanTalk Plugin | Arbitrary File Upload | 10/10 | Update to v2.150+
Brizy Plugin | Arbitrary File Upload | 9.9/10 | Update to v2.6.5+
Real Estate 7 Theme | Privilege Escalation | 9.8/10 | Update to v3.5.1+
Themes Coder Plugin | SQL Injection | 9.3/10 | Removed from wp.org; no fix; remove or replace
#3 – Community Protest Stops WordPress Trademark Bid
The WordPress Foundation’s attempt to trademark “Hosted WordPress” and “Managed WordPress” has been blocked after objections from the open-source community.
The USPTO ruled that the terms are too descriptive to be trademarks. Critics see this as a win for the ecosystem, while Automattic plans to challenge the decision.
#4 – Our blog: Set X-Frame-Options for Better WordPress Security
While HTTP headers might seem simple, they control how browsers interact with your site and shield it from threats like clickjacking. The X-Frame-Options header tells a browser whether your pages may be rendered inside a frame on another site, which is exactly the mechanism clickjacking relies on. Implementing this crucial header adds an extra layer of defense, keeping your site secure even with older themes or plugins that don’t play nicely with newer security standards.
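To make the point concrete, here is an added example of sending the header from a WordPress must-use plugin. It is not code from Shield Security or from the blog post; it assumes the file is dropped into wp-content/mu-plugins/ and that you want the public front end covered while leaving WordPress’s own oEmbed responses embeddable elsewhere.

```php
<?php
/**
 * Plugin Name: Clickjacking Headers (added example, not Shield's code)
 * Description: Sends X-Frame-Options and the equivalent CSP frame-ancestors
 *              directive on front-end responses so pages cannot be framed
 *              by other origins.
 */

// Assumption: this file lives in wp-content/mu-plugins/ so it loads on every request.
// template_redirect runs after the main query is resolved (so is_embed() is
// reliable) but before any template output, so headers can still be sent.
add_action( 'template_redirect', function () {
    // A buggy theme or plugin may already have flushed output; header() would
    // only raise a warning then, so bail out cleanly.
    if ( headers_sent() ) {
        return;
    }

    // WordPress core already sends X-Frame-Options: SAMEORIGIN for wp-admin and
    // wp-login.php via send_frame_options_header(); this covers the front end.
    // Exempt the built-in oEmbed endpoint, which is meant to be framed by other
    // sites; blocking it would silently break embeds of your own posts.
    if ( is_embed() ) {
        return;
    }

    // Legacy header: only this origin may frame the page. Use DENY instead if
    // nothing on your own site ever loads pages in an iframe.
    header( 'X-Frame-Options: SAMEORIGIN' );

    // Modern equivalent: browsers that understand CSP frame-ancestors prefer it
    // over X-Frame-Options; 'self' mirrors SAMEORIGIN, 'none' mirrors DENY.
    header( "Content-Security-Policy: frame-ancestors 'self'" );
}, 20 );
```

After enabling it, confirm the header is actually reaching browsers with `curl -sI https://example.invalid/` (placeholder host) and look for both the X-Frame-Options and Content-Security-Policy lines; a caching layer or CDN in front of WordPress may strip or override response headers, in which case the header needs to be set there instead.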
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress