While it’s a relatively calm week in WordPress security, popular plugins like Elementor and SVG Support continue to be targeted, affecting millions.

We’re also sharing one of our blog articles on best practices for balancing control and security in WordPress automatic updates.

Since millions of sites depend on these plugins, we’re highlighting them first. If you’re running any of them, please ensure you’re on the latest available version.

Ultimate Member Plugin
SQL Injection; 8.5/10; Update to v2.10.0+

Head, Footer and Post Injections Plugin
RCE; 8.0/10; Update to v3.3.1+

WPvivid Backup and Migration Plugin
Arbitrary File Upload; 7.2/10; Update to v0.9.113+

Royal Elementor Addons Plugin
XSS; 7.1/10; Update to v1.7.1008+

Elementor Website Builder Plugin
XSS; 6.5/10; Update to v3.27.5+

SVG Support Plugin
XSS; 5.9/10; Update to v2.5.11+

Editor Comment
It’s worth taking a few minutes each week to review your sites and catch issues early. Wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

Potentially 80,000 WP sites with serious SQL injection vulnerability.

Events Manager Plugin
SQL Injection; 9.3/10; Update to v6.6.4+

#3 – Our blog: Safely Disable WordPress Automatic Updates

WordPress automatic updates improve security and functionality, yet some users disable them due to compatibility concerns.

We explore the risks of turning off minor updates, their role in security patches, and best practices for balancing control and protection.

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress