This week brings another batch of WordPress plugin and theme vulnerabilities, led by a critical Local File Inclusion flaw in Hide My WP Ghost, while the DollyWay malware campaign continues to compromise thousands of sites.

Explore our blog for smarter solutions to fight spam and protect your comment forms.

This week's patched vulnerabilities span a range of popular plugins, several of them repeat entries, with Hide My WP Ghost the most critical of the set.

Hide My WP Ghost Plugin
Local File Inclusion; 9.6/10; Update to v5.4.02+

Pods Plugin
SQL Injection; 7.6/10; Update to v3.2.8.2+

Responsive Slider by MetaSlider Plugin
XSS; 6.5/10; Update to v3.95.0+

GiveWP Plugin
Broken Access Control; 6.5/10; Update to v3.22.1+

Photo Gallery by 10Web Plugin
XSS; 5.9/10; Update to v1.8.33+

FluentForm Plugin
Bypass Vulnerability; 5.3/10; Update to v6.0.0+

Custom Twitter Feeds (Tweets Widget) Plugin
CSRF; 4.3/10; Update to v2.3.0+

Editor Comment
It's worth taking a few minutes each week to review your sites and catch issues early, and, wherever possible, use ShieldPRO's auto-upgrade feature for vulnerable plugins.

The following plugins and themes carry critical vulnerabilities that are being actively exploited; one of them, File Away, has no patched release at all.

File Away Plugin
Broken Access Control; 10/10; Removed from wp.org; No fix; Remove or replace.

Age Gate Plugin
Local File Inclusion; 9.8/10; Update to v3.5.4+

Service Finder Booking Plugin
Privilege Escalation; 9.8/10; Update to v5.1+

Altair Theme
Settings Change; 9.8/10; Update to v5.2.5+

MinimogWP Theme
Local File Inclusion; 9.8/10; Update to v3.8.0+

CozyStay Theme
PHP Object Injection; 9.8/10; Update to v1.7.1+

TinySalt Theme
PHP Object Injection; 9.8/10; Update to v3.10.0+

Automation By Autonami Plugin
SQL Injection; 9.3/10; Update to v3.5.2+
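
As an added example (not Shield's own code or tooling), here is a small Python audit script that compares the plugins installed on a site against the minimum patched versions listed above, so the weekly review can be scripted rather than done by eye. It assumes you feed it the JSON output of WP-CLI's `wp plugin list --format=json` (fields `name`, `status`, `update`, `version`); the plugin slugs in the table are assumptions and should be checked against what your own site reports, and the sample input below is constructed, not taken from a real site.

```python
import json
import re

# Minimum patched versions from this week's list. Keys are plugin slugs as
# reported in the "name" field of `wp plugin list --format=json`; the slugs
# are assumptions here, verify them against your own site's output.
MIN_SAFE_VERSION = {
    "hide-my-wp": "5.4.02",
    "pods": "3.2.8.2",
    "ml-slider": "3.95.0",
    "give": "3.22.1",
    "photo-gallery": "1.8.33",
    "fluentform": "6.0.0",
    "custom-twitter-feeds": "2.3.0",
    "age-gate": "3.5.4",
    "wp-marketing-automations": "3.5.2",
}

# Plugins with no patched release: any installed version is a finding.
NO_FIX_AVAILABLE = {"file-away"}


def parse_version(version):
    """Split '5.4.02' into ((5, 4, 2), False) so versions compare numerically.
    A '-suffix' such as '6.0.0-rc1' marks a pre-release, which must be treated
    as older than the final release it precedes."""
    base, _, suffix = version.partition("-")
    numbers = tuple(int(p) for p in re.findall(r"\d+", base))
    return numbers, bool(suffix)


def is_below(installed, minimum):
    """True if `installed` is older than `minimum`. Missing components count
    as zero, so '5.1' and '5.1.0' are equal."""
    a, a_pre = parse_version(installed)
    b, b_pre = parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    if a != b:
        return a < b
    return a_pre and not b_pre


def audit(plugin_list_json):
    """Return (slug, version, status, action) for every installed plugin that
    is below its patched version or has no fix. Inactive plugins are reported
    too: their files stay on disk and reachable until they are deleted."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        version = plugin["version"]
        status = plugin.get("status", "")
        if slug in NO_FIX_AVAILABLE:
            findings.append((slug, version, status, "no fix available: remove or replace"))
        elif slug in MIN_SAFE_VERSION and is_below(version, MIN_SAFE_VERSION[slug]):
            findings.append((slug, version, status, f"update to {MIN_SAFE_VERSION[slug]}+"))
    return findings


# Constructed sample of `wp plugin list --format=json` output (not a real site).
SAMPLE = json.dumps([
    {"name": "hide-my-wp", "status": "active", "update": "available", "version": "5.4.01"},
    {"name": "pods", "status": "active", "update": "none", "version": "3.2.8.2"},
    {"name": "give", "status": "inactive", "update": "available", "version": "3.21.0"},
    {"name": "file-away", "status": "active", "update": "none", "version": "1.2"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    # In practice: wp plugin list --format=json | python3 audit.py
    for slug, version, status, action in audit(SAMPLE):
        print(f"{slug} {version} ({status}): {action}")
```

Run against the sample it flags Hide My WP Ghost, GiveWP (even though inactive) and File Away, and ignores Pods, which is already on the patched version. Update the table each week from the list above; the version comparison deliberately treats a pre-release build as older than the fixed release so that `6.0.0-rc1` does not pass as `6.0.0`.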

#3 – DollyWay Malware Strikes Thousands of WP Sites

DollyWay malware has infected more than 20,000 WordPress sites, redirecting their visitors to malicious destinations. It gains entry through known plugin and theme vulnerabilities, reinfects sites that have been cleaned, and stays hidden using obfuscated code and rogue administrator accounts, so removing the injected code alone is not enough: the entry point has to be patched and the fake admin accounts removed as well. The attackers monetise the redirected traffic through affiliate networks that pay for fraudulent clicks.

More Info →

#4 – Our blog: Keep WordPress Comment Forms Spam-Free

Spam costs businesses billions, and WordPress sites are no exception. While traditional CAPTCHA blocks bots, it often frustrates real users. Smarter alternatives offer better protection without hassle.

More Info →

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress