New WordPress vulnerabilities in plugins and themes, including persistent Elementor issues, have surfaced this week.
We also have a blog article that walks you through HSTS security for your sites.
#1 – Security Risks in Popular Plugins
With 2+ million sites affected, these plugins have security risks that should be addressed as soon as possible. The more popular a plugin is, the more likely it is to see targeted attacks.
SEO Plugin by Squirrly SEO Plugin
SQL Injection; 8.5/10; Update to v12.4.06+
The Post Grid Plugin
Local File Inclusion; 7.5/10; Update to v7.7.18+
TranslatePress Plugin
PHP Object Injection; 7.2/10; Update to v2.9.7+
ElementsKit Elementor Addons Plugin
XSS; 6.5/10; Update to v3.4.8+
Happy Addons for Elementor Plugin
XSS; 6.5/10; Update to v3.16.3+
MetForm Plugin
SSRF; 4.4/10; Update to v3.9.3+
Editor Comment
It’s worth taking a few minutes each week to review your sites and catch issues early. Wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – High Security Risks in Less Popular Plugins & Themes
Despite their average user base, these plugins and one theme have critical risks that demand swift action.
Kubio AI Page Builder Plugin
Local File Inclusion; 9.8/10; Update to v2.5.2+
User Registration Plugin
Privilege Escalation; 9.8/10; Update to v4.1.2+
Drag and Drop Multiple File Upload for Contact Form 7 Plugin
PHP Object Injection; 9.8/10; Update to v1.3.8.8+
WP Ultimate Exporter Plugin
PHP Object Injection; 9.8/10; Update to v2.14+
Rapyd Payment Extension for WooCommerce Theme
PHP Object Injection; 9.8/10; Removed from wp.org; No fix; Remove or replace.
#3 – Our blog: WordPress HSTS Security Made Easy
Enforcing HTTPS with HSTS is a strong start, but it won’t protect against malware, bots, or brute-force attacks. Your site needs a multi-layered approach to stay protected.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress