This week, Everest Forms tops the vulnerability list again. We’re taking a closer look at what needs patching, how to tighten defenses with X-XSS-Protection, and what’s ahead for WordPress developers.
#1 – Security Risks in Popular Plugins
Over 1 million sites run these plugins, and Everest Forms carries the highest risk of the group.
Plugin; Vulnerability; Severity; Action
Everest Forms Plugin; PHP Object Injection; 9.8/10; Update to v3.1.2+
SureTriggers Plugin; Bypass Vulnerability; 8.1/10; Update to v1.0.79+
Photo Gallery by 10Web Plugin; XSS; 7.1/10; Update to v1.8.35+
Royal Elementor Addons Plugin; XSS; 6.5/10; Update to v1.7.1013+
WooCommerce Multilingual & Multicurrency Plugin; Broken Access Control; 5.3/10; Update to v5.3.9+
Editor Comment
It’s worth taking a few minutes each week to review your sites so that issues are caught early, and wherever possible, use ShieldPRO’s auto-upgrade feature to move vulnerable plugins onto the fixed version as soon as it ships.
#2 – High Security Risks in Less Popular Plugins & Themes
Most of these low-usage but extremely high-risk plugins and themes remain unpatched, so action on your side is required.
Plugin/Theme; Vulnerability; Severity; Status; Action
AI Hub Theme; Arbitrary File Upload; 10/10; No fix; Remove or replace
Solace Extra Plugin; Arbitrary File Upload; 9.9/10; No fix; Remove or replace
Paid Videochat Turnkey Site Plugin; Broken Authentication; 9.8/10; Removed from wp.org, no fix; Remove or replace
Checkout Mestres WP Plugin; Privilege Escalation; 9.8/10; Removed from wp.org, no fix; Remove or replace
InstaWP Connect Plugin; Local File Inclusion; 9.8/10; Fix available; Update to v0.1.0.86+
WPJobBoard Plugin; CSRF; 9.6/10; Fix available; Update to v5.11.1+
Editor Comment
Where no fix exists, deactivating the plugin or theme is not enough: its files stay on the server and standalone PHP files in its directory may still be reachable directly, so delete it outright. Treat the two entries removed from wp.org as abandoned, and remember that auto-upgrade can only help where a patched release exists to move to.
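To turn the two lists above into a check you can run against your own installs, here is an added example written for this page; it is not Shield’s code and not part of the original newsletter. It uses the minimum fixed versions printed above (a null entry means no fix, so the plugin is flagged for removal). The installed-plugin array is a constructed sample shaped like the output of WordPress’s get_plugins(); matching on the plugin header Name is an assumption, so confirm the names against your own install before relying on it.

```php
<?php
// Added example (not from the Shield newsletter): flag installed plugins that
// fall below this week's minimum fixed versions, or that have no fix at all.
// Run stand-alone with `php check-plugins.php`, or replace the sample array
// with get_plugins() and run it inside WordPress via `wp eval-file`.

// Minimum fixed version per plugin, taken from the lists above. A null value
// means no patched release exists, so the only safe action is removal.
$advisories = [
    'Everest Forms'                            => '3.1.2',
    'SureTriggers'                             => '1.0.79',
    'Photo Gallery by 10Web'                   => '1.8.35',
    'Royal Elementor Addons'                   => '1.7.1013',
    'WooCommerce Multilingual & Multicurrency' => '5.3.9',
    'Solace Extra'                             => null,
    'Paid Videochat Turnkey Site'              => null,
    'Checkout Mestres WP'                      => null,
    'InstaWP Connect'                          => '0.1.0.86',
    'WPJobBoard'                               => '5.11.1',
];

/**
 * Decide what to do with one installed plugin.
 * Returns 'ok', 'update' (a fixed version exists and you are below it),
 * or 'remove' (vulnerable with no fix available).
 */
function assess_plugin(string $name, string $installed, array $advisories): string
{
    if (!array_key_exists($name, $advisories)) {
        return 'ok';            // not in this week's list
    }
    $fixed = $advisories[$name];
    if ($fixed === null) {
        return 'remove';        // no patched release exists
    }
    // version_compare() treats each dot-separated part numerically, so
    // 1.7.1013 is correctly newer than 1.7.999 and 0.1.0.86 is handled
    // properly; a plain string or float comparison would get these wrong.
    return version_compare($installed, $fixed, '<') ? 'update' : 'ok';
}

// Constructed sample in the shape get_plugins() returns:
// plugin file path => header fields. Inside WordPress, replace this with:
//   require_once ABSPATH . 'wp-admin/includes/plugin.php';
//   $installed = get_plugins();
// The file paths here are illustrative, not the plugins' real slugs.
$installed = [
    'everest-forms/everest-forms.php'    => ['Name' => 'Everest Forms',   'Version' => '3.1.1'],
    'instawp-connect/instawp-connect.php'=> ['Name' => 'InstaWP Connect', 'Version' => '0.1.0.86'],
    'solace-extra/solace-extra.php'      => ['Name' => 'Solace Extra',    'Version' => '1.2.0'],
    'some-other-plugin/plugin.php'       => ['Name' => 'Some Other Plugin','Version' => '2.0.0'],
];

printf("%-45s %-12s %s\n", 'Plugin', 'Installed', 'Action');
foreach ($installed as $file => $header) {
    $action = assess_plugin($header['Name'], $header['Version'], $advisories);
    printf("%-45s %-12s %s\n", $header['Name'], $header['Version'], strtoupper($action));
}
```

With the sample data this reports Everest Forms as UPDATE (3.1.1 is below 3.1.2), InstaWP Connect as OK (already on the fixed version), Solace Extra as REMOVE, and the unrelated plugin as OK. Themes such as AI Hub are not covered by get_plugins(); the same assess function can be fed from wp_get_themes(), reading each WP_Theme’s Name and Version headers.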
#3 – WPEngine DeCode 2025 Conference: Today
It’s a virtual developer conference and a chance to pick up useful tips on performance, business, eCommerce and AI innovations.
How Can I Join?
It’s free to register and you can view the schedule here.
Editor Comment
Virtual conferences aren’t to everyone’s taste, but the agenda here looks promising.
#4 – Our blog: X-XSS-Protection Guide
WordPress is a frequent target of XSS attacks, but protecting it doesn’t have to be complex. Our guide shows you step by step how to set up the X-XSS-Protection header, with a method to suit every skill level. One caveat worth knowing before you start: the header only influences older browsers, since Chromium-based browsers have removed their XSS auditor and Firefox never implemented it, so treat it as a legacy layer and pair it with a Content-Security-Policy, which is where XSS defence lives in current browsers.
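As an added example for this section (not the guide’s own code and not part of the original newsletter), here is the header being sent from WordPress itself as a must-use plugin, with a Content-Security-Policy alongside it in report-only mode. The plugin header, the policy directives and the choice of the send_headers hook are this example’s own; adjust the policy to what your theme and plugins actually load.

```php
<?php
/**
 * Plugin Name: Security Headers (added example)
 * Description: Sends X-XSS-Protection plus a report-only CSP on front-end responses.
 */
// Added example, not Shield's code. Save as wp-content/mu-plugins/security-headers.php
// and WordPress loads it automatically on every request.

add_action('send_headers', function (): void {
    if (headers_sent()) {
        return; // output already started; adding headers now would fail
    }

    // The legacy filter this guide covers. It only affects older browsers:
    // Chromium-based browsers have dropped it and Firefox never had it.
    header('X-XSS-Protection: 1; mode=block');

    // Content-Security-Policy is the control current browsers enforce.
    // Start in Report-Only mode so a policy that is too strict for your
    // theme or plugins logs violations to the browser console instead of
    // breaking the site; rename the header to Content-Security-Policy once
    // the reports are clean.
    $csp = implode('; ', [
        "default-src 'self'",
        // 'unsafe-inline' keeps WordPress core and most themes working, but it
        // also lets injected inline scripts run; tightening it with nonces or
        // hashes is the step that makes the policy block XSS for real.
        "script-src 'self' 'unsafe-inline'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ]);
    header('Content-Security-Policy-Report-Only: ' . $csp);
});
```

The send_headers action fires as WordPress sends its own front-end headers, so this runs before any theme output and needs no template changes; the same header() calls can be moved behind whichever method the guide recommends for your setup.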
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress