This week in WordPress security: the spotlight’s back on popular plugins and themes as new vulnerabilities put millions of sites at risk.
Our latest guide, featuring expert-level WPForms spam prevention strategies, is perfect for those ready to level up their defences.
#1 – High Security Risks in Popular Plugins
Given the widespread use of these plugins and the high severity of the vulnerabilities, we’re highlighting them first. If you’re using them, be sure to update to the latest version.
Ultimate Member Plugin
SQL Injection; 9.3/10; Update to v2.10.2+
Kadence WooCommerce Email Designer Plugin
Arbitrary File Upload; 9.1/10; Update to v1.5.15+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
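The weekly review above boils down to one question per plugin: is the installed version older than the first fixed version in the advisory, or is there no fixed version at all? The script below is an added example, not Shield's or WordPress's own code. The advisory rows are copied from this newsletter; the installed-plugin inventory is constructed sample data in the shape of `wp plugin list --fields=name,version --format=json`, and the plugin slugs used to match advisory names to that inventory are assumptions for illustration only.

```python
"""Compare installed plugin versions against this week's advisory list.

Added example (not Shield Security's code). ADVISORIES is taken from the
newsletter; INSTALLED_JSON and SLUGS are constructed/assumed sample data.
"""
import json
import re

# Advisory rows from the newsletter: (plugin, issue, CVSS score, fix text).
ADVISORIES = [
    ("Ultimate Member", "SQL Injection", 9.3, "Update to v2.10.2+"),
    ("Kadence WooCommerce Email Designer", "Arbitrary File Upload", 9.1,
     "Update to v1.5.15+"),
    ("Insert Headers And Footers", "CSRF", 7.5, "Update to v3.1.2+"),
    ("Smart Sections Theme Builder", "PHP Object Injection", 9.8,
     "No fix; Remove/or replace."),
    ("UrbanGo Membership", "Privilege Escalation", 9.8, "Update to v1.1+"),
]

# Constructed inventory in the shape of `wp plugin list --format=json`.
INSTALLED_JSON = """[
  {"name": "ultimate-member", "version": "2.10.1"},
  {"name": "kadence-woocommerce-email-designer", "version": "1.5.15"},
  {"name": "insert-headers-and-footers", "version": "3.0.9"},
  {"name": "smart-sections-theme-builder", "version": "2.0.0"}
]"""

# Assumed mapping from advisory display name to plugin directory slug.
SLUGS = {
    "Ultimate Member": "ultimate-member",
    "Kadence WooCommerce Email Designer": "kadence-woocommerce-email-designer",
    "Insert Headers And Footers": "insert-headers-and-footers",
    "Smart Sections Theme Builder": "smart-sections-theme-builder",
    "UrbanGo Membership": "urbango-membership",
}


def parse_version(text):
    """'v2.10.2+' or '2.10.1' -> (2, 10, 2); non-numeric parts are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def fixed_version(fix_text):
    """Extract the first fixed version from 'Update to vX.Y.Z+'.

    Returns None when the advisory offers no fix (e.g. 'No fix; remove').
    """
    match = re.search(r"v(\d+(?:\.\d+)*)\+", fix_text)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(installed, fixed):
    """True when installed < fixed, or when no fixed version exists."""
    if fixed is None:
        return True
    # Pad so that (1, 1) and (1, 1, 0) compare as equal versions.
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(fixed)


def audit(installed_json, advisories=ADVISORIES, slugs=SLUGS):
    """Return advisory hits for installed plugins, highest CVSS first."""
    installed = {p["name"]: p["version"] for p in json.loads(installed_json)}
    findings = []
    for name, issue, score, fix in advisories:
        slug = slugs.get(name)
        if slug not in installed:
            continue  # plugin not present on this site
        fixed = fixed_version(fix)
        if is_vulnerable(parse_version(installed[slug]), fixed):
            findings.append({
                "slug": slug,
                "issue": issue,
                "cvss": score,
                "installed": installed[slug],
                "action": fix,
            })
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    for f in audit(INSTALLED_JSON):
        print(f"[{f['cvss']}] {f['slug']} {f['installed']}: "
              f"{f['issue']} -> {f['action']}")
```

On a real site, replace INSTALLED_JSON with the output of `wp plugin list --fields=name,version --format=json` and extend SLUGS with the slugs of the plugins you actually run; an entry whose advisory carries no fixed version is always reported, since the only remediation is removal.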
#2 – Lower Security Risks in Popular Plugins and Themes
Despite lower severity, these plugins and themes power millions of sites and pose risks that need attention. Popularity increases the likelihood of targeted attacks.
Insert Headers And Footers Plugin
CSRF; 7.5/10; Update to v3.1.2+
Download Manager Plugin
XSS; 6.8/10; Update to v3.3.13+
Essential Addons for Elementor Plugin
XSS; 6.5/10; Update to v6.1.10+
Ocean Extra Plugin
Content Injection; 6.5/10; Update to v2.4.7+
FluentForm Plugin
XSS; 6.5/10; Update to v6.0.3+
Forminator Plugin
XSS; 6.5/10; Update to v1.42.1+
Betheme Theme
XSS; 6.5/10; Update to v28.0.4+
Password Protected Plugin
Sensitive Data Exposure; 5.3/10; Update to v2.7.8+
WP Staging Pro Plugin
Sensitive Data Exposure; 5.3/10; Update to v6.1.3+
#3 – High Security Risks in Less Popular Plugins
These plugins may have a smaller user base, but their security risks are anything but minor.
Drag and Drop Multiple File Upload for WooCommerce Plugin
Arbitrary File Deletion; 10/10; Update to v1.1.5+
Smart Sections Theme Builder – WPBakery Page Builder Addon Plugin
PHP Object Injection; 9.8/10; No fix; remove or replace.
UrbanGo Membership Plugin
Privilege Escalation; 9.8/10; Update to v1.1+
Cost Calculator Builder Plugin
SQL Injection; 9.3/10; Update to v3.2.68+
Super Store Finder Plugin
SQL Injection; 9.3/10; Update to v7.5+
#4 – Our blog: Advanced WPForms Spam Prevention Strategies
Spam bots are bypassing traditional CAPTCHA, flooding WPForms users with fake entries and missed leads. Basic spam protection often isn’t enough. Fortunately, advanced solutions can block these evolving threats.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress