WordPress sites, numbering 16+ million, face ongoing threats from vulnerable plugins, and new malware is on the rise.

Keep your site safe with this security briefing, which includes a migration checklist from our blog to help prevent data loss.

These plugins are installed on millions of sites, making them high-value targets for hackers. Small oversights today could become major issues tomorrow.

Slider Revolution Plugin
Broken Access Control; 6.5/10; Update to v6.7.38+

WPBakery Page Builder Plugin
XSS; 6.5/10; Update to v8.7+

Redirection for Contact Form 7 Plugin
XSS; 6.5/10; Update to v3.2.7+

Essential Blocks for Gutenberg Plugin
XSS; 6.5/10; Update to v5.7.2+

ShortPixel Image Optimizer Plugin
Broken Access Control; 5.4/10; Update to v6.3.5+

WPC Smart Quick View for WooCommerce Plugin
IDOR; 5.3/10; Update to v4.2.6+

Ally Plugin
CSRF; 4.3/10; Update to v3.8.1+

SureForms Plugin
Broken Access Control; 4.3/10; Update to v1.12.2+

Filebird Plugin
Broken Access Control; 4.3/10; Update to v6.5.0+

Optimole Plugin
IDOR; 4.3/10; Update to v4.1.1+

Editor Comment
It’s worth taking a few minutes each week to review your sites so you catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

These plugins and themes aren’t as widely used, but attacks on them can be devastating. Two stand out as especially high-risk because their flaws remain unpatched.

PPOM for WooCommerce Plugin
Arbitrary File Upload; 10/10; Update to v33.0.16+

Orion SMS OTP Verification Plugin
Broken Authentication; 9.8/10; Removed from wp.org; No fix; Remove or replace.

External Login Plugin
SQL Injection; 9.3/10; Removed from wp.org; No fix; Remove or replace.

XStore Theme
Local File Inclusion; 8.8/10; Update to v9.6+

Theme Editor Plugin
CSRF; 8.8/10; Update to v3.1+


#3 – WordPress Sites Exploited via EtherHiding Technique

The threat group UNC5142 is hijacking WordPress sites to distribute data-stealing malware. It uses a technique called EtherHiding, which stores malicious code on public blockchains such as the BNB Smart Chain.

A multi-stage JavaScript downloader, CLEARSHORT, is injected into core files, plugins, themes, or even the database. It connects to a smart contract that serves fake ClickFix prompts; visitors who follow these prompts may unknowingly run commands that install malware and steal sensitive or financial information.

It’s highly recommended that you regularly scan your WordPress site for unauthorised code changes, keep all plugins, themes and core files updated, and make sure your database is secure.
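One way to act on the scanning advice above is a baseline-and-compare file integrity check. The script below is an added example, not Shield’s code; it hashes every PHP/JS/HTML file under a WordPress root, stores the result as a baseline, and reports files that were added, removed or modified since. The miniature install, the appended `<script>` tag and the dropped `loader.js` in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Only files with these suffixes/names are hashed; an injected JS downloader
# shows up in PHP, JS or HTML, and .htaccess is a common tampering target.
WATCHED = {".php", ".js", ".html", ".htaccess"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every watched file under root (POSIX relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and (p.suffix in WATCHED or p.name in WATCHED)
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake install, then tamper with a
    theme file and drop an unexpected script, as an injected loader would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content/themes/demo"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        (root / "wp-includes").mkdir()
        (root / "wp-includes/functions.php").write_text("<?php // core\n")
        baseline = build_baseline(root)          # known-clean snapshot
        with (theme / "footer.php").open("a") as fh:  # simulated tampering
            fh.write("<script>/* injected loader placeholder */</script>\n")
        (theme / "loader.js").write_text("// unexpected new file\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline from a known-clean install (or right after a verified update) and store it off-host; WP-CLI’s `wp core verify-checksums` covers core files against the official checksums, but a stored baseline like this also covers plugins and themes, while the database still needs a separate check.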


#4 – Our blog: WordPress Migration Checklist to Prevent Data Loss

WordPress migration can be confusing and risky, affecting files, databases, plugins, themes, and SEO.

Our checklist provides a security-first, step-by-step guide, showing what to do when things go right and how to recover if they go wrong. It ensures every action is verified, giving you a clear, reliable path through the migration process.


Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress