Security takes center stage as recurring vulnerabilities strike popular plugins once again, including a new All In One SEO Pack risk affecting millions. Updates from the WordPress community and highlights from our blog round out this week’s coverage.
#1 – Recurring Vulnerability in Popular Plugins
These plugins are under constant attack, particularly the first two, which carry a serious risk. Make sure to review and patch them without delay to stay secure.
Blocksy Companion Plugin: Arbitrary File Upload; 9.1/10; Update to v2.1.20+
WP All Import Plugin: RCE; 9.1/10; Update to v4.0.0+
AI Engine Plugin: PHP Object Injection; 8.8/10; Update to v3.1.9+
SureForms Plugin: Broken Access Control; 5.3/10; Update to v1.13.2+
Envira Photo Gallery Plugin: Broken Access Control; 5.3/10; Update to v1.12.1+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – New Vulnerability in Popular Plugins
The following plugins have new security flaws that are being actively exploited, putting millions of sites at risk. Update immediately.
WP Migrate Lite Plugin: SSRF; 7.2/10; Update to v2.7.7+
All In One SEO Pack Plugin: Broken Access Control; 5.4/10; Update to v4.9.0+
PageLayer Plugin: IDOR; 4.3/10; Update to v2.0.6+
Modula Image Gallery Plugin: Broken Access Control; 4.3/10; Update to v2.12.29+
#3 – Less Popular Plugins with Critical Unpatched Flaws
These plugins are rarely seen, but they stand out because of especially high-risk flaws that remain unpatched. If any are in use, remove or replace them to secure your site.
Astra Security Suite Plugin: Arbitrary File Upload; 10/10; Removed from wp.org; No fix; Remove or replace.
Elastic Theme Editor Plugin: Arbitrary File Upload; 9.9/10; Removed from wp.org; No fix; Remove or replace.
Enable SVG, WebP & ICO Upload Plugin: Arbitrary File Upload; 9.1/10; No fix; Remove or replace.
#4 – WordPress 6.9 Debuts the Abilities API
Launching December 2, 2025, WordPress 6.9 adds the Abilities API, a unified, human- and machine-readable way for themes, plugins, and core to define functionality. By replacing scattered custom code with structured “abilities,” plus providing PHP registration, REST endpoints, and validation hooks, it reduces conflicts and improves stability. The system also enables more reliable AI and automation integration.
#5 – Our blog: Defending Your Site Against Bot Traffic
Many of your site’s visitors aren’t humans but automated bots running various tasks. While some bots are legitimate, others can pose serious security risks if left unchecked.
We guide you through how bots interact with your site, the dangers of malicious bots, and how to protect yourself.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress