New vulnerabilities this week range from recurring issues in popular plugins to a serious high-risk threat in ACF.
We also include a security checklist from our blog to help keep your WordPress site safe.
#1 – High Security Risks in Popular Plugins
A critical vulnerability in this plugin could allow unauthorised access to high-level privileges, potentially enabling full site compromise across 100,000+ installations.
Plugin; Vulnerability; Severity (out of 10); Fix
Advanced Custom Fields: Extended Plugin; Privilege Escalation; 9.8/10; Update to v0.9.2.2+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Lower Security Risks in Popular Plugins
Though lower in severity, these widely used plugins remain critical to track, as they affect millions of sites.
Plugin; Vulnerability; Severity (out of 10); Fix
Happy Addons for Elementor Plugin; SQL Injection; 8.5/10; Update to v3.20.6+
Beaver Builder Plugin; Arbitrary Code Execution; 7.5/10; Update to v2.9.4.2+
BuddyPress Plugin; Arbitrary Code Execution; 7.3/10; Update to v14.3.4+
Custom Fonts – Host Your Fonts Locally Plugin; Broken Access Control; 6.5/10; Update to v2.1.17+
Schema & Structured Data for WP & AMP Plugin; XSS; 6.5/10; Update to v1.54.1+
The Events Calendar Plugin; Broken Access Control; 5.4/10; Update to v6.15.13.1+
Photo Gallery by 10Web Plugin; Broken Access Control; 5.3/10; Update to v1.8.37+
Newsletter Plugin; CSRF; 4.3/10; Update to v9.1.1+
Metform Plugin; Broken Authentication; 3.7/10; Update to v4.1.1+
#3 – High Security Risks in Less Popular Plugins
These plugins may be less common but are high risk wherever they are used.
Plugin; Vulnerability; Severity (out of 10); Fix
Real Homes CRM Plugin; Arbitrary File Upload; 9.9/10; Update to v1.0.1+
LA-Studio Element Kit for Elementor Plugin; Backdoor; 9.8/10; Update to v1.6.0+
Nexter Extension Plugin; PHP Object Injection; 9.8/10; Update to v4.4.7+
Academy LMS Plugin; Privilege Escalation; 9.8/10; Update to v3.5.1+
MailerLite – WooCommerce integration Plugin; SQL Injection; 9.3/10; Update to v3.1.3+
Xpro Elementor Addons Plugin; Arbitrary File Upload; 9.1/10; Update to v1.4.20+
Nelio AB Testing Plugin; Arbitrary Code Execution; 9.1/10; Update to v8.2.0+
#4 – Our blog: WordPress Security Checklist
Keeping your website secure can seem daunting at first. To make it easier, we have put together a comprehensive checklist of what to look for when securing your WordPress website.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress