Attackers are scanning the web for WordPress sites still running old, vulnerable versions of big‑name plugins, including page builders. Here’s what’s currently under threat and how to stay ahead of these exploits and potential backdoors.
#1 – High Security Risks in Popular Plugins
These plugins are listed first as they currently pose the greatest security risk. Prioritise reviewing and updating them without delay.
GiveWP Plugin
PHP Object Injection; 10/10; Update to v3.14.2+
Custom Login Page Customizer Plugin
Privilege Escalation; 9.8/10; Update to v2.5.4+
Editor Comment
It’s worth taking a few minutes each week to review your sites so you catch issues early and, wherever possible, to use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Other Security Risks in Popular Plugins
Given how widely these plugins are used, the security risk is substantial. Make sure you have updated them to their latest available release.
Advanced Google reCAPTCHA Plugin
SQL Injection; 8.5/10; Update to v1.30+
Relevanssi Premium Plugin
SQL Injection; 8.5/10; Update to v2.29.0+
Redirection for Contact Form 7 Plugin
Arbitrary File Upload; 8.1/10; Update to v3.2.8+
FileOrganizer Plugin
Sensitive Data Exposure; 7.5/10; Update to v1.0.8+
Hide My WP Ghost Plugin
Arbitrary File Download; 7.5/10; Update to v5.4.02+
Beaver Builder Plugin (Starter Version)
Arbitrary File Upload; 7.2/10; Update to v2.9.1.1+
SureForms Plugin
XSS; 7.1/10; Update to v2.2.1+
WPBakery Page Builder Plugin
XSS; 6.5/10; Update to v7.7+
Cookie Notice & Compliance for GDPR / CCPA Plugin
XSS; 6.5/10; Update to v2.5.9+
Responsive Lightbox Plugin
XSS; 6.5/10; Update to v2.4.8+
VK All in One Expansion Unit Plugin
XSS; 6.5/10; Update to v9.112.2+
All In One SEO Pack Plugin
XSS; 6.5/10; Update to v4.6.1.1+
FluentForm Plugin
XSS; 6.5/10; Update to v5.1.20+
NextGEN Gallery Plugin
XSS; 6.5/10; Update to v3.59.12+
Ultimate Member Plugin
XSS; 6.5/10; Update to v2.11.1+
Modula Image Gallery Plugin
Broken Access Control; 6.5/10; Update to v2.13.4+
EmbedPress Plugin
XSS; 6.5/10; Update to v3.9.15+
Colibri Page Builder Plugin
XSS; 6.5/10; Update to v1.0.274+
Presto Player Plugin
XSS; 6.5/10; Update to v2.2.3+
Slider Revolution Plugin
XSS; 6.5/10; Update to v6.7.11+
Ninja Forms Plugin
XSS; 5.9/10; Update to v3.10.1+
Gutenberg Blocks with AI by Kadence WP Plugin
XSS; 5.9/10; Update to v3.2.54+
GDPR Cookie Compliance Plugin
XSS; 5.9/10; Update to v4.15.7+
Photo Gallery by 10Web Plugin
XSS; 5.9/10; Update to v1.8.31+
FooBox Image Lightbox Plugin
XSS; 5.9/10; Update to v2.7.35+
ProfilePress Plugin
XSS; 5.9/10; Update to v4.15.20+
Shortcodes Ultimate Plugin
SSRF; 5.5/10; Update to v7.4.6+
JetFormBuilder Plugin
Broken Access Control; 5.3/10; Update to v3.5.4+
Amelia Plugin
Broken Access Control; 5.3/10; Update to v2.0.0+
Paid Memberships Pro Plugin
Broken Access Control; 4.9/10; Update to v2.12.9+
Tutor LMS Plugin
Broken Access Control; 4.3/10; Update to v3.9.4+
Jetpack Boost Plugin
SSRF; 4.1/10; Update to v3.4.7+
WPvivid Backup and Migration Plugin
Broken Access Control; 2.7/10; Update to v0.9.121+
Easy WP SMTP Plugin
Sensitive Data Exposure; 2.7/10; Update to v2.3.1+
#3 – Elementor Security Risks
These Elementor vulnerabilities can allow attackers to inject malicious scripts that run when visitors load your site. Secure your environment by keeping it fully updated.
Elementor Pro Plugin
XSS; 6.5/10; Update to v3.29.1+
Essential Addons for Elementor Plugin
XSS; 6.5/10; Update to v5.9.20+
Happy Addons for Elementor Plugin
XSS; 6.5/10; Update to v3.11.0+
Royal Elementor Addons Plugin
XSS; 6.5/10; Update to v1.7.1002+
Jeg Elementor Kit Plugin
XSS; 6.5/10; Update to v2.6.5+
Unlimited Elements For Elementor Plugin
XSS; 6.5/10; Update to v1.5.113+
The Plus Addons for Elementor Page Builder Lite Plugin
XSS; 6.5/10; Update to v5.6.3+
Element Pack Addons for Elementor Plugin
XSS; 6.5/10; Update to v5.6.12+
Addon Elements for Elementor Plugin
XSS; 6.5/10; Update to v1.13.7+
#4 – Our blog: Protect Your WordPress Sites from Backdoor Threats
Backdoors are hidden entry points that let hackers keep accessing a compromised WordPress site, even after security fixes have seemingly been applied. They are often disguised inside normal files and installed through vulnerabilities in plugins, themes, or core.
Get practical steps to identify and remove backdoors, and to protect your site from future unauthorised access.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress