Popular WordPress plugins and themes are under the microscope again this week, with WP All Import reaching a high 9.1/10 risk score. As new AI guidelines reshape how contributors work, our guide helps you stay in charge of your error log files.
#1 – High Security Risks in Popular Plugin
A high-risk vulnerability in this plugin can allow arbitrary server-side code execution, potentially leading to full system compromise across 100,000+ websites. Admins are strongly advised to update to the most recent version.
WP All Import Plugin: RCE; 9.1/10; Update to v3.7.3+
Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Other Security Risks in Popular Plugins and Themes
With usage spanning roughly 13 million websites, the security risk in the plugins and theme below is significant. Updating to the latest patched release is critical to mitigate risk.
Essential Blocks for Gutenberg Plugin: Local File Inclusion; 8.1/10; Update to v4.4.3+
Post SMTP Plugin: SQL Injection; 7.6/10; Update to v2.8.7+
LatePoint Plugin: XSS; 7.1/10; Update to v5.2.6+
Yoast SEO Plugin: XSS; 6.5/10; Update to v26.9+
SEOPress Plugin: XSS; 6.5/10; Update to v7.6+
ShopLentor Plugin: XSS; 6.5/10; Update to v2.8.2+
Menu Icons by ThemeIsle Plugin: XSS; 5.9/10; Update to v0.13.21+
WebSub Plugin: XSS; 5.9/10; Update to v3.2.0+
Robin Image Optimizer Plugin: XSS; 5.9/10; Update to v2.0.3+
Relevanssi Plugin: IDOR; 5.3/10; Update to v4.22.0+
ShortPixel Image Optimizer Plugin: Arbitrary File Download; 4.9/10; Update to v6.4.3+
Code Snippets Plugin: CSRF; 4.3/10; Update to v3.9.5+
Royal Elementor Kit Theme: Broken Access Control; 4.3/10; Update to v1.0.117+
#3 – High Security Risks in Less Popular Plugins
Despite their smaller footprint, these plugins can have severe consequences in affected environments.
WPForms Google Sheet Connector Plugin: RCE; 9.9/10; Update to v4.0.2+
School Management Plugin: Arbitrary File Upload; 9.9/10; Update to v92.0.0+
Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce Plugin: Broken Access Control; 9.8/10; Update to v1.2.0+
All-in-One Video Gallery Plugin: Arbitrary File Upload; 9.1/10; Update to v4.6.4+
Demo Importer Plus Plugin: Arbitrary File Upload; 9.1/10; Update to v2.0.7+
#4 – WordPress Sets New AI Guidelines
WordPress releases AI usage guidelines for plugins, themes, docs, and media assets. The goal: transparency, accountability, and preserving the project’s open-source roots.
#5 – Our blog: How to Control and Use PHP Error Logs
Clean up your WordPress site by consolidating PHP error logs into a single, organised location. Eliminate scattered log files and make troubleshooting faster and easier.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress