Another week, another critical WordPress plugin vulnerability. WPvivid Backup and Migration has reached the highest possible 10/10 severity rating, raising serious security concerns. With threats on the rise, tracking your logged-in users in real time matters. (See more below)

The highest-risk vulnerability in this plugin could permit arbitrary file uploads, including backdoors, which could lead to full site compromise for more than 900,000 installations. Immediate updates are recommended.

WPvivid Backup and Migration Plugin
Arbitrary File Upload; 10/10; Update to v0.9.124+

Editor Comment

It’s worth taking a few minutes each week to review your sites and catch issues early. Wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

Serving around 6 million websites, the plugins below carry critical security risks. Updating to the latest patched versions is key.

SureForms Plugin
Broken Access Control; 7.5/10; Update to v2.2.2+

Converter for Media Plugin
SSRF; 7.2/10; Update to v6.5.2+

Mollie Payments for WooCommerce Plugin
XSS; 7.1/10; Update to v8.1.2+

Essential Addons for Elementor Plugin
XSS; 6.5/10; Update to v6.5.10+

Duplicate Post Plugin
XSS; 5.9/10; Update to v3.2.4+

Modula Image Gallery Plugin
Broken Access Control; 4.3/10; Update to v2.13.7+

LatePoint Plugin
CSRF; 4.3/10; Update to v5.2.6+

Quietly installed but highly dangerous, these plugins and one theme, especially the first two, which remain unpatched, could put your site at risk. Take action to stay protected.

Bravis Addons Plugin
Arbitrary File Upload; 9.9/10; No fix; Remove or replace.

WP eCommerce Plugin
PHP Object Injection; 9.8/10; Removed from wp.org; No fix; Remove or replace.

AdForest Theme
Broken Authentication; 9.8/10; Update to v6.0.13+

Download Manager Addons for Elementor Plugin
SQL Injection; 9.3/10; Update to v2.0.0+

wpForo Forum Plugin
PHP Object Injection; 8.8/10; Update to v2.4.14+

#4 – Our blog: WordPress User Sessions: Know Who’s Inside

By default, WordPress provides no way to see who is currently logged in to your site. Discover how you can finally view and control all of your users’ sessions.

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress