This week features major high-risk vulnerabilities in popular plugins and a notice of important WordPress security changes, alongside a guide to securely changing your database passwords (from our blog).

#1 – Recurring Vulnerability: LiteSpeed Cache Plugin

5+ million sites face a high risk of unauthorized access.

How will I know I’m okay?
Upgrade ASAP to v6.5.0.1+

What’s the risk?
Severity risk 9.8/10 – Broken Authentication – an attacker can access the site without permission, steal data, or take over user accounts.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#2 – Vulnerable: WP Job Portal Plugin

Another plugin with a critical unauthorised access risk.

How will I know I’m okay?
Upgrade ASAP to v2.1.7+

What’s the risk?
Severity risk 9.8/10 – Broken Access Control – unauthorised users can access sensitive data and perform higher-privilege actions.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#3 – Vulnerable: Ninja Forms Plugins

Nearly 1 million sites at risk from malicious script injection in 2 Ninja Forms plugins.

How will I know I’m okay?
Upgrade the following plugins ASAP:

Ninja Forms to v3.8.11+

Ninja Forms File Uploads Extension to v3.3.18

What’s the risk?
Severity risk 7.1/10 – XSS – allows injection of malicious scripts into the website, which visitors' browsers may then execute.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#4 – Plugins with Severe Security Risks Removed from wp.org

The plugins below carry a high-severity Privilege Escalation risk, have no official fixes, and are being actively exploited. As a preventive measure, they were removed from wp.org.

These should probably be removed/replaced:

WPCOM Member Plugin
No official fix available. Remove it for now.

ForumWP Plugin
No official fix available. Remove it for now.

Editor Comment
As a precautionary measure, take a few minutes each week to perform a review of your sites to catch issues early.

#5 – Upcoming WordPress Security Changes

Starting October 1st, 2024, WordPress will mandate that all plugin and theme authors enable 2FA and use SVN-specific passwords. This update aims to improve security across millions of sites and for developers globally. Authors are advised to store backup codes to avoid recovery issues.

Editor Comment
Activate 2FA everywhere, create unique passwords for each account, and store them securely using a Password Manager.


#6 – From Our Blog: Change DB Passwords with Security in Mind

You may need to update a password directly in the database if you lose access to your recovery email or your account has been hacked.


Thanks for reading, and have a great week!

Paul Goodchild
Shield Security for WordPress