Welcome to ShieldNOTES #100! 🎉

Triple digits, sharper insights. Inside: the plugins powering millions of sites with hidden vulnerabilities, a look behind the curtain at WordPress in your browser, and our latest SQL injection testing playbook.

Widely installed plugins with ongoing issues, including one vulnerability that is still unpatched. Address them now to cut your risk.

NextGEN Gallery Plugin
Local File Inclusion; 7.2/10; Update to v4.0.5+

Fusion Builder Plugin
XSS; 7.1/10; Update to v3.15.0+

Post SMTP Plugin
XSS; 7.1/10; Update to v3.9.0+

UpSolution Core Plugin
XSS; 7.1/10; Update to v8.42+

Autoptimize Plugin
XSS; 6.5/10; Update to v3.1.15+

WP Go Maps Plugin
XSS; 6.5/10; Update to v10.0.06+

Yoast Duplicate Post Plugin
Broken Access Control; 5.4/10; Update to v4.6+

Royal Elementor Addons Plugin
Broken Access Control; 5.3/10; Update to v1.7.1050+

Modern Events Calendar Plugin
Broken Access Control; 5.3/10; No fix; remove or replace.

Download Manager Plugin
Broken Access Control; 4.3/10; Update to v3.3.50+

Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

These high-risk plugins and themes impact 140,000+ sites. Take action now to close critical gaps.

Kali Forms Plugin
RCE; 10/10; Update to v2.4.10+

WishList Member X Plugin
Arbitrary File Upload; 9.9/10; No fix; remove or replace.

EventPrime Plugin
PHP Object Injection; 9.8/10; Update to v4.2.8.1+

Traveler Theme Plugin
PHP Object Injection; 9.8/10; Update to v3.2.8.1+

Simply Schedule Appointments Plugin
SQL Injection; 9.3/10; Update to v1.6.10.2+

Lumise Product Designer Plugin
SQL Injection; 9.3/10; Update to v2.0.9+

PublishPress Revisions Plugin
SQL Injection; 9.3/10; Update to v3.7.24+

ChatBot Plugin
SQL Injection; 9.3/10; Update to v7.8.0+


#3 – New “My WordPress” Release

WordPress has introduced “My WordPress,” a fully functional WordPress environment that runs directly in your browser, with no hosting, domain, or installation required. It’s good for safely testing plugins and settings, drafting content, and experimenting with new ideas before applying them to a live site.

More Info →

#4 – Our blog: How to Test WordPress for SQL Injection Vulnerabilities

SQL injection, or SQLi, is a vulnerability that lets attackers run their own database queries through your WordPress site. We show you how it appears in WordPress code, how to test for it, and what to do if you spot signs of an attack.

More Info →
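As an added illustration (not code from the blog post or from Shield), here is the shape SQL injection usually takes in WordPress plugin code, next to the `$wpdb->prepare()` form that closes it. The function names, the `meta_key` and `author` request parameters and the search term are assumed for the example.

```php
<?php
// Added example, not Shield's code: the same postmeta lookup written the
// unsafe way and the safe way. Function and parameter names are assumed.

// UNSAFE: the request value is spliced straight into the SQL string, so
// whatever the visitor sends becomes part of the query the database runs.
function example_unsafe_lookup() {
    global $wpdb;
    $key = $_GET['meta_key'] ?? '';   // visitor-controlled, unescaped
    $sql = "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = '$key'";
    return $wpdb->get_col( $sql );
}

// SAFE: values are bound through %s / %d placeholders, so the database
// treats them as data rather than SQL. Input is still validated first, and
// the wildcard characters of a LIKE pattern are escaped with esc_like().
function example_safe_lookup() {
    global $wpdb;
    $key    = sanitize_text_field( wp_unslash( $_GET['meta_key'] ?? '' ) );
    $author = absint( $_GET['author'] ?? 0 );   // integers go through %d
    if ( '' === $key || 0 === $author ) {
        return array();   // reject rather than query with empty input
    }
    $term = 'shield';   // assumed search term for the LIKE clause
    $sql  = $wpdb->prepare(
        "SELECT pm.post_id
           FROM {$wpdb->postmeta} pm
           JOIN {$wpdb->posts} p ON p.ID = pm.post_id
          WHERE pm.meta_key = %s
            AND p.post_author = %d
            AND pm.meta_value LIKE %s
          LIMIT %d",
        $key,
        $author,
        '%' . $wpdb->esc_like( $term ) . '%',
        50
    );
    return $wpdb->get_col( $sql );
}
```

When reviewing a plugin, the pattern to look for is any `$wpdb->query()`, `get_results()`, `get_col()` or `get_var()` call whose SQL string contains a variable that did not come out of `prepare()`.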

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress