WordPress rolled out a new security patch, but the story doesn’t end there: recurring vulnerabilities continue to affect popular plugins, including a critical flaw in MetForm Pro that has no fix yet. Monitor your site for suspicious activity (details below).

#1 – WordPress Core Vulnerability

WordPress first released update v6.9.2 to address security issues, but it caused some sites to crash (showing a white screen). A quick follow-up, v6.9.3, fixed that problem. Now a final v6.9.4 has been released because some of the security issues were still not fully fixed.

WordPress Core
XML External Entity (XXE); 6.5/10; Update to v6.9.4+

Editor Comment

It’s worth taking a few minutes each week to perform a site review to catch issues early and keep your WordPress installation updated.

The plugins below suffer from extremely severe security flaws, leaving around 1.5 million sites vulnerable. Please take action ASAP.

ExactMetrics Plugin
Privilege Escalation; 9.8/10; Update to v9.0.3+

Ally Plugin
SQL Injection; 9.3/10; Update to v4.1.0+

My Sticky Bar Plugin
SQL Injection; 9.3/10; Update to v2.8.7+

MetForm Pro Plugin
Broken Access Control; 9.1/10; No fix; Remove or replace.

Editor Comment

It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

The plugins below have known vulnerabilities affecting millions of sites, possibly including yours, and are actively being exploited. Update now to avoid unnecessary risk.

ProfilePress Plugin
IDOR; 8.1/10; Update to v4.16.12+

The Events Calendar Plugin
Arbitrary File Download; 7.5/10; Update to v6.15.17.1+

Formidable Forms Plugin
Broken Access Control; 7.5/10; Update to v6.29+

PixelYourSite PRO Plugin
XSS; 7.1/10; Update to v12.4.0.3+

Everest Forms Pro Plugin
XSS; 7.1/10; No fix; Remove or replace.

Avada Core Plugin
XSS; 6.5/10; Update to v5.15.0+

MC4WP Plugin
Broken Access Control; 6.5/10; Update to v4.12.0+

Gravity Forms Plugin
XSS; 6.5/10; Update to v2.9.29+

Social Icons Widget & Block by WPZOOM Plugin
Broken Access Control; 4.3/10; Update to v4.5.9+

Editor Comment

It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

The plugins below are also under active attack. They may be less common, but their vulnerabilities are especially critical.

Divi Booster Plugin
PHP Object Injection; 9.8/10; Update to v5.0.2+

Xagio SEO Plugin
Privilege Escalation; 9.8/10; Update to v7.1.0.31+

Simply Schedule Appointments Plugin
SQL Injection; 9.3/10; Update to v1.6.9.29+

Editor Comment

It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
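
The weekly site review recommended above can be partly automated. The script below is an added example, not Shield Security code or part of this newsletter: it takes the core and plugin versions reported by WP-CLI (`wp core version` and `wp plugin list --fields=title,version,status --format=json`) and compares them with the minimum fixed versions listed in the sections above, flagging anything older and anything with no fix at all. The whole-word keys used to match plugin titles are an assumption about how each plugin's title reads on a real site, and the sample WP-CLI output embedded in the script is constructed for illustration.

```python
"""Check a WordPress install's core and plugin versions against the minimum
fixed versions listed in this newsletter. Added example; not Shield Security
code. Input is assumed to be WP-CLI output (`wp core version` and
`wp plugin list --fields=title,version,status --format=json`); the sample
output at the bottom is constructed, not captured from a real site.
"""
import json
import re
import subprocess

CORE_FIXED = "6.9.4"

# (vulnerability class, severity, minimum fixed version or None for "no fix yet"),
# as listed in the newsletter. Each key is matched as a whole word, case-
# insensitively, against the plugin title WP-CLI reports; the keys are an
# assumption about how the titles read on a real site, so verify them locally.
ADVISORIES = {
    "ExactMetrics": ("Privilege Escalation", 9.8, "9.0.3"),
    "Ally": ("SQL Injection", 9.3, "4.1.0"),
    "My Sticky Bar": ("SQL Injection", 9.3, "2.8.7"),
    "MetForm Pro": ("Broken Access Control", 9.1, None),
    "ProfilePress": ("IDOR", 8.1, "4.16.12"),
    "The Events Calendar": ("Arbitrary File Download", 7.5, "6.15.17.1"),
    "Formidable Forms": ("Broken Access Control", 7.5, "6.29"),
    "PixelYourSite PRO": ("XSS", 7.1, "12.4.0.3"),
    "Everest Forms Pro": ("XSS", 7.1, None),
    "Avada Core": ("XSS", 6.5, "5.15.0"),
    "MC4WP": ("Broken Access Control", 6.5, "4.12.0"),
    "Gravity Forms": ("XSS", 6.5, "2.9.29"),
    "Social Icons Widget & Block by WPZOOM": ("Broken Access Control", 4.3, "4.5.9"),
    "Divi Booster": ("PHP Object Injection", 9.8, "5.0.2"),
    "Xagio SEO": ("Privilege Escalation", 9.8, "7.1.0.31"),
    "Simply Schedule Appointments": ("SQL Injection", 9.3, "1.6.9.29"),
}


def parse_version(version):
    """Split '6.15.17.1' into [6, 15, 17, 1]. Only a component's leading digits
    count, so a suffix such as '-rc1' is ignored and a pre-release compares
    equal to its base version."""
    parts = []
    for component in version.strip().split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    return parts


def is_vulnerable(installed, fixed):
    """True when installed < fixed. Shorter versions are zero-padded so that
    '6.29' == '6.29.0' and '6.15.17' < '6.15.17.1'. No fix means vulnerable."""
    if fixed is None:
        return True
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def audit(core_version, plugins):
    """Return one finding per vulnerable component, highest severity first.
    Inactive plugins are flagged as well: their files stay on disk and may
    still be reachable directly."""
    findings = []
    if is_vulnerable(core_version, CORE_FIXED):
        findings.append({"component": "WordPress Core", "installed": core_version.strip(),
                         "status": "core", "issue": "XML External Entity (XXE)",
                         "severity": 6.5, "action": f"Update to v{CORE_FIXED}+"})
    for plugin in plugins:
        for key, (issue, severity, fixed) in ADVISORIES.items():
            if not re.search(rf"\b{re.escape(key)}\b", plugin["title"], re.IGNORECASE):
                continue
            if is_vulnerable(plugin["version"], fixed):
                action = f"Update to v{fixed}+" if fixed else "No fix; remove or replace"
                findings.append({"component": plugin["title"], "installed": plugin["version"],
                                 "status": plugin["status"], "issue": issue,
                                 "severity": severity, "action": action})
    findings.sort(key=lambda f: -f["severity"])
    return findings


def audit_live_site(wp_path):
    """Run the audit against a real install via WP-CLI (needs `wp` on PATH)."""
    core = subprocess.check_output(["wp", "core", "version", f"--path={wp_path}"], text=True)
    plugins = subprocess.check_output(
        ["wp", "plugin", "list", "--fields=title,version,status", "--format=json",
         f"--path={wp_path}"], text=True)
    return audit(core, json.loads(plugins))


# Constructed sample output shaped like the two WP-CLI commands above; the
# titles and version numbers are illustrative, not taken from any real site.
SAMPLE_CORE = "6.9.3\n"
SAMPLE_PLUGINS = json.loads("""[
 {"title": "ExactMetrics - Google Analytics Dashboard", "version": "9.0.2", "status": "active"},
 {"title": "MetForm Pro", "version": "3.9.0", "status": "active"},
 {"title": "Gravity Forms", "version": "2.9.29", "status": "active"},
 {"title": "Really Useful Widgets", "version": "1.0.0", "status": "active"},
 {"title": "The Events Calendar", "version": "6.15.17", "status": "inactive"}
]""")

if __name__ == "__main__":
    for f in audit(SAMPLE_CORE, SAMPLE_PLUGINS):
        print(f"{f['severity']:>4}  {f['component']} {f['installed']} ({f['status']}): "
              f"{f['issue']} -> {f['action']}")
```

On the constructed sample, the script reports ExactMetrics (9.0.2 is below 9.0.3), MetForm Pro (no fix), The Events Calendar (6.15.17 is below 6.15.17.1, even though it is inactive) and WordPress core (6.9.3 is below 6.9.4), while Gravity Forms at exactly 2.9.29 passes and "Really Useful Widgets" is not mistaken for the Ally plugin because matching is on whole words. Point `audit_live_site()` at a real install path to run it against WP-CLI output instead of the sample.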

#5 – Our blog: Let Custom Alerts Watch Over Your Site

WordPress sites face cyber threats every day, and hackers constantly look for new ways to break security systems. Custom security alerts help protect your site by detecting suspicious activity in real time, such as unauthorised logins, file changes, or plugin issues.

More Info →

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress