This is a big week for vulnerabilities. Several popular form plugins are hit by quite serious vulnerabilities, and there’s a privilege escalation risk with the MainWP client plugin.<\/p>\n\n\n\n
It’s hard to imagine that there’s anyone out there not affected by at least 1 vulnerability this week.<\/p>\n\n\n\n
I’d also like to draw your attention to our latest ShieldPRO release, v20.1 (see more below)<\/p>\n\n\n\n
These are widely used plugins with security threats, led by WPForms, affecting 6+ million sites.<\/p>\n\n\n\n
Contact Form by WPForms Plugin<\/a><\/strong> MainWP Child Plugin<\/a><\/strong> FooGallery Premium Plugin<\/a><\/strong> Ninja Forms Plugin<\/a><\/strong> Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Plugin<\/a><\/strong> Beaver Builder Plugin<\/a><\/strong> ProfilePress Plugin<\/a><\/strong> Popup Builder Plugin<\/a><\/strong> LuckyWP Table of Contents Plugin<\/a><\/strong> The Events Calendar Plugin<\/a><\/strong> Members Plugin<\/a><\/strong> Editor Comment<\/strong> These plugins and theme, despite limited use, pose extreme risks\u20142 most critical with no-fix and removed from wp.org<\/p>\n\n\n\n WP SuperBackup Plugin<\/a><\/strong> Opt-In Downloads Plugin<\/a><\/strong> Woffice Theme<\/a><\/strong> Hunk Companion Plugin<\/a><\/strong> Sign In With Google Plugin<\/a><\/strong> Responsive Filterable Portfolio Plugin<\/a><\/strong> Editor Comment<\/strong> WordPress REST APIs offer powerful functionality but come with security risks. Learn advanced techniques for securing APIs with strong authentication, access control, and protection against malicious traffic and code injection.<\/p>\n\n\n\n More Info \u2192<\/a><\/p>\n\n\n\n
Broken Access Control; 8.5\/10; Update to v1.9.2.2+<\/p>\n\n\n\n
Privilege Escalation; 8.1\/10; Update to v5.3+<\/p>\n\n\n\n
Directory Traversal; 7.7\/10; Update to v2.4.27+<\/p>\n\n\n\n
XSS; 7.1\/10; Update to v3.8.20+<\/p>\n\n\n\n
XSS; 6.5\/10; Update to v1.5.127+<\/p>\n\n\n\n
XSS; 6.5\/10; Update to v2.8.5.3+<\/p>\n\n\n\n
XSS; 5.9\/10; Update to v4.15.15+<\/p>\n\n\n\n
XSS; 5.9\/10; Update to v4.3.5+<\/p>\n\n\n\n
XSS; 5.9\/10; Update to v2.1.7+<\/p>\n\n\n\n
Broken Access Control; 5.3\/10; Update to v6.8.2.1+<\/p>\n\n\n\n
Sensitive Data Exposure; 5.3\/10; Update to v3.2.11+<\/p>\n\n\n\n
It’s worth taking a few minutes each week to perform a sites review<\/a> to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n#2 – High Security Risks in Less Popular Plugins & Themes<\/h2>\n\n\n\n
Arbitrary File Upload; 10<\/strong>\/10; Update to v2.4+<\/p>\n\n\n\n
Arbitrary File Upload; 9.9<\/strong>\/10; Removed from wp.org; No fix; Remove\/or replace.<\/p>\n\n\n\n
Broken Authentication; 9.8<\/strong>\/10; Update to v5.4.15+<\/p>\n\n\n\n
Broken Access Control; 9.8<\/strong>\/10; Update to v1.9.0+<\/p>\n\n\n\n
Broken Authentication; 9.8<\/strong>\/10; Removed from wp.org; No fix; Remove\/or replace.<\/p>\n\n\n\n
SQL Injection; 9.3<\/strong>\/10; Update to v1.0.9+<\/p>\n\n\n\n
It’s worth taking a few minutes each week to perform a sites review<\/a> to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n#3 – Our blog: Proven Tips Securing Your WordPress REST API<\/h2>\n\n\n\n
#4 – Shield Security 20.1 Released<\/h2>\n\n\n\n