{"id":167566,"date":"2025-03-03T15:32:50","date_gmt":"2025-03-03T15:32:50","guid":{"rendered":"https:\/\/getshieldsecurity.com\/?p=167566"},"modified":"2025-03-03T15:32:51","modified_gmt":"2025-03-03T15:32:51","slug":"shieldnotes-55","status":"publish","type":"post","link":"https:\/\/getshieldsecurity.com\/blog\/shieldnotes-55\/","title":{"rendered":"Some vulnerable plugins removed from WP.org; & the ‘Security Through Obscurity’ myth"},"content":{"rendered":"\n

There’s a few ultra critical vulnerabilities this week, with some removed from the WP repo.<\/p>\n\n\n\n

You can check out the upcoming WP virtual conference and uncover the “Security Through Obscurity” myth from our blog archive.<\/p>\n\n\n\n

#1 – Security Risks in Popular Plugins & Themes<\/h2>\n\n\n\n

These high-profile plugins and theme are being targeted; 1 plugin stands out as a major risk due to missing fixes.<\/p>\n\n\n\n

SEO Plugin by Squirrly SEO<\/a><\/strong>
Broken Access Control; 7.1\/10; No fix; Remove\/or replace.<\/p>\n\n\n\n

Site Mailer Plugin<\/a><\/strong>
XSS; 7.1\/10; Update to v1.2.4+<\/p>\n\n\n\n

Chaty Plugin<\/a><\/strong>
XSS; 6.5\/10; Update to v3.3.6+<\/p>\n\n\n\n

Essential Blocks for Gutenberg Plugin<\/a><\/strong>
XSS; 6.5\/10; Update to v5.3.0+<\/p>\n\n\n\n

Enfold Theme<\/a><\/strong>
SSRF; 6.4\/10; Update to v7.0+<\/p>\n\n\n\n

NextGEN Gallery Plugin<\/a><\/strong>
XSS; 5.9\/10; Update to v3.59.9+<\/p>\n\n\n\n

Advanced Google reCAPTCHA Plugin<\/a><\/strong>
Bypass Vulnerability; 5.3\/10; Update to v1.28+<\/p>\n\n\n\n

Editor Comment<\/strong>
It’s worth taking a few minutes each week to perform a sites review<\/a> to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n

#2 – Security Risks in Less Popular Plugins & Themes<\/h2>\n\n\n\n

These less popular plugins and theme often fly under the radar, but they still pose significant security risks, particularly 2 that remained unpatched.<\/p>\n\n\n\n

WooCommerce Ultimate Gift Card Plugin<\/a><\/strong>
Arbitrary File Upload; 10<\/strong>\/10; Removed from wp.org; No fix; Remove\/or replace.<\/p>\n\n\n\n

DHVC Form Plugin<\/a><\/strong>
Privilege Escalation; 9.8<\/strong>\/10; Update to v2.4.8+<\/p>\n\n\n\n

WHMpress Plugin<\/a><\/strong>
Local File Inclusion; 9.8<\/strong>\/10; Update to v6.3+<\/p>\n\n\n\n

Academist Membership Plugin<\/a><\/strong>
Broken Authentication; 9.8<\/strong>\/10; Update to v1.2+<\/p>\n\n\n\n

Templines Elementor Helper Core Plugin<\/a><\/strong>
Privilege Escalation; 8.8\/10; Update to v2.8+<\/p>\n\n\n\n

Traveler Theme<\/a><\/strong>
Local File Inclusion; 8.8\/10; No fix; Remove\/or replace.<\/p>\n\n\n\n

Editor Comment<\/strong>
It’s worth taking a few minutes each week to perform a sites review<\/a> to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n

#3 – WP:25 Virtual Conference<\/h2>\n\n\n\n

A free online conference starting this Thursday, March 6th, will highlight why WordPress remains a leading platform in 2025, along with research updates and the key topics that enterprise brands must focus on for the year ahead.<\/p>\n\n\n\n

How can I get involved?<\/strong>
You can signup and join the LiveStreams when they’re announced.<\/p>\n\n\n\n

More Info \u2192<\/a><\/p>\n\n\n\n

#4 – Our blog: Security Through Obscurity: Does It Work?<\/h2>\n\n\n\n

We clear up common WordPress security myths often raised at Shield, focusing on the tactic known as \u201cSecurity Through Obscurity\u201d and how it\u2019s often used with WordPress.<\/p>\n\n\n\n

More Info \u2192<\/a><\/p>\n\n\n\n

Thanks for reading, and have a wonderful week!<\/p>\n\n\n\n

Paul Goodchild<\/strong>
Shield Security for WordPress<\/em><\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

There’s a few ultra critical vulnerabilities this week, with some removed from the WP repo. You can check out the upcoming WP virtual conference and uncover the “Security Through Obscurity” myth from our blog archive.<\/p>\n","protected":false},"author":27,"featured_media":163832,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[153,201],"tags":[69],"class_list":["post-167566","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-wordpress-solutions","category-shieldnotes","tag-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/167566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/comments?post=167566"}],"version-history":[{"count":4,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/167566\/revisions"}],"predecessor-version":[{"id":167570,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/167566\/revisions\/167570"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/media\/163832"}],"wp:attachment":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/media?parent=167566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/categories?post=167566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/tags?post=167566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}