{"id":170572,"date":"2025-09-29T14:35:27","date_gmt":"2025-09-29T13:35:27","guid":{"rendered":"https:\/\/getshieldsecurity.com\/?p=170572"},"modified":"2025-09-29T14:39:34","modified_gmt":"2025-09-29T13:39:34","slug":"shieldnotes-76","status":"publish","type":"post","link":"https:\/\/getshieldsecurity.com\/blog\/shieldnotes-76\/","title":{"rendered":"WordPress Core, Top Plugins &amp; New Backdoor Threats"},"content":{"rendered":"\n<p>From XSS in WordPress core and popular plugins, to the appearance of <strong>DebugMaster<\/strong> malware, this past week has been busy.<\/p>\n\n\n\n<p>Stay ahead of the threats with this roundup and additional safety guide from our blog archive.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#1 &#8211; WordPress Core Vulnerability<\/h2>\n\n\n\n<p>WordPress Core &lt;= 6.8.2 is vulnerable to XSS and Sensitive Data Exposure.<\/p>\n\n\n\n<p>No fix available yet.<\/p>\n\n\n\n<p>The WordPress Core security team is <a href=\"https:\/\/wordpress.org\/support\/topic\/wordpress-vulnerabilities-detected-on-version-6-8-2\/\" target=\"_blank\" rel=\"noreferrer noopener\">aware of the issue<\/a> and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges are required in order to exploit it.<\/p>\n\n\n\n<p><strong>Editor Comment<\/strong><br>Monitor WordPress updates closely and install security fixes immediately upon release to protect your site from these vulnerabilities. Also, it&#8217;s worth taking a few minutes each week to <a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-security-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">perform a site review<\/a> to catch issues early.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#2 &#8211; Security Risks in Popular Plugins<\/h2>\n\n\n\n<p>These top 10 plugins power millions of sites; two have no fixes yet, so exposure is high. 
Act now and tighten your security.<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/translatepress-multilingual\/vulnerability\/wordpress-translatepress-plugin-2-10-2-deserialization-of-untrusted-data-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">TranslatePress Plugin<\/a><\/strong><br>Deserialization of untrusted data; 8.1\/10; Update to v2.10.3+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wp-statistics\/vulnerability\/wordpress-wp-statistics-plugin-14-5-4-unauthenticated-stored-cross-site-scripting-via-user-agent-header-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">WP Statistics Plugin<\/a><\/strong><br>XSS; 7.1\/10; Update to v14.15.5+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/popup-maker\/vulnerability\/wordpress-popup-maker-plugin-1-20-6-authenticated-contributor-stored-cross-site-scripting-via-title-parameter-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Popup Maker Plugin<\/a><\/strong><br>XSS; 6.5\/10; Update to v1.21.0+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/backuply\/vulnerability\/wordpress-backuply-plugin-1-4-8-authenticated-admin-arbitrary-file-deletion-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Backuply \u2013 Backup, Restore, Migrate and Clone Plugin<\/a><\/strong><br>Arbitrary File Deletion; 6.5\/10; Update to v1.4.9+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/admin-site-enhancements\/vulnerability\/wordpress-admin-and-site-enhancements-plugin-7-9-8-authenticated-stored-xss-via-svg-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Admin and Site Enhancements (ASE) Plugin<\/a><\/strong><br>XSS; 6.5\/10; Update to v7.9.8+<\/p>\n\n\n\n<p><strong><a 
href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/extended-widget-options\/vulnerability\/wordpress-widget-options-extended-plugin-5-2-1-authenticated-contributor-stored-cross-site-scripting-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Widget Options &#8211; Extended Plugin<\/a><\/strong><br>XSS; 6.5\/10; Update to v5.2.2+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/sureforms\/vulnerability\/wordpress-sureforms-plugin-1-9-1-admin-stored-xss-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">SureForms Plugin<\/a><\/strong><br>XSS; 5.9\/10; Update to v1.9.1+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/download-manager\/vulnerability\/wordpress-download-manager-plugin-3-3-24-sensitive-data-exposure-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Download Manager Plugin<\/a><\/strong><br>Sensitive Data Exposure; 5.3\/10; No fix; Remove or replace.<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/ninja-forms\/vulnerability\/wordpress-ninja-forms-plugin-3-12-0-cross-site-request-forgery-to-limited-file-deletion-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Ninja Forms Plugin<\/a><\/strong><br>CSRF; 4.3\/10; Update to v3.12.1+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/stackable-ultimate-gutenberg-blocks\/vulnerability\/wordpress-stackable-plugin-3-18-1-sensitive-data-exposure-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Stackable Plugin<\/a><\/strong><br>Sensitive Data Exposure; 4.3\/10; No fix; Remove or replace.<\/p>\n\n\n\n<p><strong>Editor Comment<\/strong><br>It&#8217;s worth taking a few minutes each week to <a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-security-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">perform a site review<\/a> to catch issues early and wherever 
possible, use <a href=\"https:\/\/shsec.io\/lw\" target=\"_blank\" rel=\"noreferrer noopener\">ShieldPRO&#8217;s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#3 &#8211; High Security Risks in Less Popular Plugins<\/h2>\n\n\n\n<p>These plugins don\u2019t grab headlines, but they do break things heavily. Update to clean up the mess they\u2019re causing.<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/podlove-podcasting-plugin-for-wordpress\/vulnerability\/wordpress-podlove-podcast-publisher-plugin-4-2-6-unauthenticated-arbitrary-file-upload-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Podlove Podcast Publisher Plugin<\/a><\/strong><br>Arbitrary File Upload; <strong>10<\/strong>\/10; Update to v4.2.7+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/uni-woo-custom-product-options-premium\/vulnerability\/wordpress-uni-cpo-premium-plugin-4-9-54-unauthenticated-arbitrary-file-upload-via-uni-cpo-upload-file-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Uni CPO (Premium) Plugin<\/a><\/strong><br>Arbitrary File Upload; <strong>10<\/strong>\/10; Update to v4.9.55+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/woocommerce-multi-locations-inventory-management\/vulnerability\/wordpress-multiloca-woocommerce-multi-locations-inventory-management-plugin-4-2-8-missing-authorization-to-unauthenticated-arbitrary-options-update-via-wcmlim-settings-ajax-handler-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">MultiLoca Plugin<\/a><\/strong><br>Broken Access Control; <strong>9.8<\/strong>\/10; Update to v4.2.9+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/sign-up-sheets\/vulnerability\/wordpress-sign-up-sheets-plugin-2-3-2-php-object-injection-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Sign-up Sheets 
Plugin<\/a><\/strong><br>PHP Object Injection; <strong>9.8<\/strong>\/10; Update to v2.3.3+<\/p>\n\n\n\n<p><strong>Editor Comment<\/strong><br>It&#8217;s worth taking a few minutes each week to <a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-security-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">perform a site review<\/a> to catch issues early and wherever possible, use <a href=\"https:\/\/shsec.io\/lw\" target=\"_blank\" rel=\"noreferrer noopener\">ShieldPRO&#8217;s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#4 &#8211; DebugMaster Malware Creates Persistent Admin Access on WordPress Sites<\/h2>\n\n\n\n<p>A stealthy WordPress backdoor hides in files disguised as legitimate utilities to maintain a secret administrator named \u201chelp.\u201d The DebugMaster plugin creates that account, sends the credentials (and the server IP) to an attacker, injects malicious code that visitors can see, and logs administrator IPs. Both the plugin and the \u201chelp\u201d user are hidden from normal listings, and if the account is removed a backup file will continuously recreate it to retain access.<\/p>\n\n\n\n<p>Full cleanup requires deleting both malicious files and the hidden admin account.<\/p>\n\n\n\n<p><strong>Editor Comment<\/strong><br>A security plugin plays a crucial role in protecting your sites, but it&#8217;s not everything. You need to <a href=\"https:\/\/getshieldsecurity.com\/blog\/run-wordpress-security-audit\/\" target=\"_blank\" rel=\"noreferrer noopener\">run regular security audits<\/a> to catch things that may fly under the radar. 
We can&#8217;t stress enough how being proactive will pay dividends in the long run.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#5 &#8211; Our blog: The Importance of Regular WordPress Maintenance<\/h2>\n\n\n\n<p>This is a quick reminder from our blog archive about why regular site upkeep isn\u2019t just about looks or content, but is essential for functionality and protecting against cyber threats. Make consistent checks and updates a priority to keep your site secure and running smoothly.<\/p>\n\n\n\n<p><a href=\"https:\/\/getshieldsecurity.com\/blog\/regular-wordpress-maintenance\/\" data-type=\"link\" data-id=\"https:\/\/getshieldsecurity.com\/blog\/backup-wordpress-to-google-drive\/\" target=\"_blank\" rel=\"noreferrer noopener\">More Info \u2192<\/a><\/p>\n\n\n\n<p>Thanks for reading, and have a wonderful week!<\/p>\n\n\n\n<p><strong>Paul Goodchild<\/strong><br><em>Shield Security for WordPress<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>From XSS in WordPress core and popular plugins, to the appearance of DebugMaster malware, this past week has been busy. 
Stay ahead of the threats with this roundup and additional safety guide from our blog archive.<\/p>\n","protected":false},"author":27,"featured_media":163832,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[153,201],"tags":[69],"class_list":["post-170572","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-wordpress-solutions","category-shieldnotes","tag-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/170572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/comments?post=170572"}],"version-history":[{"count":7,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/170572\/revisions"}],"predecessor-version":[{"id":170582,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/170572\/revisions\/170582"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/media\/163832"}],"wp:attachment":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/media?parent=170572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/categories?post=170572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/tags?post=170572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}