{"id":170726,"date":"2026-02-09T14:41:46","date_gmt":"2026-02-09T14:41:46","guid":{"rendered":"https:\/\/getshieldsecurity.com\/?p=170726"},"modified":"2026-02-09T14:41:47","modified_gmt":"2026-02-09T14:41:47","slug":"shieldnotes-94","status":"publish","type":"post","link":"https:\/\/getshieldsecurity.com\/blog\/shieldnotes-94\/","title":{"rendered":"Post SMTP, Yoast, WP All Import and Beyond;&amp; New WordPress AI Rules"},"content":{"rendered":"\n<p>Popular WordPress plugins and themes are under the microscope again this week, with WP All Import reaching a high <em><strong>9.1<\/strong>\/10<\/em> risk score. As new AI guidelines reshape how contributors work, our guide helps you stay in charge of your error log files.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#1 &#8211; High Security Risks in Popular Plugin<\/h2>\n\n\n\n<p>A high-risk vulnerability in this plugin can allow arbitrary server-side code execution, potentially leading to full system compromise across 100,000+ websites. Admins are strongly advised to update to the most recent version.<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wp-all-import\/vulnerability\/wordpress-wp-all-import-plugin-3-7-3-admin-arbitrary-file-upload-to-rce-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">WP All Import Plugin<\/a><br><\/strong>RCE; <strong>9.1<\/strong>\/10; Update to v3.7.3+<strong><br><br>Editor Comment<\/strong><br>It&#8217;s worth taking a few minutes each week to <a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-security-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">perform a site review<\/a> to catch issues early and, wherever possible, use <a href=\"https:\/\/shsec.io\/lw\" target=\"_blank\" rel=\"noreferrer noopener\">ShieldPRO&#8217;s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#2 &#8211; Other Security Risks in Popular Plugins and Themes<\/h2>\n\n\n\n<p>With usage spanning roughly 13 million websites, the security risk in the plugins and theme below is significant. Updating to the latest patched release is critical to mitigate risk.<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/essential-blocks\/vulnerability\/wordpress-essential-blocks-plugin-4-4-3-unauthenticated-local-file-inclusion-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Essential Blocks for Gutenberg Plugin<\/a><br><\/strong>Local File Inclusion; 8.1\/10; Update to v4.4.3+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/post-smtp\/vulnerability\/wordpress-post-smtp-plugin-2-8-7-admin-sql-injection-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Post SMTP Plugin<\/a><br><\/strong>SQL Injection; 7.6\/10; Update to v2.8.7+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/latepoint\/vulnerability\/wordpress-latepoint-calendar-booking-plugin-for-appointments-and-events-plugin-5-2-5-unauthenticated-stored-cross-site-scripting-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">LatePoint Plugin<\/a><br><\/strong>XSS; 7.1\/10; Update to v5.2.6+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wordpress-seo\/vulnerability\/wordpress-yoast-seo-plugin-26-8-authenticated-contributor-stored-cross-site-scripting-via-yoast-schema-block-attribute-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Yoast SEO Plugin<\/a><br><\/strong>XSS; 6.5\/10; Update to v26.9+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/wp-seopress\/vulnerability\/wordpress-seopress-on-site-seo-plugin-7-5-2-1-authenticated-contributor-stored-cross-site-scripting-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">SEOPress Plugin<\/a><br><\/strong>XSS; 6.5\/10; Update to v7.6+<\/p>\n\n\n\n<p><strong><a 
href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/woolentor-addons\/vulnerability\/wordpress-shoplentor-plugin-2-8-1-authenticated-contributor-stored-cross-site-scripting-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">ShopLentor Plugin<\/a><br><\/strong>XSS; 6.5\/10; Update to v2.8.2+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/menu-icons\/vulnerability\/wordpress-menu-icons-by-themeisle-plugin-0-13-20-authenticated-author-stored-cross-site-scripting-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Menu Icons by ThemeIsle Plugin<\/a><br><\/strong>XSS; 5.9\/10; Update to v0.13.21+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/pubsubhubbub\/vulnerability\/wordpress-websub-fka-pubsubhubbub-plugin-3-1-4-authenticated-admin-stored-cross-site-scripting-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">WebSub Plugin<\/a><br><\/strong>XSS; 5.9\/10; Update to v3.2.0+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/robin-image-optimizer\/vulnerability\/wordpress-robin-image-optimizer-plugin-2-0-2-authenticated-author-stored-cross-site-scripting-via-image-alternative-text-field-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Robin image optimizer Plugin<\/a><br><\/strong>XSS; 5.9\/10; Update to v2.0.3+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/relevanssi\/vulnerability\/wordpress-relevanssi-plugin-4-22-0-unauthenticated-private-draft-post-disclosure-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Relevanssi Plugin<\/a><br><\/strong>IDOR; 5.3\/10; Update to v4.22.0+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/shortpixel-image-optimiser\/vulnerability\/wordpress-shortpixel-image-optimizer-plugin-6-4-2-authenticated-editor-arbitrary-file-read-via-loadfile-parameter-vulnerability\" 
target=\"_blank\" rel=\"noreferrer noopener\">ShortPixel Image Optimizer Plugin<\/a><br><\/strong>Arbitrary File Download; 4.9\/10; Update to v6.4.3+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/code-snippets\/vulnerability\/wordpress-code-snippets-plugin-3-9-4-cross-site-request-forgery-to-cloud-snippet-download-update-actions-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Code Snippets Plugin<\/a><br><\/strong>CSRF; 4.3\/10; Update to v3.9.5+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/theme\/royal-elementor-kit\/vulnerability\/wordpress-royal-elementor-kit-plugin-1-0-116-missing-authorization-to-arbitrary-transient-update-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Royal Elementor Kit Theme<\/a><br><\/strong>Broken Access Control; 4.3\/10; Update to v1.0.117+<\/p>\n\n\n\n<p><strong>Editor Comment<\/strong><br>It&#8217;s worth taking a few minutes each week to <a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-security-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">perform a site review<\/a> to catch issues early and, wherever possible, use <a href=\"https:\/\/shsec.io\/lw\" target=\"_blank\" rel=\"noreferrer noopener\">ShieldPRO&#8217;s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#3 &#8211; High Security Risks in Less Popular Plugins<\/h2>\n\n\n\n<p>Despite their smaller footprint, these plugins can have severe consequences in affected environments.<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/gsheetconnector-wpforms\/vulnerability\/wordpress-wpforms-google-sheet-connector-plugin-4-0-1-remote-code-execution-rce-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">WPForms Google Sheet Connector Plugin<\/a><br><\/strong>RCE; <strong>9.9<\/strong>\/10; Update to v4.0.2+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/school-management\/vulnerability\/wordpress-school-management-plugin-91-5-0-authenticated-student-arbitrary-file-upload-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">School Management Plugin<\/a><br><\/strong>Arbitrary File Upload; <strong>9.9<\/strong>\/10; Update to v92.0.0+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/vayu-blocks\/vulnerability\/wordpress-vayu-blocks-gutenberg-blocks-for-wordpress-woocommerce-plugin-1-1-1-missing-authorization-to-unauthenticated-arbitrary-plugin-installation-activation-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Vayu Blocks \u2013 Gutenberg Blocks for WordPress &amp; WooCommerce Plugin<\/a><br><\/strong>Broken Access Control; <strong>9.8<\/strong>\/10; Update to v1.2.0+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/all-in-one-video-gallery\/vulnerability\/wordpress-all-in-one-video-gallery-plugin-4-5-7-authenticated-author-arbitrary-file-upload-via-vtt-upload-bypass-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">All-in-One Video Gallery Plugin<\/a><br><\/strong>Arbitrary File Upload; <strong>9.1<\/strong>\/10; Update to v4.6.4+<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/demo-importer-plus\/vulnerability\/wordpress-demo-importer-plus-plugin-2-0-6-authenticated-author-arbitrary-file-upload-via-wxr-upload-bypass-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">Demo Importer Plus Plugin<\/a><br><\/strong>Arbitrary File Upload; <strong>9.1<\/strong>\/10; Update to v2.0.7+<\/p>\n\n\n\n<p><strong>Editor Comment<\/strong><br>It&#8217;s worth taking a few minutes each week to <a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-security-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">perform a site review<\/a> to catch issues early and, wherever possible, use <a href=\"https:\/\/shsec.io\/lw\" target=\"_blank\" rel=\"noreferrer noopener\">ShieldPRO&#8217;s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#4 &#8211; WordPress Sets New AI Guidelines<\/h2>\n\n\n\n<p>WordPress releases AI usage guidelines for plugins, themes, docs, and media assets. The goal: transparency, accountability, and preserving the project\u2019s open-source roots.<\/p>\n\n\n\n<p><a href=\"https:\/\/make.wordpress.org\/ai\/handbook\/ai-guidelines\/\" data-type=\"link\" data-id=\"https:\/\/make.wordpress.org\/ai\/handbook\/ai-guidelines\/\" target=\"_blank\" rel=\"noreferrer noopener\">More Info \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">#5 &#8211; Our blog: How to Control and Use PHP Error Logs<\/h2>\n\n\n\n<p>Clean up your WordPress by consolidating PHP error logs into a single, organised location. Eliminate scattered log files and make troubleshooting faster and easier.<\/p>\n\n\n\n<p><a href=\"https:\/\/getshieldsecurity.com\/blog\/consolidate-php-error-log-files\/\" data-type=\"link\" data-id=\"https:\/\/getshieldsecurity.com\/blog\/consolidate-php-error-log-files\/\" target=\"_blank\" rel=\"noreferrer noopener\">More Info \u2192<\/a><\/p>\n\n\n\n<p>Thanks for reading, and have a wonderful week!<\/p>\n\n\n\n<p><strong>Paul Goodchild<\/strong><br><em>Shield Security for WordPress<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stay updated on the latest WordPress plugin and theme attacks, new AI guidelines, and tips to manage your PHP error logs 
effectively.<\/p>\n","protected":false},"author":27,"featured_media":163832,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[153,201],"tags":[69],"class_list":["post-170726","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-wordpress-solutions","category-shieldnotes","tag-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/170726","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/comments?post=170726"}],"version-history":[{"count":2,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/170726\/revisions"}],"predecessor-version":[{"id":170728,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/170726\/revisions\/170728"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/media\/163832"}],"wp:attachment":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/media?parent=170726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/categories?post=170726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/tags?post=170726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}