WordPress rolled out a new security patch, but the story doesn\u2019t end there \u2014 recurring vulnerabilities continue to affect popular plugins, including the critical MetForm Pro with no fix yet. Monitor your site for suspicious activity (details below).<\/p>\n\n\n\n
WordPress first released update 6.9.2 to address security issues, but it caused some sites to crash (show a white screen). They quickly released v6.9.3 to fix that problem. Now they\u2019ve released a final v6.9.4 <\/em><\/strong>because some security issues were still not fully fixed.<\/p>\n\n\n\n WordPress Core<\/a> The plugins below suffer from extremely severe security flaws, leaving around 1.5 million sites vulnerable. Please take action ASAP.<\/p>\n\n\n\n ExactMetrics Plugin<\/a> Ally Plugin<\/a> My Sticky Bar Plugin<\/a> MetForm Pro Plugin<\/a> Plugins below have known vulnerabilities affecting millions of sites, possibly including yours, and is actively being exploited. Update now to avoid unnecessary risk.<\/p>\n\n\n\n ProfilePress Plugin<\/a> The Events Calendar Plugin<\/a> Formidable Forms Plugin<\/a> PixelYourSite PRO Plugin<\/a> Everest Forms Pro Plugin<\/a> Avada Core Plugin<\/a> MC4WP Plugin<\/a> Gravity Forms Plugin<\/a> Social Icons Widget & Block by WPZOOM Plugin<\/a> Editor Comment<\/strong> The plugins below are also under active attack. They may be less common, but their vulnerabilities are especially critical.<\/p>\n\n\n\n Divi Booster Plugin<\/a> Xagio SEO Plugin<\/a> Simply Schedule Appointments Plugin<\/a> Editor Comment<\/strong> WordPress sites face cyber threats every day, and hackers constantly look for new ways to break security systems. Custom security alerts help protect your site by detecting suspicious activity in real time, such as unauthorised logins, file changes, or plugin issues.<\/p>\n\n\n\n
<\/strong>XML External Entity (XXE); 6.5\/10; Update to v6.9.4+
Editor Comment<\/strong>
It’s worth taking a few minutes each week to perform a sites review<\/a> to catch issues early and keep your WordPress installation updated.\u00a0<\/p>\n\n\n\n#2 – High Security Risks in Popular Plugins<\/h2>\n\n\n\n
<\/strong>Privilege Escalation; 9.8<\/strong>\/10; Update to v9.0.3+<\/p>\n\n\n\n
<\/strong>SQL Injection; 9.3<\/strong>\/10; Update to v4.1.0+<\/p>\n\n\n\n
<\/strong>SQL Injection; 9.3<\/strong>\/10; Update to v2.8.7+<\/p>\n\n\n\n
<\/strong>Broken Access Control; 9.1<\/strong>\/10; No fix; Remove\/or replace.
Editor Comment<\/strong>
It’s worth taking a few minutes each week to perform a sites review<\/a> to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n#3 – Other Security Risks in Popular Plugins<\/h2>\n\n\n\n
<\/strong>IDOR; 8.1\/10; Update to v4.16.12+<\/p>\n\n\n\n
<\/strong>Arbitrary File Download; 7.5\/10; Update to v6.15.17.1+<\/p>\n\n\n\n
<\/strong>Broken Access Control; 7.5\/10; Update to v6.29+<\/p>\n\n\n\n
<\/strong>XSS; 7.1\/10; Update to v12.4.0.3+<\/p>\n\n\n\n
<\/strong>XSS; 7.1\/10; No fix; Remove\/or replace.<\/p>\n\n\n\n
<\/strong>XSS; 6.5\/10; Update to v5.15.0+<\/p>\n\n\n\n
<\/strong>Broken Access Control; 6.5\/10; Update to v4.12.0+<\/p>\n\n\n\n
<\/strong>XSS; 6.5\/10; Update to v2.9.29+<\/p>\n\n\n\n
<\/strong>Broken Access Control; 4.3\/10; Update to v4.5.9+<\/p>\n\n\n\n
It’s worth taking a few minutes each week to perform a sites review<\/a> to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n#4 – High Security Risks in Less Popular Plugins<\/h2>\n\n\n\n
<\/strong>PHP Object Injection; 9.8<\/strong>\/10; Update to v5.0.2+<\/p>\n\n\n\n
<\/strong>Privilege Escalation; 9.8<\/strong>\/10; Update to v7.1.0.31+<\/p>\n\n\n\n
<\/strong>SQL Injection; 9.3<\/strong>\/10; Update to v1.6.9.29+<\/p>\n\n\n\n
It’s worth taking a few minutes each week to perform a sites review<\/a> to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade<\/a> feature for vulnerable plugins.<\/p>\n\n\n\n#5 – Our blog: Let Custom Alerts Watch Over Your Site<\/h2>\n\n\n\n