Staying ahead of WordPress threats means keeping up with newly disclosed plugin and theme vulnerabilities. This week, we identify the most notable risks and share security hardening solutions you can review right away.
#1 – Critical Security Risks in Popular Plugins
We’ve ranked these plugins first because they carry the highest and most immediate risk across millions of installs. If any are active on your site, treat them as priority updates.
JetEngine Plugin
PHP Object Injection; 9.8/10; Update to v3.8.10.1+
LoginPress Pro Plugin
Privilege Escalation; 9.8/10; Update to v6.2.3+
The Events Calendar Plugin
SQL Injection; 9.3/10; Update to v6.16.3+
Editor Comment
It’s worth taking a few minutes each week to perform a sites review to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Other Security Risks in Popular Plugins
Wide adoption changes the stakes. When vulnerabilities hit commonly used plugins, urgency rises fast. Check yours, and update now.
UpdraftPlus Plugin
Broken Authentication; 8.1/10; Update to v1.26.5+
Speed Optimizer Plugin
XSS; 7.1/10; Update to v7.7.9+
Autoptimize Plugin
XSS; 7.1/10; Update to v3.1.15+
Spam Protection, AntiSpam, FireWall by CleanTalk Plugin
XSS; 7.1/10; Update to v6.79+
Email Encoder Bundle Plugin
XSS; 7.1/10; Update to v2.4.7+
PageLayer Plugin
XSS; 6.5/10; Update to v2.1.0+
Presto Player Plugin
XSS; 6.5/10; Update to v4.2.1+
FooGallery Plugin
XSS; 6.5/10; Update to v3.1.32+
Feeds for YouTube Plugin
Broken Access Control; 5.4/10; Update to v2.6.4+
Schema & Structured Data for WP & AMP Plugin
Arbitrary File Upload; 5.3/10; Update to v1.60+
Editor Comment
It’s worth taking a few minutes each week to perform a sites review to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#3 – High Security Risks in Less Popular Plugins and Themes
This list is about severity, not scale. These plugins and themes carry especially serious risk and should be updated immediately if present on your site.
PowerPack for LearnDash Plugin
Broken Access Control; 9.8/10; Update to v1.3.0+
Doctreat Core Plugin
Privilege Escalation; 9.8/10; Update to v1.7.0+
FastDup Plugin
Path Traversal; 9.6/10; Update to v2.7.3+
WP Photo Album Plus Plugin
SQL Injection; 9.3/10; Update to v9.1.11.001+
eCommerce Product Catalog Plugin
SQL Injection; 9.3/10; Update to v3.5.6+
Newsletters Plugin
SQL Injection; 9.3/10; Update to v4.14+
XStore Theme
SQL Injection; 9.3/10; Update to v9.7.3+
Editor Comment
It’s worth taking a few minutes each week to perform a sites review to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#4 – Our blog: WordPress Security Hardening Services Complete Overview
WordPress site hardening happens at different layers, and no single approach covers everything. The question is which combination matches your technical comfort, budget, and risk tolerance.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress
