Could your CDN be delivering malicious code without you knowing?

From recurring WordPress plugin vulnerabilities to a high WP Activity Log security risk, we take a closer look at the OptinMonster and TrustPulse CDN compromise, exposing how modern attacks evade traditional malware scanners and how Shield brings hidden threats to light.

This plugin carries significant risk. A valid POP chain could allow attackers to execute code and SQL injection, path traversal, and DoS attacks on your site. Update immediately if you haven’t already.

WP Activity Log Plugin
PHP Object Injection; 9.8/10; Update to v5.6.4+

Editor Comment

It’s worth taking a few minutes each week to perform a sites review to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

The more sites a plugin powers, the bigger the target it becomes. A single vulnerability across countless installs is every attacker’s dream. Take a minute to check yours.

Tutor LMS Plugin
SQL Injection; 7.6/10; Update to v3.9.12+

Advanced Order Export For WooCommerce Plugin
SQL Injection; 7.6/10; Update to v4.1.0+

Advanced Ads Plugin
RCE; 7.5/10; Update to v2.0.22+

JetFormBuilder Plugin
Privilege Escalation; 6.8/10; Update to v3.6.1.1+

WooCommerce Stripe Payment Gateway Plugin
Broken Access Control; 6.5/10; Update to v10.8.0+

Permalink Manager Lite Plugin
XSS; 6.5/10; Update to v2.5.3.4+

Royal Elementor Addons Plugin
Arbitrary File Download; 6.5/10; Update to v1.7.1060+

Blocksy Companion Plugin
XSS; 5.9/10; Update to v2.1.46+

WP Go Maps Plugin
Broken Access Control; 5.3/10; Update to v10.1.02+

Gutenberg Blocks by Kadence Blocks Plugin
Sensitive Data Exposure; 4.3/10; Update to v3.7.6+

Optimole Plugin
CSRF; 4.3/10; Update to v4.2.7+

Editor Comment
It’s worth taking a few minutes each week to perform a sites review to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

High severity. High priority. Every plugin below needs an immediate update if it’s running on your site.

Branda Plugin
Privilege Escalation; 9.8/10; Update to v3.4.31+

SMS Alert Order Notifications Plugin
Privilege Escalation; 9.8/10; Update to v3.9.5+

Motors Plugin
SQL Injection; 9.3/10; Update to v1.4.110+

JobSearch Plugin
SQL Injection; 9.3/10; Update to v3.3.0+

Listdom Plugin
SQL Injection; 9.3/10; Update to v5.5.0+

Editor Comment
It’s worth taking a few minutes each week to perform a sites review to catch issues early and wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

#4 – Our blog: Why the OptinMonster CDN Attack Is a Case for On-Site WordPress Security

A compromised CDN credential turned OptinMonster and TrustPulse into malware delivery vehicles targeting WordPress admins. Cloudflare couldn’t stop it. A WAF couldn’t stop it. We look at why on-site WordPress security is the layer that actually matters here, and what Shield is building next to catch an attack technique most security tools can’t even see.

More Info →

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress