Three WordPress plugins have current security reports that site owners should turn into a simple maintenance task: inventory the installed version, take a backup, update only the affected active plugin, and validate the site after the change. This guide covers Code Engine, Essential Addons for Elementor, and Simple JWT Login without exposing technical attack details.
Start at the WordPress support hub for broader maintenance help. This checklist applies only when one of the named plugins is installed. Do not install a plugin merely to check it, and remove unused plugins instead of leaving them inactive indefinitely.
What to review now
Patchstack currently lists reports affecting the following older releases. Check the version in Plugins before making a change:
- Code Engine: review any installation at version 0.3.5 or earlier. The official WordPress.org listing currently provides version 0.5.4.
- Essential Addons for Elementor: review any installation at version 6.6.10 or earlier. The official WordPress.org listing currently provides version 6.7.0.
- Simple JWT Login: review any installation at version 3.6.6 or earlier. The official WordPress.org listing currently provides version 3.6.7.
The update targets above are based on the official plugin listings at the time of this review. Patchstack’s individual reports cover Code Engine, Essential Addons for Elementor, and Simple JWT Login. Keep the public response focused on version management and validation, not on reproducing the reported behavior.
Use a backup-first update sequence
- Record the affected plugin’s installed version and whether it is active on the production site.
- Make a current, restorable WordPress backup that includes both files and the database. If the site is business-critical, test the update on staging first.
- Update the plugin from the trusted WordPress administration screen or the provider’s supported management tool. Do not use copies from unverified sources.
- Clear the site and CDN cache after the update if the site uses page caching.
- Confirm the current plugin version, then exercise the site area that depends on it with an authorized account.
Validate the site after updating
For Code Engine, review the site features that rely on its snippets and scheduled work. For Essential Addons for Elementor, check a representative set of Elementor pages, forms, and any store or membership flow that uses its widgets. For Simple JWT Login, verify the approved sign-in and integration paths with a normal authorized user, then confirm that privileged administrative workflows still behave as expected.
If a plugin cannot be updated immediately because of a compatibility dependency, reduce exposure by disabling it when it is not required, limiting unnecessary user roles, and scheduling a tested upgrade as soon as possible. Do not treat an outdated plugin as safe simply because it is rarely used. Review the active WordPress PHP runtime before a compatibility test, and use a backup-restore test when the site’s recovery process has not been proven recently.
Keep the plugin inventory smaller and easier to maintain
After the immediate update work, document the owner and purpose of every active plugin. That makes version checks faster during the next security notice and reduces the chance that an abandoned add-on remains forgotten. The unused WordPress plugins and themes cleanup guide can help remove software that no longer has a documented role.
For a wider current-plugin maintenance view, see the July WordPress plugin security update checklist. Keep each report scoped to the affected plugins and recheck the official listing before applying a later update.


