The Cyber Express

Top 10 Most Common WordPress Vulnerabilities to Look Out For in 2024

The inclusion of the theming plugin facility further complicates the security challenge as most plugins/themes are often less secure than the core WordPress base.

by Alan J
April 25, 2024
in Firewall Daily, Vulnerabilities

WordPress maintains its dominance as a content management system (CMS), reportedly holding 63.3% of the entire market. At least 43.2% of the web (810 million websites) runs on WordPress, according to Search Logistics. While it offers simple content management, and numerous plugins extend the default WordPress experience, it also presents a security challenge.

Its widespread use makes it an enticing target for attackers, who can discover and chain different WordPress vulnerabilities to attack a huge range of websites. Roughly 13,000 WordPress sites are hacked every day, according to Colorlib.

The plugin and theme system further complicates the security challenge, as plugins and themes are often less secure than the WordPress core. The WordPress developer security page makes a direct statement about where the platform's flaws lie: ‘because it provides so much power and flexibility, plugins and themes are key points of weakness.’

To address these WordPress vulnerabilities, it helps to have a list of the most common ones so that site owners can secure against them effectively.

List of Top 10 WordPress Vulnerabilities in 2024


Of the 5,948 vulnerabilities reported between 2023 and 2024, 97% stemmed from plugins, 3% from themes and only about 0.2% from the core WordPress package. All of the core vulnerabilities were low-severity issues rather than critical ones. These statistics show that plugins pose the most potent security threat to WordPress.

Patchstack researchers noted that many WordPress plugins are abandoned or turn into “zombie plugins”: add-ons that appear up to date but contain security issues or no longer receive the developers' full attention.


Many of the flawed plugins were published by developers who no longer seemed reachable or lacked contact details. This highlights a glaring flaw in the WordPress ecosystem: such plugins remain active on sites even after they are no longer developed or have been removed from the WordPress plugin directory.

1. Cross Site Scripting (XSS) (3,171 vulnerabilities)

Cross-Site Scripting (XSS) is the most common WordPress vulnerability, accounting for 53.3% of all new WordPress security vulnerabilities. Attackers can abuse it to inject malicious scripts into WordPress pages viewed by other users, enabling them to hijack sessions, deface websites or steal data from visitors. However, 654 (more than a third) of the reported XSS vulnerabilities required administrator privileges for successful exploitation.
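The defect behind most plugin XSS findings is output that is never escaped for the HTML context it lands in. The following is an added example, not code from the article or from any real plugin: a hypothetical shortcode shown first in its vulnerable form and then hardened with the WordPress escaping functions. The `function_exists()` shims are assumptions that let the file run under the plain `php` CLI; inside WordPress the real `esc_html()`, `esc_attr()` and `esc_url()` are used.

```php
<?php
// Added example (not code from the article): a WordPress shortcode that
// renders visitor-controlled values, first unescaped, then escaped for the
// context each value lands in. The function_exists() shims let the file run
// under the plain php CLI; inside WordPress the real esc_* functions are used.
// The shortcode name and attribute are hypothetical.

if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: only http(s) URLs survive, then attribute-escaped.
    // WordPress's esc_url() also normalises the URL and allows other safe schemes.
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s) ? esc_attr($s) : '';
    }
}

// Vulnerable: a query parameter and a shortcode attribute are concatenated
// straight into the page HTML, so the visitor's input is parsed as markup.
// ($atts is untyped because WordPress passes '' when no attributes are given.)
function greeting_shortcode_vulnerable($atts): string {
    $atts = (array) $atts;
    $name = $_GET['name'] ?? 'guest';
    $link = $atts['link'] ?? '';
    return '<p>Hello, ' . $name . '! <a href="' . $link . '">profile</a></p>';
}

// Hardened: escape at output time, choosing the function by context:
// esc_html() for element text, esc_url() for an href, esc_attr() for any
// other attribute value. Sanitising on input does not replace this step.
function greeting_shortcode_safe($atts): string {
    $atts = (array) $atts;
    $name = $_GET['name'] ?? 'guest';
    $link = $atts['link'] ?? '';
    return '<p>Hello, ' . esc_html($name) . '! <a href="' . esc_url($link) . '">profile</a></p>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('greeting', 'greeting_shortcode_safe');   // [greeting link="..."]
}

// Constructed inputs: what a visitor could place in the URL and a page author
// in the shortcode. Compare the two outputs: the safe one shows the tags as
// literal text and drops the javascript: URL.
$_GET['name'] = '<script>alert(1)</script>';
$atts = ['link' => 'javascript:alert(1)'];
echo greeting_shortcode_vulnerable($atts), PHP_EOL;
echo greeting_shortcode_safe($atts), PHP_EOL;
```

The design point is that escaping is tied to the output context, not to the data: the same string needs `esc_html()` between tags, `esc_attr()` inside a quoted attribute and `esc_url()` in an `href`, and none of these is interchangeable with the others.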

2. Cross-site Request Forgery (CSRF) (1,098 vulnerabilities)

Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress can be exploited to trick logged-in visitors into performing unintended actions on the authenticated application, leading to unauthorized transactions or data manipulation on WordPress sites. CSRF ranks second among common WordPress vulnerabilities at 16.9%, three times the number of CSRF vulnerabilities disclosed in 2022.

3. Broken Access Control at 12.9% (767 vulnerabilities)

This WordPress application vulnerability occurs when the application does not enforce adequate restrictions on authenticated users. Attackers can exploit it to access sensitive data. To ensure your website is not vulnerable to broken access control, keep the WordPress core, plugins and other software you use on your website up to date.
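CSRF (item 2) and broken access control (item 3) usually appear together in plugin action handlers, and they have separate fixes: a nonce proves the request was intended by the user, a capability check proves the user is allowed. The following is an added example, not code from the article or from any real plugin; it is plugin code that assumes WordPress is loaded (`add_action`, `check_admin_referer`, `current_user_can`, `wp_delete_post`, `wp_nonce_url` and the other functions used are WordPress core). The action name, nonce action and `myplugin` prefix are hypothetical.

```php
<?php
// Added example, not from the article. Assumes WordPress is loaded.
// Action name, nonce action and the "myplugin" prefix are hypothetical.

// Vulnerable handler: any request to admin-post.php?action=myplugin_delete&id=N
// deletes post N. Nothing proves the logged-in user meant to send it (CSRF),
// and nothing checks that the user may delete that post (broken access control),
// so a subscriber-level account is enough.
function myplugin_delete_vulnerable(): void {
    $id = (int) ($_REQUEST['id'] ?? 0);
    wp_delete_post($id, true);
    wp_safe_redirect(admin_url('edit.php'));
    exit;
}

// Hardened handler.
function myplugin_delete_safe(): void {
    $id = (int) ($_REQUEST['id'] ?? 0);

    // CSRF: the request must carry a nonce tied to this action and this item.
    // check_admin_referer() stops with a 403 page if the nonce is missing or stale.
    check_admin_referer('myplugin_delete_' . $id);

    // Authorization: the nonce proves intent, not permission. Check the
    // capability for this specific post; WordPress maps the 'delete_post'
    // meta capability onto the post's owner and status.
    if (!current_user_can('delete_post', $id)) {
        wp_die(esc_html__('You are not allowed to delete this item.', 'myplugin'), 403);
    }

    wp_delete_post($id, true);
    wp_safe_redirect(admin_url('edit.php'));
    exit;
}

// Only logged-in users reach admin_post_{action}. The matching
// admin_post_nopriv_{action} hook is deliberately not registered, so
// anonymous requests never reach the handler.
add_action('admin_post_myplugin_delete', 'myplugin_delete_safe');

// Building the link: wp_nonce_url() appends the _wpnonce parameter that
// check_admin_referer() verifies in the handler above.
function myplugin_delete_link(int $id): string {
    $url = add_query_arg(
        ['action' => 'myplugin_delete', 'id' => $id],
        admin_url('admin-post.php')
    );
    return esc_url(wp_nonce_url($url, 'myplugin_delete_' . $id));
}
```

The same two checks apply to REST routes: `register_rest_route()` needs a real `permission_callback` for authorization, and cookie-authenticated REST requests must send the `X-WP-Nonce` header for the CSRF half.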

4. SQL Injection (266 vulnerabilities)

A SQL Injection vulnerability in WordPress can be exploited by attackers to send SQL statements of their own to the database server and gain unrestricted access to it. This form of attack relies on weaknesses in input validation. SQL Injection vulnerabilities saw a small increase in 2023, with 266 reported, or 4.47% of reported WordPress vulnerabilities.
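In plugin code the injection point is almost always a query string built with interpolation instead of `$wpdb->prepare()`. The following is an added example, not code from the article or from any real plugin; it assumes WordPress is loaded (`$wpdb`, `sanitize_text_field`, `add_shortcode`, `esc_html`). The table name and columns are hypothetical.

```php
<?php
// Added example, not from the article. Assumes WordPress is loaded ($wpdb and
// the sanitize_*/esc_* functions are WordPress core). Table and columns are
// hypothetical.

// Vulnerable: the search term and sort column come straight from the request
// into the SQL string. A single quote in $search terminates the literal and
// the rest of the input becomes SQL.
function myplugin_search_vulnerable(string $search, string $orderby): array {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_items';
    $sql = "SELECT id, title FROM {$table} WHERE title LIKE '%{$search}%' ORDER BY {$orderby}";
    return (array) $wpdb->get_results($sql, ARRAY_A);
}

// Hardened.
function myplugin_search_safe(string $search, string $orderby): array {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_items';

    // Values: bind them with prepare(). esc_like() escapes % and _ inside the
    // term so the user cannot widen the pattern; we add the wildcards ourselves.
    $like = '%' . $wpdb->esc_like($search) . '%';

    // Identifiers (the ORDER BY column) cannot be bound as values, so map the
    // request value onto a fixed allowlist and fall back to a default.
    $columns = ['title' => 'title', 'newest' => 'id DESC'];
    $order = $columns[$orderby] ?? 'title';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s ORDER BY {$order} LIMIT %d",
        $like,
        50
    );
    return (array) $wpdb->get_results($sql, ARRAY_A);
}

// Wiring: a shortcode that reads ?q= and ?sort= from the URL. Input is
// sanitised, the query is parameterised, and output is escaped again.
add_shortcode('myplugin_search', function (): string {
    $q = sanitize_text_field(wp_unslash($_GET['q'] ?? ''));
    $sort = sanitize_key($_GET['sort'] ?? 'title');
    $out = '<ul>';
    foreach (myplugin_search_safe($q, $sort) as $row) {
        $out .= '<li>' . esc_html($row['title']) . '</li>';
    }
    return $out . '</ul>';
});
```

Two details are worth checking in a review: `prepare()` only protects placeholders, so any piece of the statement still interpolated (table names, column names, `ORDER BY` direction) must come from code or an allowlist; and `esc_like()` is needed in addition to `%s` whenever the value feeds a `LIKE`.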

5. Sensitive Data Exposure (119 vulnerabilities)

Sensitive Data Exposure is a common issue caused by improper handling of sensitive and personal data. To keep your WordPress website compliant with data-handling regulations, restrict access to sensitive data to only the users who need it, and keep that data adequately encrypted.

6. Arbitrary File Transfer (91 vulnerabilities)

In an arbitrary file upload (file transfer) vulnerability, attackers manipulate uploads or POST requests to place and execute arbitrary files under the web server process, leading to compromise through crafted malware or exfiltration of sensitive data.
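The checks that stop an upload from becoming executable are an extension allowlist, a content-type sniff that must agree with that extension, a server-generated file name and a storage location that the web server will not execute. The following is an added example, not code from the article; it is plain PHP that runs with the `php` CLI (it needs the `fileinfo` extension). Inside WordPress the equivalent work is done by `wp_handle_upload()`, which calls `wp_check_filetype_and_ext()`; the allowlist, limits and sample files below are constructed for the demo.

```php
<?php
// Added example, not from the article. Plain PHP; needs ext/fileinfo.
// Allowlist, size limit and the sample files are constructed for the demo.

const ALLOWED_TYPES = [
    // extension => MIME type the file content must actually have
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate an uploaded file. Returns [ok, reason, safeName].
 * $clientName is the name the browser sent; $tmpPath is where PHP stored the bytes.
 */
function validate_upload(string $clientName, string $tmpPath, int $size, int $maxBytes = 2000000): array {
    if ($size <= 0 || $size > $maxBytes) {
        return [false, 'bad size', null];
    }
    // Accept exactly one extension. Names with several dots (x.php.png) are a
    // classic way to confuse mis-configured servers, so reject them outright.
    $parts = explode('.', basename($clientName));
    if (count($parts) !== 2 || $parts[0] === '') {
        return [false, 'file name must have exactly one extension', null];
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return [false, "extension .$ext not allowed", null];
    }
    // Sniff the real content; $_FILES['type'] is client-supplied and worthless.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return [false, "content is $mime, not " . ALLOWED_TYPES[$ext], null];
    }
    // Never reuse the client's name: generate one and keep only our vetted extension.
    return [true, 'ok', bin2hex(random_bytes(16)) . '.' . $ext];
}

/** Store a validated upload. $storageDir must be outside the document root
 *  (or have script execution disabled) and files are served via a handler
 *  that sets Content-Type itself. */
function store_upload(string $tmpPath, string $safeName, string $storageDir): string {
    $dest = rtrim($storageDir, '/') . '/' . $safeName;
    if (!move_uploaded_file($tmpPath, $dest)) {      // refuses non-upload sources
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $dest;
}

// Constructed inputs: a minimal PNG header, and a PHP script with a .png name.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hi';");

$cases = [['photo.png', $png], ['photo.png', $php], ['shell.php', $php], ['a.php.png', $png]];
foreach ($cases as [$name, $path]) {
    [$ok, $why] = validate_upload($name, $path, filesize($path));
    echo str_pad($name, 12), $ok ? 'accepted' : "rejected: $why", PHP_EOL;
}
unlink($png);
unlink($php);
```

Of the four constructed cases only the first is accepted: the renamed PHP script fails the content sniff, `.php` fails the allowlist and the double extension fails the name check. Storage outside the document root is what makes the remaining risk tolerable even if one of the checks is later weakened.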

7. Privilege Escalation (71 vulnerabilities)

In a privilege escalation vulnerability, an attacker first gains access to a low-privileged account and then escalates to an administrator-level account, which gives access to a far wider range of resources.

8. PHP Object Injection (54 vulnerabilities)

PHP Object Injection is a WordPress vulnerability that can let attackers perform various attacks, such as code injection, SQL injection, path traversal and application denial of service, through the injection of arbitrary PHP code. It occurs when user-supplied input is not properly sanitized before being passed to PHP functions.
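The function at the centre of this class is `unserialize()`: when it receives attacker-controlled bytes, the attacker chooses which classes are instantiated, and the magic methods of those classes (`__wakeup`, `__destruct`) run with whatever side effects they have. The following is an added example, not code from the article; plain PHP that runs with the `php` CLI. The `CacheEntry` class and the preferences cookie are hypothetical; the class only records that its `__wakeup` ran, which is enough to show the difference between the three ways of reading the same input.

```php
<?php
// Added example, not from the article. Plain PHP (8.0+ for the mixed type).
// The class and the cookie are hypothetical.

class CacheEntry {
    public string $path = '';
    public static bool $wakeupRan = false;
    // Runs automatically during unserialize(). Whoever controls the serialized
    // string decides whether this (or any other loaded class's) magic method
    // executes. This one only sets a flag so the demo can observe it.
    public function __wakeup(): void { self::$wakeupRan = true; }
}

// Vulnerable: a user-controlled cookie goes straight into unserialize().
function load_prefs_vulnerable(string $cookie): mixed {
    return unserialize($cookie);
}

// Safer: forbid object creation entirely. Anything that was an object comes
// back as __PHP_Incomplete_Class and no magic method runs.
function load_prefs_no_objects(string $cookie): mixed {
    $v = @unserialize($cookie, ['allowed_classes' => false]);
    return $v === false ? null : $v;
}

// Safest: use a format that cannot express objects at all, then validate the
// decoded shape against what the application actually expects.
function load_prefs_json(string $cookie): array {
    $v = json_decode($cookie, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($v) || !in_array($v['theme'] ?? null, ['light', 'dark'], true)) {
        throw new UnexpectedValueException('bad prefs');
    }
    return ['theme' => $v['theme']];
}

// Constructed input: a serialized CacheEntry, the kind of string a visitor
// could place in a cookie. serialize() is used only to build the sample.
$obj = new CacheEntry();
$obj->path = '/tmp/anything';
$payload = serialize($obj);

CacheEntry::$wakeupRan = false;
load_prefs_vulnerable($payload);
echo 'plain unserialize ran __wakeup: ', var_export(CacheEntry::$wakeupRan, true), PHP_EOL;

CacheEntry::$wakeupRan = false;
$r = load_prefs_no_objects($payload);
echo 'allowed_classes=false ran __wakeup: ', var_export(CacheEntry::$wakeupRan, true),
     ', value is ', get_class($r), PHP_EOL;

echo 'json path: ', json_encode(load_prefs_json('{"theme":"dark"}')), PHP_EOL;
```

Reviewing a plugin for this class means finding every call to `unserialize()` (including through WordPress helpers that wrap it) and tracing whether its argument can originate from a cookie, request parameter or database field a lower-privileged user can write.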

9. Bypass Vulnerability (48 vulnerabilities)

An authentication bypass vulnerability in WordPress is a defect that enables a threat actor to circumvent the site's authentication mechanisms. It is usually the result of an unconventional access path that does not pass through the checkpoints where proper authentication should occur. Exploiting it could allow attackers to perform otherwise restricted actions or reset user passwords to gain unauthorized access to WordPress accounts.

10. Server-Side Request Forgery (44 vulnerabilities)

By exploiting a Server-Side Request Forgery (SSRF) vulnerability, an attacker can abuse the WordPress hosting server to access or modify resources that are not meant to be exposed to the public. WordPress versions prior to 5.2.4 were known to contain an SSRF vulnerability because of improper path handling during URL validation.
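A server-side fetch of a user-supplied URL needs the URL validated for scheme, port and, above all, the address the host name resolves to. The following is an added example, not code from the article; plain PHP that runs with the `php` CLI. Inside WordPress the built-in equivalent is `wp_safe_remote_get()`, which applies `wp_http_validate_url()`; this block shows what such a check has to cover. The resolver is injectable so the demo can use a constructed DNS table instead of live lookups; the host names and addresses in that table are constructed (documentation ranges).

```php
<?php
// Added example, not from the article. Plain PHP. The DNS table, host names
// and URLs in the demo are constructed.

function is_public_ip(string $ip): bool {
    // Rejects loopback, link-local (169.254.0.0/16, where cloud metadata
    // services live), RFC 1918 and other reserved ranges, for IPv4 and IPv6.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Returns [ok, reason, pinnedIp]. The caller must connect to pinnedIp (sending
 * the original Host header) so a second DNS answer cannot substitute a private
 * address between validation and fetch (DNS rebinding).
 */
function validate_outbound_url(string $url, ?callable $resolve = null): array {
    $resolve ??= fn(string $h) => gethostbynamel($h) ?: [];
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return [false, 'missing scheme or host', null];
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, 'scheme not allowed', null];      // file://, gopher://, ftp:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return [false, 'credentials in url', null];
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return [false, 'port not allowed', null];
    }
    $host = strtolower(trim($p['host'], '[]'));
    // A literal IP host skips DNS but still gets the range check.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (!$ips) {
        return [false, 'host does not resolve', null];
    }
    foreach ($ips as $ip) {                // every answer must be public
        if (!is_public_ip($ip)) {
            return [false, "resolves to non-public address $ip", null];
        }
    }
    return [true, 'ok', $ips[0]];
}

// Constructed DNS table for the demo (no network access needed).
$fakeDns = fn(string $h) => [
    'example.com'     => ['93.184.216.34'],
    'intranet.corp'   => ['10.0.0.5'],
    'rebind.example'  => ['93.184.216.34', '127.0.0.1'],
][$h] ?? [];

$cases = [
    'https://example.com/feed.xml',
    'http://169.254.169.254/',
    'http://intranet.corp/admin',
    'http://rebind.example/',
    'file:///etc/passwd',
    'http://example.com:8080/',
];
foreach ($cases as $u) {
    [$ok, $why, $ip] = validate_outbound_url($u, $fakeDns);
    printf("%-32s %s\n", $u, $ok ? "allowed (pin $ip)" : "blocked: $why");
}
```

Only the first constructed URL is allowed. The pinned address matters as much as the verdict: validating the name and then letting the HTTP client resolve it again reopens the hole, so the fetch has to use the address that was checked.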

Causes of WordPress Vulnerabilities

Maintaining a WordPress site and understanding the security intricacies of its components can be challenging. The WordPress ecosystem continues to be haunted by plugins that are no longer actively maintained yet remain in use, and by users who do not fully understand the administrative actions they take.

Insecure software, plugins and themes

Users may fail to update the WordPress core, plugins and themes regularly, leaving websites exposed to known security flaws. On average, 42% of WordPress sites have at least one vulnerable software component installed. Installed plugins may also stop receiving attention as developers abandon them, find security issues overwhelming, or choose to focus on other projects.

Outdated WordPress core

An outdated WordPress core leaves you vulnerable, since you miss out on the latest security fixes, compatibility patches and product improvements. While plugins and themes pose the larger threat, at least 49.8% of infected sites were reportedly running an out-of-date version of the platform.

Weak credentials/Authentication mechanism

Using common or default usernames, such as “admin”, and passwords, such as “admin123”, makes it easier for attackers to compromise your site through brute-force attacks on the admin panel. Use a strong, unique username and password combination for each user on your site.

Poor hosting facility

The ideal hosting provider should let you create, schedule or automate backups and restore them. Relying on an unreliable or poorly secured hosting provider introduces security risks stemming from inadequate server configuration and missing security measures.

Undefined user roles/permissions

Improperly configured user roles and permissions can lead to unauthorized access to sensitive areas of a WordPress site, potentially compromising its security. Notably, 58.9% of reported vulnerabilities did not require any authentication to be exploited, and only 13.4% of the new vulnerabilities required an administrator role for successful exploitation.

Default WP-login URL

The default WordPress login page and admin panel paths (/wp-login.php and /wp-admin) are the same on every site, making them easy for attackers to find. These paths can be renamed to make targeted attacks harder.
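Whether or not the login path is renamed, the brute-force attacks described under weak credentials leave a distinctive trace in the web server's access log: WordPress answers a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect, so a burst of `POST /wp-login.php` requests returning 200 from one address is the signal to alert on. The following is an added example, not code from the article; plain PHP that runs with the `php` CLI. The log lines, addresses and thresholds are constructed for the demo.

```php
<?php
// Added example, not from the article. Plain PHP. Log lines, addresses and
// thresholds are constructed for the demo.

const LOGIN_PATHS = ['/wp-login.php', '/xmlrpc.php'];

/** Parse one combined-format access-log line; null if it does not match. */
function parse_line(string $line): ?array {
    // IP - - [time] "METHOD PATH PROTO" STATUS SIZE "REFERER" "UA"
    if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ~', $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'ts'     => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => strtok($m[4], '?'),     // drop the query string
        'status' => (int) $m[5],
    ];
}

/**
 * Returns ['ip' => failed-attempt count] for every address that made at least
 * $threshold failed login POSTs inside any $windowSec-second window.
 */
function find_bruteforce(array $lines, int $threshold = 10, int $windowSec = 60): array {
    $attempts = [];                     // ip => list of timestamps
    foreach ($lines as $line) {
        $e = parse_line($line);
        if ($e && $e['method'] === 'POST' && in_array($e['path'], LOGIN_PATHS, true)
            && $e['status'] === 200) {
            $attempts[$e['ip']][] = $e['ts'];
        }
    }
    $flagged = [];
    foreach ($attempts as $ip => $times) {
        sort($times);
        $start = 0;
        foreach ($times as $i => $t) {
            while ($t - $times[$start] > $windowSec) {   // slide the window forward
                $start++;
            }
            if ($i - $start + 1 >= $threshold) {
                $flagged[$ip] = count($times);
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample: 12 failed attempts from one address inside 40 seconds,
// one successful login (302) from another, and ordinary page views.
$lines = [];
for ($i = 0; $i < 12; $i++) {
    $sec = str_pad((string) ($i * 3), 2, '0', STR_PAD_LEFT);
    $lines[] = "203.0.113.7 - - [25/Apr/2024:10:15:$sec +0000] \"POST /wp-login.php HTTP/1.1\" 200 4123 \"-\" \"Mozilla/5.0\"";
}
$lines[] = '198.51.100.2 - - [25/Apr/2024:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';
$lines[] = '198.51.100.2 - - [25/Apr/2024:10:15:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"';
$lines[] = '192.0.2.9 - - [25/Apr/2024:10:16:00 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"';

foreach (find_bruteforce($lines) as $ip => $n) {
    echo "$ip: $n failed login attempts within the window", PHP_EOL;
}
```

The demo flags only `203.0.113.7`. `/xmlrpc.php` is included because its `system.multicall` method lets many credential checks ride on one request, so the per-IP threshold should be lower for that path if the site needs XML-RPC at all; if it does not, disabling it removes the endpoint entirely.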

Conclusion

To fully enjoy the benefits of WordPress as a content management system, it is necessary to secure against the common vulnerabilities described in this article through adequate security efforts.

Although the WordPress core is relatively safe and actively patched, users often extend their sites with plugins and themes that may not be vetted for security issues and can compromise the rest of the site.

WordPress developers and administrators are urged to follow the official security guides to prevent attacks and mitigate common WordPress vulnerabilities.
