Vulnerabilities in WordPress Plugins: A Terrifying Trend

We look at the terrifying trend in WordPress plugin vulnerabilities and the security risks they pose, and explain how to protect your site from them.

By Claudio Pires
Updated on February 15, 2024

Every third site on the Internet runs on WordPress, and this number is constantly growing. This popularity rests on the fact that WordPress is a very convenient content management system with a large ecosystem of plugins, and its core engine is constantly updated with security fixes. In today's article, we look at the terrifying trend in WordPress plugin vulnerabilities and the security risks they pose, and explain how to protect your site from those problems.

About 80% of CMS attacks are aimed at WordPress. Attackers reason that once they have gained control over one site, they can take control of many others in the same way, and that is quite logical: WordPress is present on 500 million sites.

The Alarming Increase in Plugin Vulnerabilities

Recent studies have shown a significant increase in the number of security vulnerabilities discovered in WordPress plugins. These plugins, which extend the functionality and add new features to websites, have become the Achilles’ heel of many online platforms. From SEO optimization tools to contact form builders, no plugin category is immune to these security flaws.

Why Does This Matter?

The implications of these vulnerabilities are far-reaching. Attackers can exploit them to gain unauthorized access to websites, steal sensitive data, distribute malware, and even take control of an entire site. For businesses, this can mean a loss of consumer trust and revenue, and potentially severe legal ramifications. Read on for the security risks of WordPress plugin vulnerabilities and how to protect your site from them.

Vulnerabilities in WordPress Plugins

Attackers use bots that crawl WordPress sites with ready-made hacking tools. If you do not have solid protection, it is only a matter of time before one bot or another reaches your site and compromises it using a list of known vulnerabilities. In addition, if your site is of interest to a specific attacker, they will come and try to hack it manually. Protecting against manual attacks requires more advanced protection methods.

Website security is an essential foundation for any website. While the WordPress core engine is well protected, the same cannot be said for the myriad third-party plugins. Vulnerable plugins can be used for relatively harmless adware activity such as Yahoo redirects, but most such attacks completely take over your website.

Security researchers from Wordfence.com identified several dangerous vulnerabilities in five plugins for the WordPress content management system, totaling more than a million installations.

This plugin has more than 1 million installs. The problem was assigned a severity of 9 out of 10 (CVSS). The vulnerability allows an authenticated user with subscriber rights to delete or hide (change the status to an unpublished draft) any page on the site, as well as to substitute its content. The vulnerability was fixed in release 1.8.3.

WordPress Plugins Vulnerabilities: ThemeGrill Demo Importer plugin

This plugin has more than 100 thousand installs. Attacks on sites using the plugin began soon after details of this vulnerability were published, and the number of installations has since dropped to 100 thousand. The vulnerability allows a visitor to clear the contents of the site database, resetting it to a fresh-installation state.

If a user named 'Admin' exists in the database, the vulnerability also allows an attacker to gain complete control over the site. The flaw lay in the authentication check applied to a visitor passing privilege-escalation commands via the /wp-admin/admin-ajax.php script. The problem was fixed in version 1.6.2.

Vulnerability in the ThemeREX Addons plugin

This plugin is installed on 44,000 sites. The problem has a severity of 9.8 out of 10. The vulnerability allows an unauthenticated user to execute arbitrary PHP code on the server and to replace the site administrator's account by sending a specially crafted request via the REST API. Several cases of exploitation of this vulnerability have been observed. An update fixing the problem was released in late February.

wpCentral plugin

This plugin is installed on 60,000 sites. The problem has a severity of 8.8 out of 10. The vulnerability allows any authenticated visitor, including subscribers, to escalate their privileges, become a site administrator, and access the wpCentral control panel. The plugin developers fixed the problem in version 1.5.1.

Vulnerability in the Profile Builder plugin

This plugin has about 65,000 installs. The problem has a severity of 10 out of 10. The vulnerability allows an unauthenticated user to create an account with administrator rights. The plugin lets site owners build registration forms, and a user submitting such a form could pass an additional field containing the user role, assigning themselves administrator rights. The problem was fixed in version 3.1.1.

More facts

In addition, security researchers found a network that distributed trojanized plugins and themes for WordPress. Attackers placed pirated copies of paid plugins on dummy directory sites, with backdoors pre-integrated to access the site remotely and download commands from an attacker-controlled command server. After activation, the malicious code launches malicious or deceptive ads, such as warnings about installing an antivirus or updating the browser.

The compromised sites were also used for search engine optimization to promote the sites that distribute the malicious plugins. According to preliminary data, more than 20,000 sites were affected with the help of these plugins. Among the victims are a decentralized mining platform, a trading company, a bank, several large companies, a developer of credit-card payment solutions, IT companies, and others.

Mitigating the Risk of WordPress Vulnerabilities

The good news is that there are steps both website owners and developers can take to mitigate these risks. Regularly updating plugins and WordPress is crucial, as updates often contain security patches.

Additionally, website owners should practice the principle of least privilege by only granting necessary permissions to plugins. On the other hand, developers should adhere to security best practices, such as sanitizing inputs and regularly auditing their code.
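As an added illustration (not code from Profile Builder, ThemeGrill, or any other plugin named in this article), here is the registration pattern described above, where the role is taken from the submitted form, beside a hardened form, plus an admin-ajax handler guarded the way the subscriber-level page-status flaw requires. Function names, nonce actions and form field names are hypothetical.

```php
<?php
// Added illustration, not code from any plugin named in the article; function,
// nonce and field names are hypothetical. Standard WordPress API calls only.
// Vulnerable: the role comes straight from the form, so any visitor who adds a
// hidden "role" field to the request registers as an administrator.
function vm_register_user_vulnerable() {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ),
        'user_email' => sanitize_email( $_POST['email'] ),
        'user_pass'  => $_POST['password'],
        'role'       => $_POST['role'],             // attacker-controlled
    ) );
}
// Hardened: self-registration always gets 'subscriber'; a different role may be
// chosen only by a caller who can already promote users, and only if it exists.
function vm_register_user_hardened() {
    check_ajax_referer( 'vm_register', 'nonce' );   // reject forged requests
    $role = 'subscriber';
    if ( isset( $_POST['role'] ) && current_user_can( 'promote_users' ) ) {
        $requested = sanitize_key( $_POST['role'] );
        if ( array_key_exists( $requested, wp_roles()->roles ) ) {
            $role = $requested;
        }
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ),
        'user_email' => sanitize_email( $_POST['email'] ),
        'user_pass'  => $_POST['password'],
        'role'       => $role,                      // decided server-side
    ) );
}
// Hardened admin-ajax handler: nonce plus a capability check on the target post,
// so a subscriber cannot unpublish or rewrite pages they do not own.
function vm_ajax_set_post_status() {
    check_ajax_referer( 'vm_set_status', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( ! in_array( $status, array( 'publish', 'draft' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ hook: unauthenticated admin-ajax.php requests never reach it.
add_action( 'wp_ajax_vm_set_post_status', 'vm_ajax_set_post_status' );
```

The two checks that matter are that the role is decided server-side rather than read from the request, and that the handler verifies both a nonce and a capability on the specific post before changing anything.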

Conclusion: Vulnerabilities in WordPress Plugins

In conclusion, to keep your WordPress site safe, keep your eyes open and monitor all installed plugins. We recommend removing non-essential plugins to minimize the chance of a site hack. It is also crucial to update all plugins regularly.

Claudio Pires

Claudio Pires is the co-founder of Visualmodo, a renowned company in web development and design. With over 15 years of experience, Claudio has honed his skills in content creation, web development support, and senior web design. A trilingual expert fluent in English, Portuguese, and Spanish, he brings a global perspective to his work. Beyond his professional endeavors, Claudio is an active YouTuber, sharing his insights and expertise with a broader audience. Based in Brazil, Claudio continues to push the boundaries of web design and digital content, making him a pivotal figure in the industry.