WordPress powers more than 43% of all websites worldwide. This ubiquity makes it the most attacked target on the web. Thousands of CVEs are published every year affecting WordPress, its themes and its plugins. Here's how to navigate this landscape.
Why Does WordPress Concentrate So Many CVEs?
WordPress has a triple attack surface:
- WordPress core — relatively well-maintained by the official security team
- Plugins — 60,000+ in the official repository, highly variable quality
- Themes — thousands available, often abandoned by their developers
The reality: 94% of WordPress attacks target vulnerable plugins, not the core.
The Most Common WordPress CVE Types
SQL Injection
Plugins that construct SQL queries without parameterisation are vulnerable:
```php
// Vulnerable: the request parameter is concatenated straight into the SQL string,
// so a crafted value for ?id= rewrites the query
$results = $wpdb->get_results("SELECT * FROM wp_posts WHERE post_author = " . $_GET['id']);

// Secure: $wpdb->prepare() binds the value as an integer (%d) before the query runs
$results = $wpdb->get_results($wpdb->prepare("SELECT * FROM wp_posts WHERE post_author = %d", $_GET['id']));
```
SQL injection can allow extraction of the entire database, including password hashes.
Cross-Site Scripting (XSS)
Stored XSS is particularly dangerous in WordPress because malicious content injected once into the database is served to all visitors. An admin visiting an infected page can have their session cookies stolen, leading to full compromise.
Broken Access Control / IDOR
WordPress uses a role system (admin, editor, author, subscriber). Plugins that don't properly check permissions allow low-privilege users to perform admin-only actions.
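As an added illustration (not code from this article or from any real plugin), here is a hypothetical AJAX handler that lists a given author's posts, first with the three defect classes above (SQL injection, unescaped output, missing authorization), then in its hardened form; the action name `demo_author_posts`, the `edit_posts` capability and the nonce name are assumptions:

```php
<?php
// Hypothetical plugin handler used to contrast the insecure and secure patterns.

// --- Vulnerable: no auth check, no nonce, string-built SQL, unescaped output ---
// Registered under wp_ajax_nopriv_, so any unauthenticated visitor can call it.
add_action( 'wp_ajax_nopriv_demo_author_posts', 'demo_author_posts_vulnerable' );
function demo_author_posts_vulnerable() {
    global $wpdb;
    // SQL injection: $_GET['id'] is concatenated into the query unvalidated.
    $rows = $wpdb->get_results( "SELECT ID, post_title FROM wp_posts WHERE post_author = " . $_GET['id'] );
    foreach ( $rows as $row ) {
        // Stored XSS: post_title is echoed without escaping, so a title saved by a
        // low-privilege author runs as script in every visitor's browser.
        echo '<li>' . $row->post_title . '</li>';
    }
    wp_die();
}

// --- Hardened: capability check, nonce, prepared statement, escaped output ---
// Registered under wp_ajax_ only, so WordPress requires a logged-in user.
add_action( 'wp_ajax_demo_author_posts', 'demo_author_posts_secure' );
function demo_author_posts_secure() {
    global $wpdb;
    // Access control: gate on a capability, never on "is logged in" alone.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the nonce proves the request came from our own UI.
    check_ajax_referer( 'demo_author_posts', 'nonce' );
    // Input validation: coerce to a non-negative integer before it reaches SQL.
    $author_id = absint( $_GET['id'] ?? 0 );
    // Parameterised query; $wpdb->posts carries the site's real table prefix.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d", $author_id )
    );
    $items = array();
    foreach ( $rows as $row ) {
        // Output encoding: esc_html() neutralises anything stored in the title.
        $items[] = array( 'id' => (int) $row->ID, 'title' => esc_html( $row->post_title ) );
    }
    wp_send_json_success( $items );
}
```

Each of the four checks in the hardened handler maps to one CVE class from the sections above; dropping any one of them reintroduces that class.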
Remote Code Execution via Upload
File management plugins (File Manager, WP File Manager) have been responsible for numerous critical CVEs enabling the upload and execution of PHP files.
Notable WordPress CVEs
CVE-2024-4439 — WordPress Core XSS (CVSS 7.2)
A stored XSS in the Avatar block of WordPress 6.5.0 and earlier. Allowed script injection via comments.
CVE-2023-6553 — Backup Migration Plugin RCE (CVSS 9.8)
An unauthenticated RCE in the Backup Migration plugin (500,000+ installs) via remote PHP file inclusion.
CVE-2023-3460 — Ultimate Member Plugin (CVSS 9.8)
A registration bypass in Ultimate Member allowed admin account creation without authentication. Massively exploited to install backdoors.
CVE-2022-0739 — BookingPress Plugin (CVSS 9.8)
An unauthenticated SQL injection in BookingPress allowed complete database extraction via the booking API.
Setting Up WordPress CVE Monitoring
1. Follow Official Sources
- WPScan Vulnerability Database (wpscan.com) — the reference for WordPress CVEs
- Wordfence Intelligence — detailed analyses and statistics
- Patchstack — real-time alerts
2. Use cveo.tech for Monitoring
On cveo.tech, you can:
- Search directly for `wordpress [plugin-name]` to see associated CVEs
- Register your WordPress stack as an asset in your inventory
- Receive automatic alerts as soon as a new CVE is published
3. Automate Updates
```bash
# Via WP-CLI — integrate into a cron job
wp core update
wp plugin update --all
wp theme update --all
```
4. Deactivate Unused Plugins
A deactivated but still-installed plugin remains vulnerable. WordPress doesn't execute deactivated plugin code, but the files are present and can be directly targeted if the web server exposes them.
Additional Hardening Measures
| Measure | Impact |
|---|---|
| Disable theme/plugin editor in dashboard | Blocks code modification via admin |
| Limit login attempts | Reduces brute force risk |
| 2-factor authentication on admin accounts | Session theft mitigation |
| Disable XMLRPC if unused | Reduces attack surface (brute force, DDoS) |
| wp-config.php outside web root | Prevents direct access to config file |
| Security headers (CSP, HSTS) | XSS and HTTPS downgrade mitigation |
Conclusion
WordPress security is not a state but an ongoing process. CVE monitoring is essential — an unpatched popular plugin can expose millions of sites within hours.
Set up automated monitoring of your WordPress components on cveo.tech.