
Most Dangerous Vulnerabilities in WordPress Plugins

In the annual Patchstack report about WordPress security, which I recently published, we shared some insight into which security vulnerabilities are most commonly found in the WordPress ecosystem.

While Cross-Site Scripting, Cross-Site Request Forgery, and Broken Access Control are the most common ones, they might not necessarily be the most dangerous ones.

In this post today, I’ll cover the characteristics of the most dangerous security vulnerabilities in the WordPress ecosystem.

Top 3 most dangerous WordPress security vulnerabilities

Let’s look into security vulnerabilities which we see commonly mass-exploited and which are used to take over entire websites and cause the most harm.

1. Unauthenticated Privilege Escalation

Privilege escalation vulnerabilities allow hackers to essentially become admins by exploiting some mechanism that lets them log in as any user. It’s common for hackers to use this vulnerability to try to log in to the account with the lowest possible user ID, which in most cases is an account with administrator privileges.

After successful exploitation, the hackers usually upload a fake plugin which gives them full filesystem and database access.

2. Unauthenticated WordPress settings change

WordPress settings have a lot of control over the security on a site. For example, if a vulnerability allows unauthenticated users to change any WordPress settings, then they can open up the site registration and set the default role of new accounts to administrator.

As with the first one, after successful exploitation the hackers usually upload a fake plugin that gives them full filesystem and database access.
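To make the root cause of this class concrete, here is an added illustration (not code from the Patchstack post or from any real plugin) of a plugin REST endpoint that lets unauthenticated callers change arbitrary WordPress options, beside a hardened version. The route name `myplugin/v1/setting` and the option `myplugin_banner_text` are hypothetical.

```php
<?php
// Added example, not from the post or any real plugin. Names are hypothetical.

// --- VULNERABLE: the "unauthenticated settings change" class ------------------
// permission_callback '__return_true' makes the route reachable without logging
// in, and the option name is taken from the request, so a caller can change
// core options such as users_can_register and default_role.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/setting', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( $req->get_param( 'name' ), $req->get_param( 'value' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );

// --- HARDENED ------------------------------------------------------------------
// 1) The permission callback requires the manage_options capability, which
//    only administrators hold by default (cookie auth also needs a valid nonce).
// 2) The option name is fixed in code (an allow-list of one), so the request
//    cannot choose to write default_role or users_can_register.
// 3) The value is sanitized and validated before it is stored.
const MYPLUGIN_OPTION = 'myplugin_banner_text'; // hypothetical plugin option

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/setting', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'value' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            // Only the plugin's own option can be written.
            update_option( MYPLUGIN_OPTION, $req->get_param( 'value' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );
```

The same two checks (a capability check in the permission callback and a fixed, allow-listed option name) apply equally to `admin-ajax.php` handlers registered with `wp_ajax_nopriv_*`, which are reachable without authentication by design.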

3. Unauthenticated site-wide stored cross-site scripting (XSS)

Site-wide stored XSS allows malicious users to inject code into a website, which is then executed on every page load. Compared to the other two, the hacker might not get full access to the WordPress installation (though in theory they could), but they will be able to control how the website behaves for visitors (such as redirecting traffic, showing ads, etc.).

Unauthenticated vs authenticated

As you may notice on the list above, all three of the most dangerous security vulnerability types are unauthenticated. This means that an attacker does not require any prior access to the website.

This is an important factor that plays a big role in whether a vulnerability will be mass-exploited or not.

Therefore, unauthenticated security vulnerabilities are the most dangerous ones and account for the majority of mass-exploited vulnerabilities. They are followed by vulnerabilities requiring the lowest possible authentication levels, such as Subscriber and Customer (WooCommerce).

If we look at all vulnerabilities found in 2023, 58.84% were unauthenticated, and 11.90% required Subscriber level authentication. The fact that over half of the vulnerabilities are unauthenticated is rather concerning.

Although unauthenticated vulnerabilities and those requiring the lowest Subscriber/Customer level are the most dangerous, vulnerabilities requiring Contributor, Author, Editor, or even Administrator privileges should not go unnoticed.

It’s common for hackers to take over accounts, so in more targeted attacks, such vulnerabilities can still pose a serious security risk.

Conclusion

The most dangerous vulnerabilities, which are most often mass-exploited and cause damage, are unauthenticated or require the lowest possible authentication level, such as Subscriber or a special WooCommerce Customer role.

The most dangerous vulnerability types allow hackers to take complete control over the website or control how the website behaves for visitors. Hackers are most interested in vulnerabilities that allow them to gain administrator privileges or remote code execution.

If you want to learn more about WordPress security vulnerabilities and their types, you can find a more in-depth overview here: https://patchstack.com/articles/common-plugin-vulnerabilities-how-to-fix-them/
