New Report Highlights Ongoing WordPress Vulnerabilities, With 20% Rated High Or Critical And 67% Medium

WPScan’s 2024 WordPress vulnerability report summarises the security threats that WordPress sites keep running into and that website publishers should understand. According to the report, roughly 20% of the vulnerabilities it catalogued were rated high or critical, while 67% were rated medium. Some of the risk, from malware and from vulnerabilities in the software itself, cannot be avoided entirely. But publishers also make mistakes that leave their sites more exposed than they need to be, and those can be avoided by deciding carefully which extensions to keep, update or disable.

The most severe category, critical vulnerabilities, made up 2.38% of the total. Combined with high-severity vulnerabilities at 17.68%, the two account for about 20% of everything reported. The report also divides vulnerabilities by whether exploitation requires authentication. Authenticated vulnerabilities can only be exploited by an attacker who first obtains credentials for an account at a particular permission level; unauthenticated vulnerabilities can be attacked directly, with no account at all, which makes them the easiest to exploit. According to the WPScan report, 22% of the vulnerabilities reported required no authentication, while 30.71% required administrator-level permissions.

Many WordPress sites are compromised not through a published vulnerability but through weak passwords and nulled plugins. Nulled plugins are pirated copies of commercial plugins and themes, and they are a common way for malware to get onto a site. Weak passwords are easily guessed by brute-force attacks, or obtained through social-engineering tactics such as phishing and pretexting.

Broken down by the access an attacker needs, the largest share of vulnerabilities required administrator-level credentials (30.71%), followed by vulnerabilities exploitable through CSRF (Cross-Site Request Forgery) at 19.26%, where a logged-in user is tricked into submitting a request the attacker crafted. The rest required a Contributor account (19.62%), no authentication at all (12.35%) or an Author account (1.19%). Broken access control, in WordPress terms, is a failure to check that the user making a request actually has the permission the action requires, so a low-privileged or unauthenticated attacker can perform actions reserved for higher roles. The WPScan report ranks broken access control as the most common vulnerability class at 84.99%, followed by SQL injection at 20.64%.
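To make the authentication levels and the broken-access-control and CSRF categories above concrete, here is an added example (not from the WPScan report and not from any real plugin) of a hypothetical plugin's admin-ajax.php handler, first written the vulnerable way and then hardened. The plugin prefix `myplugin_`, the option name, the action names and the `settings_page_myplugin` hook suffix are invented for illustration; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `update_option`, `sanitize_text_field`, `wp_unslash`, `wp_send_json_success`, `wp_send_json_error`, `wp_create_nonce`, `wp_localize_script`) are standard WordPress APIs.

```php
<?php
/*
 * Added example, not from the WPScan report or any real plugin: a
 * hypothetical plugin's AJAX handler as it is commonly (mis)written,
 * followed by a hardened version. Names prefixed "myplugin_" are
 * invented for illustration.
 */

// ---------------------------------------------------------------------
// VULNERABLE: reachable unauthenticated, no access control, no CSRF check.
// ---------------------------------------------------------------------
// The wp_ajax_nopriv_ hook runs for visitors who are NOT logged in, and
// wp_ajax_ runs for ANY logged-in role (subscriber, contributor, author...).
add_action( 'wp_ajax_nopriv_myplugin_save_setting', 'myplugin_save_setting_vulnerable' );
add_action( 'wp_ajax_myplugin_save_setting', 'myplugin_save_setting_vulnerable' );

function myplugin_save_setting_vulnerable() {
    // No nonce check      -> a forged cross-site POST succeeds (CSRF).
    // No capability check -> anyone, even unauthenticated, can change a
    //                        site-wide option (broken access control).
    // No sanitization     -> attacker-controlled markup is stored verbatim.
    update_option( 'myplugin_setting', $_POST['value'] );
    wp_send_json_success();
}

// ---------------------------------------------------------------------
// HARDENED: logged-in only, nonce-protected, capability-checked, sanitized.
// ---------------------------------------------------------------------
// Register ONLY the logged-in hook; an unauthenticated visitor has no
// business reaching a settings handler at all.
add_action( 'wp_ajax_myplugin_save_setting_v2', 'myplugin_save_setting_hardened' );

function myplugin_save_setting_hardened() {
    // 1. CSRF: verify the nonce tied to this specific action. On failure
    //    check_ajax_referer() stops execution with an error response.
    check_ajax_referer( 'myplugin_save_setting', 'nonce' );

    // 2. Access control: require the capability the action really needs.
    //    Changing site options is an administrator-level task, so check
    //    manage_options rather than a weaker capability such as edit_posts.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input handling: unslash and sanitize before storing.
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';

    update_option( 'myplugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}

// The nonce must be issued server-side to the page that sends the AJAX
// request; here it is handed to the plugin's admin script.
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );

function myplugin_enqueue_admin_script( $hook_suffix ) {
    // Only load the script (and expose the nonce) on the plugin's own
    // settings page; the hook suffix is hypothetical for this example.
    if ( 'settings_page_myplugin' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script(
        'myplugin-admin',
        plugins_url( 'admin.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'    => admin_url( 'admin-ajax.php' ),
        'action' => 'myplugin_save_setting_v2',
        'nonce'  => wp_create_nonce( 'myplugin_save_setting' ),
    ) );
}
```

Each missing check in the vulnerable handler maps onto one of the report's categories: registering the `wp_ajax_nopriv_` hook makes the flaw unauthenticated, the missing nonce makes it exploitable by CSRF, and the missing `current_user_can()` call is the broken access control that lets a subscriber or contributor do administrator work. The two checks are not interchangeable: a nonce proves the request came from a page WordPress served to that user, not that the user is allowed to perform the action, so a handler that verifies a nonce but never checks a capability is still a broken-access-control bug.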

Most vulnerabilities were reported in third-party plugins and themes rather than in WordPress itself. WordPress core had 13 vulnerabilities reported in 2023, only one of which was rated high, the second-most-severe level after critical. These severity levels come from the Common Vulnerability Scoring System (CVSS). SEO site audits are not meant to cover website security, but they should at least review the site's security headers. A security problem quickly becomes an SEO problem once a compromised site starts losing rankings. Strong passwords and two-factor authentication should be the first priority for keeping a site away from malware and attackers.

