The attack this article refers to as the “s3cr3t” attack assumes the attacker already has access to your database and wants to use that access to do further damage: read password hashes and user data, plant an administrator account, or inject content into posts and options.
That access is usually obtained in one of two ways: the attacker compromises your hosting account and reads the credentials from wp-config.php, or the site is infected through a vulnerable plugin or theme. In the second case, update every plugin and theme as soon as possible (ideally before an attacker can exploit the weakness). In either case, assume the database credentials are known: rotate the database password and regenerate the authentication keys and salts in wp-config.php so that any session cookies the attacker forged stop validating.
WordPress is the world’s most popular CMS, with roughly 60% of the CMS market (W3Techs, 2019), which also makes it the platform most frequently targeted by criminals: a single working exploit applies to millions of sites at once.
The good news is that there are many ways to secure your WordPress site and prevent it from being hacked or compromised. In this article, we’ll look at some of the most common security vulnerabilities in WordPress and how you can protect yourself against them.
WordPress security vulnerabilities
WordPress is the most popular CMS in the world and runs millions of websites. Core ships with sensible defaults and is patched quickly, but vulnerabilities still turn up, most often in third-party plugins and themes. Here is a list of recent WordPress vulnerabilities and some ways you can protect your site against them.
WordPress Vulnerability List
This page lists known WordPress vulnerabilities, with a description of each one and how to protect against it. You can also subscribe to email alerts for newly disclosed vulnerabilities.
WordPress Vulnerability Scanner
You can check your site for known issues with the free Sucuri SiteCheck scanner, which reports the problems it finds so you know what needs fixing. Keep in mind that it is a remote scanner: it only sees what your site exposes publicly (injected scripts, blacklist status, an outdated core version where that is visible), so it does not replace checking the installed core, plugin and theme versions from the dashboard or with WP-CLI.
This article collects WordPress security vulnerabilities disclosed from 2009 until now (2019).
The WordPress Vulnerability Database (WPVulnDB) is a public catalogue of security issues in WordPress core, plugins and themes.
It is maintained by the WPScan team, which also publishes the WPScan command-line scanner and a WordPress plugin that checks your installed core, plugin and theme versions against the database.
The database is updated daily as new vulnerabilities in core, plugins and themes are disclosed.
WordPress is the most popular content management system (CMS) in the world, powering roughly a third of all websites. Core is also actively maintained, with a long record of prompt security patches and, since version 3.7, automatic background updates for minor releases.
But WordPress does have its fair share of vulnerabilities, and the large majority of real-world compromises come through outdated or poorly written plugins and themes rather than core.
Here are some of the most critical WordPress security issues reported over the past year:
WordPress 5.9.3 Vulnerability – CVE-2019-1499
WordPress 5.0 to 5.2 Vulnerability – CVE-2019-13785
WordPress 4.9 to 4.9.4 Vulnerabilities (CVE-2018-19015 & CVE-2018-19016)
WordPress 4.8 to 4.8.2 Vulnerabilities (CVE-2018-18376 & CVE-2018-18377)
WordPress 4.7 to 4.7 Version Update – A Critical Vulnerability! (CVE-2018-1000802)
WordPress 3rd Party Plugins Security Vulnerability (CVE 2018 – 20191016)
WordPress is the most popular CMS in the world, powering roughly a third of all websites on the Internet. That makes it a prime target for attackers, who look for vulnerabilities in core, plugins and themes to gain access to your site, steal data or install malware.
While WordPress has steadily improved its security over the years, exploitable vulnerabilities still appear. That is why you need to keep core, plugins and themes up to date at all times, and why a reputable security plugin is worth installing. Note that a plugin adds monitoring and blocking; it does not substitute for applying updates.
The following WordPress security plugins will help you find and fix problems on your site:
Wordfence (free, with a premium tier) – A widely used plugin that combines a web application firewall, malware scanning and login hardening (rate limiting, two-factor authentication). The premium tier mainly adds real-time firewall rule and malware signature updates.
Sucuri Security (free, with a paid firewall service) – Monitors file integrity and logs security events, scans for malware and blacklisting, and offers post-hack hardening. Brute-force protection for the login page and the cloud WAF require the paid Sucuri firewall.
WordPress 5.9.3 has been released to address security issues and other bugs.
WordPress 5.9.3 is now available. According to the official announcement, this is a security and maintenance release for all versions since WordPress 3.7 (released in October 2013).
WordPress 5.9.3 addresses three vulnerabilities. One allows a user who is permitted to post comments to inject script into a page, a cross-site scripting (XSS) attack. The other two are cross-site request forgery (CSRF) vulnerabilities: by tricking an administrator into visiting a malicious website or application, an attacker can have the administrator’s own browser, carrying the administrator’s cookies, perform privileged actions and thereby take over the administrator account.
The XSS vulnerability was discovered by researcher Mohamed Atef Alayoubi ( @Mohamed_Atef ), while the two CSRF issues were reported by Mohamed Abou El-Nasr ( @mohamedaboueln ).
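To make the two bug classes concrete, here is an added example (not WordPress core code and not the fix shipped in the release above): a plugin-style settings form handler written twice, first with both defects and then closed with the standard WordPress APIs. The option name 'demo_banner_text', the action 'demo_save_banner' and the nonce field 'demo_nonce' are hypothetical.

```php
<?php
// Added example, not WordPress core code: a plugin-style settings form
// handler written twice. The first version carries the two bug classes
// named above (XSS and CSRF); the second closes them with the standard
// WordPress APIs. Option name 'demo_banner_text', action 'demo_save_banner'
// and nonce field 'demo_nonce' are hypothetical.

// VULNERABLE: every request that reaches this function is trusted.
function demo_save_banner_vulnerable() {
    // No nonce: a page the administrator is lured to can auto-submit a POST
    // here with the admin's own cookies attached (CSRF).
    // No capability check: any logged-in user, even a subscriber, can run it.
    update_option( 'demo_banner_text', $_POST['banner_text'] );
    // Raw output: stored markup such as <script> runs in the browser of
    // every admin who views it (stored XSS).
    echo '<div class="notice">Saved: ' . get_option( 'demo_banner_text' ) . '</div>';
}

// HARDENED: authorisation, request-origin check, sanitise in, escape out.
function demo_save_banner_hardened() {
    // Least privilege: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF: the request must carry a nonce tied to this action and this
    // user's session; check_admin_referer() calls wp_die() on mismatch.
    check_admin_referer( 'demo_save_banner', 'demo_nonce' );

    // Sanitise on input so no tags are ever stored.
    $text = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';
    update_option( 'demo_banner_text', $text );

    // Escape on output for the context it lands in (HTML body). A real
    // handler would wp_safe_redirect() back to the settings page instead.
    echo '<div class="notice">Saved: ' . esc_html( get_option( 'demo_banner_text' ) ) . '</div>';
}

// The form that posts to the hardened handler must carry the matching nonce.
function demo_render_banner_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_banner">
        <?php wp_nonce_field( 'demo_save_banner', 'demo_nonce' ); ?>
        <input type="text" name="banner_text"
               value="<?php echo esc_attr( get_option( 'demo_banner_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// admin-post.php dispatches to this hook for logged-in users.
add_action( 'admin_post_demo_save_banner', 'demo_save_banner_hardened' );
```

A nonce is not an authorisation check. It proves the request came from a form WordPress rendered for this user within the last 12 to 24 hours, which is exactly what a CSRF request cannot produce, but it is the capability check that keeps a subscriber out. Both are needed, and escaping has to happen at output time for the context (esc_html for the body, esc_attr inside attributes, esc_url for links) because sanitising on input alone does not cover values that reach the page by other routes.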
In addition, WordPress 5.9.3 fixes several bugs, including cases where Customizer settings were not applied correctly and an error shown on the network admin page when an invalid setting was entered during installation on multisite networks configured with a subdomain per site.
WordPress 5.9.3 Security Release
The WordPress 5.9.3 security release is now available to download or update from your WordPress dashboard. We strongly encourage you to update your sites to the latest version as soon as possible.
The WordPress team has fixed two security issues in this release:
A user reported a bug where the rename feature in the media modal could be used to delete files on their site via the PHP file APIs. The vulnerability allowed users to gain access to sensitive information, including file paths and content on their site. This issue is resolved in WordPress 5.9.3 by adding a check for unsafe file paths when using the rename function in the media modal (CVE-2019-6550).
A user reported that it was possible for logged out users to see if other users had been invited by email for a private event using the “Accept Invitation” button, even if they were not added as an attendee or guest of that event yet. This issue is resolved in WordPress 5.9.3 by preventing logged out users from seeing private activity, including invitations (CVE-2019-6551).
WordPress 5.9.3
WordPress 5.9.3 is now available! This is a security and maintenance release for all versions since WordPress 3.7. This release fixes two minor vulnerabilities and includes 27 maintenance fixes to the 5.9 release family. We strongly encourage you to update your sites immediately.
The second vulnerability is more severe as it allows an attacker to perform a cross-site scripting attack using a private message on WordPress sites:
The third one is also more severe as it allows an attacker to delete user accounts on WordPress sites:
WordPress 5.9.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 5.2 and earlier are affected by seven security issues:
An issue was discovered in the wp_get_attachment_metadata function in WP-API. A cross-site scripting (XSS) vulnerability can be exploited by sending an attachment URL with a file extension that is not registered with PHP’s mime-types configuration to /wp-json/wp/v2/media?attachments[].
A cross-site scripting (XSS) vulnerability was discovered in the search query text box in the Classic Editor. The fix for this was included as part of core changeset f8d3a7e1a4aa64f0b6a0d1f39cdf6b2c9f9d5e874 and merged into the 3.2 branch on 20 March 2019.
WordPress has been hit by a new vulnerability that could allow attackers to remotely execute code on affected websites.
The latest WordPress update, version 5.9.3, patches the issue, and WordPress is urging all users to update immediately.
WordPress has published a blog post detailing the issue as well as why you should update immediately:
“A cross-site scripting (XSS) vulnerability was discovered in the Flash fallback for video uploaded to WordPress via the MediaElementJS plugin. The Flash file uploader does not validate input correctly and can be forced to run arbitrary JavaScript if an attacker uploads a file with an image name that begins with ‘h’ or ‘u’ (depending on how it’s encoded).”
WordPress Vulnerability Database
Many different types of vulnerability can affect WordPress sites. Two of the most damaging categories are Remote Code Execution (RCE), where the attacker gets the server to run code of their choosing, and SQL Injection (SQLi), where untrusted input is spliced into a database query and changes what the query does. These technical terms might sound scary, but they are easy to understand once explained properly. If you want an introduction to RCEs and SQLis then read our guide on how to fix an RCE or SQLi vulnerability on your
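The two categories just described, shown as an added example (not code from this page or from WordPress core): each appears as a vulnerable plugin snippet next to its fix, using the real $wpdb and plugin_dir_path() APIs. The table name 'demo_tickets', its columns and the 'templates/' directory are hypothetical.

```php
<?php
// Added example, not from the page or WordPress core: the two bug classes
// named above, each as a vulnerable plugin snippet next to the fix.
// Hypothetical table '{$wpdb->prefix}demo_tickets' and directory 'templates/'.

// --- SQL injection --------------------------------------------------------

// VULNERABLE: request input is spliced straight into the SQL string.
// ?status=open' OR '1'='1 returns every row; a UNION payload can read
// wp_users.user_login and user_pass hashes through the same query.
function demo_tickets_by_status_vulnerable( $status ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}demo_tickets WHERE status = '$status'";
    return $wpdb->get_results( $sql );
}

// HARDENED: $wpdb->prepare() takes printf-style placeholders (%s, %d, %f);
// the value is escaped and quoted by the database layer, so a quote in
// $status can never end the string literal.
function demo_tickets_by_status_hardened( $status ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}demo_tickets WHERE status = %s",
        $status
    );
    return $wpdb->get_results( $sql );
}

// Identifiers (table and column names) cannot be bound as parameters.
// Restrict them to an allow-list instead of trusting the request.
function demo_tickets_sorted( $sort_by ) {
    global $wpdb;
    $allowed = array( 'id', 'title', 'created_at' );
    if ( ! in_array( $sort_by, $allowed, true ) ) {
        $sort_by = 'id';
    }
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}demo_tickets ORDER BY {$sort_by}"
    );
}

// --- Remote code execution via file inclusion ----------------------------

// VULNERABLE: the request chooses the file PHP executes. With
// ?tpl=../../uploads/2019/03/avatar.jpg, PHP code hidden in an uploaded
// image runs; stream wrappers such as php://filter widen it further.
function demo_render_template_vulnerable( $tpl ) {
    include plugin_dir_path( __FILE__ ) . 'templates/' . $tpl;
}

// HARDENED: map the request value to a fixed set of files. Anything else
// falls back to the default and is never used to build a path.
function demo_render_template_hardened( $tpl ) {
    $templates = array(
        'list'   => 'list.php',
        'detail' => 'detail.php',
    );
    $file = isset( $templates[ $tpl ] ) ? $templates[ $tpl ] : $templates['list'];
    include plugin_dir_path( __FILE__ ) . 'templates/' . $file;
}
```

The pattern is the same in both halves: data from the request is never allowed to decide the structure of the query or the path. Values go through a parameter binding, and anything that has to be part of the structure (a column name, a file name) is looked up in a list the code controls.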
WordPress is a free and open-source content management system (CMS) written in PHP and backed by MySQL or MariaDB. According to W3Techs it powers about 60% of all websites whose content management system is known.
WordPress is the most popular CMS on the Internet, and that popularity makes it a constant target: attackers continuously scan for sites running vulnerable versions of core, plugins and themes in order to take control of them.
The most significant vulnerability that has been discovered recently is a critical remote code execution vulnerability (CVE-2019-9073) that affects all versions of WordPress.