This is a brief glossary of common vulnerabilities and attacks that affect WordPress.

Cross-Site Scripting

Cross-Site Scripting (XSS) is a vulnerability that allows an attacker to inject arbitrary malicious code into a vulnerable website so that it executes when the victim loads the page.
The malicious code can be delivered to the victim in several ways.

The most common is to append the malicious code to the URL of a link; when the victim clicks the link, the vulnerable page they land on executes the code.
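The reflected case described above, next to its fix, as an added example that is not part of the original page. The function names and the sample values standing in for URL parameters are constructed; it runs with the PHP CLI and does not need WordPress.

```php
<?php
// Added example: one value taken from the URL, rendered into different HTML contexts.

/** Vulnerable: the value from the URL is echoed into the page unchanged. */
function render_unsafe(string $q): string
{
    return '<p>Results for ' . $q . '</p>';
}

/** HTML body and attribute contexts: encode <, >, &, " and '. */
function render_safe(string $q): string
{
    $e = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Results for ' . $e . '</p><input name="q" value="' . $e . '">';
}

/** URL context: entity encoding is not enough, the scheme must be allow-listed too. */
function render_link(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#';   // also drops relative URLs; acceptable for this demo
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">back</a>';
}

// Constructed values standing in for $_GET['q'] and $_GET['return'].
$q      = '<script>alert(1)</script>';
$return = 'javascript:alert(1)';

echo render_unsafe($q), "\n";      // markup reaches the browser as markup
echo render_safe($q), "\n";        // same value, now inert text
echo render_link($return), "\n";   // non-http(s) scheme replaced with "#"
echo render_link('https://example.com/?a=1&b=2'), "\n";
```

In WordPress code the corresponding escaping functions are esc_html(), esc_attr() and esc_url().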

Privilege escalation

Privilege escalation attacks are cyber attacks aimed at gaining unauthorized privileged access to a system. Attackers take advantage of vulnerabilities in operating systems and web applications to gain and use privileges they are not entitled to.
In the case of WordPress, this means using a vulnerability to elevate a subscriber’s privileges to a higher level, such as administrator, and then defacing the site.

Path Traversal, Directory Traversal

Path traversal is a vulnerability that allows an attacker to illegally retrieve and read arbitrary files on the server. Being able to read files makes the following possible:

Obtaining and reading application code and data
Retrieving and viewing WordPress configuration files and database connection credentials
Retrieving and viewing sensitive system files

In some cases, an attacker will be able to use this illegally obtained data to ultimately take over the site completely.
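A containment check for a file-serving handler, as an added example that is not part of the original page. The function name safe_resolve and the temporary directory layout are constructed; it runs with the PHP CLI and does not need WordPress.

```php
<?php
// Added example: resolve a requested file name and refuse anything outside the base directory.

/** Return the real path of $requested inside $baseDir, or null if it escapes or is missing. */
function safe_resolve(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../", "./" and symlinks, and fails for missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare with a trailing separator so "/uploads-old" cannot pass for "/uploads".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout: <tmp>/site/wp-config.php and <tmp>/site/uploads/report.txt
$root = sys_get_temp_dir() . '/pt-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/site/uploads', 0700, true);
file_put_contents($root . '/site/wp-config.php', "<?php // placeholder, no real credentials\n");
file_put_contents($root . '/site/uploads/report.txt', "public report\n");

$uploads = $root . '/site/uploads';
$names   = ['report.txt', '../wp-config.php', './../uploads/report.txt', 'missing.txt'];
foreach ($names as $name) {
    $naive = $uploads . '/' . $name;   // vulnerable pattern: plain concatenation
    $safe  = safe_resolve($uploads, $name);
    printf("%-26s naive_readable=%-3s checked=%s\n",
        $name,
        is_file($naive) ? 'yes' : 'no',
        $safe === null ? 'rejected' : 'allowed');
}

// Remove the constructed files again.
unlink($root . '/site/uploads/report.txt');
unlink($root . '/site/wp-config.php');
rmdir($root . '/site/uploads');
rmdir($root . '/site');
rmdir($root);
```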

SQL injection

SQL injection is one of the most common web hacking techniques. In a SQL injection attack, input submitted through a web page causes a vulnerable program to perform unintended operations on the database.

Attacks made possible by SQL injection include the following:

Rewriting user passwords
Adding unauthorized users
Rewriting content
Extracting information from the database
Bypassing login authentication
Rewriting settings

Cross-Site Request Forgery

A Cross-Site Request Forgery (CSRF) attack takes advantage of a user’s authentication state (login state) on a site to trick the user into performing undesirable actions, such as transferring money from an account or changing an email address or password.
(The site interprets this as a legitimate action by the logged-in user, but it is actually a malicious action triggered by the attacker through a program the user is unaware of.)

A successful CSRF attack against an administrative account can compromise an entire server and completely take over web applications, APIs, and other services.

File inclusion

File inclusion vulnerabilities allow an attacker to read and sometimes execute files on the victim’s server, and some vulnerabilities allow an attacker to execute malicious code that resides on the attacker’s machine.

PHP Object injection

This vulnerability occurs when user-supplied input is not properly sanitized (converted to non-executable data) before the data is passed to the unserialize() function in PHP (the programming language WordPress is written in).

An attacker can pass a specially crafted serialized string to the vulnerable unserialize() call, causing arbitrary attacker-controlled PHP objects or data to be embedded in the PHP program, which then performs processing the programmer did not intend.
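What unserialize() does with an untrusted string, and two ways to stop it, as an added example that is not part of the original page. The class CacheFile, the function names and the sample value are constructed; the destructor only records a log line. It runs with the PHP CLI (7.4 or later) and does not need WordPress.

```php
<?php
// Added example. CacheFile stands in for any loaded class whose magic methods
// act on the object's own properties.

class CacheFile
{
    public static array $log = [];   // records side effects instead of touching disk
    public string $path = '';

    public function __destruct()
    {
        self::$log[] = 'cleanup would act on ' . $this->path;
    }
}

/** Vulnerable: any loaded class can be instantiated with sender-chosen properties. */
function load_unsafe(string $raw)
{
    return unserialize($raw);
}

/** Hardened: objects become inert __PHP_Incomplete_Class values, no magic methods run. */
function load_no_objects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

/** Preferred: a data-only format that cannot create objects at all. */
function load_json(string $raw): ?array
{
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Constructed request value, e.g. the content of a cookie or form field.
$path = '/tmp/chosen-by-sender';
$raw  = sprintf('O:9:"CacheFile":1:{s:4:"path";s:%d:"%s";}', strlen($path), $path);

$obj = load_unsafe($raw);
unset($obj);                      // destructor runs with the sender's path
echo 'after unserialize():    ', count(CacheFile::$log), " side effect(s)\n";

$obj = load_no_objects($raw);
echo 'allowed_classes=false:  ', get_class($obj), "\n";
unset($obj);                      // nothing runs for the inert placeholder
echo 'after hardened load:    ', count(CacheFile::$log), " side effect(s)\n";
echo 'json_decode() result:   ', var_export(load_json($raw), true), "\n";
```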

Authentication Bypass

Authentication bypass is a vulnerability that allows a user to bypass the login process and log in without the necessary ID and password confirmation, and to do things that can only be done with that user’s privileges (e.g., administrator privileges).

Remote Code Execution (RCE)

Remote code execution (RCE) is a vulnerability that allows an attacker to execute malicious code on an organization’s computer or network.
If the WordPress PHP program does not properly handle submitted data, an attacker could send executable malicious code and have it run on the server.

Unauthenticated Hook Injection

Unauthenticated Hook Injection is a WordPress-specific vulnerability in which a WordPress hook is not properly implemented in a theme or plugin and can be exploited to execute a process on the server without sufficient authorization.
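One common form of this problem is an AJAX hook whose callback checks neither the caller's capabilities nor the origin of the request; the same handler also illustrates the defence against the Cross-Site Request Forgery entry above. This is an added example, not code from the original page or from any real plugin. It assumes it is loaded as a plugin inside WordPress, and the action name demo_save_notice and option name demo_notice are hypothetical.

```php
<?php
/**
 * Plugin Name: Demo notice handler (constructed example)
 */

/* BEFORE (kept commented out): the callback trusts every request.
 * wp_ajax_nopriv_* fires for visitors who are not logged in, so the
 * callback runs for anyone and changes the option without any check.
 *
 * add_action('wp_ajax_nopriv_demo_save_notice', 'demo_save_notice');
 * add_action('wp_ajax_demo_save_notice', 'demo_save_notice');
 * function demo_save_notice() {
 *     update_option('demo_notice', $_POST['notice']);
 *     wp_send_json_success();
 * }
 */

// AFTER: registered for logged-in users only.
add_action('wp_ajax_demo_save_notice', 'demo_save_notice');

function demo_save_notice()
{
    // CSRF defence: the request must carry a nonce created for this action
    // and the current user; otherwise WordPress ends the request here.
    check_ajax_referer('demo_save_notice', 'nonce');

    // Authorization: being logged in is not enough, subscribers reach wp_ajax_* too.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }

    $notice = sanitize_text_field(wp_unslash($_POST['notice'] ?? ''));
    update_option('demo_notice', $notice);
    wp_send_json_success(['saved' => true]);
}

// The settings form that posts to admin-ajax.php embeds the matching nonce.
function demo_notice_form_fields()
{
    wp_nonce_field('demo_save_notice', 'nonce');
    echo '<input type="hidden" name="action" value="demo_save_notice">';
}
```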

Sensitive Information Exposure

Sensitive Information Exposure refers to a vulnerability that could result in the disclosure of sensitive information such as personal information, credit card data, or intellectual property.

In WordPress, for example, this means the exposure of database connection information and registered user information and, on e-commerce sites, of customer purchase information and personal information.

Blind Server-Side Request Forgery

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make the server-side application send requests to a location it was not intended to reach.

A common SSRF attack is one in which an attacker forces the server to connect to an internal-only service within the organization. Other times, an attacker may be able to use the server as a stepping stone to connect to an arbitrary external system.

Blind SSRF refers to a scenario in which an attacker can send a request to a target server but receives no direct response or feedback about the result of the request. Because the attacker cannot see the server’s response or the results of their actions, blind SSRF is more difficult to exploit.

Command Injection

Command Injection is an attack that aims to execute arbitrary commands on the host OS via a vulnerable program in WordPress.
(This means that it is possible to execute OS-level commands.)

However, since execution of OS commands is restricted on shared servers, the activities that can be performed with command injection are limited.

Arbitrary file uploads

File upload vulnerabilities are security flaws that allow attackers to upload malicious files onto the server.

Through this vulnerability, hackers may be able to install backdoors or other dangerous programs on the server that can alter site data and files.

Server Side Template Injection (SSTI)

Server Side Template Injection is the use of a template engine’s own syntax (a syntax, specific to that engine, that replaces text or embeds variable values according to defined rules) to inject a malicious program into a template, which the template engine on the site’s server then executes.

Such template engines are designed to generate web pages by combining a template for site display with data supplied on an ad-hoc basis. Server-side template injection attacks can occur when user input is concatenated directly into the template rather than being passed to it as data. This allows an attacker to inject arbitrary template syntax to manipulate the template engine, which may allow for complete control of the server.
