The following are the three vulnerabilities most likely to be exploited if they are discovered on a WordPress site. If your site contains any plugins or other components affected by one of them, we recommend that you take action as soon as possible.
1 Arbitrary file upload vulnerability
This vulnerability allows an attacker to create (upload) a file on the server simply by sending data to the vulnerable program.
This is arguably the vulnerability hackers favor most: it is at least as dangerous as a compromise of WordPress administrator privileges, since it allows the hacker to perform any operation they want on the server.
Through this vulnerability, hackers can upload any executable file to the server. (In some cases the permitted file extensions are restricted, which reduces the severity.)
Hackers exploit this vulnerability at scale, using automated tools that send malware files to one WordPress site after another.
Plugins with arbitrary file upload vulnerabilities can be investigated here.
2 Remote code execution (RCE)
This vulnerability allows code to be executed on the server by sending specially crafted data to the vulnerable file. (The operations that can be executed may be limited.)
Through this vulnerability, a hacker may install malware on the server in several steps (for example, by first taking over administrative privileges).
The malware the hacker installs may itself deliberately include this kind of vulnerability*, and other hackers will often seek out and reuse such RCE-capable malware files left behind by the first hacker.
*Malware that serves as an entry point for such hacks is called a backdoor.
3 SQL injection
A WordPress site consists essentially of a set of program files and a database that stores the text content and the settings.
SQL injection is a vulnerability that allows the database to be modified, or its data read, without authorization. Hackers can use it to create unauthorized users in the database, write unauthorized settings, or embed redirection scripts in the content that send visitors to other sites without their consent.
Although SQL injection is used less often in attacks on WordPress than the other vulnerabilities above, once it is found in a highly popular plugin it tends to be exploited intensively.
Plugins that are vulnerable to SQL injection can be investigated here.
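As an added illustration (not code from the original article or from any particular plugin), here is the query pattern behind a typical plugin SQL injection next to its fix using WordPress's own $wpdb->prepare(). The function names and the title/search lookups are assumptions made for the example; it is meant to run inside WordPress, where the global $wpdb object exists.

```php
<?php
// Added example: a WordPress plugin SQL injection and its fix.
// Assumes the WordPress environment, so the global $wpdb is available.

// VULNERABLE: the request value is concatenated straight into the SQL.
// A single quote inside $title terminates the string literal, and whatever
// follows it becomes part of the statement the database executes.
function my_plugin_find_posts_unsafe( $title ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_title = '" . $title . "' AND post_status = 'publish'";
    return $wpdb->get_results( $sql );
}

// FIXED: $wpdb->prepare() binds the value. WordPress escapes and quotes
// the %s placeholder, so the input is only ever compared as a string.
function my_plugin_find_posts_safe( $title ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_title = %s AND post_status = 'publish'",
        $title
    );
    return $wpdb->get_results( $sql );
}

// Numeric input: %d casts to an integer, so a crafted string cannot
// change the shape of the query.
function my_plugin_get_post_safe( $post_id ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d", $post_id )
    );
}

// LIKE patterns need esc_like() first; otherwise user-supplied % or _
// wildcards still change which rows match, even with prepare().
function my_plugin_search_safe( $fragment ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $fragment ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s", $like )
    );
}
```

In a real handler the value would arrive via $_GET or $_POST; what matters is that it is bound through prepare() rather than concatenated, regardless of where it came from.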
You can also use plugins that let you easily inspect your WordPress site for malware and vulnerabilities from the inside.
Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].