We have compiled a list of the six most targeted WordPress plugin vulnerabilities in recent years. If you have any of these plugins installed on your site (enabled or disabled), we recommend that you update to the latest version or remove them if you are not using them.

No. 1 WooCommerce Designer Pro 1.9.26 and below
This vulnerability in WooCommerce Designer Pro 1.9.26 and below is very dangerous: it allows arbitrary WordPress files to be deleted. The attack is carried out by sending action=wcdp_save_canvas_design_ajax to admin-ajax.php (the file that handles WordPress AJAX functions).
Vulnerability information is available at
https://wp-doctor.jp/blog/vulnerabilities/wc-designer-pro-exploit-cve-2025-6439/
No. 2 Automatic by ValvePress 3.92.0 and below
The vulnerability in Automatic by ValvePress allows the database to be rewritten through an SQL injection attack. This vulnerability is believed to be used to create unauthorized WordPress users.
The attacker carries out the attack by sending arbitrary malformed SQL statements to the following file.
/wp-content/plugins/wp-automatic/inc/csv.php
For more vulnerability information, please visit
https://wp-doctor.jp/blog/vulnerabilities/wp-automatic-exploit-cve-2024-27956/
No. 3 WordPress Duplicator 1.3.28 and below
The vulnerability in this plugin allows attackers to download and view arbitrary files on the WordPress site. The attack sends the action duplicator_download to admin-ajax.php (the file that handles WordPress AJAX functions) together with the path of the file to retrieve, and the server returns that file.
If wp-config.php is downloaded, the database connection password and other secrets are exposed, after which unauthorized users may be added or site content rewritten.
Vulnerability information can be found here
https://wp-doctor.jp/blog/vulnerabilities/duplicator-exploit-cve-2020-11738/
No. 4 ProfilePress 3.1.3 and below
This plugin vulnerability allows attackers to register arbitrary unauthorized administrator accounts on the site. The attack is performed by sending a crafted request to the action pp_ajax_signup in admin-ajax.php (the file that handles WordPress AJAX functions).
Vulnerability information is available at
https://wp-doctor.jp/blog/vulnerabilities/wp-user-avatar-exploit-cve-2021-34621/
No. 5 Simple File List 3.2.7 and below
The vulnerability in this plugin allows attackers to download and view arbitrary files on the WordPress site by sending an unauthorized request to the following file.
/wp-content/plugins/simple-file-list/includes/ee-downloader.php
For vulnerability information, please visit
https://wp-doctor.jp/blog/vulnerabilities/simple-file-list-exploit-cve-2022-1119/
No. 6 File Manager 6.9 and below
If exploited, this plugin vulnerability allows an attacker to execute arbitrary code on the WordPress site by uploading and then executing a malicious file.
Malicious requests are sent to the following file, which then creates the malicious file on the server.
/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
For vulnerability information, please visit
https://wp-doctor.jp/blog/vulnerabilities/wp-file-manager-exploit-cve-2020-25213/
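As an added example (not part of the original post), the following script scans web server access log lines for requests to the admin-ajax.php actions and plugin files named in the six entries above, so a site owner can check whether any of them have been probed. The log regex assumes the common Apache/nginx "combined" format; the sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the six entries above: admin-ajax.php action values
# and plugin files that the known exploits send their requests to.
AJAX_ACTIONS = {
    "wcdp_save_canvas_design_ajax": "WooCommerce Designer Pro <=1.9.26 (CVE-2025-6439)",
    "duplicator_download": "Duplicator <=1.3.28 (CVE-2020-11738)",
    "pp_ajax_signup": "ProfilePress <=3.1.3 (CVE-2021-34621)",
}
PLUGIN_PATHS = {
    "/wp-content/plugins/wp-automatic/inc/csv.php": "Automatic <=3.92.0 (CVE-2024-27956)",
    "/wp-content/plugins/simple-file-list/includes/ee-downloader.php": "Simple File List <=3.2.7 (CVE-2022-1119)",
    "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php": "File Manager <=6.9 (CVE-2020-25213)",
}

# Assumed "combined" access log format: ip - - [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

def classify(uri, body=""):
    """Return a label for a request that targets one of the listed endpoints, else None.
    `body` is optional form-encoded POST data (from a WAF/application log); plain
    access logs do not record it, so POST-only actions need such a source."""
    parsed = urlparse(uri)
    if parsed.path in PLUGIN_PATHS:
        return PLUGIN_PATHS[parsed.path]
    if parsed.path.endswith("/wp-admin/admin-ajax.php"):
        params = parse_qs(parsed.query)
        params.update(parse_qs(body))
        for action in params.get("action", []):
            if action in AJAX_ACTIONS:
                return AJAX_ACTIONS[action]
    return None

def scan(lines):
    """Yield (ip, uri, label) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["uri"])
        if label:
            hits.append((m["ip"], m["uri"], label))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download HTTP/1.1" 200 1234
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-content/uploads/2025/01/logo.png HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12
203.0.113.5 - - [01/Jan/2025:10:00:04 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 301
"""

if __name__ == "__main__":
    for ip, uri, label in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {uri} -> {label}")
```

A hit on admin-ajax.php is only suspicious when the plugin is absent or outdated, or the request comes from an unauthenticated source, since sites that legitimately use these plugins generate the same actions.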
If your site has been infected with malware, you can use our plugin to scan for and remove it.
[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]