Common Vulnerability Scoring System (CVSS) Score
Software vulnerabilities are given an objective measure of severity called a CVSS score.
The CVSS score is derived from the following criteria and expressed on a 10-point scale.
AV (Access Vector): Can the attack be carried out remotely over the Internet?
AC (Access Complexity): Are the conditions for a successful attack complex?
Au (Authentication): Does the attack require authentication to succeed?
C (Confidentiality impact): Will a successful attack cause serious information leakage?
I (Integrity impact): Can information be tampered with in the event of a successful attack?
A (Availability impact): If the attack is successful, is there a risk of business interruption (e.g., the site goes down or can no longer be viewed)?
Unfortunately, vulnerabilities with a CVSS score of 7-8 or higher continue to be reported daily in WordPress themes and plugins. If a hacker finds a vulnerability in this score range on your site, the site can be tampered with remotely (over the Internet) without authentication, or it may stop displaying altogether, which can be fatal to your site.
It is dangerous to assume that the vulnerabilities on your site cannot be found!
It is genuinely dangerous to assume that, among the many websites out there, nobody will ever find the vulnerabilities on yours. Hackers locate vulnerable sites using the following methods and procedures.
1 Investigation
1-1 Extract your site's URL from portal sites where WordPress sites are registered.
1-2 Obtain the URLs of WordPress sites by searching a search engine for a WordPress-specific string (e.g., text from the default sample post).
1-3 Search for the directory index pages of vulnerable plugins (folders without an index.html are served as file listing pages, which search engines may pick up) to locate them.
2 Attack
When hackers find a vulnerable site that suits them, they use the following procedures to break into it and carry out hacking acts such as embedding malware.
2-1 Repeatedly attempt to log in to the site until they gain administrator privileges.
2-2 Use a tool that checks the site's themes and plugins for vulnerabilities all at once to see whether it can be penetrated.
2-3 Directly exploit the vulnerabilities found in step 1-3 to break into the site.
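Step 2-1 leaves a clear trace on the server: a burst of POST requests to /wp-login.php from a single address. WordPress answers a failed login by re-rendering the form with HTTP 200 and a successful one with a 302 redirect, so counting 200-status POSTs per client IP inside a short window is a usable brute-force signal for site owners reviewing their access logs. The following is an added example, not code from this page or from WordPress Doctor; the log lines are constructed in Apache combined format, and the threshold of 10 attempts in 5 minutes is an assumed value rather than one the page gives.

```python
"""Flag repeated wp-login.php POSTs per client IP in web server access logs (added example).

Log lines are constructed in Apache combined format; the threshold and
window used by flag_brute_force() are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 4123 "-" "Mozilla/5.0"')


_T0 = datetime.strptime("10/Mar/2024:02:15:00 +0000", TS_FMT)

# Constructed sample: one address fires 12 failed logins in 66 seconds, a
# legitimate user fails once and then succeeds (302), plus ordinary page views.
SAMPLE_LOG = (
    [_line("203.0.113.7", _T0 + timedelta(seconds=6 * i), "POST", "/wp-login.php", 200)
     for i in range(12)]
    + [_line("198.51.100.22", _T0 + timedelta(minutes=1), "POST", "/wp-login.php", 200),
       _line("198.51.100.22", _T0 + timedelta(minutes=1, seconds=20), "POST",
             "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),
       _line("192.0.2.9", _T0 + timedelta(minutes=2), "GET", "/wp-login.php", 200),
       _line("192.0.2.9", _T0 + timedelta(minutes=2, seconds=5), "GET", "/", 200)]
)


def parse_line(line):
    """Return a dict of ip/ts/method/path/status, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def failed_login_times(lines):
    """Group timestamps of failed login POSTs (HTTP 200 on /wp-login.php) by client IP."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php"
                and rec["status"] == 200):
            by_ip[rec["ip"]].append(rec["ts"])
    return by_ip


def flag_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs with >= threshold failed logins inside any window."""
    flagged = {}
    for ip, times in failed_login_times(lines).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, n in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed wp-login.php POSTs within 5 minutes")
```

Only the scripted address is flagged; the user who mistyped a password once and then logged in successfully stays below the threshold, and GET requests for the login page are ignored because they are not login attempts.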
Check for high CVSS score vulnerabilities in your site
WordPress: Malware Scanning & Security Plugin [Malware & Virus Detection and Removal], developed by WordPress Doctor, is a free tool that lets you scan your site from the inside for vulnerabilities with high CVSS scores.
Once the plugin is installed, go to
Administration > Malware Scan > Vulnerabilities tab > Run Vulnerability Scan button.
After a few moments, the plugin checks for the most dangerous vulnerabilities (CVSS score 7.5 or higher), including in plugins that are not enabled, and displays the results.