Biggest Security Vulnerabilities With WordPress Plugins


WordPress powers over 40 percent of the web. The user-friendly content management system allows non-web developers to create and run websites, through the use of plugins. WordPress plugins let you add functionalities and features to a website without having to know how to code. They can be immensely useful but they can also slow down your website if you have too many.

Plugins can also pose a security threat to your WordPress site, exposing it to potential attacks from cyber criminals.

What do you need to know about WordPress plugin security vulnerabilities, and which plugins, in particular, should you watch out for?

Common security risks to look for with WordPress plugins

How much damage can a vulnerable plugin do to your WordPress site? Outdated plugins are more likely to be exploited by malicious actors, and may lead to one of the following security issues:

  • Arbitrary file viewing: Your website runs on source files that contain sensitive data and should not be publicly viewable. Compromised plugins can allow hackers to view these files and access your site.
  • Privilege escalation: A WordPress site has five default user roles with different privileges: Subscriber, Contributor, Author, Editor, and Administrator. Some vulnerable plugins skip the capability check and allow users who normally wouldn’t have that access to escalate their privileges.
  • Uploading files: In some cases, plugins allow malicious files to be uploaded onto your site, for example by not restricting the file types an upload form accepts.
  • Cross-site scripting attacks: In a cross-site scripting (XSS) attack, a plugin echoes unescaped input back into a page, so an attacker’s script runs in a visitor’s browser in the context of your site. It can slow your site down and negatively impact your traffic.
  • SQL injections: One of the most common WordPress plugin vulnerabilities, SQL injections happen when a plugin doesn’t validate information from items like a contact form or search bar on your website. Hackers inject malicious code into a contact form, for example, and the code gets sent to your database. From there, hackers can create access for themselves.
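
To show what these bullets look like in plugin code, here is an added example (not code from the article or from any plugin it names): the same "note search" AJAX handler written first the way vulnerable plugins typically do it, then hardened with the WordPress APIs that plugin reviewers expect to see. It runs inside WordPress; the `notes` table, the `note_search` action and the nonce name are assumptions made for this illustration, and the arbitrary-file-viewing and file-upload cases are not covered.

```php
<?php
/**
 * Added example (not from the article): one handler in a vulnerable and
 * a hardened form. Runs inside WordPress; the table name, hook names and
 * nonce name are assumptions for this illustration.
 */

// --- Vulnerable version: the pattern behind the SQL injection, XSS and
// --- privilege-escalation bullets above. Do not ship code like this.
function insecure_note_search() {
    global $wpdb;
    // No capability check and no nonce: any visitor reaches this code.
    $term = $_GET['q'];                               // unvalidated input
    // User input concatenated straight into SQL: a single quote in $term
    // changes the meaning of the query.
    $rows = $wpdb->get_results(
        "SELECT title FROM {$wpdb->prefix}notes WHERE title LIKE '%$term%'"
    );
    // Raw input echoed back: reflected XSS in the visitor's browser.
    echo "<p>Results for $term</p>";
    foreach ( $rows as $row ) {
        echo '<li>' . $row->title . '</li>';
    }
    wp_die();
}
// "nopriv" hooks run for logged-out visitors as well.
add_action( 'wp_ajax_nopriv_note_search', 'insecure_note_search' );

// --- Hardened version using WordPress' own APIs.
function secure_note_search() {
    global $wpdb;

    // 1. Privilege: only users allowed to edit posts may search notes.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued to this user.
    check_ajax_referer( 'note_search_nonce', 'nonce' );

    // 3. Validate and sanitize input before it touches anything else.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term || strlen( $term ) > 100 ) {
        wp_die( 'Invalid search term', 400 );
    }

    // 4. Parameterised query: prepare() quotes the value, and esc_like()
    //    stops '%' and '_' in the input from acting as wildcards.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT title FROM {$wpdb->prefix}notes WHERE title LIKE %s", $like )
    );

    // 5. Escape on output so the term and titles render as text, not HTML.
    echo '<p>Results for ' . esc_html( $term ) . '</p>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->title ) . '</li>';
    }
    wp_die(); // end the AJAX response cleanly
}
// Registered only on the logged-in hook: anonymous requests never reach it.
add_action( 'wp_ajax_note_search', 'secure_note_search' );
```

When vetting a plugin's source, these are the things to grep for: `$_GET`/`$_POST` values used without `sanitize_*`, SQL strings built with interpolation instead of `$wpdb->prepare()`, `echo` of data without `esc_html()`/`esc_attr()`, and AJAX or REST handlers with no `current_user_can()` check.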

The most vulnerable WordPress plugins in 2022

On the Internet, the more popular something is, the more likely it is to be exploited by cyber attackers. WordPress plugins are no different. Although a high number of installations is usually a good sign for adding a WordPress plugin to your site, you should also be wary of popular plugins and vet them properly for security issues.

The good thing about installing highly popular plugins is that they usually get patched for security issues as soon as a vulnerability is discovered. You just have to be sure you’re installing the right version of these popular plugins. Double-check before installing the following popular plugins, as vulnerabilities in them have been reported in the last year:

  • YoastSEO
  • WooCommerce
  • Elementor
  • W3 Total Cache
  • SEO Press
  • Ninja Forms

If you use any of these popular plugins, always keep them up-to-date.

As of January 2022, vulnerabilities have been discovered with the following plugins, according to WordPress security company Patchstack:

  • WebP Converter for Media (version 4.0.2 or previous)
  • NextScripts (version 4.3.24 or previous)
  • Ultimate FAQ (version 2.1.1 or previous)
  • Code Snippets (version 2.14.2 or previous)
  • TrustMate (version 1.7.0 or previous)
  • WP Affiliate Manager (version 2.8.9 or previous)
  • Event Tickets (version 5.2.1 or previous)
  • Simple Download Monitor (version 3.9.8 or previous)

If you are using any of the above plugins, confirm that the version you are using is later than the one given in the list. So if you use WebP Converter for Media, for example, ensure you have updated to version 4.0.3 or later, as version 4.0.2 and all earlier versions are affected.
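
Comparing version strings by hand is where mistakes happen: "version 4.0.2 or previous" means every release up to and including 4.0.2, and a plain string comparison would wrongly rank 4.0.10 below 4.0.2. The following stand-alone PHP script is an added example (not from the article or from Patchstack) that encodes the list above as a ceiling per plugin and reports which installed versions still fall under it; the installed inventory at the bottom is constructed for the illustration.

```php
<?php
// Added example (not from the article): check an installed-plugin inventory
// against the affected ranges listed above. Plain PHP, run with `php check.php`.

/** Highest affected version per plugin, transcribed from the list above. */
const AFFECTED_UP_TO = [
    'WebP Converter for Media' => '4.0.2',
    'NextScripts'              => '4.3.24',
    'Ultimate FAQ'             => '2.1.1',
    'Code Snippets'            => '2.14.2',
    'TrustMate'                => '1.7.0',
    'WP Affiliate Manager'     => '2.8.9',
    'Event Tickets'            => '5.2.1',
    'Simple Download Monitor'  => '3.9.8',
];

/**
 * Return the entries of $installed (name => version) that are still on an
 * affected version. version_compare() compares each dotted component as a
 * number, so 4.0.10 is correctly treated as newer than 4.0.2.
 */
function affected_plugins( array $installed ): array {
    $hits = [];
    foreach ( $installed as $name => $version ) {
        if ( ! isset( AFFECTED_UP_TO[ $name ] ) ) {
            continue; // not in the advisory list
        }
        // "X or previous" is inclusive, hence '<=' rather than '<'.
        if ( version_compare( $version, AFFECTED_UP_TO[ $name ], '<=' ) ) {
            $hits[ $name ] = [
                'installed'      => $version,
                'affected_up_to' => AFFECTED_UP_TO[ $name ],
            ];
        }
    }
    return $hits;
}

// Constructed sample inventory. On a live site the same map can be built
// from get_plugins() inside WordPress or `wp plugin list --format=json`.
$installed = [
    'WebP Converter for Media' => '4.0.10', // newer than 4.0.2: not affected
    'Code Snippets'            => '2.14.2', // equal to the ceiling: affected
    'Event Tickets'            => '5.1.9',  // older than 5.2.1: affected
    'Akismet'                  => '4.2.2',  // not on the list: ignored
];

foreach ( affected_plugins( $installed ) as $name => $info ) {
    printf( "%s %s is affected (versions up to %s): update it\n",
        $name, $info['installed'], $info['affected_up_to'] );
}
```

Two of the four sample entries are reported (Code Snippets and Event Tickets); the table of ceilings is the only part that needs updating as new advisories are published.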

Stay updated on vulnerability news

To see if a plugin you’re using has any known vulnerabilities, you can also check a security database such as WP Scan. Type the name of the plugin into the search bar and check the results for any reported vulnerabilities and the date they were reported.

You can also check the Exploit Database run by the company Offensive Security. Their database tracks known exploits across the web, not just WordPress plugins. You can type in the name of the plugin you’re concerned about to see if there’s any exploit information about it in the database.

In addition to a weekly digest of WordPress security news, Patchstack also has a vulnerability database specifically for WordPress and WordPress plugins. You can search by plugin or see what the latest vulnerabilities are if you sort the list by date.

How to verify the security of a WordPress plugin

Searching for information about a plugin’s vulnerability on a database can let you know there’s a risk, but it isn’t too helpful beyond that. When deciding to install a plugin on your WordPress site or not, you should also run these quick checks to be sure it’s secure:

  • Use a security plugin: Ironically, one of the best ways to check plugins for security issues is with a plugin. Wordfence is highly recommended for WordPress sites, as it lets you run daily scans and notifies you immediately if it detects potential threats.
  • Avoid “nulled” or “free” plugins: If you see a free version of a premium plugin, either don’t install it or pay for the premium one. These “nulled” plugins have modified files that can include malicious code. If you install it, that malicious code infects your site.
  • Check the official WordPress plugin repository: Search for plugins that appear on the official WordPress plugin repository. WordPress vets each plugin before publishing it, so the chances are lower that there’s a security vulnerability. 
  • Vet the website for the plugin: If you want to install a plugin from another site, vet it carefully yourself beforehand. Do a Google search of ‘plugin name + security issues’ to see what comes up. The plugin should have its own website as well. Check the site to see if: it appears professional; the developer has a good reputation; company information is available; and they offer terms of service and a privacy policy.
  • Check user reviews: Look for user reviews and ratings for the plugin on third-party sites and the WordPress plugin repository. If more than one recent review mentions a security issue, don’t install it. While you’re at it, check the support forum for the plugin to see if the developer is responsive to issues users have with the plugin.
  • Check latest update: Secure plugins should be updated regularly to prevent security vulnerabilities. If the last update was at least one year ago, don’t install the plugin. You should also confirm that the plugin is compatible with the latest version of WordPress.

Keep your WordPress site secure

Many popular and successful sites run with WordPress, using plugins. It’s possible to keep your site secure if you pay attention to your plugins and take proactive safety measures when setting up your site.
