WordPress Flaws and Vulnerabilities

Vulnerabilities Exists in Popular WordPress Plugins Too

Blog WordPress Flaws and Vulnerabilities Vulnerabilities Exists in Popular WordPress Plugins Too
Never assume that the most known, most common, most used plugins are free of vulnerabilities, or the opposite.
However, the more an extension evolves, the more it tends to “create” vulnerabilities, and to patch them, and the less a plugin evolves, the more it tends to be discovered as a vulnerable one.
Let’s take a look at some of them together and explain this first paragraph.


WooCommerce is the leader of e-commerce plugins for WordPress. Launched in 2011, it was quickly adopted by communities around the world.

If we go through the changelog, and search for “security”, we find 18 occurrences. This means that there are at least 18 security fixes, but sometimes more because not all fix are rated as “security”.

For example version 2.1.8 contains a patch following a flaw found in WooCommerce 2.1.6 by SecuPress, but no “security”!


The most downloaded American security plugin, Wordfence, surely one of the oldest since launched in April 2012. Yes, even if it’s a security plugin, it’s human coded and you know what we say? “The error is human” !

The 5.2.x version of this plugin have suffered a lot as can be seen on WPVulnDB. Is it a good thing or a bad thing? I’ll say it again, but yes, it’s a good thing since now that it’s discovered and patched, it’s even more secure.

When a researcher finds a flaw, others follow him to find a flaw as well and this further secures the product. SecuPress also helped Wordfence to be more secure.

iThemes Security

Another security plugin, almost 1M of active installations, iThemes Security, I do not know since when it is there because it is based on a redeemed extension “better-wp-security”. Also there is no complete changelog available and for the pro version no changelog available if you are not a member. Too bad to hide this information!

The changelog piece only shows 4 security fix and our is missing! https://secupress.me/blog/ithemes-security-5-3-6-security-fix/ and WPVulnDB lists more.

All In One WP Security & Firewall

Ho, a security plugin! Quite well known, although less than the other 2 mentioned above, AIOWPSF (ouch) had setbacks with no less than 13 discoveries on WPVulnDB. SecuPress has just discovered a SQL Injection vulnerability.

Once again, no one is safe …

Redux Framework

Not a plugin, nor a theme, but a framework, Redux, to help the creation of these two. Rather widespread, I’ve randomly audited frameworks and just want to see a little bit.

We have found a privilege escalation vulnerability that allows a person who does not have the rights to change the site options, but having rights on the customizer, modify the options of the site all the same!

Although less visible unlike plugins and themes, vulnerable frameworks reach many more users because they are part of these products, that’s why their security is also important.


WPML is a classic of multilingual extensions, probably the first as complete. It has evolved with the time. Like any “massive” extension, it contains security fixes.

Unfortunately you need a customer account again to get a piece of changelog (only the last 2 years). As much as I can understand that we do not need 10 years of changelog, but do not let this changelog in public, no.

Our discovery of the XSS flaw in WPML has disappeared, or not! And again we can count on WPVulnDB.

Caching: W3 Total Cache, WP Super Cache & WP Rocket

Again, some dinosaurs plugins, with the cache this time. They are the pioneers of the WordPress cache, even though they have been outmoded by WP Rocket for a long time (but WP Rocket is starting to get fatter!).

W3TC in 2016 had not been updated for more than a year. A flaw was discovered. Do not think that it has grown like a mushroom, it is not because there is no update that the flaws grow, even if it gives the impression.

Above all, we have more people starting to worry about whether it’s safe to use it or not. When there are updates made, it is estimated that the author did the job well. You see ? The border is thin.

In short, W3TC was updated and SecuPress found 4 vulnerabilities in it, the goal was to make sure that the discovery flaw was not the only one to fix, job done. And WPVulnDB does not find less than 17 fix!

For WPSC, 9 are in WPVulnDB.

And WP Rocket, only one.


Jetpack, this plugin always bigger and bigger has also had its share of flaws. The more a plugin makes of things, or the more different developers, the more the probability of having faults increases (the bug too, and the weight too …) See WPVulnDB. Jetpack has no competitor, nobody wants to do a similar extension, nobody.

Yoast WordPress SEO and All in one SEO pack

The most popular SEO plugin for years, sadly known also for its scheduled latency updates has also gone through days without. WPVulnDB finds a lot. WP SEO has always had competitors like AIOSP, All In One SEO Pack which has also experienced the same bad days, see WPVulnDB.

WPS Hide My Login & SecuPress

… even SecuPress! In fact it is the module “Move Login” or “Moving the login page” that was missing. By performing an audit on WPS Hide My Login requested by its author, I also tested one of my 4 discoveries on SecuPress and one of them worked!

In fact, the flaw works everywhere on this kind of plugin that hides the login page, I advise you to use another plugin than these 2 to achieve this task, especially if the extension you use is not updated for too long, change quickly or I find your page!


But then, who is safe from vulnerability? Nobody. No extension, no development that is tracked, supported, contributed. If you develop, try to hack yourself, train yourself for web security. If you do not develop, have it checked, confirm that your choices are good and that the PHP scripts included in your sites (yes, what extensions) are clean.

Here we are at the end of our examples, we could quote others still, you have some?