2016: Major WordPress Vulnerabilities & The Best Thing You Can Do

The WordPress ecosystem is vast. According to the official WordPress site, there are 48,360 different, available plugins (in the time of writing) and over 2,000 themes available for downloading. A plugin, usually, consists of thousands of lines of code. And it only takes one line of code that is not well thought of, or a missing check, for it to be rendered vulnerable to attack.

As the WPScan Vulnerability Database reported, there were around 310 plugin vulnerabilities investigated the past year while 14 were discovered in WordPress themes. The total number of reported vulnerabilities found in WordPress core for 2016 was 17.  This is why, it is very important that you upgrade to the newest WordPress version. If you are a Force WP client, this has already been taken care of automatically.


Major Plugin and Theme Vulnerabilities for 2016

There were a lot of vulnerable plugins reported in 2016 and we cannot possibly cover all of them in this post. Below is a list of some of the most popular ones. If you do use them in production, though, please upgrade them immediately.

  • bbPress (300,000+ active installations)

There exists an XSS vulnerability in bbPress versions earlier than 2.5.9. Users participating in the forum can insert malicious Javascript code snippets in posts and replies.

  • wooCommerce (1 million+ active installations)

wooCommerce versions earlier than 2.6.8 are also vulnerable to several XSS attacks.

  • gravityForms (500,000 active installations)

Versions earlier than are vulnerable to XSS attacks as well. These vulnerabilities, however, are fixed in version 2.0.7.

  • nextGEN Gallery (1+ million active installations)

Versions prior to 2.1.57 are vulnerable to code execution from an uploaded malicious file.

  • all-in-one-seo-pack (1+ million active installations)

Versions older than are vulnerable to an XSS attack.

  • iThemes Security (Formerly Better WP Security, 800,000+ active installations)

Versions older than or equal of 5.6.1 contain an XSS attack vulnerability. Versions older or equal of 5.3.0 enable attackers to obtain backup log files, provided they know the timestamp of that file.


Major WordPress Vulnerabilities for 2016

What follows next is a brief report of the security vulnerabilities that were discovered in WordPress. Make sure that every so often, you check the WordPress Security Archive for authoritative updates on the matter.


WordPress versions 4.4 and earlier were affected by a cross-site scripting (XSS) vulnerability. These types of vulnerabilities allow attackers to inject malicious code (usually Javascript) to another user’s browser. What happens then is that the user’s browser does not know that it should not trust the injected code, and so it executes it.


WordPress versions 4.4.1 and earlier were affected by two issues: a vulnerability issue which allowed for some local URIs to be forged as coming from the server and an open redirection attack. This is called a Server Side Request Forgery attack. It can be used by attackers to create requests that seem to be coming from the vulnerable server, thus, bypassing any firewall measures and such. The open redirection attack is used when a vulnerable web page is redirected to a malicious one, usually for phishing purposes.


WordPress versions 4.5.1 and earlier were affected by a Same Origin Method Execution (SOME) vulnerability found in Plupload. This is a third-party library that is used in WordPress to upload files. The impact of a SOME attack is similar to that of an XSS one. The difference, though, being that it is targeted at callback endpoints (such as JSONP, etc).
WordPress versions 4.2 through 4.5.1 were also vulnerable to XSS attacks  through MediaElement.js; a third-party media player library. Both security issues in MediaElement.js and Plupload were fixed.


June was, indeed, a very busy month, as there were several security issues affecting WordPress versions 4.5.2 and earlier. Namely:

  • A redirect bypass found in the customizer.
  • Two different XSS problems in attachment filenames.
  • oEmbed denial of service. oEmbed is an API that allows a website to display embedded content.
  • Unauthorized category removal from a post.
  • Password change via stolen cookie.
  • And some edge cases, where the sanitize_file_name function was less secure. This function replaces whitespaces with dashes, and removes special characters from a filename.


WordPress versions 4.6 and earlier were found to be affected by two vulnerabilities. The first one, was another XSS vulnerability (via image filenames) and the second one, was  a path traversal one, found in the upgrade package uploader.  A path traversal vulnerability allows the attacker to access files that are outside the web root folder, such as critical system configuration files etc.

 Your business and sleep are secure with us

Security vulnerabilities pop-up all the time, while tracking and patching them is definitely a full-time job. With Force WP Secure Managed WordPress Hosting, you need not ever worry about that, at all! We ensure that your business stays operational and secure, and your sleeping patterns uninterrupted. Our infrastructure was designed with security as a foundation and not as an afterthought. Here’s some of our measures against the things that go bump in the night:

  1. Incoming malicious queries and attacks are intercepted by our Web Application Firewall.
  2. We implement server-side vulnerability scanning and hacked site cleanup.
  3. Brute-force and DDoS attacks can be effectively blocked on a country-wide level if need be.
  4. Security upgrades are provisioned and rolled automatically without any service disruption.

The One Important Thing we care is you and your enterprise. Your every day thing. And keeping your head free from worrying about hackers or exploits, is fundamental for us.

Related posts