10 Most Vulnerable WordPress Plugins

Dec 23, 2019

10 Most Vulnerable WordPress Plugins

Dec 23, 2019

WordPress plugins are amazing for the functionality, features, and enhancements they bring to your WordPress site. But there is a dark side to these plugins. Like any software, WordPress plugins are vulnerable from time to time.

Vulnerabilities are glitches, flaws or weaknesses in the coding of software. It can enable hackers to break into your WordPress website and take full control. There are many signs of a hacked website. If your site gets hacked, fixing it is a nightmare.

Note: In most cases, vulnerabilities are usually discovered and fixed promptly by developers who created the plugin. The fix comes as a security patch in an update. WordPress users would need to update their software to the new version released by the developers.

Now, you may choose your plugins wisely by checking how many active installations it has or when it was last updated:


plugin details in repo


But even among the popular plugins, we’ve seen multiple instances of vulnerabilities over the years.

What’s worse is millions of users don’t update to the new versions. Maybe they trust that the plugins are safe or maybe they don’t understand that updates may carry security patches. Therefore, you should enable automatic WordPress updates on your site.

Here, we’ve addressed some of the most popular plugins that have had vulnerabilities multiple times – to hopefully encourage users to keep their WordPress websites updated and safe from hackers.


If you worry about the safety of your website due to a vulnerability in a plugin, download and install MalCare. It enables you to update all plugins on your website at once from a centralized dashboard. Plus, it will scan your site for malware or any hack attempts regularly.

Before we delve into the list of vulnerable plugins, we’ll explain what vulnerabilities are and the different types that exist.

WordPress Plugin Vulnerabilities

There are many different kinds of vulnerabilities in WordPress. Here, we touch upon some of the basic ones you should know about:

i. Arbitrary file viewing

A source file is one that contains the list of program instructions and other essential coding data. Generally, plugins have security checks in place to allow viewing of only certain source files. Ones that contain sensitive data are hidden from third-party viewing. Now, if these security measures aren’t in place, hackers will be able to view even sensitive files.

For example, wp-config.php file contains information about your database and the credentials to access it. If hackers get their hands on this information, they can break into your database and inject their own malicious scripts there.

ii. Arbitrary file upload

Some websites allow users to upload their own files such as a profile picture or PDF files. Some plugins lack security measures to check what type of file is being uploaded and what content is in it.

This means instead of uploading a .pdf file, a hacker could upload a .php file that contains executable code. The code could be to create a new admin account or any other type of backdoor that grants them access to your website or web application.

iii. SQL injections

SQL injection is one of the most common vulnerabilities where it exploits areas that send information to the database. It can happen if the plugin does not validate the information that is to be sent to the database such as information filled in forms or the site search bar.

A hacker can insert their own malicious scripts in these inputs. The script will not validate before it passes to the database. Once it is in the database, the malicious code will run. This way, a hacker could create a new admin account, change your password, or even inject spam links.

iv. Privilege escalation

If a hacker is able to get access to any type of user on your site, even if it’s just a subscriber, they can escalate privileges to an administrator. Then they’d get full control of your site.

v. Remote execution evaluation

Cross-site scripting vulnerabilities enable hackers to make changes to seemingly harmless elements such as the post_meta data of images. But in doing so, the hacker can plant their own malicious image. They can also abuse the vulnerability to create new posts or update other posts and images.

 vi. Cross-site scripting (XSS)

Commonly referred to as XSS – cross-site scripting is a type of injection in which hackers add malicious scripts to websites. This commonly happens through vulnerabilities in comments. This hack usually targets website users and not the website itself. However, hackers can use it to deface a site, change the contents, or even redirect users to other sites.

v. Cross-site request forgery (CSRF)

Hackers trick website users into performing unwanted actions on a website. The hacker uses vulnerabilities in the way a website validates the data it receives. Hackers could use this to change passwords, email credentials or even transfer funds! You should always enforce strong passwords on your website.

Now that we’ve seen what vulnerabilities exist in WordPress plugins and how they can affect your site, we’ll detail the list of vulnerable plugins.


10 Popular WordPress Plugins with Vulnerabilities

We’ve picked the top plugins on the market that had multiple vulnerabilities present in them. Note: Most of these vulnerabilities were patched immediately. If you have any of these plugins on your site, update it immediately. You can also choose to delete them if you’re no longer using them.

1. WooCommerce


WooCommerce plugin


WooCommerce is one of the most popular plugins on WordPress, with over 5 million active installations.

The plugin enables WordPress websites to become e-commerce stores. Such websites potentially store both personal and financial data of customers, therefore, the stakes are much higher for these online stores. The plugin is well-maintained, but it too has seen its own share of vulnerabilities. Since 2014, there have been 19 vulnerabilities spotted in the plugin. These vulnerabilities included XSS (Cross-site scripting), SQL injections, and privilege escalation flaws.

One of the flaws discovered in November 2018 showed that anyone with the privilege of ‘shop manager’ could take control of the entire website if it was powered by WooCommerce. Version 3.4.6 carried the fix for this.

However, WooCommerce receives regular updates to its plugin which means security issues are dealt with quickly.

2. Ultimate Member


Ultimate Member plugin


The Ultimate Member plugin enables WordPress site owners to integrate a sign-up option that enables user-profiles and memberships. It’s an open-source software with over 100,000 active installations.

Since 2017, the plugin has seen 13 known vulnerabilities. This included Arbitrary file read and XSS flaws.

One of their biggest vulnerabilities was created if an admin included a file or image upload option into one of the forms on their site. This means users can download any file on the server.

However, it should be noted that the developers are constantly releasing new versions. This means security issues are patched quickly. If you’re using this plugin, make sure you stay up to date on new releases and update it immediately.

3. Yoast SEO


Yoast SEO plugin


Yoast SEO makes SEO straight-forward and easy for site owners. It enables owners to improve the SEO of their pages and posts right from the wp-admin dashboard.

With over 5 million active installations, this plugin is very popular. And rightly so. The plugin has been relatively safe.

However, since 2010, there have been 10 known vulnerabilities in the plugin. Some of these vulnerabilities could potentially allow remote code execution and XSS.

The most recent vulnerability was in version 9.1 that affected users with an ‘SEO Manager’ role enabled. This vulnerability was a more complex and not-so-common issue called race condition. In this, the plugin expects a process to happen in a certain sequence, but when the sequence changes, the vulnerability appears.

The developers released version 9.2 that fixed the vulnerability promptly. But as of November 2019, only 19.5% of Yoast SEO Users are running on the latest version.

4. Ninja Forms


Ninja Forms plugin


Known as the ultimate free contact form for your WordPress site, Ninja Forms has over 1 million active installations.

Over the years, it has seen 10 known vulnerabilities, some of which have fallen in the “Very High Risk” category. These vulnerabilities included XSS, remote code execution, and SQL injections.

Wordfence reported that with the vulnerability found in 2018, all the hacker needed was a URL on the target site that had a form powered by Ninja Forms (version 2.9.36 to 2.9.42).

This issue was patched. But since then, Ninja Forms has released over 10 more security fixes to the plugin.

5. Wordfence


Wordfence plugin


Wordfence has over 2 million active installations and provides firewall and malware scanning services. Though it is a security plugin itself, it must be noted that security web apps are often targeted by hackers.

In the past, the plugin has seen 10 listed vulnerabilities that have been patched. But again, in September 2018, the plugin disclosed multiple new flaws that included XSS vulnerabilities. Version 5.2.3 addressed this flaw.

Even with security plugins, it’s not advisable to set and forget. Site owners should keep all plugins updated.

6. NextGen Gallery


NextGen Gallery plugin


NextGEN Gallery is a popular plugin that enables site owners to display an image gallery or create slideshows. The plugin is popular among photographers, hotels, and bloggers, and has over 1.5 million annual downloads.

The NextGen Gallery plugin has seen a couple of security issues over the years. Between 2017 and 2019, there were 7 vulnerabilities that included XSS, SQL injection, and remote code execution.

But the most recent one occurred in 2019. There was an SQL injection vulnerability wherein hackers could remotely execute commands on sites that had the plugin installed.

Version 3.2.11 was released on 27th August 2019 that fixed the security flaw.

7. JetPack


JetPack plugin


JetPack is an all-in-one general WordPress management tool with over 5 million active installations. The plugin provides a vast range of functionalities and utilities. It manages site functions and the coding, so any vulnerabilities in the plugin could lead to a fully compromised website.

The plugin has seen 5 known vulnerabilities and the most severe flaw was discovered in December 2018. An XSS vulnerability could’ve have been exploited by hackers to inject their own code to compromise the website’s server.

The latest vulnerability in JetPack was the way it processes embed codes. However, on 19th November 2019, JetPack released version 7.9.1 with the patch.

8. All-in-One SEO Pack


All-in-One SEO Pack plugin


This plugin is one of the most popular amongst all plugins and has been around since 2007. It boasts over more than 50 million downloads since its inception, with 2 million active installations.

The plugin has seen 2 known vulnerabilities that were XSS vulnerabilities as well as privilege escalation flaws.

In October 2018, a persistent XSS flaw was reported in version 3.2.6 and below. Using this vulnerability, if an attacker manages to get access to an admin account, they could execute their own codes and compromise the webserver.

Since then, the plugin has been safe. We recommend using only the latest version of this plugin.

9. Elementor


Elementor plugin


One of the most popular drag-and-drop page builders on WordPress, Elementor is wildly popular. It has over 3 million active installations and is a much-loved plugin for the ease it brings in designing web pages.

Elementor saw 2 known vulnerabilities which were privilege escalation flaws in 2017.

These flaws were discovered in the template library, page settings, and history. These flaws were fixed in version 1.8.8 and 1.8.9. Since then, Elementor hasn’t seen any security issues. However, there are at least 17.25% of users who are running on outdated versions of the plugin.

10. Contact Form 7


Contact Form 7 plugin


This plugin allows websites to design and customize their contact forms. The plugin, by default, doesn’t store any personal user data. But site owners can configure the settings to track some amount of data.

So far, there have been 2 known vulnerabilities in the plugin. In September 2018, the plugin disclosed a privilege escalation flaw. It allowed attackers to upload malicious files into the website’s directory. While this doesn’t cause serious damage, it opens up the door to more severe hacks.

Though the number of vulnerabilities is low, we featured this plugin because it has over 5 million users. A patch was released in Version 5.0.4, but as of November 2019, there are about 22% of users that have not updated the plugin on their site. This leaves millions of WordPress websites vulnerable to attacks.


Security Measures to take against Plugin Vulnerabilities in WordPress

To avoid vulnerabilities in plugins, we recommend using only trusted plugins. Check to see how many active installations it has and when it was last updated. This is indicative of whether the plugin is being maintained and updated regularly.


plugin last updated and active installation details


But as we can see from the list above, many popular and trusted plugins face vulnerabilities too. So you need to take your own security measures against such vulnerabilities. You can do this by implementing four main steps:

  • Install a Security Plugin

Always keep a reliable security plugin like MalCare active on your website. It will scan your site for malware at regular intervals. And it’ll alert you of any suspicious activity on your website immediately. Plus, your website will have a firewall to block any known hack attempts and known malicious IP addresses trying to access your site.

  • Always Update Your Site

Developers roll out updates regularly for the WordPress core, themes, and plugins. These updates enhance functionality, fix any glitches or bugs, add new features, etc. But more importantly, these updates could carry security patches that will seal any vulnerabilities present. It’s extremely important to update your site regularly.

If you find WordPress updates to be difficult, refer to our guide on How to Safely Update Your WordPress Site.

  • Implement Website Hardening

WordPress recommends you take certain security measures on your website that will help reduce the risk of attacks. This includes disabling the file editor in themes and plugins, using strong credentials, resetting passwords for all users, and changing security keys and salts.

Now, this may all seem like jargon, so we’ve created an extensive guide on WordPress Site Hardening.

  • Don’t Use Pirated Plugins

Never ever use pirated or cracked versions of plugins. It may give you access to premium features for free, but these plugins can compromise your website. This is because they come with malware embedded in them.

  • Delete Inactive Themes & Plugins

Delete unused themes and plugins. Many times, as site owners, we build up a huge list of plugins that we don’t use. The more plugins and themes you have installed on your site the more chances hackers have of breaking in.

It’s advisable to keep only your active theme, the rest can be deleted. With plugins, keep the ones you need and the rest can be uninstalled.


Concluding Thoughts

It’s not uncommon to see software having vulnerabilities and security issues. It happens all the time. If you find out that a plugin you’re using has an application security flaw. Update it immediately to the latest version.

If you think your WordPress site is hacked, we recommend installing MalCare on your site. It will scan your site and find the hack if present. You can then auto-clean your website with just a click of a button. This eliminates any need for panic and stress!

Keep your WordPress secure and fortified against hackers!

Try our MalCare Security Plugin