WPScan's new 2024 WordPress Vulnerability Trends report brings to light important trends that WordPress webmasters (and SEOs) need to be aware of in order to stay ahead and better secure their websites.
The report emphasizes that although the share of critical vulnerabilities is low (just 2.38%), this finding should not reassure website owners. Almost 20% of reported vulnerabilities are rated high or critical, while medium-severity vulnerabilities make up the majority (67.12%). It is important to realize that medium-severity vulnerabilities should not be ignored, since a skilled attacker can still exploit them.
The report does not blame users for malware and vulnerabilities. However, it points out that some mistakes by webmasters make it easier for attackers to exploit vulnerabilities.
An important finding is that 22% of reported vulnerabilities require no user credentials at all, or only subscriber-level credentials, which makes them particularly dangerous. By contrast, vulnerabilities that require administrator rights to exploit account for 30.71% of reported vulnerabilities.
The report also highlights the dangers of stolen passwords and nulled plugins. Weak passwords can be cracked with brute-force attacks, while nulled plugins, which are essentially pirated copies of premium plugins with their licensing checks removed, often contain backdoors that allow malware to be installed.
It is also important to note that Cross-Site Request Forgery (CSRF) accounts for 24.74% of the vulnerabilities that require administrative privileges. CSRF attacks rely on social engineering to trick an administrator into clicking a malicious link, so that an action is performed with the administrator's privileges and the attacker gains administrator-level access.
According to the WPScan report, the most common type of vulnerability requiring little or no user authentication is Broken Access Control (84.99%). This class of vulnerability allows an attacker to obtain privileges higher than those they legitimately hold. Another common type is SQL injection (20.64%), which can allow attackers to read or tamper with the WordPress database.
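The two categories above, CSRF against administrators and Broken Access Control, often come down to the same two missing checks in a plugin's request handler. The following is an added illustration, not code from the WPScan report or from any real plugin: a hypothetical admin-post handler that saves a plugin option (assumed option key `myplugin_api_endpoint`, assumed action name `myplugin_save`), shown first without the checks and then hardened with WordPress's own nonce and capability APIs.

```php
<?php
// Added example, not from the WPScan report. Option key, action name and
// function names are assumptions for illustration only.

// BEFORE: trusts any request that reaches admin-post.php.
// No nonce            -> a logged-in administrator lured onto a crafted page can be
//                        made to submit this request (CSRF, the 24.74% category).
// No capability check -> any logged-in user, even a subscriber, can change the
//                        option (Broken Access Control, the 84.99% category).
function myplugin_save_vulnerable() {
    update_option('myplugin_api_endpoint', $_POST['endpoint']);
    wp_safe_redirect(admin_url('options-general.php?page=myplugin'));
    exit;
}

// AFTER: verify intent (nonce) and authority (capability) before acting.
function myplugin_save_hardened() {
    // Dies with a 403 unless the request carries a valid nonce for this action.
    check_admin_referer('myplugin_save');
    // Rejects users without the capability, regardless of how they reached here.
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to change this setting.'), '', 403);
    }
    // Unslash and sanitize before storing; never trust raw $_POST values.
    $endpoint = isset($_POST['endpoint'])
        ? esc_url_raw(wp_unslash($_POST['endpoint']))
        : '';
    update_option('myplugin_api_endpoint', $endpoint);
    wp_safe_redirect(admin_url('options-general.php?page=myplugin'));
    exit;
}
add_action('admin_post_myplugin_save', 'myplugin_save_hardened');

// The settings form must emit the matching nonce field for check_admin_referer().
function myplugin_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <?php wp_nonce_field('myplugin_save'); ?>
        <input type="hidden" name="action" value="myplugin_save">
        <input type="url" name="endpoint"
               value="<?php echo esc_attr(get_option('myplugin_api_endpoint', '')); ?>">
        <?php submit_button(__('Save')); ?>
    </form>
    <?php
}
```

When reviewing a plugin, a handler registered via `admin_post_*`, `wp_ajax_*` or the REST API that calls `update_option()` or similar state-changing functions without both a nonce verification and a `current_user_can()` check is the pattern to flag.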