Top 8 most vulnerable WordPress Plugins of 2020

One of the most preferred and popular CMSs (Content Management Platforms) across the globe is WordPress. The tool is widely known for its intuitiveness, usability, functionality and ease of use. It has leveraged a plethora of plugins, to enable users to add additional features to their websites. However, vulnerability being a major issue these customized plugins stay safe, secure and reliable only until they don’t face an external threat and are being updated on an ongoing basis. These commonly occurring threats can be easily resolved by scrutinizing your website with state-of-the-art security and cloud testing services

The 0-Day threat is one certain scenario that is prone to attack any plugin that has not been updated over a prolonged period of time. No update cases are also possible when the application is abandoned or not attended by the developer or tester due to the absence of any service or resource. Often several plugins are deployed on a website, that is built on WordPress and the owners turn down as too lethargic to ignore the vulnerability threat and regular plugin updates. In order to find out how vulnerable your WordPress based website is, let’s check out the list of the most exploited plugins of WordPress in 2019.


With over 2 million active installations, Wordfence provides active firewall and malware scanning services. However, Wordfence itself is a security plugin, it has been exploited and targeted very frequently by hackers.


WooCommerce enjoys 4 million+ active installations and is definitely one of the most popular eCommerce plugins of WordPress. As of 2019 the WooCommerce plugin has approximately 19 plugin vulnerability warnings.

WooCommerce also got affected by several unknown security vulnerabilities for its plugin extensions. Some of its crucial vulnerabilities included SQL Injection, privilege escalation flaws, deserialization and XSS (Cross-Site Scripting). Out of several loopholes ones of the identified flaws allowed any random user with ‘Shop Manager’ access to gain complete control of the eCommerce website that was powered by WooCommerce. As a result, the unauthorized breach gained control of the website, thus leading to hacking, leakage of private data and crashes.


Popularly known as MyBulletinBoard, MyBB is an open-source tool based on MySQL & PHP. Back in 2019 MyBB’s version 1.8.20 was diagnosed with certain vulnerabilities which included RCE (Remote-code Execution) and XSS (Cross-Site Scripting). The RCE vulnerability was only exploited by administrator access, in-case of parsing errors it gave remote access of the website to the unauthorized admin and allowed the installation of malicious PHP codes into the database.

The XSS vulnerability was exploited by malicious JS code sent through a private message, which was actively able to bypass the security. Soon as the link was accessed by the admin the attacker gained complete access to every user account, private threads and every message stored in the database

Contact Form 7

Contact Form 7 has an active user base of more than 5 million and is the 2nd most preferred plugin over the globe. Contact Form 7 was heavily used for customizing and designing purposes and was affected by 3 severe security flaws which included the privilege escalation flaw. The flaw allowed the attackers to send malware straight into the website’s directory. It exposed the site to even dangerous threats. Although the bug has been fixed in the latest version of Contact Form 7, still almost 30% of the plugin users have not updated with and are open to risks. The 30% of the users constitute almost 3.5 million+ websites, which means almost this no. of websites are still vulnerable to privilege escalation flaw. This privilege escalation threat still has the capability to directly impact the framework and website’s data security.

Yoast SEO

A popular WordPress plugin with 5 million+ users. Yoast SEO has more than 10 severe vulnerability plugins that have the capability to cripple the security architecture of your WordPress based website. The vulnerabilities are so severe that it has also affected the team’s Google analytics.

The current vulnerabilities of Yoast SEO floating in the market include race condition flaws and XSS discoveries. These allow code execution according to the plugin setup. This particular vulnerability got fixed in the updated version Yoast SEO 9.2, however, as mentioned earlier a majority of the users have still been using the outdated or previous versions. The flaw impacted the analytics result which hampered the productivity of the users.


WordPress significantly allows its users to register their ajax hooks with direct call functions wp-admin/admin-ajax.php?action=action_name link. But one significant issue with this particular method is that the registered users are allowed to call the ajax hooks. Due to which the called hook by the user fails to determine the role of the user account, which makes it such that any random user can utilize the available function to gain complete access.

The setting flaw also allows the current user to place ads and insert custom HTML. Also, if the original administrator is found to be absent it grants access for ad insertion, JS malware and mine scripts to any random logged in user.


With more than 70K installations on WordPress websites, GiveWP is a popular choice plugin. The plugin is leveraged for making and accepting donations. Majorly utilized by websites that look forward to raising funds through public donations. The plugin was affected with a vulnerability authentication bypass which resulted in information disclosure.

The plugin version 2.5.4 or below was severely affected and as a result, soon as the user sets the key from the wp-username table the token is set for the corresponding MD5 hash. This results in the exploitation of the standpoints and gives access to critical information regarding payments and data.

Visual CSS Style Editor

Popularly known as Yellow Pencil Visual Theme Customizer, the plugin faced vulnerability in version 7.1.9 which risked almost 30,000 websites. The yellow-pencil.php file that handles the function responsible for checking parameters was triggering privilege escalation. As a result, the hackers got access to redirect the homepage and gained complete admin access to the website.