According to Common Vulnerabilities and Exposures and The Free and Open Software Security Community here are the main current security issues with WordPress. The known issues are in plugins and one theme. The WordPress Application itself (the Core) does not have any know issues at this time. The plugin names in bold are ones I’ve used.
If you have any of these plugins, you should 1) backup your WordPress website (I use WP Updraft for that) then 2) update your plugins. If you use WP Like Button or One Signal you should remove these plugins and switch to something else.
| Plugin or Theme | Affected Version (or before in most cases) | Issue Type | Required Action |
|---|---|---|---|
| Yoast SEO | 11.5 | XSS | Upgrade |
| WooCommerce | 3.6.4 | XSS | Upgrade |
| Ad Inserter | 2.4.19 | Restricted directory access | Upgrade |
| WP Statistics | 12.6.6.1 | SQL Injection | Upgrade |
| Visitors Traffic Real Time Statistics | 2.0.5 | XSS | Upgrade |
| Essential Real Estate | 1.7.1 | XSS | Upgrade |
| Appointment Booking Calendar | 1.3.18 | XSS | Upgrade |
| Gallery PhotoBlocks | 1.1.40 | XSS | Upgrade |
| Slimstat Analytics | 4.8.3 | XSS | Upgrade |
| WP Google Maps | 7.11.34 | XSS | Upgrade |
| LiveChat | 3.7.2 | XSS | Upgrade |
| Icegram | 1.10.28.2 | XSS | Upgrade |
| WP Like Button | 1.6.4 | Site Access | Remove |
| File Manager | 5.0 | WebARX | Upgrade |
| Newsletters | 4.6.16 | XSS | Upgrade |
| One Click SSL | 1.4.6 | AJAX Access | Upgrade |
| Ultimate Member | 2.0.51 | XSS | Upgrade |
| FV Flowplayer Video Player | 7.3.18.727 | SQL Injection | Upgrade |
| Zoner – Real Estate WordPress Theme | 4.1 | XSS | Upgrade |
| One Signal | 1.17.5 | XSS | Remove |
| All-in-One WP Migration | 6.97 | XSS | Upgrade |
| WPS Hide Login | 1.5.2.2 | Bug | Upgrade |
| Photo Gallery by 10Web | 1.5.30 | SQL Injection | Upgrade |
| Email Subscribers & Newsletters | 4.1.7 | SQL Injection | Upgrade |
| Contact Form & SMTP Plugin for WordPress | 1.5.1 | XSS | Upgrade |
| Everest Forms | 1.4.9 | SQL Injection | Upgrade |
| Adaptive Images for WordPress | 0.6.66 | Pull or Delete you files | Upgrade |
| AdRotate Banner Manager | 5.2 | SQL Injection | Upgrade |
| Contact Form 7 Dynamic Text Extension | 2.0.2.1 | XSS | Upgrade |
| Blog2Social: Social Media Auto Post & Scheduler | 5.5.0 | SQL Injection | Upgrade |
| Simple Membership | 3.8.4 | XSS | Upgrade |
| Advanced Contact form 7 DB | 1.6.1 | SQL Injection | Upgrade |
| Coming Soon Page & Maintenance Mode | 1.8.0 | XSS | Upgrade |
| WordPress Ultra Simple Paypal Shopping Cart | 4.4 | XSS | Upgrade |
| Category Specific RSS feed Subscription | 4.4 | XSS | Upgrade |
| Appointment Hour Booking | 1.1.45 | XSS | Upgrade |
