WordPress Vulnerability Scanner

Online WordPress security scanner for your website, plugins, and web server.

Introducing HostedScan

A powerful online WordPress vulnerability scanner

HostedScan makes it easy to run a powerful set of vulnerability scans for your WordPress websites. While some WordPress scanners focus exclusively on WordPress code and plugins, HostedScan leverages multiple tools to test for both WordPress-specific vulnerabilities and a wide range of other website and web server vulnerabilities, such as CVEs, expired certificates, SQL injection, and cross-site scripting.


Most common WordPress vulnerabilities and CVEs

Here are 30 of the most frequently detected WordPress vulnerabilities in the past month.

| # | Vulnerability | CVEs |
|---|---------------|------|
| 1 | WordPress < 6.5 Private Information Exposure Vulnerability | CVE-2023-5692 |
| 2 | WordPress Elementor Website Builder Plugin < 3.18.2 RCE Vulnerability | CVE-2023-48777 |
| 3 | WordPress Elementor Website Builder Plugin < 3.16.5 XSS Vulnerability | CVE-2023-47505 |
| 4 | WordPress 'wp-cron.php' Accessible/Enabled (HTTP) - Active Check | CVE-2023-22622 |
| 5 | WordPress Elementor Website Builder Plugin < 3.12.2 SQLi Vulnerability | CVE-2023-0329 |
| 6 | WordPress Elementor Pro Plugin < 3.11.7 Privilege Escalation Vulnerability | CVE-2023-3124 |
| 7 | WordPress Yoast SEO Plugin < 20.2.1 XSS Vulnerability | |
| 8 | WordPress Contact Form 7 Plugin < 5.3.2 RCE Vulnerability | CVE-2020-35489 |
| 9 | WordPress WooCommerce Plugin < 8.2.0 XSS Vulnerability | CVE-2023-47777 |
| 10 | WordPress WooCommerce Plugin < 8.3.0 CSRF Vulnerability | CVE-2023-52222 |
| 11 | WordPress Advanced Custom Fields Pro Plugin < 6.1.6 XSS Vulnerability | CVE-2023-30777 |
| 12 | WordPress Essential Addons for Elementor Plugin < 5.9.24 XSS Vulnerability | CVE-2024-5189 |
| 13 | WordPress Essential Addons for Elementor Plugin < 5.9.12 Multiple XSS Vulnerabilities | CVE-2024-2623, CVE-2024-2650 |
| 14 | WordPress Essential Addons for Elementor Plugin < 5.9.14 Multiple Vulnerabilities | CVE-2024-3018, CVE-2024-2974 |
| 15 | WordPress Essential Addons for Elementor Plugin < 5.9.16 Multiple XSS Vulnerabilities | CVE-2024-3728, CVE-2024-4003 |
| 16 | WordPress Essential Addons for Elementor Plugin < 5.9.18 XSS Vulnerability | CVE-2024-4156 |
| 17 | WordPress Essential Addons for Elementor Plugin < 5.9.20 Multiple XSS Vulnerabilities | CVE-2024-4275, CVE-2024-4448, CVE-2024-4449 |
| 18 | WordPress Essential Addons for Elementor Plugin < 5.9.21 XSS Vulnerability | CVE-2024-4624 |
| 19 | WordPress Essential Addons for Elementor Plugin < 5.9.22 XSS Vulnerability | CVE-2024-5073 |
| 20 | WordPress Essential Addons for Elementor Plugin < 5.9.5 Multiple XSS Vulnerabilities | CVE-2024-0585, CVE-2024-0586 |
| 21 | WordPress Essential Addons for Elementor Plugin < 5.9.8 XSS Vulnerability | CVE-2024-0954 |
| 22 | WordPress Essential Addons for Elementor Plugin < 5.8.15 XSS Vulnerability | CVE-2024-5086 |
| 23 | WordPress UpdraftPlus Plugin < 1.23.11 CSRF Vulnerability | CVE-2023-5982 |
| 24 | WordPress Advanced Custom Fields Pro Plugin 5.x < 5.12.3 File Upload Vulnerability | CVE-2022-2594 |
| 25 | WordPress Advanced Custom Fields Plugin < 6.1.6 XSS Vulnerability | CVE-2023-30777 |
| 26 | WordPress LiteSpeed Cache Plugin < 6.5.2 Privilege Escalation Vulnerability | CVE-2024-50550 |
| 27 | WordPress Yoast SEO Plugin < 17.3 Information Disclosure Vulnerability | CVE-2021-25118 |
| 28 | WordPress Essential Addons for Elementor Plugin < 5.8.2 Information Disclosure Vulnerability | CVE-2023-3779 |
| 29 | WordPress Elementor Page Builder Plugin <= 3.5.5 XSS Vulnerability | CVE-2022-29455 |
| 30 | WordPress WooCommerce Plugin < 6.6.0 Stored HTML Injection Vulnerability | CVE-2022-2099 |

Ready to start securing a WordPress site now?

Run a free online WordPress vulnerability scan to see the power of HostedScan.


WordPress architecture overview

It's important to secure the entire external attack surface of a WordPress website. These are the components of a typical WordPress deployment:

  • Web server host - The physical or virtual machine(s) that host the WordPress site, e.g. your DigitalOcean or AWS servers.
  • Web server software - Typically Apache Web Server or Nginx.
  • Web application code - WordPress applications are primarily written in PHP, which generates the HTML rendered by the browser.
  • Database - Typically MariaDB or MySQL.
  • WordPress plugins - Plugins that add functionality to your WordPress site.
  • SSL/TLS certificates - Certificates to enable secure HTTPS communication.

WordPress and beyond

How can HostedScan help?

HostedScan provides a comprehensive set of vulnerability scans for web applications built with any technology, including WordPress.

| Requirement | HostedScan solution |
|-------------|---------------------|
| WordPress code and plugins | OpenVAS - tests for WordPress-specific vulnerabilities |
| Web server software | OpenVAS - tests for vulnerable and misconfigured Apache, Nginx, and more |
| Web server host | OpenVAS - tests for general web server issues such as vulnerable SSH |
| Web application code and APIs | ZAP - tests for security issues such as SQL injection and XSS |
| SSL/TLS | SSLyze - tests for misconfigured TLS and issues such as expired certificates |
| Firewall | Nmap - tests for open ports to ensure databases and other sensitive applications are not publicly accessible |
| Reporting | Clear and helpful reports. And they look good too! |
| Ease-of-use | Get started in minutes and add value to your business from the first day. |

Trusted by teams who require high-quality scans at speed

BbAmericas
Porsche
ExpediaGroup
WeMakeApps
SibylSoft
Luminary
CoinMe
Appetize
WonderProxy
Median
TaxiCaller
Yamaha
UniversityOfOxford

See the Power of HostedScan

HostedScan enables companies to meet compliance and security goals.