HostedScan

use case

WordPress Vulnerability Scanner

Online WordPress security scanner for your website, plugins, and web server.

Team securing a WordPress website

Introducing HostedScan

A powerful online WordPress vulnerability scanner

HostedScan makes it easy to run a powerful set of vulnerability scans for your WordPress websites. While some WordPress scanners focus exclusively on WordPress code and plugins, HostedScan leverages multiple tools to test for both WordPress specific vulnerabilities and a wide range of other website and web server vulnerabilities, such as CVEs, expired certificates, SQL injection, and cross-site scripting.

HostedScan dashboard showing health score, detected risks, recent scans and discovered domains

Ready to start securing a WordPress site now?

Full-stack security

Most common WordPress vulnerabilities and CVEs

Here are 30 of the most frequently detected WordPress vulnerabilities, in the past month.

WordPress CVEs
NumberVulnerabilityCVEs
1
WordPress < 6.5 Private Information Exposure Vulnerability
CVE-2023-5692
2
WordPress Elementor Website Builder Plugin < 3.18.2 RCE Vulnerability
CVE-2023-48777
3
WordPress Elementor Website Builder Plugin < 3.16.5 XSS Vulnerability
CVE-2023-47505
4
WordPress 'wp-cron.php' Accessible/Enabled (HTTP) - Active Check
CVE-2023-22622
5
WordPress Elementor Website Builder Plugin < 3.12.2 SQLi Vulnerability
CVE-2023-0329
6
WordPress Elementor Pro Plugin < 3.11.7 Privilege Escalation Vulnerability
CVE-2023-3124
7
WordPress Yoast SEO Plugin < 20.2.1 XSS Vulnerability
8
WordPress Contact Form 7 Plugin < 5.3.2 RCE Vulnerability
CVE-2020-35489
9
WordPress WooCommerce Plugin < 8.2.0 XSS Vulnerability
CVE-2023-47777
10
WordPress WooCommerce Plugin < 8.3.0 CSRF Vulnerability
CVE-2023-52222
11
WordPress Advanced Custom Fields Pro Plugin < 6.1.6 XSS Vulnerability
CVE-2023-30777
12
WordPress Essential Addons for Elementor Plugin < 5.9.24 XSS Vulnerability
CVE-2024-5189
13
WordPress Essential Addons for Elementor Plugin < 5.9.12 Multiple XSS Vulnerabilities
CVE-2024-2623, CVE-2024-2650
14
WordPress Essential Addons for Elementor Plugin < 5.9.14 Multiple Vulnerabilities
CVE-2024-3018, CVE-2024-2974
15
WordPress Essential Addons for Elementor Plugin < 5.9.16 Multiple XSS Vulnerabilities
CVE-2024-3728, CVE-2024-4003
16
WordPress Essential Addons for Elementor Plugin < 5.9.18 XSS Vulnerability
CVE-2024-4156
17
WordPress Essential Addons for Elementor Plugin < 5.9.20 Multiple XSS Vulnerabilities
CVE-2024-4275, CVE-2024-4448, CVE-2024-4449
18
WordPress Essential Addons for Elementor Plugin < 5.9.21 XSS Vulnerability
CVE-2024-4624
19
WordPress Essential Addons for Elementor Plugin < 5.9.22 XSS Vulnerability
CVE-2024-5073
20
WordPress Essential Addons for Elementor Plugin < 5.9.5 Multiple XSS Vulnerabilities
CVE-2024-0585, CVE-2024-0586
21
WordPress Essential Addons for Elementor Plugin < 5.9.8 XSS Vulnerability
CVE-2024-0954
22
WordPress Essential Addons for Elementor Plugin < 5.8.15 XSS Vulnerability
CVE-2024-5086
23
WordPress UpdraftPlus Plugin < 1.23.11 CSRF Vulnerability
CVE-2023-5982
24
WordPress Advanced Custom Fields Pro Plugin 5.x < 5.12.3 File Upload Vulnerability
CVE-2022-2594
25
WordPress Advanced Custom Fields Plugin < 6.1.6 XSS Vulnerability
CVE-2023-30777
26
WordPress LiteSpeed Cache Plugin < 6.5.2 Privilege Escalation Vulnerability
CVE-2024-50550
27
WordPress Yoast SEO Plugin < 17.3 Information Disclosure Vulnerability
CVE-2021-25118
28
WordPress Essential Addons for Elementor Plugin < 5.8.2 Information Disclosure Vulnerability
CVE-2023-3779
29
WordPress Elementor Page Builder Plugin <= 3.5.5 XSS Vulnerability
CVE-2022-29455
30
WordPress WooCommerce Plugin < 6.6.0 Stored HTML Injection Vulnerability
CVE-2022-2099

Learn more

WordPress architecture overview

It's important to secure the entire external attack surfaces of a WordPress website. These are the components of a typical WordPress deployment:

  • Web server host - The physical or virtual machine(s) which host the WordPress site. e.g. your Digital Ocean or AWS servers.
  • Web server software - Typically Apache Web Server or Nginx.
  • Web application code - WordPress applications are primarily written in PHP which generates HTML code rendered by the browser.
  • Database - Typically MariaDB or MySQL.
  • WordPress plugins - Plugins that add functionality to your WordPress site.
  • SSL/TLS certificates - Certificates to enable secure HTTPS communication.

WordPress and beyond

How can HostedScan help?

HostedScan provides a comprehensive set of vulnerability scans for web applications built with any technologies, including WordPress.

WordPress code and plugins

OpenVAS - tests for WordPress specific vulnerabilities

Web server software

OpenVAS - tests for vulnerable and misconfigured Apache, Nginx, and more

Web server host

OpenVAS - tests for general web server issues such as vulnerable SSH

Web application code and APIs

ZAP - tests for security issues such as SQL injection and XSS

SSL/TLS

SSLyze - tests for misconfigured TLS and issues such as expired certificates

Firewall

Nmap - tests for open ports to ensure databases and other sensitive applications are not publicly accessible

Reporting

Clear and helpful reports. And they look good too!

Ease-of-use

Get started in minutes and add value to your business from the first day.

Benefits of using HostedScan

Strengthen your
cybersecurity
resilience

Mitigate security vulnerabilities

Discover CVEs, OWASP Top 10 vulnerabilities, and exploitable weaknesses across your entire infrastructure. Get prioritized remediation guidance with CVSS scoring and actionable risk classifications—fix what matters first.

Learn more

Manage your risk exposure

With regulations such as GDPR and CCPA, failure to maintain reasonable security procedures is grounds for lawsuits and fines.

Get started

Meet compliance requirements

Vulnerability scanning is essential for your compliance with SOC 2, ISO 27001, cyber insurance, and more.

Learn more

Detect misconfigurations

90% of cyber attacks exploit simple misconfigurations, not zero-days. Detect exposed ports, weak credentials, outdated software, and common security gaps before attackers do—automatically, every day.

Get started

Map your attack surface

Your infrastructure changes constantly. Automatically discover and monitor all websites, servers, networks, and APIs—maintaining complete visibility of your attack surface without manual tracking.

Get started

Our Customers

5,000+ MSPs and IT teams who move faster

BbAmericas
Porsche
ExpediaGroup
WeMakeApps
SibylSoft
Luminary
CoinMe
Appetize
WonderProxy
Median
TaxiCaller
Yamaha
UniversityOfOxford

Speed and power,
without the complexity

The world's leading vulnerability scanners, all in one platform.

Loading call to action