WordPress is one of the most popular and widely used content management platforms. Known for its ease of use and simple functionality, WordPress relies on plugins to let users add more features to their websites. However, these plugins only stay reliable and secure as long as they are updated on a regular basis.
A zero-day vulnerability can surface in any plugin that has not been updated for a long time or has been abandoned by its developer, in the absence of proper software testing services. With too many plugins deployed on a WordPress website, owners often become complacent and neglect to install regular updates to their plugins.
2019 was a year in which both familiar and unprecedented attacks on WordPress plugins happened. As you know, a new year is also a great time to learn our lessons from the past and move on.
Let’s dive into this list and understand where we could have dodged these attacks, and even if we failed to do so in the past, let’s pledge to be more vigilant and careful in the future.
Here is the list of top exploited plugins of 2019 to help you visualize just how vulnerable your WordPress website was in 2019:
#1 WooCommerce
It is one of the most popular e-commerce plugins for WordPress, with over 4 million active installations, powering more than 30 percent of online stores.
Issue:
The WooCommerce plugin has 19 vulnerability warnings on record dating back to 2019.
It was also affected by multiple additional security vulnerabilities in its plugin extensions. Some of the critical vulnerabilities of WooCommerce include deserialization, XSS, privilege escalation and injection flaws.
Outcome:
One identified flaw allowed any user with ‘Shop Manager’ access to take complete control of an e-commerce website powered by WooCommerce. Unauthorized control of the website led to hacking, user data leaks and the website crashing.
#2 Yoast SEO
Yoast SEO has over 5 million WordPress users and is currently one of the most popular plugins.
Issue:
It has over 10 vulnerability warnings that could cripple the security of your WordPress website. Its vulnerabilities also affect the Yoast team’s Google Analytics plugin.
New flaws are surfacing on a regular basis, including new XSS discoveries and authenticated race condition flaws. Depending on how the plugin is set up, these vulnerabilities allow code execution. The bug was fixed in the Yoast SEO 9.2 version update, but a large number of users are still using version 9.1 or even older.
Outcome:
The flaws mentioned above lead to flawed analytics and prevent marketers from making the right marketing decisions and strategies.
#3 Contact Form 7
Issue:
With over 5 million active users, Contact Form 7 is the second most widely used plugin in the world. Used for designing and customizing contact forms, it is affected by three severe security bugs, including a privilege escalation flaw.
Through this flaw, attackers can upload malicious files into the website’s directory. This vulnerability exposes the website to more dangerous attacks. Even after Contact Form 7 fixed the bug in its current version, only around 30 percent of users have updated the plugin. This means that more than 3.5 million websites are still vulnerable to the privilege escalation vulnerability.
Outcome:
The privilege escalation vulnerability exposes the website to serious security attacks that could affect the framework and data security of the website.
#4 GDPR
Issue:
It has been noted that the GDPR Compliance Plugin (up to version 1.4.2) does not perform capability checks on its internal actions before applying configuration changes. This issue could lead to a major security flaw. Arbitrary option names and values supplied by a malicious user at this point could be written to the options table of the affected WordPress website.
Outcome:
This could lead to unauthorized admin access by changing arbitrary settings. It could allow the registration of new users and the changing of the roles of existing admins of the website. The newly registered users can compromise the website by adding new pages and corrupting the existing content on the website.
#5 AMP
Issue:
WordPress allows plugins to register AJAX hooks that can be called directly through the wp-admin/admin-ajax.php?action=action_name link. However, the issue with this method is that every registered user is allowed to call these AJAX hooks. If the called hook fails to verify the account role of the user, anyone can use all the functions it exposes.
The vulnerability is present in ampforwp_save_steps_data, which is called during the installation wizard to save settings.
Outcome:
The plugin settings allow the admin to place ads and insert custom HTML in the footer or header. However, in the absence of an admin role check, any user is allowed to insert ads, mining scripts and JavaScript malware.
It is a critical security issue for WordPress websites that allow user registration.
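The AMP and GDPR Compliance issues above are the same class of bug: an admin-ajax handler (or internal action) that writes settings without first asking whether the caller is allowed to. The following is an added example, not code from either plugin or from Astra; it uses a hypothetical plugin called "demo-settings" with made-up option names (demo_header_html, demo_footer_html) and shows the unsafe pattern beside the form a defender would expect to see on review. All WordPress API calls used (add_action, current_user_can, check_ajax_referer, update_option, wp_kses_post, wp_create_nonce, wp_localize_script) are real core functions.

```php
<?php
/*
 * Added example for the "demo-settings" plugin (hypothetical; not the AMP,
 * GDPR Compliance or Astra code). Demonstrates why a wp_ajax_* handler that
 * saves settings must check capabilities, a nonce and an allow-list.
 */

// VULNERABLE PATTERN: wp_ajax_* hooks fire for ANY logged-in user, including
// subscribers. This handler never asks who is calling and writes whichever
// option name the request names, so a low-privilege account could change
// options such as default_role or inject HTML into the site header.
function demo_save_setting_unsafe() {
    update_option( $_POST['key'], $_POST['value'] ); // untrusted name and value
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_unsafe' );

// HARDENED FORM: capability check, nonce check, allow-list of option names,
// and sanitization of the value before it is stored.
function demo_save_setting_safe() {
    // 1. Only users who may manage options (administrators by default).
    //    "Logged in" is not a role check; this line is what the AMP bug lacked.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Nonce bound to this action (CSRF protection); dies on failure.
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // 3. Only settings this plugin owns may be written, never arbitrary
    //    option names, which is what the GDPR issue above allowed.
    $allowed = array( 'demo_header_html', 'demo_footer_html' );
    $key     = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }

    // 4. Header/footer HTML is stored through wp_kses_post, which strips
    //    <script> tags and on* event handlers, so mining scripts cannot be
    //    smuggled in even by an administrator's browser being abused.
    $value = isset( $_POST['value'] ) ? wp_kses_post( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $key, $value );
    wp_send_json_success( array( 'key' => $key ) );
}
add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_safe' );

// The nonce checked in step 2 has to be generated server-side and handed to
// the admin page's JavaScript, which then posts it as the "nonce" field.
function demo_enqueue_admin_script() {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_save_setting' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

When auditing a plugin, grep for add_action( 'wp_ajax_ and confirm that every handler reached that way performs its own current_user_can() check in the first few lines; a handler registered under wp_ajax_nopriv_ is reachable without logging in at all and needs the same scrutiny.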
#6 GiveWP
Issue:
GiveWP has over 70,000 installations on WordPress websites. It is one of the most preferred and downloaded plugins for accepting donations, and a go-to plugin for websites looking to raise funds through donations.
The plugin is affected by an authentication bypass vulnerability with information disclosure. Versions 2.5.4 and below are affected by this issue.
Outcome:
If a user sets the key to any meta key value from the wp-username table and then sets the token to the MD5 hash of the selected meta key, the attacker can bypass the access restrictions and gain access to sensitive data, including donor data and financial transactions.
#7 MyBB
Issue:
Previously known as MyBulletinBoard, MyBB is a PHP and MySQL based open-source tool. Some time ago, vulnerabilities were detected in version 1.8.20 and earlier versions. The vulnerabilities include critical stored XSS (Cross-Site Scripting) and RCE (Remote Code Execution).
Outcome:
XSS: It is exploited by sending a private message that contains malicious JavaScript code capable of bypassing the security controls. As soon as the link is opened by the administrator, the hacker gets full access to all user accounts, private threads and messages stored in the board’s database.
RCE: This vulnerability can only be exploited by a user with admin permissions. However, a parsing error in the private messages allows an attacker to gain remote control of the website, and malicious PHP code can be written to the database.
Secure Your Way in 2020
The best way to protect your site is to be proactive with your website’s security. In other words, beat the hacker every time by monitoring, updating, scanning, auditing and patching your vulnerabilities.
Does it look too tedious? Well, it’s not.
When you use a dedicated, multi-use security solution like Astra, it takes away most of your pains. Astra comes with intelligent security tools (including a website firewall, malware scanner, one-click malware removal, security audits, health checks, GDPR, security seal, and more) bundled into a single dashboard.
Besides, never overlook general security best practices such as resetting your passwords, using secure hardware, taking regular backups, and so on.
Following these steps will pave your way to security in 2020 for sure!