Being the top CMS worldwide is no picnic. WordPress has done an impressive job of becoming the go-to platform to create any kind of website, but its system still comes with some flaws, even though the evolution of the CMS leans towards a flawless model.
The flaws may come from the host of any WordPress website. In November 2021, GoDaddy admitted that over 1.2 million WordPress websites hosted on its platform had their emails and GoDaddy customer numbers exposed. The leak came from third-party software that used a compromised password to access the confidential data of WordPress users.
The flaw may also come from insecure plugins. In February 2022, WPScan revealed that Essential Addons for Elementor, which has over 1 million users, had a vulnerability that enabled any malicious hacker to carry out a local file inclusion attack and grab sensitive user data from there. This flaw may also enable the malicious hacker to achieve remote code execution and eventually take full control of any targeted website. This vulnerability was added to the U.S. Government Vulnerability Database.
Also in February 2022, the plugin PHP Everywhere was identified as vulnerable, as it allowed any user of a WordPress website to inject malicious code that could eventually lead to a takeover. 30 thousand websites used PHP Everywhere. The vulnerability was spotted by Wordfence Threat Intelligence and relies on WordPress's native feature that allows any user of a website to use shortcodes.
These kinds of regrettable events will keep on happening, but the new versions of WordPress diminish the need to use third-party applications and plugins. WordPress 5.9, which was just released, enables full site editing, meaning major plugins like Elementor are becoming less and less necessary to build a beautiful website with no coding skills. WordPress 6.0 is expected to strengthen this feature and also bring multilingual features, making WPML and Polylang a problem of the past.