Common WordPress Vulnerabilities Leading to RCE
Vulnerable Plugins and Themes
Many WordPress plugins and themes have security flaws that can be exploited by attackers to execute arbitrary code. Some common issues include:
Unvalidated input: Accepting user-controlled input without validation or sanitization.
File upload vulnerabilities: Uploading malicious PHP files disguised as images.
Deserialization attacks: Exploiting PHP object injection vulnerabilities.
Example Exploit
A vulnerable plugin may allow an attacker to upload a .php file disguised as an image; if the web server executes that file when it is later requested, the attacker gains shell access to the server.
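As an added example (this is not code from the original article), the following POSIX shell function applies the checks a defender would run on an uploaded "image" before storing it, independently of whatever filtering WordPress itself performs: a single allow-listed extension, a matching magic number, and no PHP open tag anywhere in the body. The function names, the allow-list and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Defender-side validation of a
# file that claims to be an image, independent of WordPress's own filtering.
# Function names, the allow-list and the constructed sample files are this
# example's assumptions.

# Return 0 only if the file passes all three checks:
#   1. the name has exactly one allow-listed image extension (no shell.php.jpg),
#   2. the first bytes are that format's magic number,
#   3. the body contains no PHP open tag (catches image/PHP polyglots).
is_safe_image_upload() {
    f=$1
    name=$(basename "$f" | tr 'A-Z' 'a-z')

    # Any PHP-ish extension anywhere in the name is rejected outright.
    case "$name" in
        *.php*|*.phtml*|*.phar*) return 1 ;;
    esac

    # The claimed extension decides which magic number we expect (hex).
    case "$name" in
        *.jpg|*.jpeg) want=ffd8ff ;;
        *.png)        want=89504e470d0a1a0a ;;
        *.gif)        want=47494638 ;;
        *)            return 1 ;;
    esac

    # Read up to 8 bytes as hex and require the expected prefix.
    magic=$(od -An -tx1 -N 8 "$f" | tr -d ' \n')
    case "$magic" in
        "$want"*) ;;
        *) return 1 ;;
    esac

    # A genuine image header can still be followed by PHP source.
    if grep -q -F -e '<?php' -e '<?=' "$f"; then
        return 1
    fi
    return 0
}

# Constructed samples: one genuine image signature and three disguised files.
make_samples() {
    dir=$(mktemp -d)
    printf '\211PNG\r\n\032\n....IHDR' > "$dir/photo.png"                   # valid PNG signature
    printf '<?php echo "not an image"; ?>' > "$dir/avatar.jpg"             # PHP with image extension
    printf '\211PNG\r\n\032\n....IHDR<?php echo 1; ?>' > "$dir/poly.png"   # PNG header, PHP body
    printf '\211PNG\r\n\032\n' > "$dir/shell.php.png"                     # double extension
    echo "$dir"
}

run_demo() {
    dir=$(make_samples)
    for f in "$dir"/*; do
        if is_safe_image_upload "$f"; then echo "ACCEPT $f"; else echo "REJECT $f"; fi
    done
    rm -rf "$dir"
}
run_demo
```

Only photo.png is accepted; the other three are rejected for different reasons (wrong magic number, PHP tag after a valid header, double extension). The extension check is deliberately strict because some Apache configurations will hand a file named shell.php.png to the PHP handler.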
Unpatched WordPress Core
WordPress frequently releases security updates to patch vulnerabilities, but outdated installations remain exposed to known exploits, including PHP object injection and SQL injection, that can lead to RCE.
Example Exploit
In 2021, an authenticated RCE vulnerability was discovered in the REST API that allowed attackers to execute arbitrary commands if they had contributor access.
Weak File Permissions
Improper file permissions on the WordPress installation can allow attackers to modify core files, upload malicious scripts, or execute commands remotely. Common mistakes include:
Setting wp-config.php to 777 permissions (readable and writable by every user on the host).
Allowing execution of files in the uploads directory.
Example Exploit
An attacker gains write access to the uploads directory and places a backdoor PHP shell there; because the directory allows PHP execution, the shell gives them RCE.
Insecure Hosting Configuration
Many WordPress hosting environments have misconfigurations that increase the risk of RCE, such as:
Running outdated PHP versions.
Exposing sensitive files (.env, backup.sql).
Allowing direct execution of scripts in writable directories.
Example Exploit
Attackers target poorly secured wp-config.php files to extract database credentials and inject malicious PHP code.
How to Protect Your WordPress Site from RCE
Keep WordPress, Plugins, and Themes Updated
Regularly update your WordPress core, plugins, and themes.
Remove unused plugins and themes to reduce attack surfaces.
Use a Web Application Firewall (WAF)
Implement a WAF such as Cloudflare, Sucuri, or Wordfence to block malicious requests.
Restrict access to admin panels using IP whitelisting.
Harden File and Server Permissions
Set correct file permissions:
wp-config.php → 400
Directories → 755
Files → 644
Disable PHP execution in wp-content/uploads/ and wp-includes/.
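The permission scheme above, applied and then audited, as an added example that is not part of the original article. The script also drops an Apache .htaccess into the uploads directory to deny PHP execution there. The function names and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: apply the permission scheme
# the article recommends to a WordPress tree, block PHP execution under
# uploads, and audit the result. Function names and the sample tree are
# this example's assumptions.

# Directories 755, files 644, wp-config.php 400 (as the article lists).
# 400 assumes PHP runs as the file's owner; when the web server runs as a
# separate user in the owner's group, 440 is the usual alternative.
harden_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 400 "$root/wp-config.php"; fi

    # Deny PHP execution in uploads. Apache 2.4 syntax; it only takes effect
    # where AllowOverride permits .htaccess. On nginx the equivalent is a
    # "location ~* ^/wp-content/uploads/.*\.php$ { deny all; }" block.
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$root/wp-content/uploads/.htaccess"
}

# Number of entries under the tree writable by "other" (expect 0).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# True only if wp-config.php has neither a group nor an other read bit.
wp_config_is_private() {
    [ -z "$(find "$1/wp-config.php" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# PHP files under uploads are a red flag even when execution is denied.
php_files_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) | wc -l | tr -d ' '
}

# Constructed sample tree reproducing the two mistakes the article lists.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024" "$d/wp-includes"
    printf '<?php // constructed wp-config.php\n' > "$d/wp-config.php"
    printf '<?php // constructed index.php\n' > "$d/index.php"
    printf 'x' > "$d/wp-content/uploads/2024/pic.jpg"
    printf '<?php // planted file\n' > "$d/wp-content/uploads/2024/cache.php"
    chmod 777 "$d/wp-config.php"          # world-writable config
    chmod 777 "$d/wp-content/uploads"     # world-writable uploads directory
    echo "$d"
}

run_demo() {
    site=$(make_sample_site)
    echo "before: world-writable entries = $(count_world_writable "$site")"
    harden_wp_perms "$site"
    echo "after:  world-writable entries = $(count_world_writable "$site")"
    if wp_config_is_private "$site"; then echo "wp-config.php is owner-only"; fi
    echo "PHP files under uploads (should be 0): $(php_files_in_uploads "$site")"
    rm -rf "$site"
}
run_demo
```

Run the audit functions on a schedule rather than once: a plugin update or a careless SFTP client can silently widen permissions again, and a PHP file appearing under uploads is worth an alert even when the .htaccess deny is in place.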
Implement Security Headers
Enable Content Security Policy (CSP) to prevent script injection.
Use HTTP headers like X-Frame-Options, X-XSS-Protection, and Strict-Transport-Security.
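Setting the headers is only half the job; verifying that they actually reach the browser with sane values is the other half. As an added example (not from the original article), the script below parses a captured response header block, the text that curl -sI prints, and reports headers that are missing or weakly configured. The two sample responses are constructed, and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: check a captured response
# header block (what "curl -sI https://<site>/" prints) for the headers the
# article recommends and for weak values. The sample responses below are
# constructed; function names are this example's assumptions.

# Print the value of one header (name matched case-insensitively) read from stdin.
header_value() {
    lname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v name="$lname" '
        { line = $0; sub(/\r$/, "", line) }
        index(tolower(line), name ":") == 1 {
            v = substr(line, length(name) + 2)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }'
}

# One line per finding (MISSING or WEAK); exit 0 only when there are none.
check_security_headers() {
    hdrs=$(cat)
    findings=0
    # X-XSS-Protection is included because the article names it; it is
    # obsolete in current browsers, and where it is sent the recommended
    # value is 0 (the legacy filter introduced its own problems).
    for h in Content-Security-Policy X-Frame-Options X-XSS-Protection Strict-Transport-Security; do
        v=$(printf '%s\n' "$hdrs" | header_value "$h")
        if [ -z "$v" ]; then
            echo "MISSING $h"
            findings=$((findings + 1))
        fi
    done

    # HSTS without a max-age of at least a year gives little protection.
    hsts=$(printf '%s\n' "$hdrs" | header_value Strict-Transport-Security)
    if [ -n "$hsts" ]; then
        maxage=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        if [ -z "$maxage" ] || [ "$maxage" -lt 31536000 ]; then
            echo "WEAK Strict-Transport-Security: max-age below one year ($hsts)"
            findings=$((findings + 1))
        fi
    fi

    # A CSP that permits inline or eval'd script does not stop script injection.
    csp=$(printf '%s\n' "$hdrs" | header_value Content-Security-Policy)
    case "$csp" in
        *unsafe-inline*|*unsafe-eval*)
            echo "WEAK Content-Security-Policy: permits unsafe-inline or unsafe-eval"
            findings=$((findings + 1)) ;;
    esac

    xfo=$(printf '%s\n' "$hdrs" | header_value X-Frame-Options | tr 'a-z' 'A-Z')
    case "$xfo" in
        ""|DENY|SAMEORIGIN) ;;
        *)  echo "WEAK X-Frame-Options: unexpected value ($xfo)"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed responses: a typical default install and a hardened one.
weak_response() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=300
EOF
}

hardened_response() {
cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Frame-Options: DENY
X-XSS-Protection: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains
EOF
}

echo "default install:"; weak_response | check_security_headers
echo "hardened:";        hardened_response | check_security_headers && echo "no findings"
```

Against a live site you would pipe `curl -sI https://<your-site>/` into check_security_headers; the default-install sample produces three findings (no CSP, no X-Frame-Options, a 300-second HSTS max-age), the hardened sample none.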
Regular Security Audits and Monitoring
Use security scanners like WPScan, Sucuri, and MalCare.
Monitor server logs for suspicious activity.
Set up real-time alerts for unexpected file changes.
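The two monitoring points above (log review and alerting on file changes), as an added example that is not part of the original article: a hashed file manifest that is compared against a saved baseline, and an access-log filter that flags requests a hardened site should never serve. The functions, the sample tree and the sample log lines are constructed for this example; the addresses are from documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original article: a file-change baseline and an
# access-log check covering the monitoring points the article lists. The
# functions, the sample tree and the sample log lines are constructed for
# this example (the IP addresses are documentation ranges).

# Hash every regular file under a tree into "hash  ./path" lines, sorted by
# path so two manifests can be compared. Paths containing spaces are not
# handled by the awk field split below.
make_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then hasher="sha256sum"; else hasher="shasum -a 256"; fi
    (cd "$1" && find . -type f -exec $hasher {} + | sort -k2)
}

# Compare a saved baseline manifest with the tree as it is now and print one
# ADDED / REMOVED / CHANGED line per difference.
diff_manifest() {
    baseline=$1; root=$2
    cur=$(mktemp)
    make_manifest "$root" > "$cur"
    awk 'FNR == 1 { fileno++ }
         fileno == 1 { base[$2] = $1; next }
         { now[$2] = $1 }
         END {
             for (p in base) if (!(p in now)) print "REMOVED " p
             for (p in now) {
                 if (!(p in base)) print "ADDED " p
                 else if (base[p] != now[p]) print "CHANGED " p
             }
         }' "$baseline" "$cur" | sort
    rm -f "$cur"
}

# Flag access-log requests a hardened site should never serve: PHP under
# uploads, and probes for the sensitive files the article names (.env,
# backup.sql, wp-config.php copies). Expects combined log format on stdin;
# the request path is the seventh whitespace-separated field.
flag_suspicious_requests() {
    awk '{ req = $7 }
         req ~ /^\/wp-content\/uploads\/.*\.ph(p[0-9]*|tml|ar)([?]|$)/ { print "UPLOADS-PHP " $1 " " req; next }
         req ~ /(^|\/)(\.env|backup\.sql|wp-config\.php([.~]|$))/       { print "SENSITIVE-FILE " $1 " " req; next }'
}

# Constructed sample tree and the baseline taken while it is known-good.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php // constructed core file\n' > "$d/index.php"
    printf 'x' > "$d/wp-content/uploads/a.jpg"
    echo "$d"
}

# What a compromise typically leaves behind: an edited core file and a new
# PHP file under uploads.
tamper_sample_site() {
    printf '<?php // modified\n' > "$1/index.php"
    printf '<?php // dropped file\n' > "$1/wp-content/uploads/x.php"
}

# Constructed access-log lines: normal traffic plus three that should alert.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-content/uploads/2024/03/cache.php?x=1 HTTP/1.1" 200 78 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-config.php.bak HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
EOF
}

run_demo() {
    site=$(make_sample_site)
    base=$(mktemp)
    make_manifest "$site" > "$base"
    tamper_sample_site "$site"
    echo "file changes since baseline:"
    diff_manifest "$base" "$site"
    echo "suspicious requests:"
    sample_log | flag_suspicious_requests
    rm -rf "$site" "$base"
}
run_demo
```

Keep the baseline manifest off the web server (or at least outside the document root and read-only to the web user), since an attacker who can edit files can also edit a baseline stored beside them; regenerate it only after a deliberate update. The log filter is a starting point: a request for PHP under uploads that returned 200 means the execution block is not working and deserves an immediate look.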