
WordPress Penetration Testing: Plugin CVEs, REST API & Enterprise CMS Security

WordPress powers 43% of all websites — including thousands of small businesses, WooCommerce stores, and editorial blogs. WordPress vulnerabilities concentrate in plugins (1,500+ CVEs/year per WPScan) and the REST API. CVE-2024-1827 (Elementor), CVE-2023-5561 (REST API user enumeration) and CVE-2023-1862 (jQuery XSS) are recent examples. Matproof Sentinel runs targeted WordPress pentests with audit-ready GDPR/DORA reports from €149.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

Why WordPress requires special pentest attention

WordPress is the world's most popular CMS, but also the most attacked: Sucuri reports that 43% of hacked sites in 2024 were WordPress, with the majority of breaches caused by outdated plugins. WPScan has cataloged over 5,000 CVEs in WordPress plugins in 2023-2024 alone. CVE-2024-1827 (Elementor < 3.16.4) enables stored XSS exploitable for session hijacking. Beyond CVEs, WordPress installations expose legacy surfaces: XML-RPC, enabled by default, allows DDoS amplification and brute-force; wp-config.php is readable if the web server is misconfigured; and wp-admin without IP restriction is hammered by botnets (50,000+ login attempts/day on a typical site).

  • CVE-2024-1827 (Elementor < 3.16.4): stored XSS exploitable for session hijacking — Elementor is installed on 5+ million WordPress sites.
  • CVE-2023-5561 (WordPress core < 6.3.2): user enumeration via REST API even with authentication required — facilitates brute-force preparation.
  • CVE-2023-1862 (jQuery XSS via plugins): exploitable XSS in hundreds of plugins still using vulnerable jQuery.
  • 5,000+ WordPress plugin CVEs documented by WPScan in 2023-2024 — outdated plugins are the root cause of most hacked sites.
  • XML-RPC enabled by default: allows DDoS amplification (pingback method) and brute-force with bypass of standard wp-login.php rate limiting.
  • REST API exposed: user enumeration (/wp-json/wp/v2/users), private posts leaking through misconfigured visibility, exposed metadata.
  • WooCommerce + e-commerce: additional attack surface — payment processing, customer PII, REST API for inventory, payment plugins with CVEs.

What we specifically test in a WordPress installation

  • Plugin audit: enumeration of all installed plugins (even inactive), cross-reference with WPScan vulnerability database (5,000+ CVE), priority on plugins with > 100k installs.
  • WordPress core: version detection (even if hidden), check applicable CVEs (e.g., CVE-2023-5561), audit of custom themes/child themes.
  • REST API: enumeration of /wp-json/ endpoints, user enumeration via /wp-json/wp/v2/users, exposed sensitive data, proper authentication on restricted endpoints.
  • XML-RPC: verification of enablement (default ON in many installs), test of pingback DDoS amplification, brute-force via system.multicall.
  • Authentication: wp-login.php with rate limiting (Wordfence, Limit Login Attempts), 2FA, wp-admin with HTTPS + IP whitelist if possible.
  • wp-config.php / file system: protection of wp-config.php and .env, file upload directory without PHP execution, backup files (.bak, .old) not exposed.
  • Database security: non-default table prefix (instead of wp_), DB user with minimum privileges, connection over TLS.
  • WooCommerce / e-commerce specifics: payment gateway plugin audit, PCI-DSS scope (for stores with > 1k transactions/year), customer data export endpoints.
  • SEO plugins (Yoast, RankMath): admin panel exposure, XML sitemap leaking private posts, REST API endpoints with auth bypass.
  • Backup plugins: UpdraftPlus, BackupBuddy, WP All-in-One Migration — backup files publicly exposed via URL prediction.
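The XML-RPC and REST API checks above (pingback amplification, system.multicall brute-force, /wp-json/wp/v2/users enumeration) have a direct defensive counterpart. The following must-use plugin is an added example, not Matproof's code or a snippet from the page; it assumes a standard WordPress install where the file is placed in wp-content/mu-plugins/ and that no client (Jetpack, mobile app) still depends on XML-RPC.

```php
<?php
/**
 * Plugin Name: Attack-surface hardening (added example, not part of the original page)
 *
 * Placed in wp-content/mu-plugins/ so it loads before regular plugins.
 * Closes three surfaces named in the audit list: XML-RPC pingback/multicall,
 * anonymous REST user enumeration, and ?author=N enumeration on the front end.
 */

// 1. XML-RPC: switch the endpoint off entirely. Assumption: no client needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Belt and braces: if another plugin re-enables XML-RPC, still remove the
// pingback methods (DDoS amplification) and system.multicall (hundreds of
// login attempts in a single request, which sidesteps per-request rate limits).
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 2. REST API: hide the users collection from anonymous callers only.
//    Logged-in users with list_users keep it, so the block editor's author
//    selector keeps working. /wp/v2/users/me is left alone on purpose.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() && current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );

// 3. Front-end enumeration: WordPress redirects /?author=1 to /author/<login>/,
//    which reveals the login name. Send anonymous requests home instead.
add_action( 'template_redirect', function (): void {
    if ( is_user_logged_in() ) {
        return;
    }
    $author = $_GET['author'] ?? null;
    if ( is_string( $author ) && ctype_digit( $author ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 ); // priority 1: run before redirect_canonical() performs the author redirect
```

After activating it, the checks in the list above should come back clean: a POST to /xmlrpc.php returns the "XML-RPC services are disabled" fault, an anonymous GET to /wp-json/wp/v2/users returns a 404 rest_no_route error, and /?author=1 redirects to the home page rather than to an author archive.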

Sample finding

High

Elementor < 3.16.4 plugin with exploitable stored XSS (CVE-2024-1827)

The WordPress installation uses Elementor 3.15.2, affected by CVE-2024-1827. The vulnerability allows a user with Contributor role or higher to insert stored XSS into Elementor widgets that are rendered in another user's admin panel. The test demonstrated: (1) creating a Contributor user; (2) inserting XSS payload in Elementor widget; (3) when an Administrator accesses the panel, the XSS executes and steals the wordpress_logged_in_* cookie; (4) complete Administrator account takeover.

Fix: Immediate action (priority 1): update Elementor to ≥ 3.16.4 (patched version). Temporarily disable open user registration if the patch cannot be applied immediately. Complementary actions: complete plugin audit with WPScan CLI; enable 2FA for all users with Editor+ role (Wordfence Login Security plugin); restrict wp-admin to an IP whitelist (.htaccess or Cloudflare WAF rule); configure auto-updates for security plugins; log monitoring for anomalous user activity (WP Activity Log).

Reference: CVE-2024-1827 (CVSS 5.4) · WPScan ID 5d80e0e4-2873-4dd1-8b6b-2d7e0e3e6e4f · CWE-79 · OWASP A03:2021

WordPress pentest options compared

| Feature | Free scan | Matproof Sentinel | Traditional consultancy |
| --- | --- | --- | --- |
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | | ✓ Automated | ✓ Manual |

WordPress pentest packages

Single Run
€149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)
Starter (recommended)
€299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support
Growth
€799 / month
  • Unlimited scans + domains
  • Authenticated / White-Box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about WordPress pentest

How many WordPress plugin CVEs do you check?

We cross-reference the site's plugin inventory against the complete WPScan database: 5,000+ CVEs cataloged for WordPress core, themes, and plugins. Priority goes to plugins with > 100k installs and to CVEs rated CVSS ≥ 7.0. Inactive plugins are also tested.
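The cross-referencing and prioritisation described here (and in the plugin-audit bullet earlier on the page) can be reproduced offline once you have a plugin inventory and a vulnerability feed. The script below is an added example, not Matproof's scanner: the inventory, the install counts and the "example-forms" plugin with its CVE-0000-000x identifiers are constructed placeholders; the Elementor entry uses the CVE-2024-1827 data cited on this page. It requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Matproof's code): triage a plugin inventory against a
// vulnerability feed the way the plugin audit prioritises findings.

/** Advisory feed, one record per CVE with the first fixed version. Constructed sample. */
const VULN_FEED = [
    ['slug' => 'elementor',     'fixed_in' => '3.16.4', 'cve' => 'CVE-2024-1827',                'cvss' => 5.4, 'title' => 'Stored XSS via widgets'],
    ['slug' => 'example-forms', 'fixed_in' => '2.1.0',  'cve' => 'CVE-0000-0000 (placeholder)', 'cvss' => 8.8, 'title' => 'Unauthenticated file upload'],
    ['slug' => 'example-forms', 'fixed_in' => '1.9.0',  'cve' => 'CVE-0000-0001 (placeholder)', 'cvss' => 4.3, 'title' => 'Reflected XSS'],
];

/** Installed plugins, active or not. Constructed sample; install counts are placeholders. */
const INVENTORY = [
    ['slug' => 'elementor',     'version' => '3.15.2', 'active' => true,  'installs' => 5_000_000],
    ['slug' => 'example-forms', 'version' => '2.0.3',  'active' => false, 'installs' => 300_000],
    ['slug' => 'hello-dolly',   'version' => '1.7.2',  'active' => false, 'installs' => 1_000_000],
];

/**
 * Every (plugin, advisory) pair where the installed version predates the fix.
 * Inactive plugins are included on purpose: their PHP files are still
 * reachable by URL, so "inactive" is not "unexploitable".
 */
function match_vulns(array $inventory, array $feed): array
{
    $hits = [];
    foreach ($inventory as $plugin) {
        foreach ($feed as $vuln) {
            if ($vuln['slug'] !== $plugin['slug']) {
                continue;
            }
            // version_compare() understands 3.15.2 < 3.16.4 (string compare would not)
            if (version_compare($plugin['version'], $vuln['fixed_in'], '<')) {
                $hits[] = $plugin + $vuln; // array union: plugin keys win, advisory keys are added
            }
        }
    }
    return $hits;
}

/** P1 = severe and widely installed, P2 = one of the two, P3 = neither. */
function priority(array $hit): int
{
    $severe  = $hit['cvss'] >= 7.0;
    $popular = $hit['installs'] > 100_000;
    return match (true) {
        $severe && $popular => 1,
        $severe || $popular => 2,
        default             => 3,
    };
}

/** Matched findings ordered by priority, then by CVSS descending. */
function triage(array $inventory, array $feed): array
{
    $hits = match_vulns($inventory, $feed);
    usort($hits, fn(array $a, array $b): int =>
        [priority($a), $b['cvss']] <=> [priority($b), $a['cvss']]);
    return $hits;
}

foreach (triage(INVENTORY, VULN_FEED) as $hit) {
    printf(
        "P%d  %-14s %-7s (fix in %-7s) CVSS %.1f  %-32s %s%s\n",
        priority($hit),
        $hit['slug'],
        $hit['version'],
        $hit['fixed_in'],
        $hit['cvss'],
        $hit['cve'],
        $hit['title'],
        $hit['active'] ? '' : '  [inactive]'
    );
}
```

With the constructed data, example-forms 2.0.3 is older than the 2.1.0 fix and comes out as P1 (CVSS 8.8, 300k installs) even though it is inactive, Elementor 3.15.2 is P2 (widely installed, but CVSS 5.4), and the 1.9.0 advisory does not match because the installed version is already newer. Replacing the two constants with a real inventory export and a real feed is the only change needed.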

Do you also test WooCommerce specifically?

Yes. WooCommerce has its own attack surface: REST API endpoints (/wp-json/wc/v3/*), payment gateway plugins, customer data export, and the checkout flow (tested for IDOR). For PCI-DSS scoped stores (> 1k transactions/year), a WooCommerce pentest is a required element of the annual audit.

What do you test for multisite (WordPress Network) installations?

Multisite has specific risks: super admin with cross-network access, network-level plugins inheriting vulnerabilities across all sites, shared file system. We test: cross-site privilege escalation, file path traversal between sites, network-wide plugin CVEs.

Can we integrate the pentest in an editorial publishing workflow?

Yes. For editorial workflows, we propose: a monthly scan after deployment, an immediate alert if a new high/critical CVE is discovered in an installed plugin, and an automated audit log of user activity.

Can the pentest cause downtime to our WordPress site in production?

Minimal risk. The automated scan is semi-intrusive (no actual DoS, no destructive testing). For high-traffic sites (> 1M visits/month), we test against a staging environment. For Critical findings whose remediation itself carries risk, we provide a step-by-step plan.

Do you also audit custom themes / child themes?

Yes. Custom themes are often a vulnerability source: SQL injection in template files, IDOR in theme options, XSS via custom shortcodes. We test all .php files of the active theme for: unsanitized input, eval()/system()/exec() usage, SQL queries with concatenation, file inclusion patterns.
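The patterns this answer lists (unsanitized input, SQL built by concatenation, unescaped output, user-controlled file inclusion) usually show up in a theme's functions.php as shortcodes and template helpers. The following is an added example, not code from the page or from any real theme: a custom shortcode in the vulnerable shape the audit flags, followed by its hardened form. The table name product_notes and the shortcode name are constructed.

```php
<?php
/**
 * Added example (not from the page): a theme shortcode in its vulnerable
 * and hardened forms. Table "product_notes" and shortcode "product_note"
 * are constructed placeholders.
 */

// ---- Vulnerable pattern (what the theme audit flags) ----------------------
// Usage: [product_note id=42]
function vuln_product_note_shortcode( $atts ) {
    global $wpdb;
    $id  = $atts['id'];                                                                 // unsanitized input
    $row = $wpdb->get_row( "SELECT note FROM {$wpdb->prefix}product_notes WHERE id = $id" ); // SQL by concatenation
    return '<div class="note">' . $row->note . '</div>';                               // unescaped output (stored XSS)
}

// ---- Hardened version ------------------------------------------------------
function safe_product_note_shortcode( $atts ) {
    global $wpdb;

    // shortcode_atts() whitelists attributes and supplies defaults; absint()
    // forces the id to a non-negative integer, so only digits ever reach SQL.
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'product_note' );
    $id   = absint( $atts['id'] );
    if ( 0 === $id ) {
        return '';
    }

    // $wpdb->prepare() parameterises the value. The table name is built from
    // the configured prefix, never from user input.
    $table = $wpdb->prefix . 'product_notes';
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT note FROM {$table} WHERE id = %d", $id )
    );
    if ( null === $row ) {
        return '';
    }

    // Escape on output. If the note must keep limited HTML, use wp_kses_post()
    // instead of esc_html(); never return the stored string as-is.
    return '<div class="note">' . esc_html( $row->note ) . '</div>';
}
add_shortcode( 'product_note', 'safe_product_note_shortcode' );

// ---- File inclusion --------------------------------------------------------
// Vulnerable shape the audit greps for:
//   include( get_template_directory() . '/parts/' . $_GET['part'] . '.php' );
// Hardened: only names from a fixed allow-list ever touch the filesystem.
function safe_render_part( string $requested ): void {
    $allowed = array( 'header', 'footer', 'sidebar' );
    if ( in_array( $requested, $allowed, true ) ) {
        get_template_part( 'parts/' . $requested );
    }
}
```

The hardened shortcode is what a clean audit expects to see on every input path: a whitelist at the boundary (shortcode_atts, absint, in_array with strict comparison), a prepared statement for the database, and an escaping function chosen for the output context. A review of the active theme's .php files for get_row/get_results/query calls without a matching prepare(), and for echo/return of $_GET, $_POST or database fields without esc_* or wp_kses, reproduces most of the checks this answer describes.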

How long does a complete WordPress pentest take?

Automated scan: 45-60 minutes for a typical WordPress installation (50-200 plugins). For complex installations (multisite with 50+ sites, custom plugins): 2-3 hours. Audit-ready report within 24 hours.

Is the report accepted for GDPR audits?

Yes. The technical report provides evidence of the "adequate technical measures" required by GDPR Art. 32. For data protection authority inspections, it demonstrates regular testing and remediation tracking, which is a mitigating element for fines in the event of a data breach.

Protect your WordPress site now

First scan in 3 minutes, complete WordPress pentest in 45-60 minutes including audit of 5,000+ plugin CVEs. Audit-ready GDPR/DORA report from €149.
