WordPress plugin and theme vulnerabilities: 3 tests that reveal your attack surface
70% of hacked WordPress sites are compromised through an outdated plugin. Orilyt scans the HTML, identifies every installed plugin and theme, then cross-references versions with the WPScan vulnerability database.
- Test #47 detects installed plugins by scanning /wp-content/plugins/ paths in the HTML, and extracts version numbers from ?ver= parameters on asset URLs
- Test #46 identifies the active theme by analysing /wp-content/themes/ paths — an outdated or pirated theme is a common attack vector
- Test #15 cross-references detected versions with the WPScan vulnerability database: known CVEs, CVSS scores, patched versions — it's the most alarming finding for a client
WordPress powers over 40% of the web. That popularity makes it the number one target for attackers. And the weak link is almost never WordPress core itself — it's the plugins. According to Patchstack and WPScan data, roughly 70% of compromised WordPress sites are hacked through a vulnerability in an outdated plugin or theme.
The problem is that most site owners don't even know which plugins are visible from the outside. Every plugin leaves traces in the HTML source: paths to /wp-content/plugins/, CSS and JavaScript files with version parameters. For an attacker, it's a roadmap.
Orilyt runs three complementary tests to map this attack surface. Test #47 detects exposed plugins and their versions. Test #46 identifies the active theme. Test #15 cross-references this information with the WPScan vulnerability database to reveal known CVEs. Together, they turn a technical check into an immediate business argument.
Test #47: Which plugins are visible from outside?
Test #47 analyses the page's HTML source to detect installed WordPress plugins. It doesn't connect to the back-office — it simply looks at what's publicly visible. The method:
- Path scanning — every occurrence of /wp-content/plugins/{slug}/ in the HTML is extracted. The slug (the plugin's unique identifier) is collected and deduplicated. Example: if the HTML contains /wp-content/plugins/contact-form-7/css/styles.css, the "contact-form-7" plugin is identified
- Version extraction — WordPress asset URLs often include a ?ver=X.Y.Z parameter. Test #47 parses these parameters for each detected plugin. Example: /wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.18.2 reveals that Elementor version 3.18.2 is installed
- Counting and scoring — the number of detected plugins and exposed versions determines the score. 8+ plugins with 3+ exposed versions = score 40/100. 4+ plugins or 2+ versions = score 55. Few plugins without versions = score 75
The test stores up to 25 plugins and their versions in the report's raw data. For each plugin, up to 3 evidence items (found paths) are included. It's a complete snapshot of the extension-side attack surface.
Test #46: Which theme is exposed?
Test #46 uses the same HTML scanning logic, but targets /wp-content/themes/ paths:
- Active theme detection — every occurrence of /wp-content/themes/{slug}/ in the HTML is extracted. The most frequent theme is considered the active one (a child theme may coexist with its parent theme)
- Simple scoring — if a theme is detectable, the score is 80/100. If no theme is visible (rare), the score is 100. Exposing the theme name isn't a vulnerability by itself, but it opens the door
Why does the theme matter? WordPress themes execute server-side PHP code. A "nulled" (pirated) theme almost always contains backdoors. A theme abandoned by its developer will never receive security patches. And unlike plugins, the theme is loaded on every single page — the exposure surface is maximal.
Test #46 also provides the list of candidate themes and associated evidence, making it possible to identify the presence of a parent theme (like "flavor") and a child theme (like "flavor-child").
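As an added illustration of the detection logic described for Tests #47 and #46 (example code written for this page, not Orilyt's implementation): it scans a constructed HTML snippet for /wp-content/plugins/ and /wp-content/themes/ paths, records each plugin slug with its exposed ?ver= values and up to three evidence URLs, takes the most frequently referenced theme as the active one, and applies the scoring thresholds stated in the text. The sample HTML, the theme names and the function names are assumptions made here.

```python
import re
from collections import Counter

# Constructed sample HTML (not from the page or from Orilyt): three plugins, two of
# them with exposed ?ver= values, and a parent/child theme pair.
SAMPLE_HTML = """
<link href="https://shop.example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4">
<script src="https://shop.example/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.18.2"></script>
<script src="https://shop.example/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.18.2"></script>
<link href="/wp-content/plugins/woocommerce/assets/css/woocommerce.css">
<link href="/wp-content/themes/flavor/style.css?ver=6.4.2">
<link href="/wp-content/themes/flavor-child/style.css">
<img src="/wp-content/themes/flavor/assets/img/logo.png">
"""

# One pattern for both tests: kind, slug, then the rest of the URL (query string included).
ASSET_RE = re.compile(r'/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^\s"\'<>]*')
VER_RE = re.compile(r'[?&]ver=([0-9][0-9A-Za-z.-]*)')

def scan_assets(html, max_evidence=3):
    """Test #47/#46 detection: plugin slugs, exposed versions, evidence URLs, theme hits."""
    plugins, theme_hits = {}, Counter()
    for m in ASSET_RE.finditer(html):
        kind, slug, url = m.group(1), m.group(2).lower(), m.group(0)
        if kind == "themes":
            theme_hits[slug] += 1
            continue
        entry = plugins.setdefault(slug, {"versions": set(), "evidence": []})
        ver = VER_RE.search(url)
        if ver:
            entry["versions"].add(ver.group(1))
        if url not in entry["evidence"] and len(entry["evidence"]) < max_evidence:
            entry["evidence"].append(url)
    return plugins, theme_hits

def plugin_score(plugins):
    """Test #47 thresholds as stated in the text (a lower score means a larger surface)."""
    n_plugins = len(plugins)
    n_versioned = sum(1 for p in plugins.values() if p["versions"])
    if n_plugins >= 8 and n_versioned >= 3:
        return 40
    if n_plugins >= 4 or n_versioned >= 2:
        return 55
    return 75

def theme_result(theme_hits):
    """Test #46: the most referenced theme slug is taken as the active one."""
    if not theme_hits:
        return None, 100
    return theme_hits.most_common(1)[0][0], 80
```

On the sample, the three plugins with two exposed versions land in the 55 band, and "flavor" is reported as the active theme with "flavor-child" left as a candidate.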
Test #15: Known vulnerabilities in your versions?
This is the test that turns simple detection into an alarm signal. Test #15 uses the WPScan database — the global reference for WordPress vulnerabilities — to cross-reference detected versions with known flaws:
- WordPress core version — if the WordPress version is detectable (via the meta generator tag or other clues), it's sent to the WPScan API. The response includes all known CVEs for that version, with CVSS scores and the patched version
- Vulnerability-based scoring — no known CVEs = score 100. 1 to 3 vulnerabilities = score 60 (needs improvement). More than 3 vulnerabilities = score 30 (critical). If the version isn't detectable, the score rises to 90 (good masking practice)
- Flaw details — the report displays up to 8 vulnerabilities with the title, CVE number, CVSS score and the version that fixes the issue. It's concrete, verifiable, and impossible for a client to ignore
The power of this test comes from the combination with tests #47 and #46. A client who sees "Elementor 3.18.2 detected" might not worry. But if they also see "2 critical CVEs known for this version, fixed in 3.19.0", the urgency is immediate.
Concrete risks: why this is urgent
Vulnerable plugins and themes are not a theoretical risk. Here are the most common scenarios:
- Abandoned plugins — a plugin that hasn't been updated in 2+ years will probably never receive a patch. If a flaw is discovered, it stays open indefinitely. The site is a permanent target
- Outdated versions with CVEs — a specific plugin version with a published CVE is an invitation for automated scripts. Bots continuously scan the web looking for these exact version+plugin signatures
- Nulled (pirated) themes — premium themes downloaded for free from third-party sites almost systematically contain backdoors. The site is compromised from installation
- Plugin accumulation — every active plugin increases the attack surface. A site with 30 plugins has 30 potential entry points. The rule: install only what's strictly necessary
How to protect yourself: best practices
The good news: protection against plugin vulnerabilities is largely a matter of discipline, not budget:
- Regular updates — enable automatic updates for plugins and themes (WordPress has supported this natively since version 5.5). Check manually each week for major updates
- Minimalism — deactivate and delete every unused plugin. A deactivated but present plugin can still be exploited. Aim for fewer than 15 active plugins
- Official sources only — never install a theme or plugin from an unverified third-party site. WordPress.org and official marketplaces (ThemeForest, Elegant Themes) enforce security checks
- Continuous monitoring — a one-time audit is a good start, but ongoing vigilance is essential. New CVEs are published every week. Orilyt lets you re-run audits regularly to detect drift
For freelancers and agencies managing client sites, these practices aren't just recommendations — they're a professional obligation. A client site compromised through an outdated plugin you should have updated is your responsibility.
Business value: the most compelling finding
Of all Orilyt tests, vulnerable plugin detection is probably the finding that generates the most conversions for freelancers and agencies. The reason is simple: it's concrete, it's scary, and it's verifiable.
In the Orilyt report, the three tests generate immediate FIA (Fact-Impact-Action) recommendations:
- Fact: "12 plugins detected, 4 with exposed versions. 2 critical CVEs identified via WPScan for Elementor 3.18.2"
- Impact: "An attacker can target these exact versions with public exploits. The risk of compromise is high and immediate"
- Action: "Update Elementor to 3.19.0+, deactivate unused plugins, hide version numbers in the source code"
When a client sees the list of their vulnerable plugins with associated CVEs, the conversation instantly shifts from "do I need an audit?" to "when can you start the fixes?". It's the most powerful selling point of a WordPress security audit.
Your WordPress attack surface, mapped in 2 minutes
Plugins are WordPress's greatest strength — and its biggest weakness. They extend functionality, but each one adds third-party code that must be maintained and monitored. Orilyt's tests #47, #46 and #15 automate this monitoring work.
Test #47 reveals which plugins are visible and which versions are exposed. Test #46 identifies the active theme. Test #15 cross-references everything with the WPScan database to identify known vulnerabilities. Together, they provide a complete map of the attack surface.
For a freelancer or agency, this triptych is the most effective tool to demonstrate the value of a security audit. The results are concrete, verifiable and create the urgency needed to trigger a remediation engagement.