Vulnerability types with WordPress plugins

Some plugins in the WordPress CMS are vulnerable and allow unauthorised activity in your hosting account, such as spam and unauthorised access. We have a list of such known plugins in another article. Have a look at those plugins too and remove them if you have them: such plugins need to be Deactivated and Deleted from your WordPress account.

Below is a list of vulnerabilities in the plugins:

1. Arbitrary file viewing
This allows the attacker to view files in your account, including those with sensitive information such as wp-config.php.

2. Arbitrary file upload
This allows the upload of files that can be executed to do almost anything on the account, ranging from spamming, to redirecting the site, to running a resource-intensive program, e.g. cnrig, among other things.

3. Privilege escalation
Here, an attacker is able to create an account in your dashboard. The attacker can then escalate the privileges of that account, say from subscriber to administrator.

4. SQL injection
By not escaping and filtering data that goes into SQL queries, malicious code can be injected into the queries, and data can be deleted, updated or inserted in the database. This is one of the most common vulnerabilities.

5. Remote code execution (RCE)
Instead of uploading and running malicious code, the attacker can run it from a remote location. The code can do anything, from hijacking the site to completely deleting it.
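As an added example (not from this article or from any particular plugin), here is what the SQL injection item above looks like in plugin code: an AJAX handler that pastes a request value into a query, beside the same handler written with the WordPress $wpdb->prepare() API. The function names, hook name and table name are hypothetical.

```php
<?php
// Added example, not from the article. "my_plugin_lookup" and the table
// "{$wpdb->prefix}my_plugin_items" are hypothetical names.

// VULNERABLE: the raw request value becomes part of the SQL text, so whatever
// SQL the request contains runs against the database with the site's
// credentials (read, update or delete, as the article describes).
function my_plugin_lookup_vulnerable() {
    global $wpdb;
    $item = $_GET['item'];
    $sql  = "SELECT * FROM {$wpdb->prefix}my_plugin_items WHERE id = $item";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED: check the caller's capability, coerce the id to an integer, and let
// $wpdb->prepare() bind the value through a typed placeholder instead of
// string concatenation. Non-numeric input is reduced to 0 by absint().
function my_plugin_lookup_safe() {
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $item = absint( $_GET['item'] ?? 0 );
    $sql  = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}my_plugin_items WHERE id = %d",
        $item
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is registered.
add_action( 'wp_ajax_my_plugin_lookup', 'my_plugin_lookup_safe' );
```

When reviewing a plugin, search its code for $wpdb calls that build queries with string interpolation or concatenation of request data; those are the spots this item refers to.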
