What are common WordPress vulnerabilities?
The most common WordPress vulnerabilities include SQL injection and XSS in plugins, exposed wp-config.php files containing database credentials, directory listing enabled on uploads and plugins folders, XML-RPC brute force attacks, user enumeration through the REST API and author archives, outdated plugins with known CVEs, weak admin passwords, file upload vulnerabilities in media handlers, and cross-site request forgery in plugin settings pages. The WordPress REST API can also expose sensitive site information if not properly restricted. UNPWNED checks for all of these vulnerability categories in a single comprehensive scan.
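As an added example (not code from this page or from UNPWNED), the following must-use plugin closes three of the surfaces listed above from the WordPress side: the XML-RPC endpoint, anonymous user listing through the REST API, and login-name disclosure through the `?author=N` redirect. The file name, plugin header and the `list_users` capability check are assumptions; web-server concerns such as directory listing and wp-config.php access are handled in the server configuration, not here.

```php
<?php
/**
 * Plugin Name: Harden Enumeration Surface (hypothetical example)
 * Place in wp-content/mu-plugins/ so it loads on every request
 * without needing activation.
 */

// 1. XML-RPC: disable the endpoint entirely so it cannot be used
//    for password brute-force attempts.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. REST API user enumeration: remove the /wp/v2/users routes for
//    anyone who lacks the list_users capability (assumed policy).
//    Logged-in editors and admins keep the routes for wp-admin screens.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. Author archive enumeration: by default ?author=N redirects to
//    /author/<login>/, which reveals the login name for each user id.
//    Send such requests to the home page instead of the author archive.
add_action( 'init', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );
```

After deploying, confirm the change by requesting `/wp-json/wp/v2/users` and `/?author=1` from a logged-out browser: the first should return a 404-style REST error and the second should land on the home page.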
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.