Can Low Code-No Code and Security go together?

Nicole Sheinin

February 28, 2023

TL;DR:

  • What is a Low-Code, No-Code platform?
  • Understanding the difference between Low-Code and No-Code
  • WordPress as a case study
  • Takeaways: No-code does NOT mean no vulnerabilities.

Low-Code No-Code (LCNC) platforms provide a graphical user interface (GUI) that allows users to create custom applications without the need to write code. These popular platforms contain pre-built templates, components, plugins, and themes to expedite the development process and cut costs.

The concept of Low-Code, No-Code platforms has been around for decades. It began with the first high-level programming languages using visual interfaces and pre-built components.

LCNC platforms have become very popular among organizations and individuals for building marketing websites, business applications, blogs, simple websites, and more.

So, what’s the difference between Low-Code and No-Code?

Low-Code platforms are designed to strike a balance between traditional coding elements, such as control over the code, flexibility in making changes, and the simplicity of the user interface. The platforms provide users with broad functionality and pre-built functions. They allow them to make edits and modifications as well as to add custom code. One of the most popular and famous Low-Code examples is WordPress.

No-Code platforms, on the contrary, are very simple and allow non-technical users to build applications without the need to write any code whatsoever. They have intuitive user interfaces and emphasize their user-friendliness. One of their disadvantages is that they do not offer much flexibility with custom code. Some popular No-Code platforms are Shopify, Mailchimp, Notion, and more.

Just as every coin has two sides, Low-Code, No-Code platforms have their pros and cons.

Their main pro is that they allow users to build applications in a short time and at low cost. Their main con is on the programming side: limited flexibility and few customization options.

However, one critical downside of these platforms is security. The platforms introduce security vulnerabilities that could pose a critical risk for the organization and its customers.

Low-Code, No-Code != No vulnerabilities

It is important to remember that even though these platforms do not require advanced coding skills, the simplicity of these platforms leaves them vulnerable to security shortfalls. 

The main risk of LCNC platforms is that the software can have vulnerabilities in its pre-built functionalities, such as templates, plugins, and themes. Often the developers that create them favored usability over security, so common vulnerabilities such as cross-site scripting (XSS), injection, and remote code execution are rife.

WordPress: A Security Case Study

WordPress is one of the most popular LCNC platforms. According to W3Techs, it is used by 43% of all websites on the internet – to give a sense of perspective, that means there are nearly half a billion sites using WordPress at the time of writing.

WordPress, like most other software, is not entirely secure. WordPress vulnerabilities are discovered on a daily basis, either on the platform itself or in third-party plugins.  

Common vulnerabilities in plugins and themes typically arise from poor coding practices. The first step to mitigate this risk is to install only reputable plugins from trusted sources, and as few as the site actually needs. The second step is to implement WordPress best practices for developers.
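As an added illustration (not code from the article, nor from any real plugin), here is a guestbook shortcode written the way the article warns against, followed by the same feature rewritten with WordPress core APIs; the table name, nonce action names and text domain are assumptions:

```php
<?php
/*
Plugin Name: Example Guestbook (constructed illustration, not a real plugin)
*/

// BEFORE: the "usability first" pattern behind most plugin advisories.
// Request input goes straight into SQL and into the page.
function eg_guestbook_insecure( $atts ) {
    global $wpdb;
    $name = $_GET['name'];                                   // unsanitized input
    $wpdb->query( "INSERT INTO {$wpdb->prefix}eg_guestbook (name) VALUES ('$name')" ); // SQL injection
    return '<p>Thanks, ' . $name . '</p>';                   // reflected XSS
}

// AFTER: same feature, hardened with WordPress core APIs.
function eg_guestbook_secure( $atts ) {
    global $wpdb;
    // Accept writes only from a form that carried a valid nonce for this action.
    $nonce = isset( $_POST['eg_nonce'] ) ? sanitize_key( $_POST['eg_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'eg_sign' ) ) {
        return '<p>' . esc_html__( 'Invalid request.', 'eg' ) . '</p>';
    }
    // Strip the slashes WordPress adds, then reduce the value to plain text.
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    if ( '' === $name || strlen( $name ) > 64 ) {
        return '<p>' . esc_html__( 'Please enter a name.', 'eg' ) . '</p>';
    }
    // Parameterised insert: the value never becomes SQL syntax.
    $wpdb->insert( $wpdb->prefix . 'eg_guestbook', array( 'name' => $name ), array( '%s' ) );
    // Escape on output as well as on input.
    return '<p>' . sprintf( esc_html__( 'Thanks, %s', 'eg' ), esc_html( $name ) ) . '</p>';
}
add_shortcode( 'guestbook', 'eg_guestbook_secure' );

// Admin-only maintenance action: capability check plus nonce, so neither an
// unauthenticated visitor nor a low-privilege user can trigger it.
function eg_guestbook_clear() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'eg' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'eg_clear' );
    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}eg_guestbook" );
    wp_safe_redirect( admin_url( 'admin.php?page=eg' ) );
    exit;
}
add_action( 'admin_post_eg_clear', 'eg_guestbook_clear' );
```

The hardened version applies the three checks most plugin advisories turn out to be missing: a nonce on state-changing requests, a capability check on privileged actions, and sanitize-on-input plus escape-on-output around every value that reaches SQL or HTML.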

When a vulnerability is found and a fix is released, both are made public. Attackers scan the internet for low-hanging fruit in the form of unpatched sites, in order to exploit the now-known vulnerability with minimal effort.

Our research team often finds outdated WordPress instances; however, our mission is to secure the site and its users, in contrast to an attacker's nefarious goals. It is essential to keep WordPress installations, plugins, and themes up to date so the website is protected against known vulnerabilities.

As active members of the international cyber security community, OP Innovate’s researchers invest time hunting for vulnerabilities in open-source projects that are relied upon by a great number of users worldwide. The research team recently discovered four vulnerabilities in WordPress plugins. The team promptly reported the findings to the relevant software vendors and publicly disclosed them once patches were released. 

Recent WordPress plugin vulnerabilities found by the team:

Takeaways

  • Low-Code, No-Code platforms are very commonly used and make life easier for organizations, individuals, and developers who need to build and manage websites or platforms. 
  • Despite these advantages, there is one critical disadvantage that everyone should be aware of – No code does NOT mean no vulnerabilities.
  • Awareness of potential security risks and knowing how to mitigate them will protect your site/platform from becoming the next casualty of a cyber attack. 
