Attackers rarely target the WordPress core itself; instead, they focus on the "low-hanging fruit" of your installation:
Using "nulled" themes from unofficial sources, which are frequently pre-packaged with malicious code. How Professionals Assess WordPress Security Hacking WordPress
Unpatched or "nulled" (pirated) plugins often contain logic flaws or backdoors that allow Remote Code Execution (RCE) or SQL Injections . Attackers rarely target the WordPress core itself; instead,