Top 10 security vulnerabilities by OWASP

A1 Injection (PHP include, global variables, Sql Injection through Url)
A2 Broken authentication (To avoid broken authentication, do not leave the admin login page publicly accessible: rename /wp-admin/ on WordPress to something else, and rename /admin in Magento to something else)
A3 Sensitive data exposure (ARP spoofing leading to traffic sniffing and theft of HTTP or POP3 authentication passwords. Protect data in transit. Sensitive data: passwords, credit card numbers, credentials, social security numbers, health information, personal identity information)
A4 XML external entities (XXE vulnerability) (XML processor implementations that can read the contents of local files and reach other systems. The XML processor should have that capability switched off)
A5 Broken access control
A6 Security misconfiguration (default settings on production server)
A7 Cross-site Scripting (XSS) – (User input should be properly sanitized. Sanitization: remove unaccepted characters)
A8 Insecure deserialization – (When you keep a PHP serialize() object inside a text field in the DB, it can be silently replaced with a different one)
A9 Using components with known vulnerabilities (Running an out-of-date WordPress website. Not applying patches in time)
A10 Insufficient logging and monitoring (Lack of logging and monitoring)
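Two of the items above (A1, SQL injection through a URL parameter, and A8, a serialize()d object kept in a DB text field) are easiest to see side by side in code. The following is an added example, not code from the original post or from WordPress/Magento; it uses an in-memory SQLite database through PDO so it runs stand-alone, and the table layout, column names and the HMAC key are constructed for the demo.

```php
<?php
// Added example (not from the original post). Demonstrates A1 (SQL injection
// via ?id=...) and A8 (tampering with a serialize()d object stored in the DB).
// Table, column names and PREFS_KEY are constructed for this demo.
declare(strict_types=1);

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, prefs TEXT)');
    $pdo->exec("INSERT INTO users (id, name, prefs) VALUES (1, 'alice', '')");
    $pdo->exec("INSERT INTO users (id, name, prefs) VALUES (2, 'bob', '')");
    return $pdo;
}

// A1, vulnerable: the raw value of ?id=... becomes part of the SQL text, so
// an id of "1 OR 1=1" returns every row instead of one.
function findUserVulnerable(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT id, name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// A1, fixed: validate the shape of the input, then bind it as a parameter so
// it can never be parsed as SQL.
function findUser(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        return []; // reject anything that is not a plain decimal id
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A8: the prefs column holds a serialize()d value. Anyone who can write that
// column can swap it for another payload, and unserialize() will build
// whatever class the string names. Two defences: sign the blob with an HMAC
// so a silent edit is detected, and never instantiate classes from it.
const PREFS_KEY = 'constructed-demo-key-replace-with-a-real-secret'; // assumption

function savePrefs(PDO $pdo, int $userId, array $prefs): void
{
    $blob   = serialize($prefs);
    $signed = hash_hmac('sha256', $blob, PREFS_KEY) . ':' . base64_encode($blob);
    $stmt   = $pdo->prepare('UPDATE users SET prefs = :p WHERE id = :id');
    $stmt->execute([':p' => $signed, ':id' => $userId]);
}

function loadPrefs(PDO $pdo, int $userId): ?array
{
    $stmt = $pdo->prepare('SELECT prefs FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || strpos($stored, ':') === false) {
        return null; // nothing stored, or not in the signed format
    }
    [$mac, $b64] = explode(':', $stored, 2);
    $blob = base64_decode($b64, true);
    if ($blob === false || !hash_equals(hash_hmac('sha256', $blob, PREFS_KEY), $mac)) {
        return null; // tampered: the MAC does not match the stored payload
    }
    // allowed_classes => false turns any object in the payload into
    // __PHP_Incomplete_Class instead of constructing it.
    $data = unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

$pdo = setupDb();
printf("injectable query for '1 OR 1=1' returns %d rows\n", count(findUserVulnerable($pdo, '1 OR 1=1')));
printf("prepared query for '1 OR 1=1' returns %d rows\n", count(findUser($pdo, '1 OR 1=1')));

savePrefs($pdo, 1, ['theme' => 'dark']);
var_dump(loadPrefs($pdo, 1));
// Simulate the silent edit described in A8: overwrite the column with a
// different serialized payload that carries no valid signature.
$forged = 'deadbeef:' . base64_encode(serialize(['theme' => 'dark', 'is_admin' => true]));
$pdo->prepare('UPDATE users SET prefs = :p WHERE id = 1')->execute([':p' => $forged]);
var_dump(loadPrefs($pdo, 1));
```

Run with `php example.php`: the injectable query returns both users for the crafted id while the prepared one returns none, and after the column is overwritten loadPrefs() returns NULL instead of the planted array because the HMAC no longer matches. Signing the blob is what makes the swap visible; `allowed_classes => false` limits the damage even if a payload somehow passes the check.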
Also:
Cross-site request forgery (CSRF) (Protect your forms with csrf_token to prevents posting form from a different website)
Unvalidated redirects and forwards (Third parties can redirect users to malicious websites or routing rules can be altered to have user being redirected to malicious website)
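The two extra items, a per-session csrf_token for forms and validation of redirect targets against an allowlist, as an added example that is not part of the original post. The session is passed in as an array so the code runs stand-alone; in a real application it would be $_SESSION, and the allowed host names are constructed for the demo.

```php
<?php
// Added example (not from the original post): session-bound CSRF token for
// forms, plus an allowlist check for redirect targets. Session handling and
// host names are constructed for this demo.
declare(strict_types=1);

// --- CSRF ----------------------------------------------------------------

// Create (or reuse) the token for this session: 32 random bytes, hex-encoded.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a POSTed form. A form posted from another site cannot include the
// token because it never saw this session's value. hash_equals() compares in
// constant time, so the check does not leak how many leading bytes matched.
function csrfValid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// --- Redirects -----------------------------------------------------------

// Accept a relative path on this site or an absolute http(s) URL whose host is
// explicitly trusted; everything else falls back to a safe default.
function safeRedirectTarget(string $target, array $allowedHosts, string $fallback = '/'): string
{
    // "//evil.example" (and "/\evil.example" in some browsers) is a
    // scheme-relative URL pointing at another host, so require exactly one
    // leading slash followed by something other than / or \.
    if ($target !== '' && $target[0] === '/'
        && (strlen($target) === 1 || ($target[1] !== '/' && $target[1] !== '\\'))) {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['host'])) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback; // e.g. javascript: or data: schemes
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true) ? $target : $fallback;
}

$session = [];
echo csrfField($session), "\n";
var_dump(csrfValid($session, ['csrf_token' => $session['csrf_token']]));
var_dump(csrfValid($session, ['csrf_token' => 'forged']));
var_dump(csrfValid([], ['csrf_token' => 'anything']));

$allowed = ['shop.example'];
$targets = ['/account', '//evil.example/x', 'https://shop.example/cart', 'http://evil.example', 'javascript:void(0)'];
foreach ($targets as $t) {
    printf("%-28s -> %s\n", $t, safeRedirectTarget($t, $allowed));
}
```

Run with `php example.php`: only the token copied from the same session validates, and of the five redirect targets only `/account` and `https://shop.example/cart` survive; the scheme-relative, foreign-host and non-http targets all collapse to `/`. Keep the allowlist short and exact (no substring matching), since `shop.example.evil.example` would otherwise pass a naive "contains" check.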