What are the permissions set on those folders?
I use a lot of WordPress sites and never have those issues. I don't know if your host has permissions set differently. Because I have a server that's SUPHP and one is DSOHANLDER and I have to mess around with permissions to get things working right.
I googled your conundrum... take a look at this. Maybe you saw it maybe not.
https://hackertarget.com/xss-tutorial/