WordPress Vulnerabilities Overview
As the pie chart below shows, plugins are the biggest source of vulnerabilities in WordPress. At the time of writing, the WPScan Vulnerability Database lists 1,305 WordPress plugin vulnerabilities, which accounts for 54% of all recorded WordPress vulnerabilities. The remainder is split between 344 (14.3%) WordPress theme vulnerabilities and 758 (31.5%) WordPress core vulnerabilities.
Type of WordPress Vulnerabilities
The most common vulnerability types across WordPress core, plugins and themes are Cross-site Scripting (XSS) and SQL Injection. This is not surprising, considering that both classes have been listed in the OWASP Top 10 since its first edition.
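Since XSS and SQL injection dominate the counts above, here is what the two classes typically look like inside a plugin, as an added example written for this page (it is not code from the original post or from any plugin mentioned here). It assumes a hypothetical admin-ajax action named `example_search` that looks up posts by a user-supplied title fragment; the vulnerable handler is shown beside a hardened one that uses the standard WordPress APIs (`$wpdb->prepare()`, `esc_like()`, `esc_html()`, `sanitize_text_field()`, `check_ajax_referer()`).

```php
<?php
/*
 * Added illustration for this page; not code from the original post or from any real plugin.
 * Both handlers serve a hypothetical admin-ajax action "example_search" that looks up
 * posts whose title contains $_GET['term'] and echoes the matches back as HTML.
 */

// VULNERABLE: the two most common WordPress bug classes in one handler.
function example_search_vulnerable() {
    global $wpdb;

    // WordPress adds slashes to superglobals, so plugins commonly unslash them.
    // That is correct, but only if the value is then bound with prepare(); here it is not.
    $term = wp_unslash( $_GET['term'] );

    // SQL injection: $term is concatenated straight into the query string.
    // A term of   %' OR 1=1 --   (with a trailing space) returns every post, drafts included.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%" . $term . "%'"
    );

    // Reflected XSS: the raw term is echoed into the page unescaped.
    echo '<p>Results for ' . $term . '</p>';
    foreach ( $rows as $row ) {
        // Stored XSS if a post title was ever saved containing markup.
        echo '<li>' . $row->post_title . '</li>';
    }
    wp_die();
}

// HARDENED: same behaviour, with the input bound as a parameter and the output escaped.
function example_search_hardened() {
    global $wpdb;

    // Reject cross-site request forgeries and callers who should not be searching.
    check_ajax_referer( 'example_search' );
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';

    // prepare() binds the value as a string; esc_like() neutralises LIKE wildcards inside it,
    // so the user cannot widen the match with their own % or _ characters.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s",
            '%' . $wpdb->esc_like( $term ) . '%'
        )
    );

    // Escape at output time, in the context the value lands in (HTML text content).
    echo '<p>Results for ' . esc_html( $term ) . '</p>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    wp_die();
}

// Only the hardened handler is registered; the vulnerable one is kept for comparison.
add_action( 'wp_ajax_example_search', 'example_search_hardened' );
```

Two points worth checking in any plugin under review: every `$wpdb` query that includes a request value should go through `$wpdb->prepare()` with `%s`/`%d` placeholders (sanitising the input on the way in is not a substitute), and every value printed into a page should be escaped with the function matching its output context (`esc_html()`, `esc_attr()`, `esc_url()`, `wp_json_encode()`) at the point it is echoed, not earlier.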
Statistics of WordPress Core Vulnerabilities
The graph below highlights the ten WordPress core versions with the most recorded vulnerabilities. Versions 3.0 and 3.0.1 lead the pack with 15 vulnerabilities each; in second place, with 13 vulnerabilities each, are versions 3.5, 3.5.1 and 3.6.
Top 10 Most Vulnerable WordPress Plugins
Here are some worrying facts about the Top 10 most vulnerable WordPress plugins:
- 5 of them are commercial plugins
- These plugins were downloaded around 21 million times
- 1 of these plugins is a WordPress security plugin
Why are these facts worrying? I would not be surprised if a commercial plugin had a vulnerability; everyone makes mistakes, and as long as they are fixed promptly all is good. What is worrying is that commercial plugins appear in the top 10 most vulnerable WordPress plugins at all. I was also very surprised to see Wordfence, a WordPress security plugin, in the top 10 most vulnerable WordPress plugins with 9 vulnerabilities. Again, I am not saying such plugins should be bulletproof; neither it nor any other plugin ever will be. But I would expect a plugin written by security people to help WordPress users keep their sites secure to have fewer vulnerabilities, or at least not to appear in the top 10 list.
Top 10 Most Vulnerable WordPress Themes
The graph below highlights the ten WordPress themes with the most recorded vulnerabilities; even the top entry has only 3 vulnerabilities to its name.
Are These WordPress Vulnerabilities Statistics Accurate?
These statistics are based on the information stored in the WPScan Vulnerability Database, which, although it is frequently updated, is by no means complete. There are many other vulnerable WordPress plugins and themes that are not listed there, as well as vulnerabilities which have not yet been made public, so the absolute numbers are a lower bound. Still, the relative split gives a good overview of the state of WordPress vulnerabilities.