Nearly 30% of critical bugs in WordPress plugins do not receive a fix

Patchstack, a leader in WordPress security and threat intelligence, released a white paper to outline the state of WordPress security in 2021, and the report paints a dire picture.

Specifically, 2021 saw a 150% growth in reported vulnerabilities over the previous year, while 29% of critical WordPress plugin vulnerabilities never received a security update.

This is alarming given that WordPress is the most popular content management system in the world, used in 43.2% of all websites.

Of all the flaws reported in 2021, only 0.58% involved core WordPress, with the rest being on themes and plugins for the platform, from various sources and different developers.

Notably, 91.38% of these flaws are in free plugins, while paid/premium WordPress add-ons accounted for only 8.62% of the total, reflecting better code verification and testing procedures.

Critical issues

In 2021, Patchstack recorded five critical-severity vulnerabilities affecting 55 WordPress themes, the most impactful of which involved abuse of file upload features.

Critical Flaws That Affected WordPress Themes (Patchstack)

On the plugin side, 35 critical vulnerabilities were reported, two of which affected four million websites.

Two notable examples covered by Bleeping Computer last year are the “OptinMonster” plugin, which affected 1 million sites, and the “All in One SEO” plugin, which exposed 3 million websites to takeover attacks.

While the developers patched these vulnerabilities through security updates, nine plugins never received patches and have since been removed from plugin marketplaces for not fixing serious issues.

Plugins that never fixed their critical flaws (Patchstack)

Notably, this subset also suffered primarily from unauthenticated file download issues, followed by SQL injection and privilege escalation bugs.

Most Common Targets

Patchstack reports that cross-site scripting (XSS) was the most reported type of WordPress flaw in 2021, followed by “mixed”, cross-site request forgery, SQL injection, and arbitrary file download.

Types of WordPress vulnerabilities reported in 2021 (Patchstack)

In terms of the severity of the defects reported, 3.41% were critical, 17.94% were classified as high severity, and 76.76% were classified as medium, mainly because their exploitation required specific conditions.

Around 42% of WordPress sites had at least one vulnerable component in 2021, out of an average of 18 installed plugins. While this number is lower than the 23 plugins installed on sites in 2020, the problem remains because six of those 18 are outdated.

The most targeted outdated plugins in 2021 were OptinMonster, PublishPress Capabilities, Booster for WooCommerce, and Image Hover Effects Ultimate.

Most Targeted Outdated Plugins (Patchstack)

In summary, the Patchstack report highlights that WordPress site admins can manage most security risks by using paid plugins instead of free offerings, keeping the number of installed add-ons to a minimum, and upgrading them to the latest available version as soon as possible.

Esther L. Gunn