WordPress plugin and theme vulnerability statistics for 2017. The statistics are derived from our up-to-date WordPress Vulnerabilities Database; we monitor a large number of sources and add new vulnerabilities to the database daily.
The year in figures
We added 221 vulnerabilities to our database; the total number of vulnerabilities decreased by 69%. In 2017, as in 2016, Cross-Site Scripting (XSS) remained at the top of the list: more and more WordPress plugins and themes are found to be vulnerable to XSS, largely because many developers do not pay enough attention to escaping data on output.
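As an added illustration (not code from the original article or from any plugin it names), here is the output-escaping gap described above, shown as a minimal WordPress shortcode in its vulnerable and hardened forms; the shortcode name, the `label` attribute and the `s` query variable are hypothetical, while `esc_html()`, `esc_attr()`, `sanitize_text_field()`, `wp_unslash()`, `shortcode_atts()` and `add_shortcode()` are standard WordPress functions.

```php
<?php
/**
 * Added example (not from the original article). Shortcode name, attribute
 * and query variable are hypothetical; the escaping functions are WordPress core.
 */

// VULNERABLE: user-controlled values are concatenated straight into HTML.
// [search_box label="..."] renders the "s" query variable and the "label"
// attribute with no escaping, so a crafted URL or post content can inject
// markup and script into the page (reflected/stored XSS).
function sa_example_search_box_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'label' => 'Search' ), $atts, 'search_box' );
    $query = isset( $_GET['s'] ) ? $_GET['s'] : '';
    return '<label>' . $atts['label'] . '</label>'
         . '<input type="text" name="s" value="' . $query . '">';
}

// HARDENED: escape at the point of output, choosing the function for the
// HTML context. esc_html() for text nodes, esc_attr() for attribute values
// (esc_url() would be used for href/src). Input sanitization is a useful
// second layer, but output escaping is what prevents the injected markup
// from being interpreted by the browser.
function sa_example_search_box_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'label' => 'Search' ), $atts, 'search_box' );
    $query = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    return '<label>' . esc_html( $atts['label'] ) . '</label>'
         . '<input type="text" name="s" value="' . esc_attr( $query ) . '">';
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_shortcode( 'search_box', 'sa_example_search_box_hardened' );
```

A quick review check for plugin code is to grep for `echo`/`return` statements that concatenate `$_GET`, `$_POST`, `$_REQUEST`, shortcode attributes or database fields without an `esc_*()` wrapper around each value.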
Overall statistics for 2017
2017 also saw a substantial rise in SQL Injection vulnerabilities. It is surprising how many sites were put at risk by vulnerabilities found in WordPress plugins: the total number of active installs of the affected plugins is 17,101,300+.
- Total vulnerable plugins – 202
- Total vulnerable themes – 5
- Plugins affected by vulnerabilities in WordPress.org repository – 153
- Non-WordPress.org repository plugins affected by vulnerabilities – 24
WordPress top 3 vulnerabilities
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Broken Access Control
Plugins by vulnerability type
- XSS (Cross-Site Scripting) – 71
- SQL Injection – 40
- Unrestricted Access – 20
- Cross-Site Request Forgery (CSRF) – 12
- Multi – 10
- Information Disclosure – 10
- Arbitrary File Upload – 7
- BYPASS – 7
- Arbitrary File Download – 7
- PHP Object Injection – 5
- Remote File Inclusion – 3
- Local File Inclusion – 3
- Arbitrary Code Execution – 2
- Direct static code injection – 1
- Directory Traversal – 1
Top 5 most popular plugins affected by vulnerabilities in 2017
- Yoast SEO (most popular SEO plugin) – 5,000,000+ – XSS (Cross-site Scripting)
- WooCommerce (most popular ecommerce plugin) – 3,000,000+ – XSS (Cross-site Scripting)
- Smush Image Compression and Optimization – 1,000,000+ – Directory Traversal
- Duplicator – 1,000,000+ – XSS (Cross-site Scripting)
- Loginizer – 600,000+ – SQL Injection
Some interesting facts?
About the Author: Dominykas Gelucevičius
Security Researcher, Web Developer and Blogger. He is a technology enthusiast with a keen eye for cybersecurity and other tech-related developments.
(Security Affairs – WordPress plugins, statistics)