42% of WordPress sites have security issues

Patchstack, a security solution specialized in WordPress, has published its annual white paper on the vulnerability of sites running the CMS. It reviews the main security issues reported in 2022. The publisher relied on data from the Patchstack Alliance, its bug bounty platform that connects security researchers with plugin developers. The analysis also takes into account the 4 security releases WordPress published in 2022: 5.8.3, 5.9.2, 6.0.2 and 6.0.3.

Vulnerabilities on WordPress: the key figures to remember from 2022

For the year 2022, Patchstack draws the following lessons:

  • The vast majority of observed vulnerabilities come from plugins (93%),
  • The number of reported vulnerabilities in plugins has increased by 328% compared to 2021, a considerable increase in one year,
  • 6.7% of vulnerabilities come from WordPress themes,
  • Very few bugs are found in WordPress core itself (0.6%),
  • 26% of plugins with critical vulnerabilities have never received a patch,
  • 42% of WordPress sites have at least one vulnerable software component installed.

In its study, the publisher thus stresses the responsibility of the platform's users, whether they are website developers or plugin and theme creators.

If you are a WordPress website developer, pay attention to the plugins and themes you use in your sites. […] If you are a plugin or theme developer, pay attention to the libraries you use in your own projects and check if they receive any updates, especially security updates.

The most common types of vulnerabilities in WordPress

In its previous study covering the year 2021, Patchstack noted that nearly one in two vulnerabilities (49.82%) was of an XSS (Cross-site Scripting) nature: the injection of malicious script into websites.

In 2022, this share fell considerably (to 27.2%). Cross-site Request Forgery (CSRF) is now the most significant security threat (29.4%). As a reminder, CSRF is a flaw that tricks a user who is authenticated on a site into performing specific actions without their knowledge. This type of flaw represented only 11% of vulnerabilities in 2021. Patchstack partly attributes this increase to the problems identified in the Freemius platform.

CSRF security issues are generally easier to find and are therefore reported more often. Second, last year a CSRF flaw was discovered within the Freemius SDK, which affected a large number of plugins.

Popular plugins causing severe vulnerabilities in WordPress

Beyond the nature of the vulnerabilities, Patchstack also considers the severity of the security issues. To do so, the publisher assigns each one a CVSS (Common Vulnerability Scoring System) score ranging from 0 to 10:

  • from 0.1 to 3.9/10: low severity vulnerability,
  • from 4 to 6.9/10: medium severity vulnerability,
  • from 7 to 8.9/10: severe vulnerability,
  • from 9 to 10/10: critical vulnerability.

In 2022, 3% of security issues were of low severity, 84% medium, 11% severe and 2% critical. Moreover, among the popular plugins (> 1 million downloads), 5 of them had a severe vulnerability:

  • Elementor Website Builder: score of 8.8/10,
  • Essential Addons for Elementor: score of 8.6/10,
  • UpdraftPlus WordPress Backup: score of 8.5/10,
  • One Click Demo Import: score of 7.2/10,
  • MonsterInsights: score of 7.1/10.

[Figure: Severity level of WordPress vulnerabilities. The vast majority of vulnerabilities detected by Patchstack are of medium severity. © Patchstack]

Note that, in 2021, 2 popular extensions (All in One SEO and WP Fastest Cache) had a critical-level vulnerability.

Patchstack’s Warnings About WordPress CMS Security

The WordPress cybersecurity specialist notes some other takeaways. First, Patchstack emphasizes the danger of abandoned plugins. Even when these are removed from the WordPress plugin directory, they remain active on the sites that installed them. They are therefore particularly exposed to attacks and, since no update is available for them, give the user the false impression that they are up to date.

Software available in public repositories is sometimes not supported because it has been discontinued. This problem is exacerbated by the fact that website owners will see a misleading “no updates available” label for these insecure components. Many site owners are simply unaware that they are using insecure components.

On the other hand, Patchstack points to greater involvement of the ecosystem's actors in WordPress security. The publisher highlights in particular the work of WordPress hosting services in alerting their customers to vulnerabilities in their sites. For the year 2023, Patchstack is optimistic. According to the company, growth in the number of reported vulnerabilities does not mean that vulnerabilities themselves have increased, but rather that more of them have been found and addressed.

Access the full study