WordPress plugins and themes vulnerabilities statistics for 2017

Pierluigi Paganini January 23, 2018

WordPress plugins and themes vulnerabilities statistics for 2017. The statistics were derived from our up-to-date WordPress Vulnerabilities Database. We are monitoring a large number of sources to add new vulnerabilities to the database on a daily basis.

The year in figures

We added 221 vulnerabilities to our database. The total number of vulnerabilities decreased by 69%. During 2017, just like in 2016, Cross-Site Scripting (XSS) has been at the top of the list. More and more WordPress plugins and themes are found to contain Cross-Site Scripting (XSS) vulnerabilities. This is because many developers do not pay enough attention to escaping data on output.

Overall statistics for 2017

2017 has also seen a substantial rise in SQL Injection vulnerabilities. It’s surprising how many sites were put in danger by vulnerabilities found in WordPress plugins. The affected plugins have a total of 17,101,300+ active installs.
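The two defect classes that lead the statistics, unescaped output (XSS) and string-built queries (SQL injection), shown as a "before" and "after" inside a hypothetical plugin. This is example code added for this page, not code from the article or from any of the plugins it lists; it assumes WordPress is loaded so that core functions such as esc_html(), esc_attr(), sanitize_text_field(), wp_unslash() and $wpdb->prepare() are available, and the function names are made up.

```php
<?php
/*
 * Added example (not from the original article). Assumes WordPress is
 * loaded: esc_html, esc_attr, sanitize_text_field, wp_unslash and $wpdb
 * are core WordPress APIs; the example_* function names are hypothetical.
 */

// BEFORE: reflected XSS. The request parameter is echoed into the page
// unescaped, so whatever it contains becomes part of the HTML response.
function example_search_notice_vulnerable() {
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    echo '<p>Results for: ' . $term . '</p>';
    echo '<input type="text" name="s" value="' . $term . '">';
}

// AFTER: sanitize on input and escape on output, choosing the escaper by
// context: esc_html() for text nodes, esc_attr() for attribute values.
function example_search_notice_fixed() {
    $term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
    echo '<input type="text" name="s" value="' . esc_attr( $term ) . '">';
}

// BEFORE: SQL injection. The caller-supplied slug is concatenated straight
// into the SQL text, so quotes in it change the query structure.
function example_post_id_vulnerable( $slug ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE post_name = '" . $slug . "'";
    return $wpdb->get_var( $sql );
}

// AFTER: $wpdb->prepare() binds the value through the %s placeholder, so
// the data can never be parsed as part of the query.
function example_post_id_fixed( $slug ) {
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_name = %s", $slug )
    );
}
```

The same escaping rule applies to every sink: esc_url() for href/src values and wp_kses_post() where limited HTML must be allowed, each chosen by where the data lands in the page.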

  • Total vulnerable plugins – 202
  • Total vulnerable themes – 5
  • Plugins affected by vulnerabilities in WordPress.org repository – 153
  • Non-WordPress.org repository plugins affected by vulnerabilities – 24

WordPress plugins vulnerabilities-2017

WordPress top 3 vulnerabilities

  • Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • Broken Access Control

Plugins by vulnerability type

  • XSS (Cross-Site Scripting) – 71
  • SQL Injection – 40
  • Unrestricted Access – 20
  • Cross Site Request Forgery (CSRF) – 12
  • Multi – 10
  • Information Disclosure – 10
  • Arbitrary File Upload – 7
  • BYPASS – 7
  • Arbitrary File Download – 7
  • PHP Object Injection – 5
  • Remote File Inclusion – 3
  • Local File Inclusion – 3
  • Arbitrary Code Execution – 2
  • Direct static code injection – 1
  • Directory Traversal – 1

Top 5 most popular plugins affected by vulnerabilities in 2017

  • Yoast SEO (most popular SEO plugin) – 5,000,000+ – XSS (Cross-site Scripting)
  • WooCommerce (most popular ecommerce plugin) – 3,000,000+ – XSS (Cross-site Scripting)
  • Smush Image Compression and Optimization – 1,000,000+ – Directory Traversal
  • Duplicator – 1,000,000+ – XSS (Cross-site Scripting)
  • Loginizer – 600,000+ – SQL Injection

Some interesting facts?

About the Author: Dominykas Gelucevičius

Security Researcher, Web Developer and Blogger. He is a technology enthusiast with a keen eye for cybersecurity and other tech-related developments.


Pierluigi Paganini

(Security Affairs – WordPress plugins, statistics)
