WordPress plugin and theme vulnerability statistics for 2017. The statistics were derived from our up-to-date WordPress Vulnerabilities Database. We monitor a large number of sources and add new vulnerabilities to the database on a daily basis.
The year in figures
We added 221 vulnerabilities to our database. The total number of vulnerabilities decreased by 69%. During 2017, just like in 2016, Cross-Site Scripting (XSS) has been at the top of the list: more and more WordPress plugins and themes are found to be vulnerable to XSS. This is because many developers do not pay enough attention to escaping data on output.
Overall statistics for 2017
2017 has also seen a substantial rise in SQL Injection vulnerabilities. It is surprising how many sites were put in danger by vulnerabilities found in WordPress plugins: the affected plugins account for 17,101,300+ active installs in total.
Total vulnerable plugins – 202
Total vulnerable themes – 5
Plugins affected by vulnerabilities in WordPress.org repository – 153
Non-WordPress.org repository plugins affected by vulnerabilities – 24
WordPress top 3 vulnerabilities
Cross-Site Scripting (XSS)
SQL Injection (SQLi)
Broken Access Control
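The three leading categories above come down to three coding habits: escaping data at the point of output (XSS), binding query parameters instead of interpolating them (SQLi), and checking both a nonce and a capability before a privileged action (broken access control / CSRF). The following plugin fragment is an added example, not code from the article or from any plugin it names; the function names, the shortcode and the AJAX action are hypothetical, and it assumes it is loaded as a plugin inside WordPress, whose core APIs (esc_attr, $wpdb->prepare, check_ajax_referer, current_user_can) it calls. Each vulnerable handler is shown beside its hardened form.

```php
<?php
/*
Plugin Name: Escaping and Access-Control Example (added example, hypothetical plugin)
*/

// Assumes WordPress is loaded: esc_*(), $wpdb, nonce and capability helpers are WordPress core APIs.

// --- 1. XSS: escape on output, choosing the escaper for the HTML context ---

// Vulnerable: the "q" query parameter is echoed straight into the page.
function example_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<input type="text" name="q" value="' . $q . '">'; // attacker-controlled markup lands in the page
}

// Hardened: sanitize on input, then escape at the exact point of output.
function example_search_box_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<input type="text" name="q" value="' . esc_attr( $q ) . '">' // attribute context
         . '<p>Results for ' . esc_html( $q ) . '</p>';                   // text-node context
}
add_shortcode( 'example_search', 'example_search_box_hardened' ); // hypothetical shortcode name

// --- 2. SQL injection: bind values with $wpdb->prepare() ---

// Vulnerable: the slug is interpolated into the SQL string.
function example_lookup_vulnerable( $slug ) {
    global $wpdb;
    return $wpdb->get_row( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '$slug'" );
}

// Hardened: %s is bound by prepare(), so the value cannot alter the query structure.
function example_lookup_hardened( $slug ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s", $slug )
    );
}

// --- 3. Broken access control: nonce (CSRF) plus capability (authorization) on a privileged action ---

// Vulnerable: any logged-in user can delete any post, and no nonce is checked.
function example_delete_vulnerable() {
    wp_delete_post( intval( $_POST['post_id'] ), true );
    wp_send_json_success();
}

// Hardened: reject missing/invalid nonces, then require the delete_post capability for that post.
function example_delete_hardened() {
    check_ajax_referer( 'example_delete_post', 'nonce' ); // dies with 403 on a bad or missing nonce
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete', 'example_delete_hardened' ); // hypothetical AJAX action
```

The escaper must match the context the value is written into (esc_attr for attributes, esc_html for text, esc_url for href/src); one generic escape function is not enough. On the access-control side, a nonce alone only proves the request came from the site's own form, so the capability check is what actually enforces who may perform the action.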
Plugins by vulnerability type
XSS (Cross-Site Scripting) – 71
SQL Injection – 40
Unrestricted Access – 20
Cross Site Request Forgery (CSRF) – 12
Multi – 10
Information Disclosure – 10
Arbitrary File Upload – 7
BYPASS – 7
Arbitrary File Download – 7
PHP Object Injection – 5
Remote File Inclusion – 3
Local File Inclusion – 3
Arbitrary Code Execution – 2
Direct static code injection – 1
Directory Traversal – 1
Top 5 most popular plugins affected by vulnerabilities in 2017
Yoast SEO (most popular SEO plugin) – 5,000,000+ – XSS (Cross-site Scripting)
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".