WordPress plugin and theme vulnerability statistics for 2017. The statistics were derived from our up-to-date WordPress Vulnerabilities Database. We monitor a large number of sources and add new vulnerabilities to the database daily.

The year in figures

We added 221 vulnerabilities to our database. The total number of vulnerabilities decreased by 69%. During 2017, as in 2016, Cross-Site Scripting (XSS) was at the top of the list: more and more WordPress plugins and themes are found to be vulnerable to XSS, largely because many developers do not pay enough attention to escaping data on output.

Overall statistics for 2017

2017 also saw a substantial rise in SQL Injection vulnerabilities. It is striking how many sites were put at risk by vulnerabilities found in WordPress plugins: the total number of active installs of the affected plugins is 17,101,300+.
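The two defect classes the figures above count most often, missing output escaping (XSS) and unparameterised queries (SQLi), shown as a WordPress shortcode handler in its vulnerable and hardened forms. This is an added example, not code from the article or from any plugin it names; the table name demo_items and the q request parameter are assumptions.

```php
<?php
// Added example (not from the article or any plugin it names). The table
// "demo_items" and the "q" query parameter are hypothetical.

// --- Vulnerable pattern: SQLi through string concatenation, XSS through raw output.
function demo_items_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $search = isset( $_GET['q'] ) ? $_GET['q'] : '';
    // Request data flows into SQL unchanged: SQL injection.
    $rows = $wpdb->get_results( "SELECT title, url FROM {$wpdb->prefix}demo_items WHERE title LIKE '%{$search}%'" );
    // Request data and database content are printed without escaping: reflected and stored XSS.
    $html = '<p>Results for: ' . $search . '</p><ul>';
    foreach ( $rows as $row ) {
        $html .= '<li><a href="' . $row->url . '">' . $row->title . '</a></li>';
    }
    return $html . '</ul>';
}

// --- Hardened form: sanitize on input, bind query values with $wpdb->prepare(),
//     and escape every value for the HTML context it lands in.
function demo_items_shortcode_safe( $atts ) {
    global $wpdb;
    $search = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $table  = $wpdb->prefix . 'demo_items'; // not user-controlled, so safe to interpolate
    // prepare() binds the value as a parameter; esc_like() stops '%' and '_' in the
    // user's text from acting as LIKE wildcards.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT title, url FROM {$table} WHERE title LIKE %s",
            '%' . $wpdb->esc_like( $search ) . '%'
        )
    );
    // esc_html() for text nodes, esc_url() for href attributes: stored values are
    // escaped too, since the database is not a trust boundary.
    $html = '<p>Results for: ' . esc_html( $search ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $html .= '<li><a href="' . esc_url( $row->url ) . '">' . esc_html( $row->title ) . '</a></li>';
    }
    return $html . '</ul>';
}

// Only the hardened handler is registered; the vulnerable one is kept for comparison.
add_shortcode( 'demo_items', 'demo_items_shortcode_safe' );
```

When reviewing a plugin, the quick check is whether every echo or returned HTML fragment wraps untrusted values in an esc_* function matching its context, and whether every $wpdb call with variable input goes through prepare().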

Total vulnerable plugins – 202

Total vulnerable themes – 5

Plugins affected by vulnerabilities in WordPress.org repository – 153

Non-WordPress.org repository plugins affected by vulnerabilities – 24

WordPress top 3 vulnerabilities

Cross-Site Scripting (XSS)

SQL Injection (SQLi)

Broken Access Control

Plugins by vulnerability type

XSS (Cross-Site Scripting) – 71

SQL Injection – 40

Unrestricted Access – 20

Cross Site Request Forgery (CSRF) – 12

Multi – 10

Information Disclosure – 10

Arbitrary File Upload – 7

BYPASS – 7

Arbitrary File Download – 7

PHP Object Injection – 5

Remote File Inclusion – 3

Local File Inclusion – 3

Arbitrary Code Execution – 2

Direct static code injection – 1

Directory Traversal – 1

Top 5 most popular plugins affected by vulnerabilities in 2017

Yoast SEO (most popular SEO plugin) – 5,000,000+ – XSS (Cross-site Scripting)

WooCommerce (most popular ecommerce plugin) – 3,000,000+ – XSS (Cross-site Scripting)

Smush Image Compression and Optimization – 1,000,000+ – Directory Traversal

Duplicator – 1,000,000+ – XSS (Cross-site Scripting)

Loginizer – 600,000+ – SQL Injection

Some interesting facts

WordPress released 8 security updates in 2017.

The total number of vulnerabilities in the ThreatPress vulnerabilities database is 3,321.

The first recorded vulnerability was discovered on 2005-02-20.

About the Author: Dominykas Gelucevičius

Security researcher, web developer and blogger. He is a technology enthusiast with a keen eye for cybersecurity and other tech-related developments.

Pierluigi Paganini

(Security Affairs – WordPress plugins, statistics)
