Vulnerabilities in WordPress plugins more than doubled in 2021: Report – Saskatoon StarPhoenix


Vulnerabilities in WordPress plugins more than doubled in 2021 compared to the previous year, according to a new report, a worrying trend because most of them can be exploited by threat actors against the e-commerce and news sites that rely on the platform.


The report, released today by researchers at Risk Based Security, says 2,240 vulnerabilities in WordPress plugins were disclosed last year. That’s a 142 per cent increase compared to 2020.

Plugins add capabilities to the platform, including search engine optimization, user forms, website builders, e-commerce features and more. It is estimated that there are thousands of free or paid WordPress plugins available. However, not all of them are designed with security in mind, and not all of them issue security updates. Vulnerabilities in those plugins let threat actors attack WordPress sites indirectly, through a plugin, rather than by targeting the core platform itself.

Of the more than 10,000 known WordPress plugin vulnerabilities, 77 per cent have known public exploits, the report notes.

While the average CVSSv2 score across all WordPress plugin vulnerabilities is 5.5, which counts as medium severity, the report says many score higher. For example, a vulnerability in the Starter Templates plugin, which according to WordPress security specialist Wordfence is installed on more than 1 million WordPress websites, carries a CVSS score of 7.6.

But, the Risk Based Security report says, WordPress administrators shouldn't prioritize patching by CVSS score alone. There's evidence that malicious actors go after the vulnerabilities they can exploit easily, whatever their score.

“Because of factors like exploitability and attacker location, WordPress plugin issues can pose a significant threat to organizations deploying at-risk assets, even if they may not appear ‘highly critical’ at first glance,” warns the report.


Security teams need knowledge of their assets, including every installed plugin; comprehensive vulnerability intelligence covering all known issues; and detailed metadata that lets them examine factors such as exploitability and then put the risk each issue poses to their own environment in context, says the report.

“Security professionals should start with vulnerabilities that are remotely exploitable, have a public exploit, and have a known solution,” says the report. “And if WordPress plugin issues affect important assets, these vulnerabilities should be triaged first. By remediating these types of issues, organizations can best protect themselves against potential attacks while saving time since solution data is available. This risk-based approach will prove to be more effective than traditional Vulnerability Management models based on severity.”
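The triage order the report describes can be expressed as a ranking over an inventory joined with a vulnerability feed. The script below is an added example, not code from the report or the article: it ranks the issues that actually affect one site by the report's criteria (important asset, remotely exploitable, public exploit available, fix available) and uses CVSS only as a tie-breaker, then shows the severity-only ordering beside it. The plugin inventory (in the shape of WP-CLI's `wp plugin list --format=json` output), the plugin names, the vulnerability IDs, scores and attributes are all constructed sample data; the simple numeric version comparison is also an assumption of the example.

```python
"""Risk-based triage of WordPress plugin vulnerabilities (added example).

Ranks the issues affecting one site by the report's criteria (important
asset, remotely exploitable, public exploit available, fix available)
rather than by CVSS score alone. The inventory and the vulnerability
records are constructed sample data with invented plugin names, IDs and
scores; nothing here comes from a real advisory.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of `wp plugin list --format=json`
# (WP-CLI). Plugin names and versions are invented.
INVENTORY_JSON = """[
  {"name": "example-forms",   "status": "active",   "version": "2.3.1"},
  {"name": "example-shop",    "status": "active",   "version": "5.0.0"},
  {"name": "example-gallery", "status": "inactive", "version": "1.8.2"}
]"""

# Which plugins sit on a revenue-critical path is the site owner's call;
# a vulnerability feed cannot supply it. Assumed for this example.
IMPORTANT_PLUGINS = {"example-shop"}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                  # hypothetical identifier
    plugin: str                   # plugin slug as used in the inventory
    cvss: float                   # base score from the feed
    remote: bool                  # exploitable over the network
    public_exploit: bool          # a working exploit has been published
    fixed_version: Optional[str]  # first patched version, None if no fix


# Constructed feed entries (invented IDs, scores and attributes).
FEED = [
    Vuln("EX-0001", "example-gallery", 7.6, True,  False, "1.9.0"),
    Vuln("EX-0002", "example-shop",    5.5, True,  True,  "5.0.1"),
    Vuln("EX-0003", "example-forms",   6.1, True,  True,  None),
    Vuln("EX-0004", "example-forms",   8.8, False, False, "2.3.1"),
    Vuln("EX-0005", "example-gallery", 4.3, True,  True,  "1.8.3"),
]


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only ('2.3.1' -> (2, 3, 1)); an assumption
    of this example, real plugin versions can carry suffixes."""
    return tuple(int(part) for part in v.split("."))


def load_inventory(text: str) -> dict:
    """Map plugin slug -> installed version. Inactive plugins are kept:
    their PHP files are still on disk and may be reachable directly."""
    return {p["name"]: p["version"] for p in json.loads(text)}


def affects_site(v: Vuln, inventory: dict) -> bool:
    """True if the plugin is installed and the installed version is unpatched."""
    installed = inventory.get(v.plugin)
    if installed is None:
        return False
    if v.fixed_version is None:   # no fix exists: every version is affected
        return True
    return parse_version(installed) < parse_version(v.fixed_version)


def risk_key(v: Vuln, important: set) -> tuple:
    """Sort key: important asset, remote, public exploit, fix available,
    then CVSS as the tie-breaker. Used with reverse=True, so True and
    higher scores sort first."""
    return (v.plugin in important, v.remote, v.public_exploit,
            v.fixed_version is not None, v.cvss)


def triage(feed, inventory, important) -> list:
    """IDs of the issues that apply to this site, in remediation order."""
    applicable = [v for v in feed if affects_site(v, inventory)]
    ranked = sorted(applicable, key=lambda v: risk_key(v, important), reverse=True)
    return [v.vuln_id for v in ranked]


def by_severity(feed, inventory) -> list:
    """The traditional ordering, by CVSS alone, for comparison."""
    applicable = [v for v in feed if affects_site(v, inventory)]
    return [v.vuln_id for v in sorted(applicable, key=lambda v: v.cvss, reverse=True)]


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_JSON)
    print("severity order  :", by_severity(FEED, inv))
    print("risk-based order:", triage(FEED, inv, IMPORTANT_PLUGINS))
```

With the sample data, the severity-only list puts the 7.6-scored issue first even though no exploit is public for it, while the risk-based list starts with the 5.5-scored issue on the revenue-critical plugin that is remotely exploitable, has a public exploit and already has a fix. The 8.8-scored entry drops out entirely because the installed version is already patched, which is why the inventory join matters as much as the ranking.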

The post Vulnerabilities in WordPress plugins more than doubled in 2021: Report first appeared on IT World Canada.
