The cybersecurity company ThreatPress has published a summary of WordPress vulnerabilities for 2017.
The infographic provides statistics collected from the ThreatPress database of WordPress vulnerabilities and from data available on the WordPress.org website.
The first number that draws attention is the number of sites that were potentially at risk during the year: there were about 17,101,300 active installs of vulnerable plugins.
221 vulnerabilities were added to the ThreatPress database in 2017, a number 69 percent lower than the 2016 figure. That is good news, though a lower count of catalogued vulnerabilities reflects what was found and reported during the year, so it suggests rather than proves that WordPress software is becoming safer.
Most of the identified vulnerabilities were found in plugins hosted on the WordPress.org plugin repository: 153 such plugins had security issues. A further 24 plugins hosted outside the WordPress.org plugin repository had identified and confirmed vulnerabilities with serious security impact.
Five themes were also added to the ThreatPress vulnerability database.
So, what caused the most security threats? According to the ThreatPress database statistics, the most common vulnerability classes in 2017 were:
- Cross-Site Scripting (XSS) – 35.1%
- SQL Injection (SQLi) – 19.8%
- Broken Access Control – 9.9%
Below the top three we see these vulnerabilities:
- Cross-Site Request Forgery (CSRF) – 5.9%
- Multiple vulnerabilities (on the same product) – 5.0%
- Information disclosure – 5.0%
- Arbitrary File Upload – 3.5%
- BYPASS – 3.5%
- Arbitrary File Download – 3.5%
- PHP Object Injection – 2.5%
- Local File Inclusion (LFI) – 1.5%
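To make the top categories above concrete, here is an added illustration (not code from the ThreatPress report or from any plugin it names) of how XSS, SQL injection, broken access control and CSRF typically appear together in a small WordPress AJAX handler, with a hardened version beside it. The plugin name, the `example_notes` table, the `example_note_save` action and the `body`/`nonce` request fields are all hypothetical; the WordPress API calls (`$wpdb->prepare`, `esc_html`, `current_user_can`, `check_ajax_referer`, `sanitize_text_field`) are real.

```php
<?php
/*
Plugin Name: Example Vulnerability Patterns (added illustration, hypothetical plugin)
*/

// --- Vulnerable handler: one endpoint with the three most common 2017 bug classes ---
// Broken access control: the nopriv hook lets unauthenticated visitors call it,
// and no capability check is made for logged-in callers either.
add_action( 'wp_ajax_example_note_save_vuln', 'example_note_save_vuln' );
add_action( 'wp_ajax_nopriv_example_note_save_vuln', 'example_note_save_vuln' );
function example_note_save_vuln() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_notes'; // hypothetical table
    // SQL injection: request input concatenated straight into the statement.
    $wpdb->query( "INSERT INTO {$table} (body) VALUES ('" . $_POST['body'] . "')" );
    // XSS: request input echoed back without escaping.
    echo 'Saved: ' . $_POST['body'];
    wp_die();
}

// --- Hardened handler ---
// No nopriv hook, so only logged-in users reach it at all.
add_action( 'wp_ajax_example_note_save', 'example_note_save' );
function example_note_save() {
    global $wpdb;
    // Access control: check a capability, not merely that someone is logged in.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: verify the nonce the page issued for this specific action.
    check_ajax_referer( 'example_note_save', 'nonce' );
    // Input handling: unslash, then sanitise to plain text.
    $body = isset( $_POST['body'] ) ? sanitize_text_field( wp_unslash( $_POST['body'] ) ) : '';
    if ( '' === $body ) {
        wp_send_json_error( 'empty body', 400 );
    }
    $table = $wpdb->prefix . 'example_notes';
    // SQL injection: bind the value through prepare() instead of concatenating it.
    $wpdb->query( $wpdb->prepare( "INSERT INTO {$table} (body) VALUES (%s)", $body ) );
    // XSS: escape at the point of output, in the context where it will be rendered.
    wp_send_json_success( array( 'message' => 'Saved: ' . esc_html( $body ) ) );
}

// Creates the hypothetical table on activation so the handlers have somewhere to write.
register_activation_hook( __FILE__, function () {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_notes';
    $charset = $wpdb->get_charset_collate();
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        body text NOT NULL,
        PRIMARY KEY  (id)
    ) {$charset};" );
} );

// Issues the nonce a front-end script would send as the 'nonce' field (hypothetical caller).
add_action( 'admin_footer', function () {
    echo '<script>var exampleNoteNonce = ' . wp_json_encode( wp_create_nonce( 'example_note_save' ) ) . ';</script>';
} );
```

The point of the pairing is that the fixes are independent: parameterising the query does nothing for the missing capability check, and a nonce does nothing for the unescaped output, which is why a single plugin endpoint can land in several of the categories counted above.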
Now let’s look at the most popular plugins, by active install count, that were affected by vulnerabilities in 2017:
- Yoast SEO – More than 5,000,000 active installs.
- WooCommerce – More than 3,000,000 active installs.
- Smush Image Compression and Optimization – More than 1,000,000 active installs.
- Duplicator – More than 1,000,000 active installs.
- Loginizer – More than 600,000 active installs.
Now you can imagine how many websites were under potential threat. These numbers are striking.
If you think the numbers above are significant, think again. WordPress itself had security issues too, and its development team shipped eight security releases during the year to patch vulnerabilities in WordPress core.
The first WordPress-related vulnerability was found in early 2005. The ThreatPress database now includes more than 3,300 vulnerabilities, and in January 2018 alone nearly fifty new entries were added.
We hope that these statistics will encourage more people to think about the additional protection for their websites.