Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture.

More specifically, 2021 has seen a growth of 150% in the reported vulnerabilities compared to the previous year, while 29% of the critical flaws in WordPress plugins never received a security update.

This is alarming considering that WordPress is the world’s most popular content management system, used in 43.2% of all websites out there.

Of all the reported flaws in 2021, only 0.58% were in WordPress core, with the rest being on themes and plugins for the platform, coming from various sources and different developers.

Notably, 91.38% of these flaws are found in free plugins, whereas paid/premium WordPress add-ons only accounted for 8.62% of the total, reflecting better code vetting and testing procedures.

Critical problems

In 2021, Patchstack counted five critical-severity vulnerabilities affecting 55 WordPress themes, with the most impactful concerning the abuse of file upload features.

Critical flaws that affected WordPress themesCritical flaws that affected WordPress themes (Patchstack)

On the plugins side, 35 critical vulnerabilities were reported, two of them affecting four million websites.

Two notable examples covered by Bleeping Computer last year are the “OptinMonster” plugin that impacted 1 million sites and the “All in One” SEO plugin that exposed 3 million websites to takeover attacks.

While the developers fixed these vulnerabilities via security updates, nine plugins never received patches. Therefore, they were removed from plugin marketplaces for not addressing the severe issues.

Plugins that never fixed their critical flaws.Plugins that never fixed their critical flaws (Patchstack)

Notably, this subset also suffered predominately by unauthenticated file upload problems, followed by SQL injection and privilege escalation bugs.

Most prevalent targets

PatchStack reports that cross-site scripting (XSS) topped the list with the most reported type of WordPress flaws in 2021, followed by “mixed”, cross-site request forgery, SQL injection, and arbitrary file upload.

Type of WordPress vulnerabilities reported in 2021Types of WordPress vulnerabilities reported in 2021 (Patchstack)

In terms of the severity of the reported flaws, 3.41% were critical, 17.94% were categorized as highly important, and 76.76% were classified as medium, primarily due to the presence of conditions for exploitation.

About 42% of WordPress sites had at least one vulnerable component in 2021, out of the 18 installed on average. While this number is lower than the 23 plugins installed on sites in 2020, the problem remains due to six out of 18 of them being outdated.

The most targeted outdated plugins in 2021 were OptinMonster, PublishPress Capabilities, Booster for WooCommerce plugin, and Image Hover Effects Ultimate plugin.

Most targeted outdated pluginsMost targeted outdated plugins (Patchstack)

In summary, Patchstack’s report highlights that WordPress site admins can manage most security risks by using paid plugins instead of free offerings, keeping the number of installed add-ons at a minimum, and upgrading them to the latest available version as soon as possible.