WordPress vulnerabilities more than doubled last year


Security vulnerabilities affecting different WordPress plugins saw a 142% increase in 2021 compared to the year before, experts have revealed.

Analyzing the state of the WordPress ecosystem, which includes some 58,000 free plugins, as well as “tens of thousands” more available for purchase, Risk Based Security say the spike in the vulnerabilities to hit 2,240 is “alarming”.

However, what’s even more concerning is the exploitability of these vulnerabilities. Of all the known flaws, more than three-quarters (77%) are exploitable, meaning a public exploit exists for them.

Addressing the biggest threats first

While the majority of these flaws are exploitable, the average CVSSv2 score across all of them is 5.5, which creates a potential problem: most organizations tend to deprioritize vulnerabilities with a severity score below 7.0, so a large share of exploitable plugin flaws never reaches the top of the remediation queue.

Of the vulnerabilities with known exploits, 7,592 are remotely exploitable, 7,993 have a public exploit, and 4,797 have a public exploit but no CVE ID. For organizations relying on CVE/NVD, this is particularly concerning, as they’ll be unaware of 60% of the issues with known public exploits.

“To fully understand the impact of these vulnerabilities, organizations will need to adopt a risk-based approach,” the researchers conclude. “Although some WordPress plugins claim to have over 500,000 installs, it doesn’t necessarily mean that all enterprises use them. Security teams will need to have knowledge of their assets, comprehensive vulnerability intelligence for all known issues, and detailed metadata, that allows them to examine factors like exploitability, to then contextualize the risk it poses to their environment.”

When triaging the threats, security pros should start with the remotely exploitable ones, then move on to those that have a public exploit and a known solution. If WordPress plugin issues affect important assets, those should be triaged first of all.

“By remediating these types of issues, organizations can best protect themselves against potential attacks while saving time since solution data is available. This risk-based approach will prove to be more effective than traditional Vulnerability Management models based on severity,” the researchers conclude.
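The triage order described above (important assets first, then remotely exploitable flaws, then those with a public exploit and an available fix, with CVSS only as a tie-breaker) can be expressed as a sort key. The code below is an added illustration written for this page, not code from Risk Based Security or from the article; the plugin names, scores and `CVE-PLACEHOLDER-*` identifiers are constructed sample data, and the `PluginFinding` fields are assumptions about what a vulnerability-intelligence feed would carry. It also shows the two blind spots the article warns about: a severity-only cut at 7.0 and reliance on CVE IDs alone.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PluginFinding:
    """One vulnerability record for an installed WordPress plugin (assumed schema)."""
    plugin: str
    cvss: float                   # CVSSv2 base score
    remotely_exploitable: bool
    public_exploit: bool          # a public exploit is known to exist
    solution_available: bool      # vendor fix or patched version exists
    cve_id: Optional[str]         # None when the issue was never assigned a CVE
    critical_asset: bool          # plugin runs on an asset the organization deems important


def triage_key(f: PluginFinding):
    """Sort key implementing the risk-based order; higher tuples rank first."""
    return (
        f.critical_asset,                          # 1. important assets first
        f.remotely_exploitable,                    # 2. remotely exploitable
        f.public_exploit and f.solution_available, # 3. public exploit with a known fix
        f.public_exploit,                          # 4. public exploit, no fix yet
        f.cvss,                                    # 5. severity only as a tie-breaker
    )


def risk_based_triage(findings: List[PluginFinding]) -> List[str]:
    """Return plugin names in the order they should be remediated."""
    return [f.plugin for f in sorted(findings, key=triage_key, reverse=True)]


def severity_only_triage(findings: List[PluginFinding], threshold: float = 7.0) -> List[str]:
    """The traditional model: anything below the threshold is deprioritized."""
    return [f.plugin for f in sorted(findings, key=lambda f: f.cvss, reverse=True)
            if f.cvss >= threshold]


def exploitable_but_deprioritized(findings: List[PluginFinding], threshold: float = 7.0) -> List[str]:
    """Flaws a severity-only process would drop even though a public exploit exists."""
    return [f.plugin for f in findings if f.public_exploit and f.cvss < threshold]


def invisible_to_cve_only_feeds(findings: List[PluginFinding]) -> List[str]:
    """Exploited flaws that a CVE/NVD-only feed would never surface."""
    return [f.plugin for f in findings if f.public_exploit and f.cve_id is None]


# Constructed sample inventory (not real plugins or real CVE IDs).
SAMPLE_FINDINGS = [
    PluginFinding("example-forms", cvss=5.5, remotely_exploitable=True, public_exploit=True,
                  solution_available=True, cve_id=None, critical_asset=True),
    PluginFinding("example-gallery", cvss=9.8, remotely_exploitable=False, public_exploit=False,
                  solution_available=True, cve_id="CVE-PLACEHOLDER-1", critical_asset=False),
    PluginFinding("example-seo", cvss=6.4, remotely_exploitable=True, public_exploit=True,
                  solution_available=False, cve_id="CVE-PLACEHOLDER-2", critical_asset=False),
    PluginFinding("example-cache", cvss=4.3, remotely_exploitable=False, public_exploit=False,
                  solution_available=True, cve_id=None, critical_asset=False),
]


if __name__ == "__main__":
    print("risk-based order:      ", risk_based_triage(SAMPLE_FINDINGS))
    print("severity-only (>=7.0): ", severity_only_triage(SAMPLE_FINDINGS))
    print("exploitable but dropped:", exploitable_but_deprioritized(SAMPLE_FINDINGS))
    print("missing from CVE feeds: ", invisible_to_cve_only_feeds(SAMPLE_FINDINGS))
```

On the sample data the severity-only model would work only the 9.8 local flaw, while the two remotely exploitable plugins with public exploits (scores 5.5 and 6.4) fall below the cut, and the one with no CVE ID would not appear in a CVE-driven feed at all; the risk-based key puts both of them ahead of the high-CVSS item.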

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
