Vulnerabilities in WordPress plugins more than doubled in 2021: Report

Vulnerabilities in WordPress plugins more than doubled in 2021 compared to the previous year, according to a report, a worrying trend because most can be exploited by threat actors on the e-commerce and news sites that rely on the platform.

The report, released today by researchers at Risk Based Security, says 2,240 vulnerabilities in WordPress plugins were disclosed last year. That’s a 142 per cent increase compared to 2020.

Plugins add capabilities to the platform, including search engine optimization, user forms, a website builder, e-commerce features and more. It’s estimated there are thousands of free or paid WordPress plugins available. However, not all of them are designed with security in mind, and not all receive security updates. Vulnerabilities in those plugins allow threat actors to attack WordPress indirectly rather than targeting the platform itself.

Out of all of the more than 10,000 known WordPress plugin vulnerabilities, 77 per cent have known public exploits, the report notes.

While the average CVSSv2 score for all WordPress plugin vulnerabilities is 5.5, considered of moderate severity, the report says, many score higher. For example, the Starter Templates plugin, which according to WordPress security specialist Wordfence is installed on over 1 million WordPress websites, has a CVSS score of 7.6.

But, the Risk Based Security report says, WordPress administrators shouldn’t put a priority on patching high-scoring bugs. There’s evidence malicious actors go after vulnerabilities they can easily exploit.

“Because of factors like exploitability and attacker location, WordPress plugin issues can pose a significant threat to organizations deploying at-risk assets, even if they may not appear ‘highly critical’ at first glance,” warns the report.

Security teams need knowledge of their assets — including all plugins — comprehensive vulnerability intelligence for all known issues, and detailed metadata that allows them to examine factors like exploitability and then contextualize the risk an issue poses to their environment, says the report.

“Security professionals should start with vulnerabilities that are remotely exploitable, have a public exploit, and have a known solution,” says the report. “And if WordPress plugin issues affect important assets, these vulnerabilities should be triaged first. By remediating these types of issues, organizations can best protect themselves against potential attacks while saving time since solution data is available. This risk-based approach will prove to be more effective than traditional Vulnerability Management models based on severity.”
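The triage order the report recommends, contrasted with a plain severity sort, as an added example that is not part of the original article or the report. The plugin names, scores and flags are constructed sample data, and the tie-break inside each tier (number of criteria met, then CVSS) is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    plugin: str            # constructed plugin name, not a real product
    cvss: float            # base severity score
    remote: bool           # remotely exploitable
    public_exploit: bool   # a public exploit is known
    has_fix: bool          # a known solution (patch/upgrade) exists
    important_asset: bool  # affects an asset the organization rates as important


# Constructed sample inventory for illustration only.
FINDINGS = [
    Finding("forms-plugin-a", 9.1, False, False, False, False),
    Finding("seo-plugin-b", 5.5, True, True, True, True),
    Finding("shop-plugin-c", 7.6, True, True, True, False),
    Finding("builder-plugin-d", 8.2, True, False, True, True),
    Finding("gallery-plugin-e", 4.3, True, True, False, True),
]


def severity_order(findings):
    """Traditional model: highest CVSS first, nothing else considered."""
    return [f.plugin for f in sorted(findings, key=lambda f: -f.cvss)]


def risk_tier(f):
    """Tier 0: remote + public exploit + fix on an important asset.
    Tier 1: remote + public exploit + fix. Tier 2: everything else."""
    actionable = f.remote and f.public_exploit and f.has_fix
    if actionable and f.important_asset:
        return 0
    return 1 if actionable else 2


def risk_based_order(findings):
    """Risk-based model: tier first; within a tier (assumption) prefer
    findings meeting more criteria, then higher CVSS."""
    def key(f):
        met = sum((f.remote, f.public_exploit, f.has_fix, f.important_asset))
        return (risk_tier(f), -met, -f.cvss)
    return [f.plugin for f in sorted(findings, key=key)]


if __name__ == "__main__":
    print("severity  :", severity_order(FINDINGS))
    print("risk-based:", risk_based_order(FINDINGS))
```

With this sample data the moderate-severity finding on an important asset moves to the top of the queue, while the highest-scoring finding, which is neither remote nor publicly exploited, drops to the bottom.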


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
