Statistics Highlight the Biggest Source of WordPress Vulnerabilities

By Robert Abela on November 05th, 2014 in WordPress Security News

After a number of WordPress hack incidents this year, many started questioning whether WordPress is secure. WordPress, and especially the WordPress core, is in fact quite secure, as I explained in the article Is WordPress Secure? Most successful attacks against WordPress are the result of human error, be it a configuration mistake or a failure to maintain the installation: not keeping the core and all plugins up to date, installing insecure plugins, and so on.

In this article I use the statistics from the WPScan Vulnerability Database to highlight which WordPress components are the most vulnerable, and to emphasize how important it is to always run the latest version of any software you use.

What is WPScan Vulnerability Database?

The WPScan Vulnerability Database is an online, browsable version of WPScan’s data files, which are used to detect known vulnerabilities in WordPress core, plugins and themes. To date it contains 2407 vulnerabilities, 1570 of which are unique.

WPScan is an open source automated black box security scanner for WordPress. For more information on WPScan and how it can help you improve the security of your WordPress installation, read Getting to Know WPScan Automated Black Box Security Scanner for WordPress.

WordPress Vulnerabilities Overview

As the pie chart below shows, plugins are the biggest source of vulnerabilities in WordPress. The WPScan Vulnerability Database currently lists 1,305 WordPress plugin vulnerabilities, which accounts for 54% of all recorded WordPress vulnerabilities. Then there are 344 (14.3%) WordPress theme vulnerabilities and 758 (31.5%) WordPress core vulnerabilities.

WordPress vulnerabilities Pie Chart

Type of WordPress Vulnerabilities

The most common vulnerability types across WordPress core, plugins and themes are Cross-site Scripting (XSS) and SQL Injection. This is not surprising considering these two vulnerability classes have been listed in the OWASP Top 10 since its inception.

Type of Vulnerabilities in WordPress Core, Plugins and Themes

Statistics of WordPress Core Vulnerabilities

The graph below shows the top 10 most vulnerable WordPress core versions, with versions 3.0 and 3.0.1 leading the pack with 15 vulnerabilities each. In second place, with 13 vulnerabilities each, are WordPress versions 3.5, 3.5.1 and 3.6.

Top 10 Most Vulnerable WordPress Core Versions

Top 10 Most Vulnerable WordPress Plugins

Here are some worrying facts about the Top 10 most vulnerable WordPress plugins:

  • 5 of them are commercial plugins
  • These plugins were downloaded around 21 million times
  • 1 of these plugins is a WordPress security plugin

Top 10 Most Vulnerable WordPress Plugins

Why are these facts worrying? I would not be surprised to find that a commercial plugin has a vulnerability; everyone makes mistakes, and as long as they are rectified immediately all is good. What is worrying is that commercial plugins appear in the list of the top 10 most vulnerable WordPress plugins at all. I was also very surprised to see Wordfence, a WordPress security plugin, in the top 10 with 9 vulnerabilities. Again, I am not saying that such plugins should be bulletproof; neither it nor any other plugin ever will be. But I would expect a plugin written by security people to help WordPress users keep their sites secure to have fewer vulnerabilities, or at least not to be in the top 10 list.

Top 10 Most Vulnerable WordPress Themes

The graph below shows the top 10 most vulnerable WordPress themes; the theme with the most has only 3 vulnerabilities to its name.

The Top 10 Most Vulnerable WordPress Themes

Are These WordPress Vulnerabilities Statistics Accurate?

These statistics are based on the information stored in the WPScan Vulnerability Database, which, although frequently updated, is by no means complete. There are many other vulnerable WordPress plugins and themes that are not listed in it, as well as vulnerabilities that have not yet been made public. But it still gives us a good overview of the state of WordPress vulnerabilities.

Submit Known WordPress Vulnerabilities

The WPScan team encourages everyone who knows of a WordPress core, plugin or theme vulnerability that is not yet listed in the database to submit it to them, so that there is one centralized and reliable source of information.

What Can You Learn From These Statistics?

WordPress Users and Administrators

These statistics highlight how important it is to always run the latest version of WordPress, plugins and themes, thus ensuring that you always have the most secure and stable version of the software. You can make this easier on yourself by choosing a hosting provider that provides auto-updates for both plugins and WordPress itself, effectively eliminating the need to update plugins manually.

It is also very important to choose the right plugins for your WordPress site. When it comes to WordPress security plugins in particular, I recommend first getting a better understanding of the WordPress security plugins ecosystem and how they all work.

WordPress Plugins Developers

If you are a WordPress plugin developer, and especially the developer of a commercial plugin, you should go the extra mile to ensure the security of your customers. I recommend always double-checking your code and, if possible, commissioning a WordPress plugin security source code audit. Investing in security will actually help your business and your plugin’s reputation.
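As an added illustration (not code from the article, WPScan or any plugin it names) of what a source code audit looks for, here are the two defect classes the statistics rank highest, SQL injection and cross-site scripting, as they typically appear in a plugin shortcode handler, next to the hardened form. The shortcode name, function names and the `s` query parameter are hypothetical; the WordPress APIs used (`$wpdb->prepare()`, `$wpdb->esc_like()`, `esc_html()`, `esc_url()`, `sanitize_text_field()`) are real.

```php
<?php
// Added example, not from the article. Hypothetical shortcode handler that
// searches published posts by title and prints the results.

// BEFORE: the "s" parameter goes straight into SQL and back into the page.
function wpws_search_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    // SQL injection: raw user input concatenated into the query string.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_title LIKE '%{$term}%' AND post_status = 'publish'"
    );
    // Reflected XSS: the term and the titles are printed without escaping.
    $out = '<p>Results for ' . $term . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . get_permalink( $row->ID ) . '">' . $row->post_title . '</a></li>';
    }
    return $out . '</ul>';
}

// AFTER: input is sanitized, the query is parameterised with $wpdb->prepare(),
// and every value is escaped for the HTML context it is printed into.
function wpws_search_shortcode_hardened( $atts ) {
    global $wpdb;
    $term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    if ( '' === $term ) {
        return '';
    }
    // %s is quoted by prepare(); esc_like() neutralises LIKE wildcards in the term.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_title LIKE %s AND post_status = 'publish' LIMIT 20",
            $like
        )
    );
    // esc_html() for text nodes, esc_url() for the href attribute.
    $out = '<p>Results for ' . esc_html( $term ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
              . esc_html( $row->post_title ) . '</a></li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'wpws_search', 'wpws_search_shortcode_hardened' );
```

An audit of a plugin boils down to checking that every path from `$_GET`/`$_POST`/`$_REQUEST` into a query or into output goes through the second pattern and never the first.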


11 comments

Kevin 05/11/2014

When you mention which plugins are the most vulnerable, you don’t mention what versions you’re referring to. This makes an enormous difference, especially when plugins like WordFence are updated frequently, (some could argue *too* frequently) and plugins like NextGen Gallery have been around for many, many years.

Do you have the version number information for these “most vulnerable” plugins?

Robert Abela 06/11/2014

Hi Kevin,

Very good point. What I am trying to highlight here is not if vulnerabilities have been fixed or not, but I am trying to raise awareness about writing more secure code to avoid such vulnerabilities in the first place.
When talking about WordFence and frequent updates I see your point, and yes, reported issues have been fixed and that is good. But the security history of a plugin (or any other software) tells us a lot about the product; for example, in this case security was not catered for in the first place when developing the plugin, and this is a bit of a let-down considering the plugin is written by security people who are aware of what type of vulnerabilities attackers / hackers typically exploit. In fact I am not just surprised about Wordfence but about all the 5 commercial plugins listed there!

Can commercial plugins have vulnerabilities? Of course they can, everyone can make mistakes, but they should lead by example and not be in the top 10 list of plugins which had the most reported vulnerabilities so far. It is not exactly something one should boast about, ay?

Kevin 10/11/2014

Had the vulnerabilities not been dealt with, then I would probably agree with you. When a plugin is under active development and performs many useful functions – like WordFence – I’m not too concerned about it being less secure than the (hopefully rock-solid) Hello Dolly plugin.

Just my 2 cents worth…

Robert Abela 11/11/2014

Hi Kevin,

I agree and disagree with you. I mean, I appreciate the fact that, for example, the WordFence developers do address security issues in a timely manner, but I do not appreciate the fact that their history has so many vulnerabilities. It clearly shows that they do not practise what they preach; i.e. security should be thought of in everything you are doing, especially when developing a plugin. But hey, aren’t we all entitled to an opinion? 🙂

Tim 22/10/2015

I am shocked – SHOCKED – Wordfence has any vulnerabilities.

Tim

Robert Abela 22/10/2015

I wouldn’t be so surprised. Every software can have vulnerabilities. As explained in the article, what’s important is how the developers respond to such vulnerabilities.

Jan Koch 11/11/2014

Hey Robert,
thanks for sharing these statistics with us!

I’ll have to share them with some of my friends who run online businesses. I’m preaching about updating their sites for ages and now they finally have the evidence that running WordPress 3.6 isn’t a good idea when you have 100k uniques and more every month 😉

Hopefully you’re not only raising awareness for writing secure code, but also for maintaining WordPress more carefully.

Cheers,
Jan

Chris S 02/12/2014

Yes, but if you use your thought about overall history, then why would anyone use WP at all, judging by its history, as they update bad security all the time?

Robert Abela 04/12/2014

Hi Chris,

Thank you for your comment.

What we are trying to highlight here are a few things;

1. First of all the importance of security code audits. If you are writing a plugin especially for commercial purposes it is recommended that you do frequent security code audits to ensure that you ship the best and most secure code when possible.

2. I am not saying that plugins with many vulnerabilities are not good. What I am trying to say is that one would expect better from a security plugin. Having said that, as long as the developer addresses the issue in a timely fashion it is all good, though there might be the day when someone discovers a vulnerability and does not report it. This would allow him to exploit the vulnerability (0-day exploit). Therefore if you choose a plugin which has a “good history” the chances of being a victim of a 0-day exploit are much lower.

As regards your comment about WordPress, you are right. In fact WordPress’ history is not that bright in terms of security, but developers are indeed taking a new, more proactive approach when coding. Having said that, yes, WordPress still has a long way to go when it comes to security.

Bernard Pieper 12/08/2015

Good information and I’ll use wpvulndb.com to see what I’m dealing with. But I accept the fact that vulnerabilities exist (but don’t like it :-)); if we see to WP in general, even the use of WP can be seen as unsafe.
What’s far more interesting for me is if and how quickly the developer reacts and solves the vulnerability problem. And how the communication is with their userbase. Is the program automatically updated, or is the webmaster the one who must initiate the update?
If the update is very quick and the communication good… I’ll appreciate that and see that as a plus for that developer, and it gives me trust.

Robert Abela 19/08/2015

Hello Bernard,

Have a look at http://www.wpsecuritybloggers.com and subscribe to it. It is a central source of WordPress security news, i.e. an aggregation of most popular WordPress security sites.
