The same ecosystem that makes WordPress so attractive also makes it vulnerable. According to the PatchStack report, WordPress core was responsible for less than 1% of the vulnerabilities discovered in 2021; the other 99% were in themes and plugins, and that in a year when reported vulnerabilities grew by 50%. The most commonly vulnerable add-ons, as you might have guessed, are the free themes and plugins: more than 90% of the reported flaws were found in free components.
Many of the vulnerabilities involved file upload abuse, SQL injection and privilege escalation, alongside the usual suspects, Cross-Site Scripting and Cross-Site Request Forgery. Because some of these plugins are so widely installed, a single critical flaw in one of them can affect a huge number of sites, which makes WordPress as popular a target for attackers as it is a platform for people and companies. That becomes even clearer when you consider that, while critical vulnerabilities accounted for only around 4% of everything reported in 2021, almost 30% of those critical issues never received a fix at all.
WordPress is a great tool and, as we mentioned, one that offers a lot of options to extend the content and functionality of a site. But site administrators need to keep on top of the updates, patches and known vulnerabilities for the plugins they run. Not doing so leaves them open to attack and, in the worst case, to compromise and exfiltration of sensitive data. Nothing like having someone hit an unprotected REST API endpoint and walk off with your client list because you chose the wrong plugin to handle your newsletter signups (as was the case with OptinMonster version 2.6.4 and below).
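"Keeping on top of it" in practice means comparing what is installed against what is known to be broken, and version ranges like "2.6.4 and below" are exactly where ad-hoc scripts go wrong, because a plain string comparison puts 2.10.0 before 2.6.4. The following is an added example (not code from the post, from PatchStack or from OptinMonster): it reads a plugin inventory shaped like `wp plugin list --format=json`, checks it against a small advisory list and reports what needs updating or removing. The OptinMonster range is the one quoted above; the fix version and the other two plugins and advisories are constructed for illustration.

```python
"""Audit installed WordPress plugins against advisory version ranges.

Added example, not code from the original post. Inputs are constructed
inline: a sample of `wp plugin list --format=json` output and a
hand-written advisory list. In practice you would feed in real data.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.6.4' or '1.10.2-beta' into a tuple of ints for comparison.

    Plain string comparison gets this wrong: '2.10.0' < '2.6.4' as strings,
    but 2.10.0 is the newer release. Non-numeric suffixes are dropped and
    short versions are padded, so '2.6' compares equal to '2.6.0'.
    """
    parts: List[int] = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass
class Advisory:
    slug: str
    affected_up_to: str        # inclusive upper bound: "X and below"
    fixed_in: Optional[str]    # None means no fix was ever published
    summary: str


# The OptinMonster range (2.6.4 and below, unprotected REST API) is the one
# quoted in the post; the fix version is assumed for illustration. The other
# two entries are constructed placeholders, not real plugins or advisories.
ADVISORIES = [
    Advisory("optinmonster", "2.6.4", "2.6.5", "unauthenticated REST API exposure"),
    Advisory("example-gallery", "1.10.2", None, "arbitrary file upload (no fix)"),
    Advisory("example-forms", "3.9.0", "3.9.1", "SQL injection"),
]

# Constructed sample of `wp plugin list --format=json` output.
WP_PLUGIN_LIST_JSON = """[
  {"name": "optinmonster",    "status": "active",   "update": "available", "version": "2.6.3"},
  {"name": "example-gallery", "status": "active",   "update": "none",      "version": "1.10.2"},
  {"name": "example-forms",   "status": "inactive", "update": "none",      "version": "3.10.0"},
  {"name": "akismet",         "status": "active",   "update": "none",      "version": "4.2.1"}
]"""


def is_affected(installed: str, advisory: Advisory) -> bool:
    """True when the installed version falls inside the advisory's range."""
    return parse_version(installed) <= parse_version(advisory.affected_up_to)


def audit(plugin_list_json: str, advisories: List[Advisory] = ADVISORIES) -> List[Dict[str, str]]:
    """Return one finding per installed plugin that matches an advisory."""
    by_slug = {a.slug: a for a in advisories}
    findings: List[Dict[str, str]] = []
    for p in json.loads(plugin_list_json):
        adv = by_slug.get(p["name"])
        if adv and is_affected(p["version"], adv):
            findings.append({
                "plugin": p["name"],
                "installed": p["version"],
                # Inactive plugins still ship their code to the web root,
                # so they are reported too rather than skipped.
                "status": p["status"],
                "issue": adv.summary,
                "action": (f"update to {adv.fixed_in}" if adv.fixed_in
                           else "remove: no fix published"),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(WP_PLUGIN_LIST_JSON):
        print(finding)
```

Note the third sample plugin: version 3.10.0 is outside the "3.9.0 and below" range, and the tuple comparison says so, whereas comparing the raw strings would have flagged it. The second one has no fix at all, which, given that almost a third of critical issues never got one, is the case your process has to have an answer for: the only remediation is to remove the plugin.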
Happy Patching