ThreatPress published a summary of all WordPress vulnerabilities detected in 2017. The infographic (below) presents statistics collected from the ThreatPress database of WordPress vulnerabilities and from data available on open sources such as the WordPress.org website.
All of the WordPress plugins that were marked as vulnerable in 2017 together have more than seventeen million active installs. Just imagine how many sites were at potential risk. I think we’re talking about a number that exceeds five million websites. Five million!!! OK, let’s see what more we have on this infographic.
ThreatPress 2017 year report in numbers
- 221 vulnerabilities were added to the database of WordPress vulnerabilities in 2017, compared to 234 vulnerabilities in 2016.
- 202 plugins were identified as vulnerable, 153 of them hosted on the WordPress.org plugin repository.
- 5 WordPress themes were identified as vulnerable; the real number could be much bigger, but it’s hard to access and check themes from premium repositories.
- The most common vulnerability type was Cross-Site Scripting (XSS), with SQL Injection (SQLi) in second place and Broken Access Control in third.
- Other quite common vulnerability types in 2017 were Cross-Site Request Forgery (CSRF), Arbitrary File Upload, BYPASS, Arbitrary File Download, PHP Object Injection and Local File Inclusion.
- The top five vulnerable plugins in 2017 (by number of active installs according to WordPress.org data) were Yoast SEO, WooCommerce, Smush Image Compression and Optimisation, Duplicator and Loginizer.
- There were 8 WordPress security-related releases in 2017.
Last year’s statistics were promising; a decrease in vulnerabilities is a good sign, but 2018 started with some dangerous discoveries. In the middle of January ThreatPress found an easily exploitable vulnerability in the WordPress Email Subscribers and Newsletters plugin. This plugin has more than one hundred thousand active installs, and the flaw could leak a massive number of email addresses and other personal data. Still, I hope this year will be safer than 2017 or 2016.