Patchstack Whitepaper: WordPress Ecosystem Records 150% Increase in Security Vulnerabilities in 2021


Patchstack has published its State of WordPress Security whitepaper with a summary of threats to the WordPress ecosystem recorded in 2021. The whitepaper aggregates data from multiple sources, including the Patchstack Vulnerability Database, the Patchstack Alliance (the company’s bug bounty platform), and publicly reported CVEs from other sources.

In 2021, Patchstack recorded nearly 1,500 vulnerabilities, a 150% increase as compared to 2020, which recorded ~600. Patchstack found that the majority of these come from the WordPress.org directory:

The WordPress.org repository leads the way as the primary source for WordPress plugins and themes. Vulnerabilities in these components represented 91.79% of vulnerabilities added to the Patchstack database. The remaining 8.21% of the reported vulnerabilities in 2021 were reported in premium or paid versions of the WordPress plugins or themes that are sold through other marketplaces like Envato, ThemeForest, Code Canyon, or made available for direct download only.

WordPress core shipped four security releases, and only one included a patch for a critical vulnerability. This particular vulnerability was not in WordPress itself but rather in one of its bundled open source libraries, the PHPMailer library.

Patchstack estimates that 99.31% of all security bugs from 2021 were in components – WordPress plugins and themes. Themes had the most critical vulnerabilities, logging 55 this year. Patchstack found that 12.4% of vulnerabilities reported in themes had a critical CVSS score of 9.0-10.0. Arbitrary file upload vulnerabilities were the most common.

Plugins had a total of 35 critical security issues. This is fewer vulnerabilities compared to themes, but 29% of these received no public patch.

“The most surprising finding was really also the most unfortunate truth,” Patchstack Security Advocate Robert Rowley said. “I was not expecting to see so many plugins with critical vulnerabilities in them not receive patches.

“Some of those vulnerabilities required no authentication to perform, and have publicly available proof of concepts (exploit code) made widely available online. It is probably already too late for the site owners who did not get a notice that their websites were vulnerable.”

Patchstack: State of WordPress Security in 2021

Patchstack surveyed 109 WordPress site owners and found that 28% of respondents had zero budget for security, 27% budgeted $1-3/month, and just 7% budgeted ~$50/month. Agencies were more likely to allocate monthly costs to security than individual site owners.

Conversely, results from these same respondents showed $613 as the average cost of malware removal. Post-compromise cleanup prices reported ranged from $50 – $4,800.

Rowley sees the significant increase in security vulnerabilities found in 2021 as evidence of more engaged security professionals, not a sign of the WordPress ecosystem becoming less secure.

“Most likely this is due to more security bugs being reported (more vulnerable code being found, because more people are looking),” Rowley said. “Patchstack runs a bug bounty program which pays security researchers for the bugs they report in the WordPress ecosystem, which incentivizes security researchers (and even developers familiar with WordPress) to look for more security bugs.”

Overall, Patchstack’s findings this year show that WordPress core is very secure and the vast majority of vulnerabilities are found in themes and plugins. Users should monitor their extensions and periodically check to see if they have been abandoned, as not all vulnerable software is guaranteed to get patched. Check out the full security whitepaper for more details on the types of vulnerabilities most commonly found in 2021.
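The "check whether your extensions have been abandoned" advice above can be automated. The script below is an added example, not code from the article, from Patchstack, or from WordPress.org: it takes a list of plugin slugs, looks each one up, and flags plugins with no release in over a year, plugins that declare a "tested up to" WordPress version behind the current branch, and plugins that are no longer listed at all (closed or removed plugins are a common sign of abandonment). It assumes the WordPress.org plugin information endpoint `https://api.wordpress.org/plugins/info/1.0/<slug>.json` and that its `last_updated` field begins with a `YYYY-MM-DD` date and its `tested` field is a WordPress version string; the `STALE_AFTER_DAYS` threshold and the sample plugin records are constructed for the example.

```python
"""Flag WordPress plugins that look abandoned.

Added example, not part of the article or any Patchstack/WordPress.org tooling.
Assumption: the plugin info API at api.wordpress.org returns JSON with a
``last_updated`` string starting with YYYY-MM-DD and a ``tested`` version string.
"""
import json
import urllib.error
import urllib.request
from datetime import date, datetime

# Threshold (chosen for this example): no release in this many days is suspicious.
STALE_AFTER_DAYS = 365

# Constructed sample records standing in for live API responses; not real plugins.
SAMPLE_RESPONSES = {
    "fresh-plugin": {"version": "2.3.1", "last_updated": "2021-11-20 9:05am GMT", "tested": "5.8.2"},
    "stale-plugin": {"version": "1.0.4", "last_updated": "2018-03-02 4:40pm GMT", "tested": "4.9.4"},
    "untested-plugin": {"version": "0.9", "last_updated": "2021-06-15 1:00pm GMT", "tested": "5.2"},
}


def parse_last_updated(value: str) -> date:
    """Keep only the leading YYYY-MM-DD part of the API's last_updated string."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def version_tuple(version: str) -> tuple:
    """Turn '5.8.2' into (5, 8, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def assess_plugin(slug: str, info: dict, today: date, current_wp: str) -> list:
    """Return a list of findings for one plugin; an empty list means it looks maintained."""
    findings = []
    age_days = (today - parse_last_updated(info["last_updated"])).days
    if age_days > STALE_AFTER_DAYS:
        findings.append(f"{slug}: no release for {age_days} days")
    # Compare major.minor only: a plugin tested on the current branch is fine.
    tested = info.get("tested", "0")
    if version_tuple(tested)[:2] < version_tuple(current_wp)[:2]:
        findings.append(f"{slug}: tested up to WordPress {tested}, current is {current_wp}")
    return findings


def audit(slugs: list, fetch, today: date, current_wp: str) -> dict:
    """Run assess_plugin over every slug; `fetch(slug)` returns a record or None if unlisted."""
    report = {}
    for slug in slugs:
        info = fetch(slug)
        if info is None:
            report[slug] = [f"{slug}: not listed on WordPress.org (closed, removed, or never published)"]
            continue
        report[slug] = assess_plugin(slug, info, today, current_wp)
    return report


def fetch_live(slug: str):
    """Query the real WordPress.org plugin API (network access). Returns None on 404."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return data or None  # the API may answer with null/false for unknown slugs


def run_sample_audit() -> dict:
    """Offline run over the constructed records, as of 2021-12-31 with WordPress 5.8.2."""
    slugs = list(SAMPLE_RESPONSES) + ["missing-plugin"]
    return audit(slugs, SAMPLE_RESPONSES.get, today=date(2021, 12, 31), current_wp="5.8.2")


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSES.get with fetch_live to audit real slugs from `wp plugin list`.
    for slug, findings in run_sample_audit().items():
        print(slug, "OK" if not findings else "; ".join(findings))
```

In the sample run the stale plugin is reported for both its age and its old "tested up to" version, the plugin last tested on WordPress 5.2 is reported for the version gap only, and the unlisted slug is reported as not found. Swap `SAMPLE_RESPONSES.get` for `fetch_live` and feed in the slugs of an actual site's plugins to get the same report for real installations; premium plugins sold outside WordPress.org will show up as unlisted and need to be checked with their vendor instead.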