A large number of WordPress plugins never receive patches for critical vulnerabilities, leaving the numerous projects and websites that use them at risk of compromise by attackers, according to a new study.
WordPress plugins are essential for any project that aims to provide an optimal experience in the online marketplace. Websites and their backends are often enhanced with plugins, but new features and options also increase the attack surface, and criminals know this.
Different WordPress components are affected differently. For example, only 0.58% of security vulnerabilities originated from WordPress core in 2021, according to a report from Patchstack on the state of WordPress security in 2021.
The reports also underline a problem that became evident in 2021, with vulnerabilities in plugins increasing 150% compared to 2020.
“The WordPress.org repository leads the way as the primary source for WordPress plugins and themes,” said the researchers in the report. “Vulnerabilities in these components represented 91.79% of vulnerabilities added to the Patchstack database.”
“The remaining 8.21% of the reported vulnerabilities in 2021 were reported in premium or paid versions of the WordPress plugins or themes that are sold through other marketplaces like Envato, ThemeForest, Code Canyon, or made available for direct download only,” they added.
The security issues are even worse than this, with 42 percent of WordPress sites using at least one vulnerable component. There are multiple reasons for the sad state of security when it comes to WordPress plugins.
First of all, many websites don’t really have a security budget, so many issues are overlooked or ignored until they become a problem.
The second issue affects all platforms, including apps and operating systems. Often, developers push updates that fix critical vulnerabilities, but it takes a long time before they reach everyone. Some admins simply ignore security updates for months or even years.