580 WordPress vulnerabilities were disclosed in 2020
The report is based on data from Patchstack’s WordPress vulnerability database, which includes information collected by the company’s internal research team and its vulnerability bounty community, third-party cybersecurity vendors, and independent security researchers. It is worth noting that the WordPress content management system (CMS) drives more than 40% of websites on the Internet, and tens of thousands of plugins are available to its users to add various functions.
An analysis of the vulnerabilities disclosed last year showed that of the 582 unique issues, more than 96% actually affected third-party themes or plugins, many of which are used by millions of websites. More than 470 security vulnerabilities were found in plugins, and only 22 flaws affected the WordPress core.
Patchstack also analyzed 50,000 WordPress websites and found that they used an average of 23 third-party plugins, of which an average of 4 had not been updated to the latest version. As Patchstack wrote in its report, every plugin installed on a website increases its exposure to potential vulnerabilities, and delayed updates increase that risk further.
Cross-site scripting (XSS) vulnerabilities are the most common, followed by SQL injection, cross-site request forgery (CSRF), information disclosure, and arbitrary file upload vulnerabilities.