
The number of vulnerabilities in WordPress plugins and themes increased significantly over the past year, almost doubling compared to 2022.

That’s according to research by WordFence. 4,833 vulnerabilities were identified for the entire WordPress ecosystem in the past year. These vulnerabilities affected as many as 3,996 unique WordPress plugins and themes and WordPress core components.

A WordFence-generated bar chart illustrating the number of vulnerabilities per category.

The most commonly found vulnerabilities involved Cross-Site Scripting (XSS), with 1,963 vulnerabilities found. Cross-Site Request Forgery came in second with 1,098 instances. This category nearly tripled in 2023 compared to 2022.

In third place come Missing Authorization and Authorization Bypass vulnerabilities with 885 instances; this category also tripled from a year earlier. Fourth and fifth are SQL injection with 279 cases and information disclosure with 98 cases, respectively.

A WordFence bar chart showing the number of vulnerabilities in WordPress.

Positive developments

Fortunately, there are also positives to report. WordFence indicates that although the number of vulnerabilities for WordPress is high, not all of them have significant consequences. According to the study, WordPress is no longer the weakest link in the web hosting chain: many attacker tools now target other parts of this chain, such as cPanel and other web host management systems.

Furthermore, the number of malware infections of WordPress environments in 2023 remained the same as a year earlier.

Bug bounty program to increase quality

In their report, WordFence researchers also address the quality of vulnerability reports. They note that lately, security researchers, often out of self-promotion, present the most minor and low-impact vulnerabilities as critical issues.

The security specialist, therefore, wants to separate more of the wheat from the chaff and is introducing a bug bounty program for this purpose. This program rewards finding and reporting vulnerabilities in WordPress plugins and themes.

In this way, WordFence hopes that researchers will spend more time finding vulnerabilities in the CMS platform that can have a major impact.
