Patchstack has published its State of WordPress Security whitepaper with a summary of threats to the WordPress ecosystem recorded in 2021. The whitepaper aggregates data from multiple sources, including the Patchstack Vulnerability Database, the Patchstack Alliance (the company’s bug bounty platform), and publicy reported CVEs from other sources.
In 2021, Patchstack recorded nearly 1,500 vulnerabilities, a 150% increase as compared to 2020, which recorded ~600. Patchstack found that the majority of these come from the WordPress.org directory:
The WordPress.org repository leads the way as the primary source for WordPress plugins and themes. Vulnerabilities in these components represented 91.79% of vulnerabilities added to the Patchstack database.
The remaining 8.21% of the reported vulnerabilities in 2021 were reported in premium or paid versions of the WordPress plugins or themes that are sold through other marketplaces like Envato, ThemeForest, Code Canyon, or made available for direct download only.
WordPress core shipped four security releases, and only one included a patch for a critical vulnerability. This particular vulnerability was not in WordPress itself but rather in one of its bundled open source libraries, the PHPMailer library.
Patchstack estimates that 99.31% of all security bugs from 2021 were in components – WordPress plugins and themes. Themes had the most critical vulnerabilities, logging 55 this year. Patchstack found that 12.4% of vulnerabilities reported in themes had a critical CVSS score of 9.0-10.0. Arbitrary file upload vulnerabilities were the most common.
Plugins had a total of 35 critical security issues. This is fewer vulnerabilities compared to themes, but 29% of these received no public patch.
“The most surprising finding was really also the most unfortunate truth,” Patchstack Security Advocate Robert Rowley said. “I was not expecting to see so many plugins with critical vulnerabilities in them not receive patches.
“Some of those vulnerabilities required no authentication to perform, and have publicly available proof of concepts (exploit code) made widely available online. It is probably already too late for the site owners who did not get a notice that their websites were vulnerable.”
Patchstack surveyed 109 WordPress site owners and found that 28% of respondents had zero budget for security, 27% budgeted $1-3/month, and just 7% budget ~$50/month. Agencies were more likely to allocate monthly costs to security than individual site owners.
Conversely, results from these same respondents showed$613 as the average cost of malware removal. Post-compromise cleanup prices reported ranged from $50 – $4,800.
Rowley sees the significant increase in security vulnerabilities found in 2021 as evidence of more engaged security professionals, not a sign of the WordPress ecosystem becoming less secure.
“Most likely this is due to more security bugs being reported (more vulnerable code being found, because more people are looking),” Rowley said. “Patchstack runs a bug bounty program which pays security researchers for the bugs they report in the WordPress ecosystem, which incentives security researchers (and even developers familiar with WordPress) to look for more security bugs.”
Overall, Patchstack’s findings this year show that WordPress core is very secure and the vast majority of vulnerabilities are found in themes and plugins. Users should monitor their extensions and periodically check to see if they have been abandoned, as not all vulnerable software is guaranteed to get patched. Check out the full security whitepaper for more details on the types of vulnerabilities most commonly found in 2021.