WordPress Plugin Vulnerabilities Rose by 142% in 2021; 77% of them have known public exploits
According to one report, more than 450 million websites use WordPress. These sites install WordPress plugins to add features and extend functionality, but those same plugins also put the sites at risk.
According to a report by RiskBased Security, 10,359 vulnerabilities affecting third-party WordPress plugins were reported in 2021, a 142% increase over 2020. The primary concern about these vulnerable plugins is that 77% of the vulnerabilities have known public exploits.
Of these 10,359 vulnerabilities, 7,993 have a public exploit and 7,592 are remotely exploitable. That shows how risky running a WordPress-based website has become. Worse, 4,797 of the vulnerabilities have a public exploit but no CVE ID. No CVE ID means these vulnerabilities have not been reported, so they may still be unpatched with no fix on the way, and anyone with malicious intent can use them to successfully target a WordPress website.
Many vulnerable WordPress plugins with a public exploit have more than 50,000 installs. If your website uses any of these plugins, it is at high risk. Organizations with a security team should carry out a security audit to find out whether any of the plugins they use are vulnerable. Running a vulnerable plugin that has a public exploit can cause a big loss.
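One way to start such an audit, as an added example that is not from the article: a Python script that reads the standard WordPress plugin header (`Plugin Name:`, `Version:`) from each plugin's main file and compares the installed version against a list of first-fixed versions. The advisory table and the plugin slugs and versions are constructed placeholders, not real advisories.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed advisory table: plugin slug -> first fixed version. The slugs and
# versions are hypothetical placeholders, not taken from any real database.
KNOWN_VULNERABLE: Dict[str, str] = {
    "example-gallery": "2.1.4",
    "example-forms": "5.0.0",
}

# Matches header lines such as " * Plugin Name: Foo" or " * Version: 1.2.3".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_plugin_header(php_source: str) -> Optional[Dict[str, str]]:
    """Read 'Plugin Name' and 'Version' from a plugin file's header comment."""
    fields = dict(HEADER_RE.findall(php_source))
    if "Plugin Name" not in fields:
        return None  # not a plugin main file
    return {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}

def version_tuple(version: str) -> tuple:
    """Turn '2.1.4' or '5.0-beta1' into a comparable tuple of ints."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))

def audit_plugins(plugins: Dict[str, str]) -> List[str]:
    """plugins maps slug -> PHP source of its main file; returns findings."""
    findings = []
    for slug, source in plugins.items():
        header = parse_plugin_header(source)
        fixed = KNOWN_VULNERABLE.get(slug)
        if header and fixed and version_tuple(header["version"]) < version_tuple(fixed):
            findings.append(f"{slug} {header['version']} < {fixed} ({header['name']})")
    return findings

def scan_plugin_dir(plugins_dir: str) -> List[str]:
    """Collect the main file of every plugin under wp-content/plugins and audit it."""
    plugins: Dict[str, str] = {}
    for php_file in Path(plugins_dir).glob("*/*.php"):
        source = php_file.read_text(errors="ignore")
        if parse_plugin_header(source):
            plugins[php_file.parent.name] = source
    return audit_plugins(plugins)

# Constructed sample plugin sources standing in for wp-content/plugins/<slug>/<slug>.php
SAMPLE_PLUGINS = {
    "example-gallery": "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 2.1.3\n */\n",
    "example-forms": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 5.0.0\n */\n",
    "hello-dolly": "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n",
}

if __name__ == "__main__":
    print("\n".join(audit_plugins(SAMPLE_PLUGINS)) or "no known-vulnerable plugins")
```

Point `scan_plugin_dir` at a real `wp-content/plugins` directory and replace the placeholder table with entries from a vulnerability feed you trust to run it against a live install.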
WordPress is a popular CMS that lets people build a website without writing code. Many site owners with no coding knowledge use WordPress and its plugins to get the features they want, so they rely on WordPress and plugin developers to patch known vulnerabilities. In the meantime, vulnerabilities with a public exploit available leave their websites exposed.
There are close to 60,000 free and thousands of paid WordPress plugins. Many of them were developed without security in mind, so thousands of websites remain vulnerable. There have been several instances where millions of websites were hacked and wiped through a single plugin vulnerability.