The WordPress security company Patchstack has released a whitepaper about the security of WordPress in 2021. According to the whitepaper, the number of vulnerabilities reported in 2021 grew by as much as 150% compared to 2020, a massive increase in just one year.
Themes and plugins cause risks
WordPress core seems to be quite safe, since only 0.58% of the security vulnerabilities originated from it. Themes and plugins, on the other hand, pose a massive risk to websites. Patchstack states that 29% of the critically vulnerable WordPress plugins did not receive a patch. This means WordPress admins must keep an eye on security news and plugin versions for potential risks.
Patchstack states that there were 55 vulnerabilities in WordPress themes in 2021; 10 of them have a CVSS score of 10.0 with an “Unauthenticated arbitrary file upload and option deletion” flaw. There were also 35 critical vulnerabilities in plugins. Two of the plugins with critical vulnerabilities, All in One SEO and WP Fastest Cache, were installed by more than 1 million users, and both addressed the vulnerabilities. However, the plugins listed below did not fix the issues and have been removed from the repositories:
- Modern WPBakery Page Builder Addons (premium)
- N5 Upload Form
- WP-Curriculo Vitae Free
- Business Hours Pro
- Gallery from files
- Car Seller
- Store Locator Plus
Patchstack warns administrators to check for those plugins and uninstall them or replace them with alternatives. Vulnerable plugins like these are hard to track because they appear to be up to date in the WordPress update dashboard. Keeping an eye on WordPress security news appears to be the best solution for now.
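One way to run the check Patchstack recommends, as an added example that is not from Patchstack or the original article: the script reads the standard "Plugin Name:" header of each installed plugin and compares it with the list above. The names come from the article with the "(premium)" marker dropped; matching on display name and the default wp-content/plugins path are assumptions, since the article gives no plugin slugs.

```python
import re
from pathlib import Path

# Names copied from the article's list; "(premium)" dropped for matching (assumption).
REMOVED_PLUGINS = [
    "Modern WPBakery Page Builder Addons",
    "N5 Upload Form",
    "WP-Curriculo Vitae Free",
    "Business Hours Pro",
    "Gallery from files",
    "Car Seller",
    "Store Locator Plus",
]

# WordPress reads plugin metadata from a comment header near the top of the main file.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)


def normalize(name):
    """Lowercase and reduce to alphanumerics so punctuation differences do not hide a match."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def plugin_names(plugins_dir):
    """Yield (relative path, Plugin Name) for each plugin main file found."""
    root = Path(plugins_dir)
    # Main files sit either directly in plugins/ or one folder below it.
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        with open(php, "rb") as fh:
            match = HEADER_RE.search(fh.read(8192))  # header lives in the first 8 KB
        if match:
            name = match.group(1).decode("utf-8", "replace").strip()
            yield php.relative_to(root).as_posix(), name


def find_removed_plugins(plugins_dir):
    """Return (path, installed name, listed name) for installed plugins on the removed list."""
    wanted = {normalize(n): n for n in REMOVED_PLUGINS}
    hits = []
    for path, name in plugin_names(plugins_dir):
        installed = normalize(name)
        # Substring match, so a longer installed display name is still caught.
        hits.extend((path, name, listed) for key, listed in wanted.items() if key in installed)
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, name, listed in find_removed_plugins(target):
        print(f"{path}: '{name}' matches removed plugin '{listed}'")
```

Because the match is on display name, a hit is a prompt to review that plugin by hand, not proof that it is the removed one.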