WordPress security researchers at Patchstack have released their annual State of WordPress Security whitepaper. It reports a sharp rise in the share of vulnerabilities rated high or critical, and its findings underline the need for robust security measures across every WordPress website.
XSS Is Top WordPress Vulnerability Of 2023
Among the vulnerability classes tracked, cross-site scripting (XSS) was the most prevalent, accounting for 53.3% of all new WordPress security issues. XSS typically arises when a plugin or theme writes user-controlled input into a page without adequate sanitization on input and escaping on output, so attacker-supplied markup or script reaches the visitor's browser. Patchstack traces a large share of the year's count to a single flaw in the Freemius SDK, a third-party framework that plugins bundle for licensing and payments: that one vulnerability was inherited by more than 1,200 plugins and, by Patchstack's count, represents 21% of all new vulnerabilities identified in 2023.
The Freemius Software Development Kit (SDK), bundled in over 1,200 plugins that are installed on more than 7 million WordPress sites, illustrates the supply-chain risk. A flaw in one shared component is inherited by every plugin that embeds it, and each of those plugins has to ship its own update before its users are protected, so the blast radius of a single bug is multiplied many times over.
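The sanitize-on-input, escape-on-output pattern that the XSS figures above come down to, shown as an added example for a hypothetical shortcode named `greet`. This is illustrative code written for this article, not code from the Patchstack report or from the Freemius SDK; it assumes only WordPress core functions (`shortcode_atts`, `sanitize_text_field`, `sanitize_key`, `esc_attr`, `esc_html`). The vulnerable version trusts both the shortcode attribute and a query-string value; the hardened version validates each on input and escapes each for the exact HTML context it lands in.

```php
<?php
// Added example (not from the Patchstack report or the Freemius SDK): a
// hypothetical [greet] shortcode that renders a "name" attribute and a
// ?ref= query parameter into the page.

// Vulnerable: attacker-controlled text is concatenated straight into HTML.
// Triggers: [greet name='<img src=x onerror=alert(1)>'] in post content, or
// a link to the page with ?ref=" onmouseover="alert(1)
function vulnerable_greet_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'friend' ), $atts, 'greet' );
    $ref  = isset( $_GET['ref'] ) ? $_GET['ref'] : '';
    return '<p class="greet" data-ref="' . $ref . '">Hello, ' . $atts['name'] . '</p>';
}

// Hardened: sanitize on input, then escape on output per context.
function safe_greet_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'friend' ), $atts, 'greet' );

    // Input validation: reduce each value to the shape the feature needs.
    // sanitize_text_field() strips tags, octets and line breaks;
    // sanitize_key() restricts a tracking token to [a-z0-9_-].
    $name = sanitize_text_field( $atts['name'] );
    $ref  = isset( $_GET['ref'] ) ? sanitize_key( wp_unslash( $_GET['ref'] ) ) : '';

    // Output escaping: an attribute value and an element body are different
    // contexts, so they get different escapers even for already-clean input.
    return '<p class="greet" data-ref="' . esc_attr( $ref ) . '">Hello, ' . esc_html( $name ) . '</p>';
}
add_shortcode( 'greet', 'safe_greet_shortcode' );
```

Sanitization alone is not enough because it does not know where the value will be rendered; escaping alone is not enough because it does not reject values that are wrong for the feature. Use both, and pick the escaper by context: `esc_url()` for an `href`, `esc_js()` for inline script data, and `wp_kses_post()` only where a limited set of HTML must be allowed through.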
Patchstack’s report stated:
"This year we saw once again how a single cross-site scripting vulnerability in the Freemius framework resulted in 1,248 plugins inheriting the security vulnerability, exposing their users to risk.
21% of all new vulnerabilities discovered in 2023 can be traced back to this one flaw. It’s vital for developers to choose their stack carefully and promptly apply security updates when these become available."
More Vulnerabilities Rated High Or Critical
Vulnerabilities are scored by severity, from low to critical. In 2022, 13% of new vulnerabilities were rated high or critical; in 2023 that share rose to 42.9%, a more than threefold increase in the proportion of serious bugs.
Authenticated Versus Unauthenticated Vulnerabilities
Another key metric in the report is the share of vulnerabilities that require no authentication (unauthenticated), meaning an attacker needs no account on the target site at all. Vulnerabilities that require a logged-in user with a particular role (anywhere from subscriber to administrator) raise the bar for an attacker, although on sites with open registration a subscriber account is trivial to obtain. Unauthenticated vulnerabilities are the more concerning, because bots can scan for and exploit them at scale with no site-specific preparation.
Patchstack found that 58.9% of all new vulnerabilities required no authentication.
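What "unauthenticated" looks like in plugin code, as an added example that is not from the report or from any of the plugins it names. The hypothetical admin-ajax action `delete_item` is registered for anonymous callers via `wp_ajax_nopriv_`, so anyone on the internet can delete posts; the hardened version drops the `nopriv` hook, verifies a nonce bound to the specific object, and checks a capability on that object rather than merely whether someone is logged in. It assumes WordPress core functions only (`check_ajax_referer`, `current_user_can`, `wp_delete_post`, `wp_send_json_*`) and that the client obtains its nonce from `wp_create_nonce( 'delete_item_' . $post_id )`.

```php
<?php
// Added example: a hypothetical plugin endpoint that deletes a post.
// Called as POST /wp-admin/admin-ajax.php with action=delete_item&post_id=N

// Vulnerable: no login, no nonce, no capability check. The nopriv hook
// makes this reachable by an anonymous bot, which is exactly the class of
// bug the 58.9% "no authentication required" figure describes.
function vulnerable_delete_handler() {
    $post_id = (int) $_POST['post_id'];
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_delete_item', 'vulnerable_delete_handler' );
add_action( 'wp_ajax_nopriv_delete_item', 'vulnerable_delete_handler' ); // unauthenticated

// Hardened: authentication, CSRF protection and per-object authorization.
function safe_delete_handler() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // CSRF: nonce must match this action AND this object; dies with -1 if not.
    check_ajax_referer( 'delete_item_' . $post_id, 'nonce' );

    // Authorization on the specific post. A bare is_user_logged_in() would
    // still let any self-registered subscriber delete other people's posts.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_delete_item', 'safe_delete_handler' );
// Deliberately no wp_ajax_nopriv_delete_item hook: the endpoint has no
// legitimate anonymous caller, so it should not exist for anonymous users.
```

The same three checks apply to REST routes (`permission_callback`), form handlers on `admin_post_*`, and anything behind `admin-ajax.php`: a `nopriv` or `__return_true` permission hook should exist only when the endpoint is genuinely meant for the public, and a role check is no substitute for a capability check on the object being touched.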
Abandoned Plugins Spike As a Risk Factor
The high number of abandoned plugins is another significant risk factor. In 2022, Patchstack reported 147 abandoned plugins and themes to WordPress.org, of which 87 were removed from the directory. In 2023 the number reported jumped to 827, with 481 removed.
Patchstack noted:
"We reported 404 of those plugins in a single day to draw attention to the ‘zombie plugin pandemic’ in WordPress. Such ‘zombie’ plugins appear safe and up-to-date at first glance but may contain unpatched security issues. Furthermore, these plugins remain active on user sites even if they are removed from the WordPress plugins repository."
Most Popular Plugins With Vulnerabilities
As noted earlier, severity ratings range from low to critical. Patchstack compiled a list of the most popular plugins with vulnerabilities.
In 2022, 11 popular plugins with over a million active installations had vulnerabilities. In 2023, Patchstack lowered the threshold to plugins with over 100,000 installations. Despite this change, only nine popular plugins were found to have vulnerabilities in 2023, down from 11 in 2022.
In 2022, five out of 11 of the most popular plugins with vulnerabilities contained high severity vulnerabilities. None had critical level vulnerabilities; the rest were medium severity.
The situation worsened in 2023. Despite the lower threshold, all nine plugins on the list contained critical level vulnerabilities. The majority, six out of nine, had unauthenticated vulnerabilities, which can be exploited at scale with automation. The remaining three required only subscriber level access, which any visitor can obtain on a site that allows registration.
List Of Most Popular Plugins With Vulnerabilities
- Essential Addons for Elementor – 1M+ installations (severity rating 9.8)
- WP Fastest Cache – 1M+ installations (severity rating 9.3)
- Gravity Forms – 940k installations (severity rating 8.3)
- Fusion Builder – 900k installations (severity rating 8.5)
- Flatsome (Theme) – 618k installations (severity rating 8.3)
- WP Statistics – 600k installations (severity rating 9.9)
- Forminator – 400k installations (severity rating 9.8)
- WPvivid Backup and Migration – 300k installations (severity rating 8.8)
- JetElements For Elementor – 300k installations (severity rating 8.2)
State Of WordPress Security Is Worse
The increase in vulnerabilities, particularly high and critical ones, highlights the need for improved security practices. Publishers must regularly audit their plugins and themes to confirm that they are up to date, still actively maintained, and still listed in the WordPress.org directory, since a plugin that has been closed there keeps running on the site and stops receiving fixes.
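One way to run the audit just described, as an added example that is not part of the Patchstack report or of any Patchstack tooling. It queries the public WordPress.org plugin information API (`https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG`), whose JSON response carries a `last_updated` field for a listed plugin and an `error` field for one that has been closed or never existed, and flags plugins that are stale or gone from the directory. The fetch function is injected so the run below works offline against constructed responses; the 730-day staleness threshold is an assumption, not a figure from the report.

```php
<?php
// Added example: flag installed plugins that look abandoned or have been
// removed from the WordPress.org directory. Not code from the report.

const STALE_AFTER_DAYS = 730; // assumption: two years without an update

/**
 * @param string[] $slugs       plugin slugs, e.g. from `wp plugin list --field=name`
 * @param callable $fetch_json  string $url -> string $body
 * @param int      $now         unix timestamp to measure staleness against
 * @return array<string,string> slug => OK | STALE | REMOVED_FROM_DIRECTORY | UNKNOWN_UPDATE_DATE
 */
function audit_plugins( array $slugs, callable $fetch_json, int $now ): array {
    $findings = array();
    foreach ( $slugs as $slug ) {
        $url  = 'https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]='
              . rawurlencode( $slug );
        $info = json_decode( $fetch_json( $url ), true );

        if ( ! is_array( $info ) || isset( $info['error'] ) ) {
            // Closed or never listed: a "zombie" that still runs on the site
            // but will never receive an update through the normal channel.
            $findings[ $slug ] = 'REMOVED_FROM_DIRECTORY';
            continue;
        }

        // last_updated from the API looks like "2023-11-02 9:15am GMT".
        $updated = strtotime( $info['last_updated'] ?? '' );
        if ( false === $updated ) {
            $findings[ $slug ] = 'UNKNOWN_UPDATE_DATE';
        } elseif ( ( $now - $updated ) > STALE_AFTER_DAYS * 86400 ) {
            $findings[ $slug ] = 'STALE';
        } else {
            $findings[ $slug ] = 'OK';
        }
    }
    return $findings;
}

// Constructed sample responses (not real API data) keyed by slug.
$sample = array(
    'good-plugin' => '{"name":"Good Plugin","last_updated":"2023-11-02 9:15am GMT"}',
    'old-plugin'  => '{"name":"Old Plugin","last_updated":"2019-03-10 2:00pm GMT"}',
    'zombie'      => '{"error":"Plugin not found."}',
);

// Offline fetcher: pulls the slug back out of the request URL.
$fake_fetch = function ( string $url ) use ( $sample ): string {
    parse_str( (string) parse_url( $url, PHP_URL_QUERY ), $q );
    $slug = $q['request']['slug'] ?? '';
    return $sample[ $slug ] ?? '{"error":"Plugin not found."}';
};

// In a real run inside WordPress, replace $fake_fetch with:
//   fn( $url ) => wp_remote_retrieve_body( wp_remote_get( $url ) );
print_r( audit_plugins( array_keys( $sample ), $fake_fetch, strtotime( '2024-01-15' ) ) );
```

Against the constructed data this reports `good-plugin` as OK, `old-plugin` as STALE and `zombie` as REMOVED_FROM_DIRECTORY. Anything in the last two buckets deserves a replacement or removal rather than a reminder to update, because there is no update coming.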
SEO professionals should also be aware that security directly impacts rankings, as Google may de-list hacked sites. Basic security checks, such as verifying security headers, should be part of every site audit. Discussions with clients about security risks are essential.
Patchstack exemplifies a service that proactively protects WordPress sites against vulnerabilities, even before a patch is issued. These services are crucial for defending against hacks and maintaining search visibility and revenue.
Read the Patchstack report:
State of WordPress Security In 2023
Featured Image by Shutterstock/Iurii Stepanov