Study Reveals a Rise in WordPress Vulnerabilities

Discover the latest findings that confirm a notable uptick in WordPress vulnerabilities, with a focus on their increased severity. Get insights into the growing concerns surrounding WordPress security issues.

According to the annual State of WordPress Security whitepaper by Patchstack, XSS emerges as the top vulnerability for WordPress in 2023.

Cross-site scripting (XSS) vulnerabilities are the most common type, making up 53.3% of all new WordPress security vulnerabilities. They typically occur when user input is not properly sanitized, meaning that input which does not meet the expected criteria is not rejected before it is processed or displayed.

In 2023, Patchstack reported that the Freemius framework, a third-party managed eCommerce platform, was responsible for over 1,200 XSS vulnerabilities. This accounted for 21% of all new XSS vulnerabilities discovered during that year.

The Freemius Software Development Kit (SDK) is utilized in more than 1,200 plugins, reaching over 7 million WordPress sites. This raises concerns about supply chain vulnerabilities, as a single component used in a WordPress plugin can potentially lead to vulnerabilities in multiple plugins.

According to Patchstack's report:

This year, we witnessed how a single cross-site scripting vulnerability in the Freemius framework affected 1,248 plugins, putting their users at risk.

A staggering 21% of all new vulnerabilities found in 2023 can be linked back to this particular flaw. It is crucial for developers to be mindful of their choices in technology stack and to promptly install security updates as soon as they are released.

Increase in High or Critical Vulnerabilities

Vulnerabilities are categorized by a severity score, which indicates how much damage a discovered flaw can cause. The ratings range from low, through medium and high, to critical.

In 2022, only 13% of new vulnerabilities were considered high or critical. However, in 2023, this number dramatically increased to 42.9%, indicating a significant rise in more severe vulnerabilities compared to the previous year.

Authenticated Versus Unauthenticated Vulnerabilities

Another important point highlighted in the report is the percentage of vulnerabilities that do not require any authentication. This means that attackers can launch an attack without needing any user permission level.

Flaws that require an attacker to already hold subscriber- to admin-level permissions are harder to exploit. Unauthenticated vulnerabilities, on the other hand, do not require the attacker to obtain any permission level first. This makes them more worrisome, because they can be exploited at scale by automated attacks, such as bots that scan sites for vulnerable versions and launch attacks automatically.

Patchstack found that 58.9% of all new vulnerabilities required no authentication at all.
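To make the two points above concrete (unsanitized input leading to XSS, and the difference between an endpoint any visitor can reach and one gated behind authentication), here is an added example of a hypothetical WordPress plugin AJAX handler written both ways. It is not code from the Patchstack report or from any plugin named on this page; the function, action and nonce names are invented, while the WordPress API calls (add_action, check_ajax_referer, current_user_can, sanitize_text_field, esc_html, esc_attr) are the real ones.

```php
<?php
// Added example, not from the report: a hypothetical plugin AJAX endpoint.
// Action/function names are invented; the WordPress APIs are real.

// --- Vulnerable pattern ---------------------------------------------------
// Hooking wp_ajax_nopriv_* exposes the action to visitors who are NOT logged
// in: this is what the report counts as an "unauthenticated" flaw. The
// handler then echoes request data without sanitizing or escaping it, which
// is the reflected XSS pattern described above.
add_action( 'wp_ajax_nopriv_example_greet', 'example_greet_vulnerable' );
add_action( 'wp_ajax_example_greet',        'example_greet_vulnerable' );
function example_greet_vulnerable() {
    $name = $_POST['name'];                                // untrusted, unchecked
    echo '<p class="greeting">Hello, ' . $name . '</p>';   // unescaped output
    wp_die();
}

// --- Hardened pattern -----------------------------------------------------
// 1. No wp_ajax_nopriv_* hook, so only logged-in users can reach the action.
// 2. check_ajax_referer() rejects requests without a valid nonce; the page
//    that issues the request must embed wp_create_nonce( 'example_greet_nonce' ).
// 3. current_user_can() rejects users below the required capability, so a
//    self-registered subscriber account is not enough to trigger it.
// 4. sanitize_text_field() normalizes the input on the way in.
// 5. esc_attr() / esc_html() escape it for the context it is output into.
add_action( 'wp_ajax_example_greet_safe', 'example_greet_hardened' );
function example_greet_hardened() {
    check_ajax_referer( 'example_greet_nonce', 'security' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name = isset( $_POST['name'] )
        ? sanitize_text_field( wp_unslash( $_POST['name'] ) )
        : '';
    if ( '' === $name || strlen( $name ) > 64 ) {
        wp_send_json_error( 'invalid name', 400 );
    }
    printf(
        '<p class="greeting" data-name="%s">Hello, %s</p>',
        esc_attr( $name ),   // attribute context
        esc_html( $name )    // element text context
    );
    wp_die();
}
```

The hardened handler still accepts a name, so the feature is unchanged; what changes is who can reach it and how the input is treated on the way in and out.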

Abandoned Plugins Spike As a Risk Factor

Another major reason for vulnerabilities is the high number of abandoned plugins. According to Patchstack's report in 2022, there were 147 abandoned plugins and themes on WordPress.org. Out of these, 87 were removed while the rest were fixed.

The following year, in 2023, the number of abandoned plugins skyrocketed to 827. In 2022, 87 vulnerable abandoned plugins were taken down, but in 2023, the number increased to 481 removed plugins.

Patchstack highlighted that they identified 404 plugins in one day to raise awareness about the "zombie plugin pandemic" in WordPress. These "zombie" plugins may appear safe and current initially, but they could have unresolved security vulnerabilities. Additionally, these plugins continue to operate on user websites even after being removed from the WordPress plugins repository.

Patchstack has identified vulnerabilities in various popular plugins. These vulnerabilities are categorized based on severity ratings such as low, medium, high, and critical.

In 2022, 11 popular plugins with over a million active installations were found to have vulnerabilities. However, in 2023, Patchstack reduced the threshold to over 100,000 installations. Despite this change making it easier to qualify, only 9 popular plugins were discovered to have vulnerabilities, which is a significant improvement from the previous year.

In 2022, out of the 11 vulnerable popular plugins, only five had high severity vulnerabilities. None of them had critical level vulnerabilities, while the remaining vulnerabilities were of medium severity.

The numbers for plugin vulnerabilities took a turn for the worse in 2023. Even though the bar for popular plugins was lowered, all nine plugins on the list had critical vulnerabilities. Out of these, the majority, six out of nine, had vulnerabilities that could be exploited without authentication, making them easy targets for automation. The remaining three plugins required only subscriber-level access, which is easily obtainable by simply signing up and verifying an email. This also opens the door for automation to exploit these vulnerabilities.

Essential Addons for Elementor 1M+ installations (severity rating 9.8)

WP Fastest Cache 1M+ installations (severity rating 9.3)

Gravity Forms 940k installations (severity rating 8.3)

Fusion Builder 900k installations (severity rating 8.5)

Flatsome (Theme) 618k installations (severity rating 8.3)

WP Statistics 600k installations (severity rating 9.9)

Forminator 400k installations (severity rating 9.8)

WPvivid Backup and Migration 300k installations (severity rating 8.8)

JetElements For Elementor 300k installations (severity rating 8.2)

State Of WordPress Security Is Worse

If you've been noticing an increase in vulnerabilities recently, you're not alone. The statistics are clear: there were more vulnerabilities in 2023, and a higher percentage of them fell into the high and critical categories that can be exploited at scale with automation.

This highlights the importance for all publishers to enhance their security measures. It's crucial for someone to take charge of regularly auditing plugins and themes to ensure they are up-to-date and properly maintained.

Security is a crucial aspect for SEOs to consider, as it can impact a website's ranking when Google removes hacked sites from search results. Many SEOs overlook basic security checks during site audits, such as verifying the presence of security headers. It is important to always discuss security measures with clients to ensure they understand the risks involved.

One example of a valuable service is Patchstack, which automatically protects WordPress sites from vulnerabilities even before a patch is issued. These types of services are essential for preventing hacking incidents that could result in a loss of search visibility and revenue.

Read the Patchstack report:

State of WordPress Security In 2023

Featured Image by Shutterstock/Iurii Stepanov

Editor's P/S:

The article highlights the alarming increase in WordPress vulnerabilities in 2023, particularly the prevalence of cross-site scripting (XSS) vulnerabilities. The Freemius framework, used by numerous plugins, is identified as a major contributor to these vulnerabilities, raising concerns about supply chain risks. The dramatic rise in high and critical vulnerabilities, along with the high percentage of unauthenticated vulnerabilities, further underscores the urgency of addressing WordPress security.

To mitigate these risks, it is crucial for website administrators to regularly audit plugins and themes, ensure timely updates, and implement robust security measures. SEOs should prioritize security during site audits and communicate its importance to clients. Additionally, automated security services like Patchstack can provide valuable protection against vulnerabilities and hacking incidents. By proactively addressing WordPress security, website owners can protect their sites from hacking incidents, maintain search visibility, and safeguard their reputation and revenue.