
Patchstack, a company specializing in WordPress security, has published its annual white paper on the vulnerability of sites running the CMS. It reviews the main security issues reported in 2022. The vendor relied on data from the Patchstack Alliance, its bug bounty platform that connects security researchers with plugin developers. The analysis also draws on the four WordPress security releases published in 2022: 5.8.3, 5.9.2, 6.0.2 and 6.0.3.
For the year 2022, Patchstack draws the following insights:
- The vast majority of reported vulnerabilities come from plugins (93%),
- The number of reported vulnerabilities in plugins rose by 328% over 2021, a significant increase in a single year,
- 6.7% of vulnerabilities are in WordPress themes,
- Very few bugs are found in the core WordPress platform (0.6%),
- 26% of plugins with critical vulnerabilities have never been patched,
- 42% of WordPress sites have at least one vulnerable software component installed.
In its study, the vendor insists on the responsibility of platform users, whether they are website developers or plugin and theme creators.
In its previous study covering 2021, Patchstack noted that nearly one vulnerability in two (49.82%) was XSS (Cross-site Scripting): the injection of malicious code into web pages.
In 2022, this share dropped considerably (27.2%). Cross-site Request Forgery (CSRF) is now the most common vulnerability class (29.4%). As a reminder, CSRF is a flaw that lets an attacker trick an authenticated user into performing specific actions on a site without their knowledge. This type of flaw represented only 11% of vulnerabilities in 2021. Patchstack attributes this increase in part to the problems identified in the Freemius platform.
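Since CSRF tops the 2022 list, here is an added illustration (not from Patchstack or any real plugin) of what the flaw typically looks like in a WordPress plugin settings handler, next to the hardened form that ties the request to a form the user actually rendered. Hook, option and function names are hypothetical; it assumes a standard WordPress install.

```php
<?php
// Added example, not code from the original article or from any named plugin.
// All names (myplugin_*) are made up for illustration.

// --- CSRF-prone form (shown for contrast, deliberately NOT hooked below) ---
// Nothing proves the admin intended this request: a logged-in admin who visits
// an attacker-controlled page can be made to submit it unknowingly.
function myplugin_save_vulnerable() {
    update_option( 'myplugin_api_endpoint', $_POST['endpoint'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// --- Hardened form: nonce + capability check + input sanitisation ---
function myplugin_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Per-user, time-limited token bound to the action name.
    wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' );
    echo '<input type="hidden" name="action" value="myplugin_save">';
    echo '<input type="text" name="endpoint">';
    submit_button();
    echo '</form>';
}

function myplugin_save_hardened() {
    // Reject the request unless it carries a valid nonce for this action;
    // check_admin_referer() stops execution with an error page on failure.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // A nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // Sanitise before storing; never trust raw $_POST values.
    $endpoint = isset( $_POST['endpoint'] ) ? esc_url_raw( wp_unslash( $_POST['endpoint'] ) ) : '';
    update_option( 'myplugin_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// Only the hardened handler is registered on the admin-post hook.
add_action( 'admin_post_myplugin_save', 'myplugin_save_hardened' );
```

When reviewing a plugin, the absence of a `check_admin_referer()` / `wp_verify_nonce()` call on any state-changing `admin_post_*`, `wp_ajax_*` or REST handler is the first thing to look for.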
The WordPress cybersecurity specialist draws other lessons as well. First, Patchstack insists on the danger of abandoned plugins. Even when they are removed from the WordPress directory, they remain active on the sites that installed them. They are therefore particularly exposed to attacks and, since no update is ever offered, they give site owners the impression of being up to date.
Conversely, Patchstack notes greater involvement of ecosystem actors in WordPress security. In particular, the vendor highlights the work of WordPress hosting providers in alerting their customers to vulnerabilities on their sites. For 2023, Patchstack is optimistic. According to the company, the growth in the number of reported vulnerabilities does not mean that vulnerabilities themselves have multiplied, but rather that more of them are being found and addressed.
