PHOTO-2022-08-06-13-39-03

Free WordPress Themes and Plugins Featured 91% of Security Flaws in 2021 – Toolbox

EXPLORE
FOLLOW US
Get the latest news, expert insights and market research, sent straight to your inbox.

<!–

You’ll receive 2 email(s) per week

–>
Newsletters may contain advertising. You can unsubscribe at any time.
Stay away from WordPress themes and plugins, especially the free ones.

2021 was a bad year for the world’s most widely used content management platform. According to the State of WordPress Security Report by Patchstack, 1500 security vulnerabilities were discovered in WordPress in 2021, up from 600 in 2020, which was by no means a small count.
WordPress has dominated over half of the total CMS market share in the previous decade, and its market share grew from just over 51% in January 2010 to 64.8% in March 2022. The platform’s popularity is such that WordPress powers 43.2% of all websites globally.
Patchstack’s data indicates that WordPress itself is pretty secure, given that only 0.58% of the reported WordPress vulnerabilities in 2021 originated in the files that form the key functional elements of the platform, known as WordPress Core. The remaining 99.42% reside in themes and plugins, especially free ones.
The lion’s share (91.79%) of the reported WordPress vulnerabilities reside, as expected, in free themes and plugins sourced from the WordPress.org repository. The remaining 8.21% were reported in the premium or paid versions of the WordPress plugins or themes, generally available as direct download and on marketplaces such as Code Canyon, ThemeForest, and Envato.
WordPress Vulnerabilities by Type, PriceWordPress Vulnerabilities by Type, Price
WordPress Vulnerabilities at a Glance | Source: Patchstack
According to Patchstack, at least 55 WordPress themes featured critical flaws, 12.4% of which had a CVSS rating between 9 and 10 out of 10. The most common ones include those originating in arbitrary file upload functions. In total, 42 themes have vulnerabilities of CVSS 8.8 in an arbitrary file upload. Among others,
On the other hand, Plugins had 35 vulnerabilities, two of which have a million installations each. These are All in One SEO plugin (versions <= 4.1.5.2, 3+ million downloads), and WP Fastest Cache plugin (versions <=0.0.4, one+ million downloads). Alarmingly, just 29% of the critical plugin flaws were addressed with appropriate security patches.
Patches for both of these plugins are now available. “The positive action of these two projects is juxtaposed by the inaction by nine projects which had critical vulnerabilities identified in the plugins and with no security patch made available,” Patchstack noted. All of these are now removed from respective marketplaces.
Overall, the danger from just over 21% of all WordPress vulnerabilities was High or Critical.
Vulnerability by SeverityVulnerability by Severity
Vulnerability by Severity | Source: Patchstack
Vulnerabilities being targeted the highest were the easiest to exploit. The top four most-exploited vulnerabilities were found in:
However, XSS vulnerabilities took the highest share among WordPress’s various vulnerability types. This corresponds to the most prevalent vulnerabilities reported by the Patchstack Alliance bug bounty program.
WordPress Vulnerabilities by TypeWordPress Vulnerabilities by Type
WordPress Vulnerabilities by Type | Source: Patchstack
This is made worse by the fact that over 23% of respondents (digital agencies, freelance developers, site owners) have a zero security budget for WordPress. Furthermore,
None of this is at par with the average cost for WordPress malware removal in 2021, which was $613.
While higher budgets for WordPress security can help, the biggest draw from Patchstack’s State of WordPress Security 2021 report is this: stay away from themes and plugins, especially the free ones. While it’s true that paid themes and plugins also have weaknesses, eliminating the reliance on free WordPress tools reduces the chances of a compromise significantly.
The security budget, however low, can then come in handy to deal with the flaws in paid themes and plugins.
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Jr. Editor
Get the latest industry news, expert insights and market research tailored to your interests!

By signing up, you agree to our Terms of Use and Privacy Policy. Newsletters may contain advertising. You can unsubscribe at any time.
Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
*
*

document.getElementById( “ak_js_1” ).setAttribute( “value”, ( new Date() ).getTime() );

No Account? Sign up
By signing in, you agree to our Terms of Use and Privacy Policy. Newsletters may contain advertising. You can unsubscribe at any time.
We'll send an email with a link to reset your password.

Get the latest news, expert insights and market research, tailored to your interests.

Already have an account?
By signing up, you agree to our Terms of Use and Privacy Policy. Newsletters may contain advertising. You can unsubscribe at any time.
Enter the email address associated with your account. We'll send a magic link to your inbox.
Email Address


By signing in, you agree to our Terms of Use and Privacy Policy. Newsletters may contain advertising. You can unsubscribe at any time.
You auth link is expired or incorrect, please try again.
Get the latest news, expert insights and market research, tailored to your interests.

Enter a Email Address

By signing up, you agree to our Terms of Use and Privacy Policy. Newsletters may contain advertising. You can unsubscribe at any time.

source

Leave a Reply

Your email address will not be published. Required fields are marked *