Security News > 2022 > March > Nearly 30% of critical WordPress plugin bugs don't get a patch
Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture.
More specifically, 2021 has seen a growth of 150% in the reported vulnerabilities compared to the previous year, while 29% of the critical flaws in WordPress plugins never received a security update.
Of all the reported flaws in 2021, only 0.58% were in WordPress core, with the rest being on themes and plugins for the platform, coming from various sources and different developers.
Two notable examples covered by Bleeping Computer last year are the "OptinMonster" plugin that impacted 1 million sites and the "All in One" SEO plugin that exposed 3 million websites to takeover attacks.
The most targeted outdated plugins in 2021 were OptinMonster, PublishPress Capabilities, Booster for WooCommerce plugin, and Image Hover Effects Ultimate plugin.
In summary, Patchstack's report highlights that WordPress site admins can manage most security risks by using paid plugins instead of free offerings, keeping the number of installed add-ons at a minimum, and upgrading them to the latest available version as soon as possible.
News URL
Related news
- Unpatched critical flaws impact Fancy Product Designer WordPress plugin (source)
- Critical zero-days impact premium WordPress real estate plugins (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Netgear warns users to patch critical WiFi router vulnerabilities (source)