More than 580 WordPress vulnerabilities were disclosed in 2020

According to a new report from the website security company Patchstack (formerly WebARX), more than 580 WordPress vulnerabilities were disclosed in 2020, but most of them affected third-party plugins and themes, not the core of WordPress.

The report draws on Patchstack's WordPress vulnerability database, which collects findings from the company's internal research team and its vulnerability bounty community, from third-party cybersecurity vendors, and from independent security researchers. For context, the WordPress content management system (CMS) powers more than 40% of the websites on the Internet, and tens of thousands of plugins are available to extend it with additional functionality.

Of the 582 unique issues disclosed last year, more than 96% affected third-party themes or plugins, many of them installed on millions of websites. More than 470 of the vulnerabilities were in plugins and only 22 affected WordPress core; the rest affected themes.

Patchstack also analyzed 50,000 WordPress websites and found that they used an average of 23 third-party plugins, of which an average of 4 were not updated to the latest version. Patchstack wrote in its report: "Every time a plugin is installed on the website, the risk of exposure to potential vulnerabilities increases. The fact that website updates are delayed increases the risk."

Cross-site scripting (XSS) was the most common vulnerability class, followed by SQL injection, cross-site request forgery (CSRF), information disclosure, and arbitrary file upload (as shown in the figure below).
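To make the top three classes concrete, the following is an added example (not code from the Patchstack report or from any real plugin) showing, for a hypothetical WordPress plugin, the vulnerable pattern beside the hardened version that uses WordPress's own APIs. The table name `demo_entries`, the `demo_*` function and action names, and the `manage_options` capability choice are assumptions for illustration; the WordPress functions called (`esc_attr`, `$wpdb->prepare`, `check_admin_referer`, `wp_nonce_field`, and so on) are real core APIs and the code expects to run inside a WordPress install.

```php
<?php
// Added example, not from the Patchstack report: the three most common
// WordPress plugin flaw classes, each as vulnerable code beside its fix.
// Assumes a WordPress runtime ($wpdb, esc_attr, check_admin_referer, ...).
// Table, function and hook names are illustrative.

// 1. Reflected XSS: request input echoed into markup unescaped.
function demo_search_box_vulnerable() {
    // $_GET['q'] lands in the page verbatim, so "><script>... in the URL runs.
    echo '<input name="q" value="' . $_GET['q'] . '">';
}
function demo_search_box_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // esc_attr() encodes quotes and angle brackets for an attribute context;
    // use esc_html() for text nodes and esc_url() for href/src values.
    echo '<input name="q" value="' . esc_attr( $q ) . '">';
}

// 2. SQL injection: input interpolated straight into the query string.
function demo_get_entry_vulnerable( $id ) {
    global $wpdb;
    // An $id of "1 OR 1=1" (or a UNION SELECT) rewrites the query.
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}demo_entries WHERE id = $id" );
}
function demo_get_entry_hardened( $id ) {
    global $wpdb;
    // $wpdb->prepare() binds the value; the %d placeholder also casts it to int.
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}demo_entries WHERE id = %d", $id )
    );
}

// 3. CSRF (and a missing authorization check): a state-changing admin-post
// handler with no nonce verification and no capability check.
add_action( 'admin_post_demo_delete_vulnerable', function () {
    global $wpdb;
    // Any logged-in user lured to a third-party page that auto-submits this
    // form deletes whatever id the attacker chose.
    $wpdb->delete( $wpdb->prefix . 'demo_entries', array( 'id' => (int) $_POST['id'] ) );
    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
} );
add_action( 'admin_post_demo_delete_hardened', function () {
    global $wpdb;
    // check_admin_referer() dies unless the request carries a valid nonce for
    // this action; current_user_can() separately enforces authorization,
    // because a nonce proves intent, not privilege.
    check_admin_referer( 'demo_delete_entry' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $wpdb->delete(
        $wpdb->prefix . 'demo_entries',
        array( 'id' => absint( $_POST['id'] ) ),
        array( '%d' )
    );
    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
} );

// The form that posts to the hardened handler must emit the matching nonce.
function demo_delete_form( $id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_delete_hardened">';
    echo '<input type="hidden" name="id" value="' . absint( $id ) . '">';
    wp_nonce_field( 'demo_delete_entry' );
    submit_button( 'Delete' );
    echo '</form>';
}
```

The three fixes are independent: output escaping at the point of echo, parameter binding at the point of query, and nonce plus capability checks at the point of state change. A plugin that does only one of them is still counted in one of the other two columns of the report's chart.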

Patchstack added that, judging by the reports submitted through its bug bounty program so far this year, the number of vulnerabilities discovered appears to be higher than in 2020.