Security maintenance and management tool Patchstack has published its “State of WordPress Security” white paper for 2022. It highlights the risk of running unmaintained themes and plugins.
In 2022, Patchstack added 4,528 confirmed security bugs to its database, compared with 1,382 in 2021, that is 328% of the previous year's count, or roughly 3.3 times as many. Plugins alone account for the large majority of these bugs, at 93%.
The WordPress ecosystem continues to improve security
The report points out that the rise in reported vulnerabilities is, on balance, good news: it means that a greater number of flaws in the WordPress ecosystem are being found and fixed, not necessarily that more are being introduced.

A medium-severity vulnerability is a flaw that can still expose data or functionality to an attacker, but only under limiting conditions, for example with an authenticated account or user interaction, or with a limited impact. Less urgent than a high or critical vulnerability, it nevertheless warrants prompt patching to keep the risk low.

These figures come from public data from Patchstack, Automattic (WPScan) and Wordfence, the three CNAs (CVE Numbering Authorities) in the WordPress space authorized to assign CVE (Common Vulnerabilities and Exposures) identifiers to new security vulnerabilities.
Another improvement concerns the critical security bugs that never received a patch: their share fell from 29% in 2021 to 26% in 2022.
Patchstack CEO Oliver Sild commented: “We still think this points to a big problem, which is that some plugins are unsupported or abandoned and not receiving timely patches.”
What about abandoned plugins?
Solving the problem of developers abandoning their work is a real challenge. While it is normal for a project to come to an end, the developer should bear in mind that some people will continue to use the fruits of their labor.
The problem is that users are mostly left in the dark. WordPress announces available updates in the dashboard, but when WordPress.org closes a plugin because of an unpatched security issue, existing installations keep running that plugin and site owners are not told.
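One way to close that information gap is to check every installed plugin slug against the public WordPress.org plugin information API, which reports closed plugins and the date of the last release. The script below is an added example, not code from Patchstack or from the white paper. It assumes the response shape of `https://api.wordpress.org/plugins/info/1.2/` (`closed`, `closed_date`, `reason_text`, `last_updated`, `tested`), and the three responses it checks are constructed sample data, not real plugins; the live `fetch_plugin_info()` helper is provided for use against a real site but is not exercised offline.

```python
"""Flag installed WordPress plugins that are closed on WordPress.org or look unmaintained."""
import json
from datetime import date, timedelta
from urllib.parse import urlencode
from urllib.request import urlopen

API_URL = "https://api.wordpress.org/plugins/info/1.2/"
STALE_AFTER = timedelta(days=365)   # policy choice: a year without a release is "stale"


def fetch_plugin_info(slug):
    """Live lookup of one plugin (not used by the offline demo below)."""
    query = urlencode({"action": "plugin_information", "request[slug]": slug})
    with urlopen(f"{API_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


def _minor(version):
    """'6.4.3' -> (6, 4); empty or non-numeric strings sort lowest."""
    parts = []
    for piece in str(version).split(".")[:2]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def assess(info, today, wp_version):
    """Return a list of findings for one plugin_information response (assumed API shape)."""
    findings = []
    if info.get("closed") or info.get("error") == "closed":
        reason = info.get("reason_text") or info.get("reason") or "no reason given"
        findings.append(f"closed on WordPress.org (since {info.get('closed_date', '?')}): {reason}")
        return findings                      # a closed plugin will never update itself again
    if info.get("error"):
        findings.append(f"not in directory: {info['error']}")
        return findings
    last = info.get("last_updated", "")[:10]  # API value looks like '2023-01-05 3:21pm GMT'
    try:
        age = today - date.fromisoformat(last)
        if age > STALE_AFTER:
            findings.append(f"no release for {age.days} days (last {last})")
    except ValueError:
        findings.append("last_updated missing or unparseable")
    tested = info.get("tested") or ""
    if _minor(tested) < _minor(wp_version):
        findings.append(f"tested up to {tested or 'unknown'}, site runs {wp_version}")
    return findings


def report(responses, today, wp_version):
    """Map each slug to its findings; an empty list means nothing suspicious."""
    return {slug: assess(info, today, wp_version) for slug, info in responses.items()}


# Constructed sample responses (not real plugins), mimicking the assumed API shape.
SAMPLE_RESPONSES = {
    "healthy-plugin": {"slug": "healthy-plugin", "version": "2.1.0",
                       "last_updated": "2023-02-10 9:14am GMT", "tested": "6.1.1"},
    "stale-plugin": {"slug": "stale-plugin", "version": "1.0.3",
                     "last_updated": "2019-06-30 4:02pm GMT", "tested": "5.2"},
    "closed-plugin": {"error": "closed", "slug": "closed-plugin", "closed": True,
                      "closed_date": "2022-11-15", "reason": "security-issue",
                      "reason_text": "Security Issue"},
}
DEMO_TODAY = date(2023, 3, 1)
DEMO_WP_VERSION = "6.1.1"


def demo():
    return report(SAMPLE_RESPONSES, DEMO_TODAY, DEMO_WP_VERSION)


if __name__ == "__main__":
    for slug, findings in demo().items():
        print(slug, "->", findings or "ok")
```

On a real site, feed `report()` with `{slug: fetch_plugin_info(slug)}` for the slugs listed by `wp plugin list`, and treat any "closed" finding as a removal task rather than a wait-for-update item, since nothing will arrive through the normal update channel.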
Critical flaws among the most popular plugins too
Critical bugs also turn up in the most popular plugins (over a million active installations). Even though the developers of these plugins tend to fix flaws quickly, a fix only protects a site once it is installed, so remain vigilant and update your plugins regularly.

What about solutions?
“This is something we’re trying to improve with our partners such as other security plugins and hosting companies,” says Oliver Sild, adding: “Communication is key. We recently created a free service for plugin developers called Managed Vulnerability Disclosure Program (mVDP).”
The aim of this service is to help plugin developers mature their security practices, and to let them demonstrate that commitment to their users.
The breakdown of security bugs by severity is also instructive. In 2022, 84% of vulnerabilities were rated medium severity, 11% high severity, and only 2% fell into the most problematic category, critical.
Always take care when choosing your plugins, and don’t forget to keep up to date!