
2240 WordPress vulnerabilities reported in 2021; 77% are still exploitable

The number of known vulnerabilities in third-party WordPress plugins climbed sharply by the end of 2021, reaching 10,359 in total; 2240 of those were disclosed in 2021 alone, an increase of about 142% compared to 2020. Worse, 77% of these vulnerabilities are known to have public exploits.

Researchers at RiskBased Security put the average CVSSv2 score for all WordPress plugin vulnerabilities at 5.5. While most current vulnerability management (VM) frameworks would treat that as a ‘moderate’ score, RiskBased Security observed a disconnect between conventional VM practices, which rank work by severity, and the real impact these vulnerabilities can have.

Figure: 73% of all WordPress plugin vulnerabilities are remotely exploitable | Source: RiskBased Security

Of all the vulnerabilities reported so far, 7592 are remotely exploitable, 7993 have known public exploits, and 4797 have a public exploit but no CVE ID assigned yet.

Right under the radar

These numbers are especially worrying for organisations that rely solely on CVE IDs or the NVD, since they will be unaware of about 60% of the issues that have known public exploits.

According to the researchers, the right response to this threat is a fundamental shift away from ranking work by how critical a risk might be to an organisation and towards concentrating on the issues that are most easily exploitable.

Figure: A significant number of vulnerabilities don’t have a CVE ID yet | Source: RiskBased Security

The report further advises that security professionals start with vulnerabilities that are remotely exploitable, have a publicly known exploit and also have a known solution. Among these, issues in plugins that affect important site assets should be fixed first. This protects organisations against the most likely attacks while saving time, since a solution that can be implemented is already available.

Organisations would be better off relying on a timely, detailed source of vulnerability intelligence that covers all known issues in IT, OT, IoT and other third-party libraries and dependencies, including those without a CVE ID. This approach will prove more effective than traditional Vulnerability Management (VM) models that rank work by severity alone.
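The triage rule the report recommends, as an added example that is not part of the original article or of RiskBased Security's tooling: a small inventory of constructed plugin vulnerability records (plugin names, scores and placeholder CVE IDs are made up) is ordered by exploitability and asset importance rather than by CVSS, and the share of exploitable issues a CVE-only feed would miss is computed.

```python
# Added example: triaging WordPress plugin vulnerability records the way the
# report recommends (exploitability and fix availability first, severity last).
# All records and field names below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PluginVuln:
    plugin: str
    cvss: float                 # CVSSv2 base score, the scale the report uses
    remote: bool                # remotely exploitable
    public_exploit: bool        # a working exploit is publicly available
    fix_available: bool         # a patched version or workaround exists
    critical_asset: bool        # the plugin runs on an important site
    cve: Optional[str] = None   # None when no CVE ID has been assigned


# Constructed sample inventory; CVE values are placeholders, not real IDs.
SAMPLE = [
    PluginVuln("forms-addon", 5.0, True,  True,  True,  True,  None),
    PluginVuln("seo-helper",  9.3, False, False, True,  True,  "CVE-PLACEHOLDER-1"),
    PluginVuln("gallery-x",   6.5, True,  True,  False, False, None),
    PluginVuln("cache-lite",  4.3, True,  True,  True,  False, "CVE-PLACEHOLDER-2"),
    PluginVuln("old-widget",  7.5, True,  False, True,  False, "CVE-PLACEHOLDER-3"),
]


def actionable(v: PluginVuln) -> bool:
    """The report's 'fix first' set: remote, public exploit, and a known solution."""
    return v.remote and v.public_exploit and v.fix_available


def prioritize(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Order work: actionable issues first (critical assets ahead of the rest),
    then everything else. CVSS only breaks ties; it never outranks exploitability."""
    return sorted(vulns, key=lambda v: (not actionable(v), not v.critical_asset, -v.cvss))


def cve_blind_spot(vulns: List[PluginVuln]) -> float:
    """Fraction of publicly exploitable issues that a CVE-only feed would never show."""
    exploitable = [v for v in vulns if v.public_exploit]
    if not exploitable:
        return 0.0
    return sum(1 for v in exploitable if v.cve is None) / len(exploitable)


if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.plugin:12} cvss={v.cvss} actionable={actionable(v)} cve={v.cve}")
    print(f"exploitable issues with no CVE ID: {cve_blind_spot(SAMPLE):.0%}")
```

Note that seo-helper, the highest-CVSS record, is ranked below two lower-scored but actively exploitable issues, which is exactly the reordering the report argues for.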
