
2240 WordPress vulnerabilities reported in 2021; 77% are still exploitable


WordPress third-party plugin vulnerabilities shot up significantly by the end of 2021, reaching 10,359 in total, of which 2240 were disclosed in 2021 alone, an increase of about 142% compared to 2020. Worse, 77% of these vulnerabilities are known to have public exploits.

Researchers at RiskBased Security put the average CVSSv2 score for all WordPress plugin vulnerabilities at 5.5. While most current vulnerability management (VM) frameworks would treat that as a 'moderate' score, RiskBased Security observed a disconnect between conventional VM practice and the impact these vulnerabilities can actually have.

Figure: 73% of all WordPress plugin vulnerabilities are remotely exploitable | Source: RiskBased Security

Out of all the currently reported vulnerabilities, 7592 are remotely exploitable, 7993 have known public exploits, and 4797 have a public exploit with no CVE ID assigned yet. 



Right under the radar

These numbers are especially worrying for organisations that rely on CVE IDs or the NVD, since they will be unaware of about 60% of the issues that have known public exploits.

According to the researchers, the right response to this threat is a fundamental shift away from focussing on how critical a risk might be to an organisation and towards concentrating on the most easily exploitable issues.

Figure: A significant number of vulnerabilities don't have a CVE ID yet | Source: RiskBased Security

The report further adds that security professionals should start with vulnerabilities that are remotely exploitable, have a publicly known exploit and have a known solution. Where the affected plugin runs on important site assets, those vulnerabilities should be fixed first. This protects organisations against the most likely attacks while saving time, since workable fixes are already available.

Organisations would be better off relying on a timely, detailed source of vulnerability intelligence that covers all known issues in IT, OT, IoT and other third-party libraries and dependencies. This approach will prove more effective than traditional Vulnerability Management (VM) models based on severity. 
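To make the prioritisation the report describes concrete, here is an added example (not code from RiskBased Security or from the article) that ranks a constructed set of plugin vulnerability records by exploitability rather than by CVSS score, and flags the records a CVE-keyed feed would never surface. The record fields, plugin names and CVE-style placeholders are all assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PluginVuln:
    plugin: str
    cvss: float                   # CVSSv2 base score as reported
    remote: bool                  # remotely exploitable
    public_exploit: bool          # public exploit code exists
    has_fix: bool                 # a fixed plugin version is available
    critical_asset: bool          # plugin runs on an important site asset
    cve_id: Optional[str] = None  # None when no CVE ID has been assigned


def exploitability_rank(v: PluginVuln) -> tuple:
    """Ordering key following the report's guidance: remotely exploitable,
    publicly exploitable and fixable issues first, those on important assets
    ahead of the rest, and CVSS only as the final tie-breaker."""
    return (v.remote, v.public_exploit, v.has_fix, v.critical_asset, v.cvss)


def prioritise(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Exploitability-first queue: highest-ranked issues come first."""
    return sorted(vulns, key=exploitability_rank, reverse=True)


def by_severity(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Conventional severity-first queue, for comparison."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def missed_by_cve_feed(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Issues with a public exploit but no CVE ID: invisible to a feed that
    only ingests CVE-identified vulnerabilities."""
    return [v for v in vulns if v.public_exploit and v.cve_id is None]


# Constructed sample records (not taken from the report); CVE values are placeholders.
SAMPLE = [
    PluginVuln("forms-plugin", 9.0, True, False, False, True, "CVE-XXXX-PLACEHOLDER-1"),
    PluginVuln("gallery-plugin", 5.5, True, True, True, True, None),
    PluginVuln("seo-plugin", 6.4, False, True, True, False, "CVE-XXXX-PLACEHOLDER-2"),
    PluginVuln("cache-plugin", 4.3, True, True, True, False, None),
]

if __name__ == "__main__":
    print("severity-first:  ", [v.plugin for v in by_severity(SAMPLE)])
    print("exploit-first:   ", [v.plugin for v in prioritise(SAMPLE)])
    print("missing from CVE:", [v.plugin for v in missed_by_cve_feed(SAMPLE)])
```

Run as a script, the two queues disagree on what to patch first: the 5.5-scored gallery plugin with a public exploit and an available fix moves to the top, while the 9.0-scored issue with no exploit and no fix drops to third.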


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
