Risk Based Security researchers revealed a huge increase in WordPress vulnerabilities in 2021 in their latest research.
10,359 vulnerabilities were reported to affect third-party WordPress plugins at the end of 2021. Of those, 2,240 vulnerabilities were disclosed last year, which is a 142% increase compared to 2020.
Most Plugin Vulnerabilities are Exploitable
What is most alarming is that 77% of WordPress plugin vulnerabilities have known public exploits.
- 7,592 WordPress vulnerabilities are remotely exploitable
- 7,993 WordPress vulnerabilities have a public exploit
- 4,797 WordPress vulnerabilities have a public exploit, but no CVE ID
Prioritize Your Patching
Risk Based Security suggests that your organization should prioritize patching of vulnerabilities based on their exploitability: do less “mass patching” and focus on targeted, intelligent, risk-based patching.
Start with vulnerabilities that are remotely exploitable, have a public exploit, and have a known solution. If WordPress plugin issues affect important assets, those vulnerabilities should be triaged first.
This risk-based approach will prove more effective than traditional vulnerability management models based on severity.
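As an added illustration (not from the Risk Based Security report), the triage order described above expressed as a sort key, run over a constructed inventory of plugin findings with hypothetical ids and scores; it shows how the risk-based order differs from a plain CVSS-severity order:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PluginVuln:
    """One WordPress plugin finding (constructed sample fields)."""
    plugin: str
    vuln_id: str            # hypothetical tracking id
    cvss: float             # severity score, used only as a tie-breaker here
    remote: bool            # remotely exploitable
    public_exploit: bool    # a public exploit exists
    has_fix: bool           # a fixed plugin version is available
    critical_asset: bool    # the plugin runs on an important site


def triage_key(v: PluginVuln):
    """Risk-based order: important assets first, then findings that are
    remotely exploitable AND have a public exploit AND have a known fix,
    then each of those criteria on its own, and only then CVSS severity.
    Python sorts ascending, so each boolean is inverted so True ranks first."""
    return (
        not v.critical_asset,
        not (v.remote and v.public_exploit and v.has_fix),
        not v.remote,
        not v.public_exploit,
        not v.has_fix,
        -v.cvss,
    )


def risk_based_order(vulns):
    return [v.vuln_id for v in sorted(vulns, key=triage_key)]


def severity_order(vulns):
    """Traditional model: highest CVSS first, ignoring exploitability."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: -v.cvss)]


# Constructed sample inventory; plugins, ids and scores are illustrative only.
SAMPLE = [
    PluginVuln("forms-plugin",   "V-1", 9.8, remote=True,  public_exploit=False, has_fix=False, critical_asset=False),
    PluginVuln("gallery-plugin", "V-2", 6.5, remote=True,  public_exploit=True,  has_fix=True,  critical_asset=True),
    PluginVuln("seo-plugin",     "V-3", 7.5, remote=True,  public_exploit=True,  has_fix=True,  critical_asset=False),
    PluginVuln("backup-plugin",  "V-4", 8.1, remote=False, public_exploit=True,  has_fix=True,  critical_asset=False),
    PluginVuln("cache-plugin",   "V-5", 5.3, remote=True,  public_exploit=True,  has_fix=False, critical_asset=True),
]

if __name__ == "__main__":
    print("severity order:  ", severity_order(SAMPLE))    # V-1 first (9.8, no exploit, no fix)
    print("risk-based order:", risk_based_order(SAMPLE))  # V-2 first (important asset, exploit + fix)
```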