All of the vulnerabilities reported in WordPress Core in 2021 came in through this vulnerability disclosure program, which sets out clear rules and expectations for everyone involved.
Patchstack encourages all developers, including small open-source developers, to have a public vulnerability disclosure policy. You don’t need to pay big bug bounties to have one, and a vulnerability disclosure policy is exactly where you can state that you don’t offer any bounties on security bugs at all.
Public vulnerability disclosure policies are about setting expectations. A policy states who is responsible for reviewing security reports for the project and how to contact them; many policies also spell out bug bounty details, including whether any bounty is offered at all.
There has been a 150% increase in vulnerabilities found compared to 2020. Nearly 1,500 new vulnerabilities were added to the Patchstack database in 2021. These vulnerabilities were in WordPress plugins, themes, and WordPress core.
In 2020 we saw almost 600 vulnerabilities. Comparing these figures, it is evident that 2021 was an exceptional year for vulnerability disclosures in the WordPress ecosystem.
As the primary source for WordPress plugins and themes, the WordPress.org repository accounts for by far the largest share: vulnerabilities in components hosted there represented 91.79% of the vulnerabilities added to the Patchstack database.
The remaining 8.21% of the vulnerabilities reported in 2021 were in premium or paid plugins and themes sold through other marketplaces (e.g., Envato's ThemeForest and CodeCanyon) or made available for direct download only.
Plesk’s WP Toolkit can regularly scan active plugins, themes, and the installed WordPress version against known vulnerabilities, using the information provided by our partners at Patchstack. First, some figures that show why this matters:
WordPress is used on about 43% of all sites on the internet, and on about 65% of sites built on a CMS (content management system). These figures keep growing, which makes WordPress an ever bigger target for attackers every day. Case in point:
- Increase in cybercrime by 600% due to the COVID-19 pandemic
- 60% of data breach victims said they were breached through a known vulnerability for which a patch was available but had not been applied
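To show what the kind of scan described above actually has to get right, here is an added example of matching a site's installed components against a vulnerability feed. It is not Plesk WP Toolkit or Patchstack code: the inventory is shaped like the JSON that `wp plugin list --format=json` prints, while the feed layout (`slug`, `type`, `affected_from`, `fixed_in`) and every slug and version in it are constructed assumptions, not Patchstack's real schema or real advisories. The point it makes is that plugin versions are not reliable semver, so `3.10` must be compared as components (greater than `3.9`), not as a string, and that an advisory with no fixed release needs a different action than "update".

```python
"""Check a WordPress site's installed plugins and themes against a feed of
known vulnerabilities, the way a toolkit scan does.

Added example, not Plesk WP Toolkit or Patchstack code. The inventory mimics
`wp plugin list --format=json` / `wp theme list --format=json` output; the
feed schema is a constructed assumption, and all slugs, versions and
advisories below are made up for illustration.
"""
import json
import re

# Constructed inventory (what wp-cli prints), tagged with a component type.
INVENTORY_JSON = """[
  {"type": "plugin", "name": "example-forms",   "status": "active",   "version": "2.4.1"},
  {"type": "plugin", "name": "example-gallery", "status": "inactive", "version": "1.0.9"},
  {"type": "plugin", "name": "example-seo",     "status": "active",   "version": "3.10"},
  {"type": "plugin", "name": "example-backup",  "status": "active",   "version": "1.2.0.3"},
  {"type": "theme",  "name": "example-theme",   "status": "active",   "version": "1.4"}
]"""

# Constructed advisory feed (assumed layout, not Patchstack's API).
# affected_from is inclusive; fixed_in is the first safe version (exclusive);
# fixed_in = None means no patched release exists yet.
FEED = [
    {"slug": "example-forms",   "type": "plugin", "affected_from": "0",   "fixed_in": "2.4.2"},
    {"slug": "example-gallery", "type": "plugin", "affected_from": "0",   "fixed_in": "1.1"},
    {"slug": "example-seo",     "type": "plugin", "affected_from": "0",   "fixed_in": "3.9"},
    {"slug": "example-backup",  "type": "plugin", "affected_from": "1.2", "fixed_in": None},
    {"slug": "example-theme",   "type": "theme",  "affected_from": "1.0", "fixed_in": "1.4"},
    # Same slug as a plugin above but a different component type: must not match it.
    {"slug": "example-seo",     "type": "theme",  "affected_from": "0",   "fixed_in": "9.9"},
]


def parse_version(version):
    """Turn '3.10', '1.2.0.3' or '2.0-beta1' into a comparable tuple of ints.

    Plugin versions are not always semver, so compare component-wise as
    integers (3.10 > 3.9) and drop trailing zeros (1.2 == 1.2.0). Anything
    after '-' (pre-release tags) is ignored in this example.
    """
    numeric = version.split("-")[0]
    parts = [int(p) for p in re.findall(r"\d+", numeric)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed, advisory):
    """True if the installed version falls inside the advisory's range."""
    v = parse_version(installed)
    if v < parse_version(advisory["affected_from"]):
        return False
    fixed = advisory["fixed_in"]
    return fixed is None or v < parse_version(fixed)


def scan(inventory, feed):
    """Return one finding per (component, advisory) match, in inventory order."""
    findings = []
    for component in inventory:
        for adv in feed:
            if adv["slug"] != component["name"] or adv["type"] != component["type"]:
                continue
            if not is_affected(component["version"], adv):
                continue
            findings.append({
                "name": component["name"],
                "type": component["type"],
                "status": component["status"],
                "installed": component["version"],
                "fixed_in": adv["fixed_in"],
                "action": (f"update to {adv['fixed_in']}" if adv["fixed_in"]
                           else "no fix released: deactivate and remove"),
            })
    return findings


def scan_site(inventory_json=INVENTORY_JSON, feed=FEED):
    """Parse the wp-cli style inventory and run it against the feed."""
    return scan(json.loads(inventory_json), feed)


if __name__ == "__main__":
    for f in scan_site():
        print(f"{f['type']}:{f['name']} {f['installed']} ({f['status']}) -> {f['action']}")
```

Run as-is, the example flags `example-forms` and `example-backup` (active) and `example-gallery` (inactive). The inactive plugin is reported on purpose: its files remain on disk and web-reachable until it is removed, so a scan limited to active components would miss it. `example-seo` at `3.10` is correctly treated as patched (the fix shipped in `3.9`), which a plain string comparison would get wrong.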