WordPress Vulnerabilities Up 30 Percent in 2018

Despite fewer plugins being added to WordPress in 2017, the CMS platform experienced an increase in vulnerabilities in 2018.

In 2018, vulnerabilities in the popular content management system (CMS) WordPress increased by 30 percent, according to new research on web application bugs published on Wednesday.

Researchers at Imperva reported that they continued to observe an upward trend in web application bugs in 2018. The number of new web application vulnerabilities published in 2018 (14,082) was 21 percent higher than in 2017.

Worse, according to Imperva’s data, more than half of these web application vulnerabilities have a public exploit available to hackers, and a third of web application vulnerabilities do not even have a workaround or patch.

The most prevalent injection-related vulnerabilities include SQL injection, command injection, and object injection. Injection vulnerabilities comprised 19 percent of all web application vulnerabilities in 2018. In the same year, malicious actors employed new stealthy code-injection techniques to embed malware variants such as Trickbot and TurnedUp within infected systems.

Cross-site scripting vulnerabilities appear to be the second most prevalent vulnerability, with a 14 percent prevalence rate – doubling since 2017.

WordPress vulnerabilities increased by 30 percent from the previous year, and they continue to dominate the CMS category in terms of the number of vulnerabilities published.

While it may come as no surprise that WordPress is a target for hackers due to its popularity – the CMS is used by 59 percent of all websites using a known content management system – interestingly, the increase in security issues has occurred despite a 3 percent decrease in the number of new plugins added to the suite in 2018.

Almost all (98 percent) WordPress vulnerabilities are related to plugins that extend a website or blog’s functionality and features. Event Calendar, Ultimate Member, Coming Soon Page, Ninja Forms, and Duplicator Pro are among the top 10 plugins that are susceptible to attack.

Researchers stated, “Anyone can create a plugin and publish it because WordPress is open source, easy to manage, and there is no enforcement or proper process that mandates minimum security standards (such as code analysis).” As a result, WordPress plugins are prone to security flaws. In 2018, WordPress patched a variety of these vulnerabilities, including a critical privilege-escalation flaw that could allow an attacker to inject malware, place advertisements, and load custom code on a vulnerable website, and two “medium” vulnerabilities in its tooltips plugin.

In December, it was discovered that WordPress websites were the target of a series of attacks connected to a 20,000-strong army of infected WordPress websites.

Less than a week after the release of version 5.0, WordPress 5.0 users were urged to update their CMS software to fix several critical bugs.

While WordPress leads the pack in terms of sheer attack volume, Drupal vulnerabilities had a significant impact in 2018 and were used in attacks that targeted hundreds of thousands of websites. Most notably, an infamous, critical Drupal bug dubbed Drupalgeddon 2.0 impacted an estimated million-plus websites running the CMS last year (despite a patch having been released).

The WordPress owner, Automattic, did not immediately respond to Threatpost’s request for comment.

There is some good news on the vulnerability front: The number of Internet of Things (IoT) vulnerabilities and vulnerabilities related to weak authentication decreased in 2018. Likewise, the number of PHP vulnerabilities decreased, while the growth of API vulnerabilities slowed slightly.

“Despite the widespread belief that all of our electronic devices can be compromised easily, it appears that something has changed in this area,” said Imperva researchers. “Possible explanations include the fact that IoT vendors have finally begun to implement better security in IoT devices, or that hackers and researchers shifted their focus in 2018 to another area.”

This article was updated on January 14 at 4:00 p.m. EST to reflect new statistics about WordPress vulnerabilities based on Imperva’s report, due to a discrepancy with the initial report’s statistics. Some 2017 figures were incorrectly reported due to a data transfer error; this version of the blog has been updated. This error did not affect our 2018 statistics or conclusions, as stated by Imperva.
