Study reveals vulnerabilities in top 50 popular WordPress plugins

WordPress is the most popular blogging platform in use today. It powers more than 60 million websites and 18% of the Web. What makes it even better is the sheer number of plugins which improve upon its functionality and add to its features. A recent study examined the security state of the 50 most popular WordPress plugins and exposed vulnerabilities in some of them.

A study by Checkmarx has revealed that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Moreover, 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. As a result, vulnerable WordPress plugins have been downloaded more than 8 million times.

The findings in bullet form are:

  • 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. These plugins are vulnerable to: SQL Injection (SQLi), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Path Traversal (PT).
  • 7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks. This amounts to more than 1.7 million downloads of vulnerable e-commerce plugins. These plugins are vulnerable to SQLi, XSS, CSRF, RFI/LFI and PT.
  • There is no correlation between the number of Lines of Code (LOC) and the vulnerability level of the plugins.
  • Only six plugins were completely fixed within a six-month period, although all plugins released new versions during this time.
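The four weakness classes the study found in plugins (SQLi, XSS, CSRF and path traversal) each map to a specific WordPress API control. The following is an added example, not code from the report or from any of the plugins studied; it is a constructed AJAX handler for a hypothetical "notes" plugin, with the table name, action name and upload sub-directory all assumed.

```php
<?php
/*
Plugin Name: Hardened Notes (constructed example)
*/
// Constructed example: one AJAX handler showing the WordPress control for each
// of the four weakness classes named in the study. The "notes" table, the
// "hn_save_note" action and the "hn-notes" upload directory are assumptions.

add_action( 'wp_ajax_hn_save_note', 'hn_save_note' );

function hn_save_note() {
    global $wpdb;

    // CSRF: reject requests that do not carry a nonce issued for this action.
    check_ajax_referer( 'hn_save_note', 'nonce' );

    // A nonce is not an authorization check, so verify the capability as well.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    // SQLi: never interpolate request data into SQL; bind it with $wpdb->prepare().
    // The vulnerable form this replaces is "... WHERE id = {$_POST['id']}".
    $table = $wpdb->prefix . 'notes';
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE id = %d", $id )
    );

    // Path traversal: build the file name from the integer id, never from
    // user-supplied path text, and confirm the resolved path stays in the directory.
    $dir      = trailingslashit( wp_upload_dir()['basedir'] ) . 'hn-notes/';
    $base     = realpath( $dir );
    $path     = realpath( $dir . $id . '.txt' );
    if ( false === $base || false === $path || 0 !== strpos( $path, $base ) ) {
        wp_send_json_error( 'invalid note', 400 );
    }

    // XSS: escape at output, for the HTML context the values land in.
    printf(
        '<h3>%s</h3><pre>%s</pre>',
        esc_html( $row ? $row->title : $title ),
        esc_html( (string) file_get_contents( $path ) )
    );
    wp_die();
}
```

The matching JavaScript must send a nonce created with wp_create_nonce( 'hn_save_note' ) in the `nonce` field, or check_ajax_referer() terminates the request.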

This is quite an alarming situation, states the study. Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details. Other vulnerabilities allow hackers to deface the sites or redirect visitors to another attacker-controlled site. Hackers can also take control of the vulnerable sites and make them part of a botnet.

The report concludes with recommendations for webmasters and bloggers, which include:

  1. Download plugins only from the official WordPress website.
  2. Scan the plugins for security issues.
  3. Ensure all your plugins are up to date.
  4. Remove any unused plugins.

The full report is titled The Security State of WordPress’ Top 50 Plugins and is available for download.

Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. He enjoys following and reporting Microsoft news and developments in the world of Personal Computing & Social Media.
