Plugins And Themes Responsible For 96% Of WordPress Security 2020 Vulnerabilities

Published 20 April 2021
Updated 12 July 2023
Table of Contents

WordPress is the most popular content management system in the world. Just recently, it reached a milestone of powering 41% of the websites on the whole web.

With such a scale, security is increasingly important. For that reason, we did an in-depth analysis of all security vulnerabilities discovered in WordPress core, plugins, and themes in 2020.

You can find a download link to the full whitepaper PDF at the bottom of the article!

582 security vulnerabilities found in 2020

Just in 2020 alone, the data of the Patchstack Database reveals that 582 unique security vulnerabilities were found in total. These vulnerabilities affected WordPress core and third-party plugins and themes.

The most common vulnerabilities are Cross-Site Scripting which accounts for more than 36.2% of the total unique vulnerabilities found in 2020.

SQL Injection counts for 9.1% of the vulnerabilities and Cross-Site Request Forgery comes third with 6.5% of vulnerabilities.

96.22% of vulnerabilities originate from third-party code

WordPress Plugin Vulnerabilities

Only 22 vulnerabilities in 2020 were found in WordPress core. Every other vulnerability was either found in a third-party plugin or in a theme.

While 82 unique vulnerabilities were found in WordPress themes a whopping 478 security issues were found in plugins.

What makes matters worse is that many popular plugins have millions of active installations and the numbers aren’t pretty when we look at how many websites are affected by the vulnerable plugins.

The security vulnerabilities which were found in plugins and themes had a total active installation count of 70 million.

Read the full whitepaper with complete data and statistics


WordPress Security Whitepaper 2020

The latest in Patchstack news

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu