Patchstack Weekly #62: The Patchstack State of WordPress Security Report

Published 14 March 2023
Updated 24 July 2023
Robert Rowley
Author at Patchstack
Table of Contents

Welcome to the Patchstack Weekly Security Update, Episode 62! This update is for week 11 of 2023.

In this week's knowledge share, I will be sharing a review of Patchstack's annual 'State of WordPress Security' report. This report was just released and is jam-packed with useful insights from the front lines of WordPress security.

I will then cover 3 vulnerabilities of interest in this week's vulnerability roundup. One of these three contained a mystery I am still uncertain about.

2022 WordPress security highlights

The Patchstack team has been hard at work the last few weeks with the 2022 State of WordPress Security report. After a lot of collecting, reviewing, commenting, re-writing, collaborating, and designing, we have finally released the 2022 State of WordPress security paper.

In this week's knowledge share, I will highlight some key facts from this paper.

Plugins lead the way

WordPress plugins still account for the lion's share of patched security bugs in the WordPress ecosystem. This of course makes sense, as they also account for the vast majority of lines of code in the ecosystem.

The good news is the WordPress plugin ecosystem is well supported by their respective developers. The majority of developers Patchstack worked with regarding a security bug, had patches made available in short order. In one case I handled last year, the patch was made available in just a few hours!

2022 was the biggest year in security bug patches

The number of bugs reported, patched and/or addressed in the WordPress ecosystem tripled in 2022 compared to 2021.

This trend is showing the power of collaboration between security researchers and open-source software developers. This cooperation led to thousands of security bugs being patched in the WordPress ecosystem - in other words, this is how vulnerabilities get removed.

Two WordPress core bugs were left unpatched

There were two security bugs in WordPress core (one is in Gutenberg) that were publicly disclosed in 2022, but never received a patch.

Don't worry though - while these bugs went unpatched they present a very low or no risk at all to an average website. This is due to the unlikely conditions needed to be met for exploitation, such as the requirement to break existing browser security models or exploitation and control of the DNS server a website relies on.

Hopefully, patches are merged into the WordPress core project for these bugs. But,there is no need for site owners to panic if they see them pop up in security reports.

The danger of unsupported plugins

Not all unpatched security bugs are acceptable risks though. We identified that 26% of critical severity security bugs in WordPress components went unpatched in 2022. This was due to the plugins that were unsupported or abandoned by their developers.

These plugins will remain active on WordPress websites they were installed on, which will happily display 'no update available' notice in the admin dashboard. The site owners will therefore be in the dark about the risk that exists on their site, unless they have something like the Patchstack App installed to provide them with a warning.

Patchstack Alliance helping out

The Patchstack Alliance handled around 1,000 security bug reports in 2022. Some reports are still pending, but 661 of those resulted in a patch for the bug, and a more secure component (plugin or theme). Unfortunately, 87 components ended up being closed after we escalated the cases to the WordPress plugin repository - these projects have likely been abandoned and are unsupported.

The Patchstack Alliance provided support for the teams and volunteers behind open-source repositories. By handling 80% of the security reports directly with the developers, we did not need to take any of the WordPress volunteers' time. This means less work for the teams managing the respective repositories, so they can focus on other matters.

Looking ahead

We are looking forward to what 2023 brings. With the knowledge the Patchstack team has learned over the years, we have begun offering services to help with any security pain point we spot. From notifying site owners and agencies directly with the Patchstack App, through partnerships with hosting providers that use Patchstack's vulnerability intelligence for pro-active security warnings, as well as helping security researchers prove their skills and sometimes earn bounties through the Patchstack Alliance.

In 2022 we also started the Patchstack mVDP, as a way to help developers handle security bug reports, currently free of charge.

If 2022 predicts anything, I would say 2023 will bring a more secure WordPress ecosystem.

Vulnerability roundup

Woocommerce checkout field manager active installations: 200+

n-media-woocommerce-checkout-fields - Unauthenticated File Upload

Users of the WooCommerce Checkout Field Manager plugin are encouraged to update immediately. The recent release patches a critical risk, an unauthenticated file upload security bug. There are only a few hundred websites running this plugin, however, it looks like only 16% of them have applied this security patch so far.

Watu quiz active installations: 5000+

Watu Quiz - Reflected Cross Site Scripting

Developers of the watu quiz plugin released version to address a Reflected Cross Site Scripting security bug. This update does not include a changelog entry highlighting its importance so it is important you make sure this update is applied.

Postmatic plugin has been closed as of December 9, 2022

Postmatic - PHP Object Injection

The developers for the postmatic plugin, also known as Replyable, patched a PHP Object Injection bug months ago. This bug's information was just publicly released, however, it is a mystery to me why the plugin appears to be listed as closed since December due to an unknown security concern.

Hopefully, the developers of postmatic/replyable are able to get their plugin back in working order soon. In the meantime though, users may want to consider looking for an alternative plugin.

Thanks and appreciation

This week's thanks goes out to the developers of WooCommerce Checkout Field Manager, Watu Quiz, and Postmatic plugins. I see your efforts to keep your customer sites secure.

This week's special thank you goes out to the reporters and writers who have also reviewed and covered Patchstack's 2022 State of WordPress security paper. Authors like Nyasha Green at MasterWP and Dan Knauss of iThemes provided their own summaries and insight of what they learned from this great review of the WordPress security landscape.

If you would like to read the 2022 State of WordPress security paper just go to and click on the banner at the top of the page.

I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!

The latest in Patchstack Weekly

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.