WordPress plugins and themes vulnerabilities statistics for 2017 year

WordPress plugins and themes vulnerabilities statistics for 2017

Pierluigi Paganini January 23, 2018

WordPress plugins and themes vulnerabilities statistics for 2017. The statistics were derived from our up-to-date WordPress Vulnerabilities Database. We are monitoring a large number of sources to add new vulnerabilities to the database on a daily basis.

The year in figures

We added 221 vulnerabilities to our database. The total number of vulnerabilities decreased by 69%. During 2017, just like in 2016, Cross-Site Scripting (XSS) has been at the top of the list. More and more WordPress plugins and themes are found to be vulnerable to Cross-Site Scripting (XSS) vulnerability. This is because many developers do not pay enough attention to escaping data output.

Overall statistics for 2017

2017 has also seen a substantial rise in SQL Injection vulnerabilities. It’s surprising how many sites were put in danger by vulnerabilities found in WordPress plugins. The total number of active installs is 17,101,300+.

Total vulnerable plugins – 202
Total vulnerable themes – 5
Plugins affected by vulnerabilities in WordPress.org repository – 153
Non-WordPress.org repository plugins affected by vulnerabilities – 24

WordPress top 3 vulnerabilities

Cross-Site Scripting (XSS)
SQL Injection (SQLi)
Broken Access Control

Plugins by vulnerability type

XSS (Cross-Site Scripting) – 71
SQL Injection – 40
Unrestricted Access – 20
Cross Site Request Forgery (CSRF) – 12
Multi – 10
Information Disclosure – 10
Arbitrary File Upload – 7
BYPASS – 7
Arbitrary File Download – 7
PHP Object Injection – 5
Remote File Inclusion – 3
Local File Inclusion – 3
Arbitrary Code Execution – 2
Direct static code injection – 1
Directory Traversal – 1

Top 5 most popular plugins affected by vulnerabilities in 2017

Yoast SEO (most popular SEO plugin) – 5,000,000+ – XSS (Cross-site Scripting)
WooCommerce (most popular ecommerce plugin) – 3,000,000+ – XSS (Cross-site Scripting)
Smush Image Compression and Optimization – 1,000,000+ – Directory Traversal
Duplicator – 1,000,000+ – XSS (Cross-site Scripting)
Loginizer – 600,000+ – SQL Injection

Some interesting facts?

WordPress released 8 security updates in 2017 year.
The total number of vulnerabilities in the ThreatPress vulnerabilities database is 3321
First vulnerability discovered in 2005-02-20

About the Author: Dominykas Gelucevičius

Security Researcher, Web Developer and Blogger. He is a technology enthusiast with a keen eye for the cybersecurity and other tech-related developments.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – WordPress plugins, statistics)

[adrotate banner=”5″]

[adrotate banner=”13″]

2017 Hacking Pierluigi Paganini plugins Security Affairs themes Wordpress XSS

Pierluigi Paganini July 22, 2025

Cisco confirms active exploitation of ISE and ISE-PIC flaws

Pierluigi Paganini July 22, 2025