Patchstack, a WordPress security maintenance and management tool, has published its “State of WordPress Security” whitepaper for 2022, tracking a few key metrics on publicly reported vulnerabilities.

The findings highlight the risk of using unmaintained themes and plugins along with developers’ need to keep pace with updates to libraries and dependencies included in their work. Patchstack is tracking a significant increase in vulnerabilities reported in 2022:

In 2022 we saw 328% more security bugs reported in WordPress plugins – we added 4,528 confirmed security bugs to our database, compared to 1,382 in 2021.

Similar to previous years, the majority of these security bugs were found in plugins (93%), followed by themes (6.7%), and WordPress core (0.6%).

These numbers were sourced from public data from Patchstack and other security companies and researchers in the WordPress ecosystem. The total number of vulnerabilities comes from the three official CNAs in the WordPress space that are authorized to assign CVE IDs to new security vulnerabilities and to whom researchers report issues. These include Patchstack, Automattic (WPscan) and WordFence. Patchstack CEO Oliver Sild said some of the vulnerabilities were also independently published elsewhere or reported directly to MITRE.

The report emphasized that the increase in the number of vulnerabilities reported means that ecosystem is becoming more secure as the result of more security issues being found and patched.

Another small improvement over last year is the percentage of critical security bugs that never received a patch. In 2022, that number was 26% versus 29% in 2021. Critical vulnerabilities were better addressed this year but Sild said so far it’s not a significant change that they would connect with any trend yet.

“We still think it shows a big problem, which is that some plugins are unsupported or abandoned and do not receive timely patches,” he said.

Solving the problem of developers abandoning their work is challenging, and many users have no idea how to select plugins that are more likely to be supported.

“I think it’s important to be transparent,” Sild said. “It is also okay that projects come to an end. I just recently told my colleague that ‘when someone builds a new plugin, they should keep in mind that someone might actually use it.’ It kind of stuck with me, because even if the plugin developer has moved on and is not working on the project anymore, there still might be people who rely on it.”

Sild said users often get left in the dark because WordPress core only shows if an update is available. If a plugin gets closed by WordPress.org due to an unpatched security issue, users don’t get notified.

“It’s something we try to improve together with our partners such as other security plugins and hosting companies,” he said. “Communication is key. We recently also created a free service for plugin developers called ‘managed vulnerability disclosure program’ shortly mVDP. The goal is to help plugin developers adopt more mature security practices and show users that they take security seriously.”

Other notable insights from the whitepaper include a breakdown of WordPress security bugs by severity. In 2022, the majority of vulnerabilities (84%) were classified as Medium severity, with a smaller percentage of High severity (11%) and Critical (2%).

Of the most popular plugins (over 1 million installs) that had security issues, only five contained high severity bugs. The two with the highest CVSS score vulnerabilities were Elementor and Essential Add-ons for Elementor, followed by UpdraftPlus WordPress Backup, One Click Demo Import, and MonsterInsights.

The whitepaper highlights a few other trends, including hosting companies alerting their customers to vulnerabilities, the growth of the security research community, and increased security awareness within the WordPress ecosystem. For more details on the state of WordPress security in 2022 and predictions for this year, check out the whitepaper on Patchstack’s website.