Imperva specialists published a report on threats to web applications and the most popular CMSs (WordPress, Joomla, Drupal, Magento). According to the experts, the number of bugs related to WordPress grew by 300% over 2018, and this is a big problem, because about 30% of all sites in the world run WordPress. In 2018, experts counted 542 vulnerabilities related to WordPress in one way or another. By comparison, the number in 2017 was significantly lower (fewer than 200 for the entire year).
Experts note that fewer vulnerabilities in other platforms does not mean that those platforms were attacked less. For example, it is enough to recall how much of a headache the Drupalgeddon problem alone caused administrators last year.
98% of WordPress-related vulnerabilities were in various plugins, and only 2% of the problems were found in the code of the CMS itself. Let me remind you that there are currently more than 50,000 plugins in the official repository. Imperva researchers emphasize that the root of the problem is that anyone can create and publish their own plugin, because WordPress is an open source platform and security standards are minimal.
As for vulnerabilities in web applications, the situation is also far from positive. In 2018, experts counted about 3300 vulnerabilities; 1980 of them allow remote execution of arbitrary code, and 1354 are SQL injections. Even worse, 54% of these bugs already have working exploits published, and in 38% of cases there are simply no patches or other ways to protect against these problems. The researchers also note that the number of XSS vulnerabilities doubled last year compared to 2017.