WordPress Plugin Vulnerabilities: The 96% Problem
Here is a number that should concern every WordPress site owner: 96% of WordPress vulnerabilities come from plugins. Not WordPress core. Not themes. Plugins. The very tools that make WordPress powerful are also its biggest security weakness.
The Plugin Problem
WordPress is secure. The core software is maintained by a dedicated security team and receives regular updates. But the average WordPress site runs 20 to 30 plugins, and each one of those plugins is a potential entry point for attackers.
In just one recent week, security researchers discovered 333 new vulnerabilities across WordPress plugins and themes. That is nearly 48 new threats appearing every single day. The ecosystem is simply too large and too decentralized for every plugin to be properly secured.
The WordPress plugin ecosystem is a double-edged sword. On one hand, over 60,000 free plugins give you incredible flexibility. On the other hand, many of those plugins are created by solo developers, small teams, or hobbyists who may not have security expertise. Common issues include poor code reviews or no code reviews at all, plugins that get abandoned without security updates, developers who do not follow secure coding practices, and plugins that store sensitive data insecurely.
Even popular plugins with millions of installs have had critical vulnerabilities. The Post SMTP plugin with over 400,000 downloads recently had a critical flaw with a 9.8 CVSS score that allowed complete site takeover.
The Most Common Vulnerability Types
XSS vulnerabilities account for approximately 35% of all WordPress plugin vulnerabilities. These allow attackers to inject malicious scripts into web pages viewed by other users. The scripts can steal session cookies, redirect users to malicious sites, or modify page content. Many plugin developers do not properly sanitize user input before displaying it. One unsanitized form field is all it takes for an XSS attack to succeed.
SQL injection vulnerabilities make up about 15% of plugin vulnerabilities but represent some of the most serious threats. These allow attackers to manipulate database queries, potentially exposing all your site data including user credentials. Plugins that directly query the database without using WordPress prepared statements are particularly vulnerable. Many older plugins were written before secure database practices became standard.
CSRF vulnerabilities account for about 17% of plugin flaws. These trick authenticated users into performing unwanted actions. An attacker could craft a link that, when clicked by an admin, changes site settings or creates new admin accounts.
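The three flaws described above (XSS, SQL injection and CSRF) in a single admin form handler, as an added example that is not code from the original post or from ArmorPro: the version many plugins ship, followed by the hardened version built on the WordPress APIs that close each hole. The table, field and action names are hypothetical, and both versions need a WordPress runtime.

```php
<?php
// Added example, not code from the original post or from ArmorPro. The table,
// field and nonce action names are hypothetical; needs a WordPress runtime.

// Vulnerable version: XSS, SQL injection and CSRF in a single handler.
function vuln_plugin_save_note() {
    global $wpdb;
    // No nonce and no capability check: any request an admin's browser sends,
    // including one triggered by a crafted page, is accepted (CSRF).
    $note = $_POST['note'];
    $id   = $_GET['id'];
    // User input interpolated straight into SQL (SQL injection).
    $wpdb->query( "UPDATE {$wpdb->prefix}notes SET body = '$note' WHERE id = $id" );
    // User input echoed unescaped into HTML (XSS).
    echo '<p>Saved: ' . $note . '</p>';
}

// Hardened version.
function safe_plugin_save_note() {
    global $wpdb;
    // Authorization, then CSRF: the user must hold the capability and the
    // request must carry a nonce minted for exactly this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'save_note_action', 'save_note_nonce' );

    // Sanitize on input: strip what the field may not contain, coerce the id.
    $note = sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) );
    $id   = absint( $_GET['id'] ?? 0 );

    // Let $wpdb build the statement from typed placeholders.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}notes SET body = %s WHERE id = %d",
        $note,
        $id
    ) );

    // Escape on output for the HTML context it lands in.
    echo '<p>Saved: ' . esc_html( $note ) . '</p>';
}

// The form that posts to the handler must emit the matching nonce field.
function safe_plugin_note_form() {
    echo '<form method="post">';
    wp_nonce_field( 'save_note_action', 'save_note_nonce' );
    echo '<textarea name="note"></textarea><button>Save</button></form>';
}
```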
Remote code execution (RCE) vulnerabilities are less common at around 8% but are the most dangerous. These allow attackers to execute arbitrary code on your web server. Once they have RCE, they essentially own your server.
What Most People Get Wrong
In my experience, the biggest mistake is thinking security plugins can fix vulnerable code in other plugins. They cannot. Security plugins can only try to block attacks at the perimeter. If you have a plugin with a known vulnerability, no amount of firewall rules will make that code secure.
The second mistake is installing too many plugins. Every additional plugin increases your attack surface. Many sites have plugins installed that they do not even use anymore, just sitting there waiting to be exploited. I have audited sites with 40 or 50 plugins when they only actively used 15 of them.
The third mistake is the "it will not happen to me" mindset. Site owners think hackers only target big sites. But attackers use automated tools that scan millions of sites simultaneously. They do not care who you are. They just care that you have a vulnerable plugin.
The fourth mistake is trusting that updates will always be available. Some plugins stop receiving updates entirely. The developer moves on, loses interest, or simply disappears. The plugin still works, so you keep using it, not realizing it has known vulnerabilities that will never be patched.
The Real World Impact
Plugin vulnerabilities are not theoretical. In 2025, researchers discovered a campaign called ShadowCaptcha that exploited over 100 compromised WordPress sites through plugin vulnerabilities to spread ransomware and cryptocurrency miners.
Another campaign installed a malicious plugin called woocommerce_inputs on over 10,000 sites worldwide. The plugin looked legitimate but was designed to steal payment information.
67% of WordPress vulnerabilities now have low exploitation complexity, meaning even basic attackers can use ready-made tools to compromise websites. You do not need to be a sophisticated hacker to exploit most plugin vulnerabilities. The tools are freely available online.
The Challenge of Staying Protected
The obvious solution is to keep plugins updated. But that is harder than it sounds. Only 30% of WordPress users enable auto-updates. Many site owners are afraid that updates will break their sites. Others simply do not have time to monitor and apply updates regularly.
And even if you update immediately, there is often a window between when a vulnerability is discovered and when a patch is available. During that window, your site is exposed.
How do you know which of your 20 plugins has a vulnerability? Unless you are actively monitoring security feeds, you probably do not. New vulnerabilities are discovered daily, and most site owners have no idea their plugins are compromised until something bad happens.
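One way to answer that question, as an added example that is not code from the original post or from ArmorPro's product: read each installed plugin's name and version from its file header and match them against a vulnerability feed, flagging both versions that predate the fix and advisories with no fix at all. The plugin files, the advisory list and the feed layout are constructed for the example; it runs from the command line without WordPress.

```php
<?php
// Added example, not code from the original post or from ArmorPro. Plugin
// files and advisories are constructed sample data; the feed layout is
// hypothetical. Runs from the command line without WordPress.

// WordPress reads a plugin's name and version from the comment block at the
// top of its main file; these strings stand in for two such files.
$installed = array(
    'mail-sender/mail-sender.php' => "<?php\n/**\n * Plugin Name: Mail Sender\n * Version: 2.4.1\n */",
    'old-gallery/old-gallery.php' => "<?php\n/*\nPlugin Name: Old Gallery\nVersion: 1.0.3\n*/",
);

// Constructed advisories. fixed_in null means no patched release exists.
$advisories = array(
    array( 'slug' => 'mail-sender', 'id' => 'EXAMPLE-ADV-1', 'fixed_in' => '2.5.0' ),
    array( 'slug' => 'mail-sender', 'id' => 'EXAMPLE-ADV-2', 'fixed_in' => '2.0.0' ),
    array( 'slug' => 'old-gallery', 'id' => 'EXAMPLE-ADV-3', 'fixed_in' => null ),
);

// Extract "Key: value" header fields the way WordPress's get_file_data() does.
function read_plugin_header( $source ) {
    $fields = array();
    foreach ( array( 'Plugin Name', 'Version' ) as $key ) {
        $re = '/^[ \t\/*#@]*' . preg_quote( $key, '/' ) . ':(.*)$/mi';
        if ( preg_match( $re, $source, $m ) ) {
            $fields[ $key ] = trim( $m[1] );
        }
    }
    return $fields;
}

// Return one finding per advisory that still applies to an installed version.
function find_vulnerable_plugins( $installed, $advisories ) {
    $findings = array();
    foreach ( $installed as $file => $source ) {
        $slug   = dirname( $file ); // the plugin directory doubles as its slug
        $header = read_plugin_header( $source );
        foreach ( $advisories as $adv ) {
            if ( $adv['slug'] !== $slug ) { continue; }
            // Affected when no fix exists or the installed version predates it.
            if ( null === $adv['fixed_in']
                 || version_compare( $header['Version'], $adv['fixed_in'], '<' ) ) {
                $findings[] = sprintf( '%s %s: %s, %s', $header['Plugin Name'], $header['Version'],
                    $adv['id'], null === $adv['fixed_in'] ? 'no patch available' : 'update to ' . $adv['fixed_in'] );
            }
        }
    }
    return $findings;
}

print_r( find_vulnerable_plugins( $installed, $advisories ) );
```

With the sample data, Mail Sender 2.4.1 is reported against the advisory fixed in 2.5.0 but not the one fixed in 2.0.0, and Old Gallery is reported as having no patch available.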
Monitor Your Plugin Security
ArmorPro monitors your installed plugins against known vulnerability databases and alerts you when one of your plugins has a security issue. Combined with file integrity monitoring, you will know if something changes that should not.
Regulatory Changes Coming
The EU Cyber Resilience Act (CRA) will begin applying in 2026. By September 2026, open source developers including plugin authors must have processes in place to notify authorities and users about actively exploited or severe vulnerabilities. This will likely improve the plugin ecosystem over time, but for now, the responsibility falls on you.
The Reality
Plugins are necessary. You cannot run a modern WordPress site without them. But every plugin you install is a calculated risk. The question is not whether your plugins have vulnerabilities. It is whether you will know about them before attackers exploit them.
With 48 new vulnerabilities discovered every day, staying ahead manually is nearly impossible. You need automated monitoring, alerts when your plugins become vulnerable, and a way to respond quickly. That is why we built this into our plugin. The alternative is finding out about the vulnerability after your site has been compromised.