For the past 30 months, we have reported quite a lot of vulnerabilities we discovered in WordPress themes and plugins. Here are some interesting stats and facts about them, as well as a few recommendations for all developers of WordPress plugins and themes.
The WordPress Welcart e-Commerce plugin (20,000+ active installations) fixed multiple information disclosure vulnerabilities affecting version 2.2.7 and below.
Fifteen WordPress themes were prone to critical unauthenticated function injection and privilege escalation vulnerabilities.
The Product Input Fields for WooCommerce plugin (5,000+ active installations) fixed a high severity vulnerability that could allow an unauthenticated user to download any file from the blog, including the WordPress configuration file.
The WP Security Audit Log WordPress plugin (100,000+ active installations) fixed a vulnerability that could lead to privilege escalation, sensitive data exposure and insecure deserialization.