UPDATED 22:29 EDT / DECEMBER 18 2016

Research finds WordPress security flaws exist but not as bad as thought

A new study has found that while Automattic Inc.’s WordPress content management system continues to have security flaws, they’re not as bad as commonly thought.

German security firm RIPS Technologies GmbH analyzed all 47,959 plugins that are available from the official WordPress repository using its static code analyzer and found that only 8,800 of the plugins had at least one vulnerability in them.

Where the figures do become somewhat concerning is with what the company describes as “larger plugins,” that is, plugins with more than 500 lines of code. Of 10,523 larger plugins, 4,559, or 43 percent, contain at least one medium severity issue, such as cross-site scripting.

Of all plugins analyzed, nearly 36,000 did not have any vulnerabilities at all while 1,426 had only low severity flaws. Medium severity bugs were identified in more than 4,600 plugins, while high severity bugs and critical issues came in at 2,799 and 41 plugins respectively. Those plugins found to have security issues tended not to have single vulnerabilities, with a total of 67,486 vulnerabilities discovered in the plugins analyzed.

Cross-site scripting was the most common vulnerability, accounting for 68 percent of those found, followed by 20 percent of plugins allowing for potential SQL injection. Some of the most common WordPress plugins targeted by attacks were found to be:

  • Revolution Slider
  • Beauty & Clean Theme
  • MiwoFTP
  • Simple Backup
  • Gravity Forms
  • WordPress Marketplace
  • CP Image Store
  • WordPress Download Manager

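The two flaw classes the study found most often, cross-site scripting and SQL injection, as they typically appear in plugin code, each beside a hardened version that uses WordPress's own escaping and prepared-statement APIs. This is an added illustration, not code from the RIPS study or from any plugin named above; the function names and the table name are hypothetical.

```php
<?php
// Added illustration (not from the RIPS study or any listed plugin).
// Function names and the table name are hypothetical.

// 1. Reflected cross-site scripting: a request parameter is echoed
//    straight back into HTML without escaping.
function example_search_form_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<input type="text" name="q" value="' . $q . '">';   // unescaped
}

// Hardened: unslash, sanitize, then escape for the attribute context.
function example_search_form_safe() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}

// 2. SQL injection: caller-supplied input concatenated into the query.
function example_lookup_vulnerable( $slug ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';   // hypothetical table
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE slug = '" . $slug . "'" );
}

// Hardened: $wpdb->prepare() binds the value as a parameter; the table
// name comes from $wpdb->prefix, not from user input, so it is safe to interpolate.
function example_lookup_safe( $slug ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE slug = %s", $slug )
    );
}
```

Reviewing a plugin for unescaped `echo` of request data and for string-built `$wpdb` queries is a quick first pass that catches the two patterns behind most of the issues the study counted.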
RIPS security researcher Hendrik Buchwald said there was reason to stay calm about the findings, as the results are far less severe than they could have been.

WordPress is not as insecure as its reputation would suggest. Rather it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues, have a lot of them.

Buchwald recommends that WordPress users install only plugins that they really need, keep all plugins up to date and choose strong passwords.

Image credit: Maxpixel/Public Domain CC0
