In a blog post, Risk Based Security said a total of 10.359 flaws were now listed for all third-party WordPress plugins, with the 2021 count rising about that of 2020 by 142%.
Of all the vulnerabilities listed, there were public exploits for 77%, the company claimed, adding that if CVSS scores were the basis for prioritisation of risk, then there was a need to p[properly triage this risk.
The post said there was a tendency for organisations to disregard this risk as the average CVSSv2 score for a third-party WordPress vulnerability was 5.5.
"Since the average WordPress plugin issue is scored 5.5, is it safe for organisations to instantly de-prioritize these issues? The answer is no."
The post said most such flaws were exploitable, pointing out that 7592 were remotely exploitable, 7993 had a public exploit and 4797 had a public exploit but no CVE ID.
"Because of factors like exploitability and attacker location, WordPress plugin issues can pose a significant threat to organisations deploying at-risk assets, even if they may not appear 'highly critical' at first glance," Risk Based Security said.
"In addition, WordPress plugin vulnerabilities may be especially dangerous for organisations relying on CVE/NVD, since they will be unaware of 60% of issues with known public exploits."
The post said while there were 58,000 free plugins for download, few had been designed with security in mind and this meant that one vulnerability could very well end up affecting more than one plugin.
"Security teams will need to have knowledge of their assets, comprehensive vulnerability intelligence for all known issues, and detailed metadata, that allows them to examine factors like exploitability, to then contextualise the risk it poses to their environment," the post added.