
The WordPress Ecosystem is Becoming More Secure with Responsible Disclosure Becoming More Common

via wordfence.com => original post link

The Wordfence 2022 State of WordPress Security Report was released on January 24th, 2023. One area we reviewed in this report was the set of vulnerabilities disclosed in 2022. Counting each affected product separately, since some vulnerabilities affected multiple plugins, themes, and WordPress core, a total of 2,370 vulnerabilities were reported in 2022. The top five vulnerability categories were Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), authorization bypass, SQL Injection (SQLi), and information disclosure. While these statistics sum up what was in the report, the story does not end there.

The report shows some similarities to, as well as distinct differences from, the prior year. This is not uncommon: WordPress development, both for core and for plugins and themes, potentially includes years' worth of legacy code alongside newer code written to updated coding standards. The legacy code keeps older classes of vulnerability alive, while the newer code introduces new places for vulnerabilities to appear, so the total number of potential vulnerabilities tends to grow.

In addition to changes in code, one major factor in the increase in vulnerability reports in 2022 was likely that it is becoming easier for researchers to report vulnerabilities. As mentioned in our 2022 report, Wordfence, along with other companies, became a CVE Numbering Authority (CNA) in 2021. This means there are more points of contact for researchers to submit newly discovered vulnerabilities, and more bandwidth for processing vulnerability reports. As noted in the report, we hope to amplify this trend further with the launch of Wordfence Intelligence Community Edition, a complete WordPress vulnerability database that is free to access and use.