To make the internet a safer place for all, WP Toolkit is now introducing an automated vulnerability scan based on the vulnerability database provided by our partners at Patchstack. Every hour we’re checking if there are any plugins, themes, or WordPress sites on a given server with known vulnerabilities. We are also fetching information about new vulnerabilities from the vulnerability database on an hourly basis. Once a vulnerability is detected, WP Toolkit will mark the site in the interface, letting site admins know they should take action.

A vulnerability scan isn’t something we’ve decided to do “just in case”. There has been a 150% increase in vulnerabilities found compared to 2020. Nearly 1,500 new vulnerabilities have been added to Patchstack vulnerability database in 2021. These vulnerabilities were in WordPress plugins, themes, and WordPress core. For comparison, in 2020 we saw almost 600 vulnerabilities.

As the primary source for WordPress plugins and themes, the wordpress.org repository leads the way in terms of vulnerable assets. Vulnerabilities in plugins and themes hosted on wordpress.org represented 91.79% of vulnerabilities added to Patchstack vulnerability database.

The remaining 8.21% of the reported vulnerabilities in 2021 were reported in the premium or paid versions of the WordPress plugins or themes that are sold through other marketplaces e.g. Envato, ThemeForest, Code Canyon, or made available for direct download only.

As you can see, the situation with security vulnerabilities in the WordPress ecosystem seems to be getting out of hand. Who’s going to help us mitigate the consequences?