New web application vulnerabilities increased by 21% in 2018 compared to 2017, according to a Wednesday report from Imperva. More than half of these vulnerabilities (54%) have a public exploit available to hackers, and more than one third (38%) don’t have any solution in terms of software upgrades or patches, the report found.

In the content management system (CMS) category, reported WordPress vulnerabilities increased by 30% over the last year, according to the report. WordPress faced more vulnerabilities than any other CMS, the report found, due in part to the platform’s popularity: It is used by nearly 60% of all websites, totalling to more than 22 million sites, according to WebsiteSetup data.

SEE: Incident response policy (Tech Pro Research)

Virtually all WordPress vulnerabilities (98%) are related to plugins, which expand the functionality and features of a website, the report found. Any user can create and publish a plugin, since WordPress is open source, and there is no enforcement of minimum security standards, which makes them prone to vulnerabilities.

At the time of the report’s publication, WordPress had 55,271 plugins, with only 1,914 (or 3%) added in 2018. The slow growth of plugins and rapid rise of new vulnerabilities could again be due to its widespread use, as attackers may be more motivated to develop dedicated tools to search for holes in the code, the report noted.

Meanwhile, while Drupal is the third-most popular CMS after WordPress and Joomla, two of its vulnerabilities (CVE-2018-7600 and CVE-2018-7602) were the cause of security breaches in hundreds of thousands of web servers in 2018, the report found. These vulnerabilities allowed unauthenticated attackers to remotely inject malicious code, and run it on default or common Drupal installations–then letting attackers connect to backend databases, scan and infect internal networks, mine cryptocurrencies, and infect clients with trojans, according to the report.

Here are the 10 WordPress plugins with the most vulnerabilities in 2018, according to the report. However, there are several caveats to this information. For one, it should be noted that inclusion on this list does not mean these are necessarily the most-attacked plugins, the report said. In some cases, the issues found do not put users at risk of attack, because they can only be exploited by users with full administrative access to the site. Some of the sites below only had a handful of vulnerabilities, Imperva clarified, that may not directly impact users.

  1. Event Calendar WD
  2. Ultimate Member
  3. Coming Soon Page
  4. GD Rating System
  5. Contact Form by WD
  6. WPGlobus
  7. From Maker
  8. Ninja Forms
  9. Affiliates Manager
  10. Duplicator Pro

The big takeaways for tech leaders:

  • Web application vulnerabilities increased by 21% in 2018 compared to 2017. — Imperva, 2019
  • WordPress vulnerabilities tripled between 2017 and 2018. — Imperva, 2019