A particularly worrisome fact in the website hacking statistics is that 98% of WordPress vulnerabilities are related to plugins. (See Figure 7 below.)
The most common vulnerability types in WordPress plugins are Cross-site Scripting (XSS) and SQL Injection.
According to CVE Details, XSS attacks are the biggest threat to WordPress sites. The second most common type of attack is code execution, and the third is the various bypass vulnerabilities.
Even more worrisome is that among the top 10 WordPress plugins listed there are 5 commercial plugins, which have around 21 million downloads, and one of them is a security plugin. (Source: WP WhiteSecurity)
To top it off, anyone can create a plugin and publish it: WordPress is open source, and nobody performs a code analysis before a new plugin is released to the world. There are also no serious security standards for these plugins, so WordPress plugins are unfortunately prone to vulnerabilities.