The number of vulnerabilities discovered in WordPress plugins and themes is quite impressive. If you take a look at public exploits databases, you’ll see new vulnerabilities discovered every week.
According to the most recent data, the most common vulnerabilities in WordPress plugins and themes are XSS (Cross-site Scripting) and CSRF (Cross-Site Request Forgery). Less common types of vulnerabilities are SQL Injection, RFI (Remote File Inclusion), LFI (Local File Inclusion), Arbitrary File Upload, Directory Traversal.