Most of the bugs were in the plugins that extend the functionality of WordPress websites. WordPress is the most popular content management system (CMS) followed by Joomla and Drupal. Almost all the vulnerabilities, 98%, are related to WordPress plugins, which are more than 50,000 on the official website of the CMS. Almost 1,980 of them allowed remote code execution (RCE) and 1,354 enabled SQL injection attacks. In 38% of the cases, there is no mitigation solution, such as a patch or a software upgrade.
Source: https://www.bleepingcomputer.com/news/security/wordpress-related-vulnerabilities-saw-a-30-percent-uptick-in-2018/