PHP static code analysis vs ~1000 top wordpress plugins = 103 vulnerable plugins found: I’ve been making php static code analysis tool for a while and few months ago I ran it against ~1000 (more or less) top wordpress plugins.
Scanning results were manually verified in my spare time and delivered to official firstname.lastname@example.org from 04.07.2015 to 31.08.2015. Most of reported plugins are already patched, some are not. Vulnerable and not patched plugins are already removed from official wordpress plugin repository.
103 plugins vulnerable with more than 4.000.000 active installations in total (~30.000.000 downloads)