Top 10 WordPress plugins with the most reported vulnerabilities according to the WPScan Vulnerability Database.
[wpvulndb_chart]
Please note that past vulnerabilities do not necessarily reflect the plugins’ state today. Reporting vulnerabilities so they can be fixed, is a good thing.
What’s the data source?
I wrote a script that once per day will download the WPScan Vulnerability Database and count the vulnerabilities per plugin. The result is published in a JSON file here (use this source at your own risk, it might go away or be changed without any notice), which I parse to use as data source in the above graph.