The problem is most WordPress plugins are abandoned. Most sites default to auto-updating plugins, but if the plugin author isn’t pushing security patches it’s a big vulnerability.
WordPress plugins are notoriously bad at input sanitization. Even many large, commercially supported plugins get abandoned or simply aren’t secure.