Top 10 WordPress plugins with the most reported vulnerabilities according to the WPScan Vulnerability Database.
Please note that past vulnerabilities do not necessarily reflect the plugins’ state today. Reporting vulnerabilities so they can be fixed, is a good thing.
What’s the data source?
I wrote a script that once per day will download the WPScan Vulnerability Database and count the vulnerabilities per plugin. The result is published in a JSON file here (use this source at your own risk, it might go away or be changed without any notice), which I parse to use as data source in the above graph.