Daniel Cid has a good post on Sucuri that describes how they look at WordPress plugin vulnerabilities.
Contrary to popular belief, just because you hear “SQL Injection”, it doesn’t mean someone can actually hack your site. The real problem comes in remote and unauthenticated attacks. These can lead to mass compromises; compromised sites can be leveraged to distribute malware and spam, and can lead to brand reputation issues like getting blacklisted by Google.
When an attack requires an authenticated user, the severity drops. However, it is not that uncommon for sites to allow subscribers to register. So, any vulnerability that requires a subscriber user can also lead to serious issues.
He also notes how they use a DREAD score to measure vulnerability severity. Is DREAD the best acronym ever, or what?
You’ll notice in the post that most of the vulnerabilities we’ve seen lately are either low or very low severity. That doesn’t make them unimportant, but we need to learn to judge by more than a vulnerability’s scary name, and instead be able to decipher what requires red sirens and PSAs and what requires a simple entry in the update changelog.
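To make the argument concrete, here is an added triage example (mine, not Sucuri's scoring code and not part of the original post) that rates a plugin bug with the five DREAD axes and lets the access an attacker needs drive the Exploitability axis: an unauthenticated remote bug scores highest, a subscriber-only bug stays serious where the site allows open registration, and an admin-only bug drops. The penalty values, the 0-10 scale, the severity thresholds and the sample vulnerabilities are all assumptions constructed for the illustration.

```python
"""
Severity triage for WordPress plugin vulnerabilities: a DREAD score whose
Exploitability axis reflects the privilege an attacker needs.
Added illustration; not code from the Sucuri post or from WordPress.
"""
from dataclasses import dataclass

# Privilege an attacker needs before the bug is even reachable. The ordering
# mirrors the post's argument: unauthenticated remote bugs are the worst,
# subscriber-only bugs are still serious where registration is open, and
# bugs that need an administrator rarely deserve a siren.
PRIVILEGE_PENALTY = {          # assumed values, not Sucuri's
    "none": 0,
    "subscriber": 2,
    "contributor": 4,
    "editor": 6,
    "administrator": 8,
}


@dataclass
class PluginVuln:
    name: str
    damage: int            # 0-10: what the attacker gains beyond what they already have
    reproducibility: int   # 0-10: how reliably the bug triggers
    affected_users: int    # 0-10: size of the exposed install base
    discoverability: int   # 0-10: how easily the bug is found
    remote: bool           # reachable over the network
    required_role: str     # key of PRIVILEGE_PENALTY
    open_registration: bool = False  # can anyone create a subscriber account?


def exploitability(v: PluginVuln) -> int:
    """Exploitability axis of DREAD, driven by the access an attacker needs."""
    score = 10 if v.remote else 4
    penalty = PRIVILEGE_PENALTY[v.required_role]
    # A subscriber-only bug on a site with open registration is, in practice,
    # close to unauthenticated: anyone can create the account they need.
    if v.required_role == "subscriber" and v.open_registration:
        penalty = 1
    return max(0, score - penalty)


def dread_score(v: PluginVuln) -> float:
    """Plain DREAD: mean of the five axes, 0-10."""
    axes = [v.damage, v.reproducibility, exploitability(v),
            v.affected_users, v.discoverability]
    return sum(axes) / len(axes)


def severity_band(score: float) -> str:
    """Map a score to a band; thresholds are assumed, not Sucuri's."""
    if score >= 8:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    if score >= 2:
        return "low"
    return "very low"


def triage(v: PluginVuln) -> dict:
    s = dread_score(v)
    return {"name": v.name, "score": round(s, 1), "band": severity_band(s)}


# Constructed sample vulnerabilities; names and numbers are made up.
# All three carry the same scary label, "SQL injection", yet triage differently.
SAMPLES = [
    PluginVuln("SQLi in public AJAX handler", 9, 9, 8, 7, True, "none"),
    PluginVuln("SQLi in subscriber profile page", 9, 9, 8, 5, True, "subscriber"),
    # Damage is low here: an administrator can already run arbitrary code by
    # installing a plugin, so SQLi gains them little.
    PluginVuln("SQLi in admin-only settings form", 4, 9, 8, 4, True, "administrator"),
]

if __name__ == "__main__":
    for vuln in SAMPLES:
        print(triage(vuln))
```

The point of scoring Damage relative to what the attacker already holds is what separates the admin-only case from the unauthenticated one: same bug class, very different changelog entry.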