Marcin Probola conducted a PHP static code analysis of the top ~1000 WordPress plugins, and the results showed 103 plugins were vulnerable to at least one vulnerability type (XSS, SQL injection). This is roughly 10 percent! Marcin Probola writes that scanning results were manually verified in his spare time and delivered to official firstname.lastname@example.org from 04.07.2015 to 31.08.2015. Most of reported plugins are already patched, some are not. Vulnerable and not patched plugins are already removed from official wordpress plugin repository.
You can find Marcin Probola list here, which is an interesting read. Kudo’s for this one!
WordPress, on their Codex, provides a lot of functions and information about input & output sanitization, hardening WordPress, and a lot of information is freely available on the Internet about secure PHP programming, SQL injection, Cross Site Scripting (XSS), and so on.
Therefore I don’t understand why so many plugins are written so poorly. Is it time? Money? Knowledge? Functionality? Who knows… Enlighten me! :-)