A small survey of blogs that use the popular WordPress blogging software has found that the sites’ administrators are not sticklers about patching, which could leave the door open to increasingly common compromises with malicious JavaScript.

The survey, published by security analyst David Kierznowski on Wednesday, found that only one of the 50 surveyed WordPress sites had upgraded to the latest supported versions — 2.2 and 2.0.10 — of the open-source package. Nearly half of the sites had not even been upgraded from the unsupported 1.5 branch of the WordPress software.