Vulnerabilities in WordPress plugins more than doubled in 2021 compared to the previous year, according to one report, a worrying trend because most of them can be exploited by threat actors against the e-commerce and news sites that rely on the platform.
The report, released today by researchers at Risk Based Security, says that 2,240 vulnerabilities were exposed in WordPress plugins last year. This is a 142 percent increase compared to 2020.
Plugins add capabilities to the platform, including search engine optimization, user forms, website builders, e-commerce features, and more. It is estimated that there are thousands of free or paid WordPress plugins available. However, not all of them are designed with security in mind or receive security updates. Vulnerabilities in these plugins allow threat actors to attack WordPress sites indirectly rather than targeting the platform itself.
The report states that of the more than 10,000 known vulnerabilities in WordPress plugins, 77 percent have known public exploits.
While the average CVSSv2 score for all WordPress plugin vulnerabilities is 5.5, which is considered medium severity, the report says that many of the scores are higher. For example, the Starter Templates plugin, which according to WordPress security specialist Wordfence is installed on over a million WordPress websites, has a vulnerability with a CVSS score of 7.6.
But, according to the Risk Based Security report, WordPress admins should not prioritize fixing high-scoring bugs. There is evidence that malicious actors go after vulnerabilities that can be easily exploited.
The report warns that “due to factors such as exploitability and the location of the attacker, WordPress plugin issues can pose a significant threat to organizations deploying vulnerable assets, even if they do not appear ‘critical’ at first glance.”
Security teams need to know their assets, including all installed plugins, and need comprehensive vulnerability information for all known issues along with detailed metadata. That metadata lets them examine factors such as exploitability and then contextualize the risk each issue poses to their environment, the report says.
“Security professionals should start with vulnerabilities that can be exploited remotely, have public vulnerabilities, and have a known solution,” the report says. “And if WordPress plugin issues affect critical assets, those vulnerabilities should be categorized first. By addressing these types of issues, organizations can better protect themselves against potential attacks while saving time due to the availability of solution data. This risk-based approach will prove to be more effective than traditional severity-based vulnerability management models.”
The article “Vulnerabilities in WordPress plugins more than doubled in 2021” first appeared on IT World Canada.