Vulnerabilities in WordPress plugins more than doubled in 2021 compared to the previous year, according to a report, a worrying trend because most can be exploited by threat actors on the e-commerce and news sites that rely on the platform.
The report, released today by researchers at Risk Based Security, says 2,240 vulnerabilities in WordPress plugins were disclosed last year. That’s a 142 per cent increase compared to 2020.
Plugins add capabilities to the platform, including the ability to add search engine optimization, user forms, a website builder, e-commerce features and more. It’s estimated there are thousands of WordPress free or priced plugins available. However, not all of them are designed with security in mind, or issue security updates. Vulnerabilities in those plugins allow threat actors to attack WordPress indirectly rather than targeting the platform itself.
Out of all of the more than 10,000 known WordPress plugin vulnerabilities, 77 per cent have known public exploits, the report notes.
While the average CVSSv2 score for all WordPress plugin vulnerabilities is 5.5, considered of moderate severity, the report says, many score higher. For example, the Starter Templates plugin, which according to WordPress security specialist WordFence is installed on over 1 million WordPress websites, has a CVSS score of 7.6.
But, the Risk Based Security report says, WordPress administrators shouldn’t put a priority on patching high-scoring bugs. There’s evidence malicious actors go after vulnerabilities they can easily exploit.
“Because of factors like exploitability and attacker location, WordPress plugin issues can pose a significant threat to organizations deploying at-risk assets, even if they may not appear ‘highly critical’ at first glance,” warns the report.
Security teams need to have knowledge of their assets — including all plugins — comprehensive vulnerability intelligence for all known issues, and detailed metadata, that allows them to examine factors like exploitability, to then contextualize the risk it poses to their environment, says the report.
“Security professionals should start with vulnerabilities that are remotely exploitable, have a public exploit, and have a known solution,” says the report. “And if WordPress plugin issues affect important assets, these vulnerabilities should be triaged first. By remediating these types of issues, organizations can best protect themselves against potential attacks while saving time since solution data is available. This risk-based approach will prove to be more effective than traditional Vulnerability Management models based on severity.”