WordPress is the most popular blogging platform in use today. It powers more than 60 million websites and 18% of the Web. What makes it even better is the sheer number of plugins which improve upon its functionality and add to its features. A recent study examined the security state and exposed vulnerabilities in some of the top 50 most popular WordPress plugins.
A study by Checkmarx has revealed that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Moreover, 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. As a result, vulnerable WordPress plugins have been downloaded more than 8 million times.
The findings in bullet form are:
- 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. These plugins are vulnerable to: SQL Injection (SQLi), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Path Traversal (PT).
- 7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks. This amounts to more than 1.7 million downloads of vulnerable e-commerce plugins. These plugins are vulnerable to SQLi, XSS, CSRF, Remote/Local File Inclusion (RFI/LFI) and PT.
- There is no correlation between the number of Lines of Code (LOC) and the vulnerability level of the plugins.
- Only six plugins were completely fixed within a six-month period, although all of the plugins released new versions during that time.
This is quite an alarming situation, states the study. Hackers can exploit these vulnerable plugins to access sensitive information such as personally identifiable information (PII), health records and financial details. Other vulnerabilities allow hackers to deface the sites or redirect visitors to another attacker-controlled site. Hackers can also take control of the vulnerable sites and make them part of a botnet.
The report concludes with recommendations for webmasters and bloggers, which include:
- Download plugins only from the official WordPress website.
- Scan the plugin for security issues.
- Ensure all your plugins are up to date.
- Remove any unused plugins.
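The last two recommendations (keep plugins current, remove unused ones) can be checked routinely rather than by hand. The script below is an added example written for this summary, not code from the Checkmarx report or from WordPress; it assumes WP-CLI is installed and parses the CSV that `wp plugin list --format=csv --fields=name,status,update,version` prints, flagging every inactive plugin and every active plugin with an update available. The sample CSV embedded in the comments is constructed for illustration.

```sh
#!/bin/sh
# Plugin hygiene audit (hypothetical helper, added example).
# Input: CSV exactly as WP-CLI prints it, header line first, e.g.
#   name,status,update,version
#   example-seo,active,none,1.2.0
# Output: one line per plugin:
#   INACTIVE <name>          -> candidate for removal (unused plugin)
#   UPDATE <name> <version>  -> active but a newer release is available
#   OK <name>                -> active and current

audit_plugins() {
    # $1 = CSV text; header row is read to locate columns by name so the
    # field order WP-CLI uses does not matter.
    printf '%s\n' "$1" | awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $0 == "" { next }
        {
            name    = $col["name"]
            status  = $col["status"]
            update  = $col["update"]
            version = $col["version"]
            if (status == "inactive")       print "INACTIVE " name
            else if (update == "available") print "UPDATE " name " " version
            else                            print "OK " name
        }'
}

count_findings() {
    # Number of plugins that need attention (anything not reported OK).
    audit_plugins "$1" | grep -vc '^OK '
}

# Typical use on a live site (requires WP-CLI on the host):
#   audit_plugins "$(wp plugin list --format=csv --fields=name,status,update,version)"
# Exit non-zero from a cron job when count_findings prints anything but 0.
```

Run it from the site root under cron or a CI job; a non-zero finding count is the signal to update or delete before an attacker finds the stale plugin first.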
The full report, titled The Security State of WordPress' Top 50 Plugins, is available from Checkmarx.