Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Over 8,800 WordPress Plugins Have Flaws: Study

Researchers at web application security firm RIPS Technologies have analyzed 44,705 of the roughly 48,000 plugins available in the official WordPress plugins directory and discovered that more than 8,800 of them are affected by at least one vulnerability.

Researchers at web application security firm RIPS Technologies have analyzed 44,705 of the roughly 48,000 plugins available in the official WordPress plugins directory and discovered that more than 8,800 of them are affected by at least one vulnerability.

The company downloaded all the plugins and used its static code analyzer to check the ones that have at least one PHP file. An analysis of the size of these plugins showed that roughly 14,000 of them have only 2-5 files and only 10,500 of them have more than 500 lines of code.

WordPress plugins - lines of code

Researchers determined that of the plugins with more than 500 lines of code, which have been classified as “larger plugins,” 4,559, or 43 percent of the total, contain at least one medium severity issue (e.g. cross-site scripting).

RIPS’s analysis showed that nearly 36,000 of the plugins did not have any vulnerabilities and 1,426 had only low severity flaws. Medium severity bugs have been identified in more than 4,600 plugins, while high and critical security holes have been found in 2,799 and 41 plugins, respectively.

A total of 67,486 vulnerabilities have been discovered in the plugins, which indicates that the applications that do have flaws have a lot of them. Experts noted that a majority of plugins don’t have weaknesses due to their small size (i.e. have fewer lines of code).

As for the types of vulnerabilities affecting these plugins, unsurprisingly, more than 68% are cross-site scripting (XSS) issues and just over 20% are SQL injections. XSS flaws can pose a serious risk in the case of WordPress websites, but exploiting them requires administrator interaction. SQL injections, on the other hand, can be exploited without user interaction and attacks can be automated.

Between January and December 2016, a honeypot operated by RIPS captured more than 200 attacks targeting WordPress plugins, including 69 against Revolution Slider, 46 against Beauty & Clean Theme, 41 against MiwoFTP and 33 against Simple Backup. These attacks involved easy-to-exploit vulnerabilities that were known and well documented.

RIPS pointed out that they may not have found all the vulnerabilities affecting the plugins they analyzed, and it’s uncertain if the flaws they identified are exploitable.

Advertisement. Scroll to continue reading.

Related: Hackers Can Exploit Roundcube Flaw by Sending an Email

Related: Hacked WordPress Sites Target Random Users

Related: Backdoor Uploaded to WordPress Sites via eCommerce Plugin Zero-Day

Related: WordPress Flaw Allows XSS Attack via Image Filenames

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.