Security Experts: Top WordPress Plugins Contain Serious Security Vulnerabilities

After analyzing many of the most popular WordPress plugins, researchers found many of them contained serious security vulnerabilities.

Of the top 50 most downloaded plugins for the WordPress platform, 18 were vulnerable and could be exploited to infect Websites and distribute malware, Maty Siman, the CTO of Checkmarx, told SecurityWeek. Out of the top 10 most popular e-commerce plugins, seven contained serious security flaws. Two were directly from the WordPress team and affected BuddyPress, and several dealt with online payments or interacted with Facebook and other social networks, Siman said.

The 18 plugins had been downloaded a total of 18.5 million times, and the seven e-commerce plugins 1.7 million times, Checkmarx said in its report, "The Security State of WordPress Top 50 Plugins."

Siman said he was surprised the team found so many vulnerable plugins. "I thought we wouldn't find anything," Siman said, noting that these were "high-profile plugins."

Checkmarx conducted the test in two phases, scanning the plugins once in January and again in June. In the first wave, Checkmarx scanned the top 50 plugins and identified 18 that were vulnerable. In the second wave, Checkmarx rescanned those 18 plugins, each of which had been updated at least once in the interim, and found that only six had been fixed.

Siman had expected that the top 50 plugins would be less vulnerable to common issues such as SQL injection and cross-site scripting.

In the June test, researchers found that over 20 percent of the 50 most popular add-ons could still be exploited by common attacks such as SQL injection and cross-site scripting. This means that attackers can easily use an automated exploit kit, point it at a WordPress site, and compromise it, Siman said.

"If the plugin is vulnerable, so is the Website," Siman said.

Website administrators can take a few steps to protect their sites against vulnerable plugins. Administrators should download plugins only from reputable sources, such as WordPress.org for WordPress and the official marketplaces for other platforms. They should also scan their own Websites with the plugin installed to verify that it introduces no vulnerabilities. If they have the source code, which is the case for most open-source plugins, administrators should run a static source code analysis tool against it to check the plugin's security.
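As an illustration of what a static source code check for the two flaw classes named in the report (SQL injection and cross-site scripting) looks like in practice, here is an added example; it is not Checkmarx's scanner and not code from any plugin in the report. It is a deliberately small, regex-based taint check over PHP source: a variable assigned straight from a request superglobal is treated as tainted unless it passes through a known WordPress sanitizer, and a finding is raised when tainted data reaches a `$wpdb` query that is not wrapped in `$wpdb->prepare()` or an `echo`/`print` that is not wrapped in an `esc_*` function. The two PHP snippets are constructed for the example, one vulnerable and one fixed, and the sanitizer and escaper lists are an assumed subset of the real WordPress API.

```python
import re

# Constructed sample PHP snippets for the example (not taken from any real plugin).
VULNERABLE_PHP = """<?php
$id = $_GET['id'];
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}items WHERE id = $id");
echo "<h1>" . $_POST['title'] . "</h1>";
"""

FIXED_PHP = """<?php
$id = absint($_GET['id']);
$rows = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE id = %d", $id));
echo "<h1>" . esc_html($_POST['title']) . "</h1>";
"""

# Request data that an attacker controls directly.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]")
# A simple `$name = <expr>;` assignment (single-line only, a simplification).
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+);\s*$")
# Assumed subset of WordPress sanitizers that make a value safe for use.
SANITIZERS = ("absint(", "intval(", "sanitize_text_field(", "sanitize_key(", "esc_sql(")
# SQL sinks on the $wpdb object; $wpdb->prepare() is the safe wrapper.
SQL_SINK = re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row|get_col)\s*\(")
# Output sinks; esc_* functions are the safe wrappers for HTML context.
OUTPUT_SINK = re.compile(r"^\s*(?:echo|print)\b")
ESCAPERS = ("esc_html(", "esc_attr(", "esc_url(", "esc_js(", "wp_kses(")


def _uses_taint(expr, tainted):
    """True if expr references a superglobal or any variable currently marked tainted."""
    if SUPERGLOBAL.search(expr):
        return True
    return any(re.search(r"\$" + re.escape(name) + r"\b", expr) for name in tainted)


def scan_php(source):
    """Return [(kind, line_number), ...] for each tainted value reaching an unguarded sink.

    kind is "sqli" for an unprepared $wpdb query or "xss" for an unescaped echo/print.
    """
    findings = []
    tainted = set()
    for lineno, line in enumerate(source.splitlines(), 1):
        # 1. Propagate taint through assignments; a sanitizer call clears it.
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.group(1), m.group(2)
            if _uses_taint(rhs, tainted) and not any(s in rhs for s in SANITIZERS):
                tainted.add(name)
            else:
                tainted.discard(name)  # reassigned from a clean/sanitized source
        # 2. SQL sink: tainted data interpolated into a query without $wpdb->prepare().
        if SQL_SINK.search(line) and "$wpdb->prepare(" not in line and _uses_taint(line, tainted):
            findings.append(("sqli", lineno))
        # 3. Output sink: tainted data echoed without an esc_* wrapper
        #    (presence of any escaper on the line is taken as sufficient, a simplification).
        if OUTPUT_SINK.match(line) and _uses_taint(line, tainted) and not any(e in line for e in ESCAPERS):
            findings.append(("xss", lineno))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("fixed", FIXED_PHP)):
        print(label, scan_php(src))
```

Running the block reports a SQL injection on line 3 and a cross-site scripting sink on line 4 of the vulnerable snippet and nothing for the fixed one. A production static analyzer does the same thing with a real parser and inter-procedural data flow rather than line-by-line regexes, so this checker will miss taint that crosses function boundaries or lines and will accept any `esc_*` call on a line as a fix; it is a demonstration of the idea, not a substitute for a proper tool.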

Just because the plugin comes from an official source does not guarantee its security, although it is a good place to start, Siman said.

It's important to always keep all plugins up-to-date. Don't ignore notifications that a plugin has an update available, or postpone it "to do it later," Siman warned. Administrators should also remove plugins that aren't being used. Even if a plugin isn't active, having vulnerable code on the Web server is a risk, and one not worth keeping around.

Siman said the process of notifying and working with developers to get vulnerabilities fixed was a challenge. Although the developers were generally receptive to receiving the reports, "the process can be improved," Siman said.

In the report, Checkmarx named only the plugins whose vulnerabilities had been fixed. The remaining ones were not identified.

Checkmarx was careful to note that the problem isn't unique to WordPress. While the survey looked only at WordPress plugins because of the platform's immense popularity, other content management platforms and other Web software suffer similar problems. Hackers exploit vulnerable applications to access sensitive information such as personally identifiable information, health records, and financial details, the researchers wrote in the report.

"Application marketplaces should enforce a security standard for the third-party apps and authorize only those apps that pass the security bar," Siman suggested.

The full report from Checkmarx is available here in PDF format.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.