Top WordPress Plugins Contain Serious Security Vulnerabilities

After analyzing many of the most popular WordPress plugins, researchers found many of them contained serious security vulnerabilities.

Of the top 50 most downloaded plugins for the WordPress platform, 18 were vulnerable and could be exploited to infect Websites and distribute malware, Maty Siman, the CTO of Checkmarx, told SecurityWeek. Out of the top 10 most popular e-commerce plugins, seven contained serious security flaws. Two were directly from the WordPress team and affected BuddyPress, and several dealt with online payments or interacted with Facebook and other social networks, Siman said.

The 18 plugins had been downloaded a total of 18.5 million times, and the seven e-commerce plugins 1.7 million times, Checkmarx said in its “The Security State of WordPress Top 50 Plugins” report.

Siman said he was surprised the team found so many vulnerable plugins. “I thought we wouldn’t find anything,” Siman said, noting that these were “high-profile plugins.”

Checkmarx conducted the test in two phases, scanning the plugins in January and again in June. In the first wave, Checkmarx scanned the top 50 plugins and identified 18 that were vulnerable. In the second wave, Checkmarx rescanned those 18 plugins, each of which had been updated at least once in the interim, and found that only six had been fixed.

Siman had expected that the top 50 plugins would be less vulnerable to common issues such as SQL injection and cross-site scripting.

In the June test, researchers found that over 20 percent of the 50 most popular add-ons could be exploited by a number of common attacks, such as SQL injection and cross-site scripting. This means that attackers can easily use an automated exploit kit, point it at a WordPress site and compromise it, Siman said.

“If the plugin is vulnerable, so is the Website,” Siman said.
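The two flaw classes the report singles out, SQL injection and cross-site scripting, both come down to request input reaching a database query or an HTML response unchanged. The following is an added example written for this article, not code from the Checkmarx report or from any plugin it names: a made-up shortcode that lists posts by an author name taken from the URL, first in the vulnerable form and then hardened with the WordPress APIs a static analysis scan (which the report recommends) would expect to see on that data path. The shortcode name, function names and the `author_name` parameter are assumptions.

```php
<?php
// Added example, not from the Checkmarx report or any plugin it covers.
// Shortcode name, function names and the 'author_name' query parameter are invented.

// ---- Vulnerable pattern: request input reaches SQL and HTML untouched ----
function example_author_posts_vulnerable( $atts ) {
    global $wpdb;
    $author = isset( $_GET['author_name'] ) ? $_GET['author_name'] : '';

    // SQL injection: the raw value is concatenated into the query text, so the
    // attacker controls part of the SQL structure rather than just a value.
    $rows = $wpdb->get_results(
        "SELECT p.ID, p.post_title FROM {$wpdb->posts} p"
        . " JOIN {$wpdb->users} u ON u.ID = p.post_author"
        . " WHERE u.display_name = '" . $author . "' AND p.post_status = 'publish'"
    );

    // Cross-site scripting: the value and the titles are echoed without escaping.
    $out = '<h3>Posts by ' . $author . '</h3><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . get_permalink( $row->ID ) . '">' . $row->post_title . '</a></li>';
    }
    return $out . '</ul>';
}

// ---- Hardened pattern: validate input, bind parameters, escape on output ----
function example_author_posts_hardened( $atts ) {
    global $wpdb;
    // wp_unslash() undoes WordPress's magic-quoting; sanitize_text_field() strips tags and control bytes.
    $author = isset( $_GET['author_name'] ) ? sanitize_text_field( wp_unslash( $_GET['author_name'] ) ) : '';
    if ( '' === $author ) {
        return '';
    }

    // $wpdb->prepare() binds the value as a string (%s) and the limit as an integer (%d);
    // the query structure is fixed before any user data is involved.
    $sql = $wpdb->prepare(
        "SELECT p.ID, p.post_title FROM {$wpdb->posts} p"
        . " JOIN {$wpdb->users} u ON u.ID = p.post_author"
        . " WHERE u.display_name = %s AND p.post_status = 'publish' LIMIT %d",
        $author,
        20
    );
    $rows = $wpdb->get_results( $sql );

    // Escape at the point each value enters HTML: text with esc_html(), URLs with esc_url().
    $out = '<h3>Posts by ' . esc_html( $author ) . '</h3><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
              . esc_html( $row->post_title ) . '</a></li>';
    }
    return $out . '</ul>';
}

// Only the hardened handler is registered.
add_shortcode( 'example_author_posts', 'example_author_posts_hardened' );
```

The difference a static analysis tool reports is the data path: in the first function `$_GET['author_name']` flows into `$wpdb->get_results()` and into the returned markup with no sanitizer or escaper in between; in the second, every sink is preceded by the matching WordPress function. Note that `sanitize_text_field()` alone does not make SQL safe, which is why `$wpdb->prepare()` is still required, and that escaping is done at output time rather than at input time, so the same stored value can be safely reused in a different context later.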

Website administrators can take a few steps to protect their sites against vulnerable plugins. Administrators should download plugins only from reputable sources, such as WordPress.org for WordPress, and official marketplaces for other platforms. They should also scan their own Websites once the plugin is installed to verify there are no vulnerabilities. If they have the source code, which is likely for most open-source plugins, administrators should run a static source code analysis tool to verify the plugin’s security.

Just because the plugin comes from an official source does not guarantee its security, although it is a good place to start, Siman said.

It’s important to always ensure all plugins are up-to-date. Don’t ignore the notifications about an upgraded plugin, or postpone “to do it later,” Siman warned. And administrators should also remove plugins if they aren’t being used. Even if they aren’t actively being used, having vulnerable code on the Web server is a risk, and one not worth keeping around.
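Two of the steps above, applying pending updates and removing plugins that are installed but no longer used, can be checked mechanically from inside WordPress. The following is an added example, not code from Checkmarx or from WordPress itself: a small must-use plugin that lists both categories in an admin notice using WordPress's own `get_plugins()`, `active_plugins` option and `update_plugins` transient. The file and function names are assumptions; the classification is kept in a plain function so it can be reviewed separately from the WordPress glue around it.

```php
<?php
/**
 * Plugin Name: Plugin Hygiene Notice (added example)
 * Description: Flags inactive plugins and plugins with a pending update in the WordPress admin.
 */

// Added example, not Checkmarx's or WordPress's own code. Place it in wp-content/mu-plugins/
// so it loads on every request without needing to be activated.

/**
 * Classify installed plugins. Pure function: takes data WordPress already holds, returns findings.
 *
 * @param array $installed get_plugins() result: 'dir/file.php' => array( 'Name' => ..., 'Version' => ... ).
 * @param array $active    Active plugin files, as stored in the 'active_plugins' option.
 * @param array $pending   $updates->response from the 'update_plugins' transient: file => object with ->new_version.
 * @return array Two lists under the keys 'inactive' and 'outdated'.
 */
function example_plugin_hygiene_findings( array $installed, array $active, array $pending ) {
    $findings = array( 'inactive' => array(), 'outdated' => array() );
    foreach ( $installed as $file => $data ) {
        if ( ! in_array( $file, $active, true ) ) {
            // Inactive code is still present on the server; the advice above is to delete it.
            $findings['inactive'][] = $data['Name'];
        }
        if ( isset( $pending[ $file ] ) ) {
            $findings['outdated'][] = sprintf(
                '%s %s -> %s', $data['Name'], $data['Version'], $pending[ $file ]->new_version
            );
        }
    }
    return $findings;
}

add_action( 'admin_notices', function () {
    // Only users who can update plugins need to see this.
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    // WordPress fills this transient during its periodic update check.
    $updates = get_site_transient( 'update_plugins' );
    $pending = ( is_object( $updates ) && ! empty( $updates->response ) ) ? $updates->response : array();

    $findings = example_plugin_hygiene_findings(
        get_plugins(),
        (array) get_option( 'active_plugins', array() ),
        $pending
    );
    if ( empty( $findings['inactive'] ) && empty( $findings['outdated'] ) ) {
        return;
    }

    // Escape the plugin names: they come from plugin headers, i.e. third-party text.
    echo '<div class="notice notice-warning"><p><strong>Plugin hygiene</strong></p>';
    if ( ! empty( $findings['outdated'] ) ) {
        echo '<p>Updates pending: ' . esc_html( implode( ', ', $findings['outdated'] ) ) . '</p>';
    }
    if ( ! empty( $findings['inactive'] ) ) {
        echo '<p>Installed but inactive (consider deleting): '
           . esc_html( implode( ', ', $findings['inactive'] ) ) . '</p>';
    }
    echo '</div>';
} );
```

One caveat: on a multisite installation, network-activated plugins are recorded in the `active_sitewide_plugins` site option rather than in `active_plugins`, so this example would list them as inactive; a multisite deployment should merge the keys of that option into the active list before calling the classification function.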

Siman said the process of notifying and working with developers to get vulnerabilities fixed was a challenge. Although the developers were generally receptive to receiving the reports, “the process can be improved,” Siman said.

In the report, Checkmarx named only the plugins whose vulnerabilities had been fixed; the remaining ones were not identified.

Checkmarx was careful to note that the problem isn’t unique to WordPress. While the survey looked only at WordPress plugins because of the platform’s immense popularity, other content management platforms and other Web software suffer similar problems. Hackers exploit vulnerable applications to access sensitive information such as personally identifiable information, health records, and financial details, researchers wrote in the report.

“Application marketplaces should enforce a security standard for the third-party apps and authorize only those apps that pass the security bar,” Siman suggested.

The full report from Checkmarx is available here in PDF format.
