Top WordPress Plugins Contain Serious Security Vulnerabilities

After analyzing many of the most popular WordPress plugins, researchers found many of them contained serious security vulnerabilities.

Of the top 50 most downloaded plugins for the WordPress platform, 18 were vulnerable and could be exploited to infect Websites and distribute malware, Maty Siman, the CTO of Checkmarx, told SecurityWeek. Out of the top 10 most popular e-commerce plugins, seven contained serious security flaws. Two were directly from the WordPress team and affected BuddyPress, and several dealt with online payments or interacted with Facebook and other social networks, Siman said.

[Image: WordPress Plugin Vulnerabilities]

The 18 plugins had been downloaded a total of 18.5 million times, and the seven e-commerce plugins had been downloaded 1.7 million times, Checkmarx said in its “The Security State of WordPress Top 50 Plugins” report.

Siman said he was surprised the team found so many vulnerable plugins. “I thought we wouldn’t find anything,” Siman said, noting that these were “high-profile plugins.”

Checkmarx conducted the test in two phases by scanning the plugins in both January and June. In the first wave, Checkmarx scanned the top 50 plugins and identified 18 which were vulnerable. In the second wave, Checkmarx scanned those 18 plugins again, which had been updated at least once in the interim, and found that only six had been fixed.

Siman had expected that the top 50 plugins would be less vulnerable to common issues such as SQL injection and cross-site scripting.

In the June test, researchers found that over 20 percent of the 50 most popular add-ons could be exploited by a number of common attacks, such as SQL injection and cross-site scripting. This means that attackers can easily take an automated exploit kit, point it at a WordPress site and compromise it, Siman said.

“If the plugin is vulnerable, so is the Website,” Siman said.

Website administrators can take a few steps to protect their sites against vulnerable plugins. Administrators should download plugins only from reputable sources, such as the official plugin directory for WordPress and the official marketplaces for other platforms. They should also scan their own Websites with the plugin installed to verify there are no vulnerabilities. If they have the source code, which is likely for most open-source plugins, administrators should go ahead and run a static source code analysis tool to verify the plugin’s security.

Just because the plugin comes from an official source does not guarantee its security, although it is a good place to start, Siman said.

It’s important to always ensure all plugins are up-to-date. Don’t ignore the notifications about an upgraded plugin, or postpone them “to do it later,” Siman warned. Administrators should also remove plugins that aren’t being used. Even if a plugin isn’t actively being used, having vulnerable code on the Web server is a risk, and one not worth keeping around.
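The two hygiene steps above (update what is outdated, remove what is unused) are easy to automate. The following is an added example, not code from the article or from Checkmarx: it triages the JSON that WP-CLI's `wp plugin list --format=json` prints and emits the corresponding `wp plugin` commands as a plan for an administrator to review. The sample input is constructed, and the field names (`name`, `status`, `update`, `version`) are assumed from WP-CLI's output format.

```python
import json

# Constructed sample of `wp plugin list --format=json` output; the plugin
# names are made up and the field names are an assumption about WP-CLI.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "contact-form", "status": "active", "update": "available", "version": "1.2.0"},
    {"name": "seo-helper", "status": "inactive", "update": "none", "version": "3.0.1"},
    {"name": "gallery", "status": "inactive", "update": "available", "version": "0.9.8"},
    {"name": "cache-booster", "status": "active", "update": "none", "version": "2.4.0"},
])


def triage_plugins(wp_list_json):
    """Classify plugins into those to update and those to remove.

    Inactive plugins are slated for removal regardless of update state:
    unused code on the server is still reachable attack surface, so
    deleting it beats patching it. Active plugins with a pending update
    are slated for update. Returns sorted name lists for determinism.
    """
    update, remove = [], []
    for plugin in json.loads(wp_list_json):
        name = plugin["name"]
        if plugin.get("status") == "inactive":
            remove.append(name)
        elif plugin.get("update") == "available":
            update.append(name)
    return {"update": sorted(update), "remove": sorted(remove)}


def wp_cli_plan(triage):
    """Render the triage result as WP-CLI commands for an admin to review.

    `wp plugin update` and `wp plugin delete` are real WP-CLI subcommands;
    the plan is printed rather than executed so nothing is removed blindly.
    """
    commands = [f"wp plugin update {n}" for n in triage["update"]]
    commands += [f"wp plugin delete {n}" for n in triage["remove"]]
    return commands


if __name__ == "__main__":
    for cmd in wp_cli_plan(triage_plugins(SAMPLE_WP_PLUGIN_LIST)):
        print(cmd)
```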

Siman said the process of notifying and working with developers to get vulnerabilities fixed was a challenge. Although the developers were generally receptive to receiving the reports, “the process can be improved,” Siman said.

In the report, Checkmarx named only the plugins whose vulnerabilities had been fixed. The remaining ones were not identified.

Checkmarx was careful to note that the problem wasn’t unique to WordPress. While the survey looked only at WordPress plugins because of the platform’s immense popularity, other content management platforms and other Web software suffer similar problems. Hackers exploit vulnerable applications to access sensitive information such as personally identifiable information, health records, and financial details, researchers wrote in the report.

“Application marketplaces should enforce a security standard for the third-party apps and authorize only those apps that pass the security bar,” Siman suggested.

The full report from Checkmarx is available here in PDF format.
