Unpatched plugins threaten millions of WordPress websites
A year-on-year surge has been observed in the number of security vulnerabilities found in the WordPress ecosystem.
The number of flaws reported in plugins and themes for WordPress was 150% higher in 2021 than in 2020, according to researchers at WordPress security firm Patchstack. As many as 29% of critical vulnerabilities were never patched.
WordPress powers just over 40% of all websites, but bugs in plugins and themes can render those sites vulnerable to SQL injection, arbitrary file upload, remote code execution (RCE) or privilege escalation attacks, among others.
Core strength, peripheral weakness
Patchstack’s State of WordPress Security report found that relatively few vulnerabilities affected WordPress core, which accounted for just 0.58% of WordPress security bugs in 2021. The problem instead lies in the profusion of third-party add-ons that broaden the platform’s functionality and appeal.
“WordPress has almost 60,000 free plugins available in the WordPress.org repository and almost 10,000 themes,” Oliver Sild, CEO of Patchstack, told The Daily Swig. “These are all written by different people with different coding skills.”
Sild said the jump in bugs detected is “most likely because there is more and more security attention on WordPress. The majority of these vulnerabilities have existed for years.”
According to Sild, plugin and theme developers often fail to update their products. When patches fail to materialize for known bugs, the only sensible available options are to delete the plugin or use a third-party WordPress security tool to apply a virtual patch. “Users of those plugins just see everything is updated and have no option to patch the plugin,” said Sild.
‘Full site compromise’
Patchstack gathered data from some 50,000 websites that use its own WordPress security tool.
Researchers found more than 50 critical vulnerabilities in themes and 35 in plugins. Alarmingly, two of the vulnerabilities were in plugins found in more than one million websites.
“All of these security bugs pose significant risk until sites can update their plugins, because successful attacks would result in full site compromise,” Patchstack security advocate Robert Rowley told The Daily Swig.
The researchers found that 12.4% of WordPress theme vulnerabilities had a CVSS score of between 9 and 10, the maximum severity. The most serious flaw was an arbitrary file upload bug threatening full site compromise. This affected 10 themes.
Site owners or webhosts can protect their sites from arbitrary file upload flaws by disallowing execution of PHP files in file upload directories, which would not affect legitimate media uploads such as images or videos. Organizations can do this via the Apache .htaccess file, Nginx rules, or a web application firewall rule.
To counter vulnerabilities, Rowley advises that site owners use only plugins and themes that are reliably kept up to date.
Some of the riskier plugins have been in use – and unpatched – for years.
“All plugins can contain vulnerable code,” he said. “Having a developer who is active with their project and is providing regular updates, especially security updates, is an important consideration for site owners who are choosing which plugins to add to their WordPress websites.
“Relying on auto-updates may not be enough, because some insecure components never receive a patch.”