Unpatched plugins threaten millions of WordPress websites
A year-on-year surge has been observed in the number of security vulnerabilities found in the WordPress ecosystem.
WordPress powers just over 40% of all websites, but bugs in plugins and themes can render those sites vulnerable to SQL injection, arbitrary file upload, remote code execution (RCE) or privilege escalation attacks, among others.
Core strength, peripheral weakness
Patchstack’s State of WordPress Security report found that relatively few vulnerabilities affected WordPress core, which accounted for just 0.58% of WordPress security bugs in 2021. The problem instead lies in the profusion of third-party add-ons that broaden the platform’s functionality and appeal.
“WordPress has almost 60,000 free plugins available in the WordPress.org repository and almost 10,000 themes,” Oliver Sild, CEO of Patchstack, told The Daily Swig. “These are all written by different people with different coding skills.”
Sild said the jump in bugs detected is “most likely because there is more and more security attention on WordPress. The majority of these vulnerabilities have existed for years.”
According to Sild, plugin and theme developers often fail to update their products. When patches fail to materialize for known bugs, the only sensible available options are to delete the plugin or use a third-party WordPress security tool to apply a virtual patch. “Users of those plugins just see everything is updated and have no option to patch the plugin,” said Sild.
‘Full site compromise’
Patchstack gathered data from some 50,000 websites that use its own WordPress security tool.
Researchers found more than 50 critical vulnerabilities in themes and 35 in plugins. Alarmingly, two of the vulnerabilities were in plugins found in more than one million websites.
The researchers found that 12.4% of WordPress theme vulnerabilities had a CVSS score of between 9 and 10, the maximum severity. The most serious flaw was an arbitrary file upload bug threatening full site compromise. This affected 10 themes.
Site owners or web hosts can protect their sites from arbitrary file upload flaws by disallowing execution of PHP files in file upload directories, which would not affect legitimate media uploads such as images or videos. Organizations can do this via the Apache .htaccess file, Nginx rules, or a web application firewall rule.
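The following is an added example, not configuration from the article or from Patchstack: an Apache .htaccess that refuses to serve anything PHP-like from the upload tree while still serving images and videos normally. It assumes Apache 2.4, WordPress's default wp-content/uploads path, and that AllowOverride permits FilesMatch and Require in .htaccess; none of these details come from the article.

```apache
# Added example (not from the article). Place at wp-content/uploads/.htaccess
# (default WordPress upload path; assumption, not stated in the article).
#
# Match any file whose name contains a PHP-handled extension, either at the end
# (shell.php) or followed by another extension (shell.php.jpg), which some
# AddHandler configurations would still pass to the PHP interpreter.
# (?i) makes the match case-insensitive so SHELL.PHP is covered too.
<FilesMatch "(?i)\.(php|phtml|phar|phps|php[3-8])(\.|$)">
    Require all denied
</FilesMatch>

# If PHP runs as an Apache module, also switch the engine off for this tree.
# The block is skipped when PHP runs via FPM, where the FilesMatch above applies.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# Nothing here touches .jpg, .png, .mp4 or other media: they are served as before.
```

The Nginx equivalent is a `location` block for the same path that returns 403 for the same filename pattern before any `fastcgi_pass` rule can see it.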
Cross-site scripting (XSS) issues were also prevalent, accounting for almost half of the vulnerabilities in Patchstack’s database. These can lead to HTML or JavaScript injections that redirect users to malicious sites or inject adverts.
Due diligence
To counter vulnerabilities, Rowley advises that site owners use only plugins and themes that are reliably kept up to date.
Some of the riskier plugins have been in use – and unpatched – for years.
“Relying on auto-updates may not be enough, because some insecure components never receive a patch.”
Text property of: https://portswigger.net/daily-swig/unpatched-plugins-threaten-millions-of-wordpress-websites