Web application security firm RIPS Technologies researchers have recently analysed 44,70 WordPress Plugins out of the 48,000 Plugins present in the official WordPress plugins directory. They found that 8,800 of these Plugins have at least one vulnerability in them.
HOW THEY ANALYSED
First, the researchers downloaded all the plugins and then used a static code analyser to find the ones that have at least one PHP file. An analysis of the size of these plugins showed that roughly 14,000 of them have only 2-5 files and only 10,500 of them have more than 500 lines of code.
Researchers determined that of the plugins with more than 500 lines of code, which have been classified as “larger plugins,” 4,559, or 43 percent of the total, contain at least one medium severity issue (e.g. cross-site scripting).
RIPS’s analysis showed that nearly 36,000 of the plugins did not have any vulnerabilities and 1,426 had only low severity flaws. Medium severity bugs have been identified in more than 4,600 plugins, while high and critical security holes have been found in 2,799 and 41 plugins, respectively.
A total of 67,486 vulnerabilities has been discovered in the plugins, which indicates that the applications that do have flaws have a lot of them. Experts noted that a majority of plugins don’t have weaknesses due to their small size (i.e. have fewer lines of code).
As for the types of vulnerabilities affecting these plugins, unsurprisingly, more than 68% are cross-site scripting (XSS) issues and just over 20% are SQL injections. XSS flaws can pose a serious risk in the case of WordPress websites, but exploiting them requires administrator interaction. SQL injections, on the other hand, can be exploited without user interaction and attacks can be automated.
Between January and December 2016, a honeypot operated by RIPS captured more than 200 attacks targeting WordPress plugins, including 69 against Revolution Slider, 46 against Beauty & Clean Theme, 41 against MiwoFTP and 33 against Simple Backup. These attacks involved easy-to-exploit vulnerabilities that were known and well documented.
RIPS pointed out that they may not have found all the vulnerabilities affecting the plugins they analysed, and it’s uncertain if the flaws they identified are exploitable.