
Be wary of WordPress plugin vulnerabilities

WordPress plugins are highly vulnerable, according to a recent report.

Various web applications and platforms are coming under fire for being poorly coded (from a security perspective), and the usual suspects among common vulnerabilities (SQL injection, XSS, broken authentication) are still a major issue. A recent report from Checkmarx indicates that a significant portion of the plugins within WordPress are highly vulnerable. WordPress is one of the most popular content management systems in use today (more than 60 million websites). Currently, any developer can add a WordPress extension to enhance the basic platform. As is the problem with many online environments, there are no security requirements or framework to which a plugin developer needs to adhere.

Checkmarx, a provider of code analysis tools and static code analysis, identified that more than ten of the fifty (over 20%) most popular WordPress plugins are vulnerable to common web attacks, such as SQL injection (check out the OWASP top ten list). A deeper dive revealed that seven out of the ten most popular ecommerce plugins (within WordPress) contain systemic vulnerabilities. Nearly eight million vulnerable WordPress plugins have been downloaded.

WordPress is used by a wide variety of small to midsize companies. The plugin vulnerabilities can be exploited to access sensitive information, or to allow sites to be easily defaced, redirected to a nefarious site, or made part of a larger botnet that serves up malware to site visitors. The real concern with the ecommerce plugins (involving shopping carts, social media, customer profiles) is that they have access to consumers' personally identifiable information and potentially credit card information as well.

Maty Siman, the founder and CTO of Checkmarx, described how the issues in their report lie within WordPress's extensive plugin offerings and not with the underlying platform. The security gap exists between the platform and the relative free-for-all within the realm of unchecked plugins. The issue of vulnerable plugins is not confined to WordPress; it is a problem indicative of any marketplace that provides third-party extensions and applications.

In the interim, a handful of the plugins had their security flaws addressed and were fixed. Siman strongly believes, however, that websites running the vulnerable plugin versions still remain outdated and unfixed due to the dearth of security knowledge (especially among WordPress's SMB clientele, who do not have full-time IT security staff) and lack of resources (staff and/or time).

What to do?

If your small business makes use of WordPress, what should you do? Unfortunately, there are no easy answers, especially for the SMBs (or mom-and-pop ecommerce sites) that put a great deal of trust in the plugin developers. The main issue is the lack of accountability. Developers need to abide by secure coding best practices and focus on making useful and secure plugins. Write a posting in the WordPress support forums stating that you want better enforcement and security code checking on all third-party plugins and extensions. Start demanding better security practices from the platforms and vendors that you rely on for your business!

I do suggest that you peruse the Checkmarx report; it is an interesting read.

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

2 comments

nhoeller

From personal experience, one of the issues with WordPress plugins is an apparent lack of any central reporting system. A WordPress website that I host was hit by hackers through a vulnerability in a plug-in. The developer fixed the code without fanfare, which means others may still be running the vulnerable version. In contrast, Drupal is supported by a security team that gathers security reports, ensures that they are fixed and informs the Drupal community in a timely fashion.