582 WordPress security issues detected in 2020, over 96% from third-party plugins – WordPress Tavern
Patchstack, which recently changed its name from WebARX, released its Security White Paper 2020. The report identified a total of 582 security vulnerabilities. However, only 22 of the issues were from WordPress itself. Third-party plugins and themes made up the remaining 96.22%.
“These are all security issues that have been revealed by Patchstack’s internal research team, the Patchstack Red Team community, third-party security vendors, and other independent security researchers,” said Oliver Sild, Founder and CEO of Patchstack. “So that includes all public information about the vulnerabilities.”
Patchstack is a security company that focuses on third-party WordPress plugins. Its vulnerability database is public and accessible to all.
In the second quarter of 2020, Patchstack surveyed nearly 400 web developers, freelancers, and web security agencies. “Over 70% responded that they were increasingly worried about the security of their website, and the main reason was ‘third party plugins vulnerabilities’,” according to the white paper. “About 45% of respondents saw an increase in attacks against the websites they managed, and 25% had faced a hacked website in the month before they took part in the survey.”
At the top of the ranking, 211 of the vulnerabilities found were Cross-Site Scripting (XSS) issues, or 36.2% of the total.
“XSS in WordPress plugins almost always happens because user input data is printed directly to the screen without any sanitization,” Sild said. “esc_html would be used to convert certain characters to their HTML entities, so it will literally be printed on the screen. Then you also have esc_attr for user input variables, which should be used in HTML attributes. There are many good resources published by OWASP (The Open Web Application Security Project), such as ‘Secure Encoding Practices’.”
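The pattern Sild describes, as an added example that is not code from the article or from Patchstack: a hypothetical plugin echoes a search term from the request back into the page, first unescaped (the vulnerable form) and then escaped for each output context with esc_html() and esc_attr(). The function names are WordPress core's; the stand-in definitions guarded by function_exists() are an assumption added so the file also runs from the PHP CLI outside WordPress, and they only approximate the core behaviour (core's esc_html() additionally checks for invalid UTF-8 and does not double-encode existing entities).

```php
<?php
// Added example, not from the article or Patchstack. Demonstrates reflected XSS
// from unescaped output and the context-specific escaping that prevents it.

// Stand-ins so this runs from the CLI without WordPress loaded (assumption):
// inside WordPress the real esc_html()/esc_attr() from wp-includes are used.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// Vulnerable: the raw request value is concatenated into a text node and into
// a quoted attribute. A value containing " or < leaves the intended context.
function vulnerable_search_box( $term ) {
	return '<p>Results for ' . $term . '</p>' . "\n"
		. '<input type="text" name="s" value="' . $term . '">';
}

// Hardened: escape at output time, for the context the value lands in.
// esc_html() for HTML text, esc_attr() for a quoted attribute value.
// Neither is right for a URL (esc_url) or inline JavaScript (wp_json_encode).
function hardened_search_box( $term ) {
	return '<p>Results for ' . esc_html( $term ) . '</p>' . "\n"
		. '<input type="text" name="s" value="' . esc_attr( $term ) . '">';
}

// Constructed attacker input (not from the report): closes the value attribute
// and the input tag, then injects a script element.
$payload = '"><script>alert(document.cookie)</script>';

// Inside a plugin the value would come from $_GET['s'] via wp_unslash();
// here it is supplied directly so the script runs stand-alone.
echo "Vulnerable output:\n" . vulnerable_search_box( $payload ) . "\n\n";
echo "Hardened output:\n" . hardened_search_box( $payload ) . "\n";
```

In the vulnerable output the payload's leading `"` terminates the attribute and the browser parses a live script element; in the hardened output every `"`, `<` and `>` is emitted as an entity, so the same bytes render as literal text. Escaping must match the context: esc_attr() only protects a quoted attribute, so an unquoted `value=` is still injectable, and text placed inside a script block or an href needs the escaping function for that context instead.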
Injection vulnerabilities rank second with 70 unique cases. This was followed by 38 cross-site request forgery (CSRF) issues and 29 cases of sensitive data exposure.
“The vulnerabilities found in plugins and themes tend to be more severe than those found in the core of WordPress,” Sild wrote in the white paper. “What makes it worse is that many popular plugins have millions of active installations, and the numbers aren’t pretty when you look at the number of websites affected by vulnerable plugins.”
The total number of active and vulnerable theme and plugin installations throughout the year was 70 million. According to WordCamp Central, WordPress is installed on 75 million websites. The 70 million figure counts installations rather than sites: many sites probably ran more than one vulnerable plugin in 2020, so it does not mean 70 million individual at-risk sites.
Patchstack surveyed 50,000 websites and found that they had an average of 23 active plugins at a time. About four at each site were out of date with an upgrade available, often increasing the risk of a security issue.
WordPress plugins accounted for 478 vulnerabilities in the report. Themes, by contrast, accounted for only 82 unique issues. While themes usually have a much more limited scope, they can do anything a plugin can do, with few exceptions.
It’s not surprising to see this number lower for themes. However, one has to wonder whether the current plan to relax the WordPress.org theme directory review guidelines will take this into account in the coming year or two. Currently, official directory reviewers perform in-depth code checks that may be more likely to spot issues before themes reach users. If the tradeoff is better automation, it could also mean stricter coding standards and catching security concerns that human reviewers might miss.
“Third-party code vulnerabilities remain one of the biggest threats to websites built on WordPress,” Sild concluded in the report. “We are already seeing growth in the unique vulnerabilities reported in WordPress plugins and themes comparing 2020 with the start of 2021.”