Many Critical WordPress Security Flaws Are Never Patched

Plugins for WordPress, or more precisely – free WordPress plugins, are a veritable primordial soup of flaws and vulnerabilities, many of which allow threat actors to completely take control of the target website, and many of which – are never corrected.

That’s the grim conclusion of a report from Patchstack, a company that provides threat intelligence and security tools for the popular website-building platform.

According to the report, the number of WordPress-related vulnerabilities increased by 150% in 2021 compared to the previous year. Of these vulnerabilities, only 0.58% are in the core of WordPress, the real website builder. More than nine out of ten (91.38%) were in free plugins, and 8.62% in commercial plugins.

Almost a third (29%) of critical flaws found in WordPress plugins are never fixed. The good news is that plugins that aren’t patched eventually get thrown out of the plugin repository. The report states that nine plugins never received patches and were later removed.

Last year, the company discovered five critical-severity vulnerabilities, affecting a total of 55 WordPress themes. One of them abused file download features, which was a particularly dangerous discovery. Among the plugins, Patchstack found 35 critical vulnerabilities, two of which were present in four million websites.

Patchstack further found that the most commonly reported flaw was cross-site scripting (XSS), followed by “mixed” cross-site request forgery, SQL injections, and arbitrary file uploads.

The average WordPress site has 18 components installed, at least one of which contains a dangerous vulnerability. The report says the number is down from the average of 23 plugins installed the previous year.

Of all the vulnerable plugins, the most popular targets last year were OptinMonster, PublishPress Capabilities, Booster for WooCommerce plugin, and Image Hover Effects Ultimate plugin.

Almost half (43.2%) of all websites on the internet are powered by WordPress.

Via: BleepingComputer

Comments are closed.