Data confirms an increase in WordPress vulnerabilities

WordPress security researchers at Patchstack released their annual State of WordPress Security white paper showing an increase in critical and high severity vulnerabilities, highlighting the importance of security for all websites in the WordPress platform.

XSS is the top WordPress vulnerability of 2023

There are many types of vulnerabilities, but the most common by far was cross site scripting (XSS), accounting for 53.3% of all new WordPress security vulnerabilities.

XSS vulnerabilities generally occur because user input is not sufficiently “sanitized,” that is, checked so that any input not conforming to what is expected is rejected, and then escaped before it is written into a page. Patchstack shared that the Freemius framework, a third-party managed e-commerce platform, was the source of a single XSS flaw inherited by more than 1,200 plugins, representing 21% of all new XSS vulnerabilities discovered in 2023.

The Freemius Software Development Kit (SDK) is used as a component of more than 1,200 plugins that are in turn installed on more than 7 million WordPress sites. This highlights the issue of supply chain vulnerabilities where a component is used as part of a WordPress plugin that subsequently increases the scope of a vulnerability beyond a single plugin.

The Patchstack report explained:

“This year we have once again seen how a single cross-site scripting vulnerability in the Freemius framework resulted in 1,248 plugins inheriting the security vulnerability, exposing their users to risk.

21% of all new vulnerabilities discovered in 2023 can be traced back to this single flaw. It is vital that developers choose their stack carefully and quickly apply security updates when they become available.”
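To make the “insufficient sanitization” point above concrete, here is an added example (not code from Patchstack, Freemius or any real plugin) of a made-up WordPress shortcode written twice: once echoing untrusted values straight into HTML, and once with WordPress’s own sanitize-on-input and escape-on-output functions. The shortcode name and its attributes are invented for illustration.

```php
<?php
// Added example: hypothetical "demo_greeting" shortcode, vulnerable and hardened.

// Vulnerable form: shortcode attributes and a query-string value are written
// into the page verbatim, so whoever controls them controls the rendered HTML.
// This is the pattern behind most plugin XSS findings.
function demo_greeting_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'name' => 'visitor', 'link' => '#' ), $atts, 'demo_greeting'
    );
    $ref = isset( $_GET['ref'] ) ? $_GET['ref'] : '';
    return '<p class="greet" data-ref="' . $ref . '">Hello, ' . $atts['name']
         . ' <a href="' . $atts['link'] . '">more</a></p>';
}

// Hardened form: sanitize on input, escape on output, and pick the escaping
// function that matches the HTML context each value lands in.
function demo_greeting_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'name' => 'visitor', 'link' => '#' ), $atts, 'demo_greeting'
    );
    // Input sanitization: strips tags, line breaks and invalid octets.
    $name = sanitize_text_field( $atts['name'] );
    $ref  = isset( $_GET['ref'] )
        ? sanitize_text_field( wp_unslash( $_GET['ref'] ) ) : '';
    // Output escaping: esc_attr() inside an attribute, esc_html() in a text
    // node, esc_url() for href so disallowed schemes such as javascript: are
    // dropped rather than rendered.
    return '<p class="greet" data-ref="' . esc_attr( $ref ) . '">Hello, '
         . esc_html( $name )
         . ' <a href="' . esc_url( $atts['link'] ) . '">more</a></p>';
}

// Only the hardened handler is registered; the unsafe one is kept for contrast.
add_shortcode( 'demo_greeting', 'demo_greeting_safe' );
```

When reviewing a plugin, the quickest audit is to grep for every `echo`/`return` that builds HTML and confirm each interpolated value passes through an `esc_*` function appropriate to its context.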

More vulnerabilities rated high or critical

Vulnerabilities are assigned a severity score that corresponds to how damaging a discovered flaw is. The ratings are low, medium, high and critical.

In 2022, 13% of new vulnerabilities were classified as high or critical. This percentage shot up in 2023 to 42.9%, meaning there were more destructive vulnerabilities in 2023 than the previous year.

Authenticated vs. Unauthenticated Vulnerabilities

Another metric that appears in the report is the percentage of vulnerabilities that do not require authentication (unauthenticated), meaning the attacker does not need any level of user permission to launch an attack.

Flaws that require an attacker to have administrator-level or subscriber-level permissions set a higher bar for attackers to overcome. Unauthenticated vulnerabilities do not require the attacker to obtain any permission level first, which makes this type of vulnerability more worrisome because it can be exploited through automated attacks, such as bots that probe sites for the vulnerability and then launch attacks automatically wherever it is found.

Patchstack found that 58.9% of all new vulnerabilities required no authentication.

Abandoned plugins increase as a risk factor

Another major cause of vulnerabilities is the large number of abandoned plugins. In 2022, Patchstack reported 147 deprecated plugins and themes on WordPress.org and of these 87 were removed and the rest were patched.

In 2023, the number of deprecated plugins increased from 147 in 2022 to 827 plugins and themes in 2023. While 87 vulnerable deprecated plugins were removed in 2022, 481 were removed in 2023.

Patchstack noted:

“We reported 404 of these plugins in a single day to draw attention to the ‘zombie plugin pandemic’ in WordPress. These ‘zombie’ plugins are components that appear safe and up-to-date at first glance, but may contain unpatched security issues. Also, these plugins remain active on user sites even if they are removed from the WordPress plugin repository.”

Most popular plugins with vulnerabilities

As mentioned above, severity ratings range from low, medium, high, and critical. Patchstack compiled a list of the most popular plugins with vulnerabilities.

In 2022 there were 11 popular plugins with more than one million active installations that contained vulnerabilities. In 2023, Patchstack lowered the install bar from one million to over 100,000 installs. However, despite making the list easier to qualify for, only 9 popular plugins were found to have a vulnerability, far fewer than in 2022.

In 2022, only five of the 11 most popular plugins with vulnerabilities contained a high-severity vulnerability, none contained a critical-level vulnerability, and the rest were medium-severity.

These numbers got significantly worse in 2023. Despite lowering the threshold for what is considered a popular plugin, all nine plugins on the list contained critical-level vulnerabilities. The vast majority of plugins on this list, six out of nine, contained unauthenticated vulnerabilities, meaning exploits are easy to scale with automation. The remaining three that required authentication only required subscriber-level access, which is the easiest level of permission to acquire: an attacker only has to sign up and verify an email address, which can also be scaled with automation.

List of the most popular plugins with vulnerabilities

Essential Plugins for Elementor: 1M+ installs (severity rating 9.8)
WP Fastest Cache: 1M+ installs (severity rating 9.3)
Gravity Forms: 940k installs (severity rating 8.3)
Fusion Builder: 900k installs (severity rating 8.5)
Flatsome (theme): 86.18k installs (severity rating not listed)
WP Statistics: 600k installs (severity rating 9.9)
Forminator: 400k installs (severity rating 9.8)
WPvivid Backup and Migration: 300k installs (severity rating 8.8)
JetElements for Elementor: 300k installs (severity rating 8.2)

The state of WordPress security is worse

If you think there are more vulnerabilities than ever lately, now you know why: the statistics speak for themselves. There were more vulnerabilities in 2023, and a greater percentage of them are rated high or critical and can be exploited with automation at scale.

This means that all publishers need to improve their security and make sure that someone takes responsibility for auditing their plugins and themes regularly to ensure that they are updated and actively maintained.

SEOs should take this into account because security quickly becomes a ranking issue when Google removes a hacked site from search results. Many SEOs who perform site audits don’t even do the most basic security checks, like checking that security headers are in place, which I do as part of every audit. Always make sure to talk to customers about their security so that they are aware of the risks.

Patchstack is an example of a service that automatically protects WordPress sites against vulnerabilities even before the plugin issues a patch to fix the vulnerability. These types of services are important in creating a defense against piracy and loss of search visibility and earnings.

Read the Patchstack report:

State of WordPress Security in 2023

Featured image by Shutterstock/Iurii Stepanov
