Many critical WordPress security flaws are never fixed

Plugins for WordPress, or more precisely, free WordPress plugins, are a veritable primordial soup of flaws and vulnerabilities, many of which allow threat actors to take full control of the target website, and many of which are never corrected.

That's the grim conclusion of a report by Patchstack, a company that provides threat intelligence and security tools for the popular website-building platform.

According to the report, the number of WordPress-related vulnerabilities increased by 150% in 2021 compared to the previous year. Of these vulnerabilities, only 0.58% were found in WordPress core, the website-building software itself. More than nine out of ten (91.38%) were in free plugins and 8.62% in commercial plugins.

Nearly a third (29%) of critical bugs found in WordPress plugins are never fixed. The good news is that plugins that are not patched are eventually removed from the plugin repository. The report indicates that nine plugins never received patches and were later removed.

Last year, the company discovered five critical-severity vulnerabilities that affected a total of 55 WordPress themes. One of them, which abused the file download feature, was a particularly dangerous discovery. Among the plugins, Patchstack found 35 critical vulnerabilities, two of which were present on four million websites.

Patchstack further found that the most commonly reported flaw was cross-site scripting (XSS), followed by "mixed" cross-site request forgery (CSRF), SQL injection, and arbitrary file upload.

The average WordPress site has 18 components installed, at least one of which contains a dangerous vulnerability. The report notes that this is lower than the previous year's average of 23 installed plugins.

Of all the vulnerable plugins, the most popular targets last year were OptinMonster, PublishPress Capabilities, Booster for WooCommerce, and Image Hover Effects Ultimate.

Nearly half (43.2%) of all websites on the Internet are powered by WordPress.

Via: BleepingComputer