One in five WordPress plugins is vulnerable

Alexandra GHEORGHE

December 16, 2016

8,800 WordPress plugins carry at least one security vulnerability, according to a new study.

An extensive analysis of 47,959 WordPress plugins – almost the entire WordPress ecosystem – shows that “every second larger plugin contains at least one medium severity issue”.

Experts from RIPS Technologies scanned plugins hosted in the official WordPress repository and found that almost 4,500 large plugins – those with more than 500 lines of code – contain at least one medium severity issue, such as cross-site scripting.

Cross-site scripting (XSS) accounts for more than 68% of the issues found, and SQL injection for just over 20%.

XSS vulnerabilities have been around since the birth of the modern web and are still among the most prevalent threats affecting websites. Big companies such as Yahoo, eBay, PayPal, YouTube and Twitter have suffered XSS attacks. Yahoo has been so plagued that it open-sourced a set of XSS filters so other webmasters could review them.

“Cross-site scripting vulnerabilities are quite serious in WordPress because they can be used, for example, to inject PHP code through the template editor. Luckily, they do require interaction with an administrator though,” the blog post reads.
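The two bug classes the study counted most often, as an added illustration that is not part of the article or of the RIPS study: a hypothetical plugin shortcode written the vulnerable way and then the hardened way, once for XSS and once for SQL injection. It assumes a WordPress runtime (`$wpdb`, `esc_html`, `esc_attr`, `sanitize_text_field`, `wp_unslash`, `shortcode_atts`, `absint`, `add_shortcode`); the `demo_*` function names, the `demo_items` table and the shortcode names are invented.

```php
<?php
/*
 * Added illustration, not code from the article or the RIPS study.
 * Assumes a WordPress runtime; the demo_* names, the demo_items table
 * and the shortcode tags are hypothetical.
 */

// --- 1. Reflected XSS: user input echoed straight into the page ---------

// Vulnerable: the "q" query parameter is written into HTML unescaped.
// A crafted link such as ?q=<script>...</script> opened by a logged-in
// administrator runs in their session; from there the script can, for
// instance, submit the theme editor form to write PHP into a template,
// which is the escalation the quoted blog post describes.
function demo_search_box_vulnerable() {
    $q = isset($_GET['q']) ? $_GET['q'] : '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// Hardened: escape at output, choosing the escaper for the context
// (attribute value vs. HTML text). Escaping on output rather than on
// input is what makes the fix hold no matter where the value came from.
function demo_search_box_hardened() {
    $q = isset($_GET['q']) ? sanitize_text_field(wp_unslash($_GET['q'])) : '';
    return '<input type="text" name="q" value="' . esc_attr($q) . '">'
         . '<p>Results for ' . esc_html($q) . '</p>';
}

// --- 2. SQL injection: input concatenated into a query ------------------

// Vulnerable: $atts['id'] is interpolated into the SQL string. A shortcode
// attribute such as id="1 OR 1=1" (or a UNION SELECT) changes the query.
function demo_item_vulnerable($atts) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_items';
    $row = $wpdb->get_row("SELECT title FROM $table WHERE id = " . $atts['id']);
    return $row ? esc_html($row->title) : '';
}

// Hardened: coerce the attribute to the expected type and let
// $wpdb->prepare() bind it, so the input cannot alter the query's structure.
function demo_item_hardened($atts) {
    global $wpdb;
    $atts = shortcode_atts(array('id' => 0), $atts, 'demo_item');
    $id = absint($atts['id']);
    if ($id === 0) {
        return '';
    }
    $table = $wpdb->prefix . 'demo_items';
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT title FROM {$table} WHERE id = %d", $id)
    );
    return $row ? esc_html($row->title) : '';
}

add_shortcode('demo_search', 'demo_search_box_hardened');
add_shortcode('demo_item', 'demo_item_hardened');
```

The pattern in both fixes is the same: keep untrusted input as data. For HTML that means encoding at the point of output with the escaper that matches the context; for SQL it means binding values with `prepare()` rather than building the statement by string concatenation.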

Overall, though, the picture is better than the headline suggests: roughly 36,000 plugins are not affected by any vulnerability, around 1,000 have only low-severity issues, and 2,800 have high-severity holes.

“WordPress is not as insecure as its reputation would suggest,” the company added. “Rather it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them.”
