Thursday, 06 October 2022

New Report Shows WordPress Sites Leave 30% of Critical Vulnerabilities Unpatched.

PatchStack has pushed out a report showing that a shocking 30% of vulnerabilities in WordPress sites are left unpatched. This is not only a matter of site owners failing to apply patches (they are not applying them); the report illustrates that plugin vendors are not properly updating their own tools and software to address security issues. WordPress is one of the most popular content management systems available and has a very broad ecosystem of plugins, themes, and other bolt-on components that make it even more flexible and usable.

The same ecosystem that makes WordPress so attractive also makes it vulnerable. According to the PatchStack report, the core WordPress CMS was responsible for less than 1% of the vulnerabilities discovered in 2021. The other 99% were in themes and plugins. This was in a year in which reported vulnerabilities grew by 50%. The most commonly vulnerable add-ons, as you might have guessed, are the free themes and plugins: more than 90% of reported flaws were found in these free components.

Many of the vulnerabilities related to abusing file uploads, SQL injection, and privilege escalation bugs, but they also included the usual suspects such as Cross-Site Scripting and Cross-Site Request Forgery. Due to the popularity of some of these plugins, a single critical flaw in one plugin can affect many sites, which makes WordPress as popular a target for attackers as it is a platform for people and companies to run their own sites. This becomes even clearer when you consider that while critical vulnerabilities accounted for only around 4% of all vulnerabilities reported in 2021, almost 30% of those never received an update to fix the issue.

WordPress is a great tool and one that, as we mentioned, offers a lot of options to enhance the content and functionality of a site. However, site administrators need to keep on top of the updates, patches and vulnerabilities that exist in the plugins they use on the site. Not doing so leaves them open to attack and, under the right conditions, to compromise and exfiltration of sensitive data. Nothing like having someone target an unprotected REST API that could leak your client list because you chose the wrong plugin to handle signups for your newsletter (as was the case with OptinMonster version 2.6.4 and below).
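As an added example (not code from the article or from PatchStack), here is a small Python check an administrator could run over a plugin inventory: it reads the version from each plugin's main-file header, the same header WordPress itself parses, and compares it numerically against an advisory list of "affected up to and including" versions. The plugin headers and the "example-forms" advisory entry are constructed for illustration; the OptinMonster 2.6.4 ceiling is the one the article cites.

```python
"""Flag installed WordPress plugins whose version is at or below a known
affected release. Added example, not part of the original article."""
import re

# Constructed plugin main-file headers, keyed by path relative to wp-content/plugins.
# WordPress reads "Plugin Name" and "Version" from this comment block, so it is a
# reliable source for an inventory.
PLUGIN_HEADERS = {
    "optinmonster/optin-monster-wp-api.php": """<?php
/**
 * Plugin Name: OptinMonster
 * Version: 2.6.4
 */""",
    "example-forms/example-forms.php": """<?php
/*
Plugin Name: Example Forms
Version: 3.10.1
*/""",
}

# Constructed advisory list: plugin slug -> highest affected version ("and below").
# Only the OptinMonster entry comes from the article; example-forms is made up.
ADVISORIES = {
    "optinmonster": "2.6.4",
    "example-forms": "3.9.0",
}


def parse_version(text):
    """Turn '3.10.1' into (3, 10, 1) so comparison is numeric, not lexical
    (as strings, '3.10.1' < '3.9.0', which would miss a patched plugin)."""
    return tuple(int(part) for part in text.strip().split("."))


def plugin_version(header):
    """Extract the Version: header value, or None if the block has none."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header, re.MULTILINE)
    return match.group(1) if match else None


def vulnerable_plugins(headers=PLUGIN_HEADERS, advisories=ADVISORIES):
    """Return {slug: installed_version} for plugins still at or below an
    advisory's affected ceiling, i.e. those that need an update or removal."""
    flagged = {}
    for path, header in headers.items():
        slug = path.split("/")[0]  # the plugin directory name is its slug
        version = plugin_version(header)
        if slug in advisories and version is not None:
            if parse_version(version) <= parse_version(advisories[slug]):
                flagged[slug] = version
    return flagged
```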

Happy Patching
