WordPress security vulnerabilities increase by 142%

By: Rob Corbidge, 20 January 2022


New data points to an alarming rise in exploitable vulnerabilities in the WordPress plugin ecosystem, and businesses are being urged to change how they deal with them

New data from Risk Based Security (RBS) points to an unusually large rise in the number of vulnerabilities associated with WordPress plugins in the past year, larger than previous years' figures would have predicted.

RBS reports that "10,359 vulnerabilities were reported to affect third-party WordPress plugins at the end of 2021. Of those, 2,240 vulnerabilities were disclosed last year, which is a 142% increase compared to 2020".

WordPress is a hugely popular platform and, by sheer volume of installs alone, is exposed to security threats like no comparable platform.

Yet, importantly, RBS notes that while organisations concentrate on threats rated critical, attackers targeting WordPress plugins concentrate on whatever can actually be exploited, whatever its severity rating.

As RBS discovered, the vast majority of WordPress plugin vulnerabilities are exploitable:

  • 7,592 WordPress vulnerabilities are remotely exploitable
  • 7,993 WordPress vulnerabilities have a public exploit
  • 4,797 WordPress vulnerabilities have a public exploit, but no CVE ID

"This intelligence gap is made even worse when considering the state of the WordPress plugin ecosystem. There are over 58,000 free plugins for download, with tens of thousands more available for purchase. Unfortunately, few of them are designed with security in mind, so one vulnerability could potentially affect millions of users," notes RBS.

Attacks such as those using malware created by ALFA TEaM are designed to stay undetected: the compromised site is simply a conduit to the group's real targets in, for example, the aerospace or energy industries.

Some industry figures are already urging a different approach to security. Mitchell Schneider, principal analyst at Gartner, recently encouraged organisations to make vulnerability management less about mass patching and more about prioritising the most exploitable vulnerabilities.

"There's no inherent correlation between the vulnerability and if threat actors are exploiting them in terms of those severity ratings," Schneider said. "If you take the vulnerabilities in your environment, and focus on the ones that are being exploited in the wild, this will be an exponential improvement in your security posture."
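As an added illustration of the exploitability-first approach Schneider describes (this is not code from the article, RBS or Gartner; the plugin slugs, versions, scores and CVE IDs in the inventory are constructed placeholders describing no real plugin or vulnerability), the following Python triage script orders one constructed plugin inventory by CVSS alone and then by exploitability, and shows that a scanner which only correlates on CVE IDs drops the entry that has a public exploit but no CVE:

```python
"""Exploitability-first triage of a WordPress plugin inventory.

Added illustration, not code from the article, RBS or Gartner. The plugin
slugs, versions, scores and CVE IDs below are constructed placeholders and
describe no real plugin or real vulnerability.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    plugin: str                  # installed plugin slug (constructed)
    installed: str               # version currently deployed
    fixed_in: Optional[str]      # first patched release, None if no fix exists
    cvss: float                  # base score, 0.0-10.0
    remote: bool                 # reachable over the network, no local access needed
    public_exploit: bool         # a working exploit is publicly available
    exploited_in_wild: bool      # observed in real attacks (e.g. a KEV-style feed)
    cve: Optional[str] = None    # None models the "public exploit, no CVE ID" case


def severity_key(f: Finding) -> Tuple:
    """The mass-patching view: highest CVSS first, nothing else considered."""
    return (-f.cvss,)


def exploitability_key(f: Finding) -> Tuple:
    """Exploited in the wild first, then public exploit, then remote reach, then CVSS.
    Python sorts False before True, so the negated flags put the dangerous ones first."""
    return (not f.exploited_in_wild, not f.public_exploit, not f.remote, -f.cvss)


def prioritise(findings: List[Finding], by_severity_only: bool = False) -> List[Finding]:
    key: Callable[[Finding], Tuple] = severity_key if by_severity_only else exploitability_key
    return sorted(findings, key=key)


def cve_keyed_view(findings: List[Finding]) -> List[Finding]:
    """What a scanner that only correlates on CVE IDs would surface."""
    return [f for f in findings if f.cve is not None]


def action_for(f: Finding) -> str:
    """Turn a finding into an operational decision. Urgency comes from
    exploitability, not the score; a missing fix changes the action, not the urgency."""
    urgent = f.exploited_in_wild or f.public_exploit
    if f.fixed_in is None:
        return "disable plugin or add WAF rule" if urgent else "monitor for a fix"
    return "patch now" if urgent else "patch in next maintenance window"


# Constructed inventory: four findings chosen so the two orderings disagree.
# The CVE IDs are placeholders, not real identifiers.
INVENTORY = [
    Finding("form-builder-x", "2.1.0", "2.1.1", cvss=9.8, remote=True,
            public_exploit=False, exploited_in_wild=False, cve="CVE-0000-0001"),
    Finding("gallery-lite-y", "1.4.2", "1.4.3", cvss=6.5, remote=True,
            public_exploit=True, exploited_in_wild=True, cve="CVE-0000-0002"),
    Finding("seo-helper-z", "3.0.0", None, cvss=7.5, remote=True,
            public_exploit=True, exploited_in_wild=False, cve=None),
    Finding("backup-tool-w", "5.2.1", "5.2.2", cvss=7.2, remote=False,
            public_exploit=False, exploited_in_wild=False, cve="CVE-0000-0003"),
]


def triage_order(findings: List[Finding] = INVENTORY) -> List[str]:
    """Plugin slugs in exploitability-first order, i.e. the work queue."""
    return [f.plugin for f in prioritise(findings)]


if __name__ == "__main__":
    print("by CVSS only:        ", [f.plugin for f in prioritise(INVENTORY, by_severity_only=True)])
    print("exploitability first:", triage_order())
    missing = {f.plugin for f in INVENTORY} - {f.plugin for f in cve_keyed_view(INVENTORY)}
    print("invisible to a CVE-keyed scanner:", sorted(missing))
    for f in prioritise(INVENTORY):
        print(f"{f.plugin:15} {f.installed:>6} -> {action_for(f)}")
```

Sorting by score alone puts the actively exploited medium-rated plugin last; sorting by exploitability puts it first, and the entry without a CVE ID, which a CVE-keyed feed would never show, lands second. The action column also makes the unpatched case explicit: where no fix exists, the only options are to disable the plugin or block the request pattern.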

The RBS report raises questions about who is assumed to be responsible for the security of open source platforms, and about the ongoing investment needed to keep them current. Open source does not mean free, in cost or in responsibility, and both belong in the platform selection process.