Article: https://www.riskbasedsecurity.com/2022/01/11/wordpress-vulnerabilities-more-than-doubled-in-2021/

Depending on your knowledge regarding information security, your first reaction to the title may have been:
(a) “Oh, that’s good to know”,
(b) “What the heck does that mean?”, or
(c) “Should I be panicking, especially since CPSC 329 is using WordPress?!?”

Allow me to offer you context & a translation of the article!


What are WordPress plugins?

Plugins are software components that add functionality to an existing program, letting users bolt on search engine optimization, website builders, e-commerce functions, and more without touching the core code. At the time of this post, there are 59,898 free WordPress plugins available for download.

[Meme image: Condescending Wonka from “Willy Wonka & the Chocolate Factory” (1971)]

What are plugin vulnerabilities?

However, WordPress is a free, “Open Source” content management system, and anyone can contribute to WordPress’ core functionalities. No central authority controls plugin development or tests plugins against a common standard. More importantly, not all plugins are designed with security in mind.

Without thorough investigation, plugins for any software or service can represent a real risk to websites and organizations. Vulnerabilities in installed plugins can be abused and exploited by malicious actors to extract user data and/or insert malicious content.

[Meme image: “Running a WordPress plugin? I too like to live dangerously”, from Austin Powers: International Man of Mystery (1997)]

Now that you possess enough context, here is a summary of the article.

Risk Based Security (RBS) researchers found 10,359 WordPress plugin vulnerabilities at the end of 2021 – a 142% increase from 2020. Most importantly, 77% of them (7,993 vulnerabilities) have known public exploits (Risk Based Security, 2022).

[Translation: RBS’s primary concern is not the alarming “spike” in vulnerabilities, but their potential for exploitation!]

[Image: Common Vulnerability Scoring System (CVSS) severity scale, from Netsparker’s “Characterizing and Scoring Vulnerabilities”]

Good news – the severity of a vulnerability can be measured! Thanks to the “Common Vulnerability Scoring System” (CVSS), vulnerabilities can be graded from “low” (0.1 – 3.9) to “high” severity (7.0 – 8.9) (National Vulnerability Database, n.d.).

Since the CVSS average for all WordPress plugin vulnerabilities is 5.5 (“Medium”), users and organizations may be tempted to follow the traditional “Criticality” approach: patching vulnerabilities with “high” CVSS scores before lower-scored ones.

However, RBS suggests a “Risk-Based” approach instead, because malicious actors favour vulnerabilities they can easily exploit. Even when a vulnerability has a “low” CVSS score, RBS recommends prioritizing vulnerabilities that (a) are remotely exploitable, (b) have a public exploit, and (c) have a known solution.

By raising WordPress users’ awareness of these issues, RBS can offer recommendations on how users, organizations, and security professionals can best protect themselves.
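To make the difference between the two approaches concrete, here is a small added example (my own illustration, not code from the RBS article). It orders a constructed list of plugin vulnerabilities two ways: by CVSS score alone (“Criticality”) and by how many of RBS’s three risk criteria each one meets, with CVSS only as the tie-breaker. The plugin names, scores and flags are made up; the CVSS severity bands are the NVD v3 ratings, of which the post quotes the “Low” and “High” ranges.

```python
"""Added example: CVSS-first ("criticality") triage vs. RBS-style risk-based triage.

Every vulnerability record below is constructed for illustration. The plugin
slugs, scores and flags are invented and describe no real plugin.
"""
from dataclasses import dataclass
from typing import List

# NVD CVSS v3.x qualitative severity bands (score is reported to one decimal).
SEVERITY_BANDS = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]


def severity(score: float) -> str:
    """Map a CVSS base score to the NVD qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    score = round(score, 1)  # CVSS scores carry one decimal place
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("bands cover 0.0-10.0, so this is unreachable")


@dataclass(frozen=True)
class PluginVuln:
    plugin: str           # plugin slug (constructed)
    cvss: float           # CVSS base score
    remote: bool          # (a) exploitable over the network, no local access needed
    public_exploit: bool  # (b) working exploit code is publicly available
    fix_available: bool   # (c) a patch or workaround exists, so it can be fixed now


def risk_criteria_met(v: PluginVuln) -> int:
    """Count how many of RBS's three criteria (a), (b), (c) the vulnerability meets."""
    return int(v.remote) + int(v.public_exploit) + int(v.fix_available)


def criticality_order(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Traditional approach: highest CVSS score first, nothing else considered."""
    return sorted(vulns, key=lambda v: -v.cvss)


def risk_based_order(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Risk-based approach: most criteria met first; CVSS only breaks ties.

    Vulnerabilities satisfying all three criteria therefore always come first,
    which is the generalization of RBS's "focus on (a), (b) and (c)" advice.
    """
    return sorted(vulns, key=lambda v: (-risk_criteria_met(v), -v.cvss))


def public_exploit_share(vulns: List[PluginVuln]) -> float:
    """Fraction of vulnerabilities with a public exploit (the article's 77% figure)."""
    if not vulns:
        return 0.0
    return sum(1 for v in vulns if v.public_exploit) / len(vulns)


# Constructed sample: a "Critical" finding with no patch or public exploit, two
# cheap-to-exploit findings with low/medium scores, and a local-only "High".
SAMPLE_VULNS = [
    PluginVuln("gallery-lite", 9.8, remote=True, public_exploit=False, fix_available=False),
    PluginVuln("contact-form-x", 3.5, remote=True, public_exploit=True, fix_available=True),
    PluginVuln("seo-booster", 5.5, remote=True, public_exploit=True, fix_available=True),
    PluginVuln("cache-helper", 7.2, remote=False, public_exploit=False, fix_available=True),
]

if __name__ == "__main__":
    for label, ordering in (("Criticality", criticality_order),
                            ("Risk-based", risk_based_order)):
        print(f"{label} order:")
        for v in ordering(SAMPLE_VULNS):
            print(f"  {v.plugin:15} CVSS {v.cvss:4} ({severity(v.cvss):8}) "
                  f"criteria met: {risk_criteria_met(v)}/3")
    print(f"Share with public exploit: {public_exploit_share(SAMPLE_VULNS):.0%}")
```

Run as a script, the “Criticality” list puts the unpatched 9.8 finding first even though nobody can fix it yet, while the “Risk-based” list moves the two remotely exploitable, publicly exploited, patchable findings (scored only 5.5 and 3.5) to the top, which is exactly the reordering the article argues for.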


Why should this matter to me?

As students of CPSC 329, we are users of WordPress.

[Meme image: Evil Plotting Raccoon, from Torque’s “8 Common WordPress Security Mistakes That Could Cost You Dearly”]

Aside from the obvious tip of “download themes and plugins only from trusted sources (e.g. WordFence)”, it is important to adopt a “Caveat Emptor” mentality: the principle that the buyer alone is responsible for checking the quality of goods before a purchase is made.

It is up to users to research the quality of a plugin before they click the download button.


References:

Austin Powers Meme Generator. (n.d.). Austin Powers Running a WordPress Plugin I Too Like to Live Dangerously. https://memegenerator.net/instance/80388167/dangerously-austin-powers-running-a-wordpress-plugin-i-too-like-to-live-dangerously

National Vulnerability Database. (n.d.). NVD – Vulnerability Metrics. https://nvd.nist.gov/vuln-metrics/cvss

Risk Based Security. (2022, January 11). WordPress vulnerabilities more than doubled in 2021. https://www.riskbasedsecurity.com/2022/01/11/wordpress-vulnerabilities-more-than-doubled-in-2021/

Torque. (2017, March 21). 8 Common WordPress Security Mistakes That Could Cost You Dearly. https://torquemag.io/2017/03/wordpress-security-mistakes/

Willy Wonka Meme Generator. (n.d.). Willy Wonka Oh So You’re a WordPress Developer Tell Me More About the Thirty PlugIns You Use. https://memegenerator.net/instance/54004449/willy-wonka-oh-so-youre-a-wordpress-developer-tell-me-more-about-the-thirty-plugins-you-use

WordPress. (n.d.). WordPress Plugins. https://wpsites.ucalgary.ca/isec-601-f21/wp-admin/post.php?post=568&action=edit

20 Comments

  1. An interesting read and very relevant to our current setup here for CPSC 329, to the point that a part of me feels like I should be worried. I wasn’t aware that WordPress was such a vulnerable platform and, as a computer science major, I’m supposed to be someone who’s involved in tech! I worry for the writers who just use WordPress to casually publish their material, because if I didn’t know, then who knows what levels of blissful ignorance they’re at.

  2. This is an interesting and informative post as we are using WordPress for CPSC 329. This goes to show that we cannot ensure the security and privacy of our information, even from the plugins we download. I do agree that before users download any kind of software, they should do research and practice safety measures against plugin vulnerabilities, because no kind of downloadable software is 100% secure. To add to that, there are some users who will download plugins without batting an eye. These are the types of users who fall victim to plugin abuse and exploitation.

  3. Very good post, Julie! It was very interesting to read about security issues regarding WordPress as we are all using it for this course. And in general, I like the reminder to be conscious about installing plugins (or software of any kind), especially if the source is unknown. Even well-intended plugins that seem to fulfill their purpose can bear a critical risk to users and their machines.

  4. Interesting post! As we are using WordPress, this would directly affect each and every one of us in the course, and I would hope there would be no ironic twist of fate that the information security course would be the one to have all of its data leaked. Hopefully if it wasn’t taken into consideration already, all plugins we are using for this course have been double checked for vulnerabilities that might affect us as students, such as those that would grant access to the student information used in the creation of our profiles. This is a good reminder to be cautious about installing plugins made by an untrusted and unprofessional source, as while useful and fun, they may prove vulnerable.

  5. A fascinating read that is so relevant to our current setup for CPSC 329 that a part of me feels I should be concerned. I had no idea that WordPress was such a susceptible platform, yet as a computer science major, I’m supposed to be tech-savvy! I’m concerned for the writers who use WordPress to casually publish their work, since who knows what degrees of blissful ignorance they’re at if I don’t know.

  6. Hey, great post! I am glad that you brought this up. WordPress has been the main source for many small businesses as it limits the need to hire web developers and gives the owner control over their content without worrying about hosting websites etc. As such, plugins are made by developers who can make money by selling them to others; however, it is quite funny that the plugins are now being exploited. I think this is a disservice to small businesses and this gap should be closed ruthlessly and efficiently. In your opinion, what do you think should be done by WordPress to ensure these plugins are not weaponized for nefarious purposes?

  7. Really interesting post! This is why there is a need for organizations to help ensure software meets a certain standard. Even though most of the time these organizations are a pain to deal with if you are a developer, their job helps reduce the amount of vulnerable software out there, and these WordPress plugins are in need of such an organization.
