Security vulnerabilities affecting different WordPress plugins saw a 142% increase in 2021 compared to the year before, experts have revealed.
Analyzing the state of the WordPress ecosystem, which includes some 58,000 free plugins, as well as “tens of thousands” more available for purchase, Risk Based Security say the spike in the vulnerabilities to hit 2,240 is “alarming”.
However, what’s even more concerning, is the exploitability of these vulnerabilities. Of all the known flaws, more than three-quarters (77%) are exploitable (have known public exploits).
Addressing the biggest threats first
While the majority of these flaws are exploitable, the average CVSSv2 score for all of them is 5.5, which creates a potential problem. Most organizations tend to deprioritize vulnerabilities with a severity score less than 7.0, which is not something they should do.
Of the vulnerabilities with known exploits, 7,592 are remotely exploitable, 7,993 have a public exploit, while 4,797 have a public exploit, but no CVE ID. For organizations relying on CVE/NVD, this is particularly concerning, as they’ll be unaware of 60% of issues with known public exploits.
“To fully understand the impact of these vulnerabilities, organizations will need to adopt a risk-based approach,” the researchers conclude. “Although some WordPress plugins claim to have over 500,000 installs, it doesn’t necessarily mean that all enterprises use them. Security teams will need to have knowledge of their assets, comprehensive vulnerability intelligence for all known issues, and detailed metadata, that allows them to examine factors like exploitability, to then contextualize the risk it poses to their environment.”
When triaging the threats, security pros should start with remotely exploitable ones first, then move on to those with a public exploit and have a known solution. If WordPress plugin issues affect important assets, these should be triaged first.
“By remediating these types of issues, organizations can best protect themselves against potential attacks while saving time since solution data is available. This risk-based approach will prove to be more effective than traditional Vulnerability Management models based on severity,” the researchers conclude.
