WordPress is the most popular content management system (CMS), powering about 30% of all websites on the internet. Joomla and Drupal follow, trailing behind at a safe distance.
WordPress-related vulnerabilities have seen a 300% increase in 2018 compared to the previous year, a recent study has found. Most of the bugs were in the plugins that extend the functionality of WordPress websites.
A product’s rise in popularity also captures the attention of cybercriminals who look for security bugs, incentivized by a large number of potential victims.
WordPress stands out
According to a report from cybersecurity firm Imperva shared with BleepingComputer, the number of vulnerabilities associated with WordPress in 2018 was 542.
The figure is almost three times what the company saw in 2017, when fewer than 200 WordPress-related vulnerabilities were recorded. Joomla and Drupal were affected by fewer than 150 bugs combined.
Even where there are fewer bugs, the consequences can still be severe, as shown by the massively exploited Drupalgeddon vulnerabilities last year.
The easy exploitation of the Drupalgeddon vulnerabilities led to a deluge of attacks against unpatched websites. In its report, Imperva says that it “detected and blocked more than half a million attacks related to these vulnerabilities during 2018.”
Almost all of the WordPress vulnerabilities, 98%, are in plugins rather than in the core CMS. There are more than 50,000 plugins on the official website of the CMS.
The company says, “Anyone can create a plugin and publish it — WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.”
Imperva data shows that an exploit is publicly available for more than half (54%) of these vulnerabilities, and that in 38% of the cases there is no mitigation available, such as a patch or a software upgrade.
Injection-type bugs affecting web apps were the most numerous in 2018, with Imperva counting close to 3,300 disclosures. A closer look revealed that almost 1,980 of them allowed remote code execution (RCE) and 1,354 enabled SQL injection attacks.
The report also notes that the number of cross-site scripting (XSS) vulnerabilities doubled since 2017, accounting for 14% of all security flaws reported for web applications last year.