Despite fewer plugins being added to WordPress in 2017, the CMS platform experienced an increase in vulnerabilities in 2018.
In 2018, vulnerabilities in the popular content management system (CMS) WordPress increased by 30 percent, according to new research on web application bugs published on Wednesday.
Researchers at Imperva reported that they continued to observe an upward trend in web application bugs in 2018. The number of new vulnerabilities in web applications increased by 21 percent in 2018 compared to 2017 (14,082).
Worse, according to Imperva’s data, more than half of these web application vulnerabilities have a public exploit available to hackers, and a third of web application vulnerabilities do not even have a workaround or patch.
The most prevalent injection-related vulnerabilities include SQL injection, command injection, and object injection. Injection vulnerabilities comprised 19% of all web application vulnerabilities in 2018. In 2018, malicious actors employed new stealthy code-injection techniques to embed malware variants like Trickbot and TurnedUp within infected systems.
Cross-site scripting vulnerabilities appear to be the second most prevalent category, at 14 percent of all web application vulnerabilities – double the 2017 share.
WordPress vulnerabilities increased by 30 percent from the previous year, and they continue to dominate the CMS category in terms of the number of vulnerabilities published.
While it may come as no surprise that WordPress is a target for hackers due to its popularity – the CMS is used by 59 percent of all websites using a known content management system – interestingly, the increase in security issues has occurred despite a 3 percent decrease in the number of new plugins added to the suite in 2018.
Almost all (98%) WordPress vulnerabilities are related to plugins that extend a website or blog’s functionality and features. Event Calendar, Ultimate Member, Coming Soon Page, Ninja Forms, and Duplicator Pro are among the top 10 plugins that are susceptible to attack.
Researchers stated, “Anyone can create a plugin and publish it because WordPress is open source, easy to manage, and there is no enforcement or proper process that mandates minimum security standards (such as code analysis).” As a result, WordPress plugins are prone to security flaws. In 2018, WordPress patched a variety of these vulnerabilities, including a critical privilege-escalation flaw that could allow an attacker to inject malware, place advertisements, and load custom code on a vulnerable website, and two “medium” vulnerabilities in its tooltips plugin.
In December, it was discovered that WordPress websites are the target of a series of attacks connected to a 20,000-strong army of infected WordPress websites.
Less than a week after the release of version 5.0, WordPress 5.0 users were urged to update their CMS software to fix several critical bugs.
While WordPress leads the pack in terms of sheer attack volume, Drupal vulnerabilities had a significant impact in 2018 and were used in attacks that targeted hundreds of thousands of websites. Most notably, an infamous, critical Drupal bug dubbed Drupalgeddon 2.0 impacted an estimated million-plus websites running the CMS last year (despite a patch being released).
The WordPress owner, Automattic, did not immediately respond to Threatpost’s request for comment.
There is some good news regarding vulnerabilities: The number of Internet of Things (IoT) vulnerabilities and vulnerabilities related to weak authentication decreased in 2018. Likewise, the number of PHP vulnerabilities decreased, while the growth of API vulnerabilities slowed slightly.
“Despite the widespread belief that all of our electronic devices can be compromised easily, it appears that something has changed in this area,” said Imperva researchers. “Possible explanations include the fact that IoT vendors have finally begun to implement better security in IoT devices, or that hackers and researchers shifted their focus in 2018 to another area.”
This article was updated on January 14 at 4:00 p.m. EST to reflect new statistics about WordPress vulnerabilities based on Imperva’s report, due to a discrepancy with the initial report’s statistics. Some 2017 figures were incorrectly reported due to a data transfer error; this version of the blog has been updated. This error did not affect our 2018 statistics or conclusions, as stated by Imperva.