UPDATED 22:29 EDT / DECEMBER 18 2016


Research finds WordPress security flaws exist but not as bad as thought

A new study has found that while Automattic Inc.’s WordPress content management system continues to have security flaws, they’re not as bad as commonly thought.

German security firm RIPS Technologies GmbH analyzed all 47,959 plugins that are available from the official WordPress repository using its static code analyzer and found that only 8,800 of the plugins had at least one vulnerability in them.

Where the figures do become somewhat concerning is with what the company describes as “larger plugins,” that is, plugins with more than 500 lines of code. Of the 10,523 larger plugins, 4,559 (43 percent) contain at least one medium severity issue, such as cross-site scripting.

Of all plugins analyzed, nearly 36,000 did not have any vulnerabilities at all, while 1,426 had only low severity flaws. Medium severity bugs were identified in more than 4,600 plugins, while high severity bugs and critical issues were found in 2,799 and 41 plugins respectively. Plugins found to have security issues rarely had just one: a total of 67,486 vulnerabilities were discovered across the plugins analyzed.

Cross-site scripting was the most common vulnerability, accounting for 68 percent of those found, followed by potential SQL injection at 20 percent. Some of the most common WordPress plugins targeted by attacks were found to be:

  • Revolution Slider
  • Beauty & Clean Theme
  • MiwoFTP
  • Simple Backup
  • Gravity Forms
  • WordPress Marketplace
  • CP Image Store
  • WordPress Download Manager
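To make concrete what the two most common findings look like in practice, here is an added example (not code from the RIPS study or from any plugin the article names) of a hypothetical WordPress shortcode handler containing the reflected cross-site scripting and SQL injection patterns that a static analyzer flags as request data flowing into HTML and SQL sinks, beside a hardened version using WordPress' own escaping and prepared-statement APIs:

```php
<?php
/*
 * Added illustration (not from the RIPS study or any real plugin): the two bug
 * classes the study found most often, reflected XSS and SQL injection, in the
 * shape they typically take inside a WordPress plugin, each beside its fix.
 * Hypothetical plugin: a [recent_orders] shortcode with a search parameter.
 */

// --- VULNERABLE: request data flows straight into HTML and SQL sinks -------
function ro_orders_vulnerable( $atts ) {
    global $wpdb;
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    // XSS: user-controlled string echoed into the page unescaped.
    $html = '<p>Results for: ' . $q . '</p>';
    // SQLi: string concatenation into the query, no parameter binding.
    $rows = $wpdb->get_results(
        "SELECT id, customer FROM {$wpdb->prefix}ro_orders WHERE customer LIKE '%" . $q . "%'"
    );
    foreach ( $rows as $r ) {
        $html .= '<li>' . $r->customer . '</li>';
    }
    return $html;
}

// --- HARDENED: sanitize on input, escape on output, bind SQL parameters ------
function ro_orders_hardened( $atts ) {
    global $wpdb;
    // Input: strip the slashes WordPress adds, then reduce to a plain text string.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // Output: esc_html() on every value that lands in HTML text.
    $html = '<p>Results for: ' . esc_html( $q ) . '</p>';
    // SQL: $wpdb->prepare() binds the value; esc_like() keeps % and _ literal.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, customer FROM {$wpdb->prefix}ro_orders WHERE customer LIKE %s",
            '%' . $wpdb->esc_like( $q ) . '%'
        )
    );
    // Database rows are untrusted too (stored XSS): escape them on the way out.
    foreach ( $rows as $r ) {
        $html .= '<li>' . esc_html( $r->customer ) . '</li>';
    }
    return $html;
}

add_shortcode( 'recent_orders', 'ro_orders_hardened' );
```

The `ro_orders` table name and the `q` parameter are assumptions for the illustration; the escaping and `$wpdb->prepare()` calls are the standard WordPress APIs.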

RIPS security researcher Hendrik Buchwald said the findings were a reason for calm, as the results were far less severe than they could have been.

“WordPress is not as insecure as its reputation would suggest. Rather, it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them.”

Buchwald recommends that WordPress users install only plugins that they really need, keep all plugins up to date and choose strong passwords.

Image credit: Maxpixel/Public Domain CC0
