WordPress security researchers at Patchstack published their annual State of WordPress Security whitepaper that showed an increase of high and critical severity vulnerabilities, highlighting the importance of security for all websites on the WordPress platform.
XSS Is Top WordPress Vulnerability Of 2023
There are many kinds of vulnerabilities but the most common by far was cross site scripting (XSS) vulnerabilities, accounting for 53.3% of all new WordPress security vulnerabilities.
XSS vulnerabilities generally occur due to insufficient “sanitization” of user inputs, which includes blocking any inputs that do not conform to what is expected. Patchstack shared that the Freemius framework, a third-party managed eCommerce platform, accounted for over 1,200 of all XSS vulnerabilities, representing 21% of all new XSS vulnerabilities discovered in 2023.
The Freemius Software Development Kit (SDK) is used as a component of over 1,200 plugins which in turn is installed in over 7 million WordPress sites. This highlights the problem of supply chain vulnerabilities where a component is used as a part of a WordPress plugin which subsequently increases the scope of a vulnerability beyond just one plugin.
Patchstack’s report explained:
“This year we saw once again how a single cross-site scripting vulnerability in the Freemius framework resulted in 1,248 plugins inheriting the security vulnerability, exposing their users to risk.
21% of all new vulnerabilities discovered in 2023 can be traced back to this one flaw. It’s vital for developers to choose their stack carefully and promptly apply security updates when these become available.”
More Vulnerabilities Rated High Or Critical
Vulnerabilities are assigned a severity score that corresponds to how disruptive a discovered flaw is. The ratings range from low, medium, high and critical.
In 2022 13% of new vulnerabilities were classified as high or critical. That percentage skyrocketed in 2023 to 42.9%, meaning that there were more destructive vulnerabilities in 2023 that in the previous year.
Authenticated Versus Unauthenticated Vulnerabilities
Another metric that pops out in the report is the percentage of vulnerabilities that require no authentication (unauthenticated), meaning the attacker does not need any user permission level in order to launch an attack.
Flaws that require an attacker to have a subscriber level to admin level permissions have a higher bar for attackers to overcome. Unauthenticated vulnerabilities do not require that the attacker first obtain a permission level, which makes those kinds of vulnerabilities more concerning because they can be exploited through automatic attacks like with bots that probe a site for the vulnerability then automatically launch attacks.
Patchstack found that 58.9% of all new vulnerabilities required no authentication at all.
Abandoned Plugins Spike As a Risk Factor
Another significant cause for vulnerabilities is the large amount of abandoned plugins. In 2022 Patchstack reported 147 abandoned plugins and themes to WordPress.org and out of those 87 were removed and the remainder were patched.
In 2023 the number of abandoned plugins exploded from 147 in 2022 to 827 plugins and themes in 2023. Whereas 87 vulnerable abandoned plugins were removed in 2022, 481 were removed in 2023.
Patchstack noted:
“We reported 404 of those plugins in a single day to draw attention to the “zombie plugin pandemic” in WordPress. Such “zombie” plugins are components that seem safe and up-to-date at first glance, but may contain unpatched security issues. Furthermore, such plugins remain active on user sites even if they are removed from the WordPress plugins repository.”
Most Popular Plugins With Vulnerabilities
As mentioned earlier, severity ratings range from low, medium, high and critical. Patchstack compiled a list of the most popular plugins with vulnerabilities.
In 2022 there were 11 popular plugins with over a million active installations that contained vulnerabilities. In 2023 Patchstack lowered the bar on installations from a million to over 100,000 installations. Yet despite making it easier to get on the list, there were only 9 popular plugins that were found to have a vulnerability, far less than in 2022.
In 2022 only five out of 11 of the most popular plugins with vulnerabilities contained a high severity vulnerability, none contained a critical level vulnerability and the rest were medium level severity.
Those numbers became significantly worse in 2023. Despite lowering the threshold of what’s considered a popular plugin, all nine plugins on the list contained critical level vulnerabilities, all of them. The overwhelming majority of the plugins on that list, six out of nine, contained unauthenticated vulnerabilities, meaning in that exploiting them is easy to scale with automation. The remaining three that required authentication only required a subscriber level access, which is the easiest permission level to acquire, just sign up, verify the email and they’re in. That too can be scaled with automation.
List Of Most Popular Plugins With Vulnerabilities
- Essential Addons for Elementor 1M+ installations (severity rating 9.8)
- WP Fastest Cache 1M+ installations (severity rating 9.3)
- Gravity Forms 940k installations (severity rating 8.3)
- Fusion Builder 900k installations (severity rating 8.5)
- Flatsome (Theme) 618k installations (severity rating 8.3)
- WP Statistics 600k installations (severity rating 9.9)
- Forminator 400k installations (severity rating 9.8)
- WPvivid Backup and Migration 30ok installations (severity rating 8.8)
- JetElements For Elementor 30ok installations (severity rating 8.2)
State Of WordPress Security Is Worse
If you feel like there are more vulnerabilities lately than ever before, now you know the reason, the statistics speak for themselves. There are more vulnerabilities in 2023 and a greater percentage are at high and critical levels which can be exploited with automation at scale.
This means that all publishers need to improve their security and make sure that someone is taking responsibility for auditing their plugins and themes on a regular basis to make sure they are all updated and actively maintained.
SEOs should take notice because security quickly becomes a ranking problem when Google drops a hacked site from the search results. Many SEOs who perform site audits don’t do even the most basic security checks like verifying if the security headers are in place, which is something that I do as a part of every audit I perform. Always make sure to have a discussion with clients about their security to make sure they are aware of the risks.
Patchstack is an example of a service that automatically protects WordPress sites against vulnerabilities even before the plugin issues a patch to fix the vulnerability. Those kinds of services are important in order to create a defense against getting hacked and losing search visibility and earnings.
Read the Patchstack report:
State of WordPress Security In 2023
Featured Image by Shutterstock/Iurii Stepanov
