Free WordPress Themes and Plugins Featured 91% of Security Flaws in 2021

essidsolutions

2021 was a bad year for the world’s most widely used content management platform. According to the State of WordPress Security Report by Patchstack, 1500 security vulnerabilities were discovered in WordPress in 2021, up from 600 in 2020, which was by no means a small count.

WordPress has held over half of the total CMS market share throughout the past decade, growing from just over 51% in January 2010 to 64.8% in March 2022. The platform’s popularity is such that WordPress powers 43.2% of all websites globally.

Patchstack’s data indicates that WordPress itself is pretty secure, given that only 0.58% of the reported WordPress vulnerabilities in 2021 originated in the files that form the key functional elements of the platform, known as WordPress Core. The remaining 99.42% reside in themes and plugins, especially free ones.

The lion’s share (91.79%) of the reported WordPress vulnerabilities resides, as expected, in free themes and plugins sourced from the WordPress.org repository. The remaining 8.21% were reported in premium or paid WordPress plugins and themes, generally available as direct downloads and on marketplaces such as CodeCanyon, ThemeForest, and Envato.

WordPress Vulnerabilities at a Glance | Source: Patchstack

According to Patchstack, at least 55 WordPress themes featured critical flaws, 12.4% of which had a CVSS rating between 9 and 10 out of 10. The most common of these originate in arbitrary file upload functions: in total, 42 themes carry an arbitrary file upload vulnerability rated CVSS 8.8. Other findings include:

  • Ten themes have unauthenticated arbitrary file upload vulnerabilities rated CVSS 10
  • One theme has an unauthenticated upload vulnerability rated CVSS 9.8 that could lead to remote code execution (RCE)
  • One theme has a Blind SQL Injection (SQLi) vulnerability rated CVSS 9.8
  • One theme has a Reflected Cross-Site Scripting (XSS) vulnerability rated CVSS 8.8

Plugins, on the other hand, had 35 critical vulnerabilities, two of them in plugins with over a million installations each: All in One SEO (versions <= 4.1.5.2, 3+ million downloads) and WP Fastest Cache (versions <= 0.0.4, one+ million downloads). Alarmingly, just 29% of the critical plugin flaws were addressed with appropriate security patches.

Patches for both of these plugins are now available. “The positive action of these two projects is juxtaposed by the inaction by nine projects which had critical vulnerabilities identified in the plugins and with no security patch made available,” Patchstack noted. All nine have since been removed from their respective marketplaces.

Overall, the danger from just over 21% of all WordPress vulnerabilities was High or Critical.

Vulnerability by Severity | Source: Patchstack

The most heavily targeted vulnerabilities were also the easiest to exploit. The top four most-exploited vulnerabilities were found in:

  • OptinMonster (versions <= 2.6.4): unprotected REST API leading to sensitive information disclosure and unauthorized API access
  • PublishPress Capabilities (versions <= 2.3): unauthenticated settings change
  • Booster for WooCommerce (versions <= 5.4.3): authentication bypass
  • Image Hover Effects Ultimate (versions <= 9.6.1): unauthenticated arbitrary options update

However, XSS vulnerabilities took the highest share among WordPress’s various vulnerability types. This corresponds to the most prevalent vulnerabilities reported by the Patchstack Alliance bug bounty program.

WordPress Vulnerabilities by Type | Source: Patchstack

This is made worse by the fact that over 23% of respondents (digital agencies, freelance developers, site owners) have no security budget at all for WordPress. Of the rest, the security budget per website per month is:

  • $1-3 for ~24% of respondents
  • $4-7 for ~14% of respondents
  • $8-10 for ~11% of respondents
  • $11-14 for ~5% of respondents
  • $15-30 for ~6% of respondents
  • $30-50 for ~3% of respondents
  • over $50 for ~11% of respondents

None of this is on par with the average cost of WordPress malware removal in 2021, which was $613.

While higher budgets for WordPress security can help, the biggest takeaway from Patchstack’s State of WordPress Security 2021 report is this: stay away from themes and plugins, especially the free ones. While it’s true that paid themes and plugins also have weaknesses, eliminating the reliance on free WordPress tools reduces the chances of a compromise significantly.

The security budget, however low, can then come in handy to deal with the flaws in paid themes and plugins.
