WordPress-Related Vulnerabilities Tripled in 2018 [bleepingcomputer]
by CIRT Team
WordPress-related vulnerabilities have seen a 300% increase in 2018 compared to the previous year, a recent study has found. Most of the bugs were in the plugins that extend the functionality of WordPress websites.
Powering about 30% of all websites on the internet, WordPress is the most popular content management system (CMS), followed by Joomla and Drupal trailing behind at a safe distance.
A product’s rise in popularity also captures the attention of cybercriminals who look for security bugs, incentivized by a large number of potential victims.
WordPress stands out
In 2018, the number of vulnerabilities associated with WordPress was 542, according to a report cybersecurity firm Imperva shared with BleepingComputer.
The figure is almost three times more than what the company saw in 2017, when less than 200 WordPress-related vulnerabilities were recorded. Joomla and Drupal were affected by less than 150 bugs combined.
A low number of security glitches is not necessarily indicative of a more secure platform; rather it suggests that the attackers’ focus is primarily on a different target.
Also, even if there are fewer bugs, the consequences could be terrible, as shown by the massively exploited Drupalgeddon vulnerabilities last year.
The easy exploitation of the Drupalgeddon vulnerabilities led to a deluge of attacks against unpatched websites. In its report, Imperva says that it “detected and blocked more than half a million attacks related to these vulnerabilities during 2018.”
Plugins are the weak link
Almost all the vulnerabilities, 98%, are related to WordPress plugins, which are more than 50,000 on the official website of the CMS. This means that only 2% were in the WordPress code.
“Anyone can create a plugin and publish it — WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities,” the company says.
For more, click here.