Report: WordPress Plugin and Theme Vulnerabilities in 2017

According to a SecurityAffairs report of January 23, security researchers recently released vulnerability statistics for WordPress plugins and themes in 2017, drawn from the latest data in the ThreatPress WordPress Vulnerability Database. ThreatPress reportedly monitors a large number of data sources so that new vulnerabilities can be added to the database in real time.

Overall statistics for 2017

ThreatPress added 221 vulnerabilities to its database in 2017, a decrease of 69% from the previous year. The data shows that cross-site scripting (XSS) kept the top spot it held in 2016. The researchers speculate that because many developers do not escape data on output, more and more WordPress plugins and themes are affected by XSS vulnerabilities. In addition, SQL injection vulnerabilities also increased significantly in 2017.
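The unescaped-output and unparameterized-query patterns the report points to, as an added illustration that is not part of the report or of any plugin it names: a hypothetical plugin shortcode (constructed here) shown first in its vulnerable form and then hardened with WordPress's own sanitization, prepared-statement and escaping APIs. The `search_log` table name is an assumption for the example.

```php
<?php
// Constructed example (not from the ThreatPress report or any named plugin):
// a hypothetical "search log" shortcode, first in the unsafe shape behind most
// of the 2017 XSS and SQLi findings, then hardened with WordPress APIs.

// --- Vulnerable: reflects a request parameter and builds SQL by concatenation.
function insecure_search_log_shortcode() {
    global $wpdb;
    $term = $_GET['q'];                                  // untrusted input
    // XSS: $term is echoed into HTML without escaping.
    $html = '<h3>Results for ' . $term . '</h3><ul>';
    // SQLi: $term is spliced straight into the query string.
    $rows = $wpdb->get_results(
        "SELECT hits FROM {$wpdb->prefix}search_log WHERE term = '$term'"
    );
    foreach ((array) $rows as $row) {
        $html .= '<li>' . $row->hits . '</li>';
    }
    return $html . '</ul>';
}

// --- Hardened: sanitize on input, parameterize the query, escape on output.
function secure_search_log_shortcode() {
    global $wpdb;
    // sanitize_text_field() strips tags and control characters; wp_unslash()
    // removes the slashes WordPress adds to superglobals.
    $term = isset($_GET['q']) ? sanitize_text_field(wp_unslash($_GET['q'])) : '';
    if ($term === '') {
        return '';
    }
    // $wpdb->prepare() binds the value; %s is quoted and escaped by WordPress.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT hits FROM {$wpdb->prefix}search_log WHERE term = %s",
            $term
        )
    );
    // esc_html() converts <, >, &, " and ' to entities at the point of output,
    // so input that survived sanitization still cannot become markup.
    $html = '<h3>Results for ' . esc_html($term) . '</h3><ul>';
    foreach ((array) $rows as $row) {
        $html .= '<li>' . esc_html($row->hits) . '</li>';
    }
    return $html . '</ul>';
}

// Only the hardened handler is registered; the insecure one is kept for contrast.
add_shortcode('search_log', 'secure_search_log_shortcode');
```

Sanitizing on input alone is not sufficient: the escaping call belongs at the output site, because the same stored value may later be rendered in a context where the earlier filter did not apply.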

Strikingly, a large number of websites are currently exposed through vulnerable WordPress plugins. According to preliminary statistics, the total number of websites running these plugins has reached 17,101,300+, of which:

  • Total vulnerable plugins – 202
  • Total vulnerable themes – 5
  • Plugins affected by vulnerabilities in WordPress.org repository – 153
  • Non-WordPress.org repository plugins affected by vulnerabilities – 24

The three major WordPress vulnerability classes

  • Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • Broken Access Control

Top 5 vulnerability types among affected plugins

  • XSS (Cross-Site Scripting) – 71
  • SQL Injection – 40
  • Unrestricted Access – 20
  • Cross Site Request Forgery (CSRF) – 12
  • Multi – 10

Top 5 plugins affected by vulnerabilities in 2017 (active installs, vulnerability type)

  • Yoast SEO (most popular SEO plugin) – 5,000,000+ – XSS (Cross-site Scripting)
  • WooCommerce (most popular ecommerce plugin) – 3,000,000+ – XSS (Cross-site Scripting)
  • Smush Image Compression and Optimization – 1,000,000+ – Directory Traversal
  • Duplicator – 1,000,000+ – XSS (Cross-site Scripting)
  • Loginizer – 600,000+ – SQL Injection

Some interesting facts

Lagged security update

  • WordPress released 8 security updates in 2017.
  • The total number of vulnerabilities in the database is 3321.
  • The first vulnerability was found on 2005-02-20.

Source: SecurityAffairs