WordPress is the open source content management system (CMS) that powers more than 60 million web sites, or about 18% of all of the sites on the web. One of its biggest advantages is the large number of plugins written by third parties that allow authors to use advanced features within WordPress. Checkmarx, makers of an automated code review solution, recently examined the top 50 plugins for WordPress for vulnerabilities. Their analysis, published here, found 20% of the top 50 were vulnerable to the most common web attacks. Even more frightening, 7 out of 10 of the leading ecommerce plugins were vulnerable.
To put this in perspective, this means that vulnerable plugins were downloaded for installation on websites about 8 million times! I had a chance to speak with Maty Siman, CTO and co-founder of Checkmarx, and my friend Noa Bar Yosef, who is an advisor to Checkmarx and is well-known in the infosec community. Maty and Noa told me that instances of insecure or hacked WordPress plugins have been reported before. For instance, the TimThumb LFI vulnerability compromised 1.2 million websites, and 200,000 WordPress-based pages were redirected to rogue sites.
To be clear, we are talking about vulnerabilities that can be exploited with the most basic types of hacks: common SQL injection and cross-site scripting attacks, for instance. You don't have to be an evil genius to come up with these kinds of attacks.
While the Checkmarx report singles out WordPress, Maty and Noa emphasized that the same is probably true of other leading CMS programs. The problem is that organizations such as Automattic, the makers of WordPress, put out some coding standards and recommendations, but there is no security guidance, nor any security requirement, that a plugin developer needs to adhere to.
Some of the key findings of the Checkmarx report are:
1. 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins. Namely, these plugins are vulnerable to: SQL Injection (SQLi), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Path Traversal (PT).
2. 7 out of the top 10 most popular ecommerce plugins are vulnerable to common Web attacks. This amounts to more than 1.7 million downloads of vulnerable ecommerce plugins. These plugins are vulnerable to SQLi, XSS, CSRF, RFI/LFI and PT.
3. There is no correlation between the number of Lines of Code (LOC) and the vulnerability level of the plugins. Every line of code has the potential to introduce a vulnerability, but Checkmarx found that the opposite does not hold true: smaller code is not necessarily safer code. On the contrary, some plugins that included only a few thousand lines of code contained more types of vulnerabilities than plugins containing tens of thousands of lines of code.