WordPress Vulnerability Roundup - Q1 2019
WordPress is a free open-source content management system. It powers about 30% of all websites on the internet and 33% of the Top 10 Million Sites globally. There are over 50,000 WordPress plugins available to add-in features and extend the functionality of WordPress websites. Since WordPress is the most popular CMS, it becomes the common target for hackers to cause more damage than any other platform.
Since the beginning of the year 2019, three zero-day vulnerabilities have been discovered on WordPress plugins Total donations, Easy WP SMTP and Social Warfare. These were actively being exploited in the wild and hackers continue to compromise WordPress websites that are still unpatched.
The SonicWall Capture Labs Threat Research Team has analyzed and addressed WordPress Vulnerabilities for Q1 2019.
The three vulnerabilities that WordPress suffers are from the WordPress Core, plugins, and themes.
Fig: Q1 2019 WordPress vulnerability distribution by components
Cross-site scripting (XSS) is at the top of the list. WordPress plugins are prone to Cross-site scripting as they fail to properly sanitize user-supplied input.
Fig: Q1 2019 WordPress vulnerability distribution by types
Nearly 40 WordPress vulnerabilities disclosed just in the month of March. Most of the bugs were in the plugins that extend the WordPress webpage's functionality.
Fig: Q1 2019 WordPress vulnerability
The top vulnerable plugins include the popular ones, WooCommerce with 4+ million active installations. Followed by WP Google Maps with 400,000+ active installations.
Fig: Q1 2019 Top Vulnerable WordPress plugins
- Hardening WordPress
- Avoid brute Force Attacks
- Always Administration Over SSL
- Two Step Authentication
- Password Best Practices
- WordPress Privacy
SonicWall Capture Labs Threat Research team provides protection with the following signatures:
IPS: 14006 WordPress Total Donations Plugin Authentication Bypass 2