Millions At Risk From Critical Vulnerabilities In WordPress Plugins

security vulnerability Shutterstock - © Andy Dean Photography

Millions of sites could contain serious flaws, security firm warns

A host of WordPress plugins contain serious flaws, including many e-commerce add-ons dealing with online payments, researchers have warned.

The vulnerable WordPress plugins detected by Tel-Aviv-based security firm Checkmarx were downloaded millions of times. The researchers warned the flaws could allow hackers to use the WordPress platform, the most popular CMS in the world, as a vehicle for mass infection and malware distribution.

WordPress plugin attacks

Wordpress LandscapeAs the plugins are open source, as the WordPress platform itself is, Checkmarx was able to scan code of the top 50 most downloaded plugins on two occasions, once in January, then in early June.

The first test uncovered 18 vulnerable plugins, which were downloaded 18.5 million times. Some of those were produced by WordPress itself, which has now issued fixes, Checkmarx said.

All 18 had been updated by the time Checkmarx did its second test, but just six of the plugins were properly fixed by that time.

In its June test, the firm also found over 20 percent of the most 50 popular add-ons could be exploited by a number of common attacks, such as SQL injection and cross-site scripting. Any sites running these vulnerable plugins are therefore vulnerable too.

A typical SQLi sees attackers attempt to get databases to cough up false information, usually by entering queries into search boxes or in a URL to cause the related SQL database to falter. Another kind of attack sees SQL queries entered into login boxes, attempting to get the server to accept it as a true statement and allow a login without a correct username or password. Automated tools make this kind of hit much easier to carry out.

“If the plugin is vulnerable, say to SQLi, so is the website vulnerable to that type of attack,” Maty Siman, Checkmarx CTO, told TechWeekEurope. “A hacker looking to perform a SQLi attack can simply take any one of the existing automated attack tools, point it to the vulnerable site and attempt to exploit it.”

The researchers also discovered seven out of top 10 most popular e-commerce plugins contained flaws. They were downloaded 1.7 million times.

Checkmarx did not reveal which plugins were vulnerable, but said they included social ones linking to Facebook and certain APIs.

The researchers said whilst it was clear there were some serious security problems with WordPress plugins, other platform providers suffer similar problems.

“The impact? Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details,” the company’s report read.

“Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.”

What do you know about Internet security? Find out with our quiz!