Millions At Risk From Critical Vulnerabilities In WordPress Plugins

A host of WordPress plugins contain serious flaws, including many e-commerce add-ons dealing with online payments, researchers have warned.

The vulnerable WordPress plugins detected by Tel-Aviv-based security firm Checkmarx were downloaded millions of times. The researchers warned the flaws could allow hackers to use the WordPress platform, the most popular CMS in the world, as a vehicle for mass infection and malware distribution.

WordPress plugin attacks

As the plugins are open source, as the WordPress platform itself is, Checkmarx was able to scan code of the top 50 most downloaded plugins on two occasions, once in January, then in early June.

The first test uncovered 18 vulnerable plugins, which were downloaded 18.5 million times. Some of those were produced by WordPress itself, which has now issued fixes, Checkmarx said.

All 18 had been updated by the time Checkmarx did its second test, but just six of the plugins were properly fixed by that time.

In its June test, the firm also found over 20 percent of the most 50 popular add-ons could be exploited by a number of common attacks, such as SQL injection and cross-site scripting. Any sites running these vulnerable plugins are therefore vulnerable too.

A typical SQLi sees attackers attempt to get databases to cough up false information, usually by entering queries into search boxes or in a URL to cause the related SQL database to falter. Another kind of attack sees SQL queries entered into login boxes, attempting to get the server to accept it as a true statement and allow a login without a correct username or password. Automated tools make this kind of hit much easier to carry out.

“If the plugin is vulnerable, say to SQLi, so is the website vulnerable to that type of attack,” Maty Siman, Checkmarx CTO, told TechWeekEurope. “A hacker looking to perform a SQLi attack can simply take any one of the existing automated attack tools, point it to the vulnerable site and attempt to exploit it.”

The researchers also discovered seven out of top 10 most popular e-commerce plugins contained flaws. They were downloaded 1.7 million times.

Checkmarx did not reveal which plugins were vulnerable, but said they included social ones linking to Facebook and certain APIs.

The researchers said whilst it was clear there were some serious security problems with WordPress plugins, other platform providers suffer similar problems.

“The impact? Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details,” the company’s report read.

“Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.”

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • Not a happy report but not that surprising either. I find this article frustrating though, because what are we supposed to do with this knowledge without knowing which plugins are at risk...

    Some crumbs please...

    Thanks,
    Bob

    • Hi Bob,

      Have asked them repeatedly if they will name the WordPress plugins, but they don't want to disclose, as they work with devs to fix the issues.

      Frustrating, but understandable... just.

      Thanks for reading.

      Tom Brewster
      Deputy Editor

Recent Posts

Three UK Investigates After Outage Impacted Some 999 Calls

Thursday outage of Three UK network impacts thousands of people, with operator confirming some 999…

1 day ago

CMA Secures Google Commitment To Tackle Fake Reviews

British competition watchdog secures undertaking from Google to tackle fake reviews, as Amazon probe continues

1 day ago

Trump Signs AI ‘Free From Idealogical Bias’ Executive Order

After earlier revoking Biden's AI safety executive order, President Trump signs new executive order to…

1 day ago

OpenAI’s ‘Operator’ Agent Automates Online Tasks

OpenAI launches AI agent called 'Operator' to automatically fill out forms, make restaurant reservations, book…

2 days ago

Pakistan’s Parliament Passes Bill For Strict Control On Social Media

Bill passed to give Pakistani government sweeping controls on social media, but critics argue it…

2 days ago

Indian Tribunal Suspends Meta’s Data Sharing Ban

After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…

2 days ago