WordPress is the open-source content management system (CMS) that powers more than 60 million websites, or about 18% of all sites on the web. One of its biggest advantages is the large number of plugins written by third parties that let site authors use advanced features within WordPress. Checkmarx, makers of an automated code review solution, recently examined the top 50 WordPress plugins for vulnerabilities. Their analysis, published here, found that 20% of the top 50 were vulnerable to the most common web attacks. Even more frightening, 7 out of the 10 leading ecommerce plugins were vulnerable.
To put this in perspective, vulnerable plugins were downloaded for installation on websites about 8 million times! I had a chance to speak with Maty Siman, CTO and co-founder of Checkmarx, and my friend Noa Bar Yosef, who is an advisor to Checkmarx and is well known in the infosec community. Maty and Noa told me that instances of insecure or hacked WordPress plugins have been reported before. For instance, the TimThumb LFI vulnerability compromised 1.2 million websites, and 200,000 WordPress-based pages were redirected to rogue sites.
To be clear, we are talking about vulnerabilities exploitable by the most basic types of attacks: common SQL injection and cross-site scripting, for instance. You don't have to be an evil genius to come up with these kinds of attacks.
While the Checkmarx report singles out WordPress, Maty and Noa emphasized that the same is probably true of other leading CMS programs. The problem is that organizations such as Automattic, the makers of WordPress, publish some coding standards and recommendations, but there is no security guidance and there are no security requirements that a plugin developer must adhere to.
Some of the key findings of the Checkmarx report are:
1. 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins. Specifically, these plugins are vulnerable to SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Path Traversal (PT).
2. 7 out of the top 10 most popular ecommerce plugins are vulnerable to common Web attacks. This amounts to more than 1.7 million downloads of vulnerable ecommerce plugins. These plugins are vulnerable to SQLi, XSS, CSRF, RFI/LFI and PT.
3. There is no correlation between the number of Lines of Code (LOC) and the vulnerability level of the plugins. Every line of code has the potential to introduce a vulnerability, but Checkmarx found that the converse does not hold: less code does not necessarily mean safer code. On the contrary, some plugins containing only a few thousand lines of code had more types of vulnerabilities than plugins containing tens of thousands of lines of code.
4. The types of vulnerable plugins in the top 50 vary. These include, but are not limited to, plugins used for:
- Ecommerce, such as a shopping cart
- Content management, such as feed aggregators, related links and checking of broken links
- Site development, such as APIs for web development and transforming a website to a mobile app
- Social networks - from linking to Facebook to establishing an internal organization network.
5. Only six plugins were completely fixed in a six-month period, although all plugins released new versions during this time. A first scan, run in January 2013, showed a higher rate of vulnerable plugins: more than a third (18 out of 50) were vulnerable. In total, this meant that vulnerable plugins had been downloaded nearly 18.5 million times. That first scan also found RFI/LFI vulnerabilities. The second scan, conducted in early June 2013, was performed on the updated versions of all plugins. However, only six of these updates were free of the previously found vulnerabilities. These were:
- BuddyPress - creates a social network for the organization. Downloads: 1,319,743. Alerted by Checkmarx to their vulnerabilities.
- BBPress - forum software. Downloads: 483,283. Alerted by Checkmarx to their vulnerabilities.
- E-Commerce - shopping cart plugin. Downloads: 2,209,352. Alerted by Checkmarx to their vulnerabilities.
- Woo Commerce - an ecommerce store. Downloads: 469,503. Alerted by Checkmarx to their vulnerabilities.
- W3 Total Cache - site optimization by caching. Downloads: 1,450,980. Most likely fixed as part of a security overhaul following an external full disclosure of some vulnerabilities.
- Super Cache - site optimization by caching. Downloads: 3,984,976. Most likely fixed as part of a security overhaul as with W3 Total Cache.
To me this is the same kind of thing we see in the Google Play store and other online marketplaces. The app or plugin model is a great way to add functionality and features to everything from phones and tablets to your cloud instance and your website, but do you trust the downloads from your marketplace?
The marketplace or app store has become a feature in so many places today. As consumers in these marketplaces, we tend to think that just because something has been approved for an app store or marketplace it must be safe. This report by Checkmarx shows once again that it isn't necessarily true. What should the expectations of security be for applications, plugins or programs you use from a marketplace?
To give Apple its due, one of the strengths of the iTunes App Store is that, for the most part, apps that are approved have been checked for security risks. Google has recently done a better job of checking for security. But there are so many third-party marketplaces: Amazon's and Rackspace's cloud marketplaces, for instance, or WordPress plugins, for another.
Right now, we are in sort of a Wild West era for marketplaces. Hopefully in the near future security requirements will be put in place for all plugins, apps and programs that we use from a marketplace. Until then, you would be wise to remember that just because it is available, that doesn't mean it is secure.
For WordPress admins specifically, here are some recommendations from the Checkmarx folks:
1. Download plugins only from reputable sources. For WordPress, this means WordPress.org. Since anyone can develop a WordPress plugin, attackers can exploit this openness to distribute their own malicious plugin. Although going through a reputable marketplace will not guarantee that you only get harmless plugins, you should consider it a first line of defense.
2. Verify the security posture of the plugin by scanning it for security issues. If you have the source code, and you most probably do since the plugins are open source, run a static source code analysis tool, which will give you the plugin's "bill of health." Advanced scanners can even point you to the optimal and quickest fix recommendations. If you cannot analyze the plugin's source code, you can run any of the WordPress dynamic security scanner plugins. The downside? These test only specific scenarios, so the scanners lose out on coverage.
3. Ensure all your plugins are up to date. Do not ignore all those notification emails about an upgraded plugin version. You can even use a dedicated WordPress plugin that notifies admins of updates to other installed plugins. There are also third-party services that offer plugin update notification and management.
4. Remove any unused plugins. The code of old, unused plugins remains on the server even when the plugins are deactivated, so it can still expose vulnerabilities. Schedule plugin spring cleaning as part of your WordPress site admin activities.
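As an added illustration, not part of the article and not Checkmarx's product or any real scanner, the following Python script shows what a source scan like the one in recommendation 2 looks for, using the four vulnerability classes named in the report's first finding (SQLi, XSS, CSRF and path traversal). It is a toy, line-level pattern matcher run over two constructed PHP snippets: an unsafe plugin handler and the same handler rewritten with WordPress's own `$wpdb->prepare()`, `esc_html()`, `sanitize_key()` and `check_admin_referer()` helpers. The rule set, the `scan`/`summarize` function names and both PHP samples are assumptions made for this example.

```python
"""Toy pattern-based checker for the four bug classes the report names
(SQLi, XSS, CSRF, path traversal) in WordPress plugin PHP source.

Added illustration only: not Checkmarx's product and not a real SAST tool.
It matches source/sink pairs on a single line, so it misses any tainted
value that passes through a variable first (real scanners track data flow).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Superglobals that carry attacker-controlled input (the "sources").
USER_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Sinks: raw SQL through $wpdb, page output, and filesystem access.
SQL_SINK = re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row|get_col)\s*\(")
OUTPUT_SINK = re.compile(r"\b(?:echo|print)\b")
FILE_SINK = re.compile(
    r"\b(?:include|require|include_once|require_once|fopen|file_get_contents|readfile|unlink)\b"
)
# Real WordPress helpers whose presence counts as mitigation for this toy check.
ESCAPERS = re.compile(r"\b(?:esc_html|esc_attr|esc_url|esc_js|esc_textarea|wp_kses|wp_kses_post)\s*\(")
NONCE_CHECKS = re.compile(r"\b(?:check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")


@dataclass(frozen=True)
class Finding:
    kind: str    # "SQLi", "XSS", "PT" or "CSRF"
    line: int    # 1-based line number; 0 for a file-level finding
    detail: str


def scan(php_source: str) -> List[Finding]:
    """Return findings for one PHP file's text, in source order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith("//") or not USER_INPUT.search(line):
            continue
        # SQLi: user input reaches $wpdb without $wpdb->prepare() on the same line.
        if SQL_SINK.search(line) and "prepare(" not in line:
            findings.append(Finding("SQLi", lineno, line.strip()))
        # XSS: user input is echoed without an esc_* / wp_kses helper.
        if OUTPUT_SINK.search(line) and not ESCAPERS.search(line):
            findings.append(Finding("XSS", lineno, line.strip()))
        # Path traversal: user input reaches include/require or a file API.
        if FILE_SINK.search(line):
            findings.append(Finding("PT", lineno, line.strip()))
    # CSRF (file level): form input is read but no nonce check exists anywhere.
    if re.search(r"\$_(?:POST|REQUEST)\b", php_source) and not NONCE_CHECKS.search(php_source):
        findings.append(Finding("CSRF", 0, "reads $_POST/$_REQUEST without any nonce check"))
    return findings


def summarize(php_source: str) -> Dict[str, int]:
    """Count findings per class, the kind of 'bill of health' a scan report gives."""
    counts: Dict[str, int] = {}
    for f in scan(php_source):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: an unsafe handler (not code from any real plugin).
VULNERABLE = """<?php
// Constructed example of an unsafe handler; not code from any real plugin.
function demo_show_item() {
    global $wpdb;
    $row = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}items WHERE id = " . $_GET['id']);
    echo "<h2>" . $_GET['title'] . "</h2>";
    include dirname(__FILE__) . '/templates/' . $_GET['tpl'] . '.php';
}
function demo_save_item() {
    update_option('demo_item', $_POST['item']);
}
"""

# The same handler hardened with WordPress's own sanitising, escaping and nonce helpers.
HARDENED = """<?php
// Same handler using $wpdb->prepare(), esc_html(), sanitize_key() and a nonce check.
function demo_show_item() {
    global $wpdb;
    $id  = absint($_GET['id']);
    $row = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE id = %d", $id));
    echo "<h2>" . esc_html($_GET['title']) . "</h2>";
    $tpl = sanitize_key($_GET['tpl']);
    include plugin_dir_path(__FILE__) . 'templates/' . $tpl . '.php';
}
function demo_save_item() {
    check_admin_referer('demo_save_item');
    update_option('demo_item', sanitize_text_field($_POST['item']));
}
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, summarize(src) or "no findings")
        for f in scan(src):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

Run against the two samples, the unsafe handler produces one finding per class (SQLi on line 5, XSS on line 6, PT on line 7, and a file-level CSRF finding) while the hardened version produces none. The limitation is deliberate and worth seeing: because the checker only looks at one line, it would stay silent if the unsafe code first copied `$_GET['id']` into a variable and concatenated that into the query. Closing that gap is exactly what the data-flow analysis in a real static analysis tool does, and it is why the article prefers a source scan over the narrower dynamic scanner plugins.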