A report published today by Checkmarx reveals some interesting things about the security of WordPress plugins.
According to the study, “The Security State of WordPress Top 50 Plugins,” 20% of the most popular plugins contain vulnerabilities that can be exploited by cybercriminals for web attacks such as SQL Injections.
This means that a total of 8 million vulnerable WordPress plugins have been downloaded.
In addition, the report shows that 7 out of the top 10 e-commerce plugins contain security holes. This translates to over 1.7 million vulnerable e-commerce plugin downloads.
“Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details. Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site,” the report reads.
“In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.”
The study also found that there was no correlation between the number of lines of code and the vulnerability level of a plugin.
Interestingly, the company reports that only six of the most popular plugins were completely fixed within a 6-month period, even though all of them received updates during the test timeframe.
So what should be done?
First of all, web administrators should download plugins only from reputable sources. In addition, they should make sure a plugin doesn’t contain any security holes before using it, and they should ensure that all plugins are up to date at all times.
Finally, web admins must remove unused plugins as these can pose a serious security risk.
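The two administrator checks above (every plugin current, no unused plugins left installed) can be automated against WP-CLI output. The following is an added example, not code from the article or from Checkmarx; it assumes the `wp` binary is on PATH and otherwise works on a constructed sample of `wp plugin list --format=json` output.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample of what `wp plugin list --format=json` prints; not data from any real site.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.7"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "woocommerce", "status": "inactive", "update": "available", "version": "8.0"},
])


def audit_plugins(wp_cli_json: str) -> Dict[str, List[str]]:
    """Sort WP-CLI plugin records into the two findings the advice above cares about.

    'outdated': WordPress reports an update is available (unpatched code on the site).
    'unused':   installed but not activated (reachable PHP that nobody is maintaining).
    A plugin can appear in both lists.
    """
    plugins = json.loads(wp_cli_json)
    outdated = sorted(p["name"] for p in plugins if p.get("update") == "available")
    unused = sorted(p["name"] for p in plugins if p.get("status") == "inactive")
    return {"outdated": outdated, "unused": unused}


def remediation_commands(findings: Dict[str, List[str]]) -> List[str]:
    """Turn findings into WP-CLI commands. Unused plugins are deleted rather than
    updated, so a plugin in both lists gets only the delete command."""
    delete = findings["unused"]
    update = [n for n in findings["outdated"] if n not in delete]
    return ([f"wp plugin update {n}" for n in update]
            + [f"wp plugin delete {n}" for n in delete])


def audit_live_site(wp_path: str) -> Dict[str, List[str]]:
    """Run the audit against a real install; assumes `wp` is installed and on PATH."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit_plugins(out)


if __name__ == "__main__":
    findings = audit_plugins(SAMPLE_WP_CLI_OUTPUT)
    for category, names in findings.items():
        print(f"{category}: {', '.join(names) or 'none'}")
    print("\n".join(remediation_commands(findings)))
```

Review the generated commands before running them: deleting a plugin removes its files, so confirm the inactive ones really are unused rather than seasonally disabled.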
Plugin developers, on the other hand, should integrate security testing into the development process and run their creations through a code scanner to make sure they stand up to a security standard.
As far as application platform providers are concerned, they are advised to enforce a security policy on the apps that enter their marketplace and authorize plugins only after they pass security tests.
The complete “The Security State of WordPress Top 50 Plugins” report is available here.