Patchstack, which recently rebranded from WebARX, released its 2020 security whitepaper. The report identified a total of 582 security vulnerabilities. However, only 22 of the issues came from WordPress itself. Third-party plugins and themes accounted for the remaining 96.22%.
“These are all security issues disclosed by the Patchstack internal research team, Patchstack Red Team community, by third-party security vendors, and by other independent security researchers,” said Oliver Sild, Patchstack founder and CEO. “So it includes all public information about vulnerabilities.”
Patchstack is a security company that focuses on third-party extensions to WordPress. Its vulnerability database is public and available for anyone to view.
In the second quarter of 2020, Patchstack surveyed nearly 400 web developers, freelancers, and agencies about web security. “Over 70% responded that they were increasingly worried about the security of their website, and the top reason was ‘vulnerabilities in third-party plugins,’” according to the whitepaper. “About 45% of respondents saw an increase in attacks on websites they were managing, and 25% had to deal with a hacked website in the month prior to participating in the survey.”
Ranking at the top, 211 of the vulnerabilities found were Cross-Site Scripting (XSS) issues, 36.2% of the total.
“XSS in WordPress plugins almost always happens because user input data is directly printed onto the screen without any sanitization,” said Sild. “esc_html would be used to convert certain characters to their HTML entities, so it will be literally printed onto the screen. Then you also have esc_attr for user input variables, which need to be used in HTML attributes. There are many good resources published by OWASP (The Open Web Application Security Project), such as the ‘Secure Coding Practices.’”
Injection vulnerabilities ranked second with 70 unique cases. It was followed by 38 Cross-Site Request Forgery (CSRF) issues and 29 instances of sensitive data exposure.
“The vulnerabilities found in plugins and themes tend to be more severe than those found in WordPress core,” wrote Sild in the whitepaper. “What makes matters worse is that many popular plugins have millions of active installations, and the numbers aren’t pretty when we look at how many websites are affected by the vulnerable plugins.”
The total number of active and vulnerable theme and plugin installations throughout the year was 70 million. According to WordCamp Central, WordPress is installed on 75 million websites. Many sites likely had more than one vulnerable plugin during 2020 rather than 70 million individual sites being at risk.
Patchstack surveyed 50,000 websites and found that they averaged 23 active plugins at a time. About four on each site were outdated with an upgrade available, which often increases the risk of a security issue.
WordPress plugins accounted for 478 vulnerabilities in the report. However, there were only 82 unique theme issues. While themes are typically far more limited in scope, they can do anything a plugin can do with a few exceptions.
It is not surprising to see that number lower for themes. However, one has to wonder if the ongoing plan to loosen the WordPress.org theme directory review guidelines will factor into that in the coming year or two. Currently, reviewers for the official directory perform extensive code checks that may be more likely to catch issues before themes arrive in users’ hands. If the trade-off is better automation, it could also mean stricter coding standards and fewer security issues that human reviewers might miss.
“Vulnerabilities from third-party code remain as one of the biggest threats to websites build on WordPress,” concluded Sild in the report. “We already see a growth in unique vulnerabilities reported in the WordPress plugins and themes comparing 2020 with the beginning of 2021.”