Tales of WordPress Plugin Insecurity Overblown, Researchers Say

The insecurity of WordPress plugins has been well documented, especially over the last year, but in the grand scheme of things, it’s not as bad as it seems, experts claim.

The insecurity of WordPress plugins has been well documented, especially over the last year, but in the grand scheme of things, it’s not as bad as it seems, experts claim.

Hendrik Buchwald, a researcher and cofounder of RIPS, a German firm that performs static source code analysis, recently combed through tens of thousands of WordPress plugins to see just how vulnerable they are. As part of their investigation, the company used a tool to search for vulnerabilities in PHP scripts. It downloaded all 47,959 official plugins from WordPress’ repository and reviewed each plugin that had at least one PHP file, roughly 44,705 plugins.

Buchwald said that from there, researchers with the firm looked at larger plugins – plugins with more than 500 lines of code – about 10,523 in all. About half of the plugins – 4,559, or 43 percent – had at least one medium-severity security issue.

That figure, while alarming, is somewhat misleading however, according to a write-up Buchwald posted on the analysis on Wednesday.

“There are lot of attacks on WordPress sites, but one of the main reasons for this is the large amount of sites running WordPress,” said Buchwald. “Percentage-wise the amount of vulnerabilities is not as bad as often assumed, but it is far from good.”

The vulnerabilities aren’t evenly disbursed across the plugins. After cross-referencing the number of plugins with no issues, low, medium, and critical severity issues, he found that the “vast majority of plugins” didn’t have vulnerabilities at all. Those that did however, likely had a surplus of vulnerabilities, he claims.


The more lines of code a plugin had, the more likely it was to fall into that latter camp. According to the research, plugins with fewer than 1,000 lines of code had next to zero vulnerabilities. While a large percentage of the internet’s sites may be built on WordPress, RIPS’ research suggests only a small percentage of the plugins used on those sites contain vulnerabilities.

“WordPress is not as insecure as its reputation would suggest,” Buchwald said Wednesday, “Rather it is a top target due to its incredible prevalence. While many plugins do not contain vulnerabilities at all because of its small size, the ones that do have issues, have a lot of them. The more lines of code a plugin has, the more vulnerabilities it has on average.”

The report drills down on the security of two plugins in particular, a WordPress firewall plugin All In One WP Security & Firewall and a podcast management tool, Podlove Publisher. All In One WP Security & Firewall, which has 400,000-plus installs, could have allowed an attacker the ability, assuming they had access to the admin panel, to make read-only files writable. A cross-site scripting vulnerability also existed in the plugin. Podlove Publisher, which has far fewer installs, 2,000-plus, meanwhile suffered from multiple SQL injections and a cross-site scripting vulnerability.

Researchers surveyed a handful of popular WordPress e-commerce plugins about a month ago, shortly before Black Friday, and found that four of the top 12 contained severe vulnerabilities. While the researchers behind that analysis declined to name the vulnerable plugins, it did warn that the bugs were tied to reflected cross-site scripting, SQL injection, and file manipulation flaws. RIPS’ research echoes those findings. Nearly 70 percent of the vulnerabilities it uncovered were cross-site scripting flaws, the second most popular vulnerability it found were SQL injections.

Like death and taxes, vulnerabilities like in WordPress plugins have become a near certainty. Upwards to 75 million websites depend on WordPress and some of the more popular plugins boast more than 1 million active installs. In the past several years vulnerabilities that can allow for site takeover, the bypass of two-factor authentication, and the theft of password hashes and other database information have surfaced.

Suggested articles