Vulnerabilities in the popular content management system (CMS) WordPress are growing at a rapid rate, up 30 percent in 2018, according to new web application vulnerability research released Wednesday.
Researchers at Imperva said that 2018 continued the trend of increasing web application vulnerabilities. The overall number of new web app vulnerabilities published in 2018 (17,142) rose 21 percent over 2017 (14,082).
Worse, according to Imperva's data, more than half of these web app vulnerabilities have a public exploit available to attackers, and a third have no available fix at all, neither a patch nor a workaround.
The most common of these vulnerabilities are injection flaws, such as SQL injection, command injection and object injection. Injection accounted for 19 percent of all web app vulnerabilities in 2018. Separately, attackers in 2018 also turned to new stealthy process code-injection techniques to hide malware such as Trickbot and TurnedUp inside infected systems; that is a different class of problem (injecting code into running processes on a compromised host) from the web application injection flaws counted in the report.
Cross-site scripting bugs also continued to grow and were the second most common vulnerability class, at 14 percent, double their 2017 share.
WordPress vulnerabilities were up 30 percent since last year, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category.
While it may come as no surprise that WordPress is a target for attackers given its popularity (the CMS is used by 59 percent of all websites running a known content management system), what is notable is that the increase in security issues came even as growth in new plugins slowed to 3 percent in 2018.
Almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog. The top 10 vulnerable plugins include Event Calendar, Ultimate Member, Coming Soon Page, Ninja Forms and Duplicator Pro.
“Anyone can create a plugin and publish it — WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis),” researchers said. “Hence, WordPress plugins are prone to vulnerabilities.”
An array of these vulnerabilities was patched in 2018, including a critical privilege-escalation vulnerability that could allow an attacker to inject malware, place ads and load custom code on an impacted website, and two bugs rated “medium” in the tooltips plugin.
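To make the injection and cross-site scripting classes concrete, and to show the kind of defect the missing code analysis would catch, here is an added example that is not from Imperva's report, WordPress core or any of the plugins named above. It is a hypothetical plugin AJAX handler written the way many vulnerable plugins are, followed by a hardened version built only on WordPress's own APIs. The plugin name, table name, action names and the `event_id` parameter are invented for illustration.

```php
<?php
/*
 * Added example (hypothetical plugin, not real code from any project):
 * one AJAX handler, first as commonly written in vulnerable plugins,
 * then hardened. Table and action names are invented.
 */

// --- Vulnerable version: SQL injection plus reflected XSS -----------------
// Reachable by anyone (nopriv), e.g.
//   /wp-admin/admin-ajax.php?action=ex_event_lookup_vuln&event_id=1 OR 1=1
add_action( 'wp_ajax_nopriv_ex_event_lookup_vuln', 'ex_event_lookup_vuln' );
function ex_event_lookup_vuln() {
    global $wpdb;
    $id = $_GET['event_id'];   // untrusted and unvalidated

    // String concatenation puts attacker-controlled text straight into SQL.
    // "1 OR 1=1" dumps every row; a UNION can pull from wp_users instead.
    $rows = $wpdb->get_results(
        "SELECT title FROM {$wpdb->prefix}ex_events WHERE id = $id"
    );

    foreach ( $rows as $row ) {
        // Unescaped output: a payload in the title or in event_id becomes XSS.
        echo '<li>' . $row->title . ' (' . $_GET['event_id'] . ')</li>';
    }
    wp_die();
}

// --- Hardened version ---------------------------------------------------------
// Registered with wp_ajax_ only, so unauthenticated requests never reach it.
add_action( 'wp_ajax_ex_event_lookup', 'ex_event_lookup_safe' );
function ex_event_lookup_safe() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce minted for this exact action.
    check_ajax_referer( 'ex_event_lookup', 'nonce' );

    // 2. Authorization: check a capability, not merely "is logged in".
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: coerce to a positive integer, reject everything else.
    $id = isset( $_GET['event_id'] ) ? absint( $_GET['event_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid event_id', 400 );
    }

    // 4. Parameterized query: %d placeholder, value bound by $wpdb->prepare(),
    //    so the attacker's text can never change the statement's structure.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT title FROM {$wpdb->prefix}ex_events WHERE id = %d",
            $id
        )
    );

    // 5. Output encoding for the context the data will land in (HTML text).
    $titles = array();
    foreach ( $rows as $row ) {
        $titles[] = esc_html( $row->title );
    }
    wp_send_json_success( $titles );
}
```

The hardened handler changes five things, and each maps to a vulnerability class in the report: nonce verification (CSRF), a capability check (broken access control), `absint()` on the input (validation), `$wpdb->prepare()` (SQL injection) and `esc_html()` (XSS). The first version is exactly what static analysis flags: the WordPress Coding Standards ruleset for PHP_CodeSniffer reports concatenated variables in SQL (`WordPress.DB.PreparedSQL`) and unescaped output (`WordPress.Security.EscapeOutput`), which is the kind of minimum check the researchers note is not mandated for plugin publication.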
In December, it was discovered that WordPress sites were being targeted in a series of attacks launched from a botnet of roughly 20,000 already-infected WordPress websites.
Also in December, WordPress 5.0 users were urged to update their CMS software to fix a number of serious bugs, less than a week after the version was released.
While WordPress leads the pack in sheer vulnerability numbers, Drupal bugs also had a large impact and were used in mass attacks that targeted hundreds of thousands of sites during 2018. Most notably, the highly critical remote code execution bug dubbed Drupalgeddon 2.0 (CVE-2018-7600) affected an estimated 1+ million sites running the CMS, and exploitation of unpatched sites continued long after the fix was released.
Automattic, the company behind WordPress.com and a major contributor to the WordPress project, did not immediately respond to a request for comment from Threatpost.
It’s not all bad news on the vulnerability front: the number of Internet of Things (IoT) flaws declined in 2018, as did the number of vulnerabilities related to weak authentication. PHP vulnerabilities also declined, and the growth rate of API vulnerabilities slowed slightly.
“Despite the common belief that all our electronic devices can be easily compromised, it appears that something has changed in this area,” Imperva researchers said. “Possible explanations include: IoT vendors have finally started to implement better security in IoT devices, or hackers and researchers found another area to focus on in 2018.”
This article was updated on Jan. 14 at 4 p.m. EST, to reflect new statistics about WordPress vulns based on Imperva’s report, due to an inconsistency with stats that made it into the initial report. “Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions,” Imperva said.