The WordPress Ecosystem is Becoming More Secure with Responsible Disclosure Becoming More Common
The Wordfence 2022 State of WordPress Security Report was released on January 24th, 2023. One area that we reviewed in this report was the vulnerabilities disclosed in 2022. Keeping in mind that some vulnerabilities affected multiple plugins, themes, and WordPress core, a total of 2,370 vulnerabilities were reported in 2022. The top five vulnerability categories were Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), authorization bypass, SQL Injection (SQLi), and information disclosure. While the statistics sum up what was in the report, the story does not end there.
The report shows some similarities, as well as distinct differences, to the prior year. This is not uncommon, as WordPress development, both for core and for plugins and themes, potentially includes years’ worth of legacy code, as well as newer code that fits updated coding standards. This tends to have the effect of increasing the number of potential vulnerabilities, while also creating new ways for vulnerabilities to exist.
In addition to changes in code, one major factor in the increase of vulnerability reports in 2022 was likely the fact that it is becoming easier for researchers to report vulnerabilities. As was mentioned in our 2022 report, Wordfence, along with other companies, became a CVE Numbering Authority (CNA) in 2021. This means that there are more points of contact for researchers to submit newly discovered vulnerabilities, and more bandwidth for processing vulnerability reports. As mentioned in our report, we hope to continue to amplify this trend with the launch of Wordfence Intelligence Community Edition, a WordPress vulnerability database that is completely free to access and use.
2022 – A Year of Growth
When we look at the types of vulnerabilities being tracked, there is not a lot of difference between 2021 and 2022 when it comes to the most or least common types that have been reported. What did significantly change is the volume of reported vulnerabilities. Every category except open redirects increased in volume from 2021 to 2022. The drop in open redirect reports was minimal, as there was only one fewer report in 2022 as compared to 2021.
From 2021 to 2022, there were some changes in the top five vulnerability categories that were disclosed. Most notably, information disclosure overtook file uploads for the fifth spot, highlighting the importance of securing protected and sensitive data. The other change in the top five is CSRF vulnerabilities more than doubling to overtake authorization bypass vulnerabilities – which also nearly doubled from 2021 to 2022.
2022 | | 2021 | |
Category | Count | Category | Count |
XSS | 1109 | XSS | 768 |
CSRF | 377 | Auth Bypass | 186 |
Auth Bypass | 301 | CSRF | 183 |
SQLi | 200 | SQLi | 163 |
Information Disclosure | 73 | File Upload | 42 |
File upload vulnerabilities were in the top five for 2021 but were not discussed in the 2022 report. While these vulnerabilities dropped out of the top five in 2022, they still increased from 42 reports in 2021 to 48 reports in 2022. File upload vulnerabilities remain a common vulnerability type to exploit, as they allow would-be attackers to upload files that perform desired functions, typically involving code execution. This includes webshells that allow them to run commands on the server, manage files, and potentially perform other administrative tasks that can be used maliciously in the wrong hands. The fact that this type has been outranked by other types of vulnerabilities does not mean that developers should stop focusing on the prevention of malicious file uploads when working on new or existing themes, plugins, or even WordPress core.
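As an added illustration of the prevention this paragraph calls for (example code written for this article, not taken from the Wordfence report or any named plugin), the following hypothetical WordPress plugin handler accepts an upload only after a capability check, a nonce check, and content-based file type validation, using core WordPress APIs. The action name, nonce action, and field names are assumptions.

```php
<?php
// Added example: hypothetical admin-ajax upload handler for a WordPress plugin.
// The action name, nonce action and field names are assumptions for this illustration.

// Weak pattern (do not use): writes the client-supplied name unchanged, so an
// uploaded .php file becomes a webshell served from wp-content/uploads:
//   move_uploaded_file( $_FILES['file']['tmp_name'], $dir . $_FILES['file']['name'] );

add_action( 'wp_ajax_example_plugin_upload', 'example_plugin_handle_upload' );

function example_plugin_handle_upload() {
    // Authorization: require a capability, not merely a logged-in session,
    // so subscriber/contributor accounts cannot reach the upload path.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // CSRF: verify the nonce bound to this action (dies on failure).
    check_ajax_referer( 'example_plugin_upload', '_wpnonce' );

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Allow-list of extension => MIME type for this feature; nothing executable.
    $allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg', 'pdf' => 'application/pdf' );

    // Check the extension against the file's real content (magic bytes for images),
    // not only the name the client chose.
    $name  = sanitize_file_name( $_FILES['file']['name'] );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename']; // core corrected a mismatched extension
    }

    // Let core move the file: it re-validates the type, avoids name collisions and
    // places it under wp-content/uploads. test_form=false because this is not a form post.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $file         = $_FILES['file'];
    $file['name'] = $name;
    $result       = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The client side must send a nonce created with wp_create_nonce( 'example_plugin_upload' ) in the _wpnonce field, otherwise the request is rejected before the file is touched.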
Vulnerability Trends in 2022
Taking a look at the breakdown of where vulnerabilities were reported, it becomes clear that plugins account for the vast majority of reported vulnerabilities. Naturally, we also need to take into account the fact that there are far more plugins out there than themes. With that said, this does go to show that WordPress core itself is much more secure, and that most of the security concern in the WordPress ecosystem lies with plugins and themes.
Of the vulnerabilities disclosed in 2022, all but 824 of them received patches. This means that about two-thirds of the vulnerabilities were patched to prevent exploits against them. The remaining one-third of vulnerabilities are in plugins that were closed or otherwise never patched and should be removed if installed. Having the knowledge of which pieces of software installed on a website could have vulnerabilities is key to keeping the website secure. Whether it is updating the software when a patch is available, or removing the software as long as it remains unpatched, staying updated on vulnerabilities helps to prevent successful website attacks.
WordPress core had 22 reported vulnerabilities throughout the year, and seven themes ranged from 10 to 18 vulnerabilities reported. In all, there were 2,345 plugins and themes with reported vulnerabilities in 2022, in addition to WordPress core. Of these, 562 had more than one vulnerability reported during the year.
Another consideration when looking at vulnerabilities is the access level required in order to exploit the vulnerability. In 2022, there were 614 vulnerabilities that required high-level privileges, 553 that required low-level privileges, and 1203 that did not require any privileges. On a WordPress website, high-level privileges would be those requiring the attacker to obtain editor or administrator level access, while low-level privileges would be equivalent to subscriber, contributor, or author.
Of the vulnerabilities that did not require any authentication on a vulnerable website, 888 of them were reflected cross-site scripting (XSS) or cross-site request forgery (CSRF). These vulnerabilities require user interaction in order to be exploited, such as convincing a user to click a specially crafted malicious link. The remaining 315 vulnerabilities that do not require authenticated access are vulnerabilities that do not require any interaction from a user.
What Will 2023 Look Like?
With January already on the books, 2023 is shaping up to be very similar to 2022. Cross-site scripting (XSS) will be the most common vulnerability reported, with auth bypass, cross-site request forgery (CSRF) and SQL injection (SQLi) having a significant number of reported vulnerabilities as well. Information disclosure vulnerabilities may become less significant, with directory traversal and file upload vulnerabilities making a little bit of a comeback this year, but there is still plenty of time for them to catch up in the coming months.
The main thing we can count on for 2023 is that we will see more vulnerabilities being reported. It is easier than ever to report vulnerabilities that have been found, and that is a good thing because it means more vulnerabilities can be remediated effectively.
Conclusion
The increase in reported vulnerabilities illustrates more than ever the importance of keeping websites updated with the latest security updates. The increase seen in vulnerability reports is doing more than ever to keep WordPress secure, but this means that components may need to be updated more frequently as well. WordPress core, themes, and plugins should always be updated as quickly as possible after a new version is released to ensure that vulnerabilities are patched to minimize the chances of a threat actor being successful in their attack attempts. In addition to keeping websites updated, it is also important to implement a solution, like Wordfence, to protect your website from attacks and malware.
Wordfence Premium, Care and Response receive new firewall rules and malware signatures as soon as they are available, with new rules and signatures being available to Wordfence Free customers 30 days later. If you believe your site has been compromised as a result of these vulnerabilities, or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.
In addition to protecting your website, Wordfence Intelligence Community Edition provides the most up-to-date information on WordPress vulnerabilities, free of charge, helping you to stay on top of vulnerabilities that may affect your website.
This article was written by Topher Tebow, a former Wordfence Threat Researcher.