WordPress Ecosystem Records 150% Increase in Security Vulnerabilities in 2021 – WP Tavern
Patchstack has published its State of WordPress Security whitepaper with a summary of threats to the WordPress ecosystem recorded in 2021. The whitepaper aggregates data from multiple sources, including the Patchstack Vulnerability Database, the Patchstack Alliance (the company’s bug bounty platform), and publicly reported CVEs from other sources.
In 2021, Patchstack recorded nearly 1,500 vulnerabilities, a 150% increase compared to 2020, which recorded ~600. Patchstack found that the majority of these come from the WordPress.org directory:
The WordPress.org repository leads the way as the primary source for WordPress plugins and themes. Vulnerabilities in these components represented 91.79% of vulnerabilities added to the Patchstack database.
The remaining 8.21% of the reported vulnerabilities in 2021 were reported in premium or paid versions of WordPress plugins or themes that are sold through other marketplaces like Envato, ThemeForest, Code Canyon, or made available for direct download only.
WordPress core shipped four security releases, and only one included a patch for a critical vulnerability. This particular vulnerability was not in WordPress itself but rather in one of its bundled open source libraries, the PHPMailer library.
Patchstack estimates that 99.31% of all security bugs from 2021 were in components: WordPress plugins and themes. Themes had the most critical vulnerabilities, logging 55 this year. Patchstack found that 12.4% of vulnerabilities reported in themes had a critical CVSS score of 9.0-10.0. Arbitrary file upload vulnerabilities were the most common.
Plugins had a total of 35 critical security issues. That is fewer vulnerabilities compared to themes, but 29% of those received no public patch.
“The most surprising finding was really also the most unfortunate truth,” Patchstack Security Advocate Robert Rowley said. “I was not expecting to see so many plugins with critical vulnerabilities in them not receive patches.
“Some of these vulnerabilities required no authentication to perform, and have publicly available proof of concepts (exploit code) made widely available online. It’s probably already too late for the site owners who did not get a notice that their websites were vulnerable.”
Patchstack surveyed 109 WordPress site owners and found that 28% of respondents had zero budget for security, 27% budgeted $1-3/month, and just 7% budget ~$50/month. Agencies were more likely to allocate monthly costs to security than individual site owners.
Conversely, results from these same respondents showed $613 as the average cost of malware removal. Post-compromise cleanup costs reported ranged from $50 to $4,800.
Rowley sees the significant increase in security vulnerabilities found in 2021 as evidence of more engaged security professionals, not a sign of the WordPress ecosystem becoming less secure.
“Likely this is due to more security bugs being reported (more vulnerable code being found, because more people are looking),” Rowley said. “Patchstack runs a bug bounty program which pays security researchers for the bugs they report in the WordPress ecosystem, which incentivizes security researchers (and even developers familiar with WordPress) to look for more security bugs.”
Overall, Patchstack’s findings this year show that WordPress core is very secure and the vast majority of vulnerabilities are found in themes and plugins. Users should monitor their extensions and periodically check to see if they have been abandoned, as not all vulnerable software is guaranteed to get patched. Check out the full security whitepaper for more details on the types of vulnerabilities most commonly found in 2021.