Categories: Security

The Security State of WordPress’ Top 50 Plugins

Checkmarx’s report analyzed the security of the top 50 most popular plugins (in general), as well as the top 10 most popular ecommerce plugins.

Today we published our report “The Security State of WordPress’ Top 50 Plugins” (no reg required). This report presents Checkmarx’s research which analyzed the security of the top 50 most popular plugins (in general), as well as the top 10 most popular ecommerce plugins.

Even we who deal with code security on a daily basis were surprised by the results. We’ll let you read the details, but here’s the short-run:

20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks.
This amounts to nearly 8 million downloads of vulnerable plugins.
7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks.
This amounts to more than 1.7 million downloads of vulnerable e-commerce plugins.
There is no correlation between the number of Lines of Code (LOC) and the vulnerability level of the plugins.
Vulnerable top 50 general plugin types vary and include ecommerce, content management, site development and social networks plugins.
Only six plugins were completely fixed in a 6-month time period- although all plugins updated their versions during this time.

It wouldn’t be a stretch to assume that a similar percentage of all the other plugins contain these vulnerabilities.

These findings emphasize, however, a deeper problem than risky plugins. At the root of the problem is the lack of security standards that PaaS-providers (aka app marketplaces) enforce on the apps that they distribute. After all, a developer in a rush will most likely not consider security aspects during the demands of a release. Web admins cannot necessarily schedule immediate updates whether due to lack of security knowledge, admin resources and other scheduling priorities. Unfortunately, the end-user carries the brunt- which undoubtedly is not their responsibility.

So who’s responsible? The app marketplace.

The app marketplaces are in that unique position to set a security policy on the apps that they distribute. The marketplace needs to ensure that only those apps which passed its specific security bar are authorized for the public.

The world is shifting towards software distribution platforms. App marketplaces continue to tell us that their platforms are secure, but don’t buy into those word games. Only if they start enforcing the security of the apps they distribute, we could seriously talk about the security of distribution platforms.

Dave Hyman

VP SaaS Operations at Checkmarx

(Security Affairs – WordPress Security)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.