Many WordPress Plugin Developers Don’t Build Tight Security into Their Code, Leaving Millions of Websites Vulnerable to Hacking

Linda Musthaler
By | June 20, 2013

Posted in: Network Security Trends

A new paradigm has taken root in the word of application development. These days we have a number of application “platforms” that are supported by marketplaces where hundreds or thousands of developers post their apps or plugins for download. Some of the world’s most popular platforms are Apple’s iOS, Google’s Android, and WordPress.org’s WordPress platform for blogging, website development and content management.

The owners of these platforms and their affiliated marketplaces recognize that developers and their apps and plugins are critical to the success of the platform. Customers will come to that platform if it has a wide variety of apps or extensions.

WordPress is the largest Web ecosystem in the world. According to WordPress.org, owner of the widely popular open source platform, WordPress is behind 60 million websites—18% of the total number of websites in the world. One of the reasons this platform is so popular is the 25,000+ plugins that allow website administrators, bloggers and other content developers to customize their websites. Plugins help administrators do things like create forms for data entry on a website; setup online stores; embed Flash and HTML5 video into content frames; and so much more.

Back in January 2013, the company Checkmarx decided to use its own source code analysis tools and technologies to scan some of the most popular WordPress plugins to see if they had any vulnerabilities. The results of the scans were overwhelming and shocking. I’ll discuss those results in a moment, but first let me give you the background on how Checkmarx got involved in doing this vulnerability scanning.

Checkmarx develops solutions for automated security code review. The company primarily works with developers of enterprise software in all phases of the development lifecycle to identify technical and logical code vulnerabilities. Checkmarx is known for helping to protect applications in large platform ecosystems like Salesforce.com.

The company wanted to give back to the development community and decided to start with the WordPress ecosystem because of its extensive reach. Also, Checkmarx was concerned that there are so many security advisories warning about vulnerabilities in various WordPress plugins. So earlier this year, Checkmarx began to scrutinize some of the most popular code that that is used in millions of websites around the world. What it found is alarming.

Checkmarx scanned the top (most frequently downloaded) 50 general WordPress plugins. The initial scans were just overwhelming with too many vulnerabilities to deal with. The researchers did the scans again, this time looking only for the most highly critical vulnerabilities, including SQL injections, cross site scripting, cross site request forgery, file inclusion and path reversal. Checkmarx found that 30% of the top 50 plugins – which collectively have been downloaded 18.5 million times – were highly vulnerable and could be hacked at any time.

Four of the scanned plugins were so severely flawed that Checkmarx didn’t feel comfortable with releasing that information to the development community. Even more frightening is the fact that 2 of these plugins were developed by WordPress themselves as part of the core WordPress technology. Checkmarx contacted these developers to let them know about the problems and helped them fix the vulnerabilities.

Checkmarx repeated their exercise in June 2013. They rescanned the top 50 general plugins and noted that 10 of them are still vulnerable. These 10 applets account for 8 million downloads.

Next the company turned its attention to the top 10 e-commerce plugins for WordPress. The researchers wanted to know how plugins that handle payments are secured, and they naturally expected them to be more secure than the general plugins. Unfortunately, the results were quite the opposite. The researchers found that 7 out of the top 10 e-commerce plugins were highly flawed. These applets have been downloaded 1.7 million times. If they are used in websites, they could be hacked at any time.

Checkmarx documented its research in a report called The Security State of WordPress’ Top 50 Plugins. Given the poor state of security of so many popular WordPress plugins, Checkmarx offers recommendations of what site administrators, plugin developers and WordPress and other platform providers can do to mitigate the vulnerabilities. Let’s hope they do it soon.

You May Also Be Interested In: