Security Weekly

Most Dangerous Vulnerabilities in WordPress Plugins

Cleanshot 2023 11 30 At 14.14.30

Published:

Cleanshot 2023 11 30 At 14.14.30

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 15

As we recently published the annual Patchstack report about WordPress security (and also covered it in the last TAB security weekly), we shared some insight into what are the most commonly found security vulnerabilities in the WordPress ecosystem.

While Cross-Site Scripting, Cross-Site Request Forgery and Broken Access Control are the most common ones, they might not necessarily be the most dangerous ones. In this post today, we’ll cover the characteristics of the most dangerous security vulnerabilities in the WordPress ecosystem.

Top 3 most dangerous WordPress security vulnerabilities

Let’s look into security vulnerabilities which we see commonly mass-exploited and which are used to take over entire websites and cause the most harm.

1. Unauthenticated Privilege Escalation

Privilege escalation vulnerabilities allow hackers to essentially become admins by exploiting some mechanism that allows them to login as any user. It’s common that hackers use this vulnerability to try log in to an accounts with lowest possible user ID, which in most of the cases equals to an account with the administrator privileges.

After successful exploitation, the hackers mostly upload a fake plugin which allows them to get full filesystem and database access.

2. Unauthenticated WordPress settings change

WordPress settings have a lot of control over the security on a site. For example, if a vulnerability allows unauthenticated users to change any WordPress settings, then they can open up the site registration and set the default role of new accounts to administrator.

Similarly to the first one, after successful exploitation, the hackers mostly upload a fake plugin which allows them to get full filesystem and database access.

3. Unauthenticated site-wide stored cross-site scripting (XSS)

Site-wide stored XSS allows malicious users to inject code to a website which is then executed on every page load. Compared to the other two, the hacker might not get full access to the WordPress installation (though in theory they could), but they will be able to control how the website behaves for visitors (such as redirect traffic, show ads, etc.)

Unauthenticated vs authenticated

As you may notice on the list above, all of the three most dangerous security vulnerability types are unauthenticated. This means that an attackers does not require any prior access to the website. This is an important factor, which plays a big role in whether a vulnerability will be mass-exploited or not.

Therefore, unauthenticated security vulnerabilities are the most dangerous ones, which account for the majority of the mass-exploited vulnerabilities. Unauthenticated vulnerabilities are followed by the lowest possible authentication levels such as Subscriber & Customer (WooCommerce).

If we look at all vulnerabilities found in 2023, 58.84% were unauthenticated and 11.90% required Subscriber level authentication. The fact that over half of the vulnerabilities are unauthenticated is rather concerning.

Regardless of the high danger of unauthenticated and the lowest subscriber/customer level authentications, the Contributor, Editor, Author and even Administrator vulnerabilities should not be left unnoticed. It’s common for hackers to take over accounts, so in a more targeted attacks, such vulnerabilities can still pose a serious security risk.

Conclusion

The most dangerous vulnerabilities which are most often mass-exploited and cause damage are unauthenticated or require the lowest possible authentication level such as subscriber or a special WooCommerce customer role.

The most dangerous vulnerability types allow hackers to take complete control over the website or control how the website behaves for visitors. Hackers are most interested about vulnerabilities which allows them to get administrator privileges or a remote code execution ability.

If you want to learn more about WordPress security vulnerabilities and their types, you can find a more in-depth overview here: https://patchstack.com/articles/common-plugin-vulnerabilities-how-to-fix-them/

Subscribe to the Patchstack weekly security newsletter

Join the Conversation!

There's a dedicated thread on this post inside of The Admin Bar community. Join in on the conversation, ask questions, and learn more!

Group Thread
Cleanshot 2023 11 30 At 14.14.30

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Brought to you by:
Logo

Patchstack auto-mitigates security vulnerabilities found on WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the entire WordPress ecosystem and has the largest collection of vulnerability specific vPatch rules that provide precision protection without any performance hit nor false positives. Patchstack is the go-to security provider for many of the leading agencies such as 10up, Valet, SiteCare and others.

Never Miss an Issue!

Subscribe and have Security Weekly delivered to your inbox every week!

Come Join Us!

Join the #1 WordPress Community and dive into conversations covering every aspect of running an agency!

Kyle Van Deusen

Community Manager

More from Security Weekly

Week 21

Why You Should Avoid Nulled WordPress Plugins

Every once and a while, I see a new GPLClub-like marketplace, that is selling nulled premium …

Week 20

Why You Should Avoid Abandoned WordPress Plugins

Something that has been coming up a lot lately is the issue of abandoned WordPress plugins …

Week 19

How to Automate WordPress Security for Care Plans

In the previous two issues of Security Weekly we’ve talked about the importance of WordPress maintenance …