As we recently published the annual Patchstack report about WordPress security (and also covered it in the last TAB security weekly), we shared some insight into the most commonly found security vulnerabilities in the WordPress ecosystem.
While Cross-Site Scripting, Cross-Site Request Forgery and Broken Access Control are the most common ones, they are not necessarily the most dangerous ones. In this post, we’ll cover the characteristics of the most dangerous security vulnerabilities in the WordPress ecosystem.
Top 3 most dangerous WordPress security vulnerabilities
Let’s look into security vulnerabilities which we see commonly mass-exploited and which are used to take over entire websites and cause the most harm.
1. Unauthenticated Privilege Escalation
Privilege escalation vulnerabilities allow hackers to essentially become admins by exploiting some mechanism that lets them log in as any user. It’s common for hackers to use this type of vulnerability to log in to the account with the lowest possible user ID, which in most cases is an account with administrator privileges.
After successful exploitation, the hackers mostly upload a fake plugin which gives them full filesystem and database access.
2. Unauthenticated WordPress settings change
WordPress settings have a lot of control over the security of a site. For example, if a vulnerability allows unauthenticated users to change any WordPress setting, they can open up site registration and set the default role of new accounts to administrator.
As with the first type, after successful exploitation the hackers mostly upload a fake plugin which gives them full filesystem and database access.
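The settings-change pattern above usually comes down to a plugin handler that writes options for any visitor. The following is an added example (not Patchstack’s code and not from any real plugin; the plugin prefix, action names and option keys are hypothetical) showing such a handler beside a hardened version, plus a small check an administrator can run to spot the open-registration-with-admin-default combination described in the post.

```php
<?php
// Added example, not code from the original post. All "example_" names are hypothetical.

// UNSAFE: hooked on the nopriv action, so it runs for unauthenticated visitors,
// with no nonce, no capability check and an arbitrary option key. This is the
// shape of bug that lets a request flip users_can_register and default_role.
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_unsafe' );
function example_save_setting_unsafe() {
    update_option( sanitize_key( $_POST['key'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}

// HARDENED: authenticated hook only, nonce check, capability check, and an
// allowlist of this plugin's own keys so core options can never be written.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_safe' );
function example_save_setting_safe() {
    check_ajax_referer( 'example_save_setting', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'example_banner_text', 'example_items_per_page' );
    $key     = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $key, $value );
    wp_send_json_success();
}

// Site check: returns true when registration is open and new accounts would
// get anything above Subscriber, the combination the post warns about.
// Run it from a mu-plugin or with `wp eval 'var_dump( example_registration_risk() );'`.
function example_registration_risk() {
    $open = (bool) get_option( 'users_can_register' );
    $role = (string) get_option( 'default_role' );
    return $open && 'subscriber' !== $role;
}
```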
3. Unauthenticated site-wide stored cross-site scripting (XSS)
Site-wide stored XSS allows malicious users to inject code into a website which is then executed on every page load. Compared to the other two, the hacker might not get full access to the WordPress installation (though in theory they could), but they will be able to control how the website behaves for visitors (such as redirecting traffic, showing ads, etc.).
Unauthenticated vs authenticated
As you may notice in the list above, all three of the most dangerous vulnerability types are unauthenticated. This means that an attacker does not require any prior access to the website. This is an important factor, which plays a big role in whether a vulnerability will be mass-exploited or not.
Therefore, unauthenticated security vulnerabilities are the most dangerous ones, and they account for the majority of the mass-exploited vulnerabilities. Unauthenticated vulnerabilities are followed by those requiring the lowest possible authentication levels, such as Subscriber and Customer (WooCommerce).
If we look at all vulnerabilities found in 2023, 58.84% were unauthenticated and 11.90% required Subscriber-level authentication. The fact that over half of the vulnerabilities are unauthenticated is rather concerning.
Despite the high danger of unauthenticated and Subscriber/Customer-level vulnerabilities, the Contributor, Editor, Author and even Administrator vulnerabilities should not go unnoticed. It’s common for hackers to take over accounts, so in more targeted attacks such vulnerabilities can still pose a serious security risk.
Conclusion
The most dangerous vulnerabilities, which are most often mass-exploited and cause damage, are unauthenticated or require the lowest possible authentication level, such as Subscriber or the special WooCommerce Customer role.
The most dangerous vulnerability types allow hackers to take complete control over the website or to control how the website behaves for visitors. Hackers are most interested in vulnerabilities that allow them to gain administrator privileges or remote code execution.
If you want to learn more about WordPress security vulnerabilities and their types, you can find a more in-depth overview here: https://patchstack.com/articles/common-plugin-vulnerabilities-how-to-fix-them/