You’ve most likely noticed a CVSS score whenever a security vulnerability has been reported to you. CVSS (Common Vulnerability Scoring System) scores are calculated to give a quick understanding of the severity of a vulnerability.
The main goal is to help prioritize more serious vulnerabilities over those that pose little to no risk. However, in the WordPress ecosystem, CVSS scores can sometimes be misleading and may not serve their intended purpose.
How are CVSS scores calculated?
CVSS scores help gauge the severity of a security vulnerability (the technical characteristics of the flaw, not the risk it poses to any particular site). The system produces a score from 0.0 to 10.0 that maps to a qualitative rating: 0.0 is None, 0.1–3.9 is Low, 4.0–6.9 is Medium, 7.0–8.9 is High, and 9.0–10.0 is Critical.
The base score is calculated the same way for every vulnerability, regardless of the software it's found in, from one fixed set of exploitability and impact metrics. Because both the inputs and the formula are standardized, anyone who agrees on the metric values arrives at the same number, and a simple tool such as the NVD CVSS Calculator will produce it.
The exploitability metrics (the first half of the base metric group) include:
Attack Vector: How the attacker has to reach the vulnerable component, from Physical or Local access through an Adjacent network up to Network (remotely over the internet). The more remote the required access, the higher the score.
Attack Complexity: If set to "High," a successful attack depends on conditions outside the attacker's control, such as a race condition, an uncommon configuration, specific knowledge of the target environment, or the ability to intercept traffic between the victim and the server. "Low" means the attack works reliably against any vulnerable target without special preparation.
Privileges Required: If the attack can be executed without authentication, this is set to "None." If the attacker must be logged in, even as a low-privilege account such as a subscriber in WordPress, it's set to "Low." If a high-privilege account (an administrator or super admin in WordPress) is needed, it's set to "High."
User Interaction: If set to "Required," someone other than the attacker must take an action, such as an administrator clicking a crafted link, before the attack succeeds. CSRF bugs are the typical example.
Scope: Scope records whether a successful exploit affects resources beyond the security authority of the vulnerable component. If "Changed," the attacker can reach something the vulnerable component doesn't itself control; a cross-site scripting bug, which executes in the victim's browser rather than on the server, is the common case.
The impact metrics (the second half of the base metric group) include:
Confidentiality Impact: Whether the attack lets the attacker read data they shouldn't. "Low" means only limited or partial data is disclosed, while "High" means the attacker can read any data the component holds, such as the whole database.
Integrity Impact: Integrity pertains to data modification. "Low" means the attacker can make limited or unpredictable changes, whereas "High" means they can modify any data, for example by writing arbitrary files.
Availability Impact: Whether the attack disrupts access to the application or its resources. "Low" means performance is degraded or parts of the app become unavailable, while "High" means the entire application is unavailable during or after the attack.
Together these eight values make up the base metric group, and they are all that's needed to produce a CVSS base score. Temporal and Environmental metrics (renamed Threat and Environmental in CVSS v4.0) can refine that score for a specific deployment, but they are optional.
CVSS is not ideal for WordPress security vulnerabilities
CVSS aims to quickly and accurately represent the severity and potential danger of vulnerabilities. However, over seven years of experience at Patchstack have shown us that CVSS scores are not always the best fit for WordPress vulnerabilities.
WordPress has multiple privilege levels (subscriber, contributor, author, editor, administrator, plus super admin on multisite) that map poorly onto the three values of the CVSS Privileges Required metric. This can lead to vulnerabilities being rated as high or even critical severity when the real-world risk is far lower.
Often, we see vulnerabilities with high CVSS scores that are unlikely to be exploited due to required privilege levels or other prerequisites. Conversely, vulnerabilities with much lower CVSS scores may be widely exploited.
To see vulnerabilities that have been exploited in real-world scenarios, you can visit Patchstack’s vulnerability database, check the “exploited” box, and hit search. You’ll find that some vulnerabilities with CVSS scores of 6.5 are actively exploited, while others with scores as high as 9.1 are not.
As of October 2024, 6226 new vulnerabilities have been reported to Patchstack and published in our database this year. With such a high volume, it becomes challenging to determine which vulnerabilities require immediate action and which can wait.
Patchstack Priority – a better alternative to CVSS in WordPress
It’s more important than ever for developers and site administrators to know which vulnerabilities to prioritize. With the continuous increase in WordPress vulnerabilities since 2020, cutting through the noise to focus on critical issues is essential.
In November 2023, we introduced an alternative to CVSS scoring called Patchstack Priority. The goal? To help WordPress developers reduce alert fatigue and know what to patch first.
Patchstack Priority uses a simple three-level priority system:
High Priority:
- Likely to become actively exploited
- Known to already be actively exploited
- Receives a vPatching rule from Patchstack
- Recommended time to patch/update (RTTP): 0 days
Medium Priority:
- Potentially exploitable in targeted attacks
- Not yet publicly known to be exploited
- Receives a vPatching rule from Patchstack
- Recommended time to patch/update (RTTP): 7 days
Low Priority:
- Unlikely to be exploited
- Not known to be exploited
- Does not require a vPatching rule from Patchstack
- Recommended time to patch/update (RTTP): 30 days
To calculate priorities, we consider WordPress-specific factors, active installation counts, historical exploitation data, active exploitation attempts, and the base CVSS score.
Patchstack Priority scoring is free and available in our public WordPress vulnerability database. Both free and paid Patchstack users can prioritize alerts using the Patchstack Priority score, reducing alert volume while ensuring critical issues are not overlooked.
Conclusion
While CVSS scores provide a standardized approach to evaluating vulnerability severity, they can fall short in the WordPress environment, where unique privilege levels and usage contexts affect actual risk.
In the future, consider checking Patchstack Priority, which offers a tailored, practical alternative that helps developers and site administrators focus on the vulnerabilities that matter most, minimizing alert fatigue and improving security response times.
Join the Conversation!
There's a dedicated thread on this post inside of The Admin Bar community. Join in on the conversation, ask questions, and learn more!