Security Weekly

What is a CVSS score and how to prioritise WordPress vulnerabilities?


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 43

You’ve most likely noticed a CVSS score whenever a security vulnerability has been reported to you. CVSS (Common Vulnerability Scoring System) scores are calculated to give a quick understanding of the severity of a vulnerability.

The main goal is to help prioritize more serious vulnerabilities over those that pose little to no risk. However, in the WordPress ecosystem, CVSS scores can sometimes be misleading and may not serve their intended purpose.

How are CVSS scores calculated?

CVSS scores help gauge the severity or risk associated with a security vulnerability. The scoring system produces a score from 0 to 10: 0 indicates no risk, 1–3 represents low or insignificant risk, and 9–10 indicates a critical risk from running the affected version of the software.

The score is calculated for all vulnerabilities, regardless of where they’re found, using the same base and impact metrics. This consistency lets everyone agree on the score and derive it with a simple calculator such as the NVD CVSS Calculator.

The base metrics include:

Attack Vector: The attack vector defines the level of access the attacker needs, ranging from physical access to remote internet access, to carry out the attack.

Attack Complexity: If set to “High,” the attacker needs privileged or insider knowledge of the target to perform the attack. With the default “Low,” the attack can be carried out without any special knowledge of the target.

Privileges Required: If the attack can be executed without authentication, this is set to “None.” If the attacker must be logged in (including low-level accounts like subscribers in WordPress), this is set to “Low.” If a high-privilege user account (like admins or super-admins in WordPress) is needed, it’s set to “High.”

User Interaction: If set to “Required,” the attack only succeeds if a user with access takes some action; CSRF bugs are a typical example.

Scope: Scope determines if a successful attack could extend beyond the application with the vulnerability. If “Changed,” attackers may gain additional access.

The impact metrics include:

Confidentiality Impact: If the attack allows reading of private data, there’s a confidentiality impact. “Low” means attackers can only read limited or partial data, while “High” means they can access any data they wish using the attack.

Integrity Impact: Integrity pertains to data modification. If attackers have limited access to modify data, it’s “Low,” whereas “High” allows them to modify any data.

Availability Impact: “Availability Impact” indicates if the attack restricts access to data. “Low” means parts of the app remain accessible, while “High” means the entire application is inaccessible during or after the attack.

It’s possible to delve deeper with Temporal and Environmental Score Metrics, but only the base and impact metrics are required to generate a CVSS score for a vulnerability.

CVSS is not ideal for WordPress security vulnerabilities

CVSS aims to quickly and accurately represent the severity and potential danger of vulnerabilities. However, over seven years of experience at Patchstack have shown us that CVSS scores are not always the best fit for WordPress vulnerabilities.

WordPress has multiple privilege levels that are difficult to represent in the CVSS scoring system. This can lead to vulnerabilities being rated as high or even critical severity, which may not reflect real-world risks accurately.

Often, we see vulnerabilities with high CVSS scores that are unlikely to be exploited due to required privilege levels or other prerequisites. Conversely, vulnerabilities with much lower CVSS scores may be widely exploited.

To see vulnerabilities that have been exploited in real-world scenarios, you can visit Patchstack’s vulnerability database, check the “exploited” box, and hit search. You’ll find that some vulnerabilities with CVSS scores of 6.5 are actively exploited, while others with scores as high as 9.1 are not.

As of October 2024, the number of new vulnerabilities reported to Patchstack and published in our database is 6226. With such a high volume, it becomes challenging to determine which vulnerabilities require immediate action and which can wait.

Patchstack Priority – a better alternative to CVSS in WordPress

It’s more important than ever for developers and site administrators to know which vulnerabilities to prioritize. With the continuous increase in WordPress vulnerabilities since 2020, cutting through the noise to focus on critical issues is essential.

In November 2023, we introduced an alternative to CVSS scoring called Patchstack Priority. The goal? To help WordPress developers reduce alert fatigue and know what to patch first.

Patchstack Priority uses a simple three-level priority system:

High Priority:

  • Likely to become actively exploited
  • Known to already be actively exploited
  • Receives a vPatching rule from Patchstack
  • Recommended time to patch/update (RTTP): 0 days

Medium Priority:

  • Potentially exploitable in targeted attacks
  • Not yet publicly known to be exploited
  • Receives a vPatching rule from Patchstack
  • Recommended time to patch/update (RTTP): 7 days

Low Priority:

  • Unlikely to be exploited
  • Not known to be exploited
  • Does not require a vPatching rule from Patchstack
  • Recommended time to patch/update (RTTP): 30 days

To calculate priorities, we consider WordPress-specific factors, active installation counts, historical exploitation data, active exploitation attempts, and the base CVSS score.
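To show how such a priority feed changes the patching order compared with sorting by CVSS alone, here is an added example that is not Patchstack's code: it triages a constructed list of vulnerability records using the three priority levels and RTTP values quoted above. The weighting inside `priority()` (known exploitation first, then unauthenticated reach combined with install count, then required privileges) is an assumption made for illustration; the article does not disclose Patchstack's actual algorithm, and the plugin names and numbers are invented.

```python
"""
Illustrative triage of a vulnerability feed by priority level and RTTP.
Added example. The heuristic in priority() is an assumption for demonstration
and is not Patchstack's algorithm.
"""
from dataclasses import dataclass

# Recommended time to patch, in days, as quoted in the article.
RTTP_DAYS = {"high": 0, "medium": 7, "low": 30}


@dataclass(frozen=True)
class Vuln:
    plugin: str
    cvss: float
    exploited: bool        # known to be exploited in the wild
    privileges: str        # WordPress role the attacker needs: none, low, high
    active_installs: int


def priority(v: Vuln) -> str:
    """Assumed heuristic mapping feed fields onto the three priority levels."""
    if v.exploited:
        return "high"                      # already attacked: patch now
    if v.privileges == "none" and v.cvss >= 7.0 and v.active_installs >= 10_000:
        return "high"                      # unauthenticated and widely installed
    if v.privileges in ("none", "low") and v.cvss >= 4.0:
        return "medium"                    # reachable, but likely targeted use only
    return "low"                           # e.g. requires an administrator account


def triage(feed):
    """Return (plugin, priority, rttp_days, cvss) tuples, most urgent first."""
    rows = [(v.plugin, priority(v), RTTP_DAYS[priority(v)], v.cvss) for v in feed]
    return sorted(rows, key=lambda r: (r[2], -r[3]))


def by_cvss(feed):
    """The naive ordering the article argues against: highest CVSS first."""
    return [v.plugin for v in sorted(feed, key=lambda v: -v.cvss)]


# Constructed feed (invented plugins and figures).
FEED = [
    Vuln("gallery-plugin", 6.5, True,  "low",  50_000),
    Vuln("forms-plugin",   9.1, False, "none", 200_000),
    Vuln("backup-plugin",  7.2, False, "high", 300_000),
    Vuln("seo-plugin",     4.3, False, "none", 5_000),
    Vuln("widget-plugin",  9.8, False, "none", 200),
]

if __name__ == "__main__":
    print("by CVSS:     ", by_cvss(FEED))
    print("by priority:")
    for plugin, level, days, cvss in triage(FEED):
        print(f"  {plugin:16s} {level:6s} RTTP {days:2d}d  CVSS {cvss}")
```

In the constructed feed the 6.5 that is being exploited jumps ahead of the unexploited 9.8, and the 7.2 admin-only issue drops to the bottom, which is the reordering the article describes when comparing exploited and unexploited entries in the database.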

Patchstack Priority scoring is free and available in our public WordPress vulnerability database. Both free and paid Patchstack users can prioritise alerts using the Patchstack Priority score, reducing alert volume while ensuring critical issues are not overlooked.

Conclusion

While CVSS scores provide a standardized approach to evaluating vulnerability severity, they can fall short in the WordPress environment, where unique privilege levels and usage contexts affect actual risk.

In the future, consider checking Patchstack Priority, which offers a tailored, practical alternative that helps developers and site administrators focus on the vulnerabilities that matter most, minimizing alert fatigue and improving security response times.

