Sunday, 18 December 2016

More Than 8,800 WordPress Plugins Have Flaws



Web application security firm RIPS Technologies researchers have recently analysed 44,70 WordPress Plugins out of the 48,000 Plugins present in the official WordPress plugins directory. They found that 8,800 of these Plugins have at least one vulnerability in them.

HOW THEY ANALYSED

First, the researchers downloaded all the plugins and then used a static code analyser to find the ones that have at least one PHP file. An analysis of the size of these plugins showed that roughly 14,000 of them have only 2-5 files and only 10,500 of them have more than 500 lines of code.


Researchers determined that of the plugins with more than 500 lines of code, which have been classified as “larger plugins,” 4,559, or 43 percent of the total, contain at least one medium severity issue (e.g. cross-site scripting).

RIPS’s analysis showed that nearly 36,000 of the plugins did not have any vulnerabilities and 1,426 had only low severity flaws. Medium severity bugs have been identified in more than 4,600 plugins, while high and critical security holes have been found in 2,799 and 41 plugins, respectively.

Between January and December 2016, a honeypot operated by RIPS captured more than 200 attacks targeting WordPress plugins, including 69 against Revolution Slider, 46 against Beauty & Clean Theme, 41 against MiwoFTP and 33 against Simple Backup. These attacks involved easy-to-exploit vulnerabilities that were known and well documented.

RIPS pointed out that they may not have found all the vulnerabilities affecting the plugins they analysed, and it’s uncertain if the flaws they identified are exploitable.

No comments:

Post a Comment