Patchstack is always looking for new ways to make the WordPress ecosystem safer by organizing various events for ethical hackers and security researchers. Our experiments sometimes lead to unexpected results. Also, these events sometimes uncover issues that were overlooked before.
Our latest experiment took place in October. We announced a special event for our Bug Bounty program in October as part of Cyber Security Month, and we decided to make it count by cleaning the WordPress repository of old vulnerable plugins. And what better way to do this than by running a special event with many ethical hackers?
TL;DR
- 1571 valid security vulnerability reports received in October alone. More than $17K in rewards were paid to ethical hackers who contributed to making the WordPress ecosystem safer for everyone!
- Many plugin devs are impossible to reach, resulting in over 1000 plugins/themes to be temporarily closed in October. Plugins really need to set up proper VDPs – it’s easy!
- The security community behind WordPress is stronger than ever. Patchstack Alliance is open to everyone. Don’t miss out on our future events – so join us now!
So let’s get to the details!
The usual Bug Bounty rules were adjusted to put all possible plugins and themes into the scope:
- Reports for plugins/themes with less than 1K active installs will get the same points as components with 1K active installs.
- There’s no limit of 3 years since the last update for the October competition.
- Both exceptions to the rules are applied only for reports with these prerequisites. The vulnerability CVSS score must be at least 6.5 if you want rules “1” and “2” to be applied.
The event took off rapidly. It went so well that in the middle of the month, we added one extra challenge: “If you discover 1000 (or more) valid reports this month, we will give an extra +$100 bounty to everyone who has reported at least ten reports with CVSS higher than 6.5.”
And they did it. We had big expectations, but not as big as the actual result. The number of valid vulnerability reports shocked us—1571 valid reports (affecting 7141940 active installs) in total by 37 researchers. That’s huge on its own, but when we look at our previous record, 620 (January 2024), we can see even better how huge it was. It was pretty cool to see what the growing Patchstack Alliance community of ethical hackers and security researchers can achieve in one month.
As expected, most reports were for the vulnerabilities found in the plugins.
| Vulnerable component type | Count | % |
|---|---|---|
| Plugins | 1536 | 97.77 |
| Themes | 35 | 2.23 |
Looking at the overall report count numbers does not give a clear vision of what was discovered, so we started to dig deeper into the statistics, where the scary details began to appear.
Results in numbers
One industry standard for measuring the severity of vulnerabilities is a CVSS (Common Vulnerability Scoring System) score, which includes several essential parameters to give an idea of how dangerous a vulnerability is. CVSS results for vulnerabilities discovered in this event were the main trigger for looking at results from a slightly different angle.
| CVSS score | Count | % |
|---|---|---|
| 7.1 | 755 | 48.06 |
| 6.5 | 426 | 27.12 |
| 9.8 | 58 | 3.69 |
| 10.0 | 48 | 3.06 |
| 8.5 | 43 | 2.74 |
| 8.8 | 38 | 2.42 |
| 7.5 | 37 | 2.36 |
| 9.9 | 33 | 2.10 |
| 4.3 | 20 | 1.27 |
| 5.9 | 17 | 1.08 |
| 5.4 | 16 | 1.02 |
| 9.3 | 16 | 1.02 |
| 5.3 | 14 | 0.89 |
| 8.1 | 8 | 0.51 |
| 8.2 | 8 | 0.51 |
| 8.6 | 8 | 0.51 |
| 9.6 | 5 | 0.32 |
| 9.1 | 4 | 0.25 |
| 4.9 | 3 | 0.19 |
| 6.6 | 3 | 0.19 |
| 4.4 | 2 | 0.13 |
| 6.3 | 2 | 0.13 |
| 7.6 | 2 | 0.13 |
| 6.1 | 1 | 0.06 |
| 6.4 | 1 | 0.06 |
| 7.2 | 1 | 0.06 |
| 7.7 | 1 | 0.06 |
| 8.3 | 1 | 0.06 |
The two first lines of these stats represent the most common types of vulnerabilities in the WordPress ecosystem: Reflected and Stored Cross-Site Scripting issues. This is normal, and if we check stats from other events that would be similar, the unusual part is that the third, fourth, and eighth lines are for the highest severity vulnerabilities (ranging from 9.8 to 10.0).
Altogether there were 164 reports with CVSS 9.0+ and 270 reports were 8.0+.
| CVSS range | Count | % |
|---|---|---|
| 10 | 48 | 3.06 |
| 9+ | 116 | 7.38 |
| 8+ | 106 | 6.75 |
| 7+ | 796 | 50.67 |
| 6+ | 433 | 27.56 |
| 5+ | 47 | 2.99 |
| 4+ | 25 | 1.59 |
Sure, some researchers tried to get as many points as possible, but it’s an obvious indicator that it wasn’t that hard to find such critical issues.
You can get an even clearer picture by looking into vulnerability types. Most of those dangerous vulnerabilities have been in the repository for over a decade. Yes, you read it correctly. Most reports were for plugins and themes, which were last updated 6 to 11 years ago. Do you think that’s a lot? One report was for the plugin that was last updated 17 years ago, yet there are still live websites depending on it.
| Vulnerability type | Count | % |
|---|---|---|
| Cross Site Scripting (XSS) | 1056 | 67.22 |
| Cross Site Request Forgery (CSRF) | 152 | 9.68 |
| Arbitrary File Upload | 73 | 4.65 |
| SQL Injection | 67 | 4.26 |
| Privilege Escalation | 58 | 3.69 |
| PHP Object Injection | 33 | 2.10 |
| Local File Inclusion | 26 | 1.65 |
| Broken Access Control | 22 | 1.40 |
| Remote Code Execution (RCE) | 17 | 1.08 |
| Arbitrary Content Deletion | 15 | 0.95 |
| Arbitrary File Deletion | 11 | 0.70 |
| Sensitive Data Exposure | 10 | 0.64 |
| Arbitrary File Download | 7 | 0.45 |
| Broken Authentication | 6 | 0.38 |
| Server Side Request Forgery (SSRF) | 4 | 0.25 |
| Full Path Disclosure (FPD) | 3 | 0.19 |
| Settings Change | 3 | 0.19 |
| Bypass Vulnerability | 2 | 0.13 |
| Insecure Direct Object References (IDOR) | 2 | 0.13 |
| Path Traversal | 2 | 0.13 |
| Arbitrary Code Execution | 1 | 0.06 |
| Content Injection | 1 | 0.06 |
Another aspect that strongly suggests this event removed some nasty vulnerabilities from the repository is the statistics of prerequisites (the minimal role needed to exploit the vulnerability successfully).
As you can see, most of those vulnerabilities could be exploited without authentication. Usually, that would show that there are many CSRF reports as we consider them to be the ones that don’t need any authentication (from the attacker’s perspective). However, if you look at the table above again, you will notice only 152 CSRF vulnerabilities.
| Prerequisite | Count | % |
|---|---|---|
| Unauthenticated | 976 | 62.13 |
| Contributor | 416 | 26.48 |
| Subscriber | 148 | 9.42 |
| Administrator | 20 | 1.27 |
| Author | 5 | 0.32 |
| Editor | 3 | 0.19 |
| Salesman | 1 | 0.06 |
| Shop manager | 1 | 0.06 |
| Student | 1 | 0.06 |
That’s why we made an extra check and filtered out only vulnerabilities that did not require authentication from any perspective (neither from the attacker nor from the other users). We got 194 vulnerabilities, which is 12.35% of the whole catch.
| Vulnerability | Count | % |
|---|---|---|
| Privilege Escalation | 42 | 21.65 |
| Arbitrary File Upload | 41 | 21.13 |
| PHP Object Injection | 28 | 14.43 |
| SQL Injection | 23 | 11.86 |
| Remote Code Execution (RCE) | 10 | 5.15 |
| Arbitrary File Deletion | 8 | 4.12 |
| Sensitive Data Exposure | 8 | 4.12 |
| Arbitrary Content Deletion | 7 | 3.61 |
| Broken Access Control | 5 | 2.58 |
| Local File Inclusion | 5 | 2.58 |
| Arbitrary File Download | 4 | 2.06 |
| Broken Authentication | 4 | 2.06 |
| Full Path Disclosure (FPD) | 3 | 1.55 |
| Bypass Vulnerability | 2 | 1.03 |
| Arbitrary Code Execution | 1 | 0.52 |
| Content Injection | 1 | 0.52 |
| Insecure Direct Object References (IDOR) | 1 | 0.52 |
| Server Side Request Forgery (SSRF) | 1 | 0.52 |
Patchstack is the most extensive CNA working on WordPress vulnerabilities, with over 6K CVE IDs already published. By processing all those vulnerabilities, we’ve noticed that many vendors/developers don’t care how people can contact them and report vulnerabilities. This is a big problem for which we even created the free mVDP program for every WordPress plugin and theme.
Can we measure this problem? Yes! Out of 1571 reports, at least 1162 were sent to WordPress plugins and themes review teams because the vendors’ contacts were unavailable, outdated, or not working (broken contact forms, bouncing back emails, URLs pointing to dropped domain names).
| Contact | Count | % |
|---|---|---|
| WP review teams | 1162 | 73.97 |
| Private | 409 | 26.03 |
We want to thank the WordPress plugins review team, which worked with us closely and provided quick reactions to all our reports.
Consequences to the WordPress Plugins Repository
Each event has an outcome. In this case, again, we have something extraordinary. As we mentioned before, most of those plugins already looked abandoned or their developers were not accessible, so we were forced to report those vulnerabilities to the plugin review team. Such reporting often results in a plugin closure.
At the time of writing, 977 plugins are closed already (most of them temporarily, but if authors don’t take any action, the status will change). This is about 1.1% of all plugins in the repository.
While removing those vulnerable plugins is a great thing because we are making the repository safer, the problem with the visibility of closed plugins still exists. This means many users will still use those plugins and won’t even see any indicators of a security risk.
On the bright side, after many years, we are finally seeing some movement in this matter. There is even an experimental plugin allowing us to show statuses inside the admin panel. Kudos to Dion Hulse for pushing this. Now, we just hope that it will get merged sooner rather than later and that we won’t have to write about this topic again.
Some more stats
We want to share some stats about our rockstars who made this event that good. On average, each reporter submitted 43 reports. You can also see the October leaderboard here.
| Pos. | Researcher | Reports (valid) | CVSS (avg) |
|---|---|---|---|
| 1 | Kinorth | 275 | 7.32 |
| 2 | stealthcopter | 121 | 8.89 |
| 3 | SOPROBRO | 534 | 6.85 |
| 4 | Mika | 154 | 7.68 |
| 5 | LVT-tholv2k | 53 | 8.84 |
| 6 | Le Ngoc Anh | 44 | 7.1 |
| 7 | thiennv | 50 | 6.73 |
| 8 | TaiYou | 1 | 8.1 |
| 9 | Muhamad Agil Fachrian | 40 | 7.36 |
| 10 | Gab | 92 | 6.5 |
| 11 | Bonds | 9 | 9.73 |
| 12 | ghsinfosec | 18 | 7.92 |
| 13 | Dimas Maulana | 10 | 7.7 |
| 14 | theviper17 | 18 | 7.1 |
| 15 | Zlrqh | 16 | 6.9 |
| 16 | Joshua Chan | 21 | 7.48 |
| 17 | truonghuuphuc | 14 | 5.92 |
| 18 | C_T_R_L (Chance) | 6 | 8.65 |
| 19 | Fariq Fadillah Gusti Insani | 9 | 5.35 |
| 20 | Khalid Yusuf | 15 | 6.54 |
| 21 | hunter85 | 7 | 6.28 |
| 22 | Michael | 14 | 6.41 |
| 23 | Zaidan Rizaki | 3 | 5.63 |
| 24 | Marek Mikita | 16 | 5.14 |
| 25 | Hakiduck | 3 | 7.36 |
| 26 | Ayoub Nouri | 2 | 7.05 |
| 27 | savphill | 4 | 6.07 |
| 28 | Peter Thaleikis | 1 | 7.1 |
| 29 | casol | 3 | 6.3 |
| 30 | Pritam Dash | 1 | 5.3 |
| 31 | Hazem Brini | 1 | 6.5 |
| 32 | Junwoo Kang | 1 | 6.5 |
| 33 | Fazle Mawla | 1 | 6.5 |
| 34 | tahu.datar | 3 | 6.93 |
| 35 | UKO | 9 | 5.9 |
| 36 | Junsu Yeo | 1 | 4.9 |
| 37 | Certus Cybersecurity | 1 | 5.9 |
The highest AXP for one submission goes to TaiYou – 558.90. It’s also the highest score in Patchstack’s history. You can read more about it in this article.
While most of the findings got less than <1000 active installs (1471), there were also 2 reports for plugins with more than 1M active installs. On average there were 4551 active installs per report, giving a total of 7141940 active installs affected.
Everyone who made it possible 🥇
| Pos. | Researcher | Bounty | AXP |
|---|---|---|---|
| 1 | Kinorth | 3900 | 4386.3 |
| 2 | stealthcopter | 3300 | 4370.99 |
| 3 | SOPROBRO | 1800 | 3130.36 |
| 4 | Mika | 1600 | 2780.55 |
| 5 | LVT-tholv2k | 1000 | 1233.16 |
| 6 | Le Ngoc Anh | 500 | 624.8 |
| 7 | thiennv | 500 | 582.29 |
| 8 | TaiYou | 400 | 558.9 |
| 9 | Muhamad Agil Fachrian | 500 | 525.83 |
| 10 | Gab | 500 | 458.28 |
| 11 | Bonds | 500 | 420.8 |
| 12 | ghsinfosec | 300 | 407.37 |
| 13 | Dimas Maulana | 600 | 324.2 |
| 14 | theviper17 | 300 | 225.52 |
| 15 | Zlrqh | 300 | 182.22 |
| 16 | Joshua Chan | 200 | 171.06 |
| 17 | truonghuuphuc | 200 | 129.85 |
| 18 | C_T_R_L (Chance) | 100 | 129.16 |
| 19 | Fariq Fadillah Gusti Insani | 200 | 83.4 |
| 20 | Khalid Yusuf | 150 | 75.42 |
| 21 | hunter85 | 50 | 61.82 |
| 22 | Michael | 100 | 60.61 |
| 23 | Zaidan Rizaki | 0 | 48.6 |
| 24 | Marek Mikita | 0 | 44.05 |
| 25 | Hakiduck | 0 | 37.7 |
| 26 | Ayoub Nouri | 0 | 29.4 |
| 27 | savphill | 0 | 17.59 |
| 28 | Peter Thaleikis | 0 | 14.2 |
| 29 | casol | 50 | 13.98 |
| 30 | Pritam Dash | 0 | 10.6 |
| 31 | Hazem Brini | 0 | 6.5 |
| 32 | Junwoo Kang | 0 | 4.88 |
| 33 | Fazle Mawla | 0 | 4.88 |
| 34 | tahu.datar | 0 | 0 |
| 35 | UKO | 0 | 0 |
| 36 | Junsu Yeo | 0 | 0 |
| 37 | Certus Cybersecurity | 0 | 0 |
Also, the Lucky Researcher award goes to casol 🍀
Time to start the November Bug Bounty 📅
October was really difficult – submitting that many reports is not an easy task. That’s why in November we aren’t launching any special events, so we can all recharge a bit.
But it doesn’t mean nothing will happen. Soon we’ll announce more details on a Capture The Flag event we’ll host this month. All the challenges are created by our Alliance members.
Also, don’t forget to join our Discord, where you can find all the amazing conversations and learn from others. And if you want to learn more about security – check out the Patchstack Academy.
