Nearly 1000 Plugins Closed During WordPress Security Cleanup

Published 13 November 2024
Updated 28 November 2024

Patchstack is always looking for new ways to make the WordPress ecosystem safer by organizing various events for ethical hackers and security researchers. Our experiments sometimes lead to unexpected results. Also, these events sometimes uncover issues that were overlooked before.

Our latest experiment took place in October. As part of Cyber Security Month, we announced a special event for our Bug Bounty program, and we decided to make it count by cleaning the WordPress repository of old vulnerable plugins. And what better way to do this than by running a special event with many ethical hackers?

TL;DR

So let’s get to the details!

The usual Bug Bounty rules were adjusted to put all possible plugins and themes into the scope:

  1. Reports for plugins/themes with less than 1K active installs will get the same points as components with 1K active installs.
  2. There’s no limit of 3 years since the last update for the October competition.
  3. Both exceptions apply only to reports that meet one prerequisite: the vulnerability's CVSS score must be at least 6.5 for rules 1 and 2 to be applied.

The event took off rapidly. It went so well that in the middle of the month, we added one extra challenge: “If you discover 1000 (or more) valid reports this month, we will give an extra +$100 bounty to everyone who has reported at least ten reports with CVSS higher than 6.5.”

And they did it. We had big expectations, but not as big as the actual result. The number of valid vulnerability reports shocked us: 1571 valid reports (affecting 7141940 active installs) in total, submitted by 37 researchers. That's huge on its own, but compared with our previous record of 620 (January 2024), it is clear just how huge it was. It was pretty cool to see what the growing Patchstack Alliance community of ethical hackers and security researchers can achieve in one month.

As expected, most reports were for the vulnerabilities found in the plugins.

Vulnerable component type | Count | %
Plugins | 1536 | 97.77
Themes | 35 | 2.23

Looking at the overall report count alone does not give a clear picture of what was discovered, so we started to dig deeper into the statistics, where the scary details began to appear.

Results in numbers

One industry standard for measuring the severity of vulnerabilities is the CVSS (Common Vulnerability Scoring System) score, which combines several essential parameters to give an idea of how dangerous a vulnerability is. The CVSS results for the vulnerabilities discovered in this event were the main trigger for looking at the results from a slightly different angle.

CVSS score | Count | %
7.1 | 755 | 48.06
6.5 | 426 | 27.12
9.8 | 58 | 3.69
10.0 | 48 | 3.06
8.5 | 43 | 2.74
8.8 | 38 | 2.42
7.5 | 37 | 2.36
9.9 | 33 | 2.10
4.3 | 20 | 1.27
5.9 | 17 | 1.08
5.4 | 16 | 1.02
9.3 | 16 | 1.02
5.3 | 14 | 0.89
8.1 | 8 | 0.51
8.2 | 8 | 0.51
8.6 | 8 | 0.51
9.6 | 5 | 0.32
9.1 | 4 | 0.25
4.9 | 3 | 0.19
6.6 | 3 | 0.19
4.4 | 2 | 0.13
6.3 | 2 | 0.13
7.6 | 2 | 0.13
6.1 | 1 | 0.06
6.4 | 1 | 0.06
7.2 | 1 | 0.06
7.7 | 1 | 0.06
8.3 | 1 | 0.06

The first two lines of these stats (CVSS 7.1 and 6.5) correspond to the most common vulnerability types in the WordPress ecosystem: reflected and stored Cross-Site Scripting. That is normal, and the stats from our other events look similar. The unusual part is that the third, fourth, and eighth lines are for the highest-severity vulnerabilities (CVSS 9.8 to 10.0).

Altogether, 164 reports had a CVSS score of 9.0 or higher, and 270 had a score of 8.0 or higher.

CVSS range | Count | %
10 | 48 | 3.06
9+ | 116 | 7.38
8+ | 106 | 6.75
7+ | 796 | 50.67
6+ | 433 | 27.56
5+ | 47 | 2.99
4+ | 25 | 1.59

Sure, some researchers tried to get as many points as possible, but the numbers are an obvious indicator that it wasn't that hard to find such critical issues.

You can get an even clearer picture by looking at the vulnerability types. Most of those dangerous vulnerabilities have been in the repository for over a decade. Yes, you read that correctly. Most reports were for plugins and themes that were last updated 6 to 11 years ago. Do you think that's a lot? One report was for a plugin that was last updated 17 years ago, yet there are still live websites depending on it.

Vulnerability type | Count | %
Cross Site Scripting (XSS) | 1056 | 67.22
Cross Site Request Forgery (CSRF) | 152 | 9.68
Arbitrary File Upload | 73 | 4.65
SQL Injection | 67 | 4.26
Privilege Escalation | 58 | 3.69
PHP Object Injection | 33 | 2.10
Local File Inclusion | 26 | 1.65
Broken Access Control | 22 | 1.40
Remote Code Execution (RCE) | 17 | 1.08
Arbitrary Content Deletion | 15 | 0.95
Arbitrary File Deletion | 11 | 0.70
Sensitive Data Exposure | 10 | 0.64
Arbitrary File Download | 7 | 0.45
Broken Authentication | 6 | 0.38
Server Side Request Forgery (SSRF) | 4 | 0.25
Full Path Disclosure (FPD) | 3 | 0.19
Settings Change | 3 | 0.19
Bypass Vulnerability | 2 | 0.13
Insecure Direct Object References (IDOR) | 2 | 0.13
Path Traversal | 2 | 0.13
Arbitrary Code Execution | 1 | 0.06
Content Injection | 1 | 0.06

Another aspect that strongly suggests this event removed some nasty vulnerabilities from the repository is the statistics on prerequisites (the minimal user role needed to exploit the vulnerability successfully).

As the table below shows, most of those vulnerabilities could be exploited without authentication. Usually, a share that high would point to a large number of CSRF reports, since we count CSRF as not requiring any authentication from the attacker's perspective. However, if you look at the vulnerability type table above again, you will notice only 152 CSRF vulnerabilities.

Prerequisite | Count | %
Unauthenticated | 976 | 62.13
Contributor | 416 | 26.48
Subscriber | 148 | 9.42
Administrator | 20 | 1.27
Author | 5 | 0.32
Editor | 3 | 0.19
Salesman | 1 | 0.06
Shop manager | 1 | 0.06
Student | 1 | 0.06

That's why we made an extra check and filtered for only the vulnerabilities that did not require authentication from any perspective (neither from the attacker nor from any other user). We got 194 vulnerabilities, which is 12.35% of the whole catch.

Vulnerability | Count | %
Privilege Escalation | 42 | 21.65
Arbitrary File Upload | 41 | 21.13
PHP Object Injection | 28 | 14.43
SQL Injection | 23 | 11.86
Remote Code Execution (RCE) | 10 | 5.15
Arbitrary File Deletion | 8 | 4.12
Sensitive Data Exposure | 8 | 4.12
Arbitrary Content Deletion | 7 | 3.61
Broken Access Control | 5 | 2.58
Local File Inclusion | 5 | 2.58
Arbitrary File Download | 4 | 2.06
Broken Authentication | 4 | 2.06
Full Path Disclosure (FPD) | 3 | 1.55
Bypass Vulnerability | 2 | 1.03
Arbitrary Code Execution | 1 | 0.52
Content Injection | 1 | 0.52
Insecure Direct Object References (IDOR) | 1 | 0.52
Server Side Request Forgery (SSRF) | 1 | 0.52

Patchstack is the largest CNA (CVE Numbering Authority) working on WordPress vulnerabilities, with over 6K CVE IDs already published. While processing all those vulnerabilities, we've noticed that many vendors/developers give no thought to how people can contact them to report vulnerabilities. This is a big problem, and it is why we created the free mVDP program for every WordPress plugin and theme.

Can we measure this problem? Yes! Out of 1571 reports, at least 1162 had to be sent to the WordPress plugin and theme review teams because the vendors' contacts were unavailable, outdated, or not working (broken contact forms, bouncing emails, URLs pointing to dropped domain names).

Contact | Count | %
WP review teams | 1162 | 73.97
Private | 409 | 26.03

We want to thank the WordPress plugins review team, which worked with us closely and provided quick reactions to all our reports.

Consequences to the WordPress Plugins Repository

Each event has an outcome, and in this case, again, it is something extraordinary. As mentioned above, most of those plugins already looked abandoned or their developers were not reachable, so we were forced to report those vulnerabilities to the plugin review team. Such reporting often results in a plugin closure.

At the time of writing, 977 plugins are already closed (most of them temporarily, but if the authors don't take any action, the status will become permanent). This is about 1.1% of all plugins in the repository.

While removing those vulnerable plugins is a great thing because it makes the repository safer, the problem with the visibility of closed plugins still exists: many users will keep using those plugins without ever seeing any indicator of a security risk.

On the bright side, after many years, we are finally seeing some movement in this matter. There is even an experimental plugin allowing us to show statuses inside the admin panel. Kudos to Dion Hulse for pushing this. Now, we just hope that it will get merged sooner rather than later and that we won’t have to write about this topic again.

Some more stats

We want to share some stats about the rockstars who made this event so good. On average, each reporter submitted 43 reports. You can also see the October leaderboard here.

Pos. | Researcher | Reports (valid) | CVSS (avg)
1 | Kinorth | 275 | 7.32
2 | stealthcopter | 121 | 8.89
3 | SOPROBRO | 534 | 6.85
4 | Mika | 154 | 7.68
5 | LVT-tholv2k | 53 | 8.84
6 | Le Ngoc Anh | 44 | 7.1
7 | thiennv | 50 | 6.73
8 | TaiYou | 1 | 8.1
9 | Muhamad Agil Fachrian | 40 | 7.36
10 | Gab | 92 | 6.5
11 | Bonds | 9 | 9.73
12 | ghsinfosec | 18 | 7.92
13 | Dimas Maulana | 10 | 7.7
14 | theviper17 | 18 | 7.1
15 | Zlrqh | 16 | 6.9
16 | Joshua Chan | 21 | 7.48
17 | truonghuuphuc | 14 | 5.92
18 | C_T_R_L (Chance) | 6 | 8.65
19 | Fariq Fadillah Gusti Insani | 9 | 5.35
20 | Khalid Yusuf | 15 | 6.54
21 | hunter85 | 7 | 6.28
22 | Michael | 14 | 6.41
23 | Zaidan Rizaki | 3 | 5.63
24 | Marek Mikita | 16 | 5.14
25 | Hakiduck | 3 | 7.36
26 | Ayoub Nouri | 2 | 7.05
27 | savphill | 4 | 6.07
28 | Peter Thaleikis | 1 | 7.1
29 | casol | 3 | 6.3
30 | Pritam Dash | 1 | 5.3
31 | Hazem Brini | 1 | 6.5
32 | Junwoo Kang | 1 | 6.5
33 | Fazle Mawla | 1 | 6.5
34 | tahu.datar | 3 | 6.93
35 | UKO | 9 | 5.9
36 | Junsu Yeo | 1 | 4.9
37 | Certus Cybersecurity | 1 | 5.9

The highest AXP for one submission goes to TaiYou – 558.90. It’s also the highest score in Patchstack’s history. You can read more about it in this article.

While most of the findings (1471) were for plugins with fewer than 1000 active installs, there were also 2 reports for plugins with more than 1M active installs. On average there were 4551 active installs per report, giving a total of 7141940 active installs affected.

Everyone who made it possible 🥇

Pos. | Researcher | Bounty | AXP
1 | Kinorth | 3900 | 4386.3
2 | stealthcopter | 3300 | 4370.99
3 | SOPROBRO | 1800 | 3130.36
4 | Mika | 1600 | 2780.55
5 | LVT-tholv2k | 1000 | 1233.16
6 | Le Ngoc Anh | 500 | 624.8
7 | thiennv | 500 | 582.29
8 | TaiYou | 400 | 558.9
9 | Muhamad Agil Fachrian | 500 | 525.83
10 | Gab | 500 | 458.28
11 | Bonds | 500 | 420.8
12 | ghsinfosec | 300 | 407.37
13 | Dimas Maulana | 600 | 324.2
14 | theviper17 | 300 | 225.52
15 | Zlrqh | 300 | 182.22
16 | Joshua Chan | 200 | 171.06
17 | truonghuuphuc | 200 | 129.85
18 | C_T_R_L (Chance) | 100 | 129.16
19 | Fariq Fadillah Gusti Insani | 200 | 83.4
20 | Khalid Yusuf | 150 | 75.42
21 | hunter85 | 50 | 61.82
22 | Michael | 100 | 60.61
23 | Zaidan Rizaki | 0 | 48.6
24 | Marek Mikita | 0 | 44.05
25 | Hakiduck | 0 | 37.7
26 | Ayoub Nouri | 0 | 29.4
27 | savphill | 0 | 17.59
28 | Peter Thaleikis | 0 | 14.2
29 | casol | 50 | 13.98
30 | Pritam Dash | 0 | 10.6
31 | Hazem Brini | 0 | 6.5
32 | Junwoo Kang | 0 | 4.88
33 | Fazle Mawla | 0 | 4.88
34 | tahu.datar | 0 | 0
35 | UKO | 0 | 0
36 | Junsu Yeo | 0 | 0
37 | Certus Cybersecurity | 0 | 0

Also, the Lucky Researcher award goes to casol 🍀

Time to start the November Bug Bounty 📅

October was really demanding, since submitting that many reports is not an easy task. That's why in November we aren't launching any special events, so we can all recharge a bit.

But it doesn’t mean nothing will happen. Soon we’ll announce more details on a Capture The Flag event we’ll host this month. All the challenges are created by our Alliance members.

Also, don’t forget to join our Discord, where you can find all the amazing conversations and learn from others. And if you want to learn more about security – check out the Patchstack Academy.
