State of WordPress Security in 2022

Most common WordPress security bugs in 2022

In previous years Cross-Site Scripting (XSS) has been the most common security bug reported, but in 2022 it was narrowly edged out by Cross-site Request Forgery (CSRF).

CSRF made a huge jump – when in 2021 it made up 11% of reported bugs, then last year it was 29%. There are a couple of reasons for that.

Firstly, CSRF is generally easier to find and thus they are reported more often. Secondly, last year a CSRF bug was found in the Freemius framework which affected a large number of plugins. Consequently, the number of CSRF bugs also increased dramatically.

Not all bugs are created equal – how big of a risk they pose depends on many different factors. Based on these each verified security bug is assigned a CVSS score on a scale of 10, with 10 representing critical severity.

Popular plugins with reported security bugs

These were the most popular plugins containing a security bug, defined as having at least 1 million installs and at least one bug.

Only five of the plugins contained a high severity bug, and none contained a critical one.

Two of the highest CVSS score vulnerabilities were found in plugins related to Elementor. In 2022 we found security bugs in four other page builders. Most page builders are premium plugins and thus harder to access for security auditing, which explains the relatively small number of security bugs reported in them.

However we’d like to emphasize that even if you’re using page builders to develop sites, you should still be mindful of the tools you use, and perform regular updates.

• Elementor Website Builder
• Essential Addons for Elementor
• UpdraftPlus WordPress Backup
• One Click Demo Import
• MonsterInsights
• WooCommerce
• All-in-One WP Migration
• All in One SEO
• Yoast SEO
• WordFence
• Contact Form by WPForms

Most exploited WordPress security bugs in 2022

We analyzed our firewall activity logs to detect which vulnerabilities attackers target the most. The following is a ranking of the vulnerabilities based on how many exploit attempts were made against them.

Top 3 new vulnerabilities with the most attempted exploits

AccessPress

Backdoor

↗

Dozens of plugins and themes were compromised in a supply chain attack on AccessPress in early 2022. The vulnerability affected over 360,000 websites and it enabled attackers to use a backdoor to gain access to infected websites.

Frontend File Manager

Arbitrary File Upload

↗

Versions 2.1.2 and older of this plugin were affected by an Arbitrary File Upload vulnerability. This could allow a malicious actor to upload any type of file to a website, including backdoors which are then executed to gain further access to a website. The vulnerability was patched in version 21.3.

According to the WordPress repository, as of February, 8th, 2023, 56% of sites using this plugin are still running versions 21.2 and older, meaning that they are potentially vulnerable to attacks.

This percentage of out-of-date versions highlights a bigger issue in the WordPress space of people not updating their sites often enough.

School Management Pro

Backdoor Arbitrary File Upload

↗

Versions 9.9.6 and older of the School Management Pro plugin contained a backdoor that allowed Remote Code Execution. This could allow a malicious actor to execute commands on the target website and can be used to further gain access to the website in order to assume full control of it. This vulnerability has been fixed in version 9.9.7.

We also keep seeing attack attempts against older vulnerabilities.

There are open-source hacking tools available online which are made to automate attacks on scale. Many of them are made years ago and include exploits of known old vulnerabilities.

Old vulnerabilities still actively exploited (pre-2022)

Social Warfare

Unauthorized XSS/RCE

↗

The unauthenticated XSS vulnerability in Social Warfare plugin was first reported in 2019 – last year it made up 97% of detected attempts against old vulnerabilities, based on data on hits made against our firewall.

Duplicator

Arbitrary File Download

↗

Publicly disclosed in 2020, this vulnerability allowed an attacker to download files from an affected website, including those containing login credentials. In 2022, it only accounted for 2% of attempts made for old plugins.

In general, however, few old vulnerabilities get active exploit attempts – over time sites update or remove vulnerable plugins, which in turn makes it harder for the attacker to find a website that can be exploited. For an attacker this may not be worth it if the success rate starts dropping significantly.

CVE-2022-3590 – Unauthenticated Blind SSRF

On September 5th, 2022, the respectable security researchers at Sonar Source released details regarding an Unauthenticated Blind SSRF security bug that went unpatched in WordPress core. The post includes a timeline that shows the researchers waited 228 days from their initial report before publicizing details.

The official severity assigned to CVE-2022-3590 by NVD (National Vulnerability Database) is a “5.9” Medium. In practicality, this may be too high. In order to perform the attack against a live website, attackers would first need to control the DNS (Domain Name System) server the Web Hosting server uses. This is a very unlikely scenario for most WordPress websites.

CVE-2022-33994 – XSS via SVG in Gutenberg

On July 30th, 2022 details of a potential stored XSS (Cross Site Scripting) security bug in how Gutenberg (WordPress’s editor) handles SVG (Scalable Vector Graphics) images were made public. This full disclosure came after 45 days of discussion between the security researchers and the WordPress core security team. The WordPress core team decided the report was informational and is having a discussion related to this issue in public tickets.

This CVE’s severity rating is a 3.0 or Low risk according to NVD. This is due to the fact the XSS payload will not be executed within the context of the WordPress application. This bug poses no risk to the WordPress website unless it was seriously misconfigured, however, most popular web application vendors have prevented similar SVG-related XSS bugs in their applications.

Unpatched security bugs are a silent security risk

When we looked at the most critical security bugs disclosed in 2022, we found that 26% never received a fix.

Most of the time abandoned and unsupported plugins are removed from the WordPress.org directory – but any such plugins that are installed on websites will stay there until deleted by people running those sites.

We have talked about the risks of using abandoned plugins and themes before. Such plugins are dangerous because they are a potential threat even if the site has auto-updates enabled. A vulnerable and abandoned plugin would give no indication to the user that something is wrong – with no available updates it would look as if everything were up to date.

Furthermore, if a plugin is removed from the WordPress plugin repository, the public record of its security issues is lost.

Unsupported plugins

Security bugs are just bugs that can be patched. A security bug becomes a vulnerability if a site does not receive a patch. If that vulnerability is exploited it leads to sites being compromised. Notifications about insecure components inform users to patch, preventing the compromise from happening.

The majority of bugs reported through the Patchstack Alliance in 2022 received a timely patch from the developer. However, not all reports lead to patches. In some cases, the insecure component received no patch and was subsequently removed from its respective repository. The closure of 87 themes/plugins in 2022 was directly related to their inability to address a security bug.

An unfortunate truth is that software available in public repositories is sometimes unsupported due to it being abandoned. This problem is exacerbated by the fact website owners will see a misleading “no update available” for these insecure components. Many site owners are simply unaware they are running insecure and unsupported components.

Using a vulnerability assessment tool like the Patchstack app or Patchstack Threat Intelligence feed can help identify components with known security bugs in them, empowering site owners to take action to secure their sites before they are hacked.

How Patchstack is addressing the unsupported plugin issue

Security issues in the software supply chain

The global economy and open-source software have something in common. They both depend on a supply chain – the past year showed many of us what happens when supply chains break down. How life can be disrupted when individual links in these ephemeral chains are unsupported or fail, the outcomes can be unexpected.

Open source depends on a supply chain of code. We first saw the effects of security bugs in the open-source software supply chain in late 2021 with a vulnerability in log4j. This concern is not limited to just Java-based logging libraries though. In 2022 the WordPress ecosystem experienced vulnerabilities in multiple component supply chains, but it fared a lot better than log4j. Here is what happened and why.

Freemius framework vulnerability

Freemius is a popular SDK (Software Development Kit) used by hundreds of popular WordPress plugins and themes. In early 2022, there was a report of a low to medium-risk security bug found in the Freemius code. This spurred a monumental effort from the Freemius team and WordPress.org plugin repository volunteers. The almost thousand plugins that utilized Freemius needed to be informed to update their version of the Freemius libraries in their code base.

The good news was hundreds of plugins that were notified of the security bug in Freemius updated their project’s code and patched the bug. The bad news was dozens to hundreds of projects did not respond to the notifications. These projects did not update their Freemius libraries, and in the end, were removed from the WordPress.org repository due to security concerns.

YITH framework vulnerability

A fully independent platform that sells plugins for WooCommerce shops, also independently develops all of its offered plugins using its own in-house framework. This central framework is a mature development practice, which lead to a smooth rollout when they faced a security bug.

A single, low to medium-severity security bug (CSRF) was identified in the shared code between many of the YITH plugins. The developers at YITH produced a patch in short order and deployed this patch downstream to dozens of their affected plugins.

The patch made available downstream was much faster for YITH compared to Freemius. This is because the Freemius library is used by many developers, while YITH’s code libraries were only used in their own plugins. This a sign that security improves with fewer links in the overall software supply chain.

These examples have one common positive thing going for them. Each project was supported by its developers, and those developers were able to make a security patch available for all of the projects downstream that relied on their core code or framework.

If you run or manage a WordPress website, it is important to know what plugins and themes you rely on. The next time you apply a security patch, remember that the patch was made available by a developer somewhere upstream in your supply chain. Take a minute to acknowledge your reliance on their support and consider supporting those projects in turn.

Ecosystem leaders are taking action

Over the past year or so we’ve seen a very positive trend of more and more WordPress hosting services alerting their customers about vulnerabilities in their sites.

We’ve been working together with service providers to integrate our vulnerability feed to their systems in an effort to create an additional security layer for the WordPress ecosystem. A notable example of this is One.com – in one year they fixed 56,000 vulnerabilities on their customers’ sites with the help of our intel feed and their own update management software.