According to WPScan, plugin vulnerabilities make up 90% of all WordPress vulnerabilities. This makes plugins the most common entry point for attackers to compromise WordPress sites.
They’re also increasing. According to data from Risk Based Security, WordPress plugin vulnerabilities rose by 142% in 2021.
It’s more important than ever to be aware of any recent plugin vulnerabilities that may have exposed your site. That way, you can update them right away or uninstall and delete the plugin until a security patch is released. Doing so prevents hackers from finding and exploiting vulnerabilities to gain access to your site.
To help, we’ve compiled a list of plugins with vulnerabilities disclosed within the past twelve months. Let’s take a look below, then discuss some takeaways from 2021 and best practices for handling plugin vulnerabilities in the future.
Vulnerable WordPress Plugins
- WooCommerce
- Gutenberg Template Library & Redux Framework
- SEOPress
- WordPress Popular Posts
- Smash Balloon Social Post Feed
- PublishPress Capabilities
- Variation Swatches for WooCommerce
Before we dive into each plugin and its recent vulnerability, it’s important to note that most plugin vulnerabilities do not indicate a lack of quality or reliability of the plugin itself. More frequently, they reflect on the popularity of the plugin as well as the popularity of WordPress as a whole, which makes it an attractive target for hackers.
Now let’s take a look at plugins with recent vulnerabilities (that have since had security patches released).
WooCommerce
Active installations: 5+ million
Used by 20.5% of all WordPress websites, WooCommerce is the most popular ecommerce WordPress plugin. In July 2021, WooCommerce identified a SQL injection vulnerability that allowed an unauthenticated attacker to access arbitrary data in an online store’s database, and immediately issued an emergency patch.
In addition to running the latest version of WooCommerce (which was 5.5.2 at the time), the WooCommerce team recommended updating the passwords for any admin users and rotating any Payment Gateway and WooCommerce API keys used.
To learn more about SQL injections, check out 13 WordPress Security Issues & Vulnerabilities You Should Know About.
Gutenberg Template Library & Redux Framework
Active installations: 1+ million
The Gutenberg Template Library & Redux Framework is a popular free plugin that enables users to access over 100 blocks and block templates and add them to their site using the Gutenberg editor.
In August 2021, the Wordfence Threat Intelligence team disclosed two incorrect authorization vulnerabilities. One allowed contributors and other users with lower permissions to install and activate arbitrary plugins and delete any post or page via the REST API. The other vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration. A patched version of the plugin (4.2.13) was released about a week after the vulnerabilities were discovered.
SEOPress
Active installations: 200,000+
SEOPress is an all-in-one SEO solution for building custom HTML and XML Sitemaps, creating breadcrumbs, adding schemas and Google structured data types, and managing 301 redirects, among other functions.
At the end of July 2021, the Wordfence Threat Intelligence team disclosed a stored cross-site scripting vulnerability that made it possible for an attacker to inject arbitrary web scripts on a vulnerable site that would execute any time a user accessed the “All Posts” page. An updated version of the plugin containing security patches (version 5.0.4) was quickly released a few days later.
WordPress Popular Posts
Active installations: 200,000+
WordPress Popular Posts is a free plugin that adds a highly customizable widget for displaying your most popular posts to your WordPress installation.
In June 2021, NinTechNet discovered a remote code execution vulnerability that enabled an attacker with a contributor role or higher-level permissions to have the server download and execute arbitrary PHP code. The plugin author quickly patched it and released a new version (5.3.3).
Smash Balloon Social Post Feed
Active installations: 200,000+
Smash Balloon Social Post Feed is a free WordPress plugin that enables users to display Facebook posts and feeds on their WordPress sites.
In October 2021, Jetpack discovered a stored cross-site scripting vulnerability that made it possible for any user with an account, like a subscriber, to store malicious scripts on every post and page of the affected site. Then, if a logged-in administrator visited one of those pages, the script could run on their browser and execute administrative actions on their behalf. The plugin author released an updated version (4.0.1) within a week.
PublishPress Capabilities
Active installations: 100,000+
PublishPress Capabilities is a free WordPress plugin designed for customizing user roles and permissions.
In December 2021, the Wordfence Threat Intelligence team discovered an unauthenticated arbitrary options update vulnerability affecting four plugins, including PublishPress Capabilities, and several themes. The exploitation campaign that followed was massive: 13.7 million attacks targeting over 1.6 million sites.
Each of the plugins and themes quickly released security patches, but PublishPress Capabilities took an additional safety measure. Within days of the vulnerability being reported, the team pushed an emergency update to all websites running versions 2.0.0 through 2.3.0 of the plugin.
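The Gutenberg Template Library and PublishPress Capabilities findings above are both authorization failures on endpoints that change site state. The following added example (my own illustration, not code from any of the plugins named in this post) shows that bug class in a WordPress REST route that saves plugin settings, first without a permission check and then hardened; the namespace "example-plugin/v1" and the option key "example_plugin_settings" are hypothetical.

```php
<?php
// Added example, not code from any plugin named in this post. It shows the
// bug class behind "incorrect authorization" and "arbitrary options update"
// findings: a REST endpoint that saves plugin settings. The namespace
// "example-plugin/v1" and option "example_plugin_settings" are hypothetical.

add_action( 'rest_api_init', function () {

    // VULNERABLE: '__return_true' means no login or capability is required,
    // and the option name and value come straight from the request, so any
    // visitor can overwrite any row in wp_options, including the options
    // that control user registration and the default role of new users.
    register_rest_route( 'example-plugin/v1', '/settings-vulnerable', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( $request['option'], $request['value'] );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );

    // HARDENED: permission_callback requires manage_options, so subscribers,
    // contributors and anonymous callers are rejected before the callback
    // runs (core also checks the X-WP-Nonce header on cookie-authenticated
    // requests); the 'args' schema is validated and sanitized by core; and
    // the handler writes only its own option key with a fixed shape.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'per_page' => array(
                'type'              => 'integer',
                'minimum'           => 1,
                'maximum'           => 100,
                'required'          => true,
                'sanitize_callback' => 'absint',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $settings = array( 'per_page' => (int) $request['per_page'] );
            update_option( 'example_plugin_settings', $settings );
            return rest_ensure_response( $settings );
        },
    ) );
} );
```

When auditing a plugin, grep for `'permission_callback' => '__return_true'` and for `update_option()` calls whose first argument is not a literal string; either one on a state-changing endpoint deserves a closer look.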
Variation Swatches for WooCommerce
Active installations: 80,000+
Variation Swatches for WooCommerce allows users to show different colors or styles of a product as color swatches, text, labels, or images — instead of the default dropdown menu — on their WooCommerce product pages.
What We Learned About WordPress Plugin Vulnerabilities in 2021
The WordPress plugin vulnerabilities above are just a few examples of thousands of vulnerabilities discovered in 2021. Through reporting, analyzing, and patching them, security researchers and plugin developers gained some valuable insights. Here are some important takeaways:
1. Cross-site scripting vulnerabilities accounted for 52% of plugin vulnerabilities in the first half of 2021. (Wordfence)
Cross-Site Scripting (XSS) is an attack in which an attacker injects malicious code into an otherwise legitimate and trustworthy website so that it executes in another user’s web browser. The result may be that the attacker gains access to that user’s data or can masquerade as the legitimate user to carry out actions on the website, like installing plugins or deleting posts.
XSS was the most commonly discovered vulnerability affecting WordPress plugins in 2021 by far. The next most commonly discovered vulnerability — Cross-Site Request Forgery (CSRF) — only accounted for 16% of plugin vulnerabilities.
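Both the SEOPress and Smash Balloon cases above are stored XSS: a low-privileged user saves a value that is later rendered, unescaped, on a page an administrator views. The added example below (my own illustration, not the code of either plugin) shows that pattern in a custom column on the All Posts screen, with the vulnerable renderer beside a hardened one; the meta key "_example_seo_title", the form field names and the nonce action are hypothetical, and the meta box that outputs the field and its wp_nonce_field() is omitted.

```php
<?php
// Added example, not code from SEOPress, Smash Balloon or any plugin above.
// Scenario: a plugin lets anyone who can edit a post (contributors included)
// set a custom "SEO title", then shows it in a column on the All Posts screen
// that administrators view. Meta key "_example_seo_title" is hypothetical.

add_filter( 'manage_posts_columns', function ( $columns ) {
    $columns['example_seo_title'] = 'SEO Title';
    return $columns;
} );

// VULNERABLE: prints the stored value as raw HTML. If the save path stored it
// unchanged, a contributor who entered "<script>...</script>" as the title
// gets it executed in the browser of every administrator who opens All Posts,
// with that administrator's session and nonces (stored XSS).
function example_render_seo_column_vulnerable( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        echo get_post_meta( $post_id, '_example_seo_title', true );
    }
}

// HARDENED output: escape for the exact context the value lands in.
// esc_html() for text between tags, esc_attr() inside an attribute value.
function example_render_seo_column_hardened( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        $title = get_post_meta( $post_id, '_example_seo_title', true );
        printf( '<span title="%s">%s</span>', esc_attr( $title ), esc_html( $title ) );
    }
}
add_action( 'manage_posts_custom_column', 'example_render_seo_column_hardened', 10, 2 );

// HARDENED input: capability check, nonce check and sanitization on save.
// Sanitizing here is defense in depth; output escaping above is what
// actually prevents the XSS, since meta can be written by other code paths.
function example_save_seo_title( $post_id ) {
    if ( ! isset( $_POST['example_seo_title'], $_POST['example_seo_nonce'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_title_save' ) ) {
        return;
    }
    $title = sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) );
    update_post_meta( $post_id, '_example_seo_title', $title );
}
add_action( 'save_post', 'example_save_seo_title' );
```

The rule of thumb when reviewing a plugin is that every `echo` or `printf` of data that originated from a user (post meta, options, request parameters) should pass through the escaping function matching its output context.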
2. 2,240 WordPress plugin vulnerabilities were disclosed in 2021, which is a 142% increase from 2020. (Risk Based Security)
WordPress plugin vulnerabilities more than doubled in 2021 — but this doesn’t necessarily indicate that WordPress plugins are becoming more vulnerable over time. Rather, it indicates that more people are discovering and reporting plugin vulnerabilities. This is likely the result of a combination of factors, including the continued growth of both WordPress and the cybersecurity industry.
The increase in reported vulnerabilities does reinforce how important it is to keep your plugins updated.
3. The average CVSS score for WordPress plugin vulnerabilities is 5.5, which is a medium severity rating. (Risk Based Security)
The Common Vulnerability Scoring System (CVSS) is an open framework created by the National Institute of Standards and Technology to communicate both the characteristics and severity of software vulnerabilities. It can be used to calculate the severity of vulnerabilities discovered in a product or system and to decide which vulnerabilities to fix first based on their likelihood of being exploited and potential impact on the organization.
The good news is that while the number of disclosed plugin vulnerabilities has increased dramatically in the past decade, the average CVSS score has stayed roughly the same. Under CVSS v2.0, that average of 5.5 is a medium severity rating.
How to Secure Your Site Against WordPress Plugin Vulnerabilities in 2022
Moving forward, it’s essential you take steps to secure your WordPress website against plugin vulnerabilities and other threats. Here are some best practices:
- Only install plugins that have been updated in the past six months.
- Update plugins as soon as the latest version is available.
- Delete and uninstall any vulnerable plugins that have not released a security patch.
- Delete any abandoned plugins (i.e. plugins that haven’t been updated in the last two years).
- Avoid nulled plugins (i.e. copies of premium WordPress plugins that have been modified and made available for free or at a reduced cost).
For a more in-depth look at these and other best practices, check out 20 Steps to Secure Your WordPress Site.
The Reality of Vulnerable Plugins
While you can’t totally avoid vulnerable WordPress plugins, you can follow security practices to limit the exposure of your website. Only install plugins that have been updated in the past six months, keep them up to date, and delete them if they are abandoned or have an unpatched vulnerability.