8,800 WordPress plugins carry at least one severe security vulnerability, according to a new study.
An extensive analysis of 47,959 WordPress plugins – almost the entire WordPress ecosystem – shows “every second larger plugin contains at least one medium severity issue”.
Experts from RIPS Technologies scanned plugins hosted in the official WordPress repository and found that almost 4,500 large plugins – those with more than 500 lines of code – contain at least one medium severity issue, such as cross-site scripting.
In fact, cross-site scripting (XSS) issues affect more than 68% of flawed plugins and just over 20% are SQL injections.
XSS vulnerabilities have been around since the birth of the modern web and are still among the most prevalent threats affecting websites. Big companies such as Yahoo, Ebay, PayPal, Youtube and Twitter have suffered XSS attacks. Yahoo has been so plagued that it open-sourced a set of XSS filters so other webmasters could review it.
“Cross-site scripting vulnerabilities are quite serious in WordPress because they can be used, for example, to inject PHP code through the template editor. Luckily, they do require interaction with an administrator though,” the blog post reads.
Fortunately, overall, there are more secure plugins than others. Roughly 36,000 plugins are not affected by any vulnerabilities, and around 1,000 have small issues. Only 2,800 have high-severity holes.
WordPress is not as insecure as its reputation would suggest”, the company added. “Rather it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues, have a lot of them.“