WordPress third-party plugin vulnerabilities shot up significantly by the end of 2021 — 10,359 to be precise, out of which 2240 vulnerabilities were disclosed in 2021 itself, an increase of about 142% compared to 2020. What’s worse is that 77% of the vulnerabilities are still known to have public exploits.
Researchers at RiskBased Security put the average CVSSv2 score for all WordPress plugin vulnerabilities at 5.5. While that might be considered a ‘moderate’ score by most current VM frameworks, RiskBased Security observed a disconnect between conventional VM practices and the impact these vulnerabilities might have had.
Out of all the currently reported vulnerabilities, 7592 are remotely exploitable, 7993 have known public exploits, and 4797 have a public exploit with no CVE ID assigned yet.
Right under the radar
These numbers are especially worrying for organisations relying on CVE IDs or NVDs, considering they’ll be unaware of about 60% of the total issues that have known public exploits.
According to the researchers, the right approach towards this threat is to start a fundamental shift away from focussing on how critical a risk might be to an organisation and concentrating more on the most easily exploitable issues.
The report further adds that security professionals should start with remotely exploitable vulnerabilities, have a publicly known exploit and have a known solution as well. If the plugin issues affect important site assets, the vulnerabilities should be fixed first. This helps protect organisations against potential attacks while saving time since implementable solutions are already available.
Organisations would be better off relying on a timely, detailed source of vulnerability intelligence that covers all known issues in IT, OT, IoT and other third-party libraries and dependencies. This approach will prove more effective than traditional Vulnerability Management (VM) models based on severity.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.