Security Threats in 5 of the Most Popular WordPress Plugins

Popular WordPress Plugins Are Insecure

Don't presume WordPress’ most popular plugins are stable and secure. You'll be surprised by how vulnerable to security threats these top WordPress plugins are.


Given that WordPress is open source, anyone can create and publish a plugin. Since WordPress enforces no minimum security standards for plugins, they are inherently prone to vulnerabilities.

Of the most popular WordPress plugins available for installation, there are five which have proven to be more vulnerable to security threats than you might think.

Jetpack

Jetpack is a security and site management plugin provided by WordPress parent company Automattic. Jetpack has more than five million active installations. If the plugin is configured to manage code and site functions, a compromised Jetpack plugin could lead to a compromised WordPress website.

Jetpack currently has nine vulnerability warnings and four CVE entries, although most of these alerts concern outdated versions of the plugin. The most recent was publicized in December 2018: an XSS vulnerability which would allow JavaScript injections to compromise the WordPress website’s server.

In May of 2018, Jetpack was used as an attack vector to install a malicious plugin onto victims’ websites. If the user’s login credentials were compromised and the website used Jetpack, it could be used to install the plugin ‘pluginsamonsters’, which would give the attacker full control of the web property. According to the WordPress.org website, this exploit remains unresolved.

All In One SEO Pack

With more than 50 million downloads since its launch in 2007, All In One SEO Pack claims to be WordPress’ most downloaded and oldest SEO-focused plugin. Currently, it boasts approximately two million active installations on WordPress websites.

All In One SEO Pack’s latest vulnerability, another XSS flaw, was discovered in October 2018. The plugin’s author did not release a security patch for the vulnerability until December 11th, nearly two months after the flaw was identified. Fortunately, there were no noted exploitation campaigns during that time. In addition to XSS flaws, other vulnerabilities include information disclosure and privilege escalation flaws.

Contact Form 7

With more than five million active users, the Contact Form 7 plugin is the second most widely used of all WordPress plugins. It is designed to manage and customize a website’s contact forms. Although the plugin can be configured to allow a certain amount of tracking, default configurations do not handle personal user data.

What makes Contact Form 7 more vulnerable than other plugins is its user base and the privilege escalation flaw disclosed in September of 2018. The vulnerability does not involve a high damage risk in itself, but allows an attacker to upload malicious files to the website’s directory, opening the possibility for further, more damaging attacks.

Although the threat has been eliminated in Contact Form 7’s current version, fewer than 30 percent of users have updated the plugin. This leaves approximately 3.5 million WordPress websites exposed to this privilege escalation vulnerability.

Most recent security vulnerability detected: 2018-09-04.

Yoast SEO

With its install base of more than five million users, Yoast is not only the most popular SEO plugin for WordPress, but also the open source platform’s most popular plugin of all.

With such a wide user base, new vulnerabilities are more troublesome than in any other WordPress plugin. A severe zero-day, or a failure to immediately address a flaw, has the potential to affect millions of websites.

Ten known vulnerability warnings exist for Yoast SEO, with an additional five affecting Yoast’s Google Analytics plugin. An authenticated race condition vulnerability from November 2018 has the potential to allow remote code execution, depending on the plugin’s setup. Even though this flaw was addressed in Yoast SEO version 9.2, as of January 2019 more than 50% of the plugin’s user base was still using version 9.1 or earlier.

WooCommerce

WooCommerce, owned by WordPress parent company Automattic, is WordPress’ leading e-commerce plugin, with an estimated 4 million active installations, and powers approximately 30% of all online stores. Because of its function in handling customer payments, and potentially storing both personal and payment data on its customers, it is an appealing target for hackers.

Dating back to 2014, there are 19 vulnerability warnings for the WooCommerce plugin, as well as additional vulnerabilities for plugin extensions. 2018 alone saw seven different vulnerabilities in the core WooCommerce plugin, which included XSS, deserialization, injection and privilege escalation flaws. One flaw, discovered in November of 2018, would allow anyone with ‘shop manager’ privilege to take complete control of a WooCommerce-powered website.

Summary

Do not presume that WordPress’ most popular plugins are stable and secure. Even when flaws are identified and addressed by developers, it remains the website owner’s responsibility to install updates as soon as they become available. If users fail to abide by this, the plugin vulnerability remains and is likely to be exploited by hackers and nefarious actors.
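The recurring finding above is that fixes exist but sites stay on vulnerable versions (Yoast SEO users still on 9.1 after the 9.2 fix, Contact Form 7 users who never updated). The script below is an added example, not code from the article or from any of the plugins it discusses: it consumes the JSON that WP-CLI's `wp plugin list --format=json` prints and flags every installed plugin whose version is below a minimum safe version. The Yoast SEO threshold (9.2) is the fix version the article names; the `example-plugin` entry and all version numbers in the sample output are constructed placeholders a site owner would replace with values from the plugin changelogs or an advisory feed.

```python
"""Flag installed WordPress plugins that are older than a known fix version.

Added example: assumes the JSON shape of `wp plugin list --format=json`
(fields: name, status, update, version). Thresholds other than the Yoast SEO
one are hypothetical placeholders.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

# Minimum version in which a disclosed flaw is fixed, keyed by plugin slug.
MINIMUM_SAFE_VERSIONS: Dict[str, str] = {
    "wordpress-seo": "9.2",    # Yoast SEO: race condition fixed in 9.2 (per the article)
    "example-plugin": "2.0",   # hypothetical slug and threshold, for illustration only
}

# Constructed sample of WP-CLI output; the version numbers are made up.
SAMPLE_WP_CLI_OUTPUT = """[
  {"name": "wordpress-seo",  "status": "active",   "update": "available", "version": "9.1"},
  {"name": "contact-form-7", "status": "active",   "update": "none",      "version": "5.1.1"},
  {"name": "example-plugin", "status": "inactive", "update": "available", "version": "1.9"},
  {"name": "jetpack",        "status": "active",   "update": "none",      "version": "6.8"}
]"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.2.1' into (9, 2, 1); a non-numeric suffix such as '-beta' is dropped.

    Numeric comparison matters: a plain string compare ranks '9.10' below '9.2'.
    """
    match = re.match(r"[0-9]+(?:\.[0-9]+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_outdated(installed: str, minimum: str) -> bool:
    """True when the installed version is strictly below the minimum safe one."""
    a, b = parse_version(installed), parse_version(minimum)
    # Pad the shorter tuple with zeros so that '9.2' compares equal to '9.2.0'.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(wp_cli_json: str, minimums: Dict[str, str] = MINIMUM_SAFE_VERSIONS) -> List[dict]:
    """Return one finding per installed plugin that is below its minimum safe version.

    Inactive plugins are reported as well: deactivating a plugin leaves its
    files on disk, so an old inactive copy is still worth updating or removing.
    Plugins with no known threshold are skipped rather than assumed safe.
    """
    findings = []
    for plugin in json.loads(wp_cli_json):
        minimum = minimums.get(plugin["name"])
        if minimum is None:
            continue
        if is_outdated(plugin["version"], minimum):
            findings.append({
                "name": plugin["name"],
                "installed": plugin["version"],
                "minimum": minimum,
                "status": plugin["status"],
            })
    return findings


if __name__ == "__main__":
    # Pipe real output in (`wp plugin list --format=json | python3 audit.py`),
    # or run with no input to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_OUTPUT
    for f in audit(data):
        print(f"{f['name']}: installed {f['installed']} < fixed {f['minimum']} ({f['status']})")
```

Run against the sample, the script reports `wordpress-seo` (9.1 below 9.2) and the inactive `example-plugin`, and says nothing about `contact-form-7` or `jetpack` because no threshold is recorded for them; silence there means "unknown", not "safe", which is why the table has to be kept current.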
