Top WordPress Plugins are Vulnerable – Reported by CheckMarx

SECURITY STATE OF TOP WORDPRESS PLUGINS

CheckMarx's report claims that around 20% of general WordPress plugins are vulnerable to web attacks, and that 7 out of 10 WordPress ecommerce plugins are not secure against such attacks.

EXPERIMENT DONE AGAINST THESE THREATS

- SQL Injection (SQLI)
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Path Traversal (PT)
- Remote / Local File Inclusion (RFI/LFI)

IMPORTANT FINDINGS

- 20% of the top 50 WordPress plug-ins are vulnerable to different web attacks like SQL injection, cross-site scripting, CSRF and path traversal.
- 70% of the top 10 ecommerce WordPress plug-ins are vulnerable to the common web attacks mentioned above.
- The top plug-ins come from different categories, like content management, website development, ecommerce and social media.
- Most of the plug-ins have released updates in the last year.
- Only 6 plug-ins were completely fixed in the last 6 months.

DIFFERENT TYPES OF WORDPRESS PLUG-INS AT RISK

Categories: eCommerce (shopping cart), Content Management, Social Network.

General plug-ins (the original table also marks each plug-in as affected by SQLI, CSRF or PT; those marks did not survive transcription):

Plugin                                               LOC       Downloads
Lists related entries                                4,682     2,093,718
Tests the site for broken links and missing images   20,636    1,493,609
Add links to Facebook                                8,857     1,029,626
A review system for comments                         26,326    1,002,808
An RSS aggregator                                    15,481    622,894
Site backup                                          247,816   464,212
Embeds Flash and HTML5 video                         13,676    380,551
Saves contact form data                              22,591    372,150
An alternative WordPress editor                      11,395    263,171
Management of site statistics                        3,593     152,467
Transforms WordPress sites to mobile apps            3,820     84,863

eCommerce plug-ins (the original table also marks each plug-in as affected by SQLI, XSS, CSRF, PT or RFI/LFI; those marks did not survive transcription):

Plugin                                               LOC       Downloads
Shopping cart                                        22,277    519,462
Online store setup                                   39,950    380,800
Paypal shopping cart                                 1,302     274,273
Store management and performance                     42,587    234,134
Store management                                     56,162    104,420
Shopping cart                                        42,073    98,521
Shopping cart                                        19,885    93,537

WHO IS RESPONSIBLE FOR VULNERABILITY?

- Site Admins
- Plug-in Developers
- WordPress

RECOMMENDATION

Web Admins
+ Download plugins only from reputable sources; for WordPress, this means WordPress.org
+ Verify the security posture of the plugin by scanning it for security issues
+ Ensure all your plugins are up to date
+ Remove any unused plugins

Plugin Developers
+ Integrate security within the plugin development
+ Run the plugin through a code scanner to ensure that it stands up to a security standard

WordPress and other platform providers
+ Enforce a security policy on apps that enter the marketplace
+ Authorize only apps that passed the security bar

Source: CheckMarx. Designed by ClickSSL.

shared by AbelWike on Jul 17
These security flaws within the plugins allow hackers to use the platform for massive virus and malware infections. The problems are explained in detail in CheckMarx's report.

Publisher: CheckMarx
Designer: ClickSSL
Category: Technology