New web application vulnerabilities increased by 21% in 2018 compared to 2017, according to a Wednesday report from Imperva. More than half of these vulnerabilities (54%) have a public exploit available to hackers, and more than one third (38%) don’t have any solution in terms of software upgrades or patches, the report found.
In the content management system (CMS) category, WordPress vulnerabilities tripled since last year to 542, according to the report. WordPress faced more vulnerabilities than any other CMS, the report found, due in part to the platform’s popularity: It is used by nearly 60% of all websites, totalling to more than 22 million sites, according to WebsiteSetup data.
Virtually all WordPress vulnerabilities (98%) are related to plugins, which expand the functionality and features of a website, the report found. Any user can create and publish a plugin, since WordPress is open source, and there is no enforcement of minimum security standards, which makes them
At the time of the report’s publication, WordPress had 55,271 plugins, with only 1,914 (or 3%) added in 2018. The slow growth of plugins and rapid rise of new vulnerabilities could again be due to its widespread use, as attackers may be more motivated to develop dedicated tools to search for holes in the code, the report noted.
Meanwhile, while Drupal is the third-most popular CMS after WordPress and Joomla, two of its vulnerabilities (CVE-2018-7600 and CVE-2018-7602) were the cause of security breaches in hundreds of thousands of web servers in 2018, the report found. These vulnerabilities allowed unauthenticated attackers to remotely inject malicious code, and run it on default or common Drupal installations—then letting attackers connect to backend databases, scan and infect internal networks, mine cryptocurrencies, and infect clients with trojans, according to the report.
Here are the 10 WordPress plugins with the most vulnerabilities in 2018 (it should be noted that this does not mean they are necessarily the most-attacked plugins, however), according to the report:
- Event Calendar WD
- Ultimate Member
- Coming Soon Page
- GD Rating System
- Contact Form by WD
- WPGlobus
- From Maker
- Ninja Forms
- Affiliates Manager
- Duplicator Pro