Out of 45000 Total WordPress Plugins, 8800 Are Vulnerable

WordPress is the most widely used Content Management System; millions of websites run this PHP and MySQL based CMS. If you also use WordPress for your websites, this news could make you a little worried. Around 48000 plugins are available on the official WordPress website, and security firm RIPS Technologies has scanned a directory of 45000 of them. The RIPS researchers found that more than 8800 official WordPress plugins are vulnerable to various types of cyber-attacks. They ran a static code scan on every plugin that contains at least one PHP file.

Description

RIPS Technologies has provided security solutions since 2003 by finding security vulnerabilities in PHP based applications. To check the security of WordPress plugins, the RIPS security team downloaded all the plugins from the official WordPress website and then scanned them with their static code analysis tool, RIPS. The results were a little shocking, because every second well-known plugin was vulnerable. All the scanned plugins are PHP based and contain at least one PHP file. Of the scanned plugins, around 14000 contain 2-5 PHP files, and 10500 count as larger plugins because they contain more than 500 lines of PHP code.

Total Number of Vulnerabilities

The security researchers of RIPS Technologies discovered a total of 67,486 security vulnerabilities. Among the larger plugins, 43 percent contain medium-level vulnerabilities.

Low Level Vulnerabilities (1426 Plugins)

Medium Level Vulnerabilities (4612 Plugins)

High Risk Vulnerabilities (2799 Plugins)

Critical Vulnerabilities (41 Plugins)

Safe Plugins (36000 Plugins)

XSS and SQL Vulnerabilities

According to RIPS Technologies, 68 percent of the plugins are vulnerable to various types of Cross-Site Scripting (XSS) attacks and 20 percent are vulnerable to SQL injection attacks. This means more advanced security methods are needed to protect these plugins from such attacks. As you know, SQL injection and XSS sit at the top of the OWASP Top 10 list.

The rest of the plugins are vulnerable to other well-known cyber-attacks, and attackers could easily exploit all of them. Developers should understand the risk these vulnerabilities pose: millions of websites are based on WordPress, and a single successful plugin exploit may put all of them at risk.
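The two bug classes the scan found most often, as they typically appear in WordPress plugin code, each beside its hardened form. This is an added example, not code from the article or from RIPS; it assumes a plugin table named with the constructed suffix demo_items and the WordPress core APIs $wpdb->prepare(), esc_html(), absint(), wp_unslash() and sanitize_text_field().

```php
<?php
// Added example (not from the article or RIPS): the common unsafe patterns
// behind SQL injection and XSS in plugins, with the corrected versions.
// Assumes the WordPress core APIs named in the lead-in and a constructed
// table name {$wpdb->prefix}demo_items.

// --- SQL injection: string-built query vs. a prepared statement -------------
function demo_get_item_unsafe() {
    global $wpdb;
    // Untrusted request data is concatenated straight into the SQL string,
    // so it can change the structure of the query.
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}demo_items WHERE id = " . $_GET['id']
    );
}

function demo_get_item_safe( $id ) {
    global $wpdb;
    // absint() coerces the value to a non-negative integer and prepare()
    // binds it to a %d placeholder, so the query structure is fixed.
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}demo_items WHERE id = %d",
            absint( $id )
        )
    );
}

// --- Reflected XSS: raw echo of request data vs. output escaping ------------
function demo_render_search_unsafe() {
    // Request data is written into the HTML response with no encoding.
    echo '<p>Results for: ' . $_GET['q'] . '</p>';
}

function demo_render_search_safe() {
    // Sanitize on input, then escape for the HTML context on output.
    // isset() avoids a PHP notice when the parameter is absent.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
}
```

Static analysers such as the one described in the article flag the unsafe variants because request data reaches a SQL sink or an HTML output sink without passing through a sanitizing or escaping function on the way.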
