Vulnerabilities within CMS components are heavily exploited, and there’s a reason for it. Whenever an attacker finds a vulnerability in a popular component, there’s a possibility to gain access to hundreds of thousands of websites.

At the end of 2018, Imperva released a report according to which a whopping 98% of vulnerabilities within the WordPress ecosystem were related to components, i.e. third-party plugins installed on the websites.

98% of vulnerabilities within the WordPress ecosystem were related to third-party components (2018).

Outdated components pose the highest risk

Plugin management within WebARX security dashboard

Web development requires less and less technical knowledge. As long as a component delivers the expected functionality, most don't even bother to check who wrote the code, or whether it is properly maintained.

Even if the components are properly maintained by the developer, getting people to update their websites is a challenge in itself.

Here is what we found after analyzing 15,000+ websites.

Source: at WebARX we have built a website security platform that is trusted by thousands of web development agencies worldwide. We automate vulnerability monitoring, offer a managed endpoint WAF, etc.

Just by taking a quick look at September, even without going deep, we can see some interesting data.

For example:

Websites built on WordPress run an average of 23 components built by a third-party developer. Meanwhile, ~4 of those components are outdated and haven't been updated to the latest version.

Here are the top components outdated on those WordPress installations:

- Yoast SEO (has 5M+ active installations)
- Elementor (has 3M+ active installations)
- Akismet Anti-Spam (has 5M+ active installations)
- UpdraftPlus — Backup/Restore (has 3M+ active installations)
- Contact Form 7 (has 5M+ active installations)

Every single one of the components listed above has at least one critical vulnerability in one of its previous versions.

Analyzing the traffic of WordPress sites (September 2019)

Just to dig a little bit deeper, let’s see what kind of attacks are most common. Let’s analyze 1.5 million firewall records from September, specific to WordPress.

Top 5 malicious GET requests:

You can see the bots being massively opportunistic, trying to leverage poor plugin code to access configuration files.

Top 5 malicious POST requests:

While the GET requests against WordPress are fairly basic, the POST requests often contain payloads that are very specific to logic errors in particular components.

On the chart below you can see that attacks against component security vulnerabilities happen in waves, with multiple vulnerabilities being exploited at the same time.
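The two observations above, opportunistic GET requests that try to make a plugin read configuration files, and attacks arriving in daily waves, can be checked against your own access logs. The script below is an added example, not code from the original post or from the WebARX platform. It assumes Apache/nginx "combined" log format, uses a hypothetical plugin name ("example-plugin"), IPs from documentation ranges, and a short list of sensitive file names and traversal markers chosen for illustration; the log lines are constructed, not real traffic.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed access-log lines in Apache/nginx "combined" format. The IPs are
# documentation ranges and "example-plugin" is a hypothetical plugin name;
# none of this is real WebARX firewall data.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Sep/2019:10:15:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Sep/2019:10:15:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2019:11:00:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2019:08:30:00 +0000] "GET /wp-content/plugins/example-plugin/view.php?path=.htaccess HTTP/1.1" 200 300 "-" "curl/7.64"
192.0.2.44 - - [05/Sep/2019:08:31:00 +0000] "GET /wp-content/uploads/2019/09/image.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Sep/2019:08:32:00 +0000] "GET /?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# File names a plugin should never be asked to read or serve, plus the
# traversal sequences used to reach them. Chosen for this example; extend
# to fit your own environment.
SENSITIVE_NAMES = ("wp-config.php", ".htaccess", ".env")
TRAVERSAL_MARKERS = ("../", "..\\")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return rec


def probe_reason(target):
    """Explain why a request target looks like a config-file probe, or return None."""
    # Decode twice and lower-case: scanners commonly URL-encode (or double-encode)
    # "../" so that a naive substring filter on the raw request misses it.
    decoded = unquote(unquote(target)).lower()
    for name in SENSITIVE_NAMES:
        if name in decoded:
            return f"references {name}"
    for marker in TRAVERSAL_MARKERS:
        if marker in decoded:
            return "path traversal sequence"
    return None


def scan_log(log_text):
    """Return one finding per GET request whose target looks like a config-file probe."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        reason = probe_reason(rec["target"])
        if reason:
            findings.append({
                "day": rec["day"],
                "ip": rec["ip"],
                "target": rec["target"],
                "status": int(rec["status"]),  # a 200 here deserves a closer look
                "reason": reason,
            })
    return findings


def daily_counts(findings):
    """Bucket findings per day; a spike across many sites is the 'wave' pattern."""
    return dict(sorted(Counter(f["day"] for f in findings).items()))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["day"]} {h["ip"]} {h["status"]} {h["reason"]}: {h["target"]}')
    print(daily_counts(hits))
```

Run against a real log, the useful signal is a finding whose status is 200: a 403 means the WAF or web server already stopped the request, while a 200 means the plugin answered it and the file may have been disclosed. Aggregating `daily_counts` across many sites is the simplest way to see the waves the post describes.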