How to detect a vulnerable WordPress plugin
The power and functionality of your WordPress website lie in its plugins. Plugins can do so much for your small business website. You can use them to make your WordPress site load faster, make your content shareable, collect visitor email addresses for your marketing list, and do better in search results. The good news is that many of the best WordPress plugins that can upgrade your website and your business blog are free.
It’s important to make sure the plugins you choose are reputable and secure. Unfortunately, people can, and do, exploit plugins. Usually, this involves malicious scripts injected into plugins with security gaps. That is the focus of this post: helping you identify vulnerable plugins and fix the security problems that can arise from them.
Cybersecurity firm Kaspersky says the possibilities include site takeover, spyware installation, and cryptocurrency mining.
Is Your WordPress Plugin Open to Threats?
Choosing plugins is like buying a car. You want performance, of course, but you also want something that’s safe, reliable and easy to maintain. You choose a reputable car dealer and read reviews, so you don’t make a decision you’ll regret. Likewise, you should get top-rated plugins from a reliable source, so you don’t end up with a malicious plugin.
Check User Reviews and Feedback
Security experts consider WordPress.org’s plugin directory to be the safest source for plugins. With more than 55,000 plugins, you won’t run out of options, and the site solicits feedback and reviews from users.
Always check the reviews before you download—not just the star ratings but also the user feedback. See what people like about the plugin. Read about any issues they’re having with the original plugin or updates. Get a sense of how well the publisher supports the plugin.
Also check out the number of active installations to get a sense of how many users trust the plugin. A good plugin can have just a few hundred users, but a plugin with thousands of users has earned a lot of trust.
Check for Compatibility with the Latest Version of WordPress
So, you’ve found a plugin with good reviews and lots of users. Before you download it, make sure it’s compatible with your version of WordPress. (For security and performance, you should always keep your own website up to date on WordPress, too.)
To ensure your plugins and WordPress are compatible, you need to know your current WordPress version. You can find it by going to your WordPress dashboard and clicking Updates. You’ll see a notice that lets you know if you’re running the latest version, and gives you the version number.
You also need to verify that the plugin you want is up to date. Most plugin authors are good about updating their products, but sometimes plugins are abandoned, or updates are slow to come. If you see a yellow-box notice at the top of the plugin’s page at WordPress.org, pay attention to it.
Also check out the spec box on the page to see which version of WordPress it works with and how recently it was updated.
WordPress is at version 5.2.2 now, so this plugin is seriously out of date.
If your chosen plugin is compatible, go ahead and try it out. If you decide it’s not right for your site, delete it. Otherwise, you’re going to have to keep maintaining it, even though you’re not using it.
That brings us to the most common way that good plugins go bad. When users don’t update them, hackers may exploit them.
Keep WordPress and Your Plugins Up to Date
Like everything made with code, WordPress and plugins get updates for new features, improvements, and repairs. Sometimes those problems are small things that affect the way a plugin looks or operates. Sometimes they’re security holes that need to be patched to keep hackers out of your site.
When publishers announce security updates, hackers see them too. And they start checking for sites that haven’t made the updates yet.
Even if you’re happy with the current version of WordPress and your plugins, you still need to update. WordPress and some plugins let you set them to update automatically, which you should do. For the rest, you have a few options for keeping things current.
1. Make your own manual updating schedule.
This approach can work if you’re able to commit to checking your site for update notices at least once a week. If you tend to kick small tasks down the road when you’re busy, skip this approach. You could end up with site vulnerabilities.
Even if you decide not to do manual updates, it’s a good idea to know how. Sometimes you may worry that an update will break your site, especially if your plugins haven’t been updated to support the newest version of WordPress. You’ll want to back up your site before you manually update and be ready to uninstall the update if there are problems.
Just as when you check to see which version of WordPress you’re running, you’ll go to your dashboard. Click Updates in the left column, just beneath Home. You’ll see the update status for WordPress, your plugins, and your themes. If any are out of date, you can update them here.
2. Set up notifications for update and security issues.
The WordFence Security plugin scans your site for security issues, including out-of-date plugins and pending WordPress updates. The free version of this WordPress security plugin lets you get email notices whenever your site needs an update. It’s still on you to go make the updates. But this way you don’t miss issues that crop up between your regularly scheduled updates.
3. Set up automatic plugin updates.
If you have plugins that don’t have an auto-update option, consider the Easy Updates Manager plugin. Yes, a plugin to update your plugins—pluginception! The free version lets you set some or all of your plugins to update automatically. This is the most efficient approach, especially if you run more than one website or run a high-traffic site with multiple plugins.
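The compatibility checks above (installed version versus latest release, the “Tested up to” value and the “Last updated” date from the plugin’s spec box) are the same checks you repeat on a weekly update schedule. The following Python script is an added example, not code from the original post, that automates them. It assumes the field names of the WordPress.org plugin-info API (`version`, `tested`, `last_updated`) and its date format; the two plugin payloads and the installed-version table are constructed sample data, not real API responses.

```python
"""Plugin health check against WordPress.org plugin-info data.

Added example, not code from the original post. It assumes the JSON shape
returned by https://api.wordpress.org/plugins/info/1.0/<slug>.json
(fields "version", "tested", "last_updated"); the sample payloads below are
constructed, not fetched.
"""
import json
import urllib.request
from datetime import date, datetime


def parse_version(v: str) -> tuple:
    """Turn '5.2.2' or '1.4' into a comparable tuple of ints.

    Non-numeric suffixes ('9-beta') are ignored; short versions are padded so
    that '5.2' compares equal to '5.2.0'.
    """
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def check_plugin(info: dict, installed_version: str, wp_version: str,
                 today: date, stale_days: int = 365) -> list:
    """Return a list of findings (strings) for one plugin.

    info              -- dict in the shape of the WordPress.org plugin-info API
    installed_version -- the version running on your site
    wp_version        -- your WordPress core version (Dashboard > Updates)
    """
    findings = []

    # 1. Is there a newer release than the one installed?
    latest = info.get("version", "")
    if latest and parse_version(installed_version) < parse_version(latest):
        findings.append(f"update available: {installed_version} -> {latest}")

    # 2. Has the author tested it with your WordPress line? (major.minor only,
    #    which is how the yellow-box notice on WordPress.org judges it)
    tested = info.get("tested", "")
    if not tested:
        findings.append("no 'tested up to' version declared")
    elif parse_version(tested)[:2] < parse_version(wp_version)[:2]:
        findings.append(f"not tested with WordPress {wp_version} (tested up to {tested})")

    # 3. Has the plugin been updated recently? The API's last_updated looks like
    #    "2019-06-20 7:36pm GMT" (assumed format); only the date part is used.
    last_updated = info.get("last_updated", "")
    try:
        updated_on = datetime.strptime(last_updated.split(" ")[0], "%Y-%m-%d").date()
        age = (today - updated_on).days
        if age > stale_days:
            findings.append(f"last updated {age} days ago (possibly abandoned)")
    except ValueError:
        findings.append("last updated date unreadable")

    return findings


def fetch_info(slug: str) -> dict:
    """Fetch live plugin info from WordPress.org (network access required)."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample payloads for two hypothetical plugins (not real data).
SAMPLE_INFO = {
    "fresh-plugin": {"version": "2.1.0", "tested": "5.2.2",
                     "last_updated": "2019-06-20 7:36pm GMT"},
    "old-plugin": {"version": "1.4.9", "tested": "4.5",
                   "last_updated": "2016-03-01 9:00am GMT"},
}
# Constructed table of what is installed on the site being audited.
INSTALLED = {"fresh-plugin": "2.1.0", "old-plugin": "1.4.1"}


def audit(installed: dict = INSTALLED, infos: dict = SAMPLE_INFO,
          wp_version: str = "5.2.2", today: date = date(2019, 7, 1)) -> dict:
    """Run check_plugin over every installed plugin; returns {slug: findings}."""
    return {slug: check_plugin(infos[slug], ver, wp_version, today)
            for slug, ver in installed.items()}


if __name__ == "__main__":
    for slug, findings in audit().items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{slug}: {status}")
```

To run it against real plugins, replace `SAMPLE_INFO` with `{slug: fetch_info(slug) for slug in INSTALLED}` and fill `INSTALLED` from the Plugins screen of your dashboard. A plugin that trips the third check (no release in over a year) deserves the same scrutiny as one with a pending update, because an abandoned plugin will never receive a patch for the next disclosed flaw.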
WordPress Plugins That Are Prone to Vulnerabilities
10. WP Super Cache XSS flaws
WP Super Cache is a performance utility plugin, streamlining load times for dynamic WordPress sites by serving static HTML rather than the full dynamic, PHP scripted webpage. It helps to cut down on bandwidth usage for hosts and visitors, and is currently in use by over 2 million WordPress sites.
Older versions of WP Super Cache are known to have PHP injection and XSS flaws. Although these do not affect newer versions, roughly 20% of users are still using version 1.4 or earlier. Many iterations of WP Super Cache 1.4 are vulnerable. WP Super Cache is known to be slow to update, so newly discovered vulnerabilities may have a wide window of potential exploitation.
9. W3 Total Cache
A popular performance optimization plugin with over 1 million active installs, W3 Total Cache promises to improve SEO and page load times. It has a high level of compatibility and configurability – always highly desirable features from an end-user perspective, but ones which can often leave more avenues for security risks.
Although W3 Total Cache has 14 noted vulnerabilities, most of them were discovered and patched in 2016. However, the update schedule for Total Cache has been slow until recent months, and for a time the plugin was thought to be abandoned. Some long-time users may not be aware of the most recent updates. As with most WordPress plugins, the most up-to-date version enjoys good, stable security, but older versions are open to request forgeries, XSS, arbitrary code execution and arbitrary file uploads, along with other flaws.
8. Jetpack
Jetpack is a general assistance and management tool for WordPress, designed to provide a wide range of utilities. The plugin is highly configurable, and covers relatively superficial functionality, from image uploads and social media buttons to backend code assistance and site metrics. But a compromised Jetpack plugin could lead to a compromised WordPress site, if the plugin is configured to manage code and site functions. Jetpack has over 5 million active installations.
7. All In One SEO Pack
WordPress’ oldest SEO-focused plugin boasts more than 50 million downloads since its launch in 2007. As of today, it has over 2 million active installations on WordPress sites. On its WordPress page, it claims to be the most downloaded WordPress plugin of all time, offering a wide range of SEO-enhancing features.
AIOSEO’s latest vulnerability was discovered in October 2018. It was another XSS flaw, and the plugin’s author was not able to release a security patch for nearly two weeks after the flaw was reported. Fortunately, there were no noted exploitation campaigns during that time. Older vulnerabilities include further XSS flaws, as well as information disclosure and privilege escalation flaws.
6. Wordfence
It’s alarming to see a security-oriented plugin on a list of the most vulnerable WordPress plugins, but security web apps are often heavily targeted by attackers. This is especially true with such popular and long-established applications as Wordfence, which currently boasts over 2 million active installations. It is WordPress’ most widely-used web application firewall and malware scanning plugin. No matter how good a security solution is, nothing is ever 100% proof against attackers – especially when users are brought into the equation.
The majority of Wordfence’s 10 listed vulnerabilities are fortunately long outdated, consisting mostly of patched XSS flaws. Diligent Wordfence users have had little to worry about for a long time. However, there were multiple new flaws discovered in September 2018, including several XSS vulnerabilities and a file-path disclosure error. As Wordfence is, for the most part, a genuinely effective security measure for any WordPress site, users need to beware of installing it once and then forgetting about it. Even if new vulnerabilities are few and far between, just a few days of leaving a known risk unaddressed could leave the door open to hackers.
5. Contact Form 7
This plugin is the second most widely-used of all WordPress plugins, with over 5 million active users currently. It is designed to manage and customize a website’s contact forms. Default configurations do not handle personal user data, although the plugin is configurable to allow for a certain amount of tracking.
Contact Form 7 is not often plagued by security risks, with only three advisories since 2014. What makes CF7 more vulnerable than other plugins is its userbase and the privilege escalation flaw disclosed in September 2018. The flaw does not involve a high damage risk in itself, but allows an attacker to upload malicious files to the site’s directory, opening the possibility for further, more damaging attacks. This flaw is fixed in Contact Form 7’s current version, but under 30% of users have the plugin up to date. This leaves 3.5 million or more WordPress sites exposed to this privilege escalation vulnerability.
4. NextGEN Gallery
NextGEN Gallery is WordPress’ foremost gallery plugin and has been operating since 2007. The plugin, which boasts over 1.5 million new yearly downloads, provides features to manage uploading, storage and display of images on WordPress sites. This includes visual themes, photo galleries and slideshows.
The plugin has 14 security advisories, only two of which are from the past year. There are a total of five CVE entries for 2017 and 2018, including code execution, directory traversal and XSS flaws. One of the plugin’s most serious security flaws was seen in 2017, when an SQL injection flaw left the plugin’s websites at risk of data exposure.
3. Redirection
Selling itself as ‘the most popular redirect manager for WordPress’, Redirection boasts over 1 million active installations. Designed as an assistance tool for page errors and to redirect broken links to active site pages, the plugin promises to help keep WordPress sites of any size streamlined and clean of loose ends.
The plugin has not been troubled by security vulnerabilities for most of its life, but 2018 brought two severe new flaws. In June, an advisory was published on a local file inclusion vulnerability, a type of injection flaw. In December, a cross-site request forgery vulnerability was found, potentially exposing affected sites to full takeovers. Especially in this latter case, many users are still exposed despite the flaw being patched. Only 28% of active installations are up to date, meaning more than three-quarters of users are currently vulnerable.
2. Yoast SEO
Yoast boasts an install base in excess of 5 million users and is currently not only the most popular SEO plugin for WordPress, but the most popular plugin of all. With such a wide user base, new vulnerabilities are more consequential than for any other WordPress plugin. A severe zero-day or failure to address a flaw could affect millions of sites.
Ten known vulnerability warnings exist for Yoast SEO, with a further five affecting the Yoast team’s Google Analytics plugin. New flaws occur regularly, with new XSS discoveries from the end of 2017 and an authenticated race condition flaw from November 2018. The race condition vulnerability has the potential to allow remote code execution depending on the plugin’s setup. This was fixed in Yoast SEO version 9.2, but as of January 2019 over 50% of the plugin’s user base is still using version 9.1 or earlier.
1. WooCommerce
WooCommerce is WordPress’ leading e-commerce plugin, with over 4 million active installations and claiming to power 30% of all online stores. Because of its function in handling customer payments, it is naturally an appealing target for hackers; the websites it supports potentially store both personal and payment data on their customers.
There are 19 vulnerability warnings dating back to 2014 on the WooCommerce plugin, as well as multiple additional vulnerabilities for plugin extensions. 2018 alone saw seven different vulnerabilities in the core WooCommerce plugin, which included XSS, deserialization, injection and privilege escalation flaws. One flaw, discovered in November, would allow anyone with ‘shop manager’ privilege to take complete control of a WooCommerce-powered site.