WordPress plugins that are used to add e-commerce functionality to business websites are riddled with vulnerabilities, according to a new study released today.
Israeli application security firm Checkmarx said its WordPress plugin analysis found seven out of the 10 most popular e-commerce plugins contain vulnerabilities. The security firm found SQL injection errors and cross-site scripting flaws that are most frequently targeted by attackers.
“Every developer can upload their plugin to the WordPress.org market and any user can download that plugin with no security assurance process in place,” said Maty Siman, founder and CTO of Checkmarx. “In certain cases, you can exploit a vulnerability to get full access control to the hosting server, and in many cases you can get access to other WordPress sites hosted on the same server.”
Attackers have been targeting WordPress users due to the platform’s popularity; an estimated 60 million websites are built with the content management system. Automated tools can scan and exploit common Web application vulnerabilities, enabling attackers to set up drive-by attacks or use the back-end systems to set up command-and-control servers for botnets.
“With 18 percent of the total Internet based on WordPress, a single vulnerability can impact millions of websites all at once,” Siman said.
WordPress, Joomla and Drupal are among the most popular platforms. Attackers can also steal data from Web servers or redirect website visitors to another attack websites, Siman told CRN. Siman said the website vulnerabilities serve as an easy way for attackers to spread malware and expand their botnets, taking control of larger armies of infected PCs.
Checkmarx performed multiple scans on the top 50 most downloaded plugins as part of its study. Some website owners don’t have the resources or skill level to apply updates, although newer versions of WordPress can be set to automatically update plugins, Siman said. In addition to installing security updates issued by each platform, Siman said users need to apply patches to plugins and uninstall components that are not used.
The firm found that e-commerce plugins, such as those that add shopping cart functionality to a site, were typically riddled with coding errors. Plugins that helped setup and manage a store also contained errors.
“We assumed that these plugins would be more secure but that wasn’t the case,” Siman said. “Developers want to get the most users as possible and many forgo security to get their functionality to market faster.”
Other top error-prone plugins included components that help website owners manage site statistics, review comments in site forums or blog entries, or save contact form data. Sites also had errors associated with feed aggregators, broken links, site development tools and connections to popular social networks, including Facebook, according to Checkmarx’s study.
Siman recommends that WordPress site owners stick to WordPress.org when downloading plugins. Site owners can also use scanning tools to check plugins for flaws and make a knowledgeable decision on whether using them are worth the risks they pose. Stick to the latest version of plugins, he said, and remove any unused plugins that are hosted on the site.
An attacker can still gain access to vulnerable plugins even if they are disabled, Siman said. To remove the threat completely, plugins must be uninstalled.
The firm highlighted six popular plugins for correcting coding errors that Checkmarx found in January: BuddyPress, a plugin that creates a social network; BBPress, forum software; E-Commerce, a shopping cart plugin; Supper Cache, a site optimization plugin; and Woo Commerce, an e-commerce store.
WordPress.org volunteers did not respond to CRN’s request for comment Tuesday. The platform maintains a security FAQ for website owners. Users who may have fallen victim to an attack are directed to an exploit scanner plugin that examines database tables and plugins for irregularities or unusual file names.
by Robert Westervelt