Top 10 Most Vulnerable WordPress Plugins
Here are 10 of the most popular WordPress plugins which are still more vulnerable than you might think.
Kept properly updated, WordPress – including its plugins – is one of the most secure CMS available on the web. Provided the plugins are actively updated, most vulnerabilities are discovered and patched without widespread malicious exploitation.
Zero-day attacks do happen, but are more common in poorly-maintained or completely abandoned plugins. However, just because a vulnerability is fixed does not mean it stops existing. In most cases, it’s down to the users to make sure they apply the latest security updates to all their plugins. Complacency can easily set in, especially when a site uses many different plugins or those plugins are rarely troubled by attempted hacks.
Here are 10 of the most popular WordPress plugins which are still more vulnerable than you might think.
10. WP Super Cache XSS flaws
WP Super Cache is a performance utility plugin, streamlining load times for dynamic WordPress sites by serving static HTML rather than the full dynamic, PHP scripted webpage. It helps to cut down on bandwidth usage for hosts and visitors, and is currently in use by over 2 million WordPress sites.
Older versions of WP Super Cache are known to have PHP injection and XSS flaws. Although these do not affect newer versions, roughly 20% of users are still using version 1.4 or earlier. Many iterations of WP Super Cache 1.4 are vulnerable. WP Super Cache is known to be slow to update, so newly discovered vulnerabilities may have a wide window of potential exploitation.
9. W3 Total cache
A popular performance optimization plugin with over 1 million active installs, W3 Total Cache promises to improve SEO and page load times. It has a high level of compatibility and configurability – always highly desirable features from an end-user perspective, but ones which can often leave more avenues for security risks.
Although W3 Total Cache has 14 noted vulnerabilities, most of them were discovered and patched in 2016. However, the update schedule for Total Cache has been slow until recent months, and for a time the plugin was thought to be abandoned. Some long-time users may not be aware of the most recent updates. As with most WordPress plugins, the most up-to-date version enjoys good, stable security, but older versions are open to request forgeries, XSS, arbitrary code execution and arbitrary file uploads, along with other flaws.
Jetpack is a general assistance and management tool for WordPress, designed to provide a wide range of utilities. The plugin is highly configurable, and covers relatively superficial functionality, from image uploads and social media buttons to backend code assistance and site metrics. But a compromised Jetpack plugin could lead to a compromised WordPress site, if the plugin is configured to manage code and site functions. Jetpack has over 5 million active installations.
7. All In One SEO Pack
WordPress’ oldest SEO-focused plugin boasts more than 50 million downloads since its launch in 2007. As of today, it has over 2 million active installations on WordPress sites. On its WordPress page, it claims to be the most downloaded WordPress plugin of all time, offering a wide range of SEO-enhancing features.
AOISEO’s latest vulnerability was discovered in October 2018. Another XSS flaw, the plugin’s author was not able to release a security patch for nearly two weeks after the flaw was reported. Fortunately, there were no noted exploitation campaigns during that time. Older vulnerabilities include further XSS flaws, as well as information disclosure and privilege escalation flaws.
It's alarming to see a security-oriented plugin on a list of the most vulnerable WordPress plugins, but security web apps are often heavily targeted by attackers. This is especially true with such popular and long-established applications as Wordfence, which currently boasts over 2 million active installations. It is WordPress’ most widely-used web application firewall and malware scanning plugin. No matter how good a security solution is, nothing is ever 100% proof against attackers – especially when users are brought into the equation.
The majority of Wordfence’s 10 listed vulnerabilities are fortunately long outdated, consisting mostly of patched XSS flaws. Diligent Wordfence users have had little to worry about for a long time. However, there were multiple new flaws discovered in September 2018, including several XSS vulnerabilities and a file-path disclosure error. As Wordfence is, for the most part, a genuinely effective security measure for any WordPress site, users need to beware of installing it once and then forgetting about it. Even if new vulnerabilities are few and far between, just a few days of leaving a known risk unaddressed could leave the door open to hackers.
5. Contact Form 7
This plugin is the second most widely-used of all WordPress plugins, with over 5 million active users currently. It is designed to manage and customize a website’s contact forms. Default configurations do not handle personal user data, although the plugin is configurable to allow for a certain amount of tracking.
Contact Form 7 is not often plagued by security risks, with only three advisories since 2014. What makes CF7 more vulnerable than other plugins is its userbase and the privilege escalation flaw disclosed in September 2018. The flaw does not involve a high damage risk in itself, but allows an attacker to upload malicious files to the site’s directory, opening the possibility for further, more damaging attacks. This flaw is fixed in Contact Form 7’s current version, but under 30% of users have the plugin up to date. This leaves 3.5 million or more WordPress sites exposed to this privilege escalation vulnerability.
4. NextGEN Gallery
NextGEN Gallery is WordPress’ foremost gallery plugin and has been operating since 2007. The plugin, which boasts over 1.5 million new yearly downloads, provides features to manage uploading, storage and display of images on WordPress sites. This includes visual themes, photo galleries and slideshows.
The plugin has 14 security advisories, though only two of which are from the past year. There is a total of five CVE entries for 2017 and 2018, including code execution, directory traversal and XSS flaws. One of the plugin’s most serious security flaws was seen in 2017, when an SQL injection flaw left the plugin’s websites at risk of data exposure.
Selling itself as ‘the most popular redirect manager for WordPress’, Redirection boasts over 1 million active installations. Designed as an assistance tool for page errors and to redirect broken links to active site pages, the plugin promises to help keep WordPress sites of any size streamlined and clean of loose ends.
The plugin has not been troubled by security vulnerabilities for most of its life, but 2018 brought two severe new flaws. In June, an advisory was published on a local file inclusion vulnerability; a type of injection flaw. In December, a cross-site request forgery vulnerability was found, potentially exposing affected sites to full takeovers. Especially in this latter case, many users are still exposed despite the flaw being patched. Only 28% of active installations are up to date, with more than three-quarters of users currently vulnerable.
2. Yoast SEO
Yoast boasts an install-base in excess of 5 million users and is currently not only the most popular SEO plugin for WordPress, but the most popular plugin of all. With such a wide userbase, new vulnerabilities are more sensitive than any other WordPress plugin. A severe zero-day or failure to address a flaw could affect millions of sites.
10 known vulnerability warnings exist for Yoast SEO, with a further five affecting the Yoast team’s Google Analytics plugin. New flaws occur regularly, with new XSS discoveries from the end of 2017 and an authenticated race condition flaw from November 2018. The race condition vulnerability has the potential to allow remote code execution depending on the plugin’s setup. This was fixed in Yoast SEO version 9.2, but as of January 2019 over 50% of the plugin’s userbase is still using version 9.1 or earlier.
WooCommerce is WordPress’ leading e-commerce plugin, with over 4 million active installations and claiming to power 30% of all online stores. Because of its function in handling customer payments, it is naturally an appealing target for hackers; the websites it supports potentially store both personal and payment data on their customers.
There are 19 vulnerability warnings dating back to 2014 on the WooCommerce plugin, as well as multiple additional vulnerabilities for plugin extensions. 2018 alone saw seven different vulnerabilities in the core WooCommerce plugin, which included XSS, deserialization, injection and privilege escalation flaws. One flaw, discovered in November, would allow anyone with ‘shop manager’ privilege to take complete control of a WooCommerce-powered site.
WordPress core is stable and relatively secure. Its plug-ins are a different matter. It should be clear from this list that legacy plugins must be avoided like the plague – new zero-day vulnerabilities will simply remain zero-day vulnerabilities. Furthermore, when a user has the choice between multiple similar plugins, the one with the better history of supplier maintenance should be chosen. It remains the users’ responsibility, however, to install updates as soon as possible – without that, the vulnerability will remain and will likely be exploited by cyber criminals.
“WordPress is one of the most popular CMS in the world, and if properly configured and maintained it is quite secure compared to other systems,” explains High-Tech Bridge CEO Ilia Kolochenko. “However, many WordPress installations are not updated for months or even years; let alone plugins that contain a great wealth of unreported and thus unpatchable vulnerabilities allowing criminal takeover of the website in less than a minute.”
His advice is to stop using plugins wherever possible. Failing that, he suggests, “WordPress owners should rename or hide the admin directory and implement two factor authentication. A simple WAF can be also a very good idea (however, it will not help against advanced vectors of XSS). Obviously, the core WP installation and all updatable plugins should be maintained with the latest updates.”