Research Study Finds 20% of the 50 Most Popular Plugins Vulnerable

Table of Contents

Sponsored Ad

If you purchase through a link on our site, we may earn a commission.

In June 2013, Checkmarx’s research labs ran multiple security scans against the source code of the most popular WordPress plugins.

The result?

More than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. In total, 8 million vulnerable WordPress plugins were downloaded.

This report presents the research findings as well as recommendations and mitigation measures for plugin developers, Web admins and platform providers when developing and installing third-party extensions.

Here’s a summary of the findings:

  1. 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks.
    This amounts to nearly 8 million downloads of vulnerable plugins.
  2. 7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks.
    This amounts to more than 1.7 million downloads of vulnerable e-commerce plugins.
  3. There is no correlation between the number of Lines of Code (LOC) and the vulnerability level of the plugins.
  4. Vulnerable top 50 general plugin types vary and include ecommerce, content management, site development and social networks plugins.
  5. Only six plugins were completely fixed in a 6-month time period- although all plugins updated their versions during this time.

It wouldn’t be a stretch to assume that a similar percentage of all the other plugins contain these vulnerabilities.

These findings emphasize, however, a deeper problem than risky plugins. At the root of the problem is the lack of security standards that PaaS-providers (aka app marketplaces) enforce on the apps that they distribute. After all, a developer in a rush will most likely not consider security aspects during the demands of a release. Web admins cannot necessarily schedule immediate updates whether due to lack of security knowledge, admin resources and other scheduling priorities. Unfortunately, the end-user carries the brunt- which undoubtedly is not their responsibility.

So who’s responsible? The app marketplace.

The app marketplaces are in that unique position to set a security policy on the apps that they distribute. The marketplace needs to ensure that only those apps which passed its specific security bar are authorized for the public.

The world is shifting towards software distribution platforms. Β App marketplaces continue to tell us that their platforms are secure, but don’t buy into those word games. Only if they start enforcing the security of the apps they distribute, we could seriously talk about the security of distribution platforms.

Unfortunately many users don’t think about security when downloading plugins, wrongfully assuming that the repository, marketplace or seller has taken proper care of securing the plugin. This clearly is not the case, which is why we advice that you do a security lockdown every now and then to make sure your site is safe.

Download the WordPress Plugin Security white paper

If you enjoyed this post, make sure to subscribe to WP Mayor’s RSS feed.

Jean Galea is an investor, entrepreneur, and blogger. He is the founder of WP Mayor, the plugins WP RSS Aggregator and Spotlight, as well as the Mastermind.fm podcast. His personal blog can be found at jeangalea.com.

Sponsored Ad

If you purchase through a link on our site, we may earn a commission.

All suggestions are anonymous.

More from our blog...

3 Responses

  1. I see the list is in the paper, sort of. They blacked the names out but I’d guess it would be easy enough to compare the descriptions and download numbers with the top plugins and figure out what most of them are. Overall I’m not surprised. Most plugins seem to be developed by more or less random people with a bit of coding knowledge in their spare time. You’d be kidding yourself to think rigorous testing of any sort takes place prior to release most of the time.

    1. Yes that’s unfortunately one of the downsides of the current plugin marketplace. Although with some caution you can weed out the dubious ones and stick to those by the reputable developers.

Post a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Stay updated with WP Mayor's newsletter showcase every week

Stay on top of every new WordPress innovation and latest launches. Receive all our fresh product reviews and expert guides directly in your inbox.

Hosting Survey 2024

Are you happy with your hosting provider or are you over-paying for too little? Have your say below!

"*" indicates required fields

What's the main reason you picked this host?*
How happy are you with your host?*

OPTIONAL: If you'd like to receive the results of this survey, please enter your details below.