
Security researchers found an explosion in exploitable WordPress plugin vulnerabilities last year

Last year, security analysts observed an explosive increase in the number of exploitable WordPress plugin vulnerabilities. Researchers from RiskBased Security report that the count of WordPress plugin vulnerabilities grew by a triple-digit percentage in 2021.

By the end of 2021, 10,359 vulnerabilities affecting third-party WordPress plugins had reportedly been recorded, 2,240 of them disclosed last year, an increase of 142% over 2020. Worse, more than three-quarters (77%) of these newly added WordPress plugin vulnerabilities have a known, publicly available exploit.


The report found 7,592 WordPress plugin vulnerabilities that are remotely exploitable, 7,993 that have a public exploit, and 4,797 that have a public exploit but no CVE ID. In other words, organizations that rely on CVE as their vulnerability feed have no way of knowing about roughly 60% of the WordPress plugin vulnerabilities for which an exploit is publicly available.


According to the RiskBased team, the right response to this growing WordPress attack surface is to move from prioritizing resources by the assessed significance of the risk to the organization to focusing on the vulnerabilities that are most likely to be exploited. The average CVSSv2 score across all WordPress plugin vulnerabilities is 5.5, which many current vulnerability-management (VM) frameworks treat as medium risk at best, but businesses running WordPress cannot afford to let these readily exploitable issues sit in a patch backlog.

The group noted that the January 10 update issued under the Cybersecurity and Infrastructure Security Agency's (CISA) Binding Operational Directive (BOD 22-01) lists vulnerabilities that pose an active threat to federal networks. The update also ranks easy-to-exploit vulnerabilities above those with higher CVSS scores, reflecting that malicious actors do not favor vulnerabilities with high CVSS severity but instead pick those that are easy to exploit.
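The prioritization shift described above, and the CVE blind spot from the report's figures, turned into a small triage script. This is an added example, not code from the article, RiskBased Security or CISA; the plugin slugs, titles and CVE-like strings are constructed placeholders rather than real advisories. It ranks one constructed inventory two ways, CVSS-only and exploitability-first (KEV-listed, then public exploit, then remotely reachable, with CVSS only as a tiebreaker), and lists the publicly exploitable records a CVE-keyed feed would never contain.

```python
"""Exploitability-first triage for WordPress plugin vulnerabilities.

Added example, not code from the article or the RiskBased Security report.
Plugin names, titles and CVE-like strings below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PluginVuln:
    plugin: str             # plugin slug (constructed)
    title: str
    cvss: float             # CVSSv2 base score, the scale the report uses
    cve_id: Optional[str]   # None when disclosed without a CVE assignment
    remote: bool            # exploitable without local access
    public_exploit: bool    # exploit code or a working PoC is public
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample inventory; the CVE-like strings are placeholders, not real IDs.
SAMPLE: List[PluginVuln] = [
    PluginVuln("acme-forms", "Unauthenticated arbitrary file upload", 5.0, None, True, True, False),
    PluginVuln("acme-gallery", "Stored XSS via image title", 4.3, "CVE-2021-EXAMPLE1", True, True, False),
    PluginVuln("acme-backup", "Authenticated SQL injection", 6.5, "CVE-2021-EXAMPLE2", True, True, True),
    PluginVuln("acme-seo", "Admin-only local file inclusion", 9.0, "CVE-2021-EXAMPLE3", False, False, False),
    PluginVuln("acme-chat", "Subscriber-to-admin privilege escalation", 7.5, None, True, True, False),
]


def cvss_rank(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Traditional ordering: highest CVSS score first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def exploitability_rank(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Ordering the report argues for: KEV-listed issues first, then anything
    with a public exploit, then remotely reachable issues; CVSS only breaks ties."""
    return sorted(
        vulns,
        key=lambda v: (v.in_kev, v.public_exploit, v.remote, v.cvss),
        reverse=True,
    )


def invisible_to_cve_feed(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Publicly exploitable issues with no CVE ID: a tracker keyed on CVE never sees them."""
    return [v for v in vulns if v.public_exploit and v.cve_id is None]


def cve_blind_spot(vulns: List[PluginVuln]) -> float:
    """Share of publicly exploitable issues that lack a CVE ID (the report's ~60% figure)."""
    exploitable = [v for v in vulns if v.public_exploit]
    if not exploitable:
        return 0.0
    return len(invisible_to_cve_feed(vulns)) / len(exploitable)


def buried_by_cvss(vulns: List[PluginVuln], cutoff: float = 7.0) -> List[PluginVuln]:
    """Publicly exploitable issues that a 'patch high/critical first' policy
    (CVSS >= cutoff) would leave sitting in the backlog."""
    return [v for v in vulns if v.public_exploit and v.cvss < cutoff]


if __name__ == "__main__":
    print("CVSS order:            ", [v.plugin for v in cvss_rank(SAMPLE)])
    print("Exploitability order:  ", [v.plugin for v in exploitability_rank(SAMPLE)])
    print("Missed by a CVE feed:  ", [v.plugin for v in invisible_to_cve_feed(SAMPLE)])
    print("CVE blind spot:        ", f"{cve_blind_spot(SAMPLE):.0%}")
    print("Buried below CVSS 7.0: ", [v.plugin for v in buried_by_cvss(SAMPLE)])
```

On the constructed data, the CVSS-only order puts the admin-only, unexploited 9.0 issue first and the KEV-listed 6.5 SQL injection third, while the exploitability-first order inverts that; the two issues without a CVE ID, both with public exploits, would not appear at all in a CVE-keyed workflow.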
