What just happened? Vulnerabilities in third-party WordPress plugins have increased significantly in 2021, and many of them still have public exploits. Cybersecurity firm Risk Based Security said it had reported 10,359 vulnerabilities affecting third-party WordPress plugins as of the end of last year, of which 2,240 were disclosed in 2021. That’s 142 percent more than in 2020, but of greater concern is the fact that 77 percent of all known WordPress plugin vulnerabilities — or 7,993 of them — have public exploits.
The firm also found that 7,592 WordPress plugin vulnerabilities can be exploited remotely, and 4,797 have a public exploit but no CVE ID. For organizations that rely solely on CVE to prioritize mitigation, the latter means that more than 60 percent of vulnerabilities with a public exploit won’t even be on their radar.
Another issue Risk Based Security raises is that organizations prioritize by severity rather than by exploitability.
The firm notes that many organizations classify vulnerabilities with a CVSS severity score below 7.0 as low priority and therefore do not address them immediately. This is a problem given that the average CVSS score for all WordPress plugin vulnerabilities is 5.5.
Risk Based Security and others have observed that attackers do not prioritize vulnerabilities by severity, but rather by how easily they can be exploited. Given the data and observations, it may be wise for some organizations to rethink their vulnerability management process.
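As an added illustration (not code from the article or from Risk Based Security), here is a small Python triage routine that ranks constructed sample plugin findings by exploitability instead of keeping only those with a CVE ID and a CVSS score of 7.0 or higher; the records, field names, placeholder CVE IDs and ordering rule are all assumptions:

```python
"""Added triage example: rank plugin findings by exploitability, not CVSS alone.

All records below are constructed sample data, not figures from any report;
the CVE IDs are obvious placeholders and the ranking rule is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PluginVuln:
    plugin: str
    title: str
    cvss: float
    cve: Optional[str]      # None when the flaw has no CVE ID assigned
    public_exploit: bool    # a working exploit is publicly available
    remote: bool            # exploitable over the network


# Constructed sample findings (illustrative only, placeholder CVE IDs).
FINDINGS: List[PluginVuln] = [
    PluginVuln("example-forms", "stored XSS in form label", 5.4, "CVE-0000-0001", True, True),
    PluginVuln("example-gallery", "arbitrary file upload", 8.8, None, True, True),
    PluginVuln("example-seo", "local config disclosure", 7.5, "CVE-0000-0002", False, False),
    PluginVuln("example-cache", "CSRF in settings page", 4.3, None, False, True),
]


def cve_and_cvss_filter(findings: List[PluginVuln], threshold: float = 7.0) -> List[PluginVuln]:
    """The approach the article criticises: act only on findings that carry a
    CVE ID and a CVSS score at or above the threshold."""
    return [f for f in findings if f.cve is not None and f.cvss >= threshold]


def exploitability_rank(findings: List[PluginVuln]) -> List[PluginVuln]:
    """Rank by public exploit availability first, then remote reachability,
    with CVSS only as a tiebreaker. A missing CVE ID never drops a finding."""
    return sorted(findings, key=lambda f: (f.public_exploit, f.remote, f.cvss), reverse=True)


def missed_by_filter(findings: List[PluginVuln]) -> List[PluginVuln]:
    """Findings with a public exploit that the CVE+CVSS filter would silently skip."""
    kept = set(cve_and_cvss_filter(findings))
    return [f for f in findings if f.public_exploit and f not in kept]


if __name__ == "__main__":
    for f in exploitability_rank(FINDINGS):
        print(f"{f.plugin:16} cvss={f.cvss:<4} cve={f.cve} exploit={f.public_exploit}")
    print("missed by CVE+CVSS>=7 filter:", [f.plugin for f in missed_by_filter(FINDINGS)])
```

On the sample data the CVE-plus-CVSS filter keeps only the 7.5 finding that has no public exploit, while both findings that attackers could actually use, one scored 5.4 and one lacking a CVE ID, are missed.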
Image credit: Justin Morgan