What just happened? Third-party WordPress plugin vulnerabilities have increased significantly in 2021, and many of them still have known public exploits. Cybersecurity firm Risk Based Security said 10,359 vulnerabilities affected third-party WordPress plugins at the end of last year, of which 2,240 were disclosed in 2021. That’s a 142% increase from 2020, but the biggest concern is the fact that 77% of all known WordPress plugin vulnerabilities – or 7,993 of them – have known public exploits.
A closer look revealed that 7,592 WordPress plugin vulnerabilities are remotely exploitable, while 4,797 have a public exploit but no CVE ID. For organizations that rely solely on CVEs to prioritize mitigation, that means over 60% of vulnerabilities with a public exploit won't even be on their radar.
Another issue Risk Based Security raised is that organizations focus on criticality rather than exploitability.
The company notes that many organizations classify vulnerabilities with a CVSS severity score below 7.0 as not high priority, and therefore do not address them immediately. This is a problem considering that the average CVSS score for all WordPress plugin vulnerabilities is 5.5.
Risk Based Security and others have observed malicious actors favoring not the vulnerabilities with high severity scores, but those that are easy to exploit. Given the data and observations, it might be wise for some organizations to reconsider their threat management protocols.
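To make the prioritization gap concrete, here is an added Python example (not from the article or from Risk Based Security) that runs three triage policies over a constructed set of plugin vulnerabilities: a CVE-only filter, a CVSS >= 7.0 filter, and an exploitability-first rule. Plugin names, scores and CVE IDs are placeholders, not real entries.

```python
# Added example: compare triage policies on constructed WordPress plugin
# vulnerability records to show what CVE-only and CVSS>=7.0 filters miss.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class PluginVuln:
    plugin: str            # constructed plugin names, not real ones
    cvss: float            # CVSS base score
    cve: Optional[str]     # None models "public exploit but no CVE ID"
    public_exploit: bool   # a working exploit is publicly available
    remote: bool           # remotely exploitable


# Constructed sample data modelled on the article's categories (placeholder IDs).
SAMPLE = [
    PluginVuln("example-forms",   9.8, "CVE-0000-0001", True,  True),
    PluginVuln("example-gallery", 6.4, "CVE-0000-0002", True,  True),
    PluginVuln("example-seo",     5.3, None,            True,  True),
    PluginVuln("example-cache",   4.3, None,            True,  False),
    PluginVuln("example-backup",  7.5, "CVE-0000-0003", False, True),
    PluginVuln("example-stats",   3.1, None,            False, False),
]

Policy = Callable[[PluginVuln], bool]


def cve_only(v: PluginVuln) -> bool:
    """Prioritise only entries that carry a CVE ID."""
    return v.cve is not None


def cvss_high(v: PluginVuln) -> bool:
    """Prioritise only entries scoring 7.0 or above."""
    return v.cvss >= 7.0


def exploit_first(v: PluginVuln) -> bool:
    """Prioritise anything with a public exploit, regardless of score or CVE."""
    return v.public_exploit


def missed_exploitable(policy: Policy, vulns: List[PluginVuln] = SAMPLE) -> List[str]:
    """Plugins with a public exploit that the policy would NOT prioritise."""
    return [v.plugin for v in vulns if v.public_exploit and not policy(v)]


def exploit_coverage(policy: Policy, vulns: List[PluginVuln] = SAMPLE) -> float:
    """Fraction of publicly exploitable entries the policy does prioritise."""
    exploitable = [v for v in vulns if v.public_exploit]
    return sum(1 for v in exploitable if policy(v)) / len(exploitable)


def rank(vulns: List[PluginVuln] = SAMPLE) -> List[str]:
    """Exploitability-first ordering: public exploit, then remote, then CVSS."""
    key = lambda v: (v.public_exploit, v.remote, v.cvss)
    return [v.plugin for v in sorted(vulns, key=key, reverse=True)]


if __name__ == "__main__":
    for name, p in [("cve_only", cve_only), ("cvss>=7.0", cvss_high), ("exploit_first", exploit_first)]:
        print(f"{name:14s} coverage={exploit_coverage(p):.0%} missed={missed_exploitable(p)}")
    print("ranked:", rank())
```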
Image credit: Justin Morgan