Vulnerabilities in WordPress Plugins May Lead Hackers Inside Corporate Networks
WordPress, one of the most popular content management systems (CMS), is built around a plugin architecture. With more than 55,000 plugins available, the platform fits a large number of business use cases. But every third-party plugin also extends the attack surface, which makes WordPress one of the most frequently exploited pieces of open-source software, as several recent incidents show.
WordPress plugin vulnerabilities
There have been many cases in which a vulnerability in a single plugin let attackers compromise not only the website but the IT infrastructure behind it.
- In March 2020, a critical privilege escalation vulnerability was found in the Rank Math SEO plugin for WordPress, which has more than 200,000 active installations. The flaw could allow an attacker to grant administrator privileges to any registered user.
Real-world attack incidents
There have been several occasions on which a vulnerability in a WordPress plugin let attackers do severe damage to the business operations of the targeted organizations.
- In February 2020, thousands of attacks were observed targeting the Duplicator plugin. The attackers were exploiting an unauthenticated arbitrary file download vulnerability affecting Duplicator prior to version 1.3.28 and the corresponding unpatched releases of Duplicator Pro. An unauthenticated file download of this kind is typically used to read wp-config.php, which holds the site's database credentials.
- In February 2020, it was found that a single actor had infected more than 20,000 WordPress sites over the previous year by distributing trojanized copies of premium WordPress themes and plugins.
- In November 2019, two campaigns were identified distributing the NetSupport Remote Access Trojan (RAT) via a fake Flash Player update, delivered through vulnerable plugins, themes, and extensions on WordPress and several other CMS platforms.
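The Duplicator campaign above is a good illustration of what these attacks look like in a web server log: a request to a plugin endpoint whose query parameter carries a directory-traversal path to a sensitive file. The following detection script is an added example written for this article, not code from WordPress, Duplicator, or any vendor mentioned. It parses combined-format access log lines, decodes the query string (twice, to catch double-encoded traversal), and flags parameters that contain traversal sequences or name a sensitive file. The log lines are constructed for the example; the request shape used for the Duplicator lines (admin-ajax.php with a file parameter) is assumed for illustration.

```python
"""Detect plugin-exploitation attempts in WordPress access logs.

Added example for this article; not code from WordPress or any plugin vendor.
Scans Apache/Nginx combined-format log lines for two traits the incidents
above share: directory traversal in a query parameter and attempts to read a
sensitive file such as wp-config.php (which holds the database credentials).
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE_FILES = ("wp-config.php", ".htaccess", "/etc/passwd")

# Constructed sample log. The two admin-ajax.php lines assume the request shape
# reported for the Duplicator campaign; they are illustrative, not captured data.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Feb/2020:04:12:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=%2F..%2Fwp-config.php HTTP/1.1" 200 3121',
    '203.0.113.5 - - [19/Feb/2020:04:12:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=duplicator_download&file=..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1840',
    '198.51.100.7 - - [19/Feb/2020:04:15:44 +0000] "GET /?s=wordpress+security HTTP/1.1" 200 45012',
    '198.51.100.7 - - [19/Feb/2020:04:15:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]


def parse_line(line):
    """Return a dict of log fields plus decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["path"])
    entry["url_path"] = url.path
    # parse_qsl already decodes one layer of percent-encoding; decoding once
    # more catches double-encoded traversal such as ..%252F that is meant to
    # slip past filters that only decode once.
    entry["params"] = {
        key: unquote(value)
        for key, value in parse_qsl(url.query, keep_blank_values=True)
    }
    return entry


def classify(entry):
    """List the reasons a request looks like a file-read or traversal attempt."""
    reasons = []
    for key, value in entry["params"].items():
        if TRAVERSAL_RE.search(value):
            reasons.append(f"traversal in parameter '{key}'")
        if any(name in value for name in SENSITIVE_FILES):
            reasons.append(f"sensitive file requested via '{key}'")
    return reasons


def scan(lines):
    """Return (ip, path, status, reasons) for every suspicious request.

    The HTTP status is kept because a 200 on a traversal request means the
    download very likely succeeded and the site's credentials must be rotated.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["url_path"], entry["status"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, status, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path} {status}: {'; '.join(reasons)}")
```

Run against a real log, the script is a triage aid rather than a complete signature set: it only inspects query parameters, so traversal in POST bodies or path segments needs a separate check, and a successful (200) hit on wp-config.php should be treated as a credential compromise regardless of which plugin exposed the endpoint.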
How to stay protected
To protect WordPress sites, install only plugins from trustworthy sources, remove the ones you do not use, and keep the rest updated with the latest patches. A large number of security-related WordPress plugins, such as Google Authenticator for enabling two-factor authentication (2FA), can add further protection. Keep in mind that a security plugin is itself a plugin and needs the same vetting and updating as any other.
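Keeping plugins patched starts with knowing which installed versions fall below a known fix. The audit below is an added example written for this article, not code from WordPress or WP-CLI. It takes an inventory in the JSON shape produced by `wp plugin list --format=json` (the sample is constructed) and compares each version against a table of minimum patched versions; only the Duplicator floor of 1.3.28 comes from the article, and the plugin named example-gallery is a hypothetical entry. The point it makes that the paragraph does not is that versions must be compared numerically, because as strings "1.3.28" sorts below "1.3.4".

```python
"""Flag installed WordPress plugins that are below a known patched version.

Added example for this article; not code from WordPress or any plugin vendor.
The inventory format matches `wp plugin list --format=json`; the sample data
is constructed, and the minimum-version table is a local assumption apart
from the Duplicator entry taken from the article.
"""
import json

# Minimum versions known to contain a fix. Only the Duplicator entry is from
# the article; in practice this table would be maintained from advisories.
MIN_PATCHED = {
    "duplicator": "1.3.28",
}

# Constructed inventory in the shape of `wp plugin list --format=json`.
# "example-gallery" is a hypothetical plugin name used for illustration.
SAMPLE_INVENTORY = json.dumps([
    {"name": "duplicator", "status": "active", "update": "none", "version": "1.3.26"},
    {"name": "example-gallery", "status": "inactive", "update": "available", "version": "2.3.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.3"},
])


def parse_version(version):
    """Turn '1.3.28' into (1, 3, 28) so that 1.3.28 > 1.3.4.

    A plain string comparison gets this wrong ('1.3.28' < '1.3.4'). Non-numeric
    suffixes such as '2.0-beta' contribute only their leading digits.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(inventory_json, min_patched=MIN_PATCHED):
    """Return a finding for every plugin below its patched floor or with an update pending.

    Inactive plugins are reported as well: their files stay on disk, and some
    plugin vulnerabilities are reachable by requesting those files directly.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        name, version, status = plugin["name"], plugin["version"], plugin["status"]
        floor = min_patched.get(name)
        if floor and parse_version(version) < parse_version(floor):
            findings.append({"name": name, "version": version, "status": status,
                             "reason": f"below patched version {floor}"})
        elif plugin.get("update") == "available":
            findings.append({"name": name, "version": version, "status": status,
                             "reason": "update available"})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding['name']} {finding['version']} ({finding['status']}): {finding['reason']}")
```

On a live site the inventory would come from `wp plugin list --format=json` piped into the script; an `update available` result is a reason to patch promptly, and a `below patched version` result for a plugin like Duplicator is a reason to also check the access log for the traversal requests described earlier.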