The horror!

The security of the WordPress plugin ecosystem may be much worse than many have feared, as new research suggests that thousands of add-ons for the world’s most popular content management system are vulnerable to web-based exploits.

After carrying out an analysis of 84,508 WordPress plugins, Spanish security researchers Jacinto Sergio Castillo Solana and Manuel Garcia Cardenas discovered more than 5,000 vulnerabilities, including 4,500 SQL injection (SQLi) flaws.

Many of the plugins analyzed displayed multiple vulnerabilities, ranging from cross-site scripting (XSS) and local file inclusion (LFI) to SQLi.

A total of 1,775 of the 84,000 WordPress plugins analyzed had a readily identifiable software bug.

“We have found plugins with up to 250 different vulnerabilities in the same plugin,” Garcia told The Daily Swig. “In our study the most vulnerable plugins are those of e-commerce.”

False positive concerns

Tim Nash, WordPress platform lead at a web hosting and services firm, welcomed the work of the two security researchers, but voiced concerns about potential false positives.

“Automated tools are an incredibly valuable way of testing for vulnerabilities, and when used effectively can help developers patch quickly and effectively. Relying purely on an automated tool for a vulnerability report wouldn't be my choice of submitting a report,” Nash told The Daily Swig.

“If they went through and looked and confirmed all 5,000 vulnerabilities then my hat goes off to them, otherwise, I suspect there is a high level of false positives.

“It looks like they are talking about 1,775 plugins with over 5,000 vulnerabilities, so I suspect again due to the automated nature they are probably hitting the same vulnerability and classifying it as a new vulnerability each time it's referenced,” he added.

Despite these misgivings, Nash clarified that he felt the research was nonetheless worthwhile.

“None of that is to take away from the achievements, or the research done – they found potential vulnerabilities in 2% of plugins in the repository,” Nash, an active member of both the WordPress and infosec communities, noted.

We asked Garcia to confirm that the WordPress vulnerabilities discovered had been manually verified.

Garcia responded: “We have verified some manually and would say that most of them are vulnerable. We have not included functions that escape special characters… We have only identified vulnerable plugins where the parameters are not validated.”

“We know that maybe there are false positives, but we do not include as vulnerabilities code lines with validating functions like esc_sql() or htmlspecialchars(), so we know that there are more than 5,000 POTENTIAL vulnerabilities, but the main thing is that the developers don't validate the SQL injections.”


The two Spanish researchers presented their findings at the RootedCON cybersecurity congress in Madrid last weekend.

The pair have developed a code analysis tool called WordPress Terror that analyzed the plugins. There are no immediate plans to release WordPress Terror to the wider community, according to Garcia.

The utility of WordPress Terror in uncovering genuine flaws remains undetermined without independent inspection, according to Nash, who urged the security researchers to release their tool to the wider community.

“So, looks great on stage, sounds scary on first inspection, but without the underlying data or even a sample I can't comment if it is,” Nash said.

“What will be interesting is if they release their tooling and allow folks to see how they collected data because that might be genuinely useful.”

Security bug taxonomy

Although serious flaws in the WordPress platform itself are uncommon, vulnerabilities involving WordPress plugins have become a well-documented source of secondary problems impacting websites.

In the case of the WordPress Terror research, many types of coding mistake were repeated across multiple WordPress plugins, giving rise to multiple instances of similar vulnerabilities.

Garcia explained: “This is because developers do not validate the parameters (GET, POST, REQUEST) that execute the functions, for example in the SELECT sql query, they enter ID parameters with unvalidated GET parameters, allowing an SQL injection.”
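As an added illustration of the two points above (the exclusion of lines that call esc_sql(), and the unvalidated GET parameter flowing into a SELECT), this Python sketch applies that heuristic to constructed PHP snippets; it is not the researchers' WordPress Terror tool, whose source has not been released. The sample PHP, the extra sanitizer names beyond esc_sql(), and the use of the standard $wpdb->prepare() call in the fixed version are assumptions made for this example, not details from the article.

```python
import re

# Constructed PHP samples: the pattern Garcia describes, then a fixed version.
VULNERABLE = """<?php
// constructed example: request parameter reaches SQL unvalidated
$id = $_GET['id'];
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}orders WHERE id = $id");
$name = esc_sql($_POST['name']);
$wpdb->query("UPDATE {$wpdb->prefix}orders SET name = '$name' WHERE id = $id");
"""
FIXED = """<?php
$id = absint($_GET['id']);
$rows = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}orders WHERE id = %d", $id));
"""

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST)\s*\[")
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
ASSIGNMENT = re.compile(r"^\s*(\$\w+)\s*=(?!=)")
VARIABLE = re.compile(r"\$\w+")
# The article says lines using esc_sql() were excluded; the remaining
# sanitizer names are assumptions added for this example.
SANITIZERS = ("esc_sql(", "->prepare(", "absint(", "intval(", "(int)")

def is_sanitized(line):
    return any(s in line for s in SANITIZERS)

def scan_php(source):
    """Return (line_number, tainted_source) for each line that builds SQL
    from a request parameter, directly or via a variable assigned from one,
    with no sanitizer on the path."""
    tainted = set()  # variables assigned straight from a superglobal
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if m:
            var, rhs = m.group(1), line[m.end():]
            if SUPERGLOBAL.search(rhs) and not is_sanitized(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from something clean
        if SQL_KEYWORD.search(line) and not is_sanitized(line):
            if SUPERGLOBAL.search(line):
                findings.append((lineno, "superglobal"))
            for var in VARIABLE.findall(line):
                if var in tainted:
                    findings.append((lineno, var))
    return findings

def distinct_sources(findings):
    """Nash's caveat: one unvalidated parameter reused in several queries is
    one root cause, so count sources as well as flagged lines."""
    return sorted({src for _, src in findings})
```

The vulnerable sample yields two flagged lines but a single tainted source, which is the kind of double counting Nash suspects in a purely line-based tally.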

Castillo and Garcia have disclosed their findings to the WordPress security team. Garcia declined to talk about the affected plugins pending the results of this process beyond saying that some have “thousands of installations”.

“We decided to investigate WordPress plugins because 35% of internet websites use WordPress, and the weakest link is plugins,” Garcia concluded.

“The tool has analyzed the 84,000 plugins published on the official WordPress website and we have analyzed the code of every one, obtaining a very high number of vulnerabilities.

“Additionally, we have inventoried all the versions and we want to make another presentation in one year to see if the vulnerabilities have been fixed, as well as working with the WordPress team to help them.”
