Application Security , Breach Notification , Incident & Breach Response
3 Weeks, 6 Bugs: Experts Analyze, Advise on WordPress FlawsSay Likelihood of Exploitation Is Low and Share Attack Prevention Measures
With WordPress-focused security firm Wordfence discovering six vulnerabilities on the content management system since Jan. 1, organizations using the platform to build and host their websites have surely had a busy year so far.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Two flaws were discovered in the past couple of weeks. One, tracked as CVE-2022-0218, affects 20,000 websites, and the other, tracked as CVE-2022-0215, affects 84,000 websites. The affected websites are part of the 455 million sites powered by WordPress, which constituted 37% of all websites on the internet in 2021.
Cybersecurity experts tell Information Security Media Group that the probability of exploitation of some of the vulnerabilities is low, as it's unlikely that attackers can meet the necessary criteria to execute a successful exploit.
The latest discoveries follow a Dec. 10 chain of attacks in which 1.6 million WordPress sites were targeted within 36 hours.
- CVE-2022-0215 - CVSS score: 8.8: On Jan. 13, the Wordfence threat intelligence team found this high-severity vulnerability in three WordPress plug-ins, affecting more than 84,000 websites. The "Login/Signup pop-up" plug-in affects 20,000 websites, the "Side Cart WooCommerce" or "AJAX" plug-in affects around 60,000 sites and the "Waitlist WooCommerce" plug-in makes 4,000 websites vulnerable. The cross-site request forgery flaw could enable threat actors to execute a remote takeover of the vulnerable websites.
- CVE-2022-21661 - CVSS score: 8.0: On Jan. 8, Wordfence discovered four vulnerabilities in the "medium" to "high" CVSS severity range. The CVE-2022-21661 is not exploitable directly via the WordPress core, the company says. But some plug-ins that use "WP_Query," a PHP class that enables developers to write custom queries, could allow SQL injection, it says.
- CVE-2022-21662 - CVSS score: 8.0: As with most XSS vulnerabilities, Wordfence says this flaw could be used by bad actors to either completely take over a site or add a malicious backdoor. But it can only be exploited by users with the ability to publish posts.
- CVE-2022-21663 - CVSS score: 6.6: According to Wordfence, this flaw affects only multisite WordPress websites and would require "super administrator privileges" to be exploited. Wordfence estimates that although the impact of an object injection vulnerability can be critical, the flaw could affect very few sites due to the prerequisite conditions for configuration. The rarity of an exploit explains the low CVSS score.
- CVE-2022-21664 - CVSS score: 7.4: This is a blind SQL injection that hackers could execute through a WordPress Meta query. The Open Web Application Security Project or OWASP says that a blind SQL injection attack can be triggered by asking the database true-or-false questions. Once a hacker is able to deduce the response and the time taken to yield the response, they can enumerate the entire passwords stored in the database. This type of attack is hard to execute and time-consuming as well.
A Ubiquitous Target
Although it seems significant that over 100,000 websites are potentially vulnerable, some experts offer a holistic approach.
For instance, CVE-2022-0215 affects 84,000 websites - but that affects only 0.018% of all WordPress instances, says Tyler Reguly, manager of software development and vulnerability and exposure researcher at Portland-based security and compliance firm Tripwire.
And to exploit the flaw, an attacker must target a WordPress administrator who has an active admin session with their WordPress instance and know where that instance is hosted, he tells ISMG.
"They must convince that WordPress administrator to click a link or visit a website in order to execute the attack." he says, adding that the risk of widespread attacks is minimal, but targeted attacks could occur.
Reguly says it's less that WordPress is prone to critical vulnerabilities and more that the popularity of WordPress makes it a worthwhile target for attackers. "I would compare this to the Windows problem," he says. "For years, we’ve heard that Windows is less secure that macOS and Linux but in reality, there’s just more targets, making it more valuable."
Referring to the Dec. 10 series of attacks, Reguly says that 1.6 million WordPress websites is still only 0.35% of all WordPress instances.
A Popular Target
Six vulnerabilities identified in just three weeks begs the question: Why are there so many WordPress vulnerabilities?
Echoing Reguly's comment on the popularity of WordPress, Yaniv Bar-Dayan, CEO and co-founder of Israeli cybersecurity company Vulcan Cyber, tells ISMG that when a technology or tool becomes as widely used as WordPress, it becomes a popular target for cybercriminals because they know they can count on a portion of admins to not pay adequate attention to the core platform as well as its plug-ins.
Bengaluru-based WordPress security firm MalCare says that while WordPress itself is secure, its plug-ins and themes may not be.
Drilling down to the root cause of WordPress vulnerabilities, John Goodacre, director of the U.K. Research Institute's Digital Security by Design and professor of computer architectures at the University of Manchester, says that most of today’s applications include software code that wasn’t written by primary application developers.
Goodacre says that whether developers are using open-source or commercial libraries and plug-ins, they always need to weigh the feasibility and costs of protecting one area of their application against the risk of having issues in another area of the application.
Goodacre advises CISOs to maintain a rigorous understanding and maintenance process around the software they use, including all libraries or plug-ins for any open source, and adds that they should demand that commercial suppliers do the same.
"CISOs need to be more aware of what can be done and ensure that their technology providers build and deliver solutions that are secure by default," he says.
Goodacre says the availability of newer hardware technologies can block around 70% of the ongoing software vulnerabilities from exploitation.
Bar-Dayan of Vulcan Cyber says that admins must run security audits of WordPress and its plug-ins at least on a quarterly basis. "As always, it’s crucial to be conscientious about applying security updates as soon as they’re available," he adds.
Based on personal experience, Reguly says that investing in WordPress security is invaluable. WordPress security plug-ins monitor websites, provide statistics, notify of attacks and block hosts where attacks originate.
He also recommends hosting WordPress instances outside the organization and isolating them from all other data to mitigate information loss if a website be hacked.
"For the same reason, I would ensure that regular back-ups are performed and stored elsewhere, instead of just letting it sit in a backup folder on the same server as the WordPress instance," he says.
Leo Pate, managing consultant at Virginia-based cybersecurity firm nVisium, recommends not running WordPress server's services as administrative users. He says that the server must only allow connections over TLSv1.2 or TLSv1.3. "The ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency," he adds.
Pate also says companies must ensure that any plug-in or template used within WordPress is from a reputable source. In the WordPress plug-in portal, admins must track when the plug-in was last updated and review user comments on them, he adds.