WordPress users have been subject to a rash of plugin vulnerabilities over the past couple of months. Some of these vulnerabilities have been so widespread that the FBI recently warned users of attacks designed to exploit WordPress sites.
Not long after WordPress published its Security White Paper, an outbreak of issues popped up, starting with a blind SQL injection vulnerability in WordPress SEO by Yoast, followed by a security release from the Pods Framework, and a few other plugins containing similar issues.
WordPress.org has not yet created a way to publicly identify the plugins for which its security team is pushing out automatic updates. The process involves coordination with the plugin developer and the core developers who have been allocated to verify and test the vulnerabilities.
Once their automatic update process for mitigating serious vulnerabilities is ironed out, it would be helpful to have a section of WordPress.org dedicated to transparency about which plugins have received these forced automatic updates.
In the meantime, WordPress users need to remain vigilant about staying current with updates. Plugin Vulnerabilities is a plugin that helps users stay on top of security releases. Once installed on your site, it can automatically detect known security vulnerabilities in any of your installed plugins. It will alert you via the admin and you can also turn on email alerts for notification in your inbox.
The plugin was created White Fir Design, a Colorado-based company that specializes in WordPress security and fixing hacked websites. The company also offers a security bug bounty program for WordPress and plugins.
White Fir Design regularly updates the plugin with alerts for new vulnerabilities. The description page gives an overview of the vulnerability stats, as of April 6, 2015:
- 257 vulnerabilities included
- 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been removed from the Plugin Directory)
- 24 vulnerabilities have been fixed in part due to this plugin
- 5 included vulnerabilities in security plugins
The top vulnerability types since the creation of the plugin include:
- Cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
- Reflected cross-site scripting (XSS): 45 vulnerabilities
- Arbitrary file upload: 45 vulnerabilities
- Arbitrary file viewing: 23 vulnerabilities
- SQL injection: 16 vulnerabilities
The plugin has an admin page listing all vulnerabilities relevant to the plugins you have installed, as well as those that have vulnerabilities in other versions. There will be times when a vulnerability is reported before any update is available, in which case you might want to deactivate and remove the plugin in question.
Updating software for security issues is a natural part of life on the web. With the popularity of WordPress at an all-time high, the discovery of vulnerabilities in core and third party extensions is only going to increase. If you feel overwhelmed by keeping up with security updates, the Plugin Vulnerabilities plugin can help you be more responsive to potential threats.