Akamai Diversity

The Akamai Blog

Q2 SOTI Security Preview: WordPress and the Danger of Third-Party Plugins

The Q2 2015 State of the Internet - Security Report (SOTI Security) is due out in the next couple of weeks, and today we begin previewing various sections. Let's begin with the potential security risks that come into play when third-party plug-ins are used with Wordpress.

WordPress is the world's most popular website and blogging platform. Its ever-growing popularity makes it an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns.

WordPress itself isn't poorly written or shortsighted. The general security practices and features of the core are well-intentioned and well-implemented, and generally benefit from a lot of scrutiny by the core WordPress team, as well as hundreds of open source software contributors.

However, many of its security issues come from third-party plugins and themes.

These third-party components are written by developers with various skill levels and experience. They offer features as simple as customizing text input boxes to complex shopping cart and payment processing frameworks. These plugins can be downloaded from third-party directories, developers' websites, and from WordPress.org official listings. These plugins go through very little, if any, code vetting.

Getting a plugin or theme listed on WordPress.org is a fairly strict process, as it requires review and approval on initial submission and must adhere to WordPress's long list of guidelines.

After this initial submission, review and approval, however, future changes go through a less-stringent vetting process. This means your secure plugin of today could be your attacker's plugin of choice when the plugin is updated in six months.

Given this thriving ecosystem, we reviewed some of the most popular plugins and themes on WordPress.org to determine the general security posture of third-party plugins and what vulnerabilities we could discover.

The most common vulnerabilities we found were cross-site scripting (XSS), which was expected. Conversely, there were some surprising discoveries, such as few local file inclusion (LFI) and path transversal (PT) exploits among the plugins and themes analyzed.

LFI and PT were at the top of our watch list due to their ability to leak very sensitive information and the lack of standards when coping with them (whitelisting, blacklisting, regular expressions, extension enforcement, etc.). However, most developers appear to be aware of the potential for abuse and have taken steps to successfully prevent LFI and PT exploits. There were a few dangerous LFI vulnerabilities, including one that would require the end user to modify a constant in the source code.

To read the full story, pre-register for your copy of the Q2 2015 State of the Internet - Security Report.