Jan 12, 2022
WordPress Bugs Exploded in 2021, Most Exploitable

Record-number WordPress plugin vulnerabilities are wicked exploitable even with low CVSS scores, leaving security teams blind to their risk.
Last year brought forth much more than a Ben Affleck-Jennifer Lopez reunion – analysts found the number of exploitable WordPress plugin vulnerabilities exploded.
Researchers from RiskBased Security reported that the number of WordPress plugin vulnerabilities rose by triple digits in 2021.
“10,359 vulnerabilities were reported to affect third-party WordPress plugins at the end of 2021,” RiskBased Security’s team explained. “Of those, 2,240 vulnerabilities were disclosed last year, which is a 142% increase compared to 2020.”

Worse yet, of those additional WordPress plugin vulnerabilities, more than three-quarters (77 percent) had known, public exploits.
The report found that, of all known WordPress plugin vulnerabilities, 7,592 are remotely exploitable; 7,993 have a public exploit; and 4,797 have a public exploit but no CVE ID.
In other words, organizations that rely on CVEs won’t have any visibility into 60 percent of the publicly known WordPress plugin exploits, the team said.

The right response to the emerging WordPress attack surface, according to the RiskBased team, is a fundamental shift away from prioritizing remediation resources by how critical a vulnerability is rated, toward focusing first on the most easily exploitable bugs.
“On average, the CVSSv2 score for all WordPress plugin vulnerabilities is 5.5, which by many current VM frameworks is considered a ‘moderate’ risk, at best,” the RiskBased Security team advised. “But if you compare this data point with news headlines you might observe a slight disconnect between conventional Vulnerability Management (VM) practices and impact.”
Organizations can’t allow these easy opportunities for threat actors to get stuck in a backlog of patches, the report added.
The team pointed to a Jan. 10 update from the Cybersecurity and Infrastructure Security Agency (CISA) to the Binding Operational Directive that outlines vulnerabilities and active threats against federal networks. The update likewise prioritized easily exploitable vulnerabilities over those with higher CVSS scores.
“Recent events such as CISA BOD 22-01 also support this as they show that malicious actors are not favoring vulnerabilities with high CVSS severity scores but are instead opting for ones that they can easily exploit,” the researchers added.
The report advocates a risk-based approach. That requires security teams to have a detailed, in-depth understanding of the organization's assets and valuable data, so they can make nuanced decisions tailored to the threat the organization actually faces, rather than relying on a rigid score assigned without context.
“Security teams will need to have knowledge of their assets, comprehensive vulnerability intelligence for all known issues, and detailed metadata, that allows them to examine factors like exploitability, to then contextualize the risk it poses to their environment.”
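The prioritization the report argues for can be made concrete with a small triage routine. The following is an added example, not code from the Threatpost article or from RiskBased Security; the plugin slugs, CVSS values and CVE-style identifiers in the inventory are constructed placeholders. It ranks an inventory exploit-first (installed, public exploit available, remotely exploitable, then CVSS) and contrasts that with a plain CVSS ordering, and it flags the entries a CVE-only feed would never show. The `visibility_gap` helper reproduces the report's own 60 percent figure from the 7,993 and 4,797 counts quoted above.

```python
"""Exploit-first triage of a WordPress plugin vulnerability inventory.

Added example; not from the article or the RiskBased Security report.
All inventory records below are constructed. The CVE-style strings are
placeholders of the form CVE-0000-000N, not real identifiers.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PluginVuln:
    plugin: str              # plugin slug (constructed)
    cvss_v2: float           # CVSSv2 base score, 0.0-10.0
    remote: bool             # remotely exploitable
    public_exploit: bool     # a public exploit or PoC exists
    cve_id: Optional[str]    # None when no CVE was ever assigned
    installed: bool          # present on at least one site we operate


# Constructed sample inventory (slugs, scores and IDs are invented).
INVENTORY: List[PluginVuln] = [
    PluginVuln("alpha-forms",   4.3, True,  True,  None,            True),
    PluginVuln("beta-gallery",  9.8, True,  False, "CVE-0000-0001", True),
    PluginVuln("gamma-seo",     7.5, True,  True,  "CVE-0000-0002", True),
    PluginVuln("delta-cache",   6.5, False, True,  None,            True),
    PluginVuln("epsilon-chat",  9.0, True,  True,  "CVE-0000-0003", False),
]


def cvss_order(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Conventional ordering: highest CVSS first, nothing else considered."""
    return sorted(vulns, key=lambda v: v.cvss_v2, reverse=True)


def triage_order(vulns: List[PluginVuln]) -> List[PluginVuln]:
    """Exploit-first ordering.

    Sort key, most important first: is it on our sites, is there a public
    exploit, is it remotely exploitable, and only then the CVSS score.
    Python sorts tuples lexicographically, so each field acts as a
    tie-breaker for the one before it.
    """
    return sorted(
        vulns,
        key=lambda v: (v.installed, v.public_exploit, v.remote, v.cvss_v2),
        reverse=True,
    )


def missed_by_cve_feed(vulns: List[PluginVuln]) -> List[str]:
    """Slugs with a public exploit that a CVE-only feed cannot surface."""
    return [v.plugin for v in vulns if v.public_exploit and v.cve_id is None]


def cve_feed_visibility_gap(vulns: List[PluginVuln]) -> float:
    """Fraction of publicly exploitable entries that carry no CVE ID."""
    exploitable = [v for v in vulns if v.public_exploit]
    if not exploitable:
        return 0.0
    return round(len(missed_by_cve_feed(exploitable)) / len(exploitable), 2)


def visibility_gap(total_with_exploit: int, without_cve: int) -> float:
    """Same ratio from aggregate counts, e.g. the report's 7,993 and 4,797."""
    return round(without_cve / total_with_exploit, 2)


if __name__ == "__main__":
    print("CVSS-only order:   ", [v.plugin for v in cvss_order(INVENTORY)])
    print("Exploit-first order:", [v.plugin for v in triage_order(INVENTORY)])
    print("Invisible to CVE feed:", missed_by_cve_feed(INVENTORY))
    print("Sample gap:", cve_feed_visibility_gap(INVENTORY))
    print("Report-wide gap:", visibility_gap(7993, 4797))
```

Run as a script it shows the disconnect the report describes: the CVSS-only list puts the 9.8-rated entry with no public exploit at the top, while the exploit-first list pushes it down behind a 4.3-rated bug that is installed, remotely exploitable, has a public exploit and has no CVE ID at all, so a team working from a CVE feed would not even have it in the backlog.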