Why Site Owners Must Monitor WordPress Plug-In Security

Another day, another vulnerability in the WordPress ecosystem. At the end of March, WordPress firewall vendor Wordfence surfaced critical flaws in the Rank Math SEO plug-in affecting over 200,000 sites. The most critical flaw allowed attackers to turn any registered user into an admin. It's the latest in a string of WordPress plug-in vulnerabilities that have affected hundreds of thousands of online properties.

The issue here isn't with the core WordPress engine itself – it’s with the third-party software that users choose to install for it. WordPress engineers are doing their best to work with plug-in vendors to fix the flaws, but ultimately the responsibility lies with a constellation of independent development companies.

It's no wonder, then, that WordPress tops the list of web application frameworks with weaponized vulnerabilities in a report released by RiskSense in March. Attackers had weaponized 27.7% of reported WordPress vulnerabilities between 2010 and 2019, the report said. It ranked PHP (really a different animal, since it is the web language and runtime on which the WordPress content management system sits), Apache Struts, Java, and Drupal as the next highest in terms of weaponized vulnerabilities, in that order.

The report doesn’t appear to differentiate between the core WordPress engine and the third-party plug-ins that exist for it, because it cites the latter as examples of bugs. The distinction is important, because it's possible to upgrade individual plug-ins without upgrading your entire WordPress engine.

Many WordPress users don't keep their plug-ins up to date. They're often small businesses, perhaps running ecommerce operations through the site and using a variety of pluggable social media marketing and analytics tools. Patching software is unlikely to be a top priority for these users, who often won't be tech savvy. That's where the danger lies. The same goes for other content management systems like Drupal.

Ubiquitous content management systems like WordPress are potential infection points for thousands if not millions of visitors, because criminals can use these flaws to drop malicious content directly onto the sites they host. Responsible selection and maintenance of these plug-ins is the site owner's job. Failing to do so can do more than cripple their own sites – it can quickly affect the internet at large.