WordPress Security: Critical Vulnerabilities In 10 Popular Plugins (2020 Case Study)

WordPress is often portrayed as an insecure platform that should be avoided for enterprise-grade projects.

Having spent the past decade deploying WordPress for SMEs, I’ve busted this myth numerous times – including our guide for important security considerations disclosing our experience working with banks and other financial institutions.

As the ubiquitous platform now powers over 40% of the Internet, being a vendor common to attacks from hackers is expected. Any industry leader in tech gathers more attention and “script kiddies” when popularity exceeds a certain point.

WordPress CMS

The Main Security Risk With WordPress

The WordPress Core platform (the free software available from WordPress.org) isn’t 100% bulletproof, but it’s pretty close to this.

Every now and then, security leads and white hackers disclose a vulnerability, but the regularity is rare (compared to industry standards) and escalating privileges is usually possible under a specific set of circumstances—say, a set of available plugins, an already existing role (such as Author or Editor promoted previously), and other factors that don’t exist in a pure WordPress environment.

Aside from social engineering factors—such as poor passwords or logging in from a public Wi-Fi network – the four most common attack vectors are:

  1. Hosting (insecure hosting, cheap shared hosts, and other sites such as staging or abandoned projects available with the same account)
  2. Outdated WordPress Core – old WordPress versions are patched real quick, but if you stick to the old version forever, you may become a victim of an automated attack
  3. WordPress themes – by design, WP themes should only define presentation, not include complex features. But some marketplaces have established a pattern of premium multipurpose themes including all sorts of sliders and galleries that don’t receive regular updates (thus get hacked)
  4. WordPress plugins – while the Core system is monitored closely by thousands of active contributors, plugins are developed by third-party authors and don’t undergo the same scrutiny.

WordPress Plugins In 2020 – Case Study

There are nearly 60,000 free plugins listed on WordPress.org alone. Combined with 7,500 paid plugins on Codecanyon and a vast number of free and premium plugins not listed across marketplaces, we’re probably counting around 100,000 plugins available for free (or at a low cost).

The WordPress.org repository provides a basic introductory code review plus runs regular scans for common vulnerabilities (like SQL injections). However:

  1. The reviewing team is composed of volunteers. You can’t expect a full dissection of a plugin – especially more complex ones dealing with eCommerce or memberships or anything like this.
  2. Only the first version of a plugin is subjected to a review during submission. Authors can literally push daily updates with everything and anything.
  3. There were several known cases of plugins changing hands – whereas a new author injects malicious iframes or replaces data on the fly, which is a serious red flag if you happen to be a plugin user.

Other repositories enforce their own best practices which usually don’t include security code reviews. Same goes for random plugins authored by a small shop – some are better while others may be flawed.

WordPress’ Key Strength Jeopardizes Security

WordPress plugins

Note: Painting all plugins with the same brush is not the goal of this review.

However, when it comes to WordPress security, plugins are one of the key attack vectors that hackers utilize to gain access to a foreign website.

And one of the hardest aspects for both clients and WordPress vendors is the fine balance between custom development and relying on off-the-shelf plugins for the job.

Especially valid for small and medium business owners, looking for a $2K or $5K website quote with a myriad of features compiled by 40+ plugins is one of the key examples of websites falling prey to hacker attacks. Quickly patched solutions with questionable plugins may fall into the category of solutions that a hacker reverse-engineers and pushes an automated mass attack against.

And in practice, there’s almost no alternative on the market.

You can’t get a fully-fledged slider with a Photoshop-alike editor bundled in a Sitefinity site, a Crafter CMS build, a custom Java/.NET/any PHP framework solution. Custom development for tens if not hundreds of thousands of dollars will be required for this feature itself.

So finding the balance between stability, required features, and cost is the missing piece that WordPress often gets bad rap for. Then again – it’s not the platform at fault – it’s the use of 3rd party software authored by a small business costing peanuts which doesn’t justify hiring a security team to take care of penetration testing full time.

Here are some of the most notable WordPress plugins being hacked over the course of 2020 alone.

1. Contact Form 7 (5M+ Installs)

Contact Form 7

Contact Form 7 is the most popular contact form plugin in the WordPress ecosystem.

Virtually every website out there displays a contact form – and many use it for additional purposes (including sign-ups, accepting contributed content, user submissions, even membership profile options, job applicant submissions).

The plugin is actively used by over 5 million websites online.

The Astra Security Research team found the vulnerability on December 16.

Any form with an upload field available, using an outdated version of the plugin, can potentially be bypassed by uploading a specific executable file – including a web shell or a separate script having almost complete access to the internals of the system – files and database. A properly crafted attack can wipe out the entire database, delete files, deface the homepage, inject a crypto miner, or do any form of public (or secret) attack – including turning the site into a node part of a bot network used for massive attacks.

An updated version is now available – but hundreds of thousands of sites are not up to date yet. The good news is – if you aren’t displaying an upload field on your site, this vulnerability does not apply in this case.

It’s still worrying that one of the most important plugins out there can endanger millions of websites, small and large alike.

2. WP Bakery (4M+ Installs)

WPBakery

As reported by Search Engine Journal, a WPBakery vulnerability potentially affects 4 million websites running the popular premium “Visual Composer” plugin.

The notorious solution is both available as a standalone plugin and frequently incorporated in premium themes as a part of the bundle. While the plugin is easy to update (given enough attention to detail and monitoring news), theme authors are often slow to react when it comes to releasing a new version of the theme with the updated builder.

The reason behind that is – while a security fix only patches a minor set of features, this only concerns the delta between two different versions. Theme authors may choose to ignore updates for over a year, thus updating right away is likely to break existing templates or features within the theme.

Since the core plugin isn’t available on WordPress.org, the automated update solutions on the market may not be able to intercept and upgrade the plugin right away – which made it specifically dangerous back in July 2020 as disclosed by Wordfence.

3. All in One SEO Pack (2M+ Installs)

All in One SEO Pack

All in One SEO Pack is one of the two most popular SEO plugins known in the ecosystem, amassing over 2 million active installs.

The vulnerability, as listed on serverguy’s site, is flagged as “medium” as it can’t be targeted by every guest user. It requires a registered user with a contributor access (or higher) to exploit the flaw – which could be a guest blogger or a random user that normally wouldn’t have access to admin-level features and settings on the site.

And yet, since SEO plugins are frequently used by large blogs, business websites, online magazines with lots of authors and contributors, a large number of websites are potentially affected by the vulnerability. Additionally, hacking a contributor-level account under normal circumstances (due to a poor password or a social engineering account) won’t cause any harm – but targeting a low-level user in this context would make a real difference.

Registered users can inject a random script that gets executed when an administrator opens the “All Posts” view – the most frequently opened screen for most blogs and online media sites. The SEO plugin lists additional columns to track SEO metrics, failing to validate and sanitize malicious scripts. Thus, a similar script can steal cookies and execute code on behalf of the administrator – resulting in stealing permissions or receiving administrative access.

The vulnerability was disclosed in July and patched a few days after the report. Since automatic WordPress plugin updates are not the standard, there are still vulnerable plugin versions in the while across probably over 100,000 websites online.

4. Elementor Pro (1M+ Installs)

Elementor Pro

Elementor is one of the most popular page builders out there, with estimated 5 million active installs for the free version.

The Pro version of the plugin – the premium one for paid customers – amasses over 1M installs.

Security company Defiant reported a vulnerability that hackers actively tried to exploit in May 2020. Security Week covered the story, discussing an attack spotted on May 6, with a zero-day vulnerability that worked successfully until the public patch released by Elementor on May 7.

Whether and how many customers updated quickly to the new version is always arguable. Some never did – but sites were successfully hacked in the process.

5. Duplicator (1M+ Installs)

Duplicator

As reported in February 2020, Duplicator, one of the most popular migration and backup plugins, was found to contain a serious unauthenticated arbitrary file download vulnerability.

According to WP-Scan, the issue has been actively exploited, and access to disallowed files was available for hackers under specific circumstances through a directory traversal hack.

Attackers gaining access to a vulnerable website are able to download almost anything on the server, including wp-config.php which contains credentials to the database (including database password), among other integral arguments that allow them to continue the attack toward different vectors.

The vulnerability was found in both the free version of Duplicator as well as their premium Duplicator Pro product.

6. Loginizer (1M+ Installs)

Loginizer

Oddly enough, security issues are being found even in security plugins.

As per their official plugin page, Loginizer helps you “fight against brute-force attack” and provides different ways to protect your login pages – including 2FA, reCAPTCHA, passwordless login, etc.

With a user base of over 1 million installations, October’s plugin update introduced 2 security issues, including an SQL injection (as reported by Search Engine Journal).

The vulnerable plugin version included raw database queries without sanitized database arguments, meaning that a malformed SQL injection crafted “on the fly” could have been constructed to access certain areas of the plugin.

In addition to that, an XSS vulnerability was found in the very same version – including the ability to serve malicious files to site visitors upon a successful content update (or through a certain URL).

While the authors have patched the vulnerability since, it’s troubling that even security plugins are prone to being hacked – raising questions in blindly trusting 3rd parties available as PHP source code activated within WordPress’s core.

7. Site Kit by Google (900K Installs)

Site Kit by Google

You would expect that the search engine giant Google is practically flawless – especially considering how we trust them with our browsers, email accounts, Google calendars, business documents (and whatnot).

Site Kit by Google grew real quick considering the smooth integration of Google accounts related to your site within the WordPress dashboard, including Analytics and Search Console.

And yet, in April 2020, Wordfence discovered a critical vulnerability covered by the WPTavern allowing random site users to gain full access to Google Search Console.

GSC contains a lot of information regarding keyword rankings, positions, search volume, traffic coming from Discover, etc. This business intel can be “predicted” through tools like Ahrefs or SEMrush, but this would be an approximation that doesn’t include actual traffic numbers.

Two missing capability checks allowed site users to explore deeply the site’s ranking and reputation, and malicious users could remove certain URLs from Google’s index, modify sitemaps, and cause harm on multiple fronts.

Once again, while the plugin has been patched since, not every site out there is running the latest version. An adequate maintenance policy is required to keep a site intact even while running official plugins owned by giants like Google or Facebook.

8. File Manager (700K Installs)

File Manager

Ever since the vulnerability disclosure, about 100,000 users deleted File Manager from their sites (the current number of active installations is 600,000).

The File Manager plugin provides a user interface within your dashboard that allows you to manage files on your server through the backend, similarly to what you would perform through an FTP client or a hosting panel file editor.

The problem is that, unlike the other two options, plugin files are accessible through a web front end – or a traditional browser (or shell).

Latest Hacking News discussed the vulnerability which allows non-authenticated users to run arbitrary commands and even upload malicious files on the site.

The latter one is particularly dangerous due to the existence of “PHP shells” – executable files that could open a remote terminal from the browser and access the server with the credentials of a file browser.

This is possible due to a core library used in the plugin that provides most of the heavy lifting – file management and listing, and the ability to perform operations like zipping files or extracting archives.

Running a complex file editor within your site is always a slippery slope. Raw access to your server unlocks different opportunities and naturally opens a number of possible vectors that could be attacked. A simple plugin that barely touches the database or the server is less likely to be attacked simply because it exposes fewer raw vectors to complex systems.

9. Easy WP SMTP (500K Installs)

Easy WP SMTP

A fairly recent one disclosed in December and covered by GBHackers, the vulnerability is particularly dangerous and could easily cause harm with the right techniques in place.

While some hacks require a complex set of actions (or other activated plugins and extensions, or specific credentials available already), this vulnerability allows unauthorized users to gain access to the admin user given some history of emails sent.

SMTP plugins are commonly used to connect to a 3rd party server sending emails. Cheap hosts provide free email hosting, but public IPs hosting thousands of sites frequently get flagged or marked as spam in certain lists. This is why site owners often rely on external servers like the ones available in G-Suite or Rackspace to manage email externally – and connect these servers within the WordPress mail and notification ecosystem.

However, the vulnerable plugin versions stored a debug log for email activity in a publicly available folder with no index file. The folder is accessible through the browser, and log files include all sorts of emails sent by WordPress.

By discovering the admin username or email, a malicious user could request a forgotten password through the login form. While this email is meant to hit the inbox of the owner, it also gets stored in the debug log – including the “forgotten password” reset link. A hacker can grab the link, reset the password with no additional confirmation, and gain admin access accordingly.

If you happen to be running an outdated version at the moment, updating it is pretty much mandatory.

10. Orbit Fox by ThemeIsle (400K Installs)

Orbit Fox

For starters, I really like ThemeIsle and their theme directory. That said, Orbit Fox is a pretty broad plugin that offers anything from social media share buttons through Google Analytics, page template importer, GDPR notices, add-ons for page builders – and a lot more.

This automatically turns it into a complex “Swiss Army knife” plugin that potentially touches on various external vectors which could be flawed at a certain point in time.

The vulnerability was initially found in November by Wordfence, and two vulnerabilities allowed attackers with contributor access to upgrade themselves to admins.

Contributor is the second-lowest role which is often granted to guest authors or freelance writers contributing to a site. Additionally, other roles like Author and Editor are granted in certain cases for full-time staff or other external contributors, lacking access to sensitive data available exclusively to administrators.

This vulnerability actually allows escalation for all users being assigned other roles.

It took the core team nearly a month to release an updated version. While it’s unlikely that a lot of malicious hackers were aware of the flaw and ran targeted attacks, the full disclosure is still out there and outdated plugins should be updated as soon as possible.

Summary

WordPress, as a core platform, is fairly safe according to general security standards.

But WordPress’s biggest strength is a double-edged sword. You can run a website in a matter of hours, slapping a premium theme and a dozen popular plugins, and be done with it.

But as your website grows, you can easily fall prey to mass automated attacks targeting security vulnerabilities among some of the largest plugins on the market. The more complicated the plugin, the easier.

Finding the balance between an “off-the-shelf” solution and a custom build is hard. It costs more and takes longer to build a custom plugin or an integration that lasts and normally doesn’t allow for endless options and configurable parameters that occasionally lack escaping or sanitization.

Professional solutions – be it WordPress-based or not – are developed by professional teams understanding security from the inside-out, peering up with security analysts and engineers, hosted on professional platforms along with web firewalls and intrusion protection systems. As your business grows, investing in the right technical solution is a priority for any reputable business.

And in this case, WordPress can still be the answer. Just don’t assume that a LEGO build should last through time without maintenance in place at low cost while your revenue grows steadily.

Leave a Reply

Your email address will not be published. Required fields are marked *