Record-number WordPress plugin vulnerabilities are wicked exploitable even with low CVSS scores, leaving security teams blind to their risk.
Last year brought forth much more than a Ben Affleck-Jennifer Lopez reunion – analysts found the number of exploitable WordPress plugin vulnerabilities exploded.
Researchers from RiskBased Security reported they found the number of WordPress Plugin vulnerabilities rose by triple digits in 2021.
“10,359 vulnerabilities were reported to affect third-party WordPress plugins at the end of 2021,” RiskBased Security’s team explained. “Of those, 2,240 vulnerabilities were disclosed last year, which is a 142% increase compared to 2020.”
Worse yet, of those additional WordPress plugin vulnerabilities, more than three-quarters (77 percent) had known, public exploits.
The report found that 7,592 WordPress vulnerabilities are remotely exploitable; 7,993 have a public exploit; and 4,797 WordPress vulnerabilities have a public exploit, but no CVE ID.
In other words, organizations that rely on CVEs won’t have any visibility into 60 percent of the publicly known WordPress plugin exploits, the team said.
Focus on Exploitability Over CVSS Score
The right response to the emerging WordPress attack surface, according to the RiskBased team, is a fundamental shift away from prioritizing resources based on how critical a risk is to the organization to instead focusing on the most easily exploitable bugs.
“On average, the CVSSv2 score for all WordPress plugin vulnerabilities is 5.5, which by many current VM frameworks is considered a ‘moderate’ risk, at best,” the RiskBased Security team advised. “But if you compare this data point with news headlines you might observe a slight disconnect between conventional Vulnerability Management (VM) practices and impact.”
Organizations can’t allow these easy opportunities for threat actors to get stuck in a backlog of patches, the report added.
The team pointed to a Jan. 10 update from the Cybersecurity and Infrastructure Security Agency (CISA) to the Binding Operational Directive that outlines vulnerabilities and active threats against federal networks. The update likewise prioritized easily exploitable vulnerabilities over those with higher CVSS scores.
“Recent events such as CISA BOD 22-01 also support this as they show that malicious actors are not favoring vulnerabilities with high CVSS severity scores but are instead opting for ones that they can easily exploit,” the researchers added.
The report advocates for a risk-based approach, which requires security teams to have detailed, in-depth understanding of the organization’s assets and valuable data to make nuanced decisions tailored to the threat to the organization, rather than a rigid score assigned without context.
“Security teams will need to have knowledge of their assets, comprehensive vulnerability intelligence for all known issues, and detailed metadata, that allows them to examine factors like exploitability, to then contextualize the risk it poses to their environment.”