What just happened? Third-party WordPress plugin vulnerabilities increased considerably in 2021, and many of them still have known public exploits. Cybersecurity firm Risk Based Security said 10,359 vulnerabilities were reported to affect third-party WordPress plugins at the end of last year, of which 2,240 were disclosed in 2021. That's a 142 percent increase compared to 2020, but the bigger concern is the fact that 77 percent of all known WordPress plugin vulnerabilities – or 7,993 of them – have known public exploits.
A closer look revealed that 7,592 WordPress plugin vulnerabilities are remotely exploitable while 4,797 have a public exploit but no CVE ID. For organizations that solely rely on CVEs for mitigation prioritization, the latter means that more than 60 percent of vulnerabilities with a public exploit won't even be on their radar.
Another issue Risk Based Security touched on for organizations is their focus on criticality rather than exploitability.
The firm notes many organizations categorize vulnerabilities with a CVSS severity score below 7.0 as not being high priority, and thus don't address them right away. That's a problem considering the average CVSS score for all WordPress plugin vulnerabilities is 5.5.
Risk Based Security and others have observed malicious actors favoring vulnerabilities not with high severity scores, but rather those that can be easily exploited. Given the data and observations, perhaps it would be wise for some organizations to rethink their threat management protocols.
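To make the prioritization point concrete, here is an added example (not code from the article or from Risk Based Security) that compares a CVE-plus-CVSS-threshold triage rule against one keyed on exploitability; the record fields and the sample vulnerabilities are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

@dataclass(frozen=True)
class PluginVuln:
    """One plugin vulnerability record (field names are assumptions for this example)."""
    plugin: str
    cve: Optional[str]      # None when the flaw was disclosed without a CVE ID
    cvss: float
    public_exploit: bool
    remote: bool            # remotely exploitable

def cvss_only_priority(v: PluginVuln, threshold: float = 7.0) -> bool:
    """The rule the article criticises: needs a CVE ID and CVSS >= 7.0."""
    return v.cve is not None and v.cvss >= threshold

def exploitability_priority(v: PluginVuln) -> bool:
    """Exploitability-first rule: a remotely usable public exploit is urgent, CVE or not."""
    return v.public_exploit and v.remote

def triage(vulns: Iterable[PluginVuln]) -> Tuple[Set[PluginVuln], Set[PluginVuln], Set[PluginVuln]]:
    """Return (flagged by CVSS rule, flagged by exploitability rule, urgent items the CVSS rule misses)."""
    vulns = list(vulns)
    by_cvss = {v for v in vulns if cvss_only_priority(v)}
    by_exploit = {v for v in vulns if exploitability_priority(v)}
    return by_cvss, by_exploit, by_exploit - by_cvss

def missed_by_cvss_rule(vulns: Iterable[PluginVuln]) -> List[str]:
    """Plugins with a remote public exploit that a CVE-only, CVSS>=7.0 process would leave unpatched."""
    return sorted(v.plugin for v in triage(vulns)[2])

# Constructed sample records; CVE values are placeholders, not real identifiers.
SAMPLE = [
    PluginVuln("contact-form-x", "CVE-0000-0001", 8.1, False, True),  # high score, no exploit
    PluginVuln("gallery-y",      None,            5.5, True,  True),  # no CVE, exploited remotely
    PluginVuln("seo-z",          "CVE-0000-0002", 6.4, True,  True),  # below 7.0 but exploited
    PluginVuln("cache-w",        "CVE-0000-0003", 7.5, True,  False), # local-only exploit
]

if __name__ == "__main__":
    print("missed by CVSS-only triage:", missed_by_cvss_rule(SAMPLE))
```

Both flaws the CVSS-only rule skips are the kind the article describes: one has no CVE ID at all, the other scores below 7.0 yet has a working remote exploit.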
Image credit: Justin Morgan