Watch Out WordPress Users – This Site Lists All Your Vulnerable Things
WordPress has been beleaguered by various forms of attack in recent years. That’s largely because the content management system is used by nearly a fifth of all sites on the internet, thereby making it an attractive target for cyber criminals.
But it has also proven to be a highly exploitable platform, owing to the many vulnerabilities discovered both in its own code and in the many WordPress plugins and themes that are supposed to add value for website owners.
British security researcher Ryan Dewhurst has now highlighted the issue with a publicly accessible catalogue of WordPress vulnerabilities, the WPScan Vulnerability Database, launched today. Having received £5,000 from BruCON, a non-profit annual security conference held in Belgium, he used his WordPress scanner tool, WPScan, to feed vulnerability data into the site automatically.
“This should be useful to security professionals (ethical hackers) to be able to look up what plugins, etc., have vulnerabilities during penetration tests,” Dewhurst said over email. “It should also be useful to people who run WordPress web sites to check if they are vulnerable. Also it may help in shaming third-party developers to do a better job in future in terms of the security of their software.”
Given this is public, it might also be useful for malicious hackers, though most will already have other resources for hacking WordPress sites.
Though Dewhurst said there were a number of vulnerabilities WordPress refuses to patch “because they don’t think the risk of the issue is worth the effort in fixing it”, it’s apparent from his website that plugin weaknesses are causing plenty of grief. There are 29 pages of plugin vulnerabilities, including numerous flaws that emerged in the last week, but only three pages for the core WordPress codebase.
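The second use Dewhurst describes, a site owner checking whether installed plugins are affected by a known flaw, comes down to reading each plugin's version header and comparing it against an advisory feed. The following is an added example written for this article; it is not code from WPScan or the WPScan Vulnerability Database, and it makes no network calls. The plugin headers, slugs, versions and advisories are all constructed here for illustration (the header format itself, `Plugin Name:` and `Version:` lines in the first comment block of a plugin's main PHP file, is the one WordPress actually reads). It also handles the two cases a simple "compare versions" check gets wrong: a flaw with no fixed release at all, and a plugin whose header carries no version.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed plugin headers in the format WordPress reads from a plugin's
# main PHP file. All slugs and version numbers are made up for this example.
SAMPLE_PLUGINS: Dict[str, str] = {
    "example-forms": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 5.1.0.3\n*/\n",
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 2.4.1\n*/\n",
    "example-seo": "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 3.0\n */\n",
    "example-cache": "<?php\n/*\nPlugin Name: Example Cache\n*/\n",  # no Version header
}

# Constructed advisory feed, shaped like a local export of a vulnerability
# database: one entry per flaw, keyed by plugin slug. fixed_in=None means
# no patched release exists (the "vendor refuses to patch" case).
SAMPLE_ADVISORIES: List[dict] = [
    {"slug": "example-forms", "fixed_in": "5.1.0.4", "title": "Unauthenticated database export"},
    {"slug": "example-gallery", "fixed_in": "2.4.1", "title": "Reflected XSS in settings page"},
    {"slug": "example-seo", "fixed_in": None, "title": "Unfixed: arbitrary option update"},
    {"slug": "example-cache", "fixed_in": "1.2", "title": "Path traversal in cache purge"},
]

# Matches "Plugin Name:" / "Version:" lines, tolerating comment decoration
# such as "/*", " * " or "#" in front of the field name.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Extract the header fields WordPress reads from a plugin file's comment block."""
    return {field: value for field, value in HEADER_RE.findall(text)}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '5.1.0.3' into (5, 1, 0, 3) so versions compare numerically, not lexically.

    Non-numeric pieces (e.g. 'beta') count as 0 and trailing zeros are dropped,
    so '3.0' and '3.0.0' compare equal.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: Optional[str], fixed_in: Optional[str]) -> bool:
    """True when the installed release is affected by an advisory."""
    if fixed_in is None:
        return True   # no patched release exists: every version is affected
    if installed is None:
        return True   # version unknown: cannot prove it is patched, so flag it
    return version_key(installed) < version_key(fixed_in)


def audit(plugins: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Cross-reference installed plugins against the advisory feed and report findings."""
    findings = []
    for adv in advisories:
        header_text = plugins.get(adv["slug"])
        if header_text is None:
            continue  # plugin not installed; advisory does not apply
        installed = parse_plugin_header(header_text).get("Version")
        if is_vulnerable(installed, adv["fixed_in"]):
            findings.append({
                "slug": adv["slug"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "title": adv["title"],
                # With a fixed release available the remedy is an update;
                # without one the only safe options are removal or isolation.
                "action": "update" if adv["fixed_in"] else "remove or isolate",
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PLUGINS, SAMPLE_ADVISORIES):
        print(f"{f['slug']}: installed {f['installed'] or 'unknown'}, "
              f"fixed in {f['fixed_in'] or 'no fix'} -> {f['action']} ({f['title']})")
```

On a real site the `SAMPLE_PLUGINS` dictionary would be built by reading the main PHP file of each directory under `wp-content/plugins/`, and the advisory list would come from whatever feed the operator trusts; the comparison logic stays the same. Note that "up to date" is only a proxy for "not vulnerable": a plugin with no patched release stays flagged no matter which version is installed, which is exactly the case the article says WordPress site owners most need to see.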
Just last month, the Custom Contact Forms WordPress plugin was deemed vulnerable. It was a nasty flaw too, allowing an attacker to download and modify a website owner’s database remotely with no authentication required. The plugin has more than 640,000 users, so the impact was broad.
When security firm Sucuri tried to get in touch with the developers behind Custom Contact Forms, they received no response. “Due to the unresponsive nature of the development team, we’d encourage you to pursue other sources for your WordPress form needs,” the company said in a blog post.
With any luck, Dewhurst’s project will encourage developers across the WordPress platform to be more responsible with users’ data.