The state of WordPress security plugins in 2022



On May 30, 2022, we disclosed two security vulnerabilities, both in our opinion pretty serious, in two popular WordPress 2FA plugins through the WPScan platform.

Our initial disclosure was very detailed, and WPScan promptly assigned it a provisional CVE.

Fast forward three months, there were still no fixes on the horizon, and ultimately WPScan decided to drop the vulnerabilities altogether.

The vendors and WPScan now categorized the vulnerabilities as “security enhancements.”

Upon hearing this, we gave the code in question another 30-minute glance. We quickly found a way to elevate the “security enhancement” to a total site takeover by logging in as any user with 2FA enabled.

Having understandably lost faith in WPScan’s ability to resolve said vulnerabilities promptly, we contacted Patchstack with our findings, but they would or could not process them either, because the vulnerability requires a precondition (albeit a very commonly present one).

After consulting with a few trusted partners in the WordPress ecosystem, we decided to publish our findings independently on this blog.

But there was this one thought that did not go away.

“What if this is all just the tip of the iceberg?”

The two initial vulnerabilities we discovered were so indicative of a wider pattern that we did not believe them to be outliers.

Thus, we audited the top 20 WordPress security plugins for the following two weeks.

We allocated around one hour per plugin and mostly limited our research to two types of vulnerabilities:

Two weeks later, we had identified 57 vulnerabilities in 24 plugins.
Well over 16 million sites are affected, and this doesn’t even include the premium versions of the audited plugins.

We immediately contacted all vendors and disclosed the vulnerabilities in great detail. Furthermore, we included POCs and even proposed fixes for every vulnerability we discovered.
Consequently, some vendors shipped fixes to customers within three business days. However, some vendors could not have cared less.

In many cases, the most basic security best practices (for a security software vendor) were absent.

  • Many vendors made us send confidential details over untrusted third-party chat software to support staff.
  • Only 4/26 listed a dedicated security@ email on their website.
  • Only 2/26 had a public GPG key to secure the POCs.
  • Only 1/26 had a bug bounty program.

Our findings draw a pretty concerning picture of the overall state of WordPress security. In most cases, the vulnerabilities were caused by not following the most basic security principles like:

  • Don’t trust user input to contain truthful information.
  • Don’t store sensitive secrets as plaintext in a database.
  • Don’t roll your own cryptography code.
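To make the three principles concrete, here is an added illustration in plain PHP (it is not code from any of the audited plugins and not part of the original article). It shows a TOTP verification step written the way the principles forbid, next to a hardened version. The `$usermeta` array is a constructed stand-in for the wp_usermeta table, `$masterKey` stands for a secret that would be defined as a constant in wp-config.php, and `hotp()` is a minimal RFC 4226 implementation included only so the script runs offline; all names are hypothetical.

```php
<?php
// Added illustration (not code from any audited plugin). The three mistakes
// named above, then the same step done properly. Requires PHP >= 7.2 (libsodium).
declare(strict_types=1);

$usermeta  = [];                                               // constructed stand-in for wp_usermeta
$masterKey = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);   // would be a wp-config.php constant, never a wp_options row

function hotp(string $secret, int $counter): string {
    // RFC 4226 HOTP with 6 digits; TOTP (RFC 6238) is HOTP over floor(time / 30).
    $msg  = pack('J', $counter);                               // 64-bit big-endian counter
    $hash = hash_hmac('sha1', $msg, $secret, true);
    $off  = ord($hash[19]) & 0x0f;                             // dynamic truncation offset
    $code = ((ord($hash[$off]) & 0x7f) << 24) | (ord($hash[$off + 1]) << 16)
          | (ord($hash[$off + 2]) << 8) | ord($hash[$off + 3]);
    return str_pad((string)($code % 1000000), 6, '0', STR_PAD_LEFT);
}

// --- Insecure: violates all three principles -------------------------------------
function enroll_insecure(array &$db, int $userId, string $secret): void {
    $db[$userId]['totp_secret'] = $secret;                     // plaintext seed in the database
}
function verify_insecure(array $db, array $post): bool {
    $userId = (int)$post['user_id'];                           // trusts the client to say whose code this is
    $code   = hotp($db[$userId]['totp_secret'], intdiv(time(), 30));
    return $code == $post['code'];                             // loose, non-constant-time compare ("000123" == "123" is true)
}

// --- Hardened --------------------------------------------------------------------
function enroll_secure(array &$db, int $userId, string $secret, string $key): void {
    // Principle 2: encrypt the seed with libsodium; the random nonce is stored with it.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $db[$userId]['totp_secret'] = $nonce . sodium_crypto_secretbox($secret, $nonce, $key);
}
function verify_secure(array $db, int $sessionUserId, string $submittedCode, string $key): bool {
    // Principle 1: the account being verified comes from server-side session state
    // (the user who just passed password authentication), never from the request body.
    if (!isset($db[$sessionUserId]['totp_secret'])) {
        return false;
    }
    // Principle 3: only six digits are ever compared, and only via hash_equals().
    if (!preg_match('/^[0-9]{6}$/', $submittedCode)) {
        return false;
    }
    $blob   = $db[$sessionUserId]['totp_secret'];
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $secret = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($secret === false) {
        return false;                                          // tampered ciphertext or wrong key
    }
    $ok   = false;
    $step = intdiv(time(), 30);
    foreach ([0, -1] as $drift) {                              // accept the current and previous 30s window
        if (hash_equals(hotp($secret, $step + $drift), $submittedCode)) {
            $ok = true;
        }
    }
    sodium_memzero($secret);                                   // don't leave the seed in memory longer than needed
    return $ok;
}

// --- Demo on constructed data ------------------------------------------------------
$seed = random_bytes(20);                                      // a fresh 160-bit TOTP seed
enroll_insecure($usermeta, 1, $seed);
enroll_secure($usermeta, 2, $seed, $masterKey);
$current = hotp($seed, intdiv(time(), 30));

// The insecure path checks the code against whichever account the client names.
var_dump(verify_insecure($usermeta, ['user_id' => '1', 'code' => $current]));
// The hardened path checks against the session's user only, and rejects malformed input outright.
var_dump(verify_secure($usermeta, 2, $current, $masterKey));
var_dump(verify_secure($usermeta, 2, $current . "\n", $masterKey));
// The plaintext row still holds the raw seed; the encrypted row does not.
var_dump($usermeta[1]['totp_secret'] === $seed, $usermeta[2]['totp_secret'] === $seed);
```

Two details worth noting when reviewing real plugin code: `==` on numeric strings in PHP compares them as numbers, so leading zeros and type juggling slip through, and `hash_equals()` is the standard-library answer rather than a hand-rolled loop. Likewise, encrypting a secret with a key that is itself stored in the same database (for example in wp_options) buys nothing against the SQL-injection or backup-leak scenarios the encryption is supposed to cover; the key has to live outside the database, as the wp-config.php salts already do.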

We are publishing this research in the hopes of creating more awareness and security consciousness in the broader WordPress ecosystem.

Most of the vulnerabilities have been validated by:

  • GridPane
  • The InfoSec team of one of the largest enterprise WordPress hosts.
  • A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
  • Thomas Raef, CEO at wewatchyourwebsite.com

A continually updated list of the vulnerabilities, categorized by vendor, can be accessed here.