Record-number WordPress plugin vulnerabilities are highly exploitable even when they carry low CVSS scores, leaving security teams blind to their real risk.
Last year brought forth much more than a Ben Affleck-Jennifer Lopez reunion – analysts found the number of exploitable WordPress plugin vulnerabilities exploded.
Researchers from RiskBased Security reported that the number of WordPress plugin vulnerabilities rose by triple digits in 2021.
“10,359 vulnerabilities were reported to affect third-party WordPress plugins at the end of 2021,” RiskBased Security’s team explained. “Of those, 2,240 vulnerabilities were disclosed last year, which is a 142% increase compared to 2020.”
Worse yet, of those additional WordPress plugin vulnerabilities, more than three-quarters (77 percent) had known, public exploits.
The report found that 7,592 WordPress vulnerabilities are remotely exploitable; 7,993 have a public exploit; and 4,797 WordPress vulnerabilities have a public exploit, but no CVE ID.
In other words, organizations that rely on CVEs won’t have any visibility into 60 percent of the publicly known WordPress plugin exploits, the team said.
Focus on Exploitability Over CVSS Score
The right response to the emerging WordPress attack surface, according to the RiskBased team, is a fundamental shift away from