Plugins and Extensions: The Achilles Heel of Popular CMSs

2073 1

A by-product of High-Tech Bridge’s ImmuniWeb® web application penetration test SaaS is the frequent discovery of vulnerabilities in popular web applications and CMSs. High-Tech Bridge’s disclosure policy is to immediately notify the vendors but to allow three weeks for the vulnerability to be fixed before going public with the details (vendors also may ask to extend the disclosure time). During this period, a brief announcement of the vulnerability without any exploitable details is posted on High-Tech Bridge’s Research page.

High-Tech Bridge’s purpose is to persuade the vendor to fix the flaw and help make the Internet a safer place for everyone. An example of this in action is the two SQLi flaws found, ironically, in the All-In-One WP Security plug-in. The vendor was notified on the 3rd of September, with planned full disclosure on the 24th of September. Ultimately, the flaw was fixed by the vendor on the 12th of September via the new version 3.8.3.

Free Download: Is An Outright Ban On Workplace Social Networking A Good Idea?

The current state of High-Tech Bridge’s Research page shows a number of other recently discovered flaws in WordPress plugins; for example in MaxButtons, Google Maps plugin; Google Calendar Events plug-in and more. It is tempting to think because of this and the Heartbleed and ShellShock vulnerabilities that open source software including WordPress is inherently insecure. I asked Ilia Kolochenko, High-Tech Bridge’s CEO and founder, if this is an accurate assumption.

The answer, he said, is yes and no. “For upwards of a decade”, he told me, “the major CMS platforms such as Joomla and WordPress have been deeply researched by both black and white hat hackers (some well-known CMSs even changed names during their development). In the early days, SQL injections (SQLi) and code execution flaws were commonplace. In fact”, he added, “around 90% of websites were vulnerable to critical-risk attacks that allowed attackers to take control over the website remotely within a dozen of minutes. Nothing resembling the medium-risk XSSs vulnerabilities that are extremely common these days. One should not forget however, that in the past, web applications have never hosted so much critical data and personal information. Today, it would be fair to say that the vast majority of data breaches are directly or indirectly related to vulnerable web applications and compromised websites.

As time passed, the code of CMSs who managed to survive on the dynamic market became more mature and secure. Blackhats started keeping rare 0days for them, while whitehats were discovering less and less critical vulnerabilities, building the XSS epoch in web security. We now can say that after a decade of hacking, most of the SQLi and XSS flaws have been found (we are not even speaking about PHP includes or RCEs that went extinct beforehand), exposed and fixed; and that WordPress and Joomla are pretty secure. “I would say,” explained Kolochenko, “that a popular CMS such as WordPress or Joomla may be considered secure in default installation if they are properly configured, don’t have third-party code (plugins), and are up-to-date.”

That doesn’t mean, however, that all current installations are safe. Too many administrators use weak passwords that can be brute-forced, or they reuse passwords that can be stolen from other sites. They can also be phished, an art of social engineering turned science by cybercriminals. These days, hackers tend to use XSS vulnerabilities in various plugins with a mix of social engineering to get administrator’s accounts (and they do succeed in many cases).

“The main weakness in modern CMSs sites today,” continued Kolochenko, “is not in their core code where 99% of exploitable vulnerabilities were already found and fixed in the past years but in the plugins written and supported by third-parties. For example, it is not WordPress but the WordPress plugins that are vulnerable, applications which are often produced by new coders with little experience in security. At the same time, plugins are unavoidable as people will always want some specific customized features on their websites that no CMS can provide by default. Of course from time to time new vulnerabilities (or bypasses of previous patches) in major CMSs are announced, but they represent the vast minority and are usually quite complex to exploit.”

It is in the plugins that the “WordPress” SQLi and XSS flaws are still common. “A vulnerable plugin means a vulnerable CMS that has this plugin installed”, he explained. “By exploiting XSS and SQLi flaws in the plugins, the attacker can get at the admin password same as if he were exploiting these vulnerabilities in the core code of the web application”. The problem for the internet is that there are so many millions of WordPress and Joomla websites produced and operated by very small companies or individuals with no training or understanding in security. WordPress’ own statistics today claim that there are 33,581 different plugins that have a combined total of 747,619,967 downloads. An unknown number of those plugins with an unknown number of downloads will contain security flaws that have nothing to do with WordPress and yet will still make the WordPress installation insecure.

The real problem for the internet is that WordPress users tend not to understand the risks nor are able to afford a solution. They tend to think they won’t be a target when the reality is they are a prime target. Pornographers have been known to “hide” child pornography in orphaned pages on compromised websites where the URL is known only by other paedophiles; web servers are hijacked to deliver spam or operate in a watering hole campaign.

All the average WordPress user can do is guard his password carefully and try to find any flaws in his plugins. The traditional method is by employing a pentester, but with prices ranging upwards of €10,000, this is hardly realistic for the average WordPress/Joomla site.

Online penetration testing services such as High-Tech Bridge’s own ImmuniWeb are much more affordable, but apart from this, WordPress users are reliant on the white hat hackers like Ilia Kolochenko and his team who find the flaws and help the developers fix them before too much harm can be done.

By Kevin Townsend, High-Tech Bridge

About High-Tech Bridge

High-Tech BridgeHeadquartered in Geneva, Switzerland, High-Tech Bridge provides customers in Europe, the United States, the Middle East and across the globe with information security services such as penetration testing, security auditing, computer crime investigation and web application security testing.

In 2012, analyst firm Frost & Sullivan recognised High-Tech Bridge as one of the market leading service providers in the ethical hacking industry. High-Tech Bridge also received the prestigious Online Trust Alliance Honor Roll award in 20122013 and 2014.


In this article