Demystifying the WordPress Vulnerability Landscape: 2023 Mid-Year Wordfence Intelligence WordPress Vulnerability Review Leveraging ChatGPT
In the first 6 months of 2023, our team has already added 2,471[1] individual vulnerability records to the Wordfence Intelligence WordPress Vulnerability Database. These vulnerabilities affected 1,680[2] WordPress software components. This means we have already surpassed the total number of vulnerabilities disclosed last year (2022), which was 2,395[1] based on unique vulnerability records.
Introduction
The Wordfence Threat Intelligence team actively monitors various vulnerability sources and conducts research of our own to make sure we have the most accurate and up-to-date information populating the Wordfence Intelligence Vulnerability Database. This information is then utilized in the Wordfence plugin as part of our vulnerability scanner, and is completely free to access and utilize as desired via our Wordfence Intelligence Vulnerability Data API and our Webhook Integration option which is coming very soon!
With this in mind, we have decided to compile a report on some statistics that paint a clearer picture of where the WordPress vulnerability landscape is so far this year. We have noticed some interesting trends like a high volume of shortcode-based vulnerabilities that were patched and disclosed at the start of this year, which were all escalated in severity by a vulnerability in WordPress core that was patched on May 16, 2023. While more vulnerabilities are being disclosed than ever, the authentication and user interaction requirements for many of these vulnerabilities means they are unlikely to see active exploitation en masse which may be relieving for most WordPress site owners to hear. Luckily we have only seen one 0-day vulnerability this year, but several critical vulnerabilities were patched this year that became prime targets for attackers.
No other WordPress vulnerability database on the market provides completely free access to an API that returns best-in-class WordPress vulnerability information. Wordfence Intelligence offers detailed and complete information such as affected version ranges, patched versions, concise and detailed descriptions that describe literal impact, CVSS score, and much more. All of it is maintained by a small army of industry-leading and highly credentialed security researchers. Not only does this make vulnerability detection free, easy, and efficient for any enterprise, it also makes it incredibly simple and fast to query our large dataset and unearth useful statistics about vulnerabilities in the WordPress ecosystem.
To make things fun, and completely transparent for the community, we have generated all the statistics in this report utilizing scripts written by ChatGPT that aggregated and parsed the data returned from the Wordfence Intelligence API. You can find all the scripts and the logic used to create them via ChatGPT at the end of this post, or you may click on a number next to a statistic in this report that will take you to the ChatGPT conversation which contains a Python script you can download. We encourage you to run these scripts, create your own scripts with ChatGPT, take a look at the Wordfence Intelligence Database, and share any new insights from our data you uncover!
Please note that, because the vulnerability database is actively maintained and both current and past records may change, running any of the scripts shared in this post may result in slightly different numbers from the ones compiled for this report.
Table of Contents
Note: All of the data in this report is compiled for January 2023 to June 2023.
- Jump to: General Overview of Vulnerabilities in WordPress Core, Plugins and Themes
- Jump to: Total Number of Vulnerabilities Added Broken Down By Month
- Jump to: Privileges Required to Exploit the Vulnerabilities Disclosed
- Jump to: Most Common Vulnerability Types (by CWE) Disclosed
- Jump to: CVSS Severity of Vulnerabilities Disclosed
- Jump to: Total Patched Vs. Unpatched Vulnerabilities Disclosed
- Jump to: Top Contributing Security Researchers Highlight
- Jump to: Vulnerability and Attack Data Trends and Observations
- Jump to: Conclusion
- Jump to: ChatGPT Conversations and Script Output
General Overview of Vulnerabilities in WordPress Core, Plugins and Themes
When taking a look at all the data, some things remain the same as last year: WordPress plugins are still the #1 source of vulnerabilities in the WordPress ecosystem. Generally, when we refer to the total number of vulnerabilities in our database, we simply count the total number of vulnerability records. However, a single record can list several affected software components, so counting by affected software gives a different, larger number.
We added 2,471 vulnerabilities this year, but if we count by individual software records affected by each vulnerability, the total comes to 2,587[1] new vulnerabilities in the database. Of those 2,587 entries, 2,497[2] were in WordPress plugins while only 84[2] were in WordPress themes, and only 6[2] of them were in WordPress core. A total of 1,680[3] unique software components were affected by at least one vulnerability in the first half of 2023.
Total Vulnerability Records Added By Software Type[2]
Total Number of Unique Software Components Affected by Type[4]
Total Number of Vulnerabilities Added Broken Down By Month
When we break down new vulnerability entries by month, we see a fairly steady volume of new vulnerabilities disclosed each month. February had the highest number of vulnerabilities disclosed at 457[5] and June had the lowest at 317[5]. WordCamp Europe occurred in June of 2023, and the many plugin developers and researchers in attendance may have contributed to the minor dip in vulnerabilities disclosed during that month.
Total Count of Vulnerability Records Added Per Month[5]
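The three totals the previous section distinguishes (vulnerability records, affected software records, and unique software components), together with the per-month count above, can be reproduced from the API feed with a few lines of Python. The following is an added example, not one of the report's ChatGPT-generated scripts (those are linked at the end of the post). It assumes the feed is a JSON object keyed by vulnerability id whose entries carry a published timestamp and a software list with type and slug fields; that layout is an assumption to check against the API documentation, and the feed below is a small constructed sample so the script runs offline.

```python
"""Count Wordfence Intelligence vulnerability records three ways, plus per month.

Added example, not one of the report's scripts. Assumptions: the feed is a JSON
object keyed by vulnerability id whose values carry a 'published' timestamp and a
'software' list of affected components with 'type' and 'slug'; SAMPLE_FEED below
is constructed, not real database content.
"""
import json
import re
from collections import Counter

# Constructed sample: four records, one of which affects two plugins, and one
# published in 2022 so the date filter has something to exclude.
SAMPLE_FEED = {
    "0001": {"published": "2023-02-10T00:00:00.000Z",
             "software": [{"type": "plugin", "slug": "alpha-forms"}]},
    "0002": {"published": "2023-03-01T00:00:00.000Z",
             "software": [{"type": "plugin", "slug": "alpha-forms"},
                          {"type": "plugin", "slug": "alpha-forms-pro"}]},
    "0003": {"published": "2023-05-16T00:00:00.000Z",
             "software": [{"type": "core", "slug": "wordpress"}]},
    "0004": {"published": "2022-12-20T00:00:00.000Z",
             "software": [{"type": "theme", "slug": "beta-theme"}]},
}


def in_window(record, date_regex):
    """Match the published timestamp against a regex of the kind the report's
    scripts took on the command line, e.g. '2023-0[1-6]' for January to June."""
    return re.match(date_regex, record.get("published", "")) is not None


def summarize(feed, date_regex):
    """Return the three totals the report distinguishes, each broken down by type,
    plus the number of vulnerability records published per month."""
    matching = [r for r in feed.values() if in_window(r, date_regex)]
    records_by_type = Counter()   # one count per affected software record
    slugs_by_type = {}            # distinct components per software type
    by_month = Counter()          # vulnerability records per YYYY-MM
    for record in matching:
        by_month[record["published"][:7]] += 1
        for sw in record["software"]:
            records_by_type[sw["type"]] += 1
            slugs_by_type.setdefault(sw["type"], set()).add(sw["slug"])
    return {
        "vulnerability_records": len(matching),
        "software_records": sum(records_by_type.values()),
        "software_records_by_type": dict(records_by_type),
        "unique_components": sum(len(s) for s in slugs_by_type.values()),
        "unique_components_by_type": {t: len(s) for t, s in slugs_by_type.items()},
        "records_by_month": dict(sorted(by_month.items())),
    }


if __name__ == "__main__":
    # Replace SAMPLE_FEED with the JSON object downloaded from the production
    # feed endpoint (see the API documentation) to reproduce the report's numbers.
    print(json.dumps(summarize(SAMPLE_FEED, r"2023-0[1-6]"), indent=2))
```

The software-record count exceeds the vulnerability-record count exactly when one record lists several components (the sample's second record), and the unique-component count drops again when the same slug appears in more than one record; that is the gap between the 2,471, 2,587 and 1,680 figures quoted in the report.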
Privileges Required to Exploit the Vulnerabilities Being Disclosed
We have found that authentication requirements for this year’s vulnerabilities were fairly evenly distributed. To provide some background, unauthenticated vulnerabilities require no authentication to exploit, low-level authentication vulnerabilities generally require subscriber or customer-level access to exploit, while medium-level authentication vulnerabilities generally require contributor or author-level access, and high-level authentication vulnerabilities generally require editor or administrator-level access to exploit. Initially it looks like unauthenticated vulnerabilities top the charts with 1,171[6] new entries, however, sometimes data needs to be broken down further to paint a clearer picture.
Total Vulnerabilities Grouped By Privileges Required to Exploit[6]
At first glance, this chart may look alarming, but once you break down the ‘Unauthenticated’ group, you can see that 837[7] of them are Cross-Site Request Forgery (CSRF) and Reflected Cross-Site Scripting (XSS) vulnerabilities that require user interaction in order to be exploited successfully: a logged-in victim has to be lured into following a crafted link or visiting an attacker-controlled page. These cannot easily be exploited en masse by threat actors, as each attack typically has to be tailored to its target, and the user interaction requirement makes them the vulnerability types least likely to be targeted in the wild. Most threat actors targeting WordPress sites look for easy-to-exploit, high-impact vulnerabilities that give them a lot of access, like Privilege Escalation, Remote Code Execution and Arbitrary File Upload, and for exploits with low-to-no authentication requirements that have reasonable success rates and can be easily automated.
Total Vulnerabilities Grouped By Privileges Required to Exploit Broken Down Further[7]
After analyzing the authentication requirements, we actually see a much more positive outlook, as well over 50% of the vulnerabilities disclosed this year are highly unlikely to be exploited by threat actors. This includes vulnerabilities with high-level authentication requirements as well as user interaction requirements.
In addition, it is worth mentioning that 71% or 292[12] of the vulnerabilities with medium authentication requirements are shortcode-based Cross-Site Scripting vulnerabilities that generally require access to the post editor in order to exploit, except in vulnerable versions of WordPress Core that made it possible for these XSS injectable shortcodes to be used in comments and other user generated content.
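One way to perform the further breakdown described above, as an added example rather than the report's own script [6]: parse each record's CVSS v3.1 vector, take the privilege bucket from its PR metric, and split out the unauthenticated findings whose UI metric is R (user interaction required) and whose CWE is XSS (79) or CSRF (352). That mapping is this example's own assumption; the report's scripts may group on other fields such as the title text. CVSS also only distinguishes none/low/high privileges, so the report's separate low and medium buckets cannot be told apart from the vector alone and are merged here. The records are constructed samples, not database entries.

```python
"""Split 'unauthenticated' findings by whether a victim has to be lured in.

Added example, not one of the report's scripts. It reads the PR and UI metrics of
each record's CVSS v3.1 vector and the CWE id; that mapping is this example's own
(the report's script under [6] may group on other fields), and CVSS only
distinguishes none/low/high privileges, so the report's low and medium buckets
collapse into one here. The records are constructed samples.
"""
from collections import Counter

PRIVILEGE_LABELS = {"N": "unauthenticated", "L": "low", "H": "high"}
INTERACTION_CWES = {79: "Cross-Site Scripting", 352: "Cross-Site Request Forgery"}

# Constructed sample records: reflected XSS, CSRF, arbitrary file upload,
# contributor-level shortcode XSS and an administrator-only directory traversal.
SAMPLE_RECORDS = [
    {"cwe": {"id": 79},  "cvss": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}},
    {"cwe": {"id": 352}, "cvss": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}},
    {"cwe": {"id": 434}, "cvss": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
    {"cwe": {"id": 79},  "cvss": {"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}},
    {"cwe": {"id": 22},  "cvss": {"vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}},
]


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/PR:N/...' -> {'AV': 'N', 'AC': 'L', 'PR': 'N', ...}.
    Rejects anything that is not a v3.x vector so a malformed record fails loudly
    instead of silently landing in the wrong bucket."""
    if not vector.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for item in vector.split("/")[1:]:
        key, sep, value = item.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[key] = value
    if "PR" not in metrics or "UI" not in metrics:
        raise ValueError(f"vector lacks PR/UI metrics: {vector!r}")
    return metrics


def classify(record):
    """Privilege bucket, with the unauthenticated XSS/CSRF cases split out."""
    m = parse_vector(record["cvss"]["vector"])
    privilege = PRIVILEGE_LABELS[m["PR"]]
    needs_victim = m["UI"] == "R" and record["cwe"]["id"] in INTERACTION_CWES
    if privilege == "unauthenticated" and needs_victim:
        # The attacker still needs a logged-in victim to follow a crafted link or
        # visit a hostile page, which is what keeps these out of mass exploitation.
        return "unauthenticated (user interaction required)"
    return privilege


def breakdown(records):
    """Counter of bucket label -> number of records."""
    return Counter(classify(r) for r in records)


def share_unlikely_mass_exploited(records):
    """Fraction the report treats as unlikely targets: needs a lured victim or
    high-level (editor/administrator) access."""
    counts = breakdown(records)
    unlikely = counts["unauthenticated (user interaction required)"] + counts["high"]
    return unlikely / len(records) if records else 0.0


if __name__ == "__main__":
    print(breakdown(SAMPLE_RECORDS))
    print(f"unlikely to be mass exploited: {share_unlikely_mass_exploited(SAMPLE_RECORDS):.0%}")
```

A practitioner reusing this on the real feed should let vectors that fail to parse raise, as parse_vector does, rather than defaulting them to a bucket; a silently mis-bucketed record is exactly the kind of error that makes a "60% unlikely to be exploited" headline untrustworthy.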
Most Common Vulnerability Types (by CWE) Disclosed
Cross-Site Scripting remained the most common type of vulnerability disclosed with 1,062[8] new entries. This is unsurprising as WordPress plugins and themes often take user input in various locations and it is easy for a developer to accidentally overlook adding proper sanitization and escaping on all inputs and outputs.
The second most common vulnerability type for the first half of 2023 was Cross-Site Request Forgery with 607[8] entries added to the Wordfence Intelligence vulnerability database. These vulnerabilities occur when proper nonce validation is not used to verify the source of a request. Much like Cross-Site Scripting, it’s easy for developers to overlook adding these types of checks, especially when a proper capability check is already in place.
Rounding off the top three are Missing Authorization vulnerabilities with 347[8] new entries of this type being disclosed in the first half of 2023. This type of vulnerability occurs when a function that should be restricted to specific users fails to add a proper capability check. Generally when a missing authorization vulnerability is present it is likely that the plugin is vulnerable to Cross-Site Request Forgery as well, so these discoveries may have contributed to the higher number of Cross-Site Request Forgery vulnerabilities disclosed.
Top 10 Vulnerability Types Disclosed January 2023 – June 2023[8]
Interested in exploring some of the vulnerabilities in these categories being disclosed? Check out the following Wordfence Intelligence search results for each vulnerability type in 2023:
- 2023 Cross-Site Scripting Vulnerabilities
- 2023 Cross-Site Request Forgery Vulnerabilities
- 2023 Missing Authorization Vulnerabilities
- 2023 SQL Injection Vulnerabilities
- 2023 Insecure Direct Object Vulnerabilities
- 2023 Deserialization Vulnerabilities
- 2023 Information Exposure Vulnerabilities
- 2023 Directory Traversal Vulnerabilities
- 2023 Arbitrary File Upload Vulnerabilities
- 2023 CSV Injection Vulnerabilities
CVSS Severity of Vulnerabilities Disclosed
Fortunately, only 84[9] of the vulnerabilities disclosed in the first half of 2023, about 3% of the total, were classified as critical based on CVSS score. This indicates that critical vulnerabilities in the repository may be less common than they were in previous years. The most common CVSS severity was Medium with 2,049 vulnerabilities[9], which is unsurprising as the vast majority of Cross-Site Scripting, Missing Authorization, and Cross-Site Request Forgery vulnerabilities disclosed are assigned this severity.
Vulnerability Counts Grouped By CVSS Severity[9]
Interested in exploring some of the vulnerabilities in these CVSS severity groups being disclosed? Check out the following Wordfence Intelligence search results for each CVSS rating in 2023:
Total Patched Vs. Unpatched Vulnerabilities Disclosed
Approximately 26%, or 678[10], of the vulnerabilities disclosed in the first half of 2023 are currently considered unpatched vulnerabilities. We expect this number to diminish over the next few months as developers work towards patching. Unfortunately, this is a relatively high number due to the fact that many WordPress projects in the repository have been abandoned and do not receive ongoing maintenance.
On the positive side of things, WordPress typically removes these plugins from the repository and makes them unavailable for download once a vulnerability has been reported, so that they can’t pose a threat to additional sites.
If you’re a WordPress site owner, make sure to have Wordfence installed on your site as it will notify you when a plugin installed on your site has been abandoned or removed from the WordPress repository. If you receive an alert that a plugin has been permanently removed or abandoned, we recommend finding an alternative solution before an unpatched vulnerability is discovered and exploited in the wild.
Please note this count is based on software records, and not based on individual vulnerability records, as a single vulnerability may have been patched in one software component but remain unpatched in another.
Patched Vs. Unpatched Vulnerabilities Disclosed[10]
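The per-software-record counting that the note above describes, as an added example (not the report's script [10]): the same vulnerability can be patched in one component and still open in another, so tallying per vulnerability record and per affected software record gives different answers. It assumes each entry in a record's software list carries a slug and a boolean patched flag (an assumption about the feed layout), and it runs on constructed sample records. The last function is the check a site owner actually wants from this data: which of the components installed on a site are still unpatched.

```python
"""Patched vs. unpatched, tallied per affected software record as in the report.

Added example, not the report's script [10]. Assumptions: each record's 'software'
list carries a 'slug' and a boolean 'patched' per affected component, and the
records below are constructed samples rather than real database entries.
"""
from collections import Counter

# Constructed sample: v2 is patched in the main plugin but not in its add-on, which
# is exactly the case that makes per-record and per-software counts differ.
SAMPLE_RECORDS = [
    {"id": "v1", "software": [{"slug": "plugin-a", "patched": True}]},
    {"id": "v2", "software": [{"slug": "plugin-b", "patched": True},
                              {"slug": "plugin-b-addon", "patched": False}]},
    {"id": "v3", "software": [{"slug": "abandoned-plugin", "patched": False}]},
]


def patch_status_by_software(records):
    """One tally per affected software record; a vulnerability that hits two
    components counts twice, once per component."""
    counts = Counter()
    for record in records:
        for sw in record["software"]:
            counts["patched" if sw["patched"] else "unpatched"] += 1
    return counts


def patch_status_by_vulnerability(records):
    """One tally per vulnerability record, keeping the mixed case visible."""
    counts = Counter()
    for record in records:
        flags = [sw["patched"] for sw in record["software"]]
        if all(flags):
            counts["patched"] += 1
        elif any(flags):
            counts["partially patched"] += 1
        else:
            counts["unpatched"] += 1
    return counts


def unpatched_share(records):
    """Unpatched fraction of software records, the figure the report quotes."""
    counts = patch_status_by_software(records)
    total = sum(counts.values())
    return counts["unpatched"] / total if total else 0.0


def exposed_components(records, installed_slugs):
    """Installed components that still have no fix: what a site owner should
    cross-check against the plugins and themes actually on the site."""
    unpatched = {sw["slug"] for r in records for sw in r["software"] if not sw["patched"]}
    return sorted(unpatched & set(installed_slugs))


if __name__ == "__main__":
    print(patch_status_by_software(SAMPLE_RECORDS))
    print(patch_status_by_vulnerability(SAMPLE_RECORDS))
    print(exposed_components(SAMPLE_RECORDS, ["plugin-a", "plugin-b-addon", "plugin-c"]))
```

On the sample, half of the software records are unpatched while only one of the three vulnerability records is fully unpatched; reporting only the second number would hide the add-on that is still exposed.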
Top Contributing Security Researchers Highlight
Our contributing security researchers deserve their own section, as far fewer vulnerabilities would be disclosed and patched without them. So far this year, we have had 228 contributing researchers, and the top three vulnerability researchers are Lana Codes, who recently joined the Wordfence team as a vulnerability researcher, with 438[11] reported discoveries, Marco Wotschka, another Wordfence vulnerability researcher, with 133[11] reported discoveries, and Rio Darmawan an independent security researcher, with 123[11] reported discoveries. Lana Codes was responsible for the vast majority of the shortcode-based vulnerabilities we saw at the start of the year and sparked a trend that inspired other researchers to investigate shortcode-based vulnerabilities.
We’d like to take a moment to say thank you to all of the researchers contributing to security in the WordPress space. It’s thanks to your dedication and hard work that more vulnerabilities are being found and remediated than ever! As a reminder to all researchers, you can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with a mention in our weekly vulnerability report.
Top Contributing Researchers January – June 2023[11]
Check out the above researcher profiles and take a look at what vulnerabilities they’ve found and what they’re finding today:
- Lana Codes – Wordfence Vulnerability Researcher
- Marco Wotschka – Wordfence Vulnerability Researcher
- Rio Darmawan
- yuyudhn
- Mika
- Rafie Muhammad
- Dave Jong
- Erwan LR
- Rafshanzani Suhada
- thiennv
Vulnerability and Attack Data Trends and Observations
General Vulnerability Attack Statistics
Over the first 6 months of 2023, the Wordfence firewall blocked and logged 20,077,945,042 potentially malicious requests and exploit attempts against more than four million sites under our protection. That total breaks down as follows:
- 7,336,932,787 of those requests were considered actual exploit attempts targeting vulnerabilities in plugins/themes.
- 11,104,965,286 of those requests were blocked for using known malicious user-agents and known vulnerability scanner user-agents.
- 1,634,173,019 were blocked for using a malicious IP address on our real-time IP blocklist.
- The remaining 1,873,950 requests were potentially malicious requests logged for further analysis by our Threat Intelligence Team.
- This equates to about 111,544,139 logged/blocked requests, or 40,760,738 blocked exploit attempts, per day (averaged over a 180-day period).
While these numbers are striking and do indicate a significant level of threat from attackers scouring the web for targets, it’s important to mention that a lot of these exploit attempts are bots blindly firing exploits across the web, hoping to compromise a small percentage of the sites they hit. With that said, it only takes one successful exploit to open the door for an attacker to do further harm, so with these bots constantly scanning for prime targets it’s incredibly important that site owners follow security best practices.
Enhanced Protection Added to the Wordfence Firewall
We added 72 new custom firewall rules to Wordfence since the beginning of the year, which you can find detailed below. As a reminder, Wordfence Premium, Care, and Response customers receive these firewall rules in real-time whereas free users receive these rules after a 30 day delay. Feel free to jump to the next section from here if you’re not interested in all the specific firewall rules we added to Wordfence. Please note, we’ve excluded three rules which still have redacted data while we work with the developer to ensure they get patched.
Most Popular Vulnerabilities Targeted by Threat Actors
The most popular vulnerabilities that were targeted in the first half of 2023 were a mix of newly disclosed vulnerabilities and some older vulnerabilities that we consistently see attackers targeting, despite the age of the vulnerability. There are a few interesting things of note in this data. The first is that 7 out of the 10 vulnerabilities primarily targeted are vulnerabilities that led to arbitrary file uploads, remote code execution, or privilege escalation, which shows that attackers are particularly interested in exploiting known vulnerabilities that can easily be exploited to gain shell access to a vulnerable server. Shell access is typically used by threat actors to maintain persistence and further infect any compromised victims. This highlights the most common vulnerabilities targeted by threat actors outside of those that have coverage via the Wordfence firewall’s built-in protection.
It is also unsurprising to see the WooCommerce Payments plugin authentication bypass vulnerability in the top 10 most exploited vulnerabilities so far this year, as we previously warned it would likely be a prime target for attackers and this played out in a widespread campaign in July of this year. We have also written PSAs in the past about many of the other vulnerabilities on the list.
Unique Vulnerabilities Most Targeted By Attackers
Check out any of the above vulnerabilities in Wordfence Intelligence to see the latest 24 hour period attack data.
- N-Media Post Front-end Form < 1.1 & – Arbitrary File Upload
- Tatsu <= 3.3.12 – Unauthenticated Remote Code Execution
- Kaswara Modern VC Addons <= 3.0.1 – Arbitrary File Upload
- Adning Advertising <= 1.5.5 – Arbitrary File Upload
- Advanced Access Manager <= 5.9.8.1 – Unauthenticated Arbitrary File Read
- WooCommerce Payments 4.8.0 – 5.6.1 Authentication Bypass and Privilege Escalation
- OptinMonster <= 2.6.4 – Unprotected REST-API Endpoints
- Rank Math SEO <= 1.0.40.2 – Privilege Escalation via Unprotected REST API Endpoint
- Business Hours Pro <= 5.5.0 – Arbitrary File Upload
- ListingPro – WordPress Directory & Listing Theme < 2.6.1 – Arbitrary Plugin Installation, Activation and Deactivation
General Vulnerability Trends and Observations by the Wordfence Threat Intelligence Team
At the start of the year, the most common vulnerability type we saw disclosed was shortcode-based Stored Cross-Site Scripting vulnerabilities, with a few additional variants of shortcode-based vulnerabilities like local file inclusion and sensitive information disclosure. As the year has progressed, we have seen fewer disclosures of this type and the gears are shifting back towards a steady flow of Cross-Site Scripting, Cross-Site Request Forgery, and Missing Authorization vulnerabilities, often with minimal impact or high-level authentication requirements to exploit.
The Wordfence Threat Intelligence team is making an effort to target our research efforts towards vulnerabilities that are less frequently focused on by security researchers due to their often complex nature. Focusing on vulnerabilities like privilege escalation, authorization bypasses, and arbitrary file uploads can have significantly more positive impact if we find these types of vulnerabilities before threat actors do, as they are the types of vulnerabilities most likely to be exploited en masse and targeted by threat actors, which is why our team emphasizes spending time on these.
This year, we have already had one known 0-day vulnerability, which is a vulnerability that has been found and exploited by malicious threat actors before the developer has a chance to patch, in the Ultimate Member plugin, which led to unauthenticated privilege escalation. This led to a spike in infections across WordPress sites, as 0-day vulnerabilities are often difficult to protect against, and in this instance the exploit was very clever and could bypass many previously known protection mechanisms. The Wordfence Threat Intelligence Team released a firewall rule within a few hours on the same day we became aware of the vulnerability. Wordfence Premium, Care, and Response users received this rule in real-time, while Wordfence free users received the rule after a 30 day delay. It’s important to highlight that sophisticated attackers will always look for ways to create clever exploits and circumvent protection, which is why it’s important to implement a defense-in-depth strategy with protection and detection at multiple layers of an application.
While not a 0-day vulnerability, we also saw extensive infections with the Essential Addons for Elementor plugin vulnerability that allowed arbitrary password resets for any user including administrators. Fortunately, sites running the premium version of the Wordfence firewall would have had protection within 3 hours of the vulnerability being disclosed thanks to the active change-log monitoring we conduct to stay on top of the latest patched vulnerabilities. Unfortunately, sites that didn’t have Wordfence Premium installed, or didn’t actively maintain their WordPress plugin updates, may have been susceptible to attacks. This is a prime example of why we strongly recommend running a trusted WordPress-specific web application firewall like Wordfence, in addition to ensuring your plugins are kept up to date. The Wordfence firewall, or a simple plugin update, would’ve provided protection prior to the vulnerability being targeted en masse, which occurred almost immediately after it was disclosed on May 11th, 2023.
Based on our attack data we can see that attackers generally look for privilege escalation, remote code execution, and authentication bypass vulnerabilities that often vary in nature and make it more challenging for generic firewall coverage to provide adequate protection with minimal false positives. Implementing a web application firewall and vulnerability notifications are not enough on their own to provide adequate security coverage. That is why we recommend site owners employ additional layers of security such as 2-Factor Authentication, security monitoring and notifications, active maintenance like pruning unnecessary or unmaintained software, as well as any required industry-specific mitigations. Fortunately, the Wordfence Security Plugin solves many of these problems in a single solution, but it’s up to each site owner to ensure they are following all security best practices such as using a strong password, maintaining separate hosting accounts for each site to prevent cross-contamination, and optimally configuring the settings of Wordfence.
Conclusion
In today’s post, we outlined some statistics on WordPress vulnerabilities, and we hope our report paints a clear picture of where the WordPress vulnerability landscape is today. While more vulnerabilities are being disclosed and patched than ever, few of them will ever be actively exploited or targeted by the average WordPress Threat Actor. Regardless, it’s important to ensure site owners run a vulnerability scanner like Wordfence to alert when a site has a vulnerable plugin or theme installed so the administrator can take the appropriate action immediately, along with following security best practices like actively maintaining and updating plugins and themes so vulnerabilities aren’t left on any site.
We expect that the growth in vulnerability discovery and disclosure will continue as more and more researchers get into the space. We believe, however, that it’s time to shift our thinking away from mass vulnerability discoveries to finding more impactful vulnerabilities like arbitrary file uploads, privilege escalations, and remote code executions that help make the greater ecosystem more secure when discovered and patched before malicious threat actors find them. These types of vulnerabilities are often the prime target of Threat Actors which is why we need our community of ethical hackers to work towards discovering these and getting them patched before the threat actors start exploiting them.
If you’d like to stay on top of the latest vulnerabilities being added to the Wordfence Intelligence Vulnerability Database, make sure to sign up for our security newsletter which runs a report on all of the vulnerabilities disclosed each week every Thursday, sends alerts for recently disclosed critical vulnerabilities, and dives into vulnerabilities our team discovers!
ChatGPT Conversations and Script Output
The following section contains links to all of the conversations with ChatGPT that led to the creation of the Python scripts used to aggregate the data. This was done using the GPT-4 model in ChatGPT together with the beta link reader plugin, which let it read the Wordfence Intelligence API documentation.
[1] This is a prompt asking ChatGPT to write a script to count the total vulnerability records for a supplied date regex, both in terms of individual vulnerability records and the number of software components within each record.
https://chat.openai.com/share/e94a00ba-ec58-402b-b251-be66fce79bc2
Command used: python totalcounts.py --date_regex "2023-0[1-6]"
[2] This is a prompt asking ChatGPT to write a script to count the total vulnerability records for a supplied date regex, grouped by software type.
https://chat.openai.com/share/b593b453-a49b-4b71-a223-ccb5acac3fc2
Command used: python cntbytype.py --date_regex "2023-0[1-6]"
[3] This is a prompt asking ChatGPT to write a script to count the total number of software affected across the vulnerability records for a supplied date regex.
https://chat.openai.com/share/908db8ca-53b5-43de-b420-a2e3155512a0
Command used: python uniquesoftware.py "2023-0[1-6]"
[4] This is a prompt asking ChatGPT to write a script to count the total number of software affected across the vulnerability records, grouped by software type, for a supplied date regex.
https://chat.openai.com/share/a8ce4d88-a80a-4bca-963a-d4dc1f2fdd2b
Command used: python uniquecntbytype.py "2023-0[1-6]"
[5] This is a prompt asking ChatGPT to write a script to count the total number of vulnerability records added per month, for a supplied date range.
https://chat.openai.com/share/e681ff23-f0ac-4504-a9a3-b2d5e29abbc9
Command used: python vulnbymonth.py --start_date 2023-01-01 --end_date 2023-06-30
[6] This is a prompt asking ChatGPT to write a script to count the total number of vulnerability records grouped by authentication requirements to exploit, for a supplied date range.
https://chat.openai.com/share/f2b9e1ba-ed13-43f5-ae73-e84d1b9d290f
Command used: python vulnbyauth.py --date "2023-0[1-6]"
[7] This is a prompt asking ChatGPT to write a script to count the total number of vulnerability records that are either Reflected Cross-Site Scripting or Cross-Site Request Forgery, for a supplied date range.
https://chat.openai.com/share/11d5511b-1d99-4843-babb-13b16264f523
Command used: python xsscsrfcnt.py "2023-0[1-6]"
[8] This is a prompt asking ChatGPT to write a script to count the total number of vulnerability records grouped by CWE, for a supplied date range.
https://chat.openai.com/share/090a985c-4306-499a-b801-7b7cfcf2e337
Command used: python cntbycwe.py "2023-0[1-6]"
[9] This is a prompt asking ChatGPT to write a script to count the total number of vulnerability records grouped by CVSS Score, for a supplied date range.
https://chat.openai.com/share/f0a20c0b-00c9-40ca-aa4a-57cfe8ba406a
Command used: python cntbycvss.py --date_regex="2023-0[1-6]"
[10] This is a prompt asking ChatGPT to write a script to count the total number of affected software that was patched vs. unpatched, for a supplied date range.
https://chat.openai.com/share/b77b446c-dacc-45a2-a073-b879b9792cdf
Command used: python patchvno.py "2023-0[1-6]"
[11] This is a prompt asking ChatGPT to write a script to count the total number of vulnerabilities by researcher, from highest count to lowest, for a supplied date range.
https://chat.openai.com/share/97080bca-10a4-4826-b0ad-985c794bb4a9
Command used: python cntbyresearcher.py --date_regex "2023-0[1-6]"
[12] This is a prompt asking ChatGPT to write a script to count the total number of vulnerabilities matching “shortcode” in the title or description, with a medium-level privilege requirement inferred from “contributor” or “editor” appearing in the title or description, and to count them by CWE, all within the provided date regex.
https://chat.openai.com/share/74b03fd5-5b3e-4b88-9a12-9a3f7923ab34
Command used: python shortcode.py --date_regex="2023-0[1-6]"
[BONUS] This is a prompt asking ChatGPT to write a script to return the data or counts for vulnerabilities that match a regex in a supplied field for a given date range.
https://chat.openai.com/share/fc725ea8-56a4-4fe0-8220-5fc1f6971045
Example Command: python search.py --field=all --regex="shortcode" --date_regex="2023-0[1-6]"