Common Web Vulnerabilities Plague Top WordPress Plug-Ins
by Michael Mimoso, Threatpost
June 20, 2013

Since late March, no fewer than a half-dozen high profile attacks have involved a compromised website built on the WordPress platform...

Checkmarx, an application security company, recently finished a second round of code scans against the top 50 most downloaded WordPress plug-ins and the top 10 ecommerce plug-ins and found a spate of common Web security issues in close to 20 percent of them. A paper on the research said that the vulnerable plug-ins have been downloaded eight million times, putting sites at risk of SQL injection, cross-site scripting, cross-site request forgery and path traversal attacks.
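To make the four defect classes concrete, here is an added example, not code from Checkmarx's paper or from any of the plug-ins it scanned: a hypothetical WordPress admin page handler written twice, first with an injectable query, an unchecked file path, a nonce-less state change and an unescaped echo, then hardened with the platform's own APIs. The table name, function names, capability and nonce action are assumptions chosen for illustration; the code assumes it runs inside WordPress, where `$wpdb`, `esc_html()`, `check_admin_referer()` and friends are available.

```php
<?php
/*
 * Constructed example (not from the Checkmarx paper or any named plug-in).
 * Assumes it is loaded as a plug-in inside WordPress; the table
 * {$wpdb->prefix}vuln_items and the nonce action name are made up.
 */

// ---- Vulnerable version: request data flows straight into sinks ----
function vuln_example_handler() {
    global $wpdb;

    // SQL injection: id is interpolated into the query without escaping or casting.
    $id  = $_GET['id'];
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}vuln_items WHERE id = $id" );

    // Path traversal: file=../../wp-config.php escapes the plug-in's data directory.
    $file = plugin_dir_path( __FILE__ ) . 'data/' . $_GET['file'];
    $body = file_get_contents( $file );

    // CSRF: a state change with no nonce and no capability check; any logged-in
    // admin who loads an attacker's page can be made to submit this form.
    if ( isset( $_POST['delete'] ) ) {
        $wpdb->query( "DELETE FROM {$wpdb->prefix}vuln_items WHERE id = $id" );
    }

    // Reflected XSS: attacker-controlled values echoed unescaped into HTML.
    echo '<h2>Item ' . $_GET['name'] . '</h2>';
    echo '<pre>' . $body . '</pre>';
}

// ---- Hardened version: same feature, each sink guarded ----
function hardened_example_handler() {
    global $wpdb;

    // Authorization first: only users with the capability reach this page at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // SQLi: cast to a non-negative int and bind through prepare(); %d never
    // accepts a string payload such as "1 OR 1=1".
    $id  = absint( $_GET['id'] ?? 0 );
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}vuln_items WHERE id = %d", $id )
    );

    // Path traversal: drop any directory component, then confirm the resolved
    // path is still inside the data directory. realpath() collapses "../" and
    // symlinks and returns false for a non-existent file, which is rejected too.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'data' );
    $name = basename( sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) ) );
    $path = ( false === $base ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file.' );
    }
    $body = file_get_contents( $path );

    // CSRF: the delete request must carry a nonce bound to this action, this
    // record and the current user; check_admin_referer() dies if it is missing or stale.
    if ( isset( $_POST['delete'] ) ) {
        check_admin_referer( 'hardened_example_delete_' . $id );
        $wpdb->query(
            $wpdb->prepare( "DELETE FROM {$wpdb->prefix}vuln_items WHERE id = %d", $id )
        );
    }

    // XSS: escape for the context the data lands in (HTML body here).
    $label = sanitize_text_field( wp_unslash( $_GET['name'] ?? '' ) );
    echo '<h2>Item ' . esc_html( $label ) . '</h2>';
    echo '<pre>' . esc_html( $body ) . '</pre>';

    // The form that triggers the delete emits the nonce the check above expects.
    echo '<form method="post">';
    wp_nonce_field( 'hardened_example_delete_' . $id );
    echo '<button name="delete" value="1">Delete</button></form>';
}
```

The hardened handler keeps the order a reviewer looks for: a capability check before anything else, parameterization at the database boundary, a canonical-path prefix check rather than a blacklist of `../`, a nonce on every state-changing request, and output escaping chosen for the HTML context at the point of output rather than on input.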

The vulnerabilities were found in popular, but unnamed, shopping cart plug-ins, feed aggregators, mobile APIs and tools to link sites to social networks such as Facebook...

In the first scan, conducted in January, 18 of the top 50 plug-ins were vulnerable to one or more of the aforementioned attacks, accounting for almost 19 million downloads. As for the ecommerce plug-ins, seven of the top 10 were vulnerable to common Web attacks, the paper said. By the second scan, conducted this month, only six of the vulnerable plug-ins had been fixed, even though all of them had received updates in the interim. The six, Checkmarx said, were BuddyPress, BBPress, E-Commerce, Woo Commerce, W3 Total Cache and Super Cache.