According to a recent study, seven out of 10 of the most popular ecommerce plugins for WordPress are vulnerable to common application flaws such as SQL injection, cross-site scripting and path traversal. The problem isn’t unique to WordPress either, experts noted. Given the risks pervasive in downloads from many emerging plugin marketplaces and app stores, implementing stronger software security is a must both for developers hoping to encourage adoption of their app and for companies incorporating third-party tools.
A recent Network World article analyzed the study of WordPress vulnerabilities, which also found that 20 percent of the top 50 plugins were susceptible to common web attacks. Given that WordPress powers around 18 percent of all sites on the web, the risk to end users is significant. And while WordPress plugin vulnerabilities were the subject of the study, plugins for other CMSes are probably exposed too, as developers of such tools are in most cases under no obligation to adhere to any coding standards or requirements. This shortfall creates an opening for relatively unsophisticated attacks, Network World’s Alan Shimel noted.
“To be clear, we are talking about vulnerabilities that use the most basic type of hacks,” he wrote. “Common SQL injection and Cross-site Scripting type of attacks, for instance. You don’t have to be an evil genius to come up with these kinds of attacks.”
Addressing the problem
While many of the plugin developers exposed in the WordPress study quickly responded with patches, some experts believe that the majority of sites using the vulnerable plugins will still be exposed to hackers. The problem for many users of such tools is that they tend to be small businesses or mom-and-pop ecommerce sites with limited security knowledge, TechRepublic contributor Dominic Vogel wrote. He cited, in particular, the lack of accountability for plugin developers and encouraged small business owners to be vocal about demanding better security practices from the makers of the tools they use.
“Developers need to abide by security coding best practices and focus on making useful and secure plugins,” Vogel suggested. “Write a posting in the WordPress support forums stating that you want better enforcement and security code checking on all third-party plugins and extensions.”
Shimel pointed out that many users assume that any application approved for an app store or plugin marketplace is safe simply because it was approved for download. However, many such stores do not check for security at all, and where developers lack secure development practices, problems simply surface later. Developers can help to build confidence in these marketplaces by using tools such as source code analysis software to shore up security before release.
“Right now, we are in sort of a Wild West era for marketplaces,” Shimel wrote. “Hopefully in the near future security requirements will be put in place for all plugins, apps and programs that we use from a marketplace. Until then, you would be wise to remember that just because it is available, that doesn’t mean it is secure.”
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.