Demystifying the WordPress Vulnerability Landscape: 2023 Mid-Year Wordfence Intelligence WordPress Vulnerability Review Leveraging ChatGPT
In the first 6 months of 2023, our team has already added 2,471 individual vulnerability records to the Wordfence Intelligence WordPress Vulnerability Database. These vulnerabilities affected 1,680 WordPress software components. This means we have already surpassed the total number of vulnerabilities disclosed last year (2022), which was 2,395 based on unique vulnerability records.
The Wordfence Threat Intelligence team actively monitors various vulnerability sources and conducts research of our own to make sure we have the most accurate and up-to-date information populating the Wordfence Intelligence Vulnerability Database. This information is then utilized in the Wordfence plugin as part of our vulnerability scanner, and is completely free to access and utilize as desired via our Wordfence Intelligence Vulnerability Data API and our Webhook Integration option which is coming very soon!
With this in mind, we have decided to compile a report on some statistics that paint a clearer picture of where the WordPress vulnerability landscape is so far this year. We have noticed some interesting trends, like a high volume of shortcode-based vulnerabilities that were patched and disclosed at the start of this year, all of which were escalated in severity by a vulnerability in WordPress core that was patched on May 16, 2023. While more vulnerabilities are being disclosed than ever, the authentication and user interaction requirements for many of these vulnerabilities mean they are unlikely to see active exploitation en masse, which should be a relief for most WordPress site owners. Luckily we have only seen one 0-day vulnerability this year, but several critical vulnerabilities were patched this year that became prime targets for attackers.
No other WordPress vulnerability database on the market provides completely free access to an API that returns best-in-class WordPress vulnerability information. Wordfence Intelligence offers detailed and complete information such as affected version ranges, patched versions, concise and detailed descriptions that describe literal impact, CVSS score, and much more. All of it is maintained by a small army of industry-leading and highly credentialed security researchers. Not only does this make vulnerability detection free, easy, and efficient for any enterprise, it also makes it incredibly simple and fast to query our large dataset and unearth useful statistics about vulnerabilities in the WordPress ecosystem.
To make things fun, and completely transparent for the community, we have generated all the statistics in this report utilizing scripts written by ChatGPT that aggregated and parsed the data returned from the Wordfence Intelligence API. You can find all the scripts and the logic used to create them via ChatGPT at the end of this post, or you may click on a number next to a statistic in this report that will take you to the ChatGPT conversation which contains a Python script you can download. We encourage you to run these scripts, create your own scripts with ChatGPT, take a look at the Wordfence Intelligence Database, and share any new insights from our data you uncover!
Please note that due to the nature of the vulnerability database and our active maintenance of current and past data, running any of the scripts shared in this post may result in slightly different numbers, as the data may have changed since we compiled the information for this report.
Table of Contents
Note: All of the data in this report is compiled for January 2023 to June 2023.
- Jump to: General Overview of Vulnerabilities in WordPress Core, Plugins and Themes
- Jump to: Total Number of Vulnerabilities Added Broken Down By Month
- Jump to: Privileges Required to Exploit the Vulnerabilities Disclosed
- Jump to: Most Common Vulnerability Types (by CWE) Disclosed
- Jump to: CVSS Severity of Vulnerabilities Disclosed
- Jump to: Total Patched Vs. Unpatched Vulnerabilities Disclosed
- Jump to: Top Contributing Security Researchers Highlight
- Jump to: Vulnerability and Attack Data Trends and Observations
- Jump to: General Vulnerability Attack Statistics
- Jump to: Enhanced Protection Added to the Wordfence Firewall
- Jump to: Most Popular Vulnerabilities Targeted by Threat Actors
- Jump to: General Vulnerability Trends and Observations by the Wordfence Threat Intelligence Team
- Jump to: Conclusion
- Jump to: ChatGPT Conversations and Script Output
General Overview of Vulnerabilities in WordPress Core, Plugins and Themes
When taking a look at all the data, some things remain the same as last year. WordPress plugins are still the #1 source of vulnerabilities in the WordPress ecosystem. Generally, when we refer to the total number of vulnerabilities in our database, we simply count the total number of vulnerability records; however, several of those records cover multiple affected software components.
We added 2,471 vulnerabilities this year, but if we count by individual software records affected by each vulnerability, the total comes to 2,587 new vulnerabilities in the database. Of those 2,587 entries, 2,497 were in WordPress plugins while only 84 were in WordPress themes, and only 6 of them were in WordPress core. A total of 1,680 unique software components were affected by at least one vulnerability in the first half of 2023.
Total Vulnerability Records Added By Software Type
Total Number of Unique Software Components Affected by Type
Total Number of Vulnerabilities Added Broken Down By Month
When we break down new vulnerability entries by month, we see a fairly steady volume of new vulnerabilities disclosed each month. February had the highest number of vulnerabilities disclosed at 457 and June had the lowest at 317. WordCamp Europe occurred in June of 2023, and the many plugin developers and researchers in attendance may have contributed to the minor dip in vulnerabilities disclosed during that month.
Total Count of Vulnerability Records Added Per Month
Privileges Required to Exploit the Vulnerabilities Being Disclosed
We have found that authentication requirements for this year’s vulnerabilities were fairly evenly distributed. To provide some background, unauthenticated vulnerabilities require no authentication to exploit, low-level authentication vulnerabilities generally require subscriber or customer-level access to exploit, while medium-level authentication vulnerabilities generally require contributor or author-level access, and high-level authentication vulnerabilities generally require editor or administrator-level access to exploit. Initially it looks like unauthenticated vulnerabilities top the charts with 1,171 new entries, however, sometimes data needs to be broken down further to paint a clearer picture.
Total Vulnerabilities Grouped By Privileges Required to Exploit
At first glance, this chart may look alarming, but once you break down the ‘Unauthenticated’ group, you can see that 837 of them are Cross-Site Request Forgery (CSRF) and Reflected Cross-Site Scripting (XSS) vulnerabilities that require user interaction in order to successfully exploit. These cannot be easily exploited en masse by threat actors, as they typically need to be tailored to each target. They’re also the vulnerability types least likely to be targeted in the wild due to the user interaction requirements. Most threat actors targeting WordPress sites look for easy-to-exploit, high-impact vulnerabilities offering them a lot of access, like Privilege Escalation, Remote Code Execution and Arbitrary File Upload, and exploits requiring low-to-no authentication that have reasonable success rates and can be easily automated.
Total Vulnerabilities Grouped By Privileges Required to Exploit Broken Down Further
After analyzing the authentication requirements, we actually see a much more positive outlook, as well over 50% of the vulnerabilities disclosed this year are highly unlikely to be exploited by threat actors. This includes vulnerabilities with high-level authentication requirements as well as user interaction requirements.
In addition, it is worth mentioning that 71%, or 292, of the vulnerabilities with medium authentication requirements are shortcode-based Cross-Site Scripting vulnerabilities that generally require access to the post editor to exploit, except in vulnerable versions of WordPress Core that made it possible for these XSS-injectable shortcodes to be used in comments and other user-generated content.
Most Common Vulnerability Types (by CWE) Disclosed
Cross-Site Scripting remained the most common type of vulnerability disclosed with 1,062 new entries. This is unsurprising as WordPress plugins and themes often take user input in various locations and it is easy for a developer to accidentally overlook adding proper sanitization and escaping on all inputs and outputs.
The second most common vulnerability type for the first half of 2023 was Cross-Site Request Forgery with 607 entries added to the Wordfence Intelligence vulnerability database. These vulnerabilities occur when proper nonce validation is not used to verify the source of a request. Much like Cross-Site Scripting, it’s easy for developers to overlook adding these types of checks, especially when a proper capability check is already in place.
Rounding off the top three are Missing Authorization vulnerabilities with 347 new entries of this type being disclosed in the first half of 2023. This type of vulnerability occurs when a function that should be restricted to specific users fails to add a proper capability check. Generally when a missing authorization vulnerability is present it is likely that the plugin is vulnerable to Cross-Site Request Forgery as well, so these discoveries may have contributed to the higher number of Cross-Site Request Forgery vulnerabilities disclosed.
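The following is an added illustration, not code from the report or from any real plugin: a hypothetical settings handler written the two ways described above. The first version has a capability check but no nonce validation (the CSRF pattern); without its `current_user_can()` line it would also be a Missing Authorization issue. The hardened version performs both checks. All hooks and helpers used are WordPress core APIs; the `demo_*` names and the `demo_setting` option are invented for the example.

```php
<?php
// Vulnerable pattern: capability check present, nonce check absent (CSRF).
// Any request carrying a logged-in administrator's cookies passes the
// capability check, so the request origin is never verified. Shown for
// contrast only; it is deliberately not registered as an AJAX action.
function demo_save_setting_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['demo_setting'] ?? '' ) );
    update_option( 'demo_setting', $value );
    wp_send_json_success();
}

// Hardened pattern: verify the request origin (nonce) AND the caller's
// capability. Neither check substitutes for the other: the nonce proves the
// request came from a form WordPress rendered for this user; the capability
// check proves this user is allowed to perform the action.
function demo_save_setting_hardened() {
    // Third argument false: return instead of dying, so we can answer with JSON.
    if ( ! check_ajax_referer( 'demo_save_setting', '_wpnonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['demo_setting'] ?? '' ) );
    update_option( 'demo_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}

// Register only the hardened handler, and only for logged-in users
// (wp_ajax_, not wp_ajax_nopriv_), so it is never reachable anonymously.
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_hardened' );

// The form that submits to the handler must carry the matching nonce.
function demo_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    wp_nonce_field( 'demo_save_setting' ); // emits hidden _wpnonce and _wp_http_referer
    echo '<input type="hidden" name="action" value="demo_save_setting">';
    echo '<input type="text" name="demo_setting" value="'
        . esc_attr( get_option( 'demo_setting', '' ) ) . '">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

When reviewing a plugin, look for every `wp_ajax_*`, `admin_post_*`, and REST callback that writes state and confirm it has both a nonce (or REST permission callback) and a capability check; a capability check alone leaves the CSRF pattern in place.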
Top 10 Vulnerability Types Disclosed January 2023 – July 2023
Interested in exploring some of the vulnerabilities in these categories being disclosed? Check out the following Wordfence Intelligence search results for each vulnerability type in 2023:
- 2023 Cross-Site Scripting Vulnerabilities
- 2023 Cross-Site Request Forgery Vulnerabilities
- 2023 Missing Authorization Vulnerabilities
- 2023 SQL Injection Vulnerabilities
- 2023 Insecure Direct Object Vulnerabilities
- 2023 Deserialization Vulnerabilities
- 2023 Information Exposure Vulnerabilities
- 2023 Directory Traversal Vulnerabilities
- 2023 Arbitrary File Upload Vulnerabilities
- 2023 CSV Injection Vulnerabilities
CVSS Severity of Vulnerabilities Disclosed
Fortunately, only 84 of the vulnerabilities disclosed in the first half of 2023, about 3% of the total, were classified as critical based on CVSS score. This indicates that critical vulnerabilities in the repository may be less common than they were in previous years. The most common CVSS severity was Medium with 2,049 vulnerabilities, which is unsurprising as the vast majority of Cross-Site Scripting, Missing Authorization, and Cross-Site Request Forgery vulnerabilities disclosed are assigned this severity.
Vulnerability Counts Grouped By CVSS Severity
Interested in exploring some of the vulnerabilities in these CVSS severity groups being disclosed? Check out the following Wordfence Intelligence search results for each CVSS rating in 2023:
- 2023 Low Severity Vulnerabilities
- 2023 Medium Severity Vulnerabilities
- 2023 High Severity Vulnerabilities
- 2023 Critical Severity Vulnerabilities
Total Patched Vs. Unpatched Vulnerabilities Disclosed
Approximately 26%, or 678, of the vulnerabilities disclosed in the first half of 2023 are currently considered unpatched vulnerabilities. We expect this number to diminish over the next few months as developers work towards patching. Unfortunately, this number is relatively high because many WordPress projects in the repository have been abandoned and do not receive ongoing maintenance.
On the positive side of things, WordPress typically removes these plugins from the repository and makes them unavailable for download once a vulnerability has been reported, so that they can’t pose a threat to additional sites.
If you’re a WordPress site owner, make sure to have Wordfence installed on your site as it will notify you when a plugin installed on your site has been abandoned or removed from the WordPress repository. If you receive an alert that a plugin has been permanently removed or abandoned, we recommend finding an alternative solution before an unpatched vulnerability is discovered and exploited in the wild.
Please note this count is based on software records, and not based on individual vulnerability records, as a single vulnerability may have been patched in one software component but remain unpatched in another.
Patched Vs. Unpatched Vulnerabilities Disclosed
Top Contributing Security Researchers Highlight
Our contributing security researchers deserve their own section, as far fewer vulnerabilities would be disclosed and patched without them. So far this year, we have had 228 contributing researchers, and the top three vulnerability researchers are Lana Codes, who recently joined the Wordfence team as a vulnerability researcher, with 438 reported discoveries; Marco Wotschka, another Wordfence vulnerability researcher, with 133 reported discoveries; and Rio Darmawan, an independent security researcher, with 123 reported discoveries. Lana Codes was responsible for the vast majority of the shortcode-based vulnerabilities we saw at the start of the year and sparked a trend that inspired other researchers to investigate shortcode-based vulnerabilities.
We’d like to take a moment to say thank you to all of the researchers contributing to security in the WordPress space. It’s thanks to your dedication and hard work that more vulnerabilities are being found and remediated than ever! As a reminder to all researchers, you can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with a mention in our weekly vulnerability report.
Top Contributing Researchers January – June 2023
Check out the above researcher profiles and take a look at what vulnerabilities they’ve found and what they’re finding today:
- Lana Codes – Wordfence Vulnerability Researcher
- Marco Wotschka – Wordfence Vulnerability Researcher
- Rio Darmawan
- Rafie Muhammad
- Dave Jong
- Erwan LR
- Rafshanzani Suhada
Vulnerability and Attack Data Trends and Observations
General Vulnerability Attack Statistics
Over the first 6 months of 2023, the Wordfence firewall blocked and logged over 20,077,945,042 potentially malicious requests and exploit attempts against more than four million sites under our protection.
- 7,336,932,787 of those requests were considered actual exploit attempts targeting vulnerabilities in plugins/themes.
- 11,104,965,286 of those requests were blocked for using known malicious user-agents and known vulnerability scanner user-agents.
- 1,634,173,019 were blocked for using a malicious IP address on our real-time IP blocklist.
- The remaining 1,873,950 requests were potentially malicious requests logged for further analysis by our Threat Intelligence Team.
- This equates to about 111,544,139 logged/blocked requests or 40,760,738 blocked exploit attempts per day.
While these numbers are incredible and do indicate a significant level of threat from attackers scouring the web for targets, it’s important to mention that a lot of these exploit attempts are bots blindly firing exploits across the web, hoping to compromise a low percentage of sites. With that said, it only takes one successful exploit to open the door for an attacker to do further harm, so it’s incredibly important that site owners employ security best practices while these bots scour the web for prime targets.
Enhanced Protection Added to the Wordfence Firewall
We added 72 new custom firewall rules to Wordfence since the beginning of the year, which you can find detailed below. As a reminder, Wordfence Premium, Care, and Response customers receive these firewall rules in real time, whereas free users receive these rules after a 30-day delay. Feel free to jump to the next section from here if you’re not interested in all the specific firewall rules we added to Wordfence. Please note, we’ve excluded three rules which still have redacted data while we work with the developer to ensure they get patched.