The security firm Cyllective identified around 5,000 plugins on WordPress.org that contained security vulnerabilities such as SQL injection. Its penetration testing team lead, Dave Miller, said what started as a random experiment turned into a treasure trove for hackers. Once they began, the team was quickly surprised at how relaxed security was on the WordPress.org repository, which allowed old and exploitable plugins to remain listed and installable.

If that wasn’t bad enough, Dave’s team also came across remote code execution (RCE) vulnerabilities. An RCE is a flaw that lets an attacker run code of their choosing on the server, which usually means gaining administrative or super-user privileges and taking over the website, or the entire information system, outright.

Dave’s team, however, focused on the SQL injections: a flaw in which attacker-supplied input ends up appended to a database query because the code never escapes or parameterizes the values it reads from $_POST, the PHP array holding whatever a visitor submits to a website. After just 3 months of research, Dave’s team found a staggering 35 plugins that had already been exploited by unauthorized users or hackers. While 35 sounds like a low number, those 35 plugins were in operation and were exploited on over 60,500 WordPress websites.
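As an added illustration (not code from Cyllective’s report or from any plugin the article names), here is a minimal WordPress AJAX handler that drops a $_POST value straight into a query, beside a hardened form that uses $wpdb->prepare(), a nonce and a capability check. The table name, hook names and capability are assumptions for the example.

```php
<?php
// Added example, not from Cyllective's research or any named plugin.
// Assumes a hypothetical table {$wpdb->prefix}example_items with an `item_name` column.

// VULNERABLE: reachable without logging in (wp_ajax_nopriv_) and the raw $_POST
// value is concatenated into the SQL string, so the visitor controls the query.
function example_search_vulnerable() {
    global $wpdb;
    $name = $_POST['name'];
    $rows = $wpdb->get_results(
        "SELECT id, item_name FROM {$wpdb->prefix}example_items WHERE item_name = '$name'"
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_nopriv_example_search', 'example_search_vulnerable' );
add_action( 'wp_ajax_example_search', 'example_search_vulnerable' );

// HARDENED: logged-in users with a capability only, a nonce check against CSRF,
// input sanitization, and $wpdb->prepare() so the value is bound as data, not SQL.
function example_search_hardened() {
    global $wpdb;

    check_ajax_referer( 'example_search_nonce', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'edit_posts' ) ) {            // assumed capability for this action
        wp_send_json_error( 'forbidden', 403 );
    }

    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing name', 400 );
    }

    // %s placeholder: prepare() escapes and quotes the value, so a quote or SQL
    // keyword inside the input is matched literally rather than altering the query.
    $sql = $wpdb->prepare(
        "SELECT id, item_name FROM {$wpdb->prefix}example_items WHERE item_name = %s",
        $name
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
// Registered for logged-in users only; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_search_safe', 'example_search_hardened' );
```

The same pattern, a capability check plus a nonce before any state change, is also what blocks the unauthenticated options-update flaw described further down.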

“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these were not the most devastating ones,” Dave said.

“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”

Dave explained that this would allow an attacker to create their own administrator account and entirely take over the WordPress website. He added that he hopes this research advances the ability to identify security flaws quickly in the future and to minimize website intrusions.

After dealing these WordPress plugins and WordPress.org a pretty heavy blow, Dave did applaud the WordPress team for how well the disclosure process went, allowing his team to reach out and get updates to the vulnerable websites that desperately needed them.