With the advent of software like WordPress, building a website has become relatively easy. Owing to this, WordPress has become a major heavy hitter on the Internet, with over 40% of websites to date built on it. Naturally this has helped many business owners reach a wider audience, which in turn boosts their sales.
To make a customer's experience on their website satisfactory, website owners often install third-party plugins and themes, for anything from SEO and contact forms to e-commerce and caching. However, with such a large number of plugins available, some of them inevitably contain security vulnerabilities. Attackers are always on the lookout for such chinks in your website in order to breach it and gain access to it.
This can hamper the daily activities of a business and deal a major blow to its sales. There have been quite a number of such attacks in the past year, and today we will list the top 10 WordPress plugins whose vulnerabilities caused a massive impact.
WooCommerce:
With over 40% of WordPress websites using this plugin and over 5 million active installations, this is one of the most popular WordPress plugins on the market. Such a large user base makes it a popular target for attackers, since a breach of this plugin hands them a treasure trove of customer and order data. The vulnerability classes most commonly found in this plugin are XSS, PHP injection, arbitrary file upload and arbitrary file deletion, with the most recent issue being a SQL injection vulnerability disclosed in July 2021. WooCommerce shipped a fix within days and backported it to older release branches; if you have not already updated, do so now.
Profile Builder Plugin:
This is a popular plugin that lets website owners offer their customers the option to create an account on the site. You can build the front end of the account page with it and personalise the account fields. However, in February 2020 a security flaw was discovered in this plugin which allowed an attacker to create unauthorised administrator accounts on sites using it, and thereby gain control of the entire site. A patch was released in version 3.1.1 to rectify this.
This plugin is used to help improve a website's SEO ranking. In August 2021, Wordfence discovered an XSS vulnerability in this plugin which allowed attackers to redirect visitors to scam webpages. The vulnerability affected versions 5.0.0 to 5.0.3. After Wordfence notified the plugin's developers, a patch was released in version 5.0.4, effectively nullifying this security threat.
With more than 5 million active installations, this is the most popular plugin in this list. Just as with WooCommerce, its large user base draws attackers like flies to a lamp. With over 15 severe vulnerabilities recorded against this plugin, it remains a hotspot for exploitation to date. In August 2021, an XSS vulnerability was discovered which attackers exploited to take over websites without the owner's knowledge. The developer team was swift to implement a patch in version 5.0.4, putting a stop to these attacks.
W3 Total Cache:
This is a popular caching and performance plugin: by speeding up page loads it improves both user experience and search ranking. Two security vulnerabilities were recently identified in this plugin, an XSS flaw and a remote code execution (RCE) flaw, affecting websites using it. They were patched in version 2.5.1, and it is recommended that you update this plugin as early as possible.
This is a popular website builder with over 5 million active installations. However, in March 2021 Wordfence found an XSS vulnerability in this plugin which allowed attackers to gain access to websites using it. A patch was released in version 3.1.4, which mitigates any attacks that could have been carried out through this flaw.
Contact Form 7:
Built to create and manage contact forms for a website, this is the second most used plugin in WordPress. In September 2018, a privilege escalation flaw was discovered in this plugin which allowed attackers to upload malware onto websites, opening the door to further cyber attacks. That vulnerability was patched quickly; however, only a minority of the plugin's users have applied the update. We therefore recommend that you update this plugin as soon as possible.
This is a security plugin for your website, which makes it rather ironic for it to contain a flaw. However, security plugins are among the most attractive targets for attackers: they run with broad privileges across the whole site, so a flaw in one can hand over complete access once exploited. This plugin has over 11 vulnerabilities reported to date, the latest being an XSS vulnerability reported in 2019 which was promptly patched.
This plugin lets you view statistics about your website's visitors without sharing the data with third parties. It gives you visual feedback and stats on how your website is performing, providing in-depth insight into your visitors. However, in March 2021 an SQL injection vulnerability was discovered which allowed any unauthenticated visitor to extract data from the site's database. Fortunately it was quickly patched in version 13.0.8.
Here we have informed you about the top 10 plugin vulnerabilities that caused a massive impact on websites. We hope you take our advice seriously and update your outdated plugins as soon as possible, as they can pose serious security risks.
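A practical way to act on this advice is to audit the plugins actually installed on a site against the patched versions named above. The following Python script is an added example, not code from the article or from any of the plugins discussed: it parses the `Plugin Name:` and `Version:` header lines that WordPress itself reads from each plugin's main PHP file, compares them against a table of minimum patched versions, and flags anything older. The plugin headers below are constructed samples standing in for real files under `wp-content/plugins/`; the Profile Builder (3.1.1) and W3 Total Cache (2.5.1) minimums are the versions named in the article, while the Contact Form 7 entry is an assumed placeholder for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample plugin headers, standing in for wp-content/plugins/*/*.php.
# WordPress reads the same "Plugin Name:" and "Version:" lines from the header
# comment of each plugin's main file.
SAMPLE_PLUGIN_HEADERS = {
    "profile-builder/index.php": """<?php
/*
Plugin Name: Profile Builder
Version: 3.0.9
*/""",
    "w3-total-cache/w3-total-cache.php": """<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.5.1
 */""",
    "contact-form-7/wp-contact-form-7.php": """<?php
/*
Plugin Name: Contact Form 7
Version: 5.0.2
*/""",
}

# Minimum patched versions. The first two come from the article; the
# Contact Form 7 value is an assumption used only for illustration.
MIN_SAFE_VERSION = {
    "Profile Builder": "3.1.1",
    "W3 Total Cache": "2.5.1",
    "Contact Form 7": "5.0.4",  # assumed placeholder, not from the article
}

# Matches header lines such as "Version: 3.0.9" or " * Version: 2.5.1".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a plugin's header comment."""
    return {key: value for key, value in HEADER_RE.findall(php_source)}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '3.1.1' into (3, 1, 1); non-numeric suffixes like '-beta' are ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_outdated(installed: str, minimum: str) -> bool:
    """True if the installed version is strictly older than the patched minimum."""
    a, b = version_tuple(installed), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so '3.1' compares as '3.1.0'
    b += (0,) * (width - len(b))
    return a < b


def audit(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (plugin name, installed version, patched version) for every
    known plugin whose installed version is below the patched minimum."""
    findings = []
    for _path, source in headers.items():
        meta = parse_plugin_header(source)
        name, installed = meta.get("Plugin Name"), meta.get("Version")
        if not name or not installed or name not in MIN_SAFE_VERSION:
            continue
        minimum = MIN_SAFE_VERSION[name]
        if is_outdated(installed, minimum):
            findings.append((name, installed, minimum))
    return findings


if __name__ == "__main__":
    for name, installed, minimum in audit(SAMPLE_PLUGIN_HEADERS):
        print(f"{name}: installed {installed}, patched in {minimum} -> UPDATE")
```

On a real site, replace the sample dictionary with the contents of each plugin's main file read from `wp-content/plugins/`, or simply run `wp plugin list --update=available` if WP-CLI is installed; the value of the script is that it checks against the specific versions you know to be patched rather than only against the latest release.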