Case Study: Third-Party Plugins

[This was originally published on RiskBasedSecurity.com in the 2018 Q3 Vulnerability QuickView Report.]


Many people are familiar with content management systems (CMS), which are used in a variety of roles. Millions of people use them via hosted software such as WordPress.com and companies use them for blogging and knowledgebase systems. Historically, despite their wide deployment, many of the biggest CMS packages have had relatively few vulnerabilities. For example, since 2012, WordPress has only had 162 vulnerabilities disclosed. Given how prevalent the software is, that number is surprisingly low.

On the other side of the CMS equation are third-party plugins that add an incredibly wide variety of functionality designed to make the core software more effective. WordPress, Drupal, Typo3, and other CMS software offer an expected level of functionality to users. Then, third parties write additional software components to perform added tasks, some of which are used by millions of administrators. These third-party plugins offer an entirely different story when it comes to vulnerabilities.

First, as always, it is important to qualify and disclaim. In this case, third-party plugins can be written by anyone and integrated into the core software. That doesn’t necessarily mean the plugin will be used by many people. So, some plugins languish with an extremely limited audience of a few hundred users, while others enjoy more than a million active installations. This is a case where vulnerability statistics are interesting, but may not have any bearing on some users, while being of particular interest to others.

Focusing on two of four examples as seen in the chart below, WordPress plugins appear to receive a lot more scrutiny. While there were only 162 WordPress vulnerabilities in five years, third-party plugins for the software were found to have over 5,000 vulnerabilities. On the other hand, with Jenkins, which is used by corporations much more than individuals, the vulnerabilities in the base software as compared to the third-party plugins are closer in number. Given that some sites, such as those based on WordPress, are compromised via the vulnerabilities in third-party plugins, it is just as critical to stay on top of them as the core software vulnerabilities. How is your organization monitoring the vulnerabilities in third-party plugins? Hopefully your answer is not NVD.

Leave a Reply

%d