Three weeks into a month of targeting WordPress and its plugins, the Dutch 'Summer of Pwnage' hacking event has uncovered 64 vulnerabilities. Does this make WordPress the Adobe Flash of the CMS world? SCMagazine UK.com investigates...
Summer of Pwnage (#sumofpwn) describes itself as being a "community program for everyone with interest in software security" and that means everyone from "enthusiastic beginners to the 1337est hackers out there" apparently.
When you strip back the leet speak marketing, it's actually an open source security bug hunting event. The brainchild of Dutch application security outfit Security, #sumofpwn states that everyone is the owner of their bugs and exploits and can "use them as you like." It does, however, encourage participants to be part of the solution and disclose them responsibly to the original code authors.
As SC publishes this story today, #sumofpwn has reached day 21 of 29 and uncovered 64 vulnerabilities. We cannot confirm how many of these have been responsibly disclosed and patched as a result.
However, one of the most serious of the newly disclosed bugs we are aware of is a reflected XSS problem in the very popular Ninja Forms plugin, which has some 600,000 users. This has, thankfully, already been patched in a plugin update.
All of this does sound like evidence that WordPress is very insecure and sites built using it should be treated with suspicion.
But hold on a moment, how true is that?
WordPress is the most popular web content management system with a market share of around 60%. It's used on something like 60 million websites, and has spawned a third party plugin industry numbering 45,718 items when we checked today.
"Any other CMS of such popularity would attract the same attention of security researchers, script kiddies, White and Black hats," insists Ilia Kolochenko, CEO at High-Tech Bridge. The more popular a system is, the more people will try to hack it for fun or profit. "The WordPress security team is doing a very good job," Kolochenko reckons, "but the security of any plugins cannot be controlled, verified and monitored by them."
David Coveney, Director at WordPress development specialists interconnect/it, readily admits he's been "worried about plugin security for many years." Indeed, he says the company often only accepts third-party plugins when customers have been really insistent. "Even then we warn them that without a full review of the code we can't promise it will be secure," Coveney says.
"The issue with WordPress," Giovanni Vigna, CTO at Lastline, told SC, "is its extensibility." By allowing third-party plugins, and let's not deny they are one of the strengths of the platform, WordPress increases its security exposure. "This is the classic trade-off between extensibility and security that has haunted Windows for years," Vigna concludes. "By allowing every vendor to load drivers in the kernel, Windows increased its security exposure substantially."
So is it perhaps a stretch for #sumofpwn to imply that WordPress is being pwned? Or does WordPress deserve all the bad press it gets, in much the same way that Adobe does over vulnerabilities in Flash for example?
"The WordPress core is actually pretty well secured," Javvad Malik, security advocate at AlienVault, told SC, continuing: "a very low percentage of any of the severe vulnerabilities are attributed to the core platform. It's definitely unfair to compare it to Flash."
Ian Muscat, product communications manager at Acunetix, is in broad agreement. "I don't think that WordPress itself should be seen as a platform to stay away from," Muscat says, "but I do think that this is an unfortunate side-effect to having such a huge plugin open community." As David Coveney points out, "Most laymen believe that the official plugin and theme repository is reviewed for security, when it isn't."
Not that everyone SC spoke to was as considerate towards WordPress itself. Take Gareth O'Sullivan, senior director of solutions architecture at WhiteHat Security, who told us that "WordPress has long been considered the Swiss cheese of CMS solutions" and "users of WordPress should do so with caution and set their expectations for security pretty low."
Peter terSteeg, technology evangelist at Varonis, was just as unforgiving when he told SC that "there are countless known exploits that hackers use over and over again because many people who run WordPress aren't patching it regularly." Indeed terSteeg is of the opinion that the actual state of WordPress security is "far worse than the picture painted by the #sumofpwn hackathon."
At the end of the day, this dichotomy over the security, or otherwise, of the WordPress platform will continue to be debated regardless of events such as #sumofpwn. Indeed, you can take the results of this Summer of Pwnage in two distinct ways, according to Paul Ducklin, senior technologist at Sophos.
Either you can see it as security going backwards, with 64 holes being found in just three weeks, or, as Ducklin told SC, "Wow! 45,000 plugins, only 61 holes found so far, responsibly disclosed, and close to a third of those are already fixed. Now that's progress!"
Given the industry's increasing and visible collective willingness to research, find, report and, importantly, fix security holes fast, Ducklin tends to verge on the side of it being progress...