01

The audience for this report

We wrote this report so that everyone from interested security beginners to advanced security researchers will benefit from it. If you are a security beginner we have a glossary at the end of this report and link to it from key terms. For advanced researchers, we believe this report will highlight the rankings of threats to WordPress sites that we are currently seeing.

02

Key takeaways

  • The most reported vulnerability types in 2023 were Cross‑Site Scripting, Cross‑Site Request Forgery, Authorization Issues, and SQL Injection vulnerabilities.
  • Although Cross‑Site Scripting was the most reported vulnerability, it wasn’t the most detected type of attack through the Jetpack firewall. SQL injection was the most popular.
  • 67% of the reported vulnerabilities were of medium severity, while 18% were classified as high severity, and 2% as critical.
  • 37% of the reported vulnerabilities required the attacker to have authenticated access, either directly or via CSRF through a victim, to the targeted site.
  • Weak credentials or “nulled” plugins carrying backdoors were the most common vectors for infecting sites.
  • The Jetpack firewall, although a recent addition to the Jetpack Security suite, is proving its worth by blocking potential attacks early in the cycle, preventing attackers from getting a foothold on protected sites.

03

Summary

The WPScan Website Threat Report consolidates all the information collected by the Security Research team throughout 2023. 

We navigated the logs of our user base to identify the most common threats, vulnerabilities, and active attacks that happened in 2023. This investigation showed that while Cross‑Site Scripting is popular among the Independent Researchers and Bug Bounty Hunters, it is not as common in attacks. It also showed that after a compromise, the most popular code added by bad actors is anything that would maintain access to the attacked website.

04

Methodology

The report was made by using a representative sample of all the websites using Jetpack Scan or Protect, as well as internal Automattic services that also use Scan. When combined this comprised a total of 360,734 websites. 

We will also cover the vulnerabilities disclosed by WPScan during 2023, which consisted of reports reviewed and verified by our Security Researchers, as well as disclosures received from third parties.

It’s worth mentioning that this report only covers a fraction of the internet ecosystem; only WordPress sites were reviewed, and it is limited to Jetpack users. Therefore it will not depict the current state of the whole internet, but a more concise view of it.

5,271 disclosed vulnerabilities in 2023

05

Vulnerabilities

The WPScan team, along with Independent Researchers, found and processed a total of 5,271 vulnerabilities in 2023. Those researchers, along with the software authors, rely on our Responsible Vulnerability Disclosure process to make sure their findings are valid and relevant, and also rely on our coordination of the fix release and public disclosure.

06

Disclosed Vulnerability Types

Among all the vulnerabilities disclosed in 2023 (across WordPress core, plugins, and themes) the most popular vulnerability disclosed was Cross‑site Scripting (CWE‑79) with 53.02% of all cases. This was followed by Cross‑Site Request Forgery (CWE‑352), responsible for 19.89% of the disclosures, and finally, in third place, we found Authorization Issues (CWE‑862) with 8.11%. SQL injection (CWE‑89) vulnerabilities made 4th place.

07

Disclosed Vulnerabilities Severity Distribution

In terms of severity, a little over 20% of all reported vulnerabilities were high or critical, but medium severity dominated the reports with 67%. While severity doesn’t translate directly to the risk of exploitation, it’s an important guideline for website owners to make an educated decision about when to disable or update the extension.

08

Assessing Vulnerability Risk

The WPScan team, when reviewing a reported vulnerability, will verify whether authenticated or unauthenticated users can exploit the affected code and which roles would be needed for a successful attack. Sharing this value is important for users to properly assess the risks of keeping outdated software in their systems. In the last year, around 22% of the disclosures required either a subscriber level of authentication to be exploited or no authentication at all, meaning that almost any user could perform an attack. On the other hand, 30.71% of the reports were related to attacks that needed administrator privileges; this reduces the risk depending on the user setup, but these vulnerabilities should not be ignored.

Almost 25% of the vulnerabilities reported were Cross‑Site Request Forgery. These are only exploited when the victim is already authenticated on the vulnerable site and visits a web page crafted by the attacker to trigger the vulnerability. This is an important indicator, since it shows how often developers fail to use authenticity checks properly.

When analyzing the reported vulnerabilities that didn’t require authentication or could be exploited by using a subscriber‑level user, we found that the vast majority of reports were related to a lack of proper authorization; these vulnerabilities allow users to perform plugin functions that are not available for their roles. Although Unauthenticated File Upload technically belongs to this category, we count it separately since it enables attackers to escalate their authorization level by uploading backdoors, for example, and this makes it more serious.

The second most common vulnerability type exploitable with minimal authentication was SQL injection; under these circumstances it is both high severity and high risk, since it allows attackers with no or minimal authorization to make changes to the database or leak its contents.
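The two flaw classes described above, a missing authorization check and an unprepared SQL query, are illustrated below in a hypothetical WordPress AJAX handler, first in its vulnerable form and then hardened. This is an added example written for this report's readers; it is not code from the report or from any plugin named in it, and the plugin prefix (`acme`), the table name, the action name and the `manage_options` capability are assumptions.

```php
<?php
// Added illustration; hypothetical plugin code, not taken from the report.
// Both handlers answer admin-ajax.php?action=acme_delete_note (POST id=...).
// wp_ajax_* hooks fire for any logged-in user, so a subscriber can reach
// them; this is exactly the "minimal authentication" case discussed above.

// Vulnerable: every logged-in user can delete any note (missing authorization,
// CWE-862) and the id is interpolated straight into SQL (CWE-89).
function acme_delete_note_vulnerable() {
    global $wpdb;
    $id = $_POST['id']; // untrusted, unvalidated
    $wpdb->query( "DELETE FROM {$wpdb->prefix}acme_notes WHERE id = $id" );
    wp_send_json_success();
}

// Hardened: authenticity check (CSRF), capability check (authorization),
// type validation and a prepared query.
function acme_delete_note_hardened() {
    global $wpdb;

    // 1. Reject forged cross-site requests; dies with a 403 when the nonce fails.
    check_ajax_referer( 'acme_delete_note', 'nonce' );

    // 2. Authorization: only users entitled to manage the plugin's data.
    //    'manage_options' is an assumption; use the narrowest capability that fits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the type before the value goes anywhere near the database.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'bad id', 400 );
    }

    // 4. Parameterised query: the value can no longer alter the SQL structure.
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}acme_notes WHERE id = %d", $id )
    );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
add_action( 'wp_ajax_acme_delete_note', 'acme_delete_note_hardened' );

// The nonce the hardened handler expects is issued server-side to a page the
// user is already authorised to see, for example when enqueuing the admin script.
function acme_enqueue_admin_script() {
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'acme_delete_note' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acme_enqueue_admin_script' );
```

The order of the checks matters for triage: the nonce check runs first because it is the cheapest way to discard forged requests, the capability check decides who may perform the action at all, and `$wpdb->prepare()` ensures that even an authorised user cannot turn the `id` parameter into a different query.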

09

Key Reported Extension Vulnerabilities

Among all the reviewed vulnerabilities, some deserve to be highlighted due to their impact on the website or its visitors. There were two important Stored Cross‑Site Scripting vulnerabilities affecting plugins with more than 200,000 installs: WP Go Maps and Popup Builder.

SQL injection vulnerabilities also got their share of the spotlight, affecting the 90,000 active installations of SlimStat Analytics and the 1,000,000 users of WP Fastest Cache.

Other popular plugins had flaws that allowed attackers to either upload malicious code or execute arbitrary commands on vulnerable sites. WP Meta SEO allowed bad actors to achieve Remote Code Execution through a PHAR deserialization vulnerability.

We also found and shared the details of vulnerabilities reported in the Essential Blocks plugin that allowed arbitrary files to be included. We reported that Formidable Forms didn’t properly check authorization, making it possible for low‑privileged users to install arbitrary plugins on a vulnerable site.
Another important report we made concerned Royal Elementor Addons, which failed to check file extensions, allowing attackers to craft requests that resulted in an unauthenticated file upload.

10

WordPress Core Vulnerabilities

There were a total of 13 vulnerabilities reported in WordPress core in 2023, including two that were discovered internally by our Security Researchers: WordPress < 6.3.2 – Unauthenticated Post Author Email Disclosure, as well as an RCE Pop Chain Gadget (credit to Marc Montpas for these findings).

Of the core vulnerabilities in 2023, only one was scored with a high severity: WordPress 5.6 – 6.3.1 – Reflected XSS via Application Password Requests.

Also, it’s worth mentioning a core vulnerability that was widely discussed in 2022 and that we still received questions about during 2023: the Unauthenticated Blind SSRF via DNS Rebinding in versions up to and including 6.1.1. This vulnerability wasn’t verified by our Security Research team, and the original researchers stated that they couldn’t generically identify ways to leverage this behavior to take over vulnerable instances without relying on other vulnerable services. However, since it was already publicly available and the WPScan team is responsible for keeping track of these reports, we decided to disclose it. You can read our recommendations on our blog.

7 million malicious attacks blocked

11

Firewall Activity

The Jetpack firewall has been available since September 2022, and the Security Research Team was able to analyze some data collected by it. The current state of the firewall aims to block known and popular attacks, and the constant monitoring of requests and the processing of WPScan submissions will continuously add new rules to the set.

While investigating the logs, we found that our firewall blocked more than 7,000,000 requests (75.13% of all blocks) targeting a high‑severity (CVSS 8.8) vulnerability in tagDiv Composer, preventing XSS attacks on vulnerable sites. There are also rules that identify and block active exploitation attempts with a broader approach. In 2023 we found that attacks promising a higher gain for the attacker were more popular: 8.63% of all blocked requests were SQL injection attacks, and the firewall detected and rejected 499,211 Path Traversal attacks, which represented 5.26% of all detections.

It’s worth mentioning that although Cross‑Site Scripting (XSS) is the most submitted vulnerability type, it only makes the top 5 types of malicious requests the Jetpack WAF blocks, with 3.06% of all blocks.

This discrepancy may have several causes; the most likely are the part of the internet covered by this report and the fact that 57% of all reported XSS vulnerabilities required some level of authentication to exploit, which limits automated attacks. As a highlight, we monitored the fake plugin Core‑stab campaign (seen as Webshell Attack in the logs). The Jetpack firewall blocked almost 30,000 requests from it targeting multiple sites; it was the most active attack campaign in 2022 and it persisted in 2023. A report about this malware was shared on the WPScan blog, where you can find the detection rules we shared.

12

Malware Attacks

In 2023, Jetpack Scan found at least one malicious file on almost 70,000 sites running the tool. Despite the high number of cases, we didn’t identify any mass infection (our threshold is 5% of all infections). However, we have identified two common root causes for most of the attacks: weak or leaked credentials, and installation of pirated (or nulled) software (you can read more about it on our blog), which was found on around 1.52% of all compromised sites.

Generic malware was the most common type of malicious software detected by Jetpack Scan rules; in 2023 more than 600,000 files containing generic web threats were found, representing 75% of the whole detection volume. These generic rules cover popular indicators of compromise that can serve different types of attacks on the site, so it is hard to determine the final payload without an individual analysis of each threat.

A high number of backdoor detections is expected in every report we make, since once a bad actor takes control of a compromised website, they’ll want to maintain access to it even after the entry point is fixed. In 2023 Jetpack Scan found 113,880 backdoor files (or 13% of total detections); however, the real number may be higher, since our generic rules may detect backdoors as well.

These backdoors can be as simple as a few hundred characters to execute arbitrary code or a fully capable system that will allow attackers to perform changes on the filesystem and the database. In one notable example, we found a case where popular themes were compromised and carried backdoors to their users’ websites.

85,465 hardening alerts sent

Jetpack Scan also alerts users to hardening opportunities for their sites. Unlike alerts about a vulnerable theme or extension, hardening alerts suggest that users remove the offending file, since it is not vital to the site and may be exploited by attackers. Jetpack sent 85,465 (or 9.76%) hardening alerts during 2023.

An interesting indicator not covered by this chart is the number of threats identified by our fuzzy scanner, which estimates the likelihood of a file being malicious based on its resemblance to threats already known to the tool. In 2023 Jetpack issued 109,876 alerts generated by this scanner.

The nature of Jetpack Scan’s malware rules is to present cumulative Indicators of Compromise to users so they can evaluate the affected file and decide whether to use the automatic cleanup or check the file manually. Jetpack offers several options to remove malware, based on backups, known good copies of files, and more.
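The distinction drawn in this section between a generic indicator rule and a likelihood‑based (fuzzy) verdict is illustrated below with an added, simplified scorer: each indicator carries a weight, and only the cumulative score raises an alert. This is example code written for this report, not Jetpack Scan's rules; the indicators, weights, threshold, file paths and sample contents are all constructed, and the "backdoor" sample contains only a placeholder where a real one would carry its payload.

```php
<?php
// Added illustration of layering weighted indicators of compromise into a
// cumulative score. Indicators, weights and samples are constructed; this is
// not Jetpack Scan's rule set.

// No single indicator proves malice: base64_decode() appears in legitimate
// code, but eval() of decoded data rarely does, and request input fed into
// eval() almost never does. Weights encode that judgement.
const ACME_SCAN_INDICATORS = array(
    'eval_of_decoded'  => array( '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i', 4 ),
    'request_to_eval'  => array( '/\beval\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b/i', 4 ),
    'shell_exec'       => array( '/\b(?:shell_exec|passthru|system|proc_open)\s*\(/i', 2 ),
    'long_base64_blob' => array( '/[A-Za-z0-9+\/]{200,}={0,2}/', 2 ),
    'error_silencing'  => array( '/@?\s*error_reporting\s*\(\s*0\s*\)/i', 1 ),
);
const ACME_SCAN_THRESHOLD = 5; // a score at or above this raises an alert

/**
 * Score one file's contents and report which indicators fired, so the user
 * can review the evidence rather than a bare verdict.
 */
function acme_scan_contents( $contents ) {
    $score   = 0;
    $matched = array();
    foreach ( ACME_SCAN_INDICATORS as $name => $rule ) {
        list( $pattern, $weight ) = $rule;
        if ( preg_match( $pattern, $contents ) ) {
            $matched[] = $name;
            $score    += $weight;
        }
    }
    return array(
        'score'   => $score,
        'matched' => $matched,
        'verdict' => $score >= ACME_SCAN_THRESHOLD ? 'alert' : 'clean',
    );
}

// Constructed samples (paths and contents are invented). The first keeps only
// the shape a generic rule keys on; the payload is a placeholder, not code.
// The second is a benign use of base64_decode() that must not alert.
$acme_samples = array(
    'wp-content/uploads/2023/cache.php' =>
        '<?php @error_reporting(0); eval(base64_decode("<OBFUSCATED_PAYLOAD_PLACEHOLDER>"));',
    'wp-content/plugins/acme/logo.php' =>
        '<?php header("Content-Type: image/png"); echo base64_decode(get_option("acme_logo_b64"));',
);

foreach ( $acme_samples as $path => $contents ) {
    $r = acme_scan_contents( $contents );
    printf( "%-40s %-6s score=%d [%s]\n", $path, $r['verdict'], $r['score'], implode( ',', $r['matched'] ) );
}
```

The first sample reaches the threshold only because two indicators combine (decoded data passed to `eval()` plus error silencing); the second fires none. That combination rule is what keeps a scanner's false‑positive rate manageable on plugin code that legitimately decodes data, and the returned `matched` list is what lets a site owner judge the file before choosing automatic cleanup.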

13

Forecast

From this 2023 analysis, the main entry vector for compromised websites was leaked credentials or brute‑force of weak passwords. We suspect that this will continue to be the main attack vector in 2024. While this seems to be an easy fix by using a password manager and multi‑factor authentication, it relies more on a change in culture than technology.

We also predict that gaining access to the website will continue to be the most popular attack we block on the Jetpack Firewall; bad actors will continue to attempt authentication bypasses either by software vulnerabilities or brute‑force attacks; and SQL injection attacks will continue to be more present on the logs than Cross‑Site Scripting.

Cross‑site scripting vulnerabilities will continue to be the most reported vulnerability on the WPScan platform, mostly because extension authors tend to be lax about input sanitization when it comes to the admin side of WordPress sites, but also because these issues are easy to find using tools or manual code inspection. We’ve previously shared why Admin XSS is a valid security issue in the context of Multisite WordPress configurations.

14

Conclusion

Although the WordPress threat landscape has continued to evolve, one thing remains constant: bad actors aim to exploit vulnerable environments. And, with WordPress being the most popular CMS, it will continue to be the most targeted platform.

For website owners, being aware of the current threat landscape and how to mitigate risks is important, not only for the website’s integrity but also for its visitors and customers. Running a website has never been easier, and its security should be easy too. 

WPScan is an ideal security choice to keep large websites safe, and Jetpack Security is perfect for sites that need something that just works.

Employing multiple defensive controls can help you better identify and mitigate attacks against your website. Maintaining a strong security posture comes down to a few key principles: keeping your environment updated and patched, using password managers to avoid reuse, enabling multi-factor authentication wherever possible, and utilizing a web application firewall to filter malicious traffic. 

And, if a breach occurs, a system integrity report and a malware scanner will be your allies in identifying what needs to be repaired, as well as helping you prepare to recover a website by maintaining a recent backup of its clean state.

Credits

Jetpack and WPScan Security Research Team, Jetpack Marketing team.

Glossary

15

Authentication bypass attempts

Basic: Authentication bypass attempts are when someone tries to get into a system without using the right password or other login information.

Advanced: Authentication bypass attempts are malicious attacks against a system in which an attacker attempts to gain access to restricted information or resources by circumventing the authentication process. This type of attack is often directed at systems that rely on usernames and passwords for authentication, as attackers will attempt to guess or exploit known vulnerabilities in the system to gain access. Authentication bypass attempts may also be used to gain access to network systems, computer databases, or application programs.

Authentication bypass attacks can involve a variety of techniques, such as exploiting weak passwords, guessing credentials, using brute force attacks to guess passwords, using social engineering tactics such as phishing or pretexting, using privilege escalation techniques such as exploiting known vulnerabilities in software and hardware devices, or trying default account logins. These attacks can have serious consequences if successful: confidential data can be stolen from corporate systems, and individuals’ personal information can also be exposed if authentication is not properly secured. As such, organizations must take steps to ensure their authentication processes are secure by implementing strong password policies and ensuring any known vulnerabilities are patched quickly. Additionally, organizations should monitor their networks for signs of unauthorized access attempts so they can take immediate action when necessary.

Backdoors

Basic: A backdoor is a way for someone to get into your computer without using the normal security. It is like a secret window or door that only certain people know about.

Advanced: Backdoors are a type of malicious software (malware) that allows an attacker to gain unauthorized access to a computer system or network. They are typically used by cybercriminals to secretly steal data, install malware, or even sabotage the system. Backdoors can be installed in a variety of ways, including through email phishing scams, malicious websites, vulnerable software, and unsecured Wi‑Fi networks. Once a backdoor is installed on a system, it can remain undetected for long periods of time and enable unauthorized access from any location.

Backdoors generally consist of two components: one for the attacker and one for the target machine. The attacker’s component is typically disguised as legitimate software that provides remote access capabilities to the target machine.

This type of backdoor often has built‑in security measures to prevent discovery by anti‑malware tools and other security measures. The target machine’s component is used to transmit data back and forth between the attacker’s machine and the target machine without triggering an alert from any security measures in place.

In some cases, backdoors may also be hardcoded into computers or other digital devices during their production process or after they have been shipped out. These types of backdoors are difficult to detect because they are built into the device’s hardware or firmware rather than being installed as software by an attacker. By exploiting these types of backdoors, attackers can gain persistent access to systems without needing credentials or other authentication mechanisms as they would with more traditional methods such as phishing scams.

Botnet

Basic: A botnet is a group of computers that are connected together on the internet. They are controlled by one person, who can use them to do things like send spam and attack websites.

Advanced: Botnets are networks of internet‑connected devices that have been infected with malicious software and can be controlled remotely by cyber criminals. The malware responsible for creating and controlling a botnet is known as a bot. Botnets are most commonly used to launch large‑scale distributed denial‑of‑service (DDoS) attacks, in which the network of compromised machines floods a targeted system or website with traffic, overwhelming it and rendering it unavailable to legitimate users.

Botnets can also be used to send out spam emails, spread malware, steal data, mine cryptocurrency, and more. The devices in a botnet can range from computers to smartphones to IoT devices such as webcams or routers.

Most often, bots infect vulnerable systems by exploiting known security flaws or by tricking users into installing the malicious code (e.g., via phishing campaigns). Once inside a device, the malware will establish communication channels with its command‑and‑control (C&C) servers and wait for instructions from its operators. The C&C server then issues commands that direct the bots to perform certain tasks.

Botnets pose serious security threats because they allow attackers to remain anonymous while launching powerful attacks on their targets. Furthermore, since many botnets use peer-to-peer or decentralized architectures, they are difficult to detect and disrupt—making them even more attractive tools for cybercriminals.  

Cross-Site Request Forgery 

Basic: Cross‑Site Request Forgery is a type of cyber attack that tricks a website into thinking that you asked for something to happen. It can be used to steal information or do things without your permission.

Advanced: Cross‑Site Request Forgery is an attack technique that exploits the trust between a web application and its users in order to execute unwanted actions on behalf of an authenticated user. CSRF attacks usually involve malicious actors using malicious code, such as HTML code or JavaScript, to construct a malicious request that is then sent through the victim’s browser.

This request contains data that can be used by the attacker to perform some action on behalf of the user, such as making changes to their account settings or making purchases from their account.

The fundamental concept behind a CSRF attack is that the victim unknowingly submits a malicious request to the vulnerable web application, which in turn interprets it as a legitimate one from an authenticated user. Because the user is not asked to re‑authenticate for each HTTP request, this type of attack takes advantage of the trust relationship between the web application and its users. This means that attackers can act on sensitive information without having to authenticate themselves, allowing them to bypass authentication protocols and steps.

In order for attackers to successfully launch a CSRF attack they must first identify vulnerabilities within the target website – such as weak input validation – which they can exploit in order to modify requests made by unwitting victims. Attackers typically use social engineering methods like phishing emails and malicious links in order to deceive victims into submitting these forged requests.

As CSRF attacks are based on tricking web applications into executing unauthorized actions without any knowledge of the user, they can result in serious damages when used against e‑commerce websites or other online services where users store sensitive information such as credit card numbers or personal data.
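The authenticity check that closes this gap in WordPress is the nonce: a per‑user, per‑action token the site embeds in its own forms and verifies before acting. The following added example, written for this glossary and not taken from the report or from any plugin it names, shows a hypothetical settings form and its handler; the `acme` prefix, option name, action name and menu page are assumptions.

```php
<?php
// Added illustration of WordPress authenticity checks (nonces) on an admin
// form; hypothetical plugin code, not from the report.

// Render the settings form on the plugin's admin page.
function acme_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $current = get_option( 'acme_footer_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_save_settings">
        <?php
        // Emits a hidden field (acme_nonce) tied to this user, this action and
        // a time window. An attacker's page cannot read or predict it.
        wp_nonce_field( 'acme_save_settings', 'acme_nonce' );
        ?>
        <label>Footer text
            <input type="text" name="footer_text" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler for admin-post.php?action=acme_save_settings (logged-in users).
function acme_save_settings() {
    // A capability check alone does not stop CSRF: a logged-in administrator
    // who visits an attacker's page would pass it. Many of the CSRF reports
    // counted above are handlers that have this check and nothing else.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // The nonce proves the request came from a form this site rendered for
    // this user; on failure WordPress stops with "The link you followed has expired".
    check_admin_referer( 'acme_save_settings', 'acme_nonce' );

    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'acme_footer_text', $text );

    // Assumed settings page slug; redirect so a refresh does not resubmit.
    wp_safe_redirect( admin_url( 'options-general.php?page=acme-settings&updated=1' ) );
    exit;
}
add_action( 'admin_post_acme_save_settings', 'acme_save_settings' );
```

Note that a nonce only authenticates intent; it does not replace the capability check, which still decides who may change the option at all. The two checks address different failures, which is why both appear in the handler.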

Cross-Site Scripting

Basic: Cross-Site Scripting is when someone adds bad code to a website so that it does something it is not supposed to do.

Advanced: Cross‑Site Scripting (XSS) is a form of computer security vulnerability that enables malicious attackers to inject code into web applications. It typically involves injecting malicious JavaScript, HTML or other types of client‑side code into webpages viewed by victims, allowing the attacker to execute malicious activities such as harvesting sensitive data from users or redirecting victims to malicious websites. XSS attacks can also be used to hijack user sessions and assume control of user accounts.

XSS attacks are most commonly found in online forums and comment sections, but they can also be present in other areas such as contact forms, login pages, search boxes and more. The goal of the attack is generally to gain access to confidential information stored on the website, such as credit card numbers, passwords or other personal data. In order to protect against XSS attacks, developers should use input sanitization techniques when receiving user input and make sure to encode any special characters that may be included in user input prior to displaying it on a webpage.

Additionally, it is important for developers to maintain an up‑to‑date version of their web application framework that includes the latest security patches and updates.
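The sanitize‑on‑input, encode‑on‑output advice above maps onto specific WordPress functions, one per output context. The added example below is written for this glossary and is not code from the report or from any plugin it names; the `acme` prefix, option name and function names are assumptions.

```php
<?php
// Added illustration of context-specific output escaping in WordPress;
// hypothetical plugin code, not from the report.

// Vulnerable: a reflected value is written into HTML text and into an
// attribute without escaping. Either context is enough for an injection.
function acme_search_box_vulnerable( $term ) {
    return '<p>Results for ' . $term . '</p>'
         . '<input type="text" name="s" value="' . $term . '">';
}

// Hardened: escape for the exact context the value lands in.
function acme_search_box_hardened( $term ) {
    return '<p>Results for ' . esc_html( $term ) . '</p>'
         . '<input type="text" name="s" value="' . esc_attr( $term ) . '">';
}

// Stored case: an option written from the admin side but rendered to every
// visitor, the pattern behind the plugin Stored XSS reports counted above.
// Sanitize on the way in (allowlisted tags only) and escape again on the way
// out, because the option could have been written by another code path.
function acme_save_footer_html( $raw ) {
    update_option( 'acme_footer_html', wp_kses_post( $raw ) );
}
function acme_render_footer_html() {
    return wp_kses_post( get_option( 'acme_footer_html', '' ) );
}

// URL and script contexts need their own encoders; esc_html() is not enough
// for either.
function acme_render_link( $url, $label ) {
    // esc_url() rejects unsafe schemes such as javascript: and encodes the rest.
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $label ) . '</a>';
}
function acme_inline_config( $value ) {
    // wp_json_encode() escapes "/" by default, so a value cannot close the
    // script element with "</script>".
    return '<script>var acmeValue = ' . wp_json_encode( $value ) . ';</script>';
}

// Constructed inputs showing that the hardened versions neutralise markup.
echo acme_search_box_hardened( '<img src=x onerror=alert(1)>' ), "\n";
echo acme_render_link( 'javascript:alert(1)', 'home' ), "\n";
echo acme_inline_config( array( 'name' => '</script><b>' ) ), "\n";
```

The recurring mistake the report attributes to extension authors is trusting admin‑side input as if it were code: the stored footer example shows why a value must be treated as data every time it is rendered, regardless of which role wrote it.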

Fuzzy Rules

Basic: Fuzzy rules are instructions that computers use to keep things secure. They help a computer decide when it is safe to do certain things.

Advanced: Fuzzy Rules in computer security are a form of advanced artificial intelligence that can be used to detect potential threats. They use fuzzy logic, which is a type of mathematical system that allows for the expression of distinct truth values that are not necessarily true or false.

This technology can analyze large amounts of data and identify patterns in the data that may indicate malicious activity. For example, if a certain pattern of network traffic occurs at regular intervals, then it can be analyzed to determine whether there is an attack occurring or not.

The goal of fuzzy rules is to provide better accuracy than standard rule‑based systems when detecting potential threats. By utilizing fuzzy logic, they can take into account multiple factors at once, such as the frequency of certain activities or the size of file transfers. This allows for more accurate threat detection as it takes into consideration things like changing circumstance and user behavior instead of simply relying on static rules.

Fuzzy rules also have the advantage over traditional algorithms that they can learn from their mistakes and evolve over time based on new data fed into them. This means they become increasingly accurate and efficient as they gain more experience and knowledge about specific types of threats and environments. This level of adaptability makes them powerful tools for protecting against cyber attacks over time and across different networks.

Hardening

Basic: Hardening is a process of strengthening the security of a computer system or network to protect it from malicious activities.

Advanced: Hardening is a process that strengthens the security of a computer system or network. This involves installing and configuring security measures to protect against potential attacks as well as testing the system to ensure its secure configuration.

Hardening can include physical security, such as locked doors and fences around the building or server room, or it can focus on digital protection such as firewall rules, antivirus software, and patch management.

Hardening also requires updating operating systems, disabling unnecessary services, applying protocol passwords for authentication, and using encryption methods for sensitive data.

Hardening is an ongoing effort that must continuously be monitored and updated to keep up with ever‑changing threats from cyber criminals. A successful hardening strategy should take into account all angles of attack—from physical access control to application layer defense—and provide comprehensive protection from both external and internal threats.

Malware Attacks

Basic: Malware attacks are when someone tries to damage a computer by sending it a virus.

Advanced: Malware attacks are malicious cyber‑attacks that utilize malicious software, also known as malware, to compromise the security and privacy of a system or network. Malware is a broad category of malicious software including viruses, spyware, ransomware, trojans, worms, and other types of malicious programs designed to damage or gain unauthorized access to a system.

Malware can be spread through email attachments, websites offering downloads, peer‑to‑peer file sharing networks, and more. Once downloaded on the user’s device or computer, malware can be used to steal the user’s sensitive data and login credentials; track their online activity; modify files; launch denial of service (DoS) attacks against servers; encrypt data and hold it for ransom; hijack web browsers or entire computer systems; mine cryptocurrencies without user consent; install additional malware payloads on the victim’s device; allow remote access to an infected machine; and perform many other malicious activities.

To protect against these threats, users should always use strong passwords for all their accounts and regularly update them. They should also regularly scan their devices with up‑to‑date anti‑malware software as well as keep their operating system and apps updated with the latest security patches. Additionally they should avoid downloading files from untrustworthy sources such as email attachments from unknown senders or websites offering free music or movie downloads.

ModSecurity Rules

Basic: ModSecurity rules are instructions that help keep websites safe from people who want to cause trouble.

Advanced: ModSecurity rules are security rules designed to protect web applications and websites from malicious attacks. These rules provide an additional layer of protection in addition to the traditional firewall and antivirus software.

ModSecurity rules use a combination of specialized filtering, attack detection, and blocking techniques to help protect websites from common web application attacks such as cross‑site scripting (XSS) and SQL injection. These rules can be used both on the server‑side of a website or at the network level.

At the server‑side, ModSecurity rules analyze incoming requests and responses for malicious content, blocking requests that it identifies as dangerous. The rule sets also have features that allow administrators to customize them to suit their particular needs.
For example, they may specify which HTTP methods are allowed on a particular page or what type of content is permitted. This can help prevent attackers from exploiting commonly used web application vulnerabilities such as remote file inclusion flaws or directory traversal issues.

At the network level, ModSecurity rules can be used to detect suspicious traffic patterns and block requests associated with malicious activity. They also provide an additional layer of defense against distributed denial‑of‑service (DDoS) attacks by monitoring communication between a web server and its clients for suspicious behavior. By doing so, ModSecurity can detect attempted DDoS attacks before they succeed in causing significant disruption or damage to the system.

Overall, ModSecurity’s ability to analyze both incoming requests and outgoing responses make it an effective tool for protecting web servers from malicious activity. The rulesets included with the product are highly flexible and customizable, allowing administrators to tailor them according to their specific security needs.

Furthermore, using ModSecurity helps secure both websites against known attack vectors as well as helping defend against unknown threats by detecting suspicious behaviors impacting either server‑level or network‑level operations.

Path Traversal

Basic: Path Traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.

Advanced: Path Traversal, also known as directory traversal and sometimes referred to as ‘dot dot slash’, is a type of vulnerability that allows attackers to access restricted directories on a computer system or network. It exploits an application’s failure to properly sanitize user‑supplied input and can be used to gain unauthorized access to sensitive data or files such as system configurations, source code, databases, passwords, and other sensitive information. Path Traversal attacks are typically performed by inserting “../” into web addresses or other user‑supplied parameters in order to traverse back out of the current folder/directory structure.

For example, if an application were vulnerable to Path Traversal it could allow an attacker to bypass restrictions by entering a URL such as http://www.example.com/restrictedfolder/../index.html which would result in the unrestricted index page being served instead of the restricted folder contents. To prevent this type of attack from occurring, developers must make sure their applications properly sanitize all user‑supplied inputs using strict validation routines that prevent users from passing unanticipated strings such as “../” in any inputs given by them.
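Rejecting the literal string “../” is the weakest form of the validation described above, because encoded, mixed‑separator and symlinked forms slip past it. The added example below instead resolves the requested name to a canonical path and requires that path to remain inside the permitted directory. It is written for this glossary, not taken from the report; the `acme` prefix, the export directory and the file names are constructed for the self‑check.

```php
<?php
// Added illustration of a containment check for path traversal; hypothetical
// code, not from the report.

// Vulnerable: plain concatenation, so "../../wp-config.php" leaves the folder.
function acme_read_export_vulnerable( $base_dir, $name ) {
    return file_get_contents( $base_dir . '/' . $name );
}

// Hardened: resolve to a canonical absolute path (symlinks followed, ".."
// collapsed) and require it to stay under $base_dir.
function acme_safe_export_path( $base_dir, $name ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return null;
    }
    // Reject empty names and NUL bytes before touching the filesystem.
    if ( '' === $name || false !== strpos( $name, "\0" ) ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() returns false for files that do not exist, which also closes
    // off probing. The separator is appended to the prefix so that a sibling
    // such as "/srv/exports-old" is not mistaken for a child of "/srv/exports".
    if ( false === $candidate || 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $candidate;
}

function acme_read_export_hardened( $base_dir, $name ) {
    $path = acme_safe_export_path( $base_dir, $name );
    return null === $path ? null : file_get_contents( $path );
}

// Self-check against constructed files in a temporary directory.
function acme_path_traversal_selfcheck() {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'acme-exports-' . uniqid();
    mkdir( $dir );
    file_put_contents( $dir . '/report.csv', "id,value\n1,ok\n" );
    $results = array(
        'plain_name_allowed'  => null !== acme_safe_export_path( $dir, 'report.csv' ),
        'dot_dot_rejected'    => null === acme_safe_export_path( $dir, '../../wp-config.php' ),
        'encoded_rejected'    => null === acme_safe_export_path( $dir, rawurldecode( '..%2F..%2Fwp-config.php' ) ),
        'sibling_rejected'    => null === acme_safe_export_path( $dir, '../' . basename( $dir ) . '-old/x' ),
        'subdir_still_inside' => null === acme_safe_export_path( $dir, 'sub/../report.csv' ) ? false : true,
    );
    unlink( $dir . '/report.csv' );
    rmdir( $dir );
    return $results;
}

print_r( acme_path_traversal_selfcheck() );
```

Because the check is made on the resolved path rather than on the input string, it does not need a growing list of encodings to reject; the cost is that the file must exist for `realpath()` to succeed, which is the right behaviour for a download endpoint but not for code that creates files, where the parent directory should be resolved and checked instead.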
