19 Sep 2016

We Now Let You Know How Likely It Is That a WordPress Plugin Vulnerability Will Be Exploited

Recently we have been looking at ways that we can improve the data we provide on WordPress plugin vulnerabilities through our service. Three weeks ago we started including data on false reports of vulnerabilities in the plugins you have installed. Today we have added a rating of the likelihood that a vulnerability will be exploited to the service’s data we present in the plugin and in the email alerts you receive if the currently installed version of one of your plugins has a vulnerability. Once you have updated the service’s companion plugin to the newly released 2.0.22 you will start getting that.

Before we get into the details of that, we thought it would be useful to explain why we thought this would be a good addition to the service. Something we often see is that really minor vulnerabilities, ones that almost no one would try to exploit on a website, are instead presented by security companies and the press as being major concerns. The press often makes a big deal of minor vulnerabilities in very popular plugins that never get exploited, while not covering vulnerabilities in lesser-used plugins that lead to thousands of websites being hacked. We also sometimes see people immediately removing a plugin with a minor vulnerability, when they could have safely waited for a fix to be put out.

One possible way to better present the actual threat of a vulnerability would be to use a severity score. Those seem to be popular, particularly the CVSS scoring system, but we found that the scores it produces for WordPress plugins are much too high, leading again to overemphasis on vulnerabilities that are not a large threat. That scoring system is also rather complicated, with multiple scores and multiple versions of the scoring system.

So we have come up with a simpler rating system for the likelihood of a vulnerability being exploited. We give each vulnerability a rating of low, medium, or high based on our estimation of the likelihood of exploitation. Most vulnerabilities fall into either low or high, with medium being for vulnerabilities that would be exploited in more limited circumstances. Take for example this vulnerability that would allow anyone logged into WordPress to upload malicious files. For a lot of websites that only have one WordPress account, or only have accounts for a few trusted users, it really isn’t much of a concern, but if you allow the public to register for accounts it could be a threat (hackers did try to target it).

How We Make Our Estimates

To come up with accurate ratings, which is important for them to be useful, we look at three items.

The first is the type of vulnerability. This is by far the biggest factor, as many types of vulnerabilities are either highly likely or unlikely to be exploited.

The second is the specifics of the vulnerability, which can sometimes make a big difference. For example, a persistent cross-site scripting vulnerability that places malicious JavaScript code on the frontend pages of the website is more likely to be exploited than one that places it on a single admin page.

Finally, since we are constantly monitoring what vulnerabilities hackers are targeting, we can see if a vulnerability is getting targeted out of line with what the two other criteria would suggest and change the rating to match that.

All of this depends on us having a good understanding of those things, and that is where we can provide unique value, because we review vulnerabilities, monitor hacking attempts, and clean up hacked WordPress websites. In addition, we continue to look at ways to get a better understanding of what is going on, by doing things like seeing to what extent WordPress security plugins can protect against exploitation of vulnerabilities and seeing what influences which vulnerabilities hackers choose to target.

Rating Data Still Being Added

We started including the estimate when adding new vulnerabilities a few weeks ago. In the last week we have added ratings to a lot of the existing vulnerabilities, but it will still be some time before we include ratings for all of the vulnerabilities that have existed in the data set for some time.

 

If you have ideas for further improvements to the data we present in the plugin, or any similar suggestions, please get in touch with us.
