WordPress, Apache Struts Attract the Most Bug Exploits

An analysis found these web frameworks to be the most-targeted by cybercriminals in 2019.

WordPress and Apache Struts vulnerabilities were the most-targeted by cybercriminals in web and application frameworks in 2019 – while input-validation bugs edged out cross-site scripting (XSS) as the most-weaponized weakness type.

That’s according to the RiskSense Spotlight Report, which analyzed 1,622 vulnerabilities from 2010 through November of 2019. Web frameworks streamline the development and deployment of applications and websites. Instead of requiring developers to code every line of PHP, HTML, etc., a framework can provide them with ready-made building blocks for many common tasks.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense, in a media statement. “As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

The firm found that WordPress and Apache Struts alone accounted for a combined 57 percent of exploited framework bugs during the year. Their respective underlying languages, PHP for WordPress and Java for Struts, were also the most weaponized languages in the study.

Also, while WordPress faced a number of different types of bugs over the course of the year, XSS was the most common problem according to the analysis; input validation meanwhile was the biggest risk for the Apache Struts framework.

Their prevalence in WordPress aside, XSS bug flaws overall have fallen in volume in recent years: XSS was the most common vulnerability over the 10-year study period, but it dropped to fifth when analyzed for just the last five years. Meanwhile, input validation accounted for 24 percent of all weaponized vulnerabilities over the past five years, mostly affecting Apache Struts, WordPress and Drupal.

The analysis also found that while the total volume of cybersecurity vulnerabilities in frameworks went down last year, the actual weaponization rate of those bugs went up. That rate jumped to 8.6 percent in 2019, which is more than double the National Vulnerability Database average of 3.9 percent for the same period.

In total, 27.7 percent of WordPress vulnerabilities were weaponized. Apache Struts had the third most-weaponized vulnerabilities and had one of the highest overall weaponization rates across all frameworks, the report found; and, 38.6 percent of all Struts vulnerabilities were weaponized.

“Only Laravel had a higher weaponization rate, but that was based on only four total vulnerabilities,” the report noted.

“It’s no surprise that Apache Struts is one of the most weaponized application frameworks out there,” Mehul Revankar, director of product management at SaltStack, told Threatpost. “It’s a key dependency for a many modern web applications, and it’s not easily known whether it’s in use or not by an application.”

An Apache Struts exploit was behind the infamous 2017 Equifax breach, which affected 147 million people.

Some specific types of bugs also saw a higher rate of weaponization. For instance, SQL injection, code injections and various command injections are sought-after by cyberattackers and saw weaponization rates of more than half in the study, despite being quite rare. Broken down, the top three weaknesses by weaponization rate were command Injection (60 percent weaponized), OS command injection (50 percent weaponized) and code injection (39 percent weaponized).

And, JavaScript and Python frameworks showed the lowest weaponization of vulnerabilities overall. For instance, the JavaScript-based Node.js had a notably higher number of vulnerabilities than other JavaScript frameworks last year, with 56 vulnerabilities – but only one has been weaponized to date, according to the research. Likewise, Django had 66 vulnerabilities, with only one weaponized.

“Web application vulnerabilities have been an increasingly ripe attack vector over the past decade,” said Jack Mannino, CEO at nVisium, speaking to Threatpost. “WordPress and Apache Struts implementations in particular have been notoriously plagued with out of date plugins and library versions. As these systems remain unpatched and not updated for long intervals, their likelihood for exposure is high. Off-the-shelf exploits against these technologies have been prevalent in attacker tooling and will continue to be.”