The majority of WordPress vulnerabilities discovered in 2023 are rated as medium level, accounting for about 67% of them. Understanding these vulnerabilities and knowing when they represent an actual security threat is essential. Here are the key facts about these medium-level vulnerabilities.
What Is A Medium Level Vulnerability?
A spokesperson from WPScan, a WordPress security scanning company owned by Automattic, explained that they use the Common Vulnerability Scoring System (CVSS) to rate the severity of a threat. The scores are based on a numbering system from 1 to 10, with ratings ranging from low to critical.
The spokesperson elaborated:
“We don’t flag levels as the chance of happening, but the severity of the vulnerability based on FIRST’s CVSS framework. Speaking broadly, a medium-level severity score means either the vulnerability is hard to exploit (e.g., SQL Injection that requires a highly privileged account) or the attacker doesn’t gain much from a successful attack (e.g., an unauthenticated user can get the content of private blog posts).
We generally don’t see them being used as much in large-scale attacks because they are less useful than higher severity vulnerabilities and harder to automate. However, they could be useful in more targeted attacks, for example, when a privileged user account has already been compromised, or an attacker knows that some private content contains sensitive information that is useful to them.
We would always recommend upgrading vulnerable extensions as soon as possible. Still, if the severity is medium, there is less urgency to do so, as the site is less likely to be the victim of a large-scale automated attack.
An untrained user may find the report a bit hard to digest. We did our best to make it as suitable as possible for all audiences, but I understand it’d be impossible to cover everyone without making it too boring or long. And the same can happen to the reported vulnerability. The user consuming the feed would need some basic knowledge of their website setup to consider which vulnerability needs immediate attention and which one can be handled by the WAF, for example.
If the user knows, for example, that their site doesn’t allow users to subscribe to it, all reports of subscriber+ vulnerabilities, independent of the severity level, can be reconsidered, assuming that the user maintains a constant review of the site’s user base.
The same goes for contributor+ reports or even administrator levels. If the person maintains a small network of WordPress sites, the admin+ vulnerabilities are interesting for them since a compromised administrator of one of the sites can be used to attack the super admin.”
Contributor-Level Vulnerabilities
Many medium-severity vulnerabilities require contributor-level access. A contributor is a user role that gives a registered user the ability to write and submit content, although contributors generally don’t have the ability to publish it. Most websites don’t have to worry about security threats that require contributor-level authentication because most sites don’t offer that level of access.
Chloe Chamberland, Threat Intelligence Lead at Wordfence, explained that site owners shouldn’t worry about vulnerabilities requiring contributor-level access because most WordPress sites don’t offer that permission level. These kinds of vulnerabilities are also hard to scale because exploiting them is difficult to automate.
Chloe elaborated:
“For most site owners, vulnerabilities that require contributor-level access and above to exploit are something they do not need to worry about. This is because most sites do not allow contributor-level registration and most sites do not have contributors on their site.
In addition, most WordPress attacks are automated and are looking for easy-to-exploit high value returns so vulnerabilities like this are unlikely to be targeted by most WordPress threat actors.”
Website Publishers That Should Worry
Chloe also mentioned that publishers who do offer contributor-level permissions may have several reasons to be concerned:
“The concern with exploits that require contributor-level access to exploit arises when site owners allow contributor-level registration, have contributors with weak passwords, or the site has another plugin/theme installed with a vulnerability that allows contributor-level access in some way and the attacker really wants in on your website.
If an attacker can get their hands on one of these accounts, and a contributor-level vulnerability exists, then they may be provided with the opportunity to escalate their privileges and do real damage to the victim. Let’s take a contributor-level Cross-Site Scripting vulnerability for example.
Due to the nature of contributor-level access, an administrator would be highly likely to preview the post. At that point, any injected JavaScript would execute – meaning the attacker would have a relatively high chance of success. This can be leveraged to add a new administrative user account, inject backdoors, and essentially do anything a site administrator could do. If a serious attacker has access to a contributor-level account and no other trivial way to elevate their privileges, then they’d likely leverage that contributor-level Cross-Site Scripting to gain further access.
As previously mentioned, you likely won’t see that level of sophistication targeting the vast majority of WordPress sites, so it’s really high value sites that need to be concerned with these issues.
In conclusion, while I don’t think a vast majority of site owners need to worry about contributor-level vulnerabilities, it’s still important to take them seriously if you allow user registration at that level on your site, you don’t enforce unique strong user passwords, and/or you have a high value WordPress website.”
Be Aware Of Vulnerabilities
While many of the medium-level vulnerabilities may not be a major concern, it’s still essential to stay informed. Security scanners like the free version of WPScan can alert you when a plugin or theme becomes vulnerable. It’s a good system for keeping on top of vulnerabilities.
WordPress security plugins like Wordfence provide proactive security, blocking automated hacking attacks and enabling advanced users to block specific bots and user agents. The free version of Wordfence offers significant protection through a firewall and a malware scanner, while the paid version covers all vulnerabilities as soon as they’re discovered, even before they’re patched.
Security is generally not considered an SEO issue, but it should be because failing to secure a site can undo all the hard work done to achieve good rankings.
Featured Image by Shutterstock/Juan villa torres