According to RiskSense's Spotlight Report, WordPress and Apache vulnerabilities, if exploited, can have devastating effects like the Equifax breach, which affected 147 million people. RiskSense also noted that the total number of framework vulnerabilities went down in 2019 while the weaponization rate went up, that WordPress and Apache Struts had the most weaponized vulnerabilities, and that input validation surpassed cross-site scripting (XSS) as the most weaponized weakness across the frameworks examined.
The report is the first to analyze which frameworks have the most vulnerabilities, which of those are the most weaponized, the most common vulnerability types, and the threats they pose to an organization.
WordPress and Struts are the Most Weaponized: These two frameworks alone accounted for 57% of the weaponized vulnerabilities, those for which exploit code exists to take advantage of the weakness, in the past 10 years. WordPress faced a wide variety of issues, but cross-site scripting (XSS) was the most common problem, while input validation was the biggest risk for the Apache Struts framework.
2019 Vulnerabilities are Down, But Weaponization is Up: While the overall number of framework vulnerabilities was down in 2019 compared to previous years, the weaponization rate jumped to 8.6%, which is more than double the NVD (National Vulnerability Database) average of 3.9% for the same period.
Input Validation Replaces XSS as Top Weakness: While XSS issues were the most common vulnerability over the 10-year study period, they dropped to fifth when analyzed over the last five years. This is a sign that frameworks are making progress in this important area. Meanwhile, input validation has emerged as the top security risk for frameworks, accounting for 24% of all weaponized vulnerabilities over the past five years, mostly affecting Apache Struts, WordPress, and Drupal.
Injection Weaknesses are Highly Weaponized: Vulnerabilities tied to SQL injection, code injection, and various command injections remained fairly rare, but had some of the highest weaponization rates, often over 50%. In fact, the top three weaknesses by weaponization rate were Command Injection (60% weaponized), OS Command Injection (50% weaponized), and Code Injection (39% weaponized).
Srinivas Mukkamala, CEO of RiskSense, said:
“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications. As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”