55% of all exploited vulnerabilities are related to WordPress and Apache Struts

RiskSense experts did a great job and examined all the vulnerabilities found between 2010 and 2019. As it turned out, in 55% of cases, attackers exploit vulnerabilities in WordPress and Apache Struts in real attacks.

The third most popular hacker is CMS Drupal, followed by Ruby on Rails and Laravel. As for programming languages, the most attacked were vulnerabilities in PHP and Java applications.

“At the same time, bugs in JavaScript and Python turned out to be the least popular, although this may change in the next years, since both languages are now very popular, and their adoption is growing rapidly”, – experts of RiskSense consider.

In particular, users and information security companies are advised to follow Node.js and Django, the two most popular frameworks for the JavaScript and Python ecosystems. Thus, significantly more vulnerabilities were found in Node.js than in other JavaScript frameworks – 56 vulnerabilities, although so far only one has been actively used.

In the same way, 66 vulnerabilities were discovered in Django, but only one was exploited. RiskSense researchers expect that hackers will soon turn their eyes to these rising stars of the programming world and at the same tine explore the possibility of exploiting old bugs.

It is also noted that Perl and Ruby, which were extremely popular in the early 2010s, are now less and less attacked, as programmers switched to JavaScript and Python at the end of the decade. Moreover, as we said, Python overcame JavaScript in popularity among developers.

In addition, RiskSense researchers examined the types of exploited vulnerabilities. It turned out that although cross-site scripting (XSS) errors were the most common security errors discovered in the 2010s, they were not the most used.

Now, this title has been awarded various injection related bugs that can be abused to deploy and run your own commands in the context of the victim’s application or OS.

“Vulnerabilities associated with SQL injections, code, and various commands were quite rare, but at the same time they had one of the highest exploitation rates – often more than 50%”, — the experts conclude.

We talked about vulnerabilities to SQL injections, for example, in the Duplicate Page plugin for WordPress, which is just part of the statistics on which is based the RiskSense study.