55% of Discovered Weaponized Bugs Target WordPress and Apache Struts

A recent study focused on analyzing all the vulnerabilities disclosed over the past decade resulted in quite an interesting discovery. [RiskSense] According to analysts, around 55% of all security vulnerabilities that have been discovered, weaponized, and exploited during this period were for only two major application frameworks – Apache Struts and WordPress.

A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks: WordPress and Apache Struts. https://t.co/IDJTATWx1z

— Adam Levin (@Adam_K_Levin) March 17, 2020

The company conducting the study is risk analysis firm RiskSense. Its report also found that the Drupal content management system ranked as third on the list, with Ruby on Rails and Laravel following closely.

Other concerning findings

When it comes to programming languages, the most vulnerabilities that were weaponized during the same period were found in PHP and Java apps. The least weaponized bugs were found in Python and JavaScript, although the company estimates that this might change over the coming several years, as the languages are becoming increasingly popular. They also noted that developers and users alike should keep a close eye on Node.js and Django, which are the two most commonly used application frameworks for JavaScript and Python ecosystems. Nofe.js was discovered to have around 56 vulnerabilities, which is higher than any other framework for JavaScript, while Django has 66, which is the highest for Python, although only one of them was weaponized per framework thus far. However, while the weaponization itself still remains low, the number of vulnerabilities is quite high, which makes them both potentially dangerous. And it is only a matter of time before hackers start focusing more on them. On the other hand, Perl and Ruby programming languages started seeing fewer and fewer weaponized vulnerabilities over the decade, as their popularity faded. Researchers also paid attention to the vulnerability types, noting that cross-site scripting (XSS) bugs were the most common in the early 2010s but were not the most weaponized ones. The ones that were the most weaponized include injection-based flaws, which could allow hackers to inject their own commands into the systems.