
WordPress and Apache are most weaponised web and application frameworks

(Image credit: Atm2003 / Shutterstock)

WordPress and Apache are the two web and application frameworks with the most weaponised vulnerabilities, according to a new report from RiskSense.

Analysing vulnerabilities in leading web and application frameworks, RiskSense found the two accounted for more than half (57 percent) of weaponised vulnerabilities in the past 10 years.

WordPress has seen a wide range of issues, with cross-site scripting (XSS) the most common among them. For Apache Struts frameworks, input validation was the biggest risk.

RiskSense found the underlying languages of the two frameworks, PHP and Java, were also the most weaponised languages.

Input validation is the biggest security risk for frameworks, accounting for 24 percent of all weaponised vulnerabilities in the last five years, mostly affecting Apache Struts, WordPress and Drupal.

Overall, the number of framework vulnerabilities fell year-on-year, but the weaponisation rate increased by 8.6 percent. The report says this is more than double the National Vulnerability Database (NVD) average (3.9 percent).

The report claims Ruby on Rails, WordPress and Java were to blame for the uptick.

While cross-site scripting was the most common problem for WordPress in the last 10 years, it was fifth in the last five years, suggesting the framework is making progress where security is concerned.