Web vulnerabilities in 2017 surge 212% — study

Font Size

The number of web application vulnerabilities soared to an alarming rate in 2017, with more than a third these vulnerabilities unsolvable by any software fix, a study by Internet security firm showed.

Local DDoS Mitigation Services provider IPC cited a report by its global partner, Imperva Incapsula, which revealed that vulnerabilities went up by 212% in 2017 with 14,082 recorded, as compared to 6,615 in the previous year. The report also showed that more than half of these vulnerabilities have a public exploit available to hackers, and that more than a third (36%) don’t have an available solution such as a software upgrade workaround or software patch.

Niño Valmonte, IPC’s Director for Marketing & Digital Innovation, said that money is the main motivator in the rapid increase of Web vulnerabilities. “Websites are common targets because they can generate a substantial amount of money for cybercriminals. For instance, an e-commerce website would normally store personal information. In the wrong hands, we already know the kind of risk we can get exposed to. Also, criminals can hold websites up for ransom from company owners.”

Ransomware, the method of putting up a website for ransom is a global phenomenon that is predicted to exceed $11.5 billion annually by 2019, according to IPC. The most common form of payment sought from victims in order to get their websites back is the popular cryptocurrency Bitcoin.

Content of websites in peril
Another alarming statistics that the study revealed is the increasing number of vulnerabilities in Content Management Systems (CMS), a tool used to create and manage content posted on a website. The study revealed that WordPress, one of the most commonly used CMS today, posted a 400% increase in new vulnerabilities since 2016, with 75% coming from third-party vendor plugins.


IPC urged businesses to be wary of this as when successfully infiltrated, cybercriminals can use the CMS to edit, remove, and even post content on a website. The damage may range from altering text to even changing the visual appearance of the entire website, a tactic commonly known as defacement. Criminals can also extract sensitive information stored inside a website through the CMS.

“These findings should serve as a wake-up call for organizations to put up stronger web security protocols. CMS infiltration should not be taken lightly because this is only the tip of the iceberg. CMS attacks also pose risks to personal and confidential data,” Mr. Valmonte said.

To protect one’s website, IPC recommends deploying security measures such as applying a Web Application Firewall (WAF) that can monitor and control incoming web traffic.