SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration
SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration

All Entries

Category Vulnerable and Outdated Components
Typical Severity High
OWASP A06:2021 – Vulnerable and Outdated Components
CWE CWE-1104 – Use of Unmaintained Third-Party Components
Also known as Using Components with Known Vulnerabilities, Dependency Risk, Software Supply-Chain Risk
Affected systems WordPress, Joomla, Drupal, Magento, any web application using jQuery, Bootstrap, React, Angular, or other third-party libraries
Common CVE examples CVE-2019-11043 (PHP-FPM), CVE-2020-11022 / CVE-2020-11023 (jQuery XSS), CVE-2022-21661 (WordPress SQL injection)

Overview

Web applications commonly rely on third-party software — content management systems (CMS) such as WordPress, Joomla, or Drupal; server-side frameworks; and client-side libraries such as jQuery, Bootstrap, or Lodash. When these components are not kept up to date, any publicly disclosed vulnerability in an older version becomes an immediately exploitable attack surface.

This category ranked sixth in the OWASP Top 10 2021 (A06) and has appeared in every edition of the list since its inception. The risk is compounded by the sheer volume of plugins, themes, and transitive dependencies that accompany modern web stacks — each representing an independent point of potential compromise.

Sensagraph automatically fingerprints CMS platforms, plugins, themes, and JavaScript libraries in use and cross-references detected versions against known vulnerability databases.

How it works

Version detection and exploit weaponisation follow a predictable sequence:

  • Version disclosure: Many CMS installations expose their version in HTML meta tags (<meta name="generator">), readme files (/readme.html, /CHANGELOG.txt), HTTP response headers, or JavaScript file paths with version query strings (e.g., jquery-1.11.1.min.js).
  • Public vulnerability matching: Once a version is known, attackers query databases such as the National Vulnerability Database (NVD), WPScan Vulnerability Database, or Exploit-DB to find confirmed CVEs targeting that version.
  • Automated exploitation: Many vulnerabilities in popular CMS platforms or libraries have public proof-of-concept (PoC) code or are integrated into automated scanning and exploitation toolkits, lowering the skill threshold for attackers significantly.
  • Plugin and theme risk: In WordPress, for example, third-party plugins represent the majority of disclosed CVEs. A fully updated WordPress core with a single outdated plugin remains vulnerable.
  • Client-side library risk: Outdated jQuery versions are associated with DOM-based cross-site scripting (XSS) vulnerabilities (CVE-2020-11022, CVE-2020-11023). These can be triggered even when the server-side application is otherwise secure.
  • Transitive dependencies: A first-party dependency may itself depend on a vulnerable library, meaning the application inherits risk without a direct dependency declaration.

Business impact

The consequences of exploiting known vulnerabilities in outdated components range from moderate to catastrophic depending on the nature of the underlying CVE:

  • Remote code execution (RCE): Certain CMS and plugin vulnerabilities allow unauthenticated attackers to execute arbitrary code on the server, leading to full system compromise, data exfiltration, or ransomware deployment.
  • SQL injection: Outdated plugins or CMS versions may contain SQLi flaws enabling extraction of the entire database, including credentials, personally identifiable information (PII), and payment data.
  • Cross-site scripting (XSS): Vulnerable JavaScript libraries such as older jQuery versions can be used to inject malicious scripts that steal session cookies, perform phishing overlays, or redirect users to malicious sites.
  • Website defacement and SEO poisoning: Attackers routinely use mass-exploitation tools against outdated CMS installations for defacement or injecting spam links, harming search engine rankings.
  • Compliance and regulatory exposure: Running components with known CVEs can constitute a violation of PCI DSS (Requirement 6.3.3), GDPR Article 32, and ISO/IEC 27001 controls requiring timely patch management.
  • Supply-chain propagation: Compromised websites can be used to serve malware to visitors or act as staging servers for attacks on other targets.

How to fix it

  1. Maintain a software inventory: Enumerate every CMS, framework, plugin, theme, and client-side library in use, including their current version. Tools such as Composer (PHP), npm/Yarn (JavaScript), and pip (Python) can generate dependency lockfiles for this purpose.
  2. Enable automatic or scheduled updates: For WordPress core, enable automatic background updates. For plugins and themes, evaluate auto-update suitability per component. For npm/Composer dependencies, integrate automated dependency update tools such as Dependabot or Renovate into CI/CD pipelines.
  3. Subscribe to security advisories: Monitor vendor security mailing lists, the WordPress Security Blog, WPScan Vulnerability Database, NVD (nvd.nist.gov), and GitHub Security Advisories relevant to your technology stack.
  4. Remove unused components: Deactivated but installed plugins or libraries still represent attack surface. Uninstall components that are not actively required.
  5. Use a software composition analysis (SCA) tool: Integrate SCA into the CI/CD pipeline to fail builds or raise alerts when a dependency with a known CVE above a defined severity threshold is introduced.
  6. Minimise version disclosure: Remove or restrict access to files that expose version information (e.g., /readme.html, /wp-admin/ for unauthenticated users). While security through obscurity is not a primary control, reducing information availability slows opportunistic scanners.
  7. Apply a web application firewall (WAF) as a compensating control: A WAF with rules targeting known CVE exploit patterns can provide temporary protection while patches are tested and deployed, but must not be treated as a substitute for patching.
  8. Test updates in a staging environment: Establish a staging environment that mirrors production to validate updates before deployment, reducing the risk of update-induced breakage as a reason to defer patching.
  9. Define a patch management SLA: Establish written policy defining maximum acceptable time-to-patch windows by severity (e.g., critical CVEs within 24–72 hours, high within 7 days, medium within 30 days).

References

Frequently asked questions

Version information is frequently exposed through HTML meta generator tags, JavaScript file names with version strings, publicly accessible readme or changelog files, and HTTP response headers. Automated scanners can detect these indicators within seconds of a single HTTP request.

No. The majority of WordPress CVEs are associated with third-party plugins and themes rather than the core application. Each installed plugin must be independently maintained and updated. Unused plugins should be completely removed, not merely deactivated.

Yes. The vulnerability exists in the jQuery code itself, regardless of where it is hosted. If the version contains a known XSS flaw (such as CVE-2020-11022), any page that loads and uses that version is potentially exploitable. You should update to a patched version whether it is hosted locally or via a CDN.

A CMS vulnerability resides in the core platform code (e.g., WordPress, Drupal). A dependency vulnerability resides in a library that the CMS or application relies upon (e.g., a jQuery version bundled with a theme, or a PHP library used by a plugin). Both classes require active version management, but they are tracked in separate advisory sources and may require different remediation workflows.

Research consistently shows that mass exploitation of publicly disclosed CMS vulnerabilities — particularly for WordPress plugins — can begin within hours to days of CVE publication. Delayed patching windows of weeks or months are therefore extremely high risk for popular, widely deployed CMS platforms.

No. A WAF is a compensating control that can reduce exploitability while patches are applied, but it does not remediate the underlying vulnerability. WAF rules can be bypassed, and not all exploit patterns are covered. Patching or upgrading the vulnerable component remains the required remediation.