Vast numbers of applications written in web scripting languages do not meet an industry standard benchmark, with millions of websites potentially vulnerable as a result.
In a new report from Veracode, the firm says that four of out of five applications written in PHP, Classic ASP and ColdFusion failed to meet the OWSAP 10 standard.
The firm found that 86% of PHP-based applications contain at least one Cross-Site Scripting (XSS) vulnerability, while 56% have at least one SQL injection (SQLi).
Of particular concern is that the top 3 CMSs, WordPress, Joomla and Drupal, have large numbers of PHP applications developed for them. Those platforms combined make up 70% of all the CMSs in use, potentially leaving millions of websites vulnerable.
The recent mega breach of Paysafe was thought to involve exploiting a Joomla vulnerability.
Furthermore, those written in Classic ASP and ColdFusion have nearly twice as much chance of containing a XSS or an SQLi these flaws compared to those written in .NET and Java.
"When organisations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to assess for them," said Chris Wysopal, Veracode CISO and CTO.