Researchers from the Georgia Institute of Technology have found malicious plugins installed on some 25,000 WordPress websites, according to a new study.
Analyzing backups of over 400,000 web servers with a plugin-analysis tool they call “YODA”, the researchers found 47,337 malicious plugins on 24,931 unique WordPress sites. Every compromised website in the data set carried two or more infected plugins, and 94% of the malicious plugins were active at the time of analysis.
Using YODA, the researchers were also able to trace the malware found in the plugins back to its source, Georgia Tech’s College of Computing reports. The malware was found being sold on the open market or distributed on hacking sites. It reached a site either by being injected through an exploited vulnerability or, in most cases, by the site owner adding the plugin to WordPress themselves.
In some cases, the malicious plugins have been found to mimic benign plugins offered on legitimate marketplaces, sometimes as a trial option on paid plugin sites.
The malicious plugins were also found to attack other plugins on the same WordPress server in order to spread. The two most common routes of infection were this cross-infection between plugins and the exploitation of existing vulnerabilities.
The researchers noted that while malicious plugins can be harmful, site owners can take steps to remediate, such as purging the malicious plugins and reinstalling malware-free versions that have been scanned for vulnerabilities.
“If an organization absolutely must use WordPress, the plugins should be thoroughly vetted by experienced development and security teams before being used in a production environment,” Cory Cline, senior cybersecurity consultant at the application security vendor nVisium LLC, told SiliconANGLE. “This is facilitated by the fact that the WordPress plugins are all written in PHP and can have their source code reviewed at will by anyone who wishes.”
“The impact of implementing a WordPress plugin that has not been properly vetted could be non-existent if the plugin is not malicious and contains no known vulnerabilities,” Cline added. “However, a malicious WordPress plugin could ultimately lead to a complete takeover of all affected WordPress instances.”
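One way to put the remediation and vetting advice above into practice, as an added example that is not code from the Georgia Tech study, from nVisium or from SiliconANGLE: a Python script that checks each installed plugin against a baseline of file hashes taken from a clean reinstall (catching modified files, files added by cross-infection from a neighbouring plugin, and deleted files) and then greps every file for a few dropper indicators that a manual PHP review would look for. The wp-content/plugins layout, the baseline manifest, the indicator patterns and the two sample plugins are all constructed assumptions for the demonstration, not artifacts from the study.

```python
"""Offline integrity and indicator audit of a WordPress plugins directory.

Added example, not code from the study or the vendors quoted. Assumes a
directory laid out like wp-content/plugins/<slug>/... and a baseline manifest
of SHA-256 hashes taken from a clean, scanned reinstall of each plugin. The
sample plugins, the baseline and the indicator patterns are constructed here.
"""
import hashlib
import os
import re
import tempfile

# Indicators common in obfuscated PHP droppers (an assumption, not the study's list).
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "shell_from_request": re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "create_function": re.compile(rb"\bcreate_function\s*\("),
}


def hash_tree(root):
    """Map each file's slash-separated relative path to its SHA-256 hex digest."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def diff_against_baseline(actual, baseline):
    """Return (modified, added, missing) relative paths versus the clean manifest."""
    modified = sorted(p for p in actual if p in baseline and actual[p] != baseline[p])
    added = sorted(p for p in actual if p not in baseline)
    missing = sorted(p for p in baseline if p not in actual)
    return modified, added, missing


def scan_file(path):
    """Names of indicator patterns that match the file's bytes, sorted."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(data))


def audit_plugins(plugins_dir, baseline):
    """Per-plugin report of integrity drift plus indicator hits in every file."""
    report = {}
    for slug in sorted(os.listdir(plugins_dir)):
        root = os.path.join(plugins_dir, slug)
        if not os.path.isdir(root):
            continue
        actual = hash_tree(root)
        modified, added, missing = diff_against_baseline(actual, baseline.get(slug, {}))
        indicators = {}
        for rel in actual:
            hits = scan_file(os.path.join(root, rel))
            if hits:
                indicators[rel] = hits
        report[slug] = {"modified": modified, "added": added,
                        "missing": missing, "indicators": indicators}
    return report


def build_sample():
    """Constructed fixture: two clean plugins, a baseline, then a simulated infection."""
    plugins_dir = tempfile.mkdtemp(prefix="wp-plugins-")
    clean = {
        "hello-clean/hello.php": b"<?php\n/* Plugin Name: Hello Clean */\n"
                                 b"add_action('init', 'hc_init');\nfunction hc_init() {}\n",
        "seo-booster/seo.php": b"<?php\n/* Plugin Name: SEO Booster */\n"
                               b"add_filter('the_title', 'sb_title');\n"
                               b"function sb_title($t) { return $t; }\n",
    }
    for rel, body in clean.items():
        path = os.path.join(plugins_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    # Baseline is recorded from the clean tree, as after a scanned reinstall.
    baseline = {slug: hash_tree(os.path.join(plugins_dir, slug))
                for slug in ("hello-clean", "seo-booster")}
    # Simulated infection: a web-shell appended to seo-booster's main file, and a
    # dropper cross-infecting hello-clean with a file the baseline never had.
    with open(os.path.join(plugins_dir, "seo-booster", "seo.php"), "ab") as fh:
        fh.write(b"if (isset($_GET['c'])) { system($_GET['c']); }\n")
    with open(os.path.join(plugins_dir, "hello-clean", "cache.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode('cGhwaW5mbygpOw=='));\n")
    return plugins_dir, baseline


if __name__ == "__main__":
    sample_dir, sample_baseline = build_sample()
    for slug, entry in audit_plugins(sample_dir, sample_baseline).items():
        print(slug, entry)
```

On a live site the baseline would come from a fresh download of each plugin rather than from the possibly compromised install; for plugins hosted on wordpress.org, WP-CLI’s `wp plugin verify-checksums` compares against the repository’s published hashes, but it says nothing about plugins from other marketplaces, which is where the indicator scan and a manual read of the PHP still have to do the work.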
Sounil Yu, head of information security at cyber asset management and governance solution provider JupiterOne Inc., noted that this is a problem not just with WordPress but with any software that leverages what he calls PITAs: third-party plugins, integrations and apps.
“Verifying PITAs is problematic because there are thousands of these PITAs with no clear provenance, test results, or data flow diagrams,” Yu explained. Like the app stores run by Apple and Google, marketplaces need to do more checks to make sure that malicious PITAs aren’t creating problems for their customers.