A new study from Georgia Institute of Technology researchers has found malicious plugins installed on some 25,000 WordPress websites.
Using a web development tool they named “YODA,” the researchers analyzed backups from over 400,000 web servers and found 47,337 malicious plugins across 24,931 unique WordPress sites. Every compromised website in their dataset had two or more infected plugins, and 94% of the malicious plugins were active.
With YODA, the researchers could also trace the malware in the WordPress plugins back to its source, Georgia Tech’s College of Computing reported Aug. 26. The malware was being sold on the open market or distributed on pirating sites; it was injected into the website by exploiting a vulnerability and, in most cases, infected the WordPress site after the plugin had been added to the installation.
In some cases, the malicious plugins were found to be impersonating benign plugins offered through legitimate marketplaces, sometimes as a trial option on paid plugin sites.
The malicious plugins were also found to attack other plugins on the same WordPress servers in order to spread the infection. The most common forms of exploitation were cross-plugin infection and infection through existing vulnerabilities.
The researchers noted that while the malicious plugins can be damaging, owners can take action, such as purging the malicious plugins and reinstalling malware-free versions that have been scanned for vulnerabilities.
“If an organization absolutely must utilize WordPress, plugins should be thoroughly vetted by experienced development and security teams before being utilized in a production environment,” Cory Cline, senior cybersecurity consultant at application security provider nVisium LLC, told SiliconANGLE. “This is made easier thanks to the fact that WordPress plugins are all written in PHP and can have their source code reviewed at will by anybody who wishes to do so.”
Cline added that the impact of implementing a WordPress plugin that has not been properly vetted could be nonexistent if the plugin is not malicious and does not contain any known vulnerabilities. “However, a malicious WordPress plugin could ultimately lead to a full takeover of any affected WordPress instances,” he said.
Sounil Yu, chief information security officer at cyber asset management and governance solutions provider JupiterOne Inc., noted that this is a problem not only with WordPress but with any software that leverages plugins, integrations and third-party applications, or PITAs.
“Vetting PITAs is problematic because there are thousands of these PITAs with no clear provenance, testing results, or data flow diagrams,” Yu explained. “Security teams have rudimentary approaches, most often giving a cursory look. Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious PITAs do not create problems for their customers.”