Nearly 25,000 WordPress websites contain malicious WordPress plugins, according to a study by researchers from the Georgia Institute of Technology.
Ninety-four percent of the 47,337 malicious plugins installed between 2012 and 2021 were active on 24,931 unique WordPress websites, each with two or more malicious plugins. According to the study, the installation of malicious plugins increased over time, peaking in March 2020.
The researchers blamed “implicit trust in a large amount of code with unrestricted access to the web server” for the dire security situation.
The findings, presented in the study titled “Beware of Plugins You Need”, were produced with the researchers’ YODA framework. The study analyzed the code, behavior, and metadata of 400,000 anonymized CodeGuard website backups.
Website owners purchased infected WordPress plugins from legitimate marketplaces
The eight-year study quantified the cost of malicious and pirated WordPress plugins in legitimate markets.
It found that popular and legitimate marketplaces, such as ThemeForest, CodeCanyon, and Easy Digital Downloads, were the sources of 3,685 malicious WordPress plugins.
Researchers found that website owners spent $41,500 on infected plugins sold on paid plugin sites, while the post-exploitation attacks those plugins enabled were valued at $834,000. Similarly, pirated plugins cost WordPress plugin developers $228,000 in lost revenue.
According to the researchers, although the content management system market generates more than $1 billion a year, little has been done to ensure customer security.
As a result, users had to rely on simple signals such as popularity, ratings, and reviews to judge whether a WordPress plugin was safe. Attackers exploited this implicit trust to distribute malicious WordPress plugins to unsuspecting users.
Moreover, they purchased code bases of popular free plugins, injected malicious code and waited for automatic updates to infect websites that used the free plugin.
“While website owners trusted the plugin ecosystem and spent a total of $7.3 million just on plugins in our data set, we found that this trust is often broken by attackers for monetary gain,” the researchers said.
Additionally, malware developers impersonated benign plugin authors to distribute infected pirated plugins. The researchers uncovered 1,354 pirated plugins used in malvertising campaigns.
Cybercriminals also pirated paid plugins that offered a trial option, releasing “nulled” plugins containing malicious code. The study found that 97% of nulled plugins from marketplaces such as vestathemes[.]com (96%), wplocker[.]com (98%), theme123[.]net (100%), and bundle of themes[.]net (100%) exhibited malicious behavior. Website owners obtained at least 6,223 malicious plugins from nulled-plugin marketplaces.
“Verifying PITAs is also problematic because there are thousands of such PITAs with no clear provenance, test results or data flow diagrams,” said Sounil Yu, director of information security at JupiterOne. “Security teams have rudimentary approaches, most often giving a quick look at what I call the three Ps: popularity, purpose, and permissions.”
Malicious WordPress Plugins Could Infect Other Plugins and Enable Takeover Attacks
Researchers found malicious WordPress plugins attacking other assets on web servers hosting WordPress installations. They cross-infected other plugins and exploited existing vulnerabilities to maintain persistence. At least 40,000 of the infected plugins were compromised after deployment.
Additionally, researchers discovered 10,000 web shells, along with code obfuscation techniques used to conceal malicious behavior.
Such exploits could lead to complete website takeovers by cybercriminals and other possible attacks.
Unfortunately, website owners largely failed to rid their websites of malicious WordPress plugins, allowing attackers to maintain persistence. According to the study, only 10% of website owners attempted to clean their websites, and 12% of the cleaned websites were re-infected.
Moreover, the research revealed that even though some malicious plugins were no longer available in the market, they still existed on compromised websites.
“WordPress is one of the most popular CMS in the world that allows anyone to build dynamic websites,” said John Bambenek, Principal Threat Hunter at Netenrich. “The problem is that it allows anyone to create dynamic websites.
“Most people run their websites in ‘set and forget’ mode, which means they have no idea if any changes have been made as long as the website is ‘working fine’.”
The researchers said website owners should hire experienced developers and security teams to purge malicious WordPress plugins from post-development environments.
According to Cory Cline, senior cybersecurity consultant at nVisium, organizations should also verify WordPress plugins before deployment: “This is facilitated by the fact that WordPress plugins are all written in PHP and their source code can be reviewed at will by anyone who wants to.”
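Part of the verification and the post-deployment monitoring the article calls for can be automated. The following is an added example, not code from the study or from any WordPress project: it records a SHA-256 baseline of a plugin's PHP files so that later changes (the “set and forget” problem described above) become visible, and it flags a few static constructs, such as eval() of a base64-decoded string, that a reviewer would check first. The sample plugin tree and the indicator list are constructed for illustration; for a real plugin, build the same path-to-content dict from the plugin directory.

```python
import hashlib
import re

# Constructed sample plugin tree (not from the study or any real plugin): the
# second file mimics the decode-then-eval pattern common in obfuscated payloads.
SAMPLE_PLUGIN = {
    "demo-plugin.php": "<?php\n/* Plugin Name: Demo */\nfunction demo_init() { return 1; }\n",
    "inc/helper.php": "<?php\n$k = $_POST['x'];\neval(base64_decode($k));\n",
}

# Static indicators that warrant a human look; a hit is a review trigger,
# not proof of malice, since some legitimate plugins also use base64.
INDICATORS = [
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval() of a decoded payload"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "shell command built from request input"),
    (re.compile(r"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"), "assert() on request input"),
    (re.compile(r"\bcreate_function\s*\("), "create_function() (dynamic code)"),
]

def file_manifest(files):
    """Map each relative path to the SHA-256 of its content (baseline or current state)."""
    return {path: hashlib.sha256(body.encode()).hexdigest() for path, body in files.items()}

def manifest_diff(baseline, current):
    """Report files added, removed or changed since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def scan_indicators(files):
    """Return (path, line_number, label) for every indicator hit, checked line by line."""
    hits = []
    for path, body in files.items():
        for lineno, line in enumerate(body.splitlines(), 1):
            for pattern, label in INDICATORS:
                if pattern.search(line):
                    hits.append((path, lineno, label))
    return hits

if __name__ == "__main__":
    baseline = file_manifest(SAMPLE_PLUGIN)
    tampered = {**SAMPLE_PLUGIN, "inc/extra.php": "<?php\n"}  # simulate a file dropped after deployment
    print(manifest_diff(baseline, file_manifest(tampered)))
    for path, lineno, label in scan_indicators(SAMPLE_PLUGIN):
        print(f"{path}:{lineno}  {label}")
```

Run the manifest step once on a freshly reviewed install and again on a schedule; any entry in the diff is a change the site owner did not make knowingly and should be inspected.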