Wordpress.org homepage showing Wordpress plugins with malicious code

Over 47,000 Malicious WordPress Plugins Are Active on Nearly 25,000 Websites

Nearly 25,000 WordPress websites contain malicious WordPress plugins, according to a study by researchers from the Georgia Institute of Technology.

Ninety-four percent of the 47,337 malicious plugins installed between 2012 and 2021 were active on 24,931 unique WordPress websites, each with two or more malicious plugins. According to the study, the installation of malicious plugins increased over time, with a peak in March 2020.

The researchers blamed the “implicit trust in large amount of code with unlimited access to the web server” for the appalling security situation.

Using the researchers’ YODA framework, the findings of the Mistrust Plugins You Must study were based on code, behavioral, and metadata analysis of 400,000 anonymized website backups from CodeGuard.

Website owners bought infected WordPress plugins from legitimate marketplaces

The 8-year study quantified the cost of malicious and pirated WordPress plugins on legitimate marketplaces.

It found that popular and legitimate marketplaces, such as ThemeForest, CodeCanyon, and Easy Digital Downloads, were the sources of 3,685 malicious WordPress plugins.

The researchers found that website owners spent $41,500 on infected plugins sold on paid plugin sites, with post-exploitation attacks valued at $834,000. Similarly, pirated plugins cost WordPress plugin developers $228,000 in lost revenues.

According to the researchers, although the content management systems marketplace generated over $1 billion per year, little was done to ensure the safety and security of customers.

Subsequently, users had to rely on simple indicators such as popularity, ratings, and reviews to determine if a WordPress plugin was safe. Attackers exploited this implicit trust to distribute malicious WordPress plugins to unsuspecting users.

Additionally, they purchased code bases of popular free plugins, injected malicious code, and waited for automatic updates to infect websites that used the free plugin.

“While the website owners trusted the plugin ecosystem and spent a total of $7.3M on only the plugins in our dataset, we found that this trust is often broken for the attackers monetary gains,” the researchers stated.

Additionally, malware developers spoofed benign plugin authors to distribute pirated infected plugins. The researchers discovered 1,354 pirated plugins used in malvertising campaigns.

Cybercriminals pirated versions of paid plugins that offered a trial option, introducing “nulled” plugins containing malicious code. The study found that 97% of nulled plugins from marketplaces such vestathemes[.]com (96%), wplocker[.]com(98%), theme123[.]net(100%), and themelot[.]net (100%) exhibited malicious behaviors. Website owners obtained at least 6,223 malicious plugins from nulled marketplaces.

“Vetting PITAs is also problematic because there are thousands of these PITAs with no clear provenance, testing results, or data flow diagrams,” said Sounil Yu, Chief Information Security Officer at JupiterOne. “Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions.”

Malicious WordPress plugins could cross-infect and enable ATO attacks

The researchers found that malicious WordPress plugins attacked other assets on web servers with WordPress installations. They cross-infected other plugins and exploited existing vulnerabilities to maintain persistence.  At least 40,000 of the infected plugins were compromised post-deployment.

Additionally, the researchers discovered 10,000 web shells and code obfuscation techniques to conceal malicious behavior.

Such exploits could lead to a complete takeover of websites by cyber criminals and other possible attacks.

Unfortunately, website owners did not rid their websites of malicious WordPress plugins, allowing attackers to maintain persistence. According to the research, only 10% of website owners attempted to clean their websites, with 12% of the secured websites reinfected.

Additionally, the research found that while some malicious plugins were no longer available on the marketplace, they still existed on compromised websites.

“WordPress is one of the world’s most popular CMS’ that allows anyone to create dynamic websites,” said John Bambenek, Principal Threat Hunter at Netenrich. “The problem is that it allows anyone to create dynamic websites.

“Most people have their websites operate in a “set and forget” mode, which means they have no idea if there are any changes made as long as the website “works right.”

The researchers stated that website owners should engage experienced developers and security teams to purge malicious WordPress plugins from post-development environments.

According to Cory Cline, Senior Cyber Security Consultant at nVisium, organizations should also vet WordPress plugins before deployment: “This is made easier due to the fact that WordPress plugins are all written in PHP and can have their source code reviewed at will by anybody who wishes to do so.”