Virtualization Technology News and Information
Malicious Plugins Found on Nearly 25,000 WordPress Sites


Researchers at Georgia Institute of Technology have identified malicious plugins on tens of thousands of WordPress websites.

An analysis of nightly backups of over 400,000 unique web servers has revealed the existence of more than 47,000 malicious plugins installed on almost 25,000 unique WordPress websites. More than 94% of these plugins continue to be in use today.

Here is what a few industry experts had to say:


Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions:

"This is a widespread problem, not just with WordPress, but with any software that leverages what I call PITAs: plugins, integrations, and third-party applications. As with smartphones, PITAs extend the capabilities of the core product, but they are also a pain-in-the-ass for security teams because they significantly increase the attack surface of the core product.

Vetting PITAs is also problematic because there are thousands of these PITAs with no clear provenance, testing results, or data flow diagrams. Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions. Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious PITAs do not create problems for their customers."


Cory Cline, Senior Cyber Security Consultant at nVisium, a Falls Church, Virginia-based application security provider:

"WordPress itself generally comes into the picture when organizations want to save on development costs. Inherently, this moves the scope of trust to include the developers of WordPress and any plugins in use. Ideally, development teams should not arbitrarily implement plugins, regardless of apparent positive reviews. If an organization absolutely must utilize WordPress, plugins should be thoroughly vetted by experienced development and security teams before being utilized in a production environment. This is made easier due to the fact that WordPress plugins are all written in PHP and can have their source code reviewed at will by anybody who wishes to do so. The impact of implementing a WordPress plugin that has not been properly vetted could be nonexistent if the plugin is not malicious and does not contain any known vulnerabilities. However, a malicious WordPress plugin could ultimately lead to a full takeover of any affected WordPress instances."


Bud Broomhead, CEO at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene:

"WordPress is very widely used, but not by IT or Security professionals; it's managed by marketing or web design professionals who are in a hurry and won't typically check too deeply on security issues. Installing is easy, and removing is an afterthought or never done. Therefore if the plug-in does not perform the desired function it may remain in the active WordPress deployment for a long time.

Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress. Even with WordPress issuing alerts about plug-ins being vulnerable, other priorities than security may delay the removal of malicious plug-ins."


Mike Parkin, Senior Technical Engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation:

"The code driving modern websites has become increasingly complex, with content management systems (CMS) and their associated plugins doing most of the work behind the scenes. The days of a webmaster jumping into a shell and editing in vi are decades in the past. Unfortunately, managing and vetting all of the plugins that can appear on the CMS marketplaces can be a challenge. The end users may never even review the code they've installed, and often don't have the skills needed to identify malicious code even if they did. The marketplace almost certainly has a policy that forbids malicious plugins, but they may not have the resources to properly vet everything they host.

While we can hope the marketplaces will do more to prevent or at least remove malicious plugins when they find them, organizations that use plugins with their CMS platforms will have to do a better job of vetting the plugins they choose to deploy. Whether they rely on reviewing the code themselves or using a security tool doesn't matter. While the marketplace should only host legitimate plugins, making sure a site is safe ultimately falls to the site's owner."
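Two of the comments above point at the same practical gap: Cline notes that every WordPress plugin is plain PHP whose source anyone can read, and Parkin says site owners must vet what they deploy, by reading the code or by running a security tool. The script below is an added example for this article, not code from the article, from any of the commentators, or from WordPress. It walks a plugins tree (normally `wp-content/plugins`) and flags the idioms that most often distinguish a malicious plugin from a merely sloppy one: `eval` over a decoded blob, the `/e` regex modifier, calls through variables, shell execution, hard-coded remote fetches, and long packed payload literals. The two embedded plugin files are constructed samples, the rule weights are arbitrary triage values chosen for the example, and a hit is a lead for a human reviewer rather than proof of malice, since legitimate plugins also call `base64_decode()` or `exec()`.

```python
"""Heuristic triage of WordPress plugin PHP sources for common malware idioms.

Added example for this article; not code from the article, its commentators
or WordPress. Hits are leads for a human reviewer, not proof of malice.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Each rule: (name, regex, weight). Weights are arbitrary triage values chosen
# for this example; a higher total means "open this file first".
RULES = [
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("decoder", re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 1),
    ("eval_of_decoder", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 4),
    ("eval_of_request", re.compile(r"\beval\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b"), 4),
    # preg_replace() with the /e modifier executed the replacement as PHP code.
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[A-Za-z]*e[A-Za-z]*['\"]"), 4),
    # $name(...) calls whatever function name the variable holds; the real
    # target is hidden from a plain text search for "assert(" or "system(".
    ("var_func", re.compile(r"\$[A-Za-z_]\w*\s*\("), 2),
    ("shell", re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("), 3),
    ("remote_fetch", re.compile(
        r"\b(?:file_get_contents|curl_init|fopen|include|require)(?:_once)?\s*\(\s*['\"]https?://"), 2),
    # A long unbroken base64-alphabet literal is usually a packed payload.
    ("long_blob", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"), 2),
]


@dataclass
class Finding:
    rule: str
    line: int      # 1-based line of the match
    snippet: str   # matched text, trimmed for display
    weight: int


def scan_source(text: str) -> list[Finding]:
    """Run every rule over one PHP file's text and return all hits."""
    findings = []
    for name, rx, weight in RULES:
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            snippet = m.group(0)
            if len(snippet) > 60:
                snippet = snippet[:57] + "..."
            findings.append(Finding(name, line, snippet, weight))
    return findings


def score(findings: list[Finding]) -> int:
    return sum(f.weight for f in findings)


def scan_plugin_dir(root: str) -> dict[str, list[Finding]]:
    """Scan every .php file under root; files with no hits are omitted."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


# Constructed sample plugins for the demo; neither is a real plugin.
BENIGN_PLUGIN = """<?php
/*
Plugin Name: Hello Footer (constructed sample)
*/
add_action('wp_footer', function () {
    echo esc_html(get_option('hello_footer_text', 'Hello'));
});
"""

SUSPICIOUS_PLUGIN = """<?php
/*
Plugin Name: SEO Booster Lite (constructed sample)
*/
$k = "%s";
eval(base64_decode($k));
if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }
$f = 'assert'; $f($_COOKIE['p']);
preg_replace('/.*/e', $_POST['x'], '');
""" % ("QUFB" * 40)   # 160-character base64-alphabet blob stands in for a payload


def demo() -> list[tuple[str, int]]:
    """Write both samples into a temporary plugins tree, scan it, and return
    (relative path, score) pairs ranked worst-first."""
    with tempfile.TemporaryDirectory() as root:
        for slug, src in (("hello-footer", BENIGN_PLUGIN), ("seo-booster-lite", SUSPICIOUS_PLUGIN)):
            os.makedirs(os.path.join(root, slug))
            with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as fh:
                fh.write(src)
        results = scan_plugin_dir(root)
    return sorted(((p, score(f)) for p, f in results.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    for path, total in demo():
        print(f"{total:3d}  {path}")
    for f in scan_source(SUSPICIOUS_PLUGIN):
        print(f"  line {f.line:2d} [{f.rule}] {f.snippet}")
```

Point `scan_plugin_dir()` at a site's `wp-content/plugins` and read the highest-scoring files first. For plugins that come from the official directory, comparing the installed tree against the published checksums (WP-CLI's `wp plugin verify-checksums`) is a more decisive check than any pattern match; this heuristic is for what that comparison cannot cover, such as plugins from third-party marketplaces, nulled copies, or files added after installation.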


John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based security and operations analytics SaaS company:

"WordPress is one of the world's most popular CMSs that allow anyone to create dynamic websites. The problem is that it allows anyone to create dynamic websites. Most people have their websites operate in a 'set and forget' mode, which means they have no idea if there are any changes made as long as the website 'works right'. Unfortunately, it takes time and expertise to secure websites so while the barrier of entry onto the web has never been lower, no one has lowered the barrier to securing their web presence."


Published Monday, September 05, 2022 9:49 AM by David Marshall