Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

A study on malicious plugins in WordPress Marketplaces

A group of researchers from the Georgia Institute of Technology discovered malicious plugins on tens of thousands of WordPress sites. A team of researchers from the Georgia Institute of Technology has analyzed the backups of more than 400,000 unique web servers and discovered 47,337 malicious plugins installed on 24,931 unique WordPress websites. The experts studied […]

WordPress malicious plugin

A group of researchers from the Georgia Institute of Technology discovered malicious plugins on tens of thousands of WordPress sites.

A team of researchers from the Georgia Institute of Technology has analyzed the backups of more than 400,000 unique web servers and discovered 47,337 malicious plugins installed on 24,931 unique WordPress websites. The experts studied the evolution of CMS plugins in the production web servers dating back to 2012, to do this they developed an automated framework named YODA to detect malicious plugins.

The number of malicious plugins on WordPress websites has increased over the years, and malicious activity reached a peak in March 2020.

The researchers employed cross-website verification to certify the malicious origin of each website, they also noted that legitimate marketplace, nulled marketplace, and injected plugin categories are mutually exclusive.

“YODA uncovered 47,337 malicious plugins on 24,931 unique websites. Among these, $41.5K had been spent on 3,685 malicious plugins sold on legitimate plugin marketplaces. Pirated plugins cheated developers out of $228K in revenues. Post-deployment attacks infected $834K worth of previously benign plugins with malware.” reads the research paper. “Lastly, YODA informs our remediation efforts, as over 94% of these malicious plugins are still active today.”

WordPress malicious plugin

The researchers noticed that most malicious plugins sold on popular plugin marketplaces do not implement evasion or obfuscation techniques.

Threat actors buy the codebase of popular free plugins and then add malicious code and wait for users to apply automatic updates. In other cases, threat actors impersonated legitimate and benign plugin authors to spread malware via pirated plugins.

The researchers also reported plugin-to-plugin infection, which means that a single malicious plugin on the webserver infects multiple benign plugins, replicating the behavior.

Boffins also studied several marketplaces that were offering a trial of plugins in a model known as “try before you buy.” This gave rise to pirated “trial plugin” marketplaces, also referred to as nulled marketplaces. The term “Nulled plugins” indicates pirated versions of originally paid plugins, freely distributed via nulled marketplaces.

The experts shared the results of their research with CodeGuard which is working on remediating the identified attacks. The bad news is that only 10% of website owners are working to sanitize their installs,

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]