
Eight-Year Study Shows the Dark Side of WordPress Plugins

A new look into the world of WordPress plugins is showing scientists that this basic component of website development is a minefield full of malware and danger.

Since 2012 researchers in the Georgia Tech Cyber Forensics Innovation Laboratory (CyFI Lab) have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites through a web development tool they named YODA.

According to a newly released paper about the eight-year study, the researchers found that every compromised website in their dataset had two or more infected plugins. The findings also indicated that 94% of those plugins are still actively infected.

“This is an under-explored space,” said Ph.D. student Ranjita Pai Kasturi, who was the lead researcher on the project. “Attackers do not try very hard to hide their tracks and often rightly assume that website owners will not find them.”

YODA is not only able to detect active malware in plugins, but it can also trace the malicious software back to its source. This allowed the researchers to determine where each malicious plugin came from: some were sold on the open market or distributed from pirating sites, some were injected into the website by exploiting a vulnerability, and most were infected after the plugin had already been added to a website.

According to the paper written by Kasturi and her colleagues, over 40,000 plugins in their dataset were shown to have been infected after they were deployed. The team found that the malware would attack other plugins on the site to spread the infection.

“These infections were a result of two scenarios. The first is cross-plugin infection, in which case a particular plugin developer cannot do much,” said Kasturi. “Or it was infected by exploiting existing plugin vulnerabilities. To fix this, plugin developers can scan for vulnerabilities before releasing their plugins for public use.”

Although these malicious plugins can be damaging, Kasturi adds that it’s not too late to save a website that has a compromised plugin. Website owners can purge malicious plugins entirely from their websites and reinstall a malware-free version that has been scanned for vulnerabilities. To give web developers an edge over this problem, the CyFI Lab has made the YODA code available to the public on GitHub.
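The purge-and-reinstall advice above raises a practical question: which plugins on a site still match a clean release, and which have drifted? The script below is an added example written for this page; it is not the CyFI Lab's YODA and not code from the paper. It compares a snapshot of a site's plugin directory against per-plugin manifests of SHA-256 hashes taken from clean copies, reporting files that were modified, added or removed after deployment (the post-deployment and cross-plugin infection pattern the study describes) and treating any plugin with no clean baseline at all, such as one obtained outside the official marketplace, as a candidate for removal. The plugin names, file contents and baselines are constructed for the example; in practice the baseline would be built from a freshly downloaded, scanned release of each plugin.

```python
"""Plugin integrity audit (added example; not CyFI Lab's YODA)."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed clean releases: what a freshly downloaded, scanned copy of
# each plugin should contain (plugin slug -> {relative path: bytes}).
CLEAN_PLUGIN_SOURCES = {
    "contact-form": {
        "contact-form/contact-form.php": b"<?php\n/* Plugin Name: Contact Form */\n"
                                         b"function cf_render() { return '<form></form>'; }\n",
        "contact-form/readme.txt": b"=== Contact Form ===\nStable tag: 1.0\n",
    },
    "seo-helper": {
        "seo-helper/seo-helper.php": b"<?php\n/* Plugin Name: SEO Helper */\n"
                                     b"function seo_meta() { return ''; }\n",
    },
}


def build_manifest(files: dict) -> dict:
    """Map each file path of a clean release to its SHA-256 hash."""
    return {path: sha256_hex(data) for path, data in files.items()}


BASELINE_MANIFESTS = {slug: build_manifest(files) for slug, files in CLEAN_PLUGIN_SOURCES.items()}

# Constructed snapshot of wp-content/plugins on a site: contact-form is
# untouched, seo-helper has a modified file and an extra file, and
# wp-optimizer-pro has no clean baseline to compare against.
DEPLOYED_SNAPSHOT = {
    "contact-form/contact-form.php": CLEAN_PLUGIN_SOURCES["contact-form"]["contact-form/contact-form.php"],
    "contact-form/readme.txt": CLEAN_PLUGIN_SOURCES["contact-form"]["contact-form/readme.txt"],
    "seo-helper/seo-helper.php": CLEAN_PLUGIN_SOURCES["seo-helper"]["seo-helper/seo-helper.php"]
                                 + b"/* constructed: code appended after deployment */\n",
    "seo-helper/includes/cache.php": b"<?php /* constructed: file absent from the clean release */\n",
    "wp-optimizer-pro/wp-optimizer-pro.php": b"<?php /* constructed: plugin with no known-good copy */\n",
}


@dataclass
class PluginReport:
    slug: str
    modified: list = field(default_factory=list)  # hash differs from the clean release
    added: list = field(default_factory=list)     # present on disk, absent from the release
    missing: list = field(default_factory=list)   # in the release, absent from disk

    @property
    def clean(self) -> bool:
        return not (self.modified or self.added or self.missing)


def audit_plugins(snapshot: dict, baselines: dict):
    """Compare every deployed plugin against its clean manifest.

    Returns (reports keyed by slug, sorted slugs that have no baseline).
    """
    reports = {}
    for slug, manifest in baselines.items():
        report = PluginReport(slug)
        prefix = slug + "/"
        deployed = {p: sha256_hex(d) for p, d in snapshot.items() if p.startswith(prefix)}
        for path, expected in manifest.items():
            if path not in deployed:
                report.missing.append(path)
            elif deployed[path] != expected:
                report.modified.append(path)
        for path in deployed:
            if path not in manifest:
                report.added.append(path)
        reports[slug] = report
    unknown = sorted({p.split("/", 1)[0] for p in snapshot} - set(baselines))
    return reports, unknown


def plugins_to_reinstall(snapshot: dict, baselines: dict) -> list:
    """Slugs that should be purged and reinstalled from a clean, scanned copy."""
    reports, unknown = audit_plugins(snapshot, baselines)
    return sorted([slug for slug, r in reports.items() if not r.clean] + unknown)


if __name__ == "__main__":
    reports, unknown = audit_plugins(DEPLOYED_SNAPSHOT, BASELINE_MANIFESTS)
    for slug, r in reports.items():
        status = "clean" if r.clean else f"modified={r.modified} added={r.added} missing={r.missing}"
        print(f"{slug}: {status}")
    print("no baseline:", unknown)
    print("purge and reinstall:", plugins_to_reinstall(DEPLOYED_SNAPSHOT, BASELINE_MANIFESTS))
```

Hashing whole files against a known-good manifest catches the two things the study highlights (code appended to an existing plugin file and new files dropped into a plugin directory) without needing a signature for the malware itself; a plugin that cannot be matched to any clean release is reported separately, since there is nothing to verify it against.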

“Mistrust Plugins You Must: A Large-Scale Study of Malicious Plugins in WordPress Marketplaces” was presented at the 31st USENIX Security Symposium. The paper was written by Ph.D. students Kasturi, Jonathan Fuller, and Yiting Sun; master's student Omar Chabklo; undergraduate Andres Rodriguez; Postdoctoral Scholar Jeman Park; and Assistant Professor Brendan Saltaformaggio. The project was the result of the unique partnership between the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering.