A study on malicious plugins in WordPress Marketplaces

Pierluigi Paganini August 30, 2022

A group of researchers from the Georgia Institute of Technology discovered malicious plugins on tens of thousands of WordPress sites.

A team of researchers from the Georgia Institute of Technology has analyzed the backups of more than 400,000 unique web servers and discovered 47,337 malicious plugins installed on 24,931 unique WordPress websites. The experts studied the evolution of CMS plugins in the production web servers dating back to 2012, to do this they developed an automated framework named YODA to detect malicious plugins.

The number of malicious plugins on WordPress websites has increased over the years, and malicious activity reached a peak in March 2020.

The researchers employed cross-website verification to certify the malicious origin of each website, they also noted that legitimate marketplace, nulled marketplace, and injected plugin categories are mutually exclusive.

“YODA uncovered 47,337 malicious plugins on 24,931 unique websites. Among these, $41.5K had been spent on 3,685 malicious plugins sold on legitimate plugin marketplaces. Pirated plugins cheated developers out of $228K in revenues. Post-deployment attacks infected $834K worth of previously benign plugins with malware.” reads the research paper. “Lastly, YODA informs our remediation efforts, as over 94% of these malicious plugins are still active today.”

WordPress malicious plugin

The researchers noticed that most malicious plugins sold on popular plugin marketplaces do not implement evasion or obfuscation techniques.

Threat actors buy the codebase of popular free plugins and then add malicious code and wait for users to apply automatic updates. In other cases, threat actors impersonated legitimate and benign plugin authors to spread malware via pirated plugins.

The researchers also reported plugin-to-plugin infection, which means that a single malicious plugin on the webserver infects multiple benign plugins, replicating the behavior.

Boffins also studied several marketplaces that were offering a trial of plugins in a model known as “try before you buy.” This gave rise to pirated “trial plugin” marketplaces, also referred to as nulled marketplaces. The term “Nulled plugins” indicates pirated versions of originally paid plugins, freely distributed via nulled marketplaces.

The experts shared the results of their research with CodeGuard which is working on remediating the identified attacks. The bad news is that only 10% of website owners are working to sanitize their installs,

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment