"Since 2012 researchers in the Georgia Tech Cyber Forensics Innovation Laboratory have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites through a web development tool they named YODA," warns an announcement released Friday:

According to a newly released paper about the eight-year study, the researchers found that every compromised website in their dataset had two or more infected plugins. The findings also indicated that 94% of those plugins are still actively infected.

"This is an under-explored space," said Ph.D. student Ranjita Pai Kasturi, who was the lead researcher on the project. "Attackers do not try very hard to hide their tracks and often rightly assume that website owners will not find them."

YODA is not only able to detect active malware in plugins, but it can also trace the malicious software back to its source. This allowed the researchers to determine that these malicious plugins were either sold on the open market or distributed from pirating sites, injected into the website by exploiting a vulnerability, or, in most cases, infected after the plugin was added to a website.

According to the paper written by Kasturi and her colleagues, over 40,000 plugins in their dataset were shown to have been infected after they were deployed. The team found that the malware would attack other plugins on the site to spread the infection.

"These infections were a result of two scenarios. The first is cross-plugin infection, in which case a particular plugin developer cannot do much," said Kasturi. "Or it was infected by exploiting existing plugin vulnerabilities. To fix this, plugin developers can scan for vulnerabilities before releasing their plugins for public use."

Although these malicious plugins can be damaging, Kasturi adds that it's not too late to save a website that has a compromised plugin.
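The most common scenario the study describes is a plugin that was clean when installed and modified afterwards, with the malware then spreading into other plugin directories on the same site. A site owner can catch that pattern without any knowledge of the malware itself by keeping a hash baseline of `wp-content/plugins` taken at install time and diffing it later. The script below is an added illustration of that check; it is not YODA and not code from the Georgia Tech paper. It assumes the standard WordPress layout of one sub-directory per plugin, and the two "plugins" it creates in a temporary directory are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large bundled assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_plugins(plugins_dir: Path) -> dict:
    """Map every file under the plugins directory (POSIX relative path) to its SHA-256."""
    snap = {}
    for p in sorted(plugins_dir.rglob("*")):
        if p.is_file():
            snap[p.relative_to(plugins_dir).as_posix()] = hash_file(p)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished, or changed content since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def affected_plugins(report: dict) -> list:
    """Top-level plugin directories touched by additions or modifications.
    Changes landing in more than one plugin after install is the cross-plugin
    spread pattern the study describes, so it deserves a closer look."""
    names = set()
    for key in ("added", "modified"):
        for rel in report[key]:
            names.add(Path(rel).parts[0])
    return sorted(names)


def build_demo_site() -> Path:
    """Constructed sample: two clean plugins as they look right after installation."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (root / "plugin-a").mkdir()
    (root / "plugin-a" / "plugin-a.php").write_text("<?php\n// clean plugin A (sample)\n")
    (root / "plugin-b").mkdir()
    (root / "plugin-b" / "plugin-b.php").write_text("<?php\n// clean plugin B (sample)\n")
    return root


def simulate_post_deployment_change(root: Path) -> None:
    """Constructed sample of the 'infected after deployment' scenario: one installed
    file is altered and an unexpected file appears inside a different plugin."""
    with (root / "plugin-a" / "plugin-a.php").open("a") as f:
        f.write("// content appended after install (sample)\n")
    (root / "plugin-b" / "extra.php").write_text("<?php\n// file not present at install (sample)\n")


def demo() -> dict:
    """Take a baseline at 'install time', apply the sample change, and report the diff."""
    root = build_demo_site()
    baseline = snapshot_plugins(root)       # in practice: store this off-host at install time
    simulate_post_deployment_change(root)
    report = diff_snapshots(baseline, snapshot_plugins(root))
    report["plugins_affected"] = affected_plugins(report)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline is only useful if it is taken from a plugin copy you trust (the official directory download, not a bundle from a reseller or pirating site, which the study found to be one of the distribution channels) and stored somewhere the web server cannot write to; a baseline kept on the same host can be rewritten by the same process that alters the plugins.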