Since late March, no fewer than a half-dozen high-profile attacks have involved a compromised website built on the WordPress platform. Attackers abuse vulnerabilities in the content management system’s customizable plug-ins and themes to pull off anything from drive-by downloads to watering hole attacks.
The consequences can be serious because WordPress powers upwards of 60 million websites, including popular blogs and ecommerce storefronts.
Checkmarx, an application security company, recently finished a second round of code scans against the top 50 most downloaded WordPress plug-ins and the top 10 ecommerce plug-ins and found a spate of common Web security issues in close to 20 percent of them. A paper on the research said that the vulnerable plug-ins have been downloaded eight million times, putting sites at risk of SQL injection, cross-site scripting, cross-site request forgery and path traversal attacks.
The vulnerabilities were found in popular, but unnamed, shopping cart plug-ins, feed aggregators, mobile APIs and tools to link sites to social networks such as Facebook.
“These security gaps within the plugins allow hackers to use the platform as vehicles for mass infections and malware distribution,” the paper said. “Since we do not focus on the security of the basic platform, our discussion can be applied to any marketplace that provides third-party extensions and applications.”
In the first scan, conducted in January, 18 of the top 50 plug-ins were vulnerable to one of the aforementioned attacks, accounting for almost 19 million downloads. As for the ecommerce plug-ins, seven of the top 10 were vulnerable to common Web attacks, the paper said. As of a second scan conducted this month, only six plug-ins had been patched, despite the fact that all the plug-ins had been updated. The six, Checkmarx said, were BuddyPress, bbPress, E-Commerce, WooCommerce, W3 Total Cache and Super Cache.
“Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details. Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site,” the paper said. “In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.”
Most recently, a number of attacks against Washington, D.C.-area media sites involved attackers injecting malicious JavaScript onto the homepages that redirected visitors to a compromised WordPress site hosting malware. The same tactic was used against Tibetan freedom supporters, in which attackers used Twitter to send victims to a Tibet-themed WordPress blog that was serving Adobe Flash exploits previously used against manufacturing and defense industry targets.
Also, in April it was discovered that attackers were building a botnet of compromised WordPress blogs that was likely to be used in a much larger attack, such as a distributed denial-of-service attack. The attackers were brute-forcing administrative credentials, hoping to find weak default passwords that would let them take over the blog. A U.S.-based webhost said more than 90,000 IP addresses were involved in the attack.
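As an added example (not from the article or from Checkmarx), this is the kind of check a site operator could run over web server access logs to spot the credential brute-forcing described above, both a single noisy source and the distributed, many-IP pattern. The log lines are constructed and the thresholds and window size are assumptions to be tuned per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_login_posts(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php; unparsable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def detect_wp_login_bruteforce(lines, per_ip_threshold=5, distributed_threshold=50, window_seconds=300):
    """Return (noisy_ips, is_distributed, max_distinct_sources).

    noisy_ips maps an IP to its peak number of login POSTs inside any window;
    is_distributed is set when enough distinct IPs hit wp-login.php in one window,
    the shape of the botnet attack that a single per-IP rate limit does not catch."""
    events = sorted(parse_login_posts(lines), key=lambda e: e[1])
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    noisy = {}
    for ip, stamps in by_ip.items():
        start, best = 0, 0                      # sliding window over this IP's attempts
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= per_ip_threshold:
            noisy[ip] = best
    in_window, start, max_distinct = Counter(), 0, 0   # sliding window over all sources
    for end, (ip, ts) in enumerate(events):
        in_window[ip] += 1
        while (ts - events[start][1]).total_seconds() > window_seconds:
            old = events[start][0]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        max_distinct = max(max_distinct, len(in_window))
    return noisy, max_distinct >= distributed_threshold, max_distinct

def make_line(ip, second, method="POST", path="/wp-login.php", status=200):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [10/May/2013:14:00:{second:02d} +0000] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'

SAMPLE_LOG = (
    [make_line("203.0.113.7", s) for s in range(0, 12, 2)]          # one host, 6 POSTs in 10 s
    + [make_line(f"198.51.100.{i}", i) for i in range(1, 9)]        # 8 hosts, one attempt each
    + [make_line("192.0.2.5", 30, method="GET")]                    # ordinary page load, ignored
    + [make_line("192.0.2.9", 31, path="/index.php")]               # POST elsewhere, ignored
    + ["garbage line that does not parse"]                          # malformed, skipped
)
```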
“A vulnerability against a plugin propagates across millions of websites,” the Checkmarx report said. “A hacker exploiting a plugin’s vulnerability can infect millions of websites as the security industry – and bloggers worldwide – have already witnessed.”
Users should download plug-ins from trustworthy sources, ensure plug-ins are current and delete out-of-date plug-ins.