Vulnerabilities in WordPress Plugins May Lead Hackers Inside Corporate Networks

WordPress, one of the most popular content management systems (CMS), supports a plugin-based architecture. Support for over 55,000 plugins makes the platform suitable for a large number of business use cases. But it also makes WordPress one of the most vulnerable pieces of open-source software, as several recent incidents show.

WordPress plugin vulnerabilities

There have been many cases in which a vulnerability in a plugin enabled hackers to abuse the website and even the entire IT infrastructure behind it.

  • In April 2020, a vulnerability was found in the ‘Real-Time Find and Replace’ plugin (over 100,000 installations) that could have allowed an attacker to inject malicious JavaScript anywhere on a site by tricking the administrator.
  • In March 2020, a critical privilege escalation vulnerability was found in the Rank Math WordPress SEO plugin, which has more than 200,000 active installations. The vulnerability could allow hackers to grant admin privileges to any registered user.

Real-world attack incidents

There have been several occasions on which a vulnerability in a WordPress plugin let hackers do severe damage to the business operations of targeted organizations.

  • In April 2020, WordPress e-commerce sites running the WooCommerce plugin were targeted by JavaScript-based card-skimmer malware that could let hackers steal the credit card numbers of every visitor to the affected websites.
  • In February 2020, thousands of cyberattacks were identified targeting the Duplicator WordPress plugin. The attackers were exploiting an unauthenticated arbitrary file download vulnerability present in Duplicator prior to version 1.3.28 and Duplicator Pro prior to version 3.8.7.1.
  • In February 2020, it was found that a hacker had infected more than 20,000 WordPress sites over the previous year by distributing trojanized versions of premium WordPress themes and plugins.
  • In November 2019, two campaigns were identified distributing the NetSupport Remote Access Trojan (RAT) via a fake Flash Player update, exploiting vulnerabilities introduced by plugins, themes, and extensions in WordPress and several other CMS platforms.

How to stay protected

To protect WordPress websites, use only reliable plugins from trustworthy sources, and keep them updated with the latest patches. There are also many security-related WordPress plugins, such as Google Authenticator (for enabling 2FA), that can be used to strengthen a site's security.
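One way to turn the "keep them updated" advice into a repeatable check, as an added example that is not part of the original article: read the `Version:` field from each installed plugin's header comment and flag any Duplicator install that is below the fixed versions cited above. The `wp-content/plugins` layout and the `duplicator-pro` slug are assumptions, and the sample plugin files are constructed for the demonstration.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import Dict, Optional, Tuple

# Minimum patched versions from the Duplicator incident above; the "duplicator-pro"
# slug is an assumption made for this example.
FIXED_VERSIONS = {"duplicator": "1.3.28", "duplicator-pro": "3.8.7.1"}

# WordPress reads plugin metadata from a "Field: value" header comment in the main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Optional[str]:
    """Return the Version: header value from a plugin file, or None if absent."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def is_outdated(installed: str, fixed: str) -> bool:
    """True when installed < fixed; pads dotted versions so 3.8.7 compares below 3.8.7.1."""
    a = [int(p) if p.isdigit() else 0 for p in installed.split(".")]
    b = [int(p) if p.isdigit() else 0 for p in fixed.split(".")]
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))


def scan_plugins(plugins_dir: Path) -> Dict[str, Tuple[str, bool]]:
    """Map plugin slug -> (installed version, needs_update) for each plugin directory."""
    results = {}
    for slug_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(slug_dir.glob("*.php")):
            version = parse_version(php.read_text(errors="ignore"))
            if version:  # first file with a Version: header is the main plugin file
                fixed = FIXED_VERSIONS.get(slug_dir.name)
                results[slug_dir.name] = (version, fixed is not None and is_outdated(version, fixed))
                break
    return results


def demo() -> Dict[str, Tuple[str, bool]]:
    """Build a constructed plugins directory (sample data, not a real site) and scan it."""
    samples = {"duplicator/duplicator.php": "1.3.26",
               "duplicator-pro/duplicator-pro.php": "3.8.7.1",
               "hello-dolly/hello.php": "1.7.2"}
    with TemporaryDirectory() as tmp:
        for rel, ver in samples.items():
            f = Path(tmp) / rel
            f.parent.mkdir(parents=True)
            f.write_text(f"<?php\n/*\nPlugin Name: {rel.split('/')[0]}\nVersion: {ver}\n*/\n")
        return scan_plugins(Path(tmp))
```

Pointing `scan_plugins` at a real `wp-content/plugins` directory lists every plugin's installed version, so the fixed-version table can be extended as new advisories are published.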