Who doesn’t love WordPress? It is one of the most popular content management systems in the world, and more than 38% of websites run on it. According to W3Techs, its market share is 63.5%, followed by Joomla, with a 4.7% difference. Besides small business websites and personal blogs, it powers the sites of Microsoft, Zoom, Etsy, Zendesk, and Cambridge. However, these are the reasons why hackers love it, too.
Due to its popularity and massive user base (WordPress 5.5 has been downloaded more than 29 million times and counting), cybercriminals have turned it into their playground. One of the ways hackers attack it is through WordPress plugins, and as of now, there are more than 57,000 plugins available for download. Wordfence, a premier WordPress security plugin, says that 55.9% of vulnerabilities are related to plugins alone.
Different Types of WordPress Plugin Vulnerabilities
Here is the list of how cybercrooks exploit the security flaws of plugins:
SQL injection
Hackers inject malicious code into a plugin’s database queries, which then delete, update, or insert data the attacker controls. Such a query can change a WordPress site account’s password or even create a new rogue admin account.
Arbitrary file viewing
Plugins that lack access checks on their source files let third parties read files they should never see. From there, hackers can hijack your database and inject malicious scripts.
Privilege escalation
Once they have a foothold on your site, hackers can escalate their privileges from subscriber to administrator and take full control of it.
Remote code execution (RCE)
This type doesn’t require the attacker to upload and run malicious code, since the attacker can execute code on the server from a remote location. If successful, an attacker can update posts and images and even create new posts.
Arbitrary file upload
If the plugin doesn’t have any security measures in place, hackers can upload .php files that give them backdoor access to a WordPress website.
Cross-site scripting (XSS)
It is also a type of injection of malicious scripts, often exploiting vulnerabilities in the comment section. XSS targets the website’s users instead of the server and redirects them to other sites that steal highly sensitive information such as credit card or bank account details.
This is not the complete list as hackers continue to find ways to exploit WordPress plugin vulnerabilities using innovative and illegal techniques.
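As an added example (not code from the article or from any plugin it names), here is a WordPress AJAX upload handler written in the insecure shape the vulnerability types above describe, beside a hardened version whose checks address arbitrary file upload, privilege escalation, SQL injection and the CSRF attacks mentioned for Ninja Forms and All In One WP Security below. The myplugin_ prefix, the nonce action name and the table name are assumptions.

```php
<?php
// Added example, not from the article or any plugin it names. The "myplugin_"
// names, the nonce action and the database table are hypothetical.

// INSECURE: no nonce, no capability check, no file type check. Exposed through a
// nopriv hook, this lets any visitor place a .php file in the uploads directory.
function myplugin_upload_insecure() {
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

// HARDENED: each check closes one of the vulnerability classes listed above.
function myplugin_upload_hardened() {
    // CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'myplugin_upload', 'nonce' );
    // Privilege escalation: only roles allowed to upload files may proceed.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // Arbitrary file upload: allow-list the extension and MIME type; for images
    // core also checks that the file content matches the claimed type.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );
    $check   = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Let core move and name the file; it enforces the uploads directory and
    // applies the same MIME allow-list a second time.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    // SQL injection: bind values with $wpdb->prepare() instead of concatenating.
    global $wpdb;
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}myplugin_files (user_id, path) VALUES (%d, %s)",
        get_current_user_id(), $result['file']
    ) );
    wp_send_json_success( $result['url'] );
}
// Authenticated users only: there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_myplugin_upload', 'myplugin_upload_hardened' );
```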
8 Famous WordPress Plugins Which Are Exploited By Hackers
ThemeREX Addons
- Active installations: 44,000+
- The latest version (at the time of writing): not announced
It is a required plugin that enables you to use the Topper WordPress theme, an all-in-one advanced Elementor WordPress theme. Topper has features such as trendy skins, clean layouts, WooCommerce, Gutenberg Support, and more.
On 18 February 2020, Wordfence reported a zero-day vulnerability in ThemeREX Addons that let hackers create rogue admin accounts. Fortunately, the vulnerability was fixed by ThemeREX developers promptly. Users were strictly advised to update the theme or plugin immediately.
Contact Form 7
- Active installations: 5+ million
- The latest version (at the time of writing): 5.3
It lets you create and manage multiple custom contact forms. Contact Form 7 supports CAPTCHA, Ajax-powered submitting, and Akismet spam filtering.
At the time of writing, Contact Form 7 had experienced four attacks in 2020 due to unauthenticated remote code execution, file upload bypass, and cross-site scripting. The latest attack was on 22 September 2020, when its Drag and Drop Multiple File Upload feature was found vulnerable to remote code execution. A fix is already available, and all you need to do is update the plugin.
Elementor
- Active installations: 5+ million
- The latest version (at the time of writing): 3.0.12
It is a free WordPress website builder that supports the drag-and-drop method. Elementor lets you edit the site live using a visual editor. This means you don’t need to learn any HTML/CSS/PHP/coding skills to get started. It is also known as a popular add-on in free WordPress theme builders.
On 8 October 2020, a vulnerability was discovered in Dynamic Content for Elementor. It allowed accounts with permissions as low as Editor to carry out remote code execution attacks. A security patch is now available.
WooCommerce
- Active installations: 5+ million
- Latest version (at the time of writing): 4.6.1
It is a free, open-source, and flexible eCommerce plugin for WordPress. It can turn your website into a full-fledged online shopping store. You can also integrate WooCommerce with Amazon stores, which in turn boosts Amazon ranking factors without hassle.
Due to its popularity and nature as a payment gateway, WooCommerce is not a stranger to hacking. On 20 August 2020, WebARX reported multiple vulnerabilities that impacted the Discount Rules for WooCommerce. It led to numerous authorization bypasses via Stored Cross-Site Scripting. WooCommerce developers are always quick to act, and a patch has been issued.
Ninja Forms
- Active installations: 1+ million
- The latest version (at the time of writing): 3.4.30
It is another plugin that uses the drag-and-drop feature and helps you build professional forms for your WordPress website. You can build contact forms, quote request forms, event registration forms, and more without any programming skills. Ninja Forms gives you the freedom to customize a form with different layouts and fields for free.
The Ninja Forms plugin was exploited through a Cross-Site Request Forgery (CSRF) attack, which allowed hackers to install an arbitrary plugin from the WordPress repository. A CSRF attack can expose your site to identity theft, money laundering, and disclosure of highly confidential information. Fortunately, a security patch has been released.
Loginizer
- Active installations: 1+ million
- The latest version (at the time of writing): 1.6.4
Ironically, the purpose of this plugin is to protect your WordPress website from brute force attacks. It blocks an IP from logging in once its failed attempts reach the limit you set, and sends you a notification via email. Loginizer lets you blacklist and whitelist IPs as well.
On 8 October 2020, an unauthenticated SQL injection vulnerability was found in the plugin. WordPress had to issue a forced security update after a fix was made available. The fix also prevents Cross-Site Scripting (XSS) vulnerabilities.
All In One WP Security & Firewall
- Active installations: 900,000+
- The latest version (at the time of writing): 4.4.4
If you want a multipurpose WordPress security plugin, you could try All In One WP Security & Firewall. It not only blocks brute force login attacks but also adds Google reCAPTCHA and alerts you when someone changes any files in your WordPress database.
Anthony Garand of Sucuri found that the plugin was exploited using a Cross-Site Request Forgery (CSRF) attack. A security fix has been released to stop it.
File Manager
- Active installations: 600,000+
- The latest version (at the time of writing): 6.9
File Manager frees you from the hassle of using FTP to access your WordPress files and folders. It is an easy-to-use file management solution where you can edit, delete, download, upload, zip, copy and paste files and folders directly from your WordPress dashboard.
But because of these irresistible features, the plugin has been eye candy to hackers. The vulnerability was publicly disclosed on Twitter on 26 August 2020, with hackers using unauthenticated arbitrary file upload and remote code execution attacks. Thankfully, a patch was released to fix this vulnerability.
In Closing
Although you may have a strong WordPress account password, you must stay vigilant to protect your website from malicious attacks. Use WordPress plugins with extra caution and practice due diligence by researching each plugin before using it.
Regularly update your site and its plugins to keep hackers away. Install a reputable WordPress security plugin that monitors your site in real time and alerts you instantly of any suspicious activity.
Even with these security measures in place, the responsibility still lies with you to protect your site from hacking attempts. Be proactive, as always.