Vulnerable plugins plague the CMS website security landscape

Backdoors, card skimming, and spam are also common factors in website compromise.
Written by Charlie Osborne, Contributing Writer

Vulnerable plugins, extensions, and default settings are responsible for a high rate of website compromise, according to new research.

Content management systems (CMSs) are frequently used to structure websites and online services, including e-commerce shops, and make it easier for web admins to manage and publish content.

Plugins and extensions add to website functionality and can provide everything from contact forms to SEO optimization, maps, image albums, and payment options. As a result, they are incredibly popular -- but if they are vulnerable to exploitation, their use can put entire websites at risk of being hijacked.

Sucuri's 2021 Website Threat Research Report (.PDF) has examined these issues in-depth with a particular focus on CMS usage, including WordPress, Joomla, and Drupal.

According to the researchers, vulnerable plugins and extensions "account for far more website compromises than out-of-date, core CMS files," with roughly half of website intrusions recorded by the firm's clients occurring on a domain with an up-to-date CMS.

Threat actors will often leverage legitimate -- but hijacked -- websites to host malware, credit card skimmers, or for the deployment of spam. Sucuri says that websites containing "a recently vulnerable plugin or other extension" are the most likely to be abused in these ways.

"Even a fully updated and patched website can suddenly become vulnerable if one of the website elements has a vulnerability disclosure and action is not swiftly taken to remediate it," the researchers commented.

In addition, webmasters who leave their CMS websites and control panels on default configurations are considered a "serious liability," especially when multi-factor authentication (MFA) is not implemented or possible.

The report has listed the most common types of malware found on compromised websites. At the top, we have backdoors -- forms of malware that give their operators persistent access to a domain and the ability to exfiltrate data, among other features.

Sucuri said over 60% of its website compromise cases involved at least one backdoor.

In addition, credit card skimmers remain a persistent threat to e-commerce retailers. Skimmers are usually small pieces of code implanted on payment pages, which harvest customers' card details. and transfer them to an attacker-controlled server. 

They now account for over 25% of new PHP-based malware signatures detected in 2021.

Spam is also one of the most common forms of website compromise. In total, 52.6% of websites cleared up by the firm contained SEO spam, such as URL redirects, which are used to force visitors to landing pages that display malicious content. Furthermore, the team found evidence of spam injectors that hide spam links in hijacked websites to boost their SEO rankings.

Most spam-related content relates to pharmaceuticals such as viagra, essay writing services, escorts, gambling, adult websites, and pirated software.

"While there is no 100% security solution for website owners, we have always advised that a defense in depth strategy be used," Sucuri says. "Laying defensive controls helps you better identify and mitigate attacks against your website. [...] At its core, maintaining a good security posture comes down to a few core principles: keep your environment updated and patched, use strong passwords, exercise the principle of least privilege, and leverage a web application firewall to filter malicious traffic."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards