WordPress is a prime example of a popular CMS. With more than 8,176 plugins and 73,037,498 downloads, this particular CMS package is extremely popular! I would agree with the statement on the WordPress site which proclaims: “WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability.” It is.

WordPress also offers the flexibility to manage content easily, add attractive themes and customize webpages to your hearts content. And again quoting the main site: “Plugins can extend WordPress to do almost anything you can imagine.” I would agree with this too.

In this post we will be looking at WordPress closely to understand any interesting properties of the active installations publicly seen on the Internet.

The aim of this experiment:

• To determine the number of WordPress sites using older versions of the CMS package (and hence vulnerable to attacks).
• What are the associated scripts do WordPress users use in addition to core WordPress functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed WordPress. Understandably, not all 100,000 websites would actually be using WordPress. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by WordPress or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between January 28th and January 30th, 2010.

Distribution of WordPress versions:

• 30.9% of sites were running version 2.9.1
• 4.7% of sites were running version 2.9
• 9.14% of sites were running version 2.8.6
• 4.7% of sites were running version 2.8.5
• 21.42% of sites were running version 2.8.4
• 7.1% of sites were running version 2.8.2
• 9.14% of sites were running version 2.7.1
• 2.3% of sites were running version 2.6.2
• 2.3% of sites were running version 2.6
• 2.3% of sites were running version 2.1.3
• 2.3% of sites were running version 2.0.4

We found the following distribution of WordPress versions in the websites examined (where versions of installations could be determined).
Note: Publicly available information about exploits for WordPress version < 2.8.6 exist.

We present the most interesting results in brief:

• Only 0.18% of the WordPress sites were blacklisted by Google Safe Browsing.
• Only 1.6% of WordPress sites had Iframes embedded in them. We found that all these sites harbored Iframe based malware. The Iframes were not obfuscated (examples provided below)
• 44.4% of WordPress sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• About 7.2% of all WordPress sites use jQuery.
• None of the WordPress sites use Mootools.
• None of the WordPress sites use AC_RunActiveContent.js.

Examples of malware found:

Now we present some examples of the non-obfuscated malware that was detected on some of the analyzed sites.

Example Code #1,  detected on: olgamake.com/wp-login.php?action=lostpassword

<if ra e src="hxxp://a151.scrappi ng.cc:80 80/ts/in. cgi ?op en" width=971 height=0 style="visibility: hi dden"></i fra m e>

Example Code #2,  detected on: makinghimknown.com/wp-login.php

<if ra e src="src="hxxp://ke ymydoma ins.com/" width="3" height="2"></i fra m e>

Example Code #3,  detected on: bisoppreview.com/wp-login.php

<if ra e src="hxxp://ntw porta l.com/" w idth="2" hei ght="4"</i fra m e>

Conclusion:

This limited experiment shows that there are many older WordPress installations active on the Internet. Furthermore, some of them are have been infected by non-obfuscated Iframes which point to malicious websites to load exploit code dynamically. WordPress makes for an easy target by lieu of its popularity and wide installation base. The people associated with this CMS software take security very seriously and have done a great job releasing security patches and stable releases. However, the fact remains that vulnerable versions of WordPress are live on the Internet and are hosting malware, primarily via infected Iframes.

Till next time.