Labs Note

The Dangers of Using Abandoned Plugins & Themes

December 17, 2020, by Krasimir Konov


It is not very often that we see abandoned components in use on a website, but when we do, it is usually because the site was exhibiting malware-like behavior and we were called in to investigate and clean it up.

Old and abandoned plugins and themes are an attractive target for opportunistic attackers. Many of them hardcode an external domain from which they load data or scripts; once the original developer stops renewing it, the domain expires and anyone can register it. Whoever picks it up can then push whatever they like to every site that still has the component installed. Here is an example of that exact scenario.

Expired Domain for My Weather Plugin

The plugin, called "My Weather", displayed weather widgets on a website. It fetched the weather data from an external domain, weatherforecastmap[.]com, whose registration was allowed to lapse.

<?php
// Widget request URL as built by the plugin (abridged). The host is hardcoded,
// the request is plain HTTP, and $typeflag, $country_name, $city and
// $fahrenheitflag come from the widget settings.
$widget_call_string = 'hxxp://weatherforecastmap[.]com/' . $typeflag;
$widget_call_string .= '.php?zona=' . $country_name;
$widget_call_string .= '_' . $city;
$widget_call_string = str_replace(" ", "-", $widget_call_string);
$widget_call_string = strtolower($widget_call_string);

// Fahrenheit widgets use the endpoint with an F suffix (weather3.php becomes weather3F.php).
if ($fahrenheitflag != 0) {
    $widget_call_string = str_replace(".php", "F.php", $widget_call_string);
}
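The scenario above starts from a hardcoded host in plugin source, so the practical check is an inventory of every external host your installed plugins and themes reference, followed by a look at which of those still resolve. The script below is an added example, not code from this post or from the My Weather plugin; the two PHP files embedded in it are constructed to mirror the pattern shown above, and the resolver is injectable so the demo runs offline (the default uses real DNS). An unresolved host is a lead, not proof: compare the domain's current registration date from `whois` with the plugin's last release, since a domain registered after the plugin was abandoned has almost certainly changed hands.

```python
"""Inventory the external hosts referenced in plugin/theme source and flag the
ones that no longer resolve.  Added example (not the Sucuri post's or the My
Weather plugin's code); the sample inputs below are constructed."""
import re
import socket
from collections import defaultdict
from pathlib import Path

# Constructed sample: two plugin files, one of which builds a <script src> from a
# hardcoded host exactly the way the abandoned widget did.
SAMPLE_PLUGIN_FILES = {
    "my-weather/widget.php": (
        "<?php\n"
        "$widget_call_string = 'http://weatherforecastmap.com/' . $typeflag;\n"
        "$widget_call_string .= '.php?zona=' . $country_name;\n"
        "echo '<script type=\"text/javascript\" src=\"' . $widget_call_string . '\"></script>';\n"
    ),
    "my-weather/admin.php": (
        "<?php\n"
        "$docs = 'https://wordpress.org/plugins/my-weather/';\n"
        "$cdn  = \"//cdn.example-assets.net/widget.js\";\n"
    ),
}

# http://host, https://host, and protocol-relative //host when it opens a string
# literal (the quote lookbehind keeps PHP "// comment" lines out).  Captures the host.
URL_RE = re.compile(r"""(?:https?://|(?<=["'])//)([A-Za-z0-9.-]+\.[A-Za-z]{2,})""")


def extract_hosts(files):
    """Map each referenced host to the set of files that reference it."""
    hosts = defaultdict(set)
    for path, source in files.items():
        for host in URL_RE.findall(source):
            hosts[host.lower()].add(path)
    return dict(hosts)


def load_plugin_dir(root, suffixes=(".php", ".js", ".html")):
    """Read every source file under root into the dict that extract_hosts expects."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}


def resolves(host):
    """Default resolver: does the host currently get any DNS answer at all?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit(files, resolver=resolves, allowlist=frozenset()):
    """Return {host: {"files": [...], "status": "ok" | "unresolved" | "allowlisted"}}.
    allowlist holds hosts you have already vetted (your own CDN, wordpress.org)."""
    report = {}
    for host, paths in sorted(extract_hosts(files).items()):
        if host in allowlist:
            status = "allowlisted"
        elif resolver(host):
            status = "ok"          # resolves today; a re-registered domain also resolves, so check whois
        else:
            status = "unresolved"  # lapsed or never existed; either way nobody should be loading code from it
        report[host] = {"files": sorted(paths), "status": status}
    return report


if __name__ == "__main__":
    # Offline demo with a stub resolver: only two of the three hosts "resolve".
    live = {"wordpress.org", "cdn.example-assets.net"}
    for host, info in audit(SAMPLE_PLUGIN_FILES, resolver=lambda h: h in live,
                            allowlist={"wordpress.org"}).items():
        print(f"{info['status']:<11} {host:<26} {', '.join(info['files'])}")
```

To run it against a real install, feed `audit(load_plugin_dir("wp-content/plugins"))` and the same for `wp-content/themes`. The regex catches URL literals and protocol-relative `//host` strings but not hosts assembled from several string fragments at runtime, so a manual grep for `<script` and `src=` in anything the inventory leaves empty is still worth doing.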

Weather Data Replaced with Malicious Injections

The plugin built the request URL from the widget type, temperature unit, country and city, for example: hxxps://weatherforecastmap[.]com/weather3F.php?zona=mexico_playa-del-carmen

It then used that URL directly as the source of a script tag, so whatever the remote host returned was executed as JavaScript in the visitor's browser, with no integrity check of any kind:

// Remote response executed as script in the visitor's browser.
echo '<script type="text/javascript" src="' . $widget_call_string . '"></script>';

Attackers registered the expired domain and, in place of the weather data, served a malicious JavaScript injection, which ran in the browser of anyone who visited a site still using the abandoned My Weather plugin.

Unwanted Browser Add-ons & Advertisements

[Figure: redirect caused by the abandoned plugin]

The injection redirected visitors to another domain: hxxp://fnacgbik9v14[.]com/hdzi0thtzm.

On further investigation, we found that this newly registered domain was distributing malware that tricks the user into installing a malicious component/extension in their browser. Once installed, additional ads were served from yet another malicious domain, terraclicks[.]com.

This example shows how outdated and abandoned components put a site at risk. Keep all software updated, and remember that an abandoned plugin or theme will never receive another update: if a component is no longer maintained, replace it, and if you have a plugin, theme or component installed that you are not using, remove it.

A WAF (Web Application Firewall) in front of the site reduces the risk from old or outdated plugins that contain known vulnerabilities: the firewall can virtually patch the software until you get the chance to update or transition to a new one. Note the limit of that protection in this particular case, though. The malicious script was requested by the visitor's browser directly from the hijacked third-party domain, so a firewall protecting the site never sees that request. Controlling which hosts may run code in the visitor's browser is the job of a Content-Security-Policy script-src allowlist, and a host you have already allowlisted stays allowed after its domain changes hands, so that list needs reviewing whenever a plugin on the site is abandoned.
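To make the point about the browser-side layer concrete, here is an added example, not from this post, that evaluates a Content-Security-Policy header the way a browser does for a script load: it implements the 'self', 'none', scheme-source and host-source matching rules of CSP Level 3 for script-src, with the fallback to default-src, and leaves nonces, hashes and 'strict-dynamic' out of scope. The page origin, the policy and the cdn.example-assets.net host are assumptions for the demo; the two attacker domains are the ones named above and are only compared as strings, never fetched.

```python
"""Decide whether a CSP lets a page load a given script URL.  Added example,
not from the Sucuri post; a simplified CSP Level 3 source-expression matcher."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}.
    As in the spec, a repeated directive name is ignored: the first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def _scheme_ok(source_scheme, url_scheme):
    # http in the policy also admits https (the spec's scheme upgrade rule).
    return url_scheme == source_scheme or (source_scheme == "http" and url_scheme == "https")


def _host_ok(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):                 # *.example.com: subdomains only
        return host.endswith(pattern[1:])
    return pattern == host


def _source_allows(source, url, page_origin):
    """One source expression against one URL."""
    u, page = urlsplit(url), urlsplit(page_origin)
    low = source.lower()
    if low == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (page.scheme, page.hostname, _port(page))
    if low.startswith("'"):                      # 'none', nonces, hashes, 'strict-dynamic'
        return False
    if low.endswith(":"):                        # scheme-source, e.g. https:
        return _scheme_ok(low[:-1], u.scheme)
    scheme, _, rest = source.rpartition("://")   # host-source: [scheme://]host[:port][/path]
    scheme = scheme.lower()
    if scheme:
        if not _scheme_ok(scheme, u.scheme):
            return False
    elif u.scheme not in ("http", "https"):
        return False
    host_port, slash, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    if not _host_ok(host.lower(), (u.hostname or "").lower()):
        return False
    if port == "":                               # no port in policy: URL must use its scheme's default
        if _port(u) != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and str(_port(u)) != port:
        return False
    path = slash + path                          # a path ending in "/" is a prefix, otherwise exact
    if path and not (u.path == path or (path.endswith("/") and u.path.startswith(path))):
        return False
    return True


def script_allowed(csp_header, script_url, page_origin):
    """script-src governs; default-src is the fallback; no directive at all means allow."""
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_allows(s, script_url, page_origin) for s in sources)


if __name__ == "__main__":
    page = "https://example-site.test"           # assumed site origin
    csp = "default-src 'self'; script-src 'self' https://cdn.example-assets.net"
    for url in ("https://example-site.test/wp-includes/js/jquery.js",
                "https://cdn.example-assets.net/widget.js",
                "http://weatherforecastmap.com/weather3F.php?zona=mexico_playa-del-carmen",
                "http://fnacgbik9v14.com/hdzi0thtzm"):
        print("allow" if script_allowed(csp, url, page) else "BLOCK", url)
```

With that policy the plugin's widget script and the attacker's follow-up host are both blocked, but only because weatherforecastmap.com was never allowlisted; a site that had added it to script-src to make the widget work would still execute the hijacked domain's payload, which is why the allowlist, not just the policy's existence, is what has to be reviewed. On a WordPress site the inline scripts many plugins emit also mean a host-only policy usually has to be introduced in report-only mode first.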


Categories: Security Education, Sucuri Labs, Website Security, WordPress Security
Tags: Black Hat Tactics, Hacked Websites, Redirects, WordPress Plugins and Themes

About Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.
