Under the right circumstances, the WordPress plugin repository can be used to execute such an attack. Here’s how that could work.
- Your site uses a homebrew or third-party plugin that is not hosted on wordpress.org
- Somehow, the attacker determines the plugin’s name and version number (this could be as easy as viewing the source of your website)
- The attacker creates a plugin with the same name, and a higher version number
- The attacker tricks the wordpress.org team into hosting the plugin (possibly by keeping the initial version clean and adding malware later)
- Once the plugin is on wordpress.org, wp-admin will alert you there’s a new version available, and possibly even auto-update the plugin
- If you update the plugin, you’ll get the attacker’s “newer” version, malware included
Using a third-party plugin on your website involves a considerable amount of trust. WordPress plugins can do pretty much anything on your site, and once a malicious plugin is installed, your site is completely compromised.
This is why plugins should use the “Update URI” header field introduced in WordPress 5.8, to indicate which URL is used to check for updates.
Any plugin that’s not hosted on wordpress.org, but does not specify this using “Update URI”, is a potential vehicle for a supply chain attack. As described above, a hacker could try to get a plugin with the same name accepted on wordpress.org, and infect your website.
The “Update URI” header field is added by the plugin’s author and can have a number of possible values:

| Value | Effect |
|---|---|
| Empty or not set | wordpress.org’s repository will be used |
| A valid URL | This allows a plugin to get updates from a different source |
| “false” | This effectively disables updates for that plugin |
Plugin Report 2.0.0
I’ve recently released version 2.0.0 of my Plugin Report plugin. It introduces a new column in the report, with information about the repository each plugin uses for updates.
To perform its checks, Plugin Report uses the “Update URI” field. If it indicates that a plugin should be present in WordPress’s repository, it checks whether a plugin with that name is indeed found. If that plugin is not found, it’ll display a warning.
If you get this warning for a plugin you created yourself, you can add “Update URI: false” to its header. If it’s a third-party plugin, you could ask the creator to add the header field with whatever value is relevant for that plugin.
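To make the three “Update URI” values from the table above and the check Plugin Report performs concrete, here is a small audit script. It is an added example written for this post, not code from the post itself or from the Plugin Report plugin. It reads the “Plugin Name”, “Version” and “Update URI” headers from a plugin’s main file the way WordPress matches them (key at the start of a comment line, case-insensitive, trailing comment closer stripped), classifies the update source, and warns when a plugin with no “Update URI” has no matching slug on wordpress.org. The plugin files and the `WP_ORG_SLUGS` set are constructed stand-ins; a real audit would query the wordpress.org plugin API for each slug instead of a local set, and single-file plugins (no directory) are not handled.

```python
"""Audit the "Update URI" header of WordPress plugins.

Added example; not code from the post or from the Plugin Report plugin.
Assumptions: the plugin samples and the wordpress.org slug index below are
constructed stand-ins; a real audit would query the wordpress.org plugin API
for each slug instead of consulting a local set.
"""
import re
from urllib.parse import urlparse

# Stand-in for "does a plugin with this slug exist on wordpress.org?" (constructed).
WP_ORG_SLUGS = frozenset({"acme-forms"})

# Constructed main-file contents, keyed by the plugin path WordPress uses
# (the first path component is the slug sent in update checks).
SAMPLE_PLUGINS = {
    "acme-forms/acme-forms.php": """<?php
/**
 * Plugin Name: Acme Forms
 * Version: 1.4.2
 */
""",
    "homebrew-widget/homebrew-widget.php": """<?php
/*
Plugin Name: Homebrew Widget
Version: 0.3.0
*/
""",
    "client-portal/client-portal.php": """<?php
/**
 * Plugin Name: Client Portal
 * Version: 2.1.0
 * Update URI: https://updates.example.com/client-portal
 */
""",
    "internal-tools/internal-tools.php": """<?php
/**
 * Plugin Name: Internal Tools
 * Version: 1.0.0
 * Update URI: false */
""",
}


def read_header(file_text: str, key: str) -> str:
    """Return one header value the way WordPress reads it: the key at the start
    of a comment line (after any ' ', '*', '#', '/', '@'), case-insensitive,
    with a trailing comment closer and whitespace removed. Missing headers
    read as the empty string."""
    pattern = r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$"
    m = re.search(pattern, file_text, re.IGNORECASE | re.MULTILINE)
    if not m:
        return ""
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()


def classify_update_uri(value: str) -> str:
    """Map an Update URI value to the update source described in the post."""
    if value == "":
        return "wordpress.org"   # empty or absent: wordpress.org's repository is used
    if value.lower() == "false":
        return "disabled"        # updates are switched off for this plugin
    parts = urlparse(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "external"        # a valid URL: updates come from another source
    return "invalid"             # neither empty, "false" nor a URL (flagged; assumption)


def audit_plugin(plugin_file: str, file_text: str, wp_org_slugs=WP_ORG_SLUGS) -> dict:
    """Classify one plugin and warn when wordpress.org is implicitly trusted for
    updates but no plugin with that slug exists there: that is the gap a
    same-named, higher-versioned upload could fill."""
    slug = plugin_file.split("/")[0]   # directory-based plugins only (assumption)
    source = classify_update_uri(read_header(file_text, "Update URI"))
    warning = None
    if source == "wordpress.org" and slug not in wp_org_slugs:
        warning = (f"'{slug}' has no Update URI and is not on wordpress.org: "
                   "add 'Update URI: false' or a URL you control")
    elif source == "invalid":
        warning = f"'{slug}' has an Update URI that is neither a URL nor 'false'"
    return {
        "slug": slug,
        "name": read_header(file_text, "Plugin Name"),
        "version": read_header(file_text, "Version"),
        "source": source,
        "warning": warning,
    }


def run_report(plugins=SAMPLE_PLUGINS, wp_org_slugs=WP_ORG_SLUGS) -> list:
    """Audit every plugin and return one row (dict) per plugin."""
    return [audit_plugin(path, text, wp_org_slugs) for path, text in plugins.items()]


if __name__ == "__main__":
    for row in run_report():
        flag = "WARN" if row["warning"] else "ok  "
        print(f"{flag} {row['slug']:<16} {row['version']:<7} {row['source']:<14} {row['warning'] or ''}")
```

Run as a script it prints one line per sample plugin; only `homebrew-widget` is flagged, because it neither sets “Update URI” nor exists in the (constructed) wordpress.org index, which is exactly the situation the attack scenario above depends on. Adding `Update URI: false` (as `internal-tools` does) or a URL you control (as `client-portal` does) clears the warning.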