Plugin abandonware as a WordPress threat vector?

I run this site on a tiny VPS that would start crumbling if it got, say, 15 or more hits per second, without caching at least. Now, it doesn’t get more than that, but still. Be prepared, right? So naturally, I use a cache plugin.

Checking up on things a while back, I noticed that the plugin, Comet Cache (free version), had not been updated in more than two years. Slightly concerning, but it still worked. Also, the developer domain that the plugin linked to had not been renewed by the developers. In fact, it had been snatched up by a reseller who would sell it to anybody with about $5000 US to spare. Slightly more concerning.

To make the implicit explicit: I have a guess as to why that domain might be worth $5000, and it’s not good SEO. If the domain turns out to be the key to getting hold of the account that owns Comet Cache, the new domain owner has the chance to “update” 30,000 active installs. A cache plugin is a pretty damn good position to be in for a spreader of malware, ads, junk SEO links, you name it.

The plugin in question however, has multiple domains associated with it:

  • cometcache.com. The product specific website which appears to be under the control of the original developers, at least because it is linked to from…
  • wpsharks.com. The developers, a two-plugin outfit, who appear to have originally gone under the name of…
  • websharks-inc.com. The site that is linked to from the plugin listing and is now owned and administered by hugedomains.com.

By the way, I love the “satisfied customer” quote on the HugeDomains page, which unequivocally tells you that part of HugeDomains’ business is holding accidentally lapsed domains to ransom:

We are thankful that we were still able to renew the purchase of our domain, however it would have been nice had that been clear from the beginning when we initially purchased it.

Rebecca Centers, October 4, 2023

Now, in all likelihood what happened is this: WebSharks Inc. became WPSharks, moved their WordPress accounts (and in turn, their access to the plugin Subversion repository) over to email addresses tied to the new domain, and forgot that a single line, one not used anywhere else, still references websharks-inc.com. And so websharks-inc.com is worthless, because it isn’t used for any valuable accounts anywhere. (Incidentally, wordpress.org accounts do not appear to have the option for MFA, and even so, many implementations still regard email possession as a recovery trump card.)

But there is also the chance that in fact, the developer account still is tied to websharks-inc.com. If so, you can get to update 30,000 live installs by simply completing a few steps.

  • Pay $5000 (though I’d start the bidding at a fraction)
  • Set up a catchall email account on your new domain
  • Tell wordpress.org that you are [insert one of the associated developers’ publicly available usernames] and that you forgot your password.
  • Wait for the reset email to arrive and reset the password
  • Send out a boring-looking update that will add all sorts of interesting things to the cached pages. SEO juicing, malware distribution, etc. The sky’s the limit really.

I reached out to the developers some time ago to point out this issue and while I didn’t get a response, the reference to websharks is gone now. So why harp on about it? I think it’s a nice and simple story with a few easy-to-understand morals.

The most important is to be wary of plugins. I wondered if I could find a site doing an “X days since last major WordPress plugin zero day” joke. I can’t; it doesn’t exist, but searching on Ars Technica, I only had to go back a month before finding just such an article. I don’t think anyone uses WordPress without plugins, but I’m always trying to reduce their number and find more trustworthy suppliers.

The second is the question of what, if anything, WordPress does or can do to safeguard against semi-abandoned plugins being snapped up. I don’t know what they in fact do. But locking out the developer after a certain time without updates would probably be a good idea. Unlocking should then require multiple factors, including but not limited to access to the associated email account.
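The site-owner side of both points can be scripted. The following is an added example of mine, not code from the post, the plugin or WordPress: it parses a plugin’s header block for the Plugin URI and Author URI lines, computes the days since the wordpress.org plugins API `last_updated` timestamp, and flags plugins that are stale, reference more than one developer domain, or reference a domain the operator already knows has lapsed. The plugin name, domains and dates are constructed; the two-year threshold and the split-domain pattern come from the post.

```python
import re
from datetime import date, datetime
from urllib.parse import urlparse

STALE_AFTER_DAYS = 730  # two years without an update, the gap noticed in the post

def parse_plugin_header(php_source):
    """Pull the header block out of a plugin's main PHP file (loose, WP-style match)."""
    header = {}
    for field in ("Plugin Name", "Plugin URI", "Author URI"):  # Author URI is what the listing links to
        m = re.search(rf"^[ \t/*#@]*{field}:[ \t]*(.+?)[ \t]*$", php_source, re.M | re.I)
        if m:
            header[field] = m.group(1)
    return header

def domains_in(header):
    # Distinct hostnames the URI fields point at, leading "www." stripped.
    hosts = set()
    for field in ("Plugin URI", "Author URI"):
        host = urlparse(header.get(field, "")).hostname
        if host:
            hosts.add(host.lower().removeprefix("www."))
    return hosts

def audit_plugin(slug, php_source, last_updated, today, dead_domains=frozenset()):
    """Abandonment indicators for one plugin (last_updated in wordpress.org API format)."""
    header = parse_plugin_header(php_source)
    updated = datetime.strptime(last_updated, "%Y-%m-%d %I:%M%p GMT").date()
    age = (today - updated).days
    findings = []
    if age > STALE_AFTER_DAYS:
        findings.append(f"stale: last update {age} days ago")
    hosts = domains_in(header)
    if len(hosts) > 1:  # split web presence, as with the three domains in the post
        findings.append("multiple developer domains: " + ", ".join(sorted(hosts)))
    for host in sorted(hosts & set(dead_domains)):  # dead_domains: operator's own list of lapsed domains
        findings.append(f"referenced domain lapsed: {host}")
    return {"slug": slug, "header": header, "findings": findings}

# Constructed sample modelled on the post's scenario; not a real plugin or domain.
SAMPLE_PHP = """/*
Plugin Name: Example Cache
Plugin URI: https://example-cache.test/
Author URI: https://old-company.test
*/"""

def audit_sample():
    return audit_plugin("example-cache", SAMPLE_PHP, "2021-05-11 3:05pm GMT",
                        date(2023, 10, 4), dead_domains={"old-company.test"})
```

Run against a real install, the PHP source comes from each plugin’s main file under wp-content/plugins and `last_updated` from the wordpress.org plugins API response for that slug.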

Brown wooden log inside building © Michał Franczak, Unsplash License
