Malicious Plugins Found on 25,000 WordPress Websites: Study
According to the researchers, adversaries buy the codebase of popular free plugins and then add malicious code and wait for users to apply automatic updates. Attackers were also observed impersonating benign plugin authors to distribute malware.