Legitimate websites are a growing frontier for malware attacks, with over ten million pages affected every year.
Security start-up Dasient claimed the threat has risen as more people create their own websites and blogs without proper built-in security protocols.
Anyone opening an infected page could have the malware downloaded to their computer without even realising it.
"There's a real and present danger of the web being seriously compromised," said Dasient co-founder Neil Daswani.
"This emerging threat is becoming very real and is already affecting millions and millions of websites. 30,000 web pages are affected every day according to the likes of Microsoft and the security firm Sophos," said Mr Daswani, who was a senior security engineer at Google.
With content-management systems such as WordPress being used more and more, combined with the lack of follow-up on security updates and the prevalence of clear "footprints" left by major CMS scripts, it is getting easier to target thousands of websites running the same vulnerable scripts.
Add the problems caused by code inserted by third parties, such as advertising or widgets, and the attack surface is widening rapidly.
What to do? Better diligence by webmasters in managing security issues is one vital aspect. When developing a site using a CMS, plans should be made (and added to contracts for sites developed for hire) to make sure scripts are rapidly brought up to date for every announced vulnerability.
Very few attacks on websites are zero-day exploits; in the overwhelming majority of cases the vulnerability has been known for weeks or months before the worm infects unprotected sites.