Wordpress Threats

Backdoors Found in Three More Popular WordPress Plugins

Tom Grant
Tom Grant
3 Min Read

In recent weeks, the problems of the WordPress plugin ecosystem have received close attention from experts. So, three years ago, backdoors were found in 14 plugins for the popular CMS, which were then removed from the official repository. But a recent study showed that hundreds of sites are still running these dangerous solutions.

Slightly earlier in the WordPress Plugins Directory a more recent Captcha plugin was discovered , which also contained a backdoor. Captcha has been installed on 300,000 sites. As a result, the WordPress developers took unprecedented measures and forcibly updated the malicious version of the plugin to a “clean” one.

Now Wordfence analysts reported that three more plugins are affected by the same problem.

Plugin name

Number of active installs

Date the backdoor was added

Where does the backdoor go to Date removed by the WordPress security team

Duplicate Page and Post

50 000+

v2.1.0

( August 2017)

cloud-wp.org December 14, 2017

WP No External Links

v4.2.1 (July 2017) wpconnect.org

No Follow All External Links 9 000+ v2.1.0 (April 2017) cloud.wpserve.orgDecember 19, 201730 000+December 22, 2017

The situation with the above plugins is similar to the previous cases. Thus, all plug-ins access the remote servers of the attackers, and also embed various content and SEO links on the pages of infected sites.

Wordfence researchers believe that the infection of all three plugins is most likely the work of the same attacker. Experts came to this conclusion during the study of the threat and a thorough investigation. So, in two out of three cases, backdoors access domains that are located on the same IP address. Two plugins out of three from the developers were bought by the same company, Orb Online. In both cases, the purchase letters were written according to the same template. And most importantly, in all three cases, the backdoor code is almost the same.

Analysts note with sadness that now we are witnessing an already established trend or a well-established fraudulent scheme. A company buys a plugin from its developer, waits for a while, and then releases a malicious update that ends up infecting many sites. Moreover, criminals often act on a very large scale.

For example, a recent infection of the Captcha plugin with a backdoor has been linked to a specific person. Information security experts found out that behind the malicious campaign was a person who had previously been convicted of distributing backdoors through plugins. According to analysts, this is Mason Soiza (Mason Soiza) who was previously caught injecting a malicious code to the Display Widgets plugin. Let me remind you that this “product” was completely removed from the official repository four times.

Source: xaker.ru

Translate this article

TAGGED: , , , , ,
Share This Article

STAY CONECTED

LAST 10 ALERT

Detecting zero-days before zero-day
Detecting zero-days before zero-day
Apps
See what threats are lurking in your Office 365 with Cloudflare Email Retro Scan
See what threats are lurking in your Office 365 with Cloudflare Email Retro Scan
Apps
Network performance update: Birthday Week 2023
Network performance update: Birthday Week 2023
Apps
Cloudflare now uses post-quantum cryptography to talk to your origin server
Cloudflare now uses post-quantum cryptography to talk to your origin server
Apps
Privacy-preserving measurement and machine learning
Privacy-preserving measurement and machine learning
Apps
Lost your password?