Popular WordPress plugin found to contain a backdoor


    Security researchers have found a backdoor in a WordPress plugin that modified core platform files in order to intercept logins and steal user credentials.

    The first signs of the backdoor were noticed by staff at Sucuri, a company that works in website security. One of their clients spotted a file with an odd name (auto-update.php) that had not existed until the plugin was updated shortly before.

    The plugin in question is Custom Content Type Manager (CCTM), a popular WordPress plugin for creating custom post types. CCTM had been available in the WordPress.org plugin directory for three years and had gathered a sizeable audience: it is installed on more than 10,000 sites.

    Version 0.9.8.8 of the Custom Content Type Manager plugin contains malicious code


    The plugin, which had looked abandoned for the past 10 months, mysteriously changed owners within the previous two weeks, and the change was immediately followed by a new version released under the name of its new developer, who uses the nickname Wooranker. The new version contained nothing but malicious changes:

    • The auto-update.php file was added; it can download files from a remote server onto the infected site.
    • Wooranker also added a CCTM_Communicator.php file, which works together with an old, previously harmless file of the plugin. The purpose of these two files was to notify Wooranker of newly infected sites by pinging his server.
    • Beyond collecting information about the infected site, the new CCTM version intercepted WordPress user logins and passwords and sent them, in encrypted form, to wordpresscore.com.

    These modifications shipped as update 0.9.8.8 of Custom Content Type Manager, which let them spread easily: through automatic updates on sites that had them enabled, or when users installed the update themselves.

    Sucuri reports that once the stolen data came in, Wooranker tried to use it. He manually attempted to log in to one of the infected sites, without success, because the site's owner had moved the login page to a non-standard URL. After that failure, Wooranker quickly changed tactics. Using the auto-update.php backdoor, he forced the victim's site to download and run a file named c.php, which in turn created another file, wp-options.php (a name chosen to resemble the legitimate wp-settings.php). That file modified the WordPress core files wp-login.php, wp-admin/user-new.php and wp-admin/user-edit.php.

    These changes let the attacker monitor account activity (account creation, editing and password changes) and capture the submitted credentials in plaintext, before WordPress hashed them, then send the captured data out.

    Did the hacker reveal his identity?


    In case CCTM_Communicator.php proved insufficient, Wooranker also wrote his own JavaScript analytics code, which the CCTM plugin loaded disguised as a copy of jQuery.

    This script reported newly infected sites to the domain donutjs.com. Sucuri later determined that all the domains used in the attack were registered to a man named Vishnudat Mangilipudi, who lives in Andhra Pradesh, India, but his details may themselves have been stolen, and he is unlikely to be the attacker.

    Although Sucuri was not the first to notice the plugin's strange behaviour, unlike the plugin's users they recognised that auto-update.php was a backdoor rather than merely a security vulnerability in the plugin.

    WordPress administrators who have CCTM installed should remove it immediately and restore the WordPress core files from a clean copy. If you need CCTM, use its last stable version, 0.9.8.6 (version 0.9.8.7 has vulnerabilities).
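    A practical companion to the indicator list and the remediation advice above, added here as an example and not part of the original article or of Sucuri's tooling: a Python scan that looks for the dropped files, for references to the two attacker domains inside the rewritten core files, and for hash mismatches against a trusted manifest. The plugin directory slug (custom-content-type-manager), the sha256 manifest built from a clean copy, and the sample file contents are assumptions constructed for the demo.

```python
"""Offline indicator scan for the CCTM backdoor described in this article.

Added example (not Sucuri's tooling): it checks a WordPress document root
for the files and core-file changes the article names, then verifies the
rewritten core files against a trusted checksum manifest.  The plugin
directory slug and the manifest format are assumptions, not from the page.
"""
import hashlib
import os
import tempfile

# Attacker-controlled domains named in the article.
C2_DOMAINS = ("wordpresscore.com", "donutjs.com")

# Plugin slug is an assumption; adjust it to the directory actually present.
CCTM_DIR = "wp-content/plugins/custom-content-type-manager"

# Files the article describes as dropped by the malicious release or backdoor.
SUSPECT_FILES = (
    CCTM_DIR + "/auto-update.php",
    CCTM_DIR + "/CCTM_Communicator.php",
    "wp-options.php",   # look-alike of the legitimate wp-settings.php
    "c.php",
)

# Core files the article says the dropper rewrote to capture credentials.
WATCHED_CORE = ("wp-login.php", "wp-admin/user-new.php", "wp-admin/user-edit.php")


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def build_manifest(clean_root, rel_paths):
    """Map relative path -> sha256 taken from a known-clean WordPress tree.

    In production you would instead use the per-file checksums that
    api.wordpress.org publishes for a given core version (those are md5);
    this locally built sha256 manifest stands in for that so the example
    runs offline.
    """
    return {rel: sha256_file(os.path.join(clean_root, rel)) for rel in rel_paths}


def scan(root, manifest):
    """Return a sorted list of (indicator, detail) findings for a site root."""
    findings = []
    for rel in SUSPECT_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append(("suspect-file", rel))
    for rel in WATCHED_CORE:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            body = fh.read()
        for domain in C2_DOMAINS:
            if domain.encode() in body:
                findings.append(("c2-reference", "%s:%s" % (rel, domain)))
        expected = manifest.get(rel)
        if expected is not None and hashlib.sha256(body).hexdigest() != expected:
            findings.append(("core-modified", rel))
    return sorted(findings)


# Constructed stand-ins for the real core files: only their hashes matter.
CLEAN_CORE = {
    "wp-login.php": b"<?php\n// constructed stand-in for the login handler\n",
    "wp-admin/user-new.php": b"<?php\n// constructed stand-in\n",
    "wp-admin/user-edit.php": b"<?php\n// constructed stand-in\n",
}


def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)


def demo():
    """Build a clean and an infected tree in a temp dir; return both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        infected = os.path.join(tmp, "infected")
        for root in (clean, infected):
            for rel, body in CLEAN_CORE.items():
                _write(root, rel, body)
        manifest = build_manifest(clean, CLEAN_CORE)

        # Constructed infection: two of the dropped files plus a rewritten
        # wp-login.php that references the exfiltration domain.
        _write(infected, CCTM_DIR + "/auto-update.php", b"<?php // constructed stand-in\n")
        _write(infected, "wp-options.php", b"<?php // constructed stand-in\n")
        _write(infected, "wp-login.php",
               CLEAN_CORE["wp-login.php"] + b"// constructed: posts to wordpresscore.com\n")
        return scan(clean, manifest), scan(infected, manifest)


if __name__ == "__main__":
    clean_findings, infected_findings = demo()
    print("clean:", clean_findings)
    print("infected:", infected_findings)
```

    Run as a script, the clean tree returns no findings and the constructed infected tree returns four (two suspect files, one domain reference, one modified core file). On a real site, replace build_manifest with the per-file checksums api.wordpress.org publishes for the installed core version (the same data WP-CLI's wp core verify-checksums compares against), and treat any hit as a reason to restore core from a fresh download rather than to edit files in place.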

    Note also that CCTM version 0.9.8.9 has since been released; it contains no malicious code and is identical to version 0.9.8.6.

    Source
