Backdoor in Captcha Plugin Affects 300K WordPress Sites

The WordPress repository recently removed the plugin Captcha over what initially appeared to be a trademark issue with the current author using "WordPress" in their brand name.

Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related. Wordfence alerts users when any plugin they are running is removed from the WordPress repo as well.

At the time of its removal, Captcha had over 300,000 active installs, so its removal significantly impacts many users.

Though the developer was the person who posted about the plugin's reason for removal, I decided to look at the plugin source to see if there was some foul play on the part of the developer.

```php
// Added to the Captcha plugin: wires in a custom auto-updater shipped with the plugin.
require_once('cptch_wp_auto_update.php');
$wptuts_plugin_current_version = $cptch_plugin_info;
// $wptuts_plugin_remote_path holds the author's remote update URL, set elsewhere in the plugin.
$wptuts_plugin_slug = plugin_basename(__FILE__);
new cptch_wp_auto_update($wptuts_plugin_current_version, $wptuts_plugin_remote_path, $wptuts_plugin_slug);
```

This code triggers an automatic update process that downloads a ZIP file from that remote URL, then extracts and installs it over the copy of the Captcha plugin running on the site.

The ZIP contains a few small code changes from what is in the plugin repository, and it also contains a file called plugin-update.php, which is a backdoor:

```php
// From plugin-update.php: loads the account with user ID 1, the first administrator,
// and re-fetches it by login name before the session is created.
$user = get_userdata(1);
$username = $user->user_login;
$user = get_user_by('login', $username);
```

A backdoor file allows an attacker, or in this case a plugin author, to gain unauthorized administrative access to your website. This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself. The backdoor installation code is unauthenticated, meaning anyone can trigger it.

We will edit this post to include a proof of concept after 30 days, with technical details on how the backdoor installation and execution works.

One of the other changes in the ZIP file is an update to the URL used by the same automatic update process the developer used to install the backdoor. The code pulled down from the updated URL is identical to what is in the plugin repository, so triggering the same automatic update process again removes all file system traces of the backdoor, making it look as if it was never there and helping the attacker avoid detection.

Who Is the New Captcha Author?

Previously, the plugin development company BestWebSoft owned and maintained the Captcha plugin. The plugin first included this malicious code in the WordPress plugin repository in a commit made in December at 1:52pm UTC.
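The post describes four indicators a site owner can look for on disk: a dropped file named plugin-update.php, a lookup of user ID 1, code that sets authentication cookies, and a file that deletes itself, alongside a call into the plugin's own auto-updater. The following scanner is an added example, not Wordfence's code or part of the Captcha plugin; it assumes the standard WordPress API names (`wp_set_auth_cookie()` for the cookie step and `unlink(__FILE__)` for self-deletion are assumptions about how the described behaviour is implemented) and runs over a constructed, in-memory plugin tree rather than a real install.

```python
"""Constructed example (not Wordfence's code): flag plugin files that carry the
indicators described in the post, ranked by how many indicators each file hits."""
import re
from dataclasses import dataclass, field

# Each indicator is (label, regex). Function names are standard WordPress API
# names; wp_set_auth_cookie() is assumed to be how "sets authentication cookies"
# is implemented, since the post does not quote that line.
INDICATORS = [
    ("lookup of user ID 1", re.compile(r"get_userdata\s*\(\s*1\s*\)")),
    ("auth cookie set", re.compile(r"wp_set_auth_cookie\s*\(")),
    ("self-deletion", re.compile(r"unlink\s*\(\s*__FILE__\s*\)")),
    ("custom auto-updater", re.compile(r"cptch_wp_auto_update")),
]
# File name the post says the update ZIP drops into the plugin.
SUSPICIOUS_NAMES = {"plugin-update.php"}


@dataclass
class Finding:
    path: str
    hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits)


def scan_file(path: str, source: str) -> Finding:
    """Check one file's name and contents against every indicator."""
    finding = Finding(path)
    name = path.rsplit("/", 1)[-1]
    if name in SUSPICIOUS_NAMES:
        finding.hits.append("known dropped filename")
    for label, rx in INDICATORS:
        if rx.search(source):
            finding.hits.append(label)
    return finding


def scan_plugin(files: dict) -> list:
    """Scan a {path: source} mapping; return files with hits, highest score first."""
    findings = [scan_file(path, src) for path, src in files.items()]
    return sorted((f for f in findings if f.hits), key=lambda f: (-f.score, f.path))


# Constructed sample plugin tree: one clean helper file, the updater hook from the
# post, and a file mirroring the indicators the post attributes to plugin-update.php.
SAMPLE_PLUGIN = {
    "captcha/captcha.php": (
        "<?php\nrequire_once('cptch_wp_auto_update.php');\n"
        "new cptch_wp_auto_update($version, $remote_path, $slug);\n"
    ),
    "captcha/plugin-update.php": (
        "<?php\n$user = get_userdata(1);\n"
        "wp_set_auth_cookie($user->ID);\n"
        "unlink(__FILE__);\n"
    ),
    "captcha/includes/helpers.php": (
        "<?php\nfunction cptch_sanitize($s) { return sanitize_text_field($s); }\n"
    ),
}

if __name__ == "__main__":
    for f in scan_plugin(SAMPLE_PLUGIN):
        print(f"{f.path}: {f.score} indicator(s): {', '.join(f.hits)}")
```

Because the post notes that a second update run removes the backdoor file, a single on-disk scan can miss it; keeping file-integrity snapshots of the plugin directory and comparing them over time catches the file that was present and then vanished.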