WordPress captcha plugin having a hidden backdoor affects over 300,000 websites. Obtaining prevalent plugins with an enormous user-base and using it for effortless malicious campaigns have become a new trend for bad players.
Recently a renowned developer BestWebSoft sold a popular WordPress Captcha plugin to an anonymous buyer, who then amended the plugin to download and install a hidden backdoor.
In a recent blog post, WordFence security firm shown why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.
While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication.
The plugin was configured to automatically pull an updated “backdoored” version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installation from the official WordPress repository without site admin consent.
In WordPress captcha plugin this backdoor code was designed to create a login session for the attacker, who is the plugin author in this case, with administrative privileges, allowing them to gain access to any of the 300,000 websites (using this plugin) remotely without requiring any authentication?
“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself’” reads the WordFence blog post. “The backdoor installation code is unauthenticated, meaning anyone can trigger it.”
Also, the modified code pulled from the remote server is almost identical to the code in legitimate plugin repository, therefore “triggering the same automatic update process removes all file system traces of the backdoor,” making it look as if it was never there and helping the attacker avoid detection.
The reason behind the adding a backdoor is unclear at this moment, but if someone pays a handsome amount to buy a popular plugin with a large user base, there must be a strong motive behind.
In similar cases, we have seen how organized cyber gangs acquire popular plugins and applications to stealthy infect their large user base with malware, adware, and spyware.
While figuring out the actual identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named “Stacy Wellington” using the email address “scwellington[at]hotmail.co.uk.”
Using reverse whois lookup, the researchers found a large number of other domains registered to the same user, including Convert me Popup, Death to Comments, Human Captcha, Smart Recaptcha, and Social Exchange.
Most Popular Training Courses at Indian Cyber Security Solutions