Connect with us

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

Google

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

captcha plugin

Buying popular plugins with a large user-base and using it for effortless malicious campaigns have
become a new trend for bad actors.

One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.

In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.

While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that

could allow the plugin author or attackers to remotely gain administrative access to WordPress websites
without requiring any authentication.
The plugin was configured to automatically pull an updated “backdoored” version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installation from the official
WordPress repository without site admin consent.

wordpress-plugin

This backdoor code was designed to create a login session for the attacker, who is the plugin author in this

case, with administrative privileges, allowing them to gain access to any of the 300,000 websites (using this plugin) remotely without requiring any authentication.

“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when

you first install it), sets authentication cookies, and then deletes itself’” reads the WordFence blog post. “The backdoor installation code is unauthenticated, meaning anyone can trigger it.”

Also, the modified code pulled from the remote server is almost identical to the code in legitimate plugin

You May Also Like:  I lost my job over a Facebook post - was that fair?
repository, therefore “triggering the same automatic update process removes all file system traces of the
backdoor,” making it look as if it was never there and helping the attacker avoid detection.

wordpress-plugin-hack

The reason behind the adding a backdoor is unclear at this moment, but if someone pays a handsome

amount to buy a popular plugin with a large user base, there must be a strong motive behind.
In similar cases, we have seen how organized cyber gangs acquire popular plugins and applications to
stealthy infect their large user base with malware, adware, and spyware.

While figuring out the actual identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named

“Stacy Wellington” using the email address “scwellington[at]hotmail.co.uk.”

Using reverse whois lookup, the researchers found a large number of other domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

What’s interesting?

All of the above-mentioned domains booked under the user contained the same backdoor code that
the WordFence researchers found in Captcha.

WordFence has teamed up with WordPress to patch the affected version of Captcha plug-in and blocked

the author from publishing updates, so websites administrators are highly recommended to replace their
plugin with the latest official Captcha version 4.4.5.

WordFence has promised to release in-depth technical details on how the backdoor installation and execution

works, along with a proof-of-concept exploit after 30 days so that admins get enough time to patch their websites.

Continue Reading
Advertisement
You may also like...
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

More in Google

To Top
%d bloggers like this: