Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites
One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.
In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.
While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that
This backdoor code was designed to create a login session for the attacker, who is the plugin author in this
“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when
you first install it), sets authentication cookies, and then deletes itself,” reads the WordFence blog post. “The backdoor installation code is unauthenticated, meaning anyone can trigger it.”
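The behaviour quoted above (an unauthenticated path that creates a session for user ID 1, sets auth cookies and deletes itself) is what a defender would want to hunt for across plugin directories. The following scanner is an added example, not WordFence's tooling or the Captcha plugin's code; the PHP fragments it inspects are constructed stand-ins, and the patterns are heuristics that only flag files for manual review.

```python
import re
from typing import Dict, List

# Constructed PHP fragments standing in for plugin files on disk (not the real plugin source).
SAMPLE_FILES: Dict[str, str] = {
    "captcha/login.php": """<?php
// normal flow: credentials go through WordPress' own login function
$user = wp_signon( array( 'user_login' => $login, 'user_password' => $pass ), true );
""",
    "captcha/inc/update.php": """<?php
// becomes the first (admin) user with no check at all, then removes itself
wp_set_current_user( 1 );
wp_set_auth_cookie( 1 );
@unlink( __FILE__ );
""",
}

# Session created for a hard-coded user ID 1 (the default WordPress admin account).
HARDCODED_SESSION = re.compile(r"wp_set_(?:current_user|auth_cookie)\s*\(\s*1\s*[,)]")
# Any sign that the file gates the action behind real authentication or a nonce.
AUTH_GATE = re.compile(r"\b(?:wp_signon|wp_verify_nonce|current_user_can|is_user_logged_in)\s*\(")
# Code that removes its own file after running, as the quoted backdoor did.
SELF_DELETE = re.compile(r"unlink\s*\(\s*__FILE__\s*\)")


def scan_file(source: str) -> List[str]:
    """Return human-readable findings for one PHP source string (empty list = nothing suspicious)."""
    findings: List[str] = []
    if HARDCODED_SESSION.search(source):
        findings.append("session created for hard-coded user ID 1")
        if not AUTH_GATE.search(source):
            findings.append("no authentication gate (wp_signon/nonce/capability check) in file")
    if SELF_DELETE.search(source):
        findings.append("file deletes itself after running")
    return findings


def scan_plugin(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged path to its findings; clean files are omitted."""
    report = {path: scan_file(src) for path, src in files.items()}
    return {path: f for path, f in report.items() if f}


if __name__ == "__main__":
    for path, findings in scan_plugin(SAMPLE_FILES).items():
        print(path)
        for line in findings:
            print("  -", line)
```

Pointing `scan_plugin` at the contents of `wp-content/plugins/` (reading each `.php` file into the dict) turns this into a quick triage pass after a plugin changes hands or updates unexpectedly.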
Also, the modified code pulled from the remote server is almost identical to the code in legitimate plugin
The reason behind adding a backdoor is unclear at this moment, but if someone pays a handsome
While figuring out the actual identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named
Using reverse whois lookup, the researchers found a large number of other domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.
WordFence has teamed up with WordPress to patch the affected version of the Captcha plugin and blocked
WordFence has promised to release in-depth technical details on how the backdoor installation and execution