Custom Content Type Manager (CCTM), a WordPress plugin with over 10,000 active installations, recently turned rogue and started stealing admin credentials via a backdoor, researchers at Sucuri discovered.
The plugin, designed to help website owners create custom post types, has seen a satisfaction rating of 4.8 over its three years of development. Roughly three weeks ago, however, changes made to it by what was supposedly a new owner resulted in admin credentials being stolen and websites being hacked.
Sucuri’s Denis Sinegubko explains in a blog post that the culprit appeared to be an auto-update.php file recently added to the plugin, which was actually a backdoor that could download files from a suspicious wordpresscore .com domain. The file was added to CCTM on February 18 by “wooranker,” who was included as a contributor to the project just several days before, the Trac issue tracking system reveals.
On February 19, the /includes/CCTM_Communicator.php file was added version 0.9.8.8 of the plugin, along with new code to the plugin’s index.php, designed to send information about the site and the user to the wordpresscore .com server. It does so each time someone logs into the WordPress website, yet the passwords are not sent in plain text, it seems.
Since the password is not there, the attacker decided to adopt a new approach by using the auto-update.php backdoor to upload a c.php file into the plugin directory. This file was used to create a more sophisticated attack shell wp-options.php in the site root directory, after which it was deleted.
The wp-options.php shell is used to modify three core WordPress files that work with user passwords in plaintext, namely wp-login.php, wp-admin/user-new.php, and wp-admin/user-edit.php. As a result, the plugin could steal full credentials and send them to the attacker’s server, and could also steal credentials of newly created users and changed passwords.
Additionally, the script creates a new admin user, under the name of support, with email [email protected] .com. This extra admin account could be used to gain access to a website in the event that there was no user activity to take steal credentials, and some site owners already observed it at work.
Another change that wooranker made to the plugin was the inclusion of donutjs into includes/CCTM.php, which is a tracking script that sends referrers to donutjs .com, a website owned by this actor. Attackers looking to inject the script into vulnerable sites can use the gathered referrers for the address of sites that can be hacked.
Sucuri’s researchers suggest that wooranker might have hacked the account of fireproofsocks, CCTM’s actual author, thus being able to list himself as new owner and to modify the plugin for nefarious purposes. Because fireproofsocks made no new changes to the code for ten months, the inactive account and the plugin’s popularity made it the target of choice for this attacker.
Custom Content Type Manager 0.9.8.8 came out about three weeks ago with the malicious code inside, and many unlucky site owners might have already installed it, putting their sites at risk. Over the weekend, however, the actual owner of the plugin issued version 0.9.8.9, which removes the malicious code and reverts the plugin to the clean state is had in version 0.9.8.6.
Affected admins should update to the new version to ensure they close the backdoor. They should also make sure that the offending ./wp-login.php, ./wp-admin/user-edit.php, and ./wp-admin/user-new.php files haven’t been modified by the plugin.
Sucuri researchers suggest that, as soon as these files are verified, admins should reset the passwords for all WordPress users and should remove any users they don’t recognize, along with the wp-options.php file in the root directory (admins might also consider completely removing CCTM and performing a clean install of version 0.9.8.6 or 0.9.8.9).