Connect with us

Hi, what are you looking for?


Malware & Threats

Abandoned WordPress Plugin Abused for Backdoor Deployment

Attackers are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject PHP code into web pages.

Threat actors are installing the abandoned Eval PHP plugin on compromised WordPress sites and using it to inject malicious PHP code into web pages, WordPress security company Sucuri warns.

An old plugin that has not been updated for over a decade, Eval PHP allows for the injection of PHP code into pages and posts. The code is executed whenever the injected page or post is opened in a browser.

Despite its age, the Eval PHP plugin continues to be available through the WordPress repository, and its use has spiked starting at the end of March 2023, jumping from roughly 40 installations to more than 100,000 within weeks, Sucuri reports.

This spike, the security firm explains, is associated with a malicious campaign in which threat actors are using the plugin to infect compromised websites. Eval PHP allows the attackers to drop the malicious code in multiple posts that are saved as drafts and remain hidden.

The PHP backdoor, Sucuri explains, can hide requests as cookies, which allows it to remain unnoticed.

“In all cases, attackers were able to successfully log into WordPress admin. And the malicious pages are created with a real site administrator as their author. However, on some of the compromised sites we found malicious admin users with random names and emails,” Sucuri explains.

The dropped code “uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor. All the attacker needs to do is to visit one of the infected posts or pages and the backdoor will be injected into the file structure.”

Advertisement. Scroll to continue reading.

By using this approach instead of dropping conventional PHP backdoors, the attackers can reinfect a compromised website when necessary, while remaining hidden: all they need to do is visit a site page.

The issue that this campaign has brought into the spotlight, Sucuri notes, is the need to re-evaluate old plugins that have been abandoned and which pose a security risk.

“Keeping such plugins in the official repository makes it easier for hackers to stay under radar since they can install a legitimate unmodified plugin from a reputable source instead of installing fake plugins or modifying existing plugins, which can be detected by scanners that monitor integrity of known plugins,” Sucuri notes.

Related: Elementor Pro Plugin Vulnerability Exploited to Hack WordPress Websites

Related: Vulnerability in Popular Real Estate Theme Exploited to Hack WordPress Websites

Related: Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...