
Backdoor in WordPress Plugin Steals Admin Credentials

Custom Content Type Manager (CCTM), a WordPress plugin with over 10,000 active installations, recently turned rogue and started stealing admin credentials via a backdoor, researchers at Sucuri discovered.


The plugin, designed to help website owners create custom post types, has seen a satisfaction rating of 4.8 over its three years of development. Roughly three weeks ago, however, changes made to it by what was supposedly a new owner resulted in admin credentials being stolen and websites being hacked.

Sucuri’s Denis Sinegubko explains in a blog post that the culprit appeared to be an auto-update.php file recently added to the plugin, which was actually a backdoor that could download files from a suspicious wordpresscore .com domain. The file was added to CCTM on February 18 by “wooranker,” who had been listed as a contributor to the project just a few days earlier, the Trac issue tracking system reveals.

On February 19, the /includes/CCTM_Communicator.php file was added in version 0.9.8.8 of the plugin, along with new code in the plugin’s index.php designed to send information about the site and the user to the wordpresscore .com server. It does so each time someone logs into the WordPress website, though the passwords do not appear to be sent in plain text.

Since the password was not included in that data, the attacker adopted a new approach, using the auto-update.php backdoor to upload a c.php file into the plugin directory. This file was used to create a more sophisticated attack shell, wp-options.php, in the site root directory, after which it was deleted.

The wp-options.php shell is used to modify three core WordPress files that work with user passwords in plaintext, namely wp-login.php, wp-admin/user-new.php, and wp-admin/user-edit.php. As a result, the plugin could steal full credentials and send them to the attacker’s server, and could also steal credentials of newly created users and changed passwords.

Additionally, the script creates a new admin user named support, with the email address [email protected] .com. This extra admin account could be used to gain access to a website in the event that there was no user activity from which to steal credentials, and some site owners have already observed it in use.

Another change that wooranker made to the plugin was the inclusion of donutjs in includes/CCTM.php, a tracking script that sends referrers to donutjs .com, a website owned by this actor. The gathered referrers give the attacker the addresses of sites running the injected script, that is, sites that can be hacked.

Sucuri’s researchers suggest that wooranker might have hacked the account of fireproofsocks, CCTM’s actual author, and was thus able to list himself as the new owner and modify the plugin for nefarious purposes. Because fireproofsocks had made no changes to the code for ten months, the inactive account and the plugin’s popularity made it the target of choice for this attacker.

Custom Content Type Manager 0.9.8.8 came out about three weeks ago with the malicious code inside, and many unlucky site owners might have already installed it, putting their sites at risk. Over the weekend, however, the actual owner of the plugin issued version 0.9.8.9, which removes the malicious code and reverts the plugin to the clean state it had in version 0.9.8.6.

Affected admins should update to the new version to ensure they close the backdoor. They should also make sure that the offending ./wp-login.php, ./wp-admin/user-edit.php, and ./wp-admin/user-new.php files haven’t been modified by the plugin.

Sucuri researchers suggest that, as soon as these files are verified, admins should reset the passwords for all WordPress users and should remove any users they don’t recognize, along with the wp-options.php file in the root directory (admins might also consider completely removing CCTM and performing a clean install of version 0.9.8.6 or 0.9.8.9).
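The clean-up steps above reduce to two file-system checks: look for the files the article names as planted, and confirm that the three credential-handling core files still match known-good copies. The script below is an added example written for this article; it is not Sucuri's or SecurityWeek's code, and it is not a WordPress tool. It assumes the plugin lives under a `custom-content-type-manager` directory (the directory name is an assumption) and that you can supply SHA-256 digests of the core files taken from a pristine download of the same WordPress version. The `build_demo_site()` helper constructs a fake WordPress tree with one tampered core file so the scanner can be exercised offline; on a real install you would point `scan()` at the site root instead.

```python
import hashlib
import os
import tempfile

# Plugin directory name is an assumption; adjust it to match the install being checked.
PLUGIN_DIR = os.path.join("wp-content", "plugins", "custom-content-type-manager")

# Files the article reports as planted by the backdoor (relative to the WordPress root).
PLANTED_FILES = [
    "wp-options.php",                                                # attack shell in site root
    os.path.join(PLUGIN_DIR, "auto-update.php"),                     # backdoor downloader
    os.path.join(PLUGIN_DIR, "c.php"),                               # uploaded stager
    os.path.join(PLUGIN_DIR, "includes", "CCTM_Communicator.php"),   # beacon to attacker server
]

# Core files the shell modified because they handle user passwords in plaintext.
CORE_FILES = [
    "wp-login.php",
    os.path.join("wp-admin", "user-new.php"),
    os.path.join("wp-admin", "user-edit.php"),
]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_files(wp_root):
    """Return the relative paths of indicator files that exist under wp_root."""
    return [rel for rel in PLANTED_FILES if os.path.isfile(os.path.join(wp_root, rel))]


def verify_core_files(wp_root, expected):
    """Compare the credential-handling core files against known-good SHA-256 digests.
    Returns {relative_path: reason} for every file that fails the check."""
    problems = {}
    for rel in CORE_FILES:
        path = os.path.join(wp_root, rel)
        if not os.path.isfile(path):
            problems[rel] = "missing"
        elif rel not in expected:
            problems[rel] = "no reference hash"
        elif sha256_of(path) != expected[rel]:
            problems[rel] = "modified"
    return problems


def scan(wp_root, expected):
    """Run both checks and return their findings together."""
    return {"planted": find_planted_files(wp_root),
            "core": verify_core_files(wp_root, expected)}


def build_demo_site():
    """Constructed sample: a throwaway WordPress-like tree with clean core files whose
    hashes are recorded, then wp-login.php is tampered with and two planted files are
    dropped in, mirroring the article's description. Returns (root, expected_hashes)."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    clean = {
        "wp-login.php": b"<?php // constructed clean login file\n",
        os.path.join("wp-admin", "user-new.php"): b"<?php // constructed clean user-new\n",
        os.path.join("wp-admin", "user-edit.php"): b"<?php // constructed clean user-edit\n",
    }
    expected = {}
    for rel, body in clean.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
        expected[rel] = hashlib.sha256(body).hexdigest()
    # Tamper with wp-login.php: any appended code changes its digest.
    with open(os.path.join(root, "wp-login.php"), "ab") as f:
        f.write(b"// constructed placeholder for injected code\n")
    # Drop two of the planted files (contents are placeholders, not real shells).
    for rel in ("wp-options.php", os.path.join(PLUGIN_DIR, "auto-update.php")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path) or root, exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"<?php // constructed placeholder\n")
    return root, expected


if __name__ == "__main__":
    root, expected = build_demo_site()
    result = scan(root, expected)
    print("planted files found:", result["planted"])
    print("core file problems:", result["core"])
```

On a live site, the reference hashes are best taken from a fresh copy of the exact WordPress release in use; WP-CLI's `wp core verify-checksums` performs the same core-file comparison against the official checksums. Neither check covers the rogue `support` admin account, which still has to be reviewed in the users table and removed by hand.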
