Connect with us

Hi, what are you looking for?


Application Security

Backdoor in WordPress Plugin Steals Admin Credentials

Custom Content Type Manager (CCTM), a WordPress plugin with over 10,000 active installations, recently turned rogue and started stealing admin credentials via a backdoor, researchers at Sucuri discovered.

Custom Content Type Manager (CCTM), a WordPress plugin with over 10,000 active installations, recently turned rogue and started stealing admin credentials via a backdoor, researchers at Sucuri discovered.

The plugin, designed to help website owners create custom post types, has seen a satisfaction rating of 4.8 over its three years of development. Roughly three weeks ago, however, changes made to it by what was supposedly a new owner resulted in admin credentials being stolen and websites being hacked.

Sucuri’s Denis Sinegubko explains in a blog post that the culprit appeared to be an auto-update.php file recently added to the plugin, which was actually a backdoor that could download files from a suspicious wordpresscore .com domain. The file was added to CCTM on February 18 by “wooranker,” who was included as a contributor to the project just several days before, the Trac issue tracking system reveals.

On February 19, the /includes/CCTM_Communicator.php file was added version of the plugin, along with new code to the plugin’s index.php, designed to send information about the site and the user to the wordpresscore .com server. It does so each time someone logs into the WordPress website, yet the passwords are not sent in plain text, it seems.

Since the password is not there, the attacker decided to adopt a new approach by using the auto-update.php backdoor to upload a c.php file into the plugin directory. This file was used to create a more sophisticated attack shell wp-options.php in the site root directory, after which it was deleted.

The wp-options.php shell is used to modify three core WordPress files that work with user passwords in plaintext, namely wp-login.php, wp-admin/user-new.php, and wp-admin/user-edit.php. As a result, the plugin could steal full credentials and send them to the attacker’s server, and could also steal credentials of newly created users and changed passwords.

Additionally, the script creates a new admin user, under the name of support, with email support@wordpresscore .com. This extra admin account could be used to gain access to a website in the event that there was no user activity to take steal credentials, and some site owners already observed it at work.

Advertisement. Scroll to continue reading.

Another change that wooranker made to the plugin was the inclusion of donutjs into includes/CCTM.php, which is a tracking script that sends referrers to donutjs .com, a website owned by this actor. Attackers looking to inject the script into vulnerable sites can use the gathered referrers for the address of sites that can be hacked.

Sucuri’s researchers suggest that wooranker might have hacked the account of fireproofsocks, CCTM’s actual author, thus being able to list himself as new owner and to modify the plugin for nefarious purposes. Because fireproofsocks made no new changes to the code for ten months, the inactive account and the plugin’s popularity made it the target of choice for this attacker.

Custom Content Type Manager came out about three weeks ago with the malicious code inside, and many unlucky site owners might have already installed it, putting their sites at risk. Over the weekend, however, the actual owner of the plugin issued version, which removes the malicious code and reverts the plugin to the clean state is had in version

Affected admins should update to the new version to ensure they close the backdoor. They should also make sure that the offending ./wp-login.php, ./wp-admin/user-edit.php, and ./wp-admin/user-new.php files haven’t been modified by the plugin.

Sucuri researchers suggest that, as soon as these files are verified, admins should reset the passwords for all WordPress users and should remove any users they don’t recognize, along with the wp-options.php file in the root directory (admins might also consider completely removing CCTM and performing a clean install of version or

Related: WordPress Sites Used to Power Layer 7 DDoS Attacks

Related: WordPress 4.4.2 Patches Open Redirect, SSRF Flaws

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.