Abandonware Plugin Exploit Compromises WordPress Sites By Thousands

Posted by Takashi of Insightz Technology, 26-04-2023

Cyberattackers have made news today by infecting over 6,000 WordPress sites with malware that acts as a backdoor dropper, delivered through an abandonware plugin that last received an update 11 years ago.

The attackers abused Eval PHP, a WordPress plugin from developer Flashpixx that lets site owners embed PHP code in their articles. The plugin is installed on over 8,000 websites, potentially putting all of them at risk.

Sucuri has revealed that the attackers first embed a backdoor dropper into the target site's database, inside the content of posts, pages, and navigation menu items. Once the malicious code is in place, it triggers the creation of a rogue PHP script in the website's docroot containing the remote code execution backdoor.

Once the Eval PHP plugin is installed on the compromised site, the rogue PHP script in the website's docroot can be executed with a simple site visit, and it allows further backdoors to be created across other posts on the infected WordPress site. Because the attackers use a legitimate WordPress plugin to install the backdoor dropper, detection is less likely. It also means that if a compromised site is cleaned up only at the page level, the attackers can simply revisit the site, rerun the script and reinfect it.
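As an added example (not code from Sucuri's report or from this post), the following defender-side check scans post, page and navigation-menu rows exported from wp_posts for Eval PHP blocks and flags those whose PHP writes files or decodes request input, which is how the dropper described above persists. The plugin's `[evalphp]` shortcode name and the sample rows are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rows standing in for the output of
# SELECT ID, post_type, post_content FROM wp_posts; not data from any real site.
SAMPLE_POSTS = [
    {"ID": 12, "post_type": "post", "post_content": "<p>Welcome to our blog.</p>"},
    {"ID": 13, "post_type": "page", "post_content":
        "[evalphp] file_put_contents('dropped.php', base64_decode($_POST['d'])); [/evalphp]"},
    {"ID": 14, "post_type": "nav_menu_item", "post_content": "[EvalPHP] echo date('Y'); [/EvalPHP]"},
    {"ID": 15, "post_type": "post", "post_content": "PHP's eval() function is risky to expose."},
]

# Shortcode handled by the Eval PHP plugin (assumed name); WordPress matches it case-insensitively.
SHORTCODE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)
# Calls and superglobals that together suggest a dropper rather than a harmless snippet.
DROPPER_HINTS = ("file_put_contents", "fwrite", "fopen", "eval(", "base64_decode",
                 "$_POST", "$_GET", "$_REQUEST")
# The content types the report names as injection points.
CONTENT_TYPES = {"post", "page", "nav_menu_item"}

@dataclass
class Finding:
    post_id: int
    post_type: str
    severity: str          # "high" when dropper hints are present, otherwise "review"
    hints: list = field(default_factory=list)

def scan_posts(rows):
    """Return one Finding per row whose content carries at least one evalphp block."""
    findings = []
    for row in rows:
        if row["post_type"] not in CONTENT_TYPES:
            continue
        bodies = SHORTCODE.findall(row["post_content"])
        if not bodies:
            continue
        # Any evalphp block deserves review; file writes or request input raise it to high.
        hints = sorted({h for body in bodies for h in DROPPER_HINTS if h in body})
        severity = "high" if hints else "review"
        findings.append(Finding(row["ID"], row["post_type"], severity, hints))
    return findings

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f.post_id} ({f.post_type}): {f.severity} {f.hints}")
```

Run it against a real export by replacing SAMPLE_POSTS with rows from the site's database; a clean result on post content alone does not rule out the rogue script already dropped in the docroot, which must be checked separately.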

The requests that embedded the backdoor dropper into some of the sites' databases trace back to three IP addresses in Russia. It was also observed that the attackers were able to add rogue pages under the site author's name, which suggests they were able to sign in to the site as an administrator.

Site owners are advised to monitor the WP Admin dashboard and watch for unauthorized logins, so that attackers cannot use administrator privileges to install the plugin.

An even better recommendation for all WordPress and non-WordPress users is to call on Insightz Technology for an mXDR solution that will detect and alert users to potential threats, eradicate unauthorized and suspicious activity, and provide a comprehensive analysis of what happened, what has been done, and what needs to be done to increase your security ten-fold.