Free Republic

Popular WordPress Plugin Comes with a Backdoor, Steals Site Admin Credentials
SOFTPEDIA ^ | Mar 5, 2016 00:46 GMT | Catalin Cimpanu

Posted on 03/06/2016 8:51:29 PM PST by Utilizer

that was installing a backdoor through which it was altering core WordPress files so it could log and steal user credentials from infected sites.

First signs of something being wrong were spotted by the Sucuri team, a company that provides website security. Sucuri's researchers were alerted by one of their clients to the presence of a weirdly named file (auto-update.php) that didn't exist until a recent plugin update.

The plugin in question was Custom Content Type Manager (CCTM), a popular WordPress plugin for creating custom post types that, in the three years since it was uploaded on the WordPress plugin repo, has amassed quite a following, being currently installed on more than 10,000 sites.

...

As Sucuri's investigation revealed, in the past two weeks, the plugin, which looked like an abandoned project for the last 10 months, mysteriously changed owner, and immediately after, the new developer, named wooranker, updated the plugin and pushed out a new version.

All the changes he made to the plugin were of a nefarious nature. First, there was the addition of the auto-update.php file, which included the ability to download files from a remote server on the infected website.

Additionally, wooranker also added the CCTM_Communicator.php file, which worked together with another, older, legitimate plugin file. The purpose of these two files was to ping wooranker's server about the presence of a newly infected site.

(Excerpt) Read more at news.softpedia.com ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: internet; malware; security; websites
WordPress users beware!
1 posted on 03/06/2016 8:51:29 PM PST by Utilizer

To: Utilizer

Bloody... Sorry, the first sentence was accidentally left out. It should begin “Security researchers have unmasked the wicked actions of a WordPress plugin”

Followed by “that was installing a backdoor”...

Typing too fast and did not proofread in time. :(


2 posted on 03/06/2016 8:55:45 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)
