Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites
One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.
In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.
While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication.
The plugin was configured to automatically pull an updated “backdoored” version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installation from the official WordPress repository without site admin consent.
This backdoor code was designed to create a login session for the attacker, who is the plugin author in this case, with administrative privileges, allowing them to gain access to any of the 300,000 websites (using this plugin) remotely without requiring any authentication.
“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself’” reads the WordFence blog post. “The backdoor installation code is unauthenticated, meaning anyone can trigger it.”
The reason behind adding a backdoor is unclear at this moment, but if someone pays a handsome amount to buy a popular plugin with a large user base, there must be a strong motive behind.
In similar cases, we have seen how organized cyber gangs acquire popular plugins and applications to stealthy infect their large user base with malware, adware, and spyware.
While figuring out the actual identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named “Stacy Wellington” using the email address “scwellington[at]hotmail.co.uk.”
Using reverse whois lookup, the researchers found a large number of other domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.
What’s interesting? All of the above-mentioned domains booked under the user contained the same backdoor code that the WordFence researchers found in Captcha.
WordFence has teamed up with WordPress to patch the affected version of Captcha plug-in and blocked the author from publishing updates, so websites administrators are highly recommended to replace their plugin with the latest official Captcha version 4.4.5.
WordFence has promised to release in-depth technical details on how the backdoor installation and execution works, along with a proof-of-concept exploit after 30 days so that admins get enough time to patch their websites.
Now your take on this argument.
We would also like to hear what you feel about the topic we discussed today. Your feedback is very important to us. Feel free to drop your comments and recommendations. If you have a contrary opinion, you can drop that too.
You can also join our Facebook Page CRMNigeria for more updates. You can do that by clicking on the link or searching for our page on Facebook.
You need to confirm your subscription by clicking on the link sent to you. You can check the spam folder for it. Add us to your mailing list to receive directly from us.
PS: Click on the link below to sign up for my Online E-Course CRM Training. Make sure you confirm your subscription by clicking on the link sent to you. Thanks.
Adeniyi Salau (CCNA,CDMP, CEP, MOS, MCP, CSCU (Project 2016), Microsoft Certified Security and Networking Associate is a Google and Beingcert Certified Digital Marketer, Project Manager and SEO Expert of repute with about a decade of Blogging and online marketing experience. He is always ready to share his experience with others.