Hackers Exploit Outdated WordPress Plugin To Backdoor Thousands Of WordPress Sites

Hackers Exploit Outdated WordPress Plugin To Backdoor Thousands Of WordPress Sites

As part of a continuous campaign, threat actors have been seen using a genuine but old WordPress plugin to backdoor websites, according to research published last week by security firm Sucuri.

The developer flashpixx has made available a plugin called Eval PHP. Users can embed PHP scripts into WordPress pages and posts, which will run automatically whenever the post is viewed.

Statistics acquired by WordPress reveal that despite Eval PHP not having had an update in 11 years, it is still used by over 8,000 websites, with the number of downloads increasing dramatically from a couple each month in September 2022 to 6,988 on March 30th, 2023.

ALSO, READ These Android Apps With A Million Play Store Installations Redirect Users To Malicious Sites

On April 23, 2023, alone, it was downloaded 2,140 times. The plugin has racked up 23,110 downloads over the past seven days.

Hackers Exploit Outdated WordPress Plugin To Backdoor Thousands Of WordPress Sites

GoDaddy-owned Sucuri said it observed some infected websites’ databases injected with malicious code into the “wp_posts” table, which stores a site’s posts, pages, and navigation menu information. The requests originate from three different IP addresses based in Russia.

“This code is quite simple: It uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor,” security researcher Ben Martin said.

“Although the injection in question does drop a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden. All the attacker needs to do is to visit one of the infected posts or pages and the backdoor will be injected into the file structure.”

Hackers Exploit Outdated WordPress Plugin To Backdoor Thousands Of WordPress Sites

Sucuri said it detected over 6,000 instances of this backdoor on compromised websites in the last 6 months, describing the pattern of inserting the malware directly into the database as a “new and interesting development.”

ALSO, READ Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach

The attack chain entails installing the Eval PHP plugin on compromised sites and misusing it to establish persistent backdoors across multiple posts that are sometimes also saved as drafts.

“The way the Eval PHP plugin works it’s enough to save a page as a draft in order to execute the PHP code inside the [evalphp] shortcodes,” Martin explained, adding the rogue pages are created with a real site administrator as their author, suggesting the attackers were able to successfully sign in as a privileged user.

The development once again points to how malicious actors are experimenting with different methods to maintain their foothold in compromised environments and evade server-side scans and file integrity monitoring.

Site owners are advised to secure the WP Admin dashboard as well as watch out for any suspicious logins to prevent threat actors from gaining admin access and install the plugin.