A Backdoored WordPress Plugin and 3 Additional Vulnerabilities

This entry was posted in Wordfence, WordPress Security on March 8, 2016 by Mark Maunder

We have several plugin vulnerabilities we’d like to bring to your attention this week.

First up is a backdoor that was added to the Custom Content Type Manager plugin. The backdoor was added by a malicious coder who gained access to the plugin code in the official WordPress plugin repository.

It’s unclear whether the plugin author’s credentials were stolen or whether the malicious actor was granted access. The WordPress security team removed the malicious user account that added the backdoor to the plugin. They have also removed all malicious code that was added to the plugin and updated the version number so that users running this plugin will be prompted to upgrade.

If you are using Custom Content Type Manager, you will need to take the following steps to remove any infection and install the updated non-backdoored version of the plugin.

  1. Update to version 0.9.8.9 of Custom Content Type Manager
  2. The malicious code in this plugin installed a backdoor in WordPress core files, so run a Wordfence scan on your site to check the integrity of your core files. The free version of Wordfence will do this. Make sure the option to compare your core files against the official WordPress versions is enabled. In the scan results, make sure that the following three files are not modified.
    • wp-login.php
    • wp-admin/user-edit.php
    • wp-admin/user-new.php
  3. If any of the above files are modified, you can use Wordfence to repair them.
  4. Change the passwords of all your users.
  5. Delete any user accounts you don’t recognize. Check admin accounts in particular.
  6. If a file called wp-options.php exists in your home directory, remove it.
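As an added example (not Wordfence's code and not part of the original post), the following POSIX shell script performs the offline equivalent of steps 2 and 6 above: it compares the three core files with a reference checksum list taken from a clean copy of the same WordPress version and reports a stray wp-options.php. The argument names, the `check_core_files` function and the `ref.sums` file layout are assumptions; `sha256sum` from coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example, not Wordfence's code. Checks the three core files the post names
# against a reference checksum list and looks for a dropped wp-options.php.
# Assumptions: the first argument is the WordPress document root; the second is a
# file of "sha256  relative/path" lines generated from a clean checkout of the same
# WordPress version, e.g.:
#   cd /path/to/clean-wordpress && sha256sum wp-login.php \
#     wp-admin/user-edit.php wp-admin/user-new.php > ref.sums

CORE_FILES="wp-login.php wp-admin/user-edit.php wp-admin/user-new.php"

# check_core_files WP_ROOT REF_SUMS
# Prints one line per file ("OK", "MODIFIED", "MISSING" or "NO-REFERENCE") plus
# "SUSPICIOUS-FILE" if wp-options.php exists. Returns 0 only when everything is clean.
check_core_files() {
  wp_root=$1
  ref_sums=$2
  status=0
  for f in $CORE_FILES; do
    # Look up the expected hash for this relative path in the reference list.
    expected=$(awk -v p="$f" '$2 == p { print $1 }' "$ref_sums")
    if [ -z "$expected" ]; then
      echo "NO-REFERENCE $f"; status=1; continue
    fi
    if [ ! -f "$wp_root/$f" ]; then
      echo "MISSING $f"; status=1; continue
    fi
    actual=$(sha256sum "$wp_root/$f" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
      echo "MODIFIED $f"; status=1
    else
      echo "OK $f"
    fi
  done
  # Step 6 of the post: wp-options.php is not a WordPress core file, so its
  # presence in the site root is a finding on its own.
  if [ -e "$wp_root/wp-options.php" ]; then
    echo "SUSPICIOUS-FILE wp-options.php"; status=1
  fi
  return $status
}

# Run directly as: sh check_core.sh /var/www/html /path/to/ref.sums
if [ "$#" -eq 2 ]; then
  check_core_files "$1" "$2"
fi
```

A non-zero exit is the cue to repair the flagged files from an official WordPress release (or with Wordfence's repair function) and to continue with the password and account review in steps 3 to 5.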

The SP Projects and Document Manager plugin version 2.5.9.6 has multiple vulnerabilities, including file upload, code execution, SQL injection and XSS. Update to version 2.6.1.1 immediately; it contains the vendor-released fixes and is the newest version.

If you are running Easy Digital Downloads, ensure you’ve updated to at least version 2.5.8 which fixes an object injection vulnerability. The current version is 2.5.9. The vulnerability was disclosed within the past week.

A vulnerability was publicly disclosed in the Bulk Delete plugin earlier this month that allows unprivileged users to delete pages or posts. The vendor has already released a fix so make sure that if you’re using the Bulk Delete Plugin, you’ve updated to version 5.5.4 which is the latest version.

That concludes our vulnerability roundup for this week. Please share this with the larger WordPress community to help create awareness of these issues.


40 Comments on "A Backdoored WordPress Plugin and 3 Additional Vulnerabilities"

Ryan J. Haught March 8, 2016 at 9:23 am

Thank you for all of the hard work you do to keep the WordPress community safe! :)

Bill Tirmer March 8, 2016 at 9:29 am

Just want to thank you for this and all the regular security updates you provide. It gives my team the confidence we need to maintain our international sites. We could not work without Wordfence Premium.

Andreas Ostheimer March 8, 2016 at 9:30 am

My guess is that it would be a good idea to actually verify personal information of every WordPress developer before granting access to the repository or publishing submitted code.
My angle on this is: don't use those free plugins if there is a premium plugin with support out there.

Diego March 8, 2016 at 11:02 am

Although there isn't always a black and white distinction between free and premium plugins, having access to support is indeed invaluable. I wish more people understood such important aspect.
Just recently I had a discussion with a self-declared "web developer" who stated that he never buys any premium product, under any circumstances, because he wants to save money and, "in worst case, a free plugin only takes some time to fix". Our ancestors used to say that time is money (today more than ever), but such a valuable teaching seems to fall on deaf ears quite often.

Brandon March 8, 2016 at 11:35 am

Where's the "like" button?

Everything I.T. March 8, 2016 at 3:52 pm

?? It doesn't have anything to do with being a free plugin or one that was paid for. I fail to see your reasoning. I have seen just as bad code in premium plugins and/or themes as I have seen in free ones...and just as many on both sides. While there is a slim edge that the desire to "knowingly" contribute malicious code is slightly less because they are trying to run a business, it still doesn't mean that individual couldn't be hacked themselves.

Ryan March 8, 2016 at 9:36 am

Thanks for the heads up and all your efforts!

Webbit March 8, 2016 at 9:40 am

Thanks for the headsup Wordfence! Appreciate your efforts in keeping the WP community safe. Have shared your blogpost on socials.

Angel Navarro March 8, 2016 at 9:43 am

Hackers will think of every way to create holes and break into systems. Also, has this happened before? I would tend to believe this is not the first time this method of hacking has been made.

Geoff March 8, 2016 at 9:45 am

Many thanks for your great plugin. I run a lot of charity sites for free, would love to upgrade to a paid version but at your current rates it would be prohibitive.

mark March 8, 2016 at 9:53 am

Thanks Geoff. Right now a single license is $59 a year which is about $4.91 a month. We work hard to keep our prices low while continuing to build an amazing product and team. I'd love to give more away (90% of Wordfence is included in the free version) but we also need to continue to invest in great people, research and operations. To put things in perspective, we currently have 5 positions open (a total of 8 people we're hiring) at wordfence.com/careers/ - we've chosen to invest fairly heavily to ensure Wordfence continues to deliver the best in defense and detection. Thanks again for your feedback. ~Mark

David Wilks March 8, 2016 at 3:53 pm

The multisite licence is a bargain. Prior to installing Wordfence I had regular issues with attacks, twice bringing my main site down. Since installing, I've had no issues despite regular attempts to hack the site.

Wordfence is a great example of getting what you pay for. Can't recommend it highly enough!

Mark Arambula March 8, 2016 at 9:46 am

Thanks for the updates as usual. Wordfence to the rescue!

Jak March 8, 2016 at 10:01 am

Great job as usual!

Claudia Bohringer March 8, 2016 at 10:03 am

Thank you for that information - security rules!

Paul Stonier March 8, 2016 at 10:04 am

Thanks for keeping us to date. Glad to not see any plugins that I'm using listed here.

David Coleman March 8, 2016 at 10:13 am

As always, thanks so much for the great service you provide!

Eric Rotmil March 8, 2016 at 10:24 am

So if I haven't done any updates lately no worries? I have auto updates switched off shouldn't be an issue for me or others that wait on updates. ??
Thanks Mark for all your great products and insights

Jesse March 8, 2016 at 4:34 pm

0.9.8.6 was a good version (0.9.8.9 is the clean 0.9.8.6 re-released). Timeframe for bad downloads was Feb 17, 2016 - March 05, 2016.

Dan March 8, 2016 at 10:47 am

Thanks for the heads up! Gotta watch out for those plugin vulnerabilities. That seems to be the target these days. Great thing that you guys at Wordfence are monitoring these things. Very useful plugin, one of my favs!

Terence March 8, 2016 at 10:53 am

Is there a more essential Wordpress plugin than Wordfence? The answer is a resounding no!

Thanks for all the work you do to keep us safe!

Jean-Pierre March 8, 2016 at 10:57 am

Thank you for your help in keeping our site safe! We upgraded to the premium many months ago. It is just great and we learned a lot too!

Gav March 8, 2016 at 11:25 am

You guys do an amazing job thank you for keeping us all safe.

Lisa March 8, 2016 at 11:37 am

Thank you for this information. I'm new to Word Fence & have a very basic knowledge of Wordpress. I use Prophoto with Wordpress. I don't have this plugin, so I'm assuming that I don't have to do anything further?

Steve Funnell March 8, 2016 at 12:23 pm

Hi Lisa,

That's right you don't need to worry if you're not using any of these infected plugins.

Always ensure your Wordpress version and all plugins are kept up-to-date (pending their compatibility with your Wordpress version) and never use a generic login Username or password.

Lisa March 9, 2016 at 9:54 am

Thank you so much, Steve, for the helpful answer & information. I appreciate it.

Steve Funnell March 8, 2016 at 12:16 pm

Thanks Wordfence, what would we do without you!!

Spike March 8, 2016 at 12:22 pm

And so the industry has to do yet another deep dive, fix the issues, alert everybody, and lick our wounds.

The level of complacency is sickening. They are doing wrong and you say "Oh well" I say "give them hell"

We need to catch this person/persons, and prosecute and/or beat the "ever-loving snot" out of them, in front of the entire world to tell others that this type of activity is neither victim-less nor tolerated anymore.

I love you WordPress for what you are doing (and the White Hat and Grey Hat community), but this has to stop and we all need to be more aggressive with rooting out those who willingly and knowingly damage our space.

There are ways to combat online/cyber/cypher crime with real-life and physical consequences- I have had success in doing so.

Matt Wallach March 8, 2016 at 2:57 pm

Thank you, once again for your continued vigilance.

Qaedi March 8, 2016 at 6:31 pm

Are those popular downloaded plugins, thus making them highly desirable to be backdoored?

csalberg March 8, 2016 at 7:33 pm

One of the better investments I have made recently was upgrading to Wordfence PRO....GREAT VALUE and peace of mind! Thanks!

Samuel McEdwards March 8, 2016 at 10:00 pm

Thanks for the update. This is why it's always recommended to signup for updates like this and keep a keen eye on WordPress/Plugin updates.

Thanks for the part Wordfence plays in keeping WordPress secure.

allanit March 9, 2016 at 1:26 am

Thanks for the fantastic information and protection you provide.

Florian March 9, 2016 at 2:11 am

Thank you guys for checking for us on these vulnerabilities! We would never be able to check all these plugins we install every day.

Michael Curry March 9, 2016 at 6:18 am

Thanks for the update and scanning tip.

Robert March 9, 2016 at 7:27 pm

Thanks, Wordfence,

You make the internet a little safer.

Keep up the good work.

John A March 10, 2016 at 12:57 am

Thanks for the update, wordfence saves the day again.

Previsha March 10, 2016 at 5:20 am

Thanks Wordfence. Always keeping us updated and keeping our wordpress websites safe.

Jenny Henrick March 18, 2016 at 12:29 am

Thank you so much for all your hard work and effort. It is greatly appreciated.

Aurélien April 15, 2016 at 5:10 am

I found this article on Twitter, thanks for this information!

Wordfence stays the reference for me.
