
The massive size of the WordPress plugins ecosystem is starting to show signs of rot, as yet another incident has been reported involving the sale of old abandoned plugins to new authors who immediately proceed to add a backdoor to the original code.

The WordPress security team has intervened and removed all three plugins from the official WordPress Plugins Directory after WordPress security firm Wordfence discovered the backdoors. Details about the three backdoored plugins are in the table below.

Plugin Name                     Active Installs   Backdoor Added           Calls to             Removed by WP Team
Duplicate Page and Post         50,000+           v2.1.0 (August 2017)     cloud-wp.org         December 14, 2017
No Follow All External Links    9,000+            v2.1.0 (April 2017)      cloud.wpserve.org    December 19, 2017
WP No External Links            30,000+           v4.2.1 (July 2017)       wpconnect.org        December 22, 2017

Backdoor tied to the same threat actor

The backdoor code in all three plugins works in much the same way: it calls out to a remote server and inserts the content and links it receives into pages on the affected sites. Experts believe the backdoor is used to inject hidden SEO spam (cloaked links, served to search engine crawlers but not to regular visitors) that improves the search ranking of other sites.
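A site owner who wants to check for these three plugins has two things to look for: a vulnerable plugin version (the "Backdoor Added" column) and the callback domain (the "Calls to" column) anywhere in the plugin's files. The scanner below is an added example, not code from the article or from Wordfence; it reads the standard "Plugin Name:" / "Version:" header that every WordPress plugin carries in its main PHP file, compares the version against the first backdoored release, and greps every PHP file under the plugin for the known callback domains. The plugin directory names in the constructed sample tree are assumptions, and the sample "helper.php" only contains the domain string, not the real backdoor code.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the table above: plugin name exactly as it appears in
# the "Plugin Name:" header, first version that shipped the backdoor, and the
# domain the backdoor calls out to.
BACKDOORED = {
    "duplicate page and post": ("2.1.0", "cloud-wp.org"),
    "no follow all external links": ("2.1.0", "cloud.wpserve.org"),
    "wp no external links": ("4.2.1", "wpconnect.org"),
}
IOC_DOMAINS = sorted({dom for _, dom in BACKDOORED.values()})

# Matches " * Plugin Name: Foo" or "Plugin Name: Foo" inside a WP header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} for the fields present."""
    return {key: value for key, value in HEADER_RE.findall(text)}


def version_tuple(version):
    """'2.1.0' -> (2, 1, 0); comparable with tuple ordering, suffixes ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def scan_plugins(plugins_dir):
    """Walk wp-content/plugins and return a list of findings (dicts)."""
    findings = []
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.rglob("*.php")):
            text = php.read_text(errors="replace")
            header = parse_plugin_header(text)
            name = header.get("Plugin Name", "").lower()
            if name in BACKDOORED:
                first_bad, _ = BACKDOORED[name]
                version = header.get("Version", "0")
                if version_tuple(version) >= version_tuple(first_bad):
                    findings.append({"plugin": plugin_dir.name, "file": php.name,
                                     "type": "backdoored-version",
                                     "detail": f"{header['Plugin Name']} {version} >= {first_bad}"})
            for domain in IOC_DOMAINS:
                if domain in text:
                    findings.append({"plugin": plugin_dir.name, "file": php.name,
                                     "type": "callback-domain", "detail": domain})
    return findings


def build_sample_tree(root):
    """Constructed sample plugin tree for a dry run (directory slugs assumed)."""
    root = Path(root)
    bad = root / "duplicate-page-and-post"
    bad.mkdir(parents=True)
    (bad / "duplicate-page-and-post.php").write_text(
        "<?php\n/**\n * Plugin Name: Duplicate Page and Post\n * Version: 2.1.1\n */\n")
    # Stand-in for the injected file: only the callback domain, no real payload.
    (bad / "helper.php").write_text(
        "<?php\n// constructed stub referencing the callback domain\n"
        "$endpoint = 'https://cloud-wp.org/';\n")
    clean = root / "nofollow-all-external-links"
    clean.mkdir()
    (clean / "nofollow.php").write_text(
        "<?php\n/**\n * Plugin Name: No Follow All External Links\n * Version: 2.0.9\n */\n")
    return root


def demo():
    """Build the sample tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_plugins(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['type']:18} {finding['plugin']}/{finding['file']}: {finding['detail']}")
```

Run it against a real install with `scan_plugins("/var/www/html/wp-content/plugins")`. Two caveats: a version match only proves the site is running a release that shipped with the backdoor, so the follow-up is to diff the installed files against a copy of the last clean release; and the domain grep only catches these three campaigns, so a plugin from the same actor using a new domain would need the more general check of looking for any PHP that fetches remote content and echoes it into page output.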

Wordfence experts believe the same actor is behind all three plugins. They based their conclusion on a series of discoveries they made while analyzing the malicious plugins and how they operated:

• The backdoor code in the first and third plugins calls to two different domains hosted on the same IP address.
• The same company (Orb Online) paid for the acquisition of the first and second plugins.
• The purchase solicitations sent via email to the owners of the second and third plugins used a similar template.
• All three plugins were purchased by newly created WordPress.org users.
• The backdoor code was similar in all three plugins.

This type of incident is becoming common

This is not the first time Wordfence has uncovered a massive operation to buy old WordPress plugins and add a backdoor for injecting SEO spam on websites that were using the affected plugins.

Previously, Wordfence tied the purchase and backdooring of several plugins to a UK man named Mason Soiza, whom Wordfence linked to backdoors in plugins such as Captcha (300,000+ installs), Display Widgets (200,000+ installs), and 404 to 301 (70,000 installs).

Fellow WordPress security firm White Fir Design recently pointed out that these plugins often linger on infected sites for years. For example, three years later, there are still hundreds of (most likely abandoned) WordPress sites running one of 14 plugins that also featured a similar SEO spam-injecting backdoor.
