A fake WordPress plugin containing a backdoor, together with three zero-day vulnerabilities in other plugins, was recently discovered; all of them affect the high-profile blogging platform WordPress. The three plugins with zero-day vulnerabilities that were exploited are Appointments, Flickr Gallery, and RegistrationMagic-Custom Registration Forms. The fake plugin that contains the backdoor is X-WP-SPAM-SHIELD-PRO. The three zero-day exploits, which are being used in the wild, were tracked down by security analysts at Wordfence, the company behind the WordPress security plugin of the same name.
The backdoor integrated in the fake plugin can be used to disable other security tools, steal data, create a hidden admin account, and give the attackers full access to the website's files.
The researchers said that the fake plugin mimics a legitimate structure, with plausible file names and security-related file names in the ./include folder, but all of the files are fake and are simple hacking tools.
One of the files in the plugin, 'class-social-facebook.php', looks on the surface as if it blocks potential unwanted Facebook spam. Further analysis revealed that it was designed to break the website, potentially making it unusable. It does this by listing all the active plugins in the installation and then disabling all of them. Two other files, 'class-term-metabox-formatter.php' and 'class-admin-user-profile.php', can be used by attackers for data gathering.
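As an added example (not code from the article or from Wordfence), the following script audits a wp-content/plugins directory for the indicators described above: the fake plugin's slug and file names as named in the report, and, independently of names, any plugin whose PHP reads the active plugin list and deactivates plugins or creates and promotes users. The WordPress function names it searches for (get_option('active_plugins'), deactivate_plugins, wp_create_user/wp_insert_user, set_role) are real WordPress APIs; the sample plugin tree it builds is constructed here as a stand-in for the real files and is not the actual malware.

```python
"""Audit a WordPress plugins directory for the indicators described in the report."""
import os
import re
import tempfile

# Name indicators taken from the report (matched case-insensitively)
SUSPECT_SLUG = "x-wp-spam-shield-pro"
SUSPECT_FILES = {
    "class-social-facebook.php",
    "class-term-metabox-formatter.php",
    "class-admin-user-profile.php",
}

# Behavioural indicators using real WordPress API names. A plugin that both
# enumerates the active plugin list and deactivates plugins, or that creates
# administrator accounts, deserves manual review whatever it is called.
BEHAVIOUR_PATTERNS = {
    "reads_active_plugins": re.compile(r"get_option\(\s*['\"]active_plugins['\"]"),
    "deactivates_plugins": re.compile(r"\bdeactivate_plugins\s*\("),
    "creates_user": re.compile(r"\bwp_(?:create|insert)_user\s*\("),
    "grants_admin": re.compile(r"set_role\(\s*['\"]administrator['\"]"),
}


def scan_plugin(plugin_path):
    """Return a finding dict for one plugin directory, or None if nothing is suspicious."""
    slug = os.path.basename(plugin_path)
    finding = {
        "slug": slug,
        "known_fake_slug": slug.lower() == SUSPECT_SLUG,
        "suspect_files": [],
        "behaviours": {},  # relative file path -> list of matched behaviour names
    }
    for root, _dirs, files in os.walk(plugin_path):
        for name in files:
            if name.lower() in SUSPECT_FILES:
                finding["suspect_files"].append(name)
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            hits = [k for k, rx in BEHAVIOUR_PATTERNS.items() if rx.search(source)]
            if hits:
                finding["behaviours"][os.path.relpath(path, plugin_path)] = hits
    finding["suspect_files"].sort()
    if finding["known_fake_slug"] or finding["suspect_files"] or finding["behaviours"]:
        return finding
    return None


def scan_plugins_dir(plugins_dir):
    """Scan every plugin directory under wp-content/plugins; return findings sorted by slug."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, slug)
        if os.path.isdir(path):
            finding = scan_plugin(path)
            if finding:
                findings.append(finding)
    return findings


def build_sample_install():
    """Constructed sample tree: one benign plugin and one mimicking the reported backdoor."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    benign = os.path.join(base, "hello-dolly")
    os.makedirs(benign)
    with open(os.path.join(benign, "hello.php"), "w") as fh:
        fh.write("<?php\nadd_action('admin_notices', 'hello_dolly');\n")
    fake = os.path.join(base, "X-WP-SPAM-SHIELD-PRO", "include")
    os.makedirs(fake)
    with open(os.path.join(fake, "class-social-facebook.php"), "w") as fh:
        # Constructed stand-in for the behaviour the report describes, not the real file
        fh.write("<?php\n$active = get_option('active_plugins');\n"
                 "deactivate_plugins($active);\n")
    with open(os.path.join(fake, "class-admin-user-profile.php"), "w") as fh:
        fh.write("<?php\n$id = wp_create_user($u, $p);\n"
                 "(new WP_User($id))->set_role('administrator');\n")
    return base


if __name__ == "__main__":
    for f in scan_plugins_dir(build_sample_install()):
        print(f["slug"], "known_fake_slug=%s" % f["known_fake_slug"],
              "suspect_files=%s" % f["suspect_files"], "behaviours=%s" % f["behaviours"])
```

Run it against a real install with `scan_plugins_dir('/var/www/html/wp-content/plugins')`; the name checks catch this specific plugin, while the behavioural checks are what surface a renamed copy, so a hit on either should lead to pulling the files for review rather than to automatic deletion.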
Security researchers at Wordfence have found three zero-day plugin vulnerabilities that were exploited by hackers to install a backdoor on WordPress websites.
The discovered vulnerabilities have been patched in the following versions: