A fake Wordpress plugin containing a backdoor and three zero-day vulnerabilities—all affecting the high-profile blogging platform WordPress—were recently discovered. The backdoor was discovered masquerading as WP-SpamShield Anti-Spam, which is a fairly popular tool (with over 100,000 installs) designed to fight spam. The three-zero day exploits, which are being exploited in the wild, were tracked down by security analysts of WordPress’ security plugin Wordfence.
Tagged as X-WP-SPAM-SHIELD-PRO, the backdoor can reportedly disable other security-related tools, steal data, and add a hidden admin account. Security researchers discovered the fake plugin had a seemingly legitimate structure and file names, but they are actually fake. In addition, the backdoor can allow attackers to upload anything to the site.
One of the files in the plugin has ‘class-social-facebook.php,’ which, on the surface, looks like it blocks potential unwanted Facebook spam. But further analysis revealed that it was designed to break the website, potentially making it unusable. This is done by listing all the active plugins within the app installation, and then disabling all of them. Two other files named ‘class-term-metabox-formatter.php’ and ‘class-admin-user-profile.php’ can be used by attackers for data gathering purposes.
Another file called ‘plugin-header.php’ was designed to add an additional administrator account to the site, which allows the attacker to delete the exploit files, while also revealing the username, password, and the email that can be used to login to the compromised website.
The fake plugin also possesses code that it can use to ping home, notifying attackers each time an administrator activates it on the website.
Meanwhile, websites that utilize certain plugins may be exposed to potential attacks after zero-days were found in three separate WordPress plugins: Appointments, RegistrationMagic-Custom Registration Forms, and Flickr Gallery.
Called PHP Object Injection Vulnerability Severity 9.8, the vulnerability allows attackers to manipulate a vulnerable website into fetching a remote file (a PHP backdoor) and save it to their preferred location. The scheme doesn’t require authentication or elevated privileges. For websites that run Flickr Gallery, it only takes sending the exploit as a POST request to the site’s root URL to get the job done. For Appointments and RegistrationMagic-Custom Registration Forms, the request would go to admin-ajax.php. If the attacker gains access to the plugins’ backdoor, it's possible to take control of the vulnerable site.
The discovered vulnerabilities have been patched in the following versions:
IT professionals and web developers/programmers can mitigate threats that may abuse web-based platforms like WordPress through the following best practices:
Trend Micro’s endpoint solutions such as Trend Micro™ Smart Protection Suites, and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities found in WordPress plugins. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.