
Popular WordPress plugin contains backdoor


Information security researchers have found a backdoor in a WordPress plugin that modified the platform's core files in order to gain access to the site and steal user data.

The first signs of the backdoor were noticed by staff at Sucuri, a company working in website security. One of their clients noticed a file with a strange name, auto-update.php, which had not existed before a recent update of the plugin.

The plugin is Custom Content Type Manager (CCTM), a popular WordPress plugin for creating custom post types. CCTM has been available in the plugin directory on the WordPress site for three years and has gathered a sizeable audience: it is installed on more than 10,000 sites.

Version 0.9.8.8 of the Custom Content Type Manager plugin contains malicious code


The plugin, which had looked abandoned for the previous 10 months, mysteriously changed owners over the past two weeks. That was immediately followed by the creation and release of a new version, authored by the new developer under the nickname Wooranker. The new version, however, contained only malicious changes.


The modifications were released as update 0.9.8.8 of Custom Content Type Manager, which allowed them to spread easily through WordPress's built-in auto-update mechanism on sites that had it enabled, or when users installed the update themselves.

Sucuri reports that after receiving the stolen data, Wooranker tried to use it. He manually attempted to log in to one of the infected sites, without success, because its owner had moved the login page to a non-standard URL. After that failure, Wooranker quickly changed tactics. He used the backdoor in auto-update.php to force the victim's site to download and run a file named c.php, which in turn created another file, wp-options.php (a name chosen to resemble the legitimate core file wp-settings.php). That file then modified the core WordPress files wp-login.php, wp-admin/user-new.php and wp-admin/user-edit.php.

These changes let the attacker hook the code paths that handle user accounts: logging in, creating accounts and editing them. This made it possible to capture credentials in plaintext, before WordPress hashed them, and exfiltrate the captured data.
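The tampering described above (core files rewritten in place, a dropper and a credential logger added under innocuous names) is exactly what a file-integrity baseline catches. The script below is an added example, not code from the article or from Sucuri: it hashes a directory tree, compares it against a previously recorded baseline, and raises alerts for the indicators the article names (the dropped files auto-update.php, c.php and wp-options.php, and modifications to wp-login.php, wp-admin/user-new.php and wp-admin/user-edit.php). The mini WordPress tree it builds in a temporary directory is constructed for the demo; the file contents are stand-ins, not real WordPress code.

```python
"""Added example (not from the article or from Sucuri): detect the kind of
tampering described above by comparing a WordPress tree against a known-good
hash baseline. File names and contents in demo() are constructed stand-ins."""
import hashlib
import os
import tempfile
from pathlib import Path

# File names the article says the backdoor dropped; flag them wherever they
# appear if they were not present in the baseline.
DROPPED_FILE_NAMES = {"auto-update.php", "c.php", "wp-options.php"}

# Core files the article says were modified to capture account data.
WATCHED_CORE_FILES = {"wp-login.php", "wp-admin/user-new.php", "wp-admin/user-edit.php"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Return modified/added/removed paths plus an 'alerts' list holding the
    subset that matches the article's indicators (dropped names, watched core files)."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    alerts = sorted(
        {p for p in added if os.path.basename(p) in DROPPED_FILE_NAMES}
        | {p for p in modified if p in WATCHED_CORE_FILES}
    )
    return {"modified": modified, "added": added, "removed": removed, "alerts": alerts}


def _write(root: Path, rel: str, text: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> dict:
    """Build a constructed mini WordPress tree, record a baseline, simulate the
    infection sequence from the article, and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for real core and plugin files (pre-update state).
        _write(root, "wp-login.php", "<?php // login form\n")
        _write(root, "wp-settings.php", "<?php // legitimate core file\n")
        _write(root, "wp-admin/user-new.php", "<?php // add user\n")
        _write(root, "wp-admin/user-edit.php", "<?php // edit user\n")
        _write(root, "wp-content/plugins/custom-content-type-manager/index.php", "<?php // plugin\n")
        baseline = hash_tree(root)

        # Simulated post-update state: backdoor dropped into the plugin directory,
        # look-alike logger placed next to wp-settings.php, two core files patched.
        _write(root, "wp-content/plugins/custom-content-type-manager/auto-update.php", "<?php // backdoor\n")
        _write(root, "wp-options.php", "<?php // credential logger\n")
        _write(root, "wp-login.php", "<?php // login form\ninclude 'wp-options.php';\n")
        _write(root, "wp-admin/user-new.php", "<?php // add user\ninclude '../wp-options.php';\n")
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    result = demo()
    for key in ("alerts", "modified", "added", "removed"):
        print(f"{key}: {result[key]}")
```

On a live site the baseline should come from a clean install of the same WordPress release rather than from the possibly compromised tree itself; WP-CLI's `wp core verify-checksums` performs that comparison against the official checksums for core, but it does not cover plugin directories, which is where auto-update.php lived, so a tree-wide baseline like the one above is still worth keeping.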

Has the hacker revealed his identity?


In case the CCTM_Communicator.php file proved insufficient, Wooranker also wrote his own analytics code in JavaScript, which the CCTM plugin loaded disguised as a copy of jQuery.

This file reported information about newly infected sites to the domain donutjs.com. The Sucuri team later determined that all the domains used in the attack were registered to a man named Vishnudat Mangilipudi from Andhra Pradesh, India, but his details may themselves have been stolen, and it is unlikely that he is the attacker.

Although Sucuri was not the first to notice the plugin's strange behaviour, unlike the plugin's users they recognized that auto-update.php was a deliberate backdoor and not simply a security vulnerability in the plugin.

WordPress administrators with CCTM installed should remove it immediately and restore the core WordPress files to their stock versions. If you need CCTM, use its last stable version, 0.9.8.6 (version 0.9.8.7 has vulnerabilities).

Note also that version 0.9.8.9 of CCTM, which contains no malicious code and is identical to version 0.9.8.6, has since been released.


Source: https://habr.com/ru/post/279539/

