A Backdoored WordPress Plugin and 3 Additional Vulnerabilities
We have several plugin vulnerabilities we’d like to bring to your attention this week.
First up is a backdoor that was added to the Custom Content Type Manager plugin. The backdoor was added by a malicious coder who gained access to the plugin code in the official WordPress plugin repository.
It’s unclear whether the plugin author’s credentials were stolen or whether the malicious actor was granted access. The WordPress security team removed the malicious user account that added the backdoor to the plugin. They have also removed all malicious code that was added to the plugin and updated the version number so that users running this plugin will be prompted to upgrade.
If you are using Custom Content Type Manager, you will need to take the following steps to remove any infection and install the updated non-backdoored version of the plugin.
- Update to version 0.9.8.9 of Custom Content Type Manager
- The malicious code in this plugin installed a backdoor in WordPress core files. So run a Wordfence scan on your site to check the integrity of your core files. The free version of Wordfence will do this. Make sure the option to compare your core files against the official WordPress versions is enabled. In the scan results, make sure that the following three files are not modified.
- wp-login.php
- wp-admin/user-edit.php
- wp-admin/user-new.php
- If any of the above files are modified, you can use Wordfence to repair them.
- Change the passwords of all your users.
- Delete any user accounts you don’t recognize. Check admin accounts in particular.
- If a file called wp-options.php exists in your home directory, remove it.
The SP Projects and Document Manager plugin version 2.5.9.6 has multiple vulnerabilities including file upload, code execution, sql injection and XSS. Update to to version 2.6.1.1 immediately which contains the vendor released fixes and is the newest version.
If you are running Easy Digital Downloads, ensure you’ve updated to at least version 2.5.8 which fixes an object injection vulnerability. The current version is 2.5.9. The vulnerability was disclosed within the past week.
A vulnerability was publicly disclosed in the Bulk Delete plugin earlier this month that allows unprivileged users to delete pages or posts. The vendor has already released a fix so make sure that if you’re using the Bulk Delete Plugin, you’ve updated to version 5.5.4 which is the latest version.
That concludes our vulnerability roundup for this week. Please share this with the larger WordPress community to help create awareness of these issues.
Comments
9:23 am
Thank you for all of the hard work you do to keep the WordPress community safe! :)
9:29 am
Just want to thank you for this and all the regular security updates you provide. It gives my team the confidence we need to maintain our international sites. We could not work without Wordfence Premium.
9:30 am
My guess is that it would be a good idea to actually verify personal information of every WordPress developer before granting access to the repository or publishing submitted code.
My angle on this is: don't use those free plugins if there is a premium plugin with support out there.
11:02 am
Although there isn't always a black and white distinction between free and premium plugins, having access to support is indeed invaluable. I wish more people understood such important aspect.
Just recently I had a discussion with a self-declared "web developer" who stated that he never buys any premium product, under any circumstances, because he wants to save money and, "in worst case, a free plugin only takes some time to fix". Our ancestors used to say that time is money (today more than ever), but such a valuable teaching seems to fall on deaf ears quite often.
11:35 am
Where's the "like" button?
3:52 pm
?? It doesn't have anything to do with being a free plugin or one that was paid for. I fail to see your reasoning. I have seen just as bad code in premium plugins and/or themes as I have seen in free ones...and just as many on both sides. While their is a slim edge that the desire to "knowingly" contribute malicious code is slightly less because they are trying to run a business, it still doesn't mean that individual couldn't be hacked themselves.
9:36 am
Thanks for the heads up and all your efforts!
9:40 am
Thanks for the headsup Wordfence! Appreciate your efforts in keeping the WP community safe. Have shared your blogpost on socials.
9:43 am
Hackers will think of every way to create holes and break into systems. Also, has this happened before? I would tend to believe this is not the first time this method of hacking has been made.
9:45 am
Many thanks for your great plugin. I run a lot of charity sites for free, would love to upgrade to a paid version but had your current rates it would be prohibitive
9:53 am
Thanks Geoff. Right now a single license is $59 a year which is about $4.91 a month. We work hard to keep our prices low while continuing to build an amazing product and team. I'd love to give more away (90% of Wordfence is included in the free version) but we also need to continue to invest in great people, research and operations. To put things in perspective, we currently have 5 positions open (a total of 8 people we're hiring) at wordfence.com/careers/ - we've chosen to invest fairly heavily to ensure Wordfence continues to deliver the best in defense and detection. Thanks again for your feedback. ~Mark
3:53 pm
The multisite licence is a bargain. Prior to installing Wordfence I had regular issues with attacks, twice bring my main site down. Since installing, I've had no issues despite regular attempts to hack the site.
Wordfence is a great example of getting what you pay for. Can't recommend it highly enough!
9:46 am
Thanks for the updates as usual. Wordfence to the rescue!
10:01 am
Great job as usual!
10:03 am
Thank you for that information - security rules!
10:04 am
Thanks for keeping us to date. Glad to not see any plugins that I'm using listed here.
10:13 am
As always, thanks so much for the great service you provide!
10:24 am
So if I haven't done any updates lately no worries? I have auto updates switched off shouldn't be an issue for me or others that wait on updates. ??
Thanks Mark for all your great products and insights
4:34 pm
0.9.8.6 was a good version (0.9.8.9 is the clean 0.9.8.6 re-released). Timeframe for bad downloads was Feb 17, 2016 - March 05, 2016.
10:47 am
Thanks for the heads up! Gotta watch out for those plugin vulnerabilities. That seems to be the target days. Great thing that you guys at wordfence are monitoring these this things. Very useful plugin, one of my favs!
10:53 am
Is there a more essential Wordpress plugin than Wordfence? The answer is a resounding no!
Thanks for all the work you do to keep us safe!
10:57 am
Thank you for your help in keeping our site safe! We upgraded to the premium many months ago. It is just great and we learned a lot too!
11:25 am
You guys do an amazing job thank you for keeping us all safe.
11:37 am
Thank you for this information. I'm new to Word Fence & have a very basic knowledge of Wordpress. I use Prophoto with Wordpress. I don't have this plugin, so I'm assuming that I don't have to do anything further?
12:23 pm
Hi Lisa,
That's right you don't need to worry if you're not using any of these infected plugins.
Always ensure your Wordpress version and all plugins are kept up-to-date (pending their compatibility with your Wordpress version) and never use a generic login Username or password.
9:54 am
Thank you so much, Steve, for the helpful answer & information. I appreciate it.
12:16 pm
Thanks Wordfence, what would we do without you!!
12:22 pm
And so the industry has to do yet another deep dive, fix the issues, alert everybody, and lick our wounds.
The level of complacency is sickening. They are doing wrong and you say "Oh well" I say "give them hell"
We need to catch this person/persons, and prosecute and/or beat the "ever-loving snot" out of them, in front of the entire world to tell others that this type of activity is neither victim-less nor tolerated anymore.
I love you WordPress for what you are doing (and the White Hat and Grey Hat community), but this has to stop and we all need to be more aggressive with rooting out those who willingly and knowingly damage our space.
There are ways to combat online/cyber/cypher crime with real-life and physical consequences- I have had success in doing so.
2:57 pm
Thank you, once again for your continued vigilance.
6:31 pm
Are those popular downloaded plugin, thus making them highly desirable to be backdoored?
7:33 pm
One of the better investments I have made recently was upgrading to Wordfence PRO....GREAT VALUE and peace of mind! Thanks!
10:00 pm
Thanks for the update. This is why it's always recommended to signup for updates like this and keep a keen eye on WordPress/Plugin updates.
Thanks for the part Wordfence plays in keeping WordPress secure.
1:26 am
Thanks for the fantastic information and protection you provide.
2:11 am
Thank you guys for checking for us on these vulnerabilities ! We would never be able to check all these plugins we install every day.
6:18 am
Thanks for the update and scanning tip.
7:27 pm
Thanks, Wordfence,
You make the internet a little safer.
Keep up the good work.
12:57 am
Thanks for the update, wordfence saves the day again.
5:20 am
Thanks Wordfence. Always keeping us updated and keeping our wordpress websites safe.
12:29 am
Thank you so much for all your hard work and effort. It is greatly appreciated.
5:10 am
I found this article on Twitter, thanks for this information !
Wordfence stay the reference for me.