A fake WordPress plugin is trending, targeting one of the world’s largest open-source applications in order to allow back-door access to a host of websites.
Dubbed WP-Base-SEO, the plugin is a forgery of a legitimate search engine optimization plugin, called WordPress SEO Tools, according to SiteLock, the firm that originally uncovered the threat. At first glance, the file appears to be legitimate, because it uses native WordPress hook functionality. A closer look, though, reveals its malicious intent in the form of a base64 encoded PHP eval request.
Eval is a PHP function that executes arbitrary PHP code. It is commonly used for malicious purposes and php.net recommends against using it, SiteLock noted. Here, it’s attached as an “action” to the header of the website’s theme. WordPress defines actions as the hooks that the WordPress core launches at specific points during execution, or when specific events occur. Plugins can specify that one or more of its PHP functions are executed at these points, using the Action API. And that means that remote attackers now have back-door access, and can force the site to do their bidding.
“Some versions include an additional hook that runs after each page load as well, which means that anytime the theme is loaded in a browser, the request is initialized,” SiteLock noted. It added that researchers have observed that multiple sites have been infected by the malware, but an internet search of the plugin name revealed no information, suggesting that it may be flying under the radar of other malware scanners.
WordPress site administrators should perform a malware scan, as well as update the WordPress core, all themes and plugins to their latest versions. It is also crucial to use strong passwords and reputable plugins.
“If you find a suspicious plugin in your /wp-content/plugins directory, it is best to delete the entire folder and reinstall a clean version of the plugin either in the WordPress admin dashboard or by downloading it directly from WordPress.org,” SiteLock recommended.