Blog

WordPress plugin disguised as a security tool injects backdoor

3 hours ago
1 minute read

A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.

According to Wordfence researchers, the malware provides attackers with persistent access, remote code execution, and JavaScript injection. At the same time, it remains hidden from the plugin dashboard to evade detection.

Wordfence first discovered the malware during a site cleanup in late January 2025, where it found a modified ‘wp-cron.php’ file, which creates and programmatically activates a malicious plugin named ‘WP-antymalwary-bot.php.’

Other plugin names used in the campaign include:

  • addons.php

  • wpconsole.php

  • wp-performance-booster.php

  • scr.php

If the plugin is deleted, wp-cron.php re-creates and reactivates it automatically on the next site visit.

Lacking server logs to help identify the exact infection chain, Wordfence hypothesizes the infection occurs via a compromised hosting account or FTP credentials.

Not much is known about the perpetrators, though the researchers noted that the command and control (C2) server is located in Cyprus, and there are traits similar to a June 2024 supply chain attack.

Once active on the server, the plugin performs a self-status check and then gives the attacker administrator access.

“The plugin provides immediate administrator access to threat actors via the emergency_login_all_admins function,” explains Wordfence in its writeup.

“This function utilizes the emergency_login GET parameter in order to allow attackers to obtain administrator access to the dashboard.”

“If the correct cleartext password is provided, the function fetches all administrator user records from the database, picks the first one, and logs the attacker in as that user.”

Next, the plugin registers an unauthenticated custom REST API route that allows the insertion of arbitrary PHP code into all active theme header.php files, clearing of plugin caches, and other commands processed via a POST parameter.

An updated version of the malware can also inject base64-decoded JavaScript into the site’s

section, likely for serving visitors ads, spam, or redirecting them to unsafe sites.

Apart from file-based indicators like the listed plugins, website owners should scrutinize their ‘wp-cron.php’ and ‘header.php’ files for unexpected additions or modifications.

Access logs containing ’emergency_login,’ ‘check_plugin,’ ‘urlchange,’ and ‘key’ should also serve as red flags, warranting further investigation.


Source link

Tags
3 hours ago
1 minute read

Related Articles

Google Just Launched an AI-Powered Duolingo Alternative

18 minutes ago

Best Mac Laptop or Desktop for You

32 minutes ago

Elden Ring Hits 30 Million Sales and It’s Still Climbing

33 minutes ago

7 easy tricks to boost your productivity

35 minutes ago

Hurry! Mattress Firm is taking $300 off this excellent Sleepy’s mattress

2 hours ago

Sketchy rumors hint at an iPhone desktop mode

3 hours ago

Huawei is all in on flash storage – but it faces some stiff competition

3 hours ago

NYT Connections Today: Hints and Answer for May 1, 2025

3 hours ago

What are digital nomads and how easy is it for businesses to cater for them?

5 hours ago

Zoho adds AI capabilities to its low code dev platform

5 hours ago
Back to top button
close