A Backdoored WordPress Plugin and 3 Additional Vulnerabilities

Nathan WrigleySecurity

We have several plugin vulnerabilities we’d like to bring to your attention this week.

First up is a backdoor that was added to the Custom Content Type Manager plugin. The backdoor was added by a malicious coder who gained access to the plugin code in the official WordPress plugin repository.

It’s unclear whether the plugin author’s credentials were stolen or whether the malicious actor was granted access. The WordPress security team removed the malicious user account that added the backdoor to the plugin. They have also removed all malicious code that was added to the plugin and updated the version number so that users running this plugin will be prompted to upgrade.

If you are using Custom Content Type Manager, you will need to take the following steps to remove any infection and install the updated non-backdoored version of the plugin.

  1. Update to version 0.9.8.9 of Custom Content Type Manager
  2. The malicious code in this plugin installed a backdoor in WordPress core files. So run a Wordfence scan on your site to check the integrity of your core files. The free version of Wordfence will do this.  Make sure the option to compare your core files against the official WordPress versions is enabled. In the scan results, make sure that the following three files are not modified.
    • wp-login.php
    • wp-admin/user-edit.php
    • wp-admin/user-new.php
  3. If any of the above files are modified, you can use Wordfence to repair them.
  4. Change the passwords of all your users.
  5. Delete any user accounts you don’t recognize. Check admin accounts in particular.
  6. If a file called wp-options.php exists in your home directory, remove it.

The SP Projects and Document Manager plugin version 2.5.9.6 has multiple vulnerabilities including file upload, code execution, sql injection and XSS. Update to to version 2.6.1.1 immediately which contains the vendor released fixes and is the newest version.

If you are running Easy Digital Downloads, ensure you’ve updated to at least version 2.5.8 which fixes an object injection vulnerability. The current version is 2.5.9. The vulnerability was disclosed within the past week.

A vulnerability was publicly disclosed in the Bulk Delete plugin earlier this month that allows unprivileged users to delete pages or posts. The vendor has already released a fix so make sure that if you’re using the Bulk Delete Plugin, you’ve updated to version 5.5.4 which is the latest version.

That concludes our vulnerability roundup for this week. Please share this with the larger WordPress community to help create awareness of these issues.

The post A Backdoored WordPress Plugin and 3 Additional Vulnerabilities appeared first on Wordfence.