This article is more than 1 year old
WordPress captcha plugin on 300,000 sites had a sneaky backdoor
WordFence says a fix has landed
WordFence is warning that the WordPress Captcha plugin, popular enough to get around 300,000 installations, should be replaced with the latest official WordPress version (4.4.5).
To help admins, WordFence worked with the WordPress plugin team to patch pre-4.4.5 versions of the software; the code's developer has been blocked from publishing updates without WordPress review; and WordFence now includes firewall rules to block Captcha and five other plugins from the same author.
WordFence's Matt Barry explained that the group took interest in the plug-in when after it changed hands in September. Three months after that, Captcha version 4.3.7 landed, and that's the version that WordFence found carried the backdoor.
The plugin's auto-downloader “downloads a ZIP file from https://simplywordpress[dot]net/captcha/captcha_pro_update.php”, which is how the backdoor is put onto the target install.
“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.”
1 < $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php'; 2 --- 3 > $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_free_update.php';
WordFence pointed the finger at a group of people it considers repeat offenders: domain records, the post said, link simplywordpress[dot]net with one Mason Soiza, via a domain contact e-mail belonging to Stacy Wellington.
The group's Mark Maunder put together a backgrounder on Soiza in September 2017.
Other plugins from the simplywordpress site are Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange – and all of them contain the backdoor code, Barry wrote.
The point of the backdoor, the post said, is to create cloaked backlinks to various payday loan businesses, to boost their Google rankings. As well as Soiza and Stacy Wellington, Barry traced links to a number of payday loan companies, some registered to Soiza, one to Charlotte Anne Wellington. ®