WordPress captcha plugin on 300,000 sites had a sneaky backdoor

WordFence says a fix has landed


WordFence is warning that the WordPress Captcha plugin, popular enough to have around 300,000 installations, should be updated to the latest official version (4.4.5), published through WordPress.

To help admins, WordFence worked with the WordPress plugin team to patch pre-4.4.5 versions of the software; the code's developer has been blocked from publishing updates without WordPress review; and WordFence now includes firewall rules to block Captcha and five other plugins from the same author.

WordFence's Matt Barry explained that the group took interest in the plugin after it changed hands in September. Three months later, Captcha version 4.3.7 landed, and that's the version WordFence found carried the backdoor.

The plugin's auto-downloader “downloads a ZIP file from https://simplywordpress[dot]net/captcha/captcha_pro_update.php”, which is how the backdoor is put onto the target install.

“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.”

< $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
---
> $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_free_update.php';
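Review bot: the only difference between the two versions in this hunk is the filename at the end of $wptuts_plugin_remote_path (captcha_pro_update.php versus captcha_free_update.php); both still point the plugin's self-updater at a hard-coded simplywordpress.net URL instead of the WordPress.org plugin repository, and that fetch-and-install path is exactly what the article says delivers the backdoor. Renaming the file changes nothing about the risk; the remote-download update routine itself should go, so that updates reach sites only through WordPress review.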

WordFence pointed the finger at a group of people it considers repeat offenders: domain records, the post said, link simplywordpress[dot]net with one Mason Soiza, via a domain contact e-mail belonging to Stacy Wellington.

The group's Mark Maunder put together a backgrounder on Soiza in September 2017.

Other plugins from the simplywordpress site are Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange – and all of them contain the backdoor code, Barry wrote.
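As an added example, not code from WordFence or from the plugin, here is a small Python audit that checks a plugin's main file for the indicators the article gives: a Captcha version older than the fixed 4.4.5, a "Plugin Name" matching one of the other plugins listed above, and a hard-coded URL that fetches a .php or .zip from a host other than wordpress.org, as the $wptuts_plugin_remote_path line does. The WordPress header format and the remote-fetch heuristic are assumptions of the example, and the sample plugin sources are constructed.

```python
import re
from typing import Dict, List, Tuple

# First version of the Captcha plugin without the backdoor, per the article.
FIXED_VERSIONS = {"captcha": (4, 4, 5)}
# Other simplywordpress.net plugins the article says carry the same code (matched on "Plugin Name:").
FLAGGED_NAMES = {"convert me popup", "death to comments", "human captcha",
                 "smart recaptcha", "social exchange"}
# Standard WordPress plugin header lines, e.g. " * Version: 4.3.7" (assumed format).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
# Heuristic: a hard-coded URL to a .php or .zip file; the host is checked against wordpress.org below.
REMOTE_FETCH_RE = re.compile(r"https?://([\w.-]+)/[^\s'\"]*\.(?:php|zip)\b")

def parse_version(text: str) -> Tuple[int, ...]:
    """'4.3.7' -> (4, 3, 7); tuples compare component by component."""
    return tuple(int(x) for x in re.findall(r"\d+", text))

def plugin_headers(source: str) -> Dict[str, str]:
    return dict(HEADER_RE.findall(source))

def audit_plugin(source: str) -> List[str]:
    findings = []
    hdr = plugin_headers(source)
    name = hdr.get("Plugin Name", "").lower()
    version = parse_version(hdr.get("Version", "0"))
    fixed = FIXED_VERSIONS.get(name)
    if fixed and version < fixed:
        findings.append(f"{name}: version {hdr.get('Version', '?')} predates fix "
                        + ".".join(map(str, fixed)))
    if name in FLAGGED_NAMES:
        findings.append(f"{name}: plugin named in the WordFence advisory")
    for host in sorted(set(REMOTE_FETCH_RE.findall(source))):
        if host != "wordpress.org" and not host.endswith(".wordpress.org"):
            findings.append(f"{name}: fetches code or a package from non-wordpress.org host {host}")
    return findings

# Constructed samples (not the real plugin source): a header block plus the
# remote-path line in the shape shown in the article's diff.
SAMPLE_OLD = """<?php
/*
Plugin Name: Captcha
Version: 4.3.7
*/
$wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
"""
SAMPLE_FIXED = "<?php\n/*\nPlugin Name: Captcha\nVersion: 4.4.5\n*/\n"

if __name__ == "__main__":
    for label, src in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED)):
        print(label, audit_plugin(src) or ["no findings"])
```

Pointing the same function at each plugin's main file under wp-content/plugins gives a quick pre-update triage list.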

The point of the backdoor, the post said, is to create cloaked backlinks to various payday loan businesses, to boost their Google rankings. As well as Soiza and Stacy Wellington, Barry traced links to a number of payday loan companies, some registered to Soiza, one to Charlotte Anne Wellington. ®
