Hidden Backdoor Discovered In WordPress Captcha Plugin Impacts Over 300K Websites

Hidden Backdoor Discovered In WordPress Captcha Plugin Impacts Over 300K Websites

Shopping for in style plugins with a big user-base and utilizing it for easy malicious campaigns have change into a brand new pattern for dangerous actors.

-->Backdoor discovered by accident
Initially, the update didn't catch anyone's eye and we presume it would have continued to fly under the radar even today.

What exposed the backdoor was not a user complaint but a copyright claim from the WordPress team. A few days ago, the WordPress team removed the Captcha plugin from the official WordPress.org website because the plugin's new author had used the "WordPress" trademark in his name and plugin branding.

The plugin's removal from the WordPress site alerted the security team at Wordfence, a company that provides a powerful Web Application Firewall (WAF) for WordPress sites.

"Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related," Barry says, explaining how they came to review the plugin's code and spot the backdoor.

WordPress:
One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.
In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.

While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication.

The plugin was configured to automatically pull an updated "backdoored" version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installation from the official Wordpress repository without site admin consent.

This backdoor code was designed to create a login session for the attacker, who is the plugin author in this case, with administrative privileges, allowing them to gain access to any of the 300,000 websites <<using this plugin>> remotely without requiring any authentication.