Backdoor Found in WordPress Plugin With More Than 300,000 Installations

[LASER_oneXM]

A WordPress plugin installed on over 300,000 sites was recently modified to download and install a hidden backdoor. The WordPress team has intervened and removed this plugin from the official WordPress Plugins repository, also providing clean versions for affected customers.

Known only as Captcha, the plugin was one of the most popular CAPTCHA plugins on the official WordPress site and was the work of a well-established plugin developer named BestWebSoft, a company behind many other popular WordPress plugins.

Plugin sold in September, backdoored in December
BestWebSoft sold the free version of its Captcha plugin to a new developer named Simply WordPress on September 5, according to a blog post on the company's site.

Exactly three months after the sale, the plugin's new owner shipped Captcha version 4.3.7, which contained malicious code that would connect to the simplywordpress.net domain and download a plugin update package from outside the official WordPress repository (against WordPress.org rules). This sneaky update package would install a backdoor on sites using the plugin.

Backdoor discovered by accident
Initially, the update didn't catch anyone's eye and we presume it would have continued to fly under the radar even today.

What exposed the backdoor was not a user complaint but a copyright claim from the WordPress team. A few days ago, the WordPress team removed the Captcha plugin from the official WordPress.org website because the plugin's new author had used the "WordPress" trademark in his name and plugin branding.

The plugin's removal from the WordPress site alerted the security team at Wordfence, a company that provides a powerful Web Application Firewall (WAF) for WordPress sites.

"Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related," Briar says, explaining how they came to review the plugin's code and spot the backdoor.