WordPress Mass Password Changer

Our team recently came across a password changer for WordPress that allows attackers to modify WordPress user passwords within a compromised environment.

By default, the tool is set to target user ID=1, which is almost always the administrative user. This tool is fairly customizable, allowing attackers to modify or target all usernames and passwords within the WordPress installation.

wordpress mass password changer user interface

To initiate a password change, the attacker defines the location of the wp-config.php file in the Config List.

When the Submit button is pressed, the script sends a POST request containing data like the username and password to the PHP file.

wordpress mass password changer success notification

The URL is then gathered from the config list provided in the interface, and pulls database information from wp-config.php to change the username and information for the profile.

The function file_get_contents2 is a custom function that grabs the data using curl and drops the changes into a pchangedlist.txt file for future reference.

Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Related Tags

Passwords

WordPress Mass Password Changer

Luke Leal

Related Tags

A New Wave of Buggy WordPress Infections

Saskmade[.]net Redirects

What is XML-RPC? Security Risks & How to Disable

LizaMoon SQL injections (ur.php) – Now vcvsta.com, asweds.com, etc.

Simple WAF Evasion Backdoor

Dre Armeda: WordPress End-User Security

Luke Leal

Related Tags

Related Categories

You May Also Like