Published on March 6th, 2016 📆 | 8212 Views ⚑


Backdoor In WordPress Plugin Steal Admin Credential In Clear Text

Security researchers have found that the WordPress plugin has installed a backdoor. By this backdoor, anyone can easily alter the WordPress core files, and if they do so then, they could easily log and steal user credentials from infected sites.

The Sucuri team is a company which provides website security; they are the one who found that something is wrong in the WordPress. One of the clients told the Sucuri's researchers about the unknown file named as auto-update.php, that was not present earlier. The malicious code is in the CCTM (Custom Content Type Manager). CCTM is a WordPress plugin for creating custom post types, and it has been already installed on more than 10,000 sites.
[adsense size='1']
CCTM version contains the malicious code

Two weeks ago, Sucuri's revealed their investigation and after that the plugin changed mysteriously its owner and the new version is updated by the new developers. Whatever the changes that have been made they all are of nefarious nature. If we glance to the changes, then the first changes that have been made were the addition of auto-update.php file. This auto-update.php file can download files from the remote server to the infected website.

Next, the CCTM_Communicator.php file has been added by the new developer who works with the older plugin file. This malicious code can do the following threats:

  • Gathering of important information on victim's site.
  • By tapping into the WordPress login process, it can steal usernames and password too.

Because of these two modifications, the Custom Content Type Manager Version, has been automatically installed on their sites. After gathering the information about infected sites the wooranker(developer) started to access the victims. Sucuri saw that hackers were not able to manage the authentication, but they can easily attempt to log in manually on one of the infected sites.
[adsense size='4']
So the tactics have been changed by the wooranker and they used the auto-update.php backdoor that forced the site to download and install another c.php file, and that create another file named as wp-options.php, that is able to alter the WordPress file which is the main goal of this malicious code. The edited files were:  wp-admin/user-edit.php, wp-login.php and wp-admin/user-new.php.

A new way has been founded by the hackers to steal passwords in cleartext form. The alterations that have been done by the hacker's ensure that the user login has been controlled by them and the cleartext passwords send to the wooranker's server. An admin account has been created by the wp-options.php on an infected website which he can use if somethings failed. It means that on all infected sites the wooranker had an admin account. By having admin accounts, he would always be notified about the users passwords.

If the problems have been reported by the CCTM_Communicator.php file, then the wooranker had also his own javascript analytics code, which can be used in place of CCTM_Communicator.php file via the CCTM plugin. Whatever there are the new infections all are reporting to the domain. wooranker take the identity of Mangilipudi, so Sucuri didn't accuse them of being a hacker.
[adsense size='2']
If you want to be on a safer side, then those who have installed WorPress plugin then remove it as soon as possible and the stable version ( has a security flaw) are advice to use.

Sucuri researcher was the first who came to know about this issue with the help of his few clients, and they reported to the CCTM three days ago. And this vulnerability has to be fixed as soon as possible.

Comments are closed.