Captcha control
The discovery was made by researchers at cybersecurity experts Wordfence. It impacts the Captcha plugin for the WordPress content management system. Captcha was developed by WordPress development firm BestWebSoft. The company sold the free version of the plugin to a new developer called Simply WordPress back in September.
Captcha was one of a number of popular WordPress plugins built by BestWebSoft. It provides CAPTCHA capabilities for websites, allowing developers to include anti-bot protections in their sites. Exactly three months after purchasing the plugin, its new developers released version 4.3.7 with an added backdoor.
With over 300,000 websites confirmed to be actively using the plugin, the discovery is a serious security incident for the WordPress ecosystem. The software is used by millions of websites, ranging from small personal blogs to major media publishers. WordPress temporarily removed the plugin from its repository, a decision which maintains security but also leaves sites without access to CAPTCHA functionality.
The backdoor works by creating an authenticated WordPress session as the software’s default admin user. This gives the attacker complete administrative control of the site, allowing them to interact with content or monitor new events. The backdoor is contained inside a “plugin update” script. Once it’s been installed, the developer can remove it without leaving traces on the filesystem.
Plugin infection
This isn’t the first time WordPress plugins have been bought by actors with malicious intentions. Because popular plugins have such an extensive reach, they’ve become prime targets for cybercriminals looking to inject adware, spyware or search ranking abuse tools into websites.
Often using concealed identities, fake development companies are established which purchase plugins from their original owners. After continuing to release minor patches for a few months, a new version is then issued which contains the malicious code. Because the plugin was originally a reputable piece of code, the changes could go unnoticed for some time.
READ NEXT: Coinbase starts investigation into Bitcoin Cash “inside trading”
In investigating the infiltration of Captcha, Wordfence uncovered links between “Simply WordPress” and individuals already known to be involved in WordPress plugin infection schemes. The company’s website currently offers five other WordPress plugins for download, all of which contain the same backdoor as Captcha.
There is some good news for users of Captcha. Wordfence has worked with the WordPress plugins team to remove the backdoor and issue a new update. Users should install version 4.4.5 immediately to protect their site. Over 100,000 infected sites have already been automatically upgraded to the safe version. Simply WordPress has been banned from publishing further updates without obtaining a review from WordPress.org.
