Popular WordPress plugin opens backdoor, steals user credentials

If you are one of the 10,000+ users of the Custom Content Type Manager (CCTM) WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned.

After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/” during the cleanup of an infected WP site, the researchers began digging and discovered that:

  • The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
  • The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started adding “small tweeks by new owner” and “bug fixes”:
  • The original owner has either transferred ownership of the plugin to wooranker, or wooranker has noticed that the original owner was inactive for nearly a year and hacked his account, then added himself as the new owner.
  • A new file in the plugin notifies wooranker of every new site that uses the backdoored plugin (an earlier added JavaScript library does the same)
  • Wooranker has tried to log into the compromised site as administrator (but failed)
  • Wooranker used the backdoor to download additional files that allowed him to create a new administrator user and to steal credentials of the site’s users
  • Wooranker is a freelance designer from India by the name of Vishnudath Mangilipudi. Or someone is impersonating him. Or it’s a fake name and identity used by the real hacker.
  • Wooranker is one of the owners of another WP plugin called “Postie”, but that plugin does not currently have potentially malicious code in it.

“At this point it’s not clear what he wants to do with all of the hacked sites. But the beginning doesn’t leave hope that it will be something benign,” Sucuri researcher Denis Sinegubko noted. “Stemming from the wooranker username, I guess it may have something to do with black hat SEO.”

This incident shows that the only way to know for sure that the plugin or code you are using is not malicious is to review the code yourself. Of course, not many people are able to do this, and they rely on author reputation and the security screening and approval process in the repository.

Unfortunately, this is not the first time that the latter has failed, and the former turned out not to mean much as the plugin changed hands.

More technical details about the infection, as well as instructions for affected users on how to clean their sites can be found in Sucuri’s blog post.

Users who want to keep using the plugin are advised to revert to version 0.9.8.6 and to disable automatic plugin updates.
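The check below is an added example, not code from Sucuri or the plugin: it flags a WordPress root that contains the auto-update.php file named above or a CCTM version newer than 0.9.8.6. Treating every later version as suspect is an assumption drawn from the revert advice; the function names and the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_REL = Path("wp-content/plugins/custom-content-type-manager")
BACKDOOR_FILE = "auto-update.php"   # file name reported in the article
LAST_GOOD = (0, 9, 8, 6)            # version the article advises reverting to
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)


def plugin_version(plugin_dir):
    """Read the standard WordPress 'Version:' header from a top-level PHP file."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
        m = HEADER_RE.search(head)
        if m:
            return tuple(int(p) for p in m.group(1).strip(".").split(".") if p)
    return None


def check_site(wp_root):
    """Return findings for one WordPress root; an empty list means nothing was flagged."""
    plugin_dir = Path(wp_root) / PLUGIN_REL
    if not plugin_dir.is_dir():
        return []  # plugin not installed
    findings = []
    if (plugin_dir / BACKDOOR_FILE).is_file():
        findings.append(f"backdoor file present: {plugin_dir / BACKDOOR_FILE}")
    version = plugin_version(plugin_dir)
    if version is None:
        findings.append("CCTM installed but no Version header found; review manually")
    elif version > LAST_GOOD:  # assumption: anything after 0.9.8.6 needs review
        findings.append("CCTM version %s is newer than 0.9.8.6" % ".".join(map(str, version)))
    return findings


if __name__ == "__main__":
    # Constructed sample tree standing in for a real site, so the script runs offline.
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / PLUGIN_REL
        d.mkdir(parents=True)
        # File name and version number are constructed for the demo.
        (d / "plugin-main.php").write_text("<?php\n/*\nPlugin Name: CCTM\nVersion: 0.9.9\n*/\n")
        (d / BACKDOOR_FILE).write_text("<?php // placeholder, not the real payload\n")
        for line in check_site(root):
            print("FLAG:", line)
```

A clean result only means these two indicators are absent; the article also reports a rogue administrator account and stolen credentials, which this check does not cover.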