WordPress security company, Sucuri, warns of a malicious campaign where threat actors are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject malicious PHP code into web pages.
Eval PHP, which has not been updated for over a decade, allows for the injection of PHP code into pages and posts, which is executed whenever the injected page or post is opened in a browser.
The plugin continues to be available through the WordPress repository, and its use has spiked from roughly 40 installations to over 100,000 within weeks. The spike is associated with a malicious campaign where attackers use the plugin to infect compromised websites.
The PHP backdoor can hide requests as cookies, making it difficult to detect. The attackers can drop the malicious code in multiple posts that are saved as drafts and remain hidden. The dropped code “uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor.” By using this approach instead of dropping conventional PHP backdoors, the attackers can reinfect a compromised website when necessary while remaining hidden.
Sucuri notes that keeping old plugins in the official repository makes it easier for hackers to stay under the radar since they can install a legitimate unmodified plugin from a reputable source. It is important to re-evaluate old plugins that have been abandoned and pose a security risk.
Sucuri recommends removing unused and outdated plugins, especially those that are no longer receiving updates and have vulnerabilities that can be exploited.
