Security researchers have caught threat actors abusing an old Wordpress plugin called Eval PHP to backdoor over 6000 websites. The plugin hasn’t received an update in about 11 years, although Wordpress statistics show that downloads have skyrocketed only recently from one or two on average since September 2022 to 6,988 on March 30, 2023.
The plugin itself is rather simple in functionality. It’s made by a developer called ‘flashpixx’ and allows users to insert PHP code in Wordpress posts and pages which is then executed every time the page or post is run in a web browser. The plugin has over 8,000 active installations at the time of writing.
As for the malicious activity, it was observed by Sucuri researchers who reported having seen some websites’ databases injected with malicious code inside the wp_posts table. These malicious requests originated from three Russian IPs.
Researchers also report that the actual malicious code is also quite simple. Using the file_put_contents function to create a PHP script in the root of the website alongside a specified remote code execution backdoor. The combination of a legitimate plugin and a backdoor dropper in a Wordpress post lets the attacker easily reinfect a website while also hiding their identity. Injecting the backdoor into the website’s file structure is a simple matter of visiting the infected post or page.
There are currently over 6,000 active instances of this backdoor discovered over the last six months. The attack vector mainly consists of the Eval PHP plugin being installed on the compromised site and then being abused to drop persistent backdoors in multiple posts, including drafts which remain unpublished.
This is possible due to the way the plugin works. It’s enough to save the page as a draft for the PHP code inside the [evalphp] shortcodes to execute. These rogue pages were also made with admin privileges, suggesting that threat actors were able to compromise the site and log in as privileged users.