Security experts at WordFence have discovered that the popular WordPress Captcha plugin installed on over 300,000 sites was recently updated to deliver a hidden backdoor. The WordPress team promptly removed the plugin from the official WordPress Plugins repository and provided sanitized versions for affected customers.
WordPress also blocked the author of the plug-in from publishing updates without the review of its development team, WordFence now includes firewall rules to block Captcha and five other plugins from the same author.
WordFence has worked with the WordPress plug-in team to patch pre-4.4.5 versions of the plug-in.
The WordPress team noticed something of strange in September, when the plug-in changed hands. Just three months later the new team distributed the backdoored version Captcha 4.3.7.
Experts found a code triggering an automatic update process that downloads a ZIP file from:
then extracts and installs itself modifying the install of the Captcha plugin running on WordPress site.
“Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related. Wordfence alerts users when any plugin they are running is removed from WordPress repo as well. At the time of its removal, Captcha had over 300,000 active installs, so its removal significantly impacts many users.” states the analysis published by WordPress.
“A backdoor file allows an attacker, or in this case, a plugin author, to gain unauthorized administrative access to your website. This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.”
1 < $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php'; 2 --- 3 > $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_free_update.php';
WordFence investigated the new ownership of the plugin, it noticed that the domain used to deliver the ZIP file containing the backdoor is simplywordpress[.]net that is registered to someone named Stacy Wellington using the email address email@example.com.
It was easy to discover that the same email address was used to register a large number of other domains and the footer of one of them referenced Martin Soiza.
In September, around 200,000 WordPress websites using the Display Widgets Plugin were impacted after it was updated to include malicious code. Further investigation allowed the experts at WordFence to discover that the man behind plugin spam was the Briton Mason Soiza (23) who bought the plugin in late May.
WordFence discovered that also other plug-ins from the simplywordpress domain ( Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange) contain the same backdoor code.
According to the researchers, the backdoor was used to create cloaked backlinks to various payday loan businesses in order to boost their Google rankings.
“If you have not read our previous post on Mason Soiza, I’d suggest you read that first, since he has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them.” states WordPress.
“The hostmaster email address is the same for both simplywordpress.net and unsecuredloans4u.co.uk (Stacy Wellington firstname.lastname@example.org).”
Let me close with simple recommendation provided by the experts, hurry up,uninstall the Captcha plugin immediately from your site.
(Security Affairs – Captcha plugin, backdoor)