Cybercriminals Hijack WordPress Websites with Free Premium Plugins

Sucuri experts have identified a number of websites that offer such plugins

By on March 28th, 2014 12:40 GMT

There are a number of websites that offer premium WordPress plugins for free. However, experts warn that these “free” plugins can actually come at great cost.

Researchers from Sucuri have analyzed a number of premium WordPress plugins that are offered for free on various websites such as wplist.org, wplocker.com and others.

For instance, the SEOPressor plugin, which is normally priced starting at $47 (€34), has been found by Sucuri experts on the website of a customer. However, the plugin version in question wasn’t the genuine one.

Instead, it contained code that allowed its creator to hijack the website on which it was installed. After decoding the obfuscated code, experts found instructions to create a new WordPress administrator account with the username “wordpress” and the password “gh67io9Cjm.”

Once it’s installed on a website, the plugin sends an email to the hacker to let him know that the site has been compromised. Then, the attacker loads the blog with the ?cms=jjoplmh parameters in the URL. This triggers the creation of the new administrator account.

After that, the cybercriminal can log in to the administration panel and do whatever he wants.

Similar functionality has been found in Restrict Content Pro and Flat Skin Pack Extension. The malicious code is slightly different, but it’s still designed to create rogue users with administrator privileges.

After analyzing wplist.org, Sucuri has determined that a user called “andrewp” uploaded a total of five plugins containing the malicious code: Restrict Content Pro WordPress Plugin V1.5.5, Ideas! v1.1.6, Ultimate Ajax Grid, User Profiles, and UberMenu – Flat Skin Pack V1.0.3.

However, this andrewp is not the only one who has uploaded malicious plugins to the website. The site’s admin has also submitted 5 rogue plugins in February-March 2014. The tools are Go – Responsive Pricing & Compare Tables (go_pricing), FormCraft, Custom Scrollbar WordPress, Theia Sticky Sidebar and GravityForms.

“Our conclusion is that this practice of posting plugins containing malicious code is typical for these sites. Moreover, when in their very own comments area people warn about malicious ‘extras’ they have found in the plugins, the admin readily replaces them with ‘retail’ versions,” Denis Sinegubko noted.

Experts highlight the fact that not all webmasters who install these rogue plugins on their websites do it because they don’t want to pay for them.

“It’s not always about the money. Oftentimes, it’s likely just a lack of knowledge. We’ve found these plugins on sites that made decent money for their owners, on sites that used upscale hosting solutions, and on sites with owners who were willing to pay for extra services,” Denis Sinegubko said.

Additional details on rogue premium WordPress plugins are available on Sucuri’s blog.

Comments

WordPress plugins contain backdoors
   WordPress plugins contain backdoors