Popular WordPress plugin pulled after password-stealing backdoor discovered

The precise number of websites out there running on WordPress may not be known, but one thing is for sure - there are a lot of them. Two reasons for the popularity of WordPress are the ease of set up and the availability of a huge range of plugins.

One popular plugin, Custom Content Type Manager (CCTM), has just been pulled from the WordPress Plugin Directory after a backdoor was discovered.

The plugin has been installed on thousands of websites, and a recent update - automatically installed for many users - included a worrying payload. In the hands of a new developer, Custom Content Type Manager made changes to core WordPress files, ultimately making it possible to steal admin passwords and transmit them in plaintext to a remote server.

Security site Sucuri was alerted to the problems by a user, and immediately launched and investigation. A new file, auto-update.php, was discovered. Analysis of the code revealed it to be a backdoor that could download files from the suspicious-sounding wordpresscore.com. Another file, CCTM_Communicator.php, includes code that intercepts usernames and URLs of sites that have the plugin installed.

Custom Content Type Manager had laid dormant for 10 months but new owner, wooranker, was making use of an established install-base. It's not clear whether the change of ownership was legitimate or the result of an account hack. Towards the end of last month, wooranker started to use the backdoor to deliver additional files to users who started to notice that their sites were being hacked.

Custom Content Type Manager has now been pulled from the WordPress Plugin Directory, but if you still have it installed, you need to take action. Version 0.9.8.8 of the plugin is the updated version that includes compromised code, but the previous version - 0.9.8.7 - contains a separate security flaw.

As such, the last version considered safe is 0.9.8.6. If you're reliant on the plugin, the advice is to roll back to this version. Sucuri suggests the following steps:

  1. Deactivate the Custom Content Type Manager plugin.
  2. Check consistency of all core WordPress files. You can reinstall WordPress to achieve this. At least, make sure that the following three files are not modified (For WP 4.4.2 you can get the originals here):
    1. ./wp-login.php
    2. ./wp-admin/user-edit.php
    3. ./wp-admin/user-new.php
  3. Now that you removed the credentials stealing code in the previous steps, change passwords of all WordPress users.
  4. Don't forget to delete users that you don't recognize. Especially the one with thesupport@wordpresscore .com email.
  5. Now remove wp-options.php in the root directory.
    1. Delete the Custom Content Type Manager plugin. If you really need it, get the last good version 0.9.8.6 here and disable automatic plugin updates until the malicious plugin versions are removed from the Plugin Directory. By the way, don’t install CCTM versions older than 0.9.8.6 either. They have a known security hole and we see hackers checking websites for this (along with many other vulnerabilities).
  6. You might also want to scan all other files and the database for “wordpresscore”. Just in case.

Photo credit: bannosuke / Shutterstock