Hundreds of sites use malicious WordPress plugins 3 years after they are discovered

14 malicious plug-ins have been removed from the official WordPress catalog by the end of 2014

Cyber security experts from the company White Fir Design reported that several hundred sites continue to use 14 malicious plug-ins WordPress after almost three years after they detected a malicious code.

In late October 2016, experts warned the public about the presence of a backdoor in 14 plug-ins for WordPress, which allows an attacker to execute arbitrary code on the sites.

For the first time, these plug-ins became known in 2014 from the blog of web developer Thomas Hambach (Thomas Hambach), who also found in them the same malicious code.

According to Hambach, the attackers used the code to introduce spam links to affected sites and send the URL of the site and other details to the email of the attacker. By the end of 2014, all 14 malicious plug-ins were removed from the official WordPress directory.

Despite the actions of the WordPress team, experts continued to record requests specific to malicious plug-ins.

These plug-ins again became the focus of attention after the recent changes in the official WordPress directory. Now the pages of the old plug-ins have become visible, although the download option is disabled.

In particular, the backdoor was detected in the following plug-ins

Name of the plug Number of installations:

return-to-top 50+
page-google-maps 500+
gallery-slider 300+
g-translate 60+
share-buttons-wp 200+
mailchimp-integration less than 10
smart-videos 70+
seo-rotator-for-images 70+
ads-widget 40+
seo-keyword-page 200+
wp-handy-lightbox 500+
wp-popup less than 10
google-analytics-analyze 70+
cookie-eu less than 10

Earlier, security experts suggested to WordPress developers to notify site owners about removing the plug-in from the official directory due to security problems. However, the developers did not accept this idea, saying that if there is an exploit for the problem, then releasing information about the vulnerability without releasing the corresponding patch can lead to even more attacks.

Recently, WordPress developers have found a way out of the situation, rolling back plug-ins to earlier “clean” versions and forcing them to install on sites. Thus it is possible not to disrupt the functionality of the resource and remove the malicious code.