A warning has been issued by researchers disclosing the identification of a backdoor in yet another WordPress plugin called Captcha. This plugin already has nearly 300,000 installations, which shows how popular it is among the users. However, when WordFence identified that a backdoor was added to it after an update was released on December 4. Hence, a warning was issued explaining that Captcha must be replaced with WordPress version 4.4.5 immediately.
Matt Barry from WordFence explained that they collaborated with WordPress plugin team to create a patch for 4.4.5 version while the developer of Captcha’s code will not be allowed to publish updates before reviewed by WordPress. WordFence would be including firewall rules for blocking five other plugins from Captcha’s developer namely Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange. Barry states that all these plugins also contained the backdoor.
According to Barry, they got alerted about the plugin several months after its ownership was changed from BestWebSoft to an unnamed developer in September 2017. Captcha’s version 4.3.7 was released just after three months and this version had the backdoor. He further explained that the plugin’s auto-downloader accesses a link for downloading a ZIP file and once it is inside the ZIP archive, another file titled plugin-update.php is included along with minor modifications to the actual plugin.
The file is actually a backdoor. It creates a session with “user ID1” which happens to be the admin user created by WordPress by-default after being installed. It then sets authentication cookies and self-destructs itself. Since the backdoor installation code is not authenticated, therefore, it can be triggered by anyone. The ZIP file includes another update to the URL link using a similar process that is used for installation of the backdoor but this time its task is to delete all traces of the malicious code.
In its blog post, WordFence noted that a group of repeat offenders is possibly involved in this issue since the link simplywordpress[dot]net is associated with Martin Soiza as per domain records while the domain contact email ID belongs to Stacy Wellington (email@example.com), who has multiple domain names registered in her name. It is worth noting that Mark Maunder from the same group launched a backgrounder back in September 2017 while there is a domain unsecuredloans4u[.]co[.]uk linked to Mason Soiza who was associated with other cases of backdoored WordPress plugins.
“[Soiza] has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them,” read the post from WordFence.
The purpose behind inclusion of backdoor is to produce cloaked backlinks for different payday loan businesses for increasing Google rankings. Barry traced links to numerous payday loan firms one of which was registered to Soiza while another was owned by Charlotte Anne Wellington. Further probe revealed that Wellington and Mason Soiza are both associated with Quint Group LTD while Wellington has mentioned working for an SEO firm Serpable. Yet, it is unclear whether Charlotte or Stacy
Wellington is the creator of the backdoor code in this case. However, researchers claim that the new owner of Captcha plugin, who so far is known as wpdevmgr2678 only, might be Stacy Wellington.
At the time of publishing this article, the infected plugin was removed from the WordPress repository.