Backdoor found in WordPress' Captcha plugin, affecting more than 300,000 sites

byPeter Hershey

Open source blog software · WordPress, "Captcha"We found that there was a backdoor in the plugin and it was in a state where we could get the management access right of the site illegally. The backdoor has already been deleted from the plugin.

Backdoor in Captcha Plugin Affects 300K WordPress Sites
https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/


Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites
https://thehackernews.com/2017/12/wordpress-security-plugin.html

According to WordFence which provides WordPress security plug-in, Captcha plug-in which had been installed in more than 300,000 sites was temporarily deleted from the official plug-in store, and as a result of examining the cause, the plug-in creator And it seems that it turned out that there was a backdoor where an attacker gained management access right to the site without authentication. WordFence worked with the plug-in team of WordPress.org, delivered a version without backdoor by automatic update, updated the Captcha plugin of over 100,000 sites safely.

In the first place, why the official plug-in store had a backdoor plug-in and was left untouched until it was introduced to 300 thousand sites, the reason for the creator's change is mentioned as a reason.

Originally I was making this plug-in was a manufacturer called BestWebSoft. But on September 5, 2017, Best WebSoft announced that ownership has been transferred to another developer on the official website.

Free Captcha Version is Now Supported by Other Developers - Best WebSoft
https://bestwebsoft.com/free-captcha-version-is-now-supported-by-other-developers/


I do not know who the new owner is, but since it is December 4, 2017 that the malicious code containing the backdoor was committed, this "new owner" It is obvious that you are a problematic developer.

According to a WordForce survey, the new owner is a former SEO company owner who owns the "simplywordpress.net" domain, and in addition to the Captcha plug-in "Covert me Popup" "Death To Comments" "Human Captcha" "Smart Recaptcha "" Social Exchange "has been released. These included code to install a similar backdoor.

By the way, BestWebSoft has published "Google Captcha (reCAPTCHA) by BestWebSoft"Is irrelevant to this case, so people who use this is no problem.