The Captcha plugin, which is owned by the developer “simplywordpress”, contains a backdoor that gives the plugin’s current owner administrator access to any site running it. Over 300,000 WordPress sites have the Captcha plugin installed; it can no longer be installed from the WordPress Plugin Repository. We recommend that WordPress site owners who have installed this plugin remove it immediately.
The details of the backdoor are available on the WordFence blog. Researchers at WordFence were first alerted to a potential vulnerability when downloads of the plugin were stopped because of what appeared to be a copyright issue. Further investigation revealed the presence of the backdoor.
When the plugin is first installed, a snippet of malicious code causes it to download a new version of its code, overwriting the originally installed plugin. The new code includes a file with a backdoor that creates a user session with the default admin user’s ID, setting authentication cookies before deleting itself.
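Because the update described above silently replaces the plugin’s files, the practical check for a site owner is whether the files on disk still match a trusted copy of the release. The following Python script is an added example, not code from the plugin, from WordFence or from this article: it hashes every file under a plugin directory and diffs the result against a manifest, reporting files that were added, removed or modified. The sample plugin tree, its two files and the tampered update are all constructed inside a temporary directory so the script runs offline; a real manifest would be built from a freshly downloaded copy of the same release.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_to_manifest(expected, actual):
    """Classify differences between a trusted manifest and the on-disk plugin.

    'added' is the most interesting bucket: a file that exists on disk but
    not in the trusted release is exactly what a dropped-in backdoor looks like.
    """
    exp_keys, act_keys = set(expected), set(actual)
    return {
        "added": sorted(act_keys - exp_keys),
        "removed": sorted(exp_keys - act_keys),
        "modified": sorted(p for p in exp_keys & act_keys
                           if expected[p] != actual[p]),
    }


def build_sample_plugin(root):
    """Constructed sample: write a two-file 'release', record its manifest,
    then simulate an update that alters one file and drops in a new one."""
    files = {
        "captcha.php": b"<?php\n// plugin bootstrap (constructed sample)\n",
        "js/captcha.js": b"console.log('ok');\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    manifest = hash_tree(root)  # hashes of the trusted release

    # Simulated tampered update: one file changed, one unexpected file added.
    with open(os.path.join(root, "captcha.php"), "ab") as fh:
        fh.write(b"// line appended by the update (constructed)\n")
    with open(os.path.join(root, "extra.php"), "wb") as fh:
        fh.write(b"<?php // file not present in the release (constructed)\n")
    return manifest


def demo():
    """Run the comparison against the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as root:
        manifest = build_sample_plugin(root)
        return compare_to_manifest(manifest, hash_tree(root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:>9}: {paths}")
```

Run against a live site, the manifest should be taken from the plugin archive as published for that version, and any entry under `added` or `modified` deserves a look before the next update runs; the self-deleting backdoor file described above would show up as `added` only if the check ran while it was still on disk, so the modified loader that fetched it is the more durable signal.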
This is just the latest example of a plugin that appears to have been acquired from its original developer with the intent to introduce a vulnerability that can be exploited by the new owner. The previous owners of the plugin, BestWebSoft, announced that they had handed over the rights to use and manage the plugin to new owners, without revealing who the new owners were.
BestWebSoft retains ownership of another popular reCAPTCHA plugin, Google Captcha (reCAPTCHA) by BestWebSoft. WordPress users might want to think twice about installing this plugin as an alternative.
The WordFence investigation revealed that the new owner is associated with several plugin acquisitions in which the plugin was later used to introduce malware via an update.
It appears that the attacker is motivated by a desire to inject SEO spam into WordPress sites. SEO spam takes the form of links added to content pages. The links are not visible to ordinary visitors and point to sites whose search ranking the spammer wants to boost. Because visitors never see them, such links commonly go undetected for a long time.
In this case, the attacker is associated with several online loan businesses. The SEO links are an attempt to increase the search ranking of these businesses. SEO spam often has the side effect of damaging the SEO of the affected site.
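Since the injected links are hidden from visitors but still present in the HTML, a site owner can find them by looking for anchors that are rendered invisible. The script below is an added example, not code from WordFence or this article: it parses a page with Python’s standard `html.parser`, tracks the CSS hiding techniques commonly used for this kind of spam (`display:none`, `visibility:hidden`, zero font size, large negative offsets, the `hidden` attribute) on each open element, and reports every link that is hidden either directly or by an ancestor. The sample page and the `spam.example` hosts in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# CSS patterns that make an element invisible while keeping it in the DOM.
HIDING_RULES = [
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("font-size:0", re.compile(r"font-size\s*:\s*0(px|em|pt)?(;|$)", re.I)),
    ("off-screen", re.compile(r"(left|top|text-indent)\s*:\s*-\d{3,}", re.I)),
]

# Elements with no closing tag; they must not stay on the ancestor stack.
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}


def hiding_reason(attrs):
    """Return a label for how this element is hidden, or None if it is not."""
    style = attrs.get("style") or ""
    for label, pattern in HIDING_RULES:
        if pattern.search(style):
            return label
    if "hidden" in attrs:  # bare HTML5 'hidden' attribute
        return "hidden attribute"
    return None


class HiddenLinkFinder(HTMLParser):
    """Collect (href, reason) for every <a> that is hidden itself or by an ancestor."""

    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, reason-or-None) for each currently open element
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        reason = hiding_reason(attrs)
        inherited = next((r for _, r in reversed(self.stack) if r), None)
        if tag == "a" and "href" in attrs:
            effective = reason or inherited
            if effective:
                self.found.append((attrs["href"], effective))
        if tag not in VOID_TAGS:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    return finder.found


# Constructed sample page: one legitimate link and four hidden ones.
SAMPLE_HTML = """
<html><body>
<p>Read our <a href="https://example.com/about">about page</a>.</p>
<div style="display:none"><a href="http://spam.example/fast-cash">fast cash</a></div>
<a style="font-size:0px;" href="http://spam.example/cheap">cheap</a>
<span style="position:absolute;left:-9999px"><a href="http://spam.example/x">x</a></span>
<p hidden>see <a href="http://spam.example/y">y</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in find_hidden_links(SAMPLE_HTML):
        print(f"{reason:>17}: {href}")
```

The scan should be run over the rendered page as a visitor would receive it (not the post content in the database), because injected links are often added at output time by the malicious plugin rather than stored in the post; inline styles are the usual vector, but a thorough check also resolves class names against the theme’s stylesheets.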
Those of you who follow WordPress security will recall that this is not the first time a Captcha plugin has had to be removed from the repository for similar reasons. In September, SI Captcha Anti-Spam was removed because it contained malware that would inject adverts for Payday Loan sites into the pages of WordPress sites.