Backdoors Discovered in WordPress Plugin Captcha

Captcha, a WordPress plugin initially developed by BestWebSoft but later sold to a developer named Simply WordPress, was modified with an update containing malicious code that created a backdoor to over 300,000 WordPress-powered websites. Captcha version 4.3.7 was pushed to websites that had the previous version installed and subsequently established a connection to the simplywordpress[.]net domain to download a plugin update package containing the backdoor. This backdoor created a session with user ID 1, set authentication cookies, and then deleted itself, according to a Wordfence security researcher. Once notified, the WordPress security team pushed a clean version of the plugin (4.4.5) to affected websites, which removed the backdoor. In what appears to be an ongoing campaign, the threat actor responsible for the malicious version of the Captcha plugin has been observed purchasing a number of WordPress plugins and modifying them with malicious code. The NJCCIC recommends all WordPress website administrators review the Wordfence report on the Captcha plugin as well as their analysis of this malicious campaign and verify that they have non-malicious versions of affected plugins installed.

AlertNJCCICWordPress