WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.
The malware was first spotted online over the summer by Italian security researcher Manuel D’Orso.
The initial version of this threat was loaded via an include call for the wp-vcd.php file —hence the malware’s name— and injected malicious code into WordPress core files such as functions.php and class.wp.php. This was not a massive campaign, but attacks continued throughout the recent months.
wp-vcd now targets old WordPress default themes
Last week, the Sucuri security team spotted a new variation of this malware that injected malicious code inside the legitimate files of twentyfifteen and twentysixteen — the default themes that shipped with the WordPress CMS in 2015 and 2016, and which are still found on a large number of sites, albeit disabled.
“[The] code is pretty straightforward and doesn’t hide its malicious intentions by encoding or obfuscation of functions,” Sucuri said in a security alert published last week.
Attackers didn’t care if the themes were active or not, and used their files to hide malicious code. This code would create a new admin user named 100010010. The purpose of this backdoor account was to open a connection to infected sites so attackers could carry out scripted attacks at later dates.
According to Sucuri, crooks leveraged vulnerabilities in outdated plugins and themes to upload the wp-cvd malware on vulnerable sites. Users would have been safe if they used any basic web application firewall (WAF) that would have spotted and prevented the modification of core WordPress files.
Popular WordPress plugins affected by security flaws
But wp-cvd wasn’t the only WordPress-related news from last week. First and foremost, the WordPress project released WordPress 4.9, a version that was focused on adding mostly developer-centric features.
On the security front, researchers found vulnerabilities in two very popular WordPress plugins — Yoast SEO (over 5 million installs) and Formidable Forms (over 200,000 installs).
Ryan Dewhurst found a cross-site scripting (XSS) in Yoast SEO plugins that allowed attackers to inject code on vulnerable sites. This was fixed in Yoast SEO 5.8. Users should patch as soon as possible as this is the ideal vulnerability that could be used for phishing WordPress admin users for login credentials.
Last but not least, security researcher Jouko Pynnönen found several vulnerabilities in the Formidable Forms plugin. Among the flaws, there was an SQL injection, several cross-site scripting (XSS) flaws, unauthenticated data retrieval, and more. Flaws allowed attackers to dump a vulnerable site’s database, so they should not be ignored. All reported vulnerabilities were fixed in plugin versions 2.05.02 and 2.05.03.