WordPress Themes 2016

It’s easy to see the logic behind these two functions:

Then the attacker comes to the blog and loads it, passing the ?cms=jjoplmh parameter in the URL.

As a result, a new admin user (named “wordpress”, with a password the attacker knows) is created. The attacker can now log into WordPress with admin permissions and do whatever he wants with the blog, with the whole site (e.g. injecting a backdoor into some theme or plugin and then using it to upload malicious files to the server), with the server account (all sites that share the same account can now be easily compromised), and even with the whole server.

Let’s move to the next set of “free” premium plugins.


The headers also mentioned the sites that sent those emails, so we only needed to check plugins on those sites.

First we found this file: wp-content/restrict-content-pro/includes/sidebar.php – /8966576 (slightly trimmed). This file contains 72,847 bytes and only one line of code, which looks like some commented-out code from the “option-tree” plugin.


However, if you inspect the code more thoroughly, you’ll notice that the following 243 bytes in the very middle are not a comment (formatted for readability):

after decoding. Bingo!

But wait, this code only sends emails with the blog URL to the attacker.

Where is the code that creates a rogue user? Good, you noticed it.

The code was in the wp-content/restrict-content-pro/includes/class.php file – /8966599 (trailing comment trimmed). Again, 90,390 bytes of commented-out code and one line of code with a 288-byte payload in the middle, which is the missing part that creates the rogue “wordpress” user.

This time it needs the ?cms=go URL parameter.

OK, now we have both malicious functions, but how does WordPress know that it needs to call them? In the case of the SEOPressor plugin, the malicious functions were injected into a legitimate plugin file that WordPress loaded when it loaded the plugin. Now we have two standalone files that have no legitimate code at all.

Moreover, they don’t belong to that plugin. The answer is that the attacker modified the main plugin file wp-content/restrict-content-pro/restrict-content-pro.php and added the following line of code there:

Then, with minor modifications, we found similar malicious files under wp-content/ubermenu-skins-flat:

( amFxcXNjaWdzQGdtYWlsLmNvbQ== )
  • ubermenu-skins-flat/help/js/class.php – creates a rogue “wordpress” user with admin permissions.
  • ubermenu-skins-flat/ubermenu-skins-flat.php – includes the above two files.

and was surprised that he shouldn’t have trusted a site with such a cool domain name.

We checked that site and found that the plugins were submitted there by a user named andrewp in June 2013. In total, he submitted five plugins, and all of them had those malicious backdoors.

Restrict Content Pro WordPress Plugin V1.0.

and checked them.

It didn’t take long to find a few “patched” plugins submitted in February to March of 2014 by the site admin (not some third-party user):

  • Go – Responsive Pricing and Compare Tables (gopricing)
  • FormCraft
  • Custom Scrollbar WordPress
  • Theia Sticky Sidebar
  • GravityForms