WordPress is a very popular solution on the web, which probably explains why it is so often the target of hackers of all stripes. Experts from Sucuri have in fact just detected a new critical vulnerability. This time it is not the CMS itself that is in question, but an extremely popular plugin: Custom Content Type Manager.
As its name suggests, this tool is used to easily create custom post types, and therefore content with a personalized display.
It is not the only plugin to offer such functions, but it has earned a solid reputation among users and has been installed on more than 10 000 different sites.
It also means that there are now a little over 10 000 vulnerable sites on the web.
Basically, it all started with a ticket opened by a Sucuri customer about an infected site. While cleaning it up, the company's experts came across a file named self-update.php in the folder wp-content/plugins/custom-content-type-manager.
They opened it and realized that this file was actually a backdoor able to download files from a strange domain.
It can not only download them, but also place them directly into the plugin’s directory.
Undaunted, they decided to dig a little deeper and review all the changes made to the plugin. There, they discovered that the file self-update.php had been added to the extension on 18 February.
Strange, but that is not all, because the plugin also changed ownership on that date... It now belongs to a user going by the moniker “wooranker”.
The plugin is highly rated by users
Continuing their investigation, the experts also determined that the plugin had not been updated for several months before it changed ownership. It is therefore possible that it was deliberately sold by its former developer.
But that is not all, because they also found another file that was added to the extension at the same time: CCTM_Communicator.php.
What is its purpose? Simple: it adds a bit of code to the plugin's index.php file, a piece of code that is... quite problematic. It transmits to a remote server the IDs of everyone who accesses the site on which the extension is installed.
In other words, if you use this plugin on your website or blog, it is best to remove it immediately and change all of your editors' passwords at the same time.
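To check whether a server hosts a copy of the plugin carrying the two files named above, the sketch below walks a directory tree and reports every install it finds. It is an added example, not code from Sucuri or from the plugin; the function names are hypothetical, and finding neither file does not prove an install is clean.

```python
import os
import sys

PLUGIN_DIR = "custom-content-type-manager"  # plugin folder named in the article
SUSPECT_FILES = ("self-update.php", "CCTM_Communicator.php")  # files named in the article


def find_plugin_dirs(root):
    """Yield every .../wp-content/plugins/custom-content-type-manager under root."""
    for dirpath, dirnames, _ in os.walk(os.path.abspath(root)):
        parts = dirpath.replace(os.sep, "/").lower().split("/")
        if parts[-2:] == ["wp-content", "plugins"]:
            for d in dirnames:
                if d.lower() == PLUGIN_DIR:
                    yield os.path.join(dirpath, d)
            dirnames[:] = []  # do not descend into the other plugins


def scan(root):
    """Return {plugin_dir: [suspect file paths]} for each install found under root."""
    wanted = {name.lower() for name in SUSPECT_FILES}
    findings = {}
    for plugin in find_plugin_dirs(root):
        hits = []
        # The article only locates self-update.php (plugin folder), so the
        # whole plugin tree is searched for both names, case-insensitively.
        for dirpath, _, filenames in os.walk(plugin):
            for f in filenames:
                if f.lower() in wanted:
                    hits.append(os.path.join(dirpath, f))
        findings[plugin] = sorted(hits)
    return findings


def main(argv):
    """Print one line per install; exit status 1 if any suspect file exists."""
    root = argv[1] if len(argv) > 1 else "."
    findings = scan(root)
    for plugin, hits in findings.items():
        status = "SUSPECT FILES PRESENT" if hits else "installed, named files not found"
        print(f"{plugin}: {status}")
        for h in hits:
            print(f"  {h}")
    return 1 if any(findings.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the directory that holds your sites, for example a web root shared by several WordPress installs; a non-zero exit status means at least one of the named files was found.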
If you want to know more about Sucuri's investigation, you can visit this page.
This story proves once again how essential it is to pay close attention to plugins, including those distributed via the WordPress platform.