This seems to be getting pretty normal these days, as another announcement in the WordPress community reports another backdoor found inside a WordPress plugin. The plugin has now been removed from the repos.
The plugin backdoor
So the plugin was sold a few months ago, in September, and was set up to backdoor sites. BestWebSoft sold the Captcha plugin to Simply WordPress on September 5th. The new owner published plugin version 4.3.7. This version contained the malicious code. The code would connect to the site SimplyWordPress.net, download the plugin and update it with the malicious package; this package would install a backdoor on your site.
How did they do it
The backdoor would then create a session ID, which is usually the default admin ID, set the session and cookies, and then delete itself. Anyone with the admin ID had access and could trigger the code. The attacker was fancy and had code that would remove any traces of the backdoor as a way to erase his tracks.
It could have never been noticed
The only way this was noticed was by a copyright claim the hacker forgot to attend to. This backdoor would have gone unnoticed, and the hacker could have had his way with all the sites that downloaded his plugin.
WordPress takes over the code
Since the bad plugin was found by mistake, WordPress has removed the plugin. If you used this Captcha plugin, go back and check to see if you used this code. There is a list, I think, that the plugin was also listed under. Here is a list I found online:
- Covert me Popup
- Death To Comments
- Human Captcha
- Smart Recaptcha
- Social Exchange
This is not the first time the author has been caught. They have been recorded as doing this before.
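One way to run the check suggested above across a site's plugin folder, as an added example that is not part of the original post or of any WordPress tooling. It assumes the standard wp-content/plugins/<folder>/<file>.php layout with a "Plugin Name:" and "Version:" header, and that the header names match the names in the list above; the sample plugins it audits are constructed.

```python
import re
import tempfile
from pathlib import Path

# Names taken from the post; the exact header text on a given install is an assumption.
LISTED_NAMES = {"covert me popup", "death to comments", "human captcha",
                "smart recaptcha", "social exchange"}
CAPTCHA_NAME, CAPTCHA_BAD_VERSION = "captcha", "4.3.7"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.IGNORECASE | re.MULTILINE)

def read_header(php_file):
    """Return (name, version) from a WordPress plugin header, or None."""
    head = php_file.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.strip())
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")

def audit(plugins_dir):
    """Scan a plugins directory and return [(folder, name, version, reason)]."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header is None:
            continue  # helper file without a plugin header
        name, version = header
        if name.lower() == CAPTCHA_NAME and version == CAPTCHA_BAD_VERSION:
            findings.append((php_file.parent.name, name, version, "Captcha 4.3.7"))
        elif name.lower() in LISTED_NAMES:
            findings.append((php_file.parent.name, name, version, "listed plugin"))
    return findings

def demo():
    """Build a constructed plugins directory and audit it."""
    samples = {"captcha": ("Captcha", "4.3.7"), "human-captcha": ("Human Captcha", "1.0"),
               "contact-form": ("Some Contact Form", "2.1")}  # constructed sample data
    with tempfile.TemporaryDirectory() as tmp:
        for folder, (name, version) in samples.items():
            plugin_dir = Path(tmp, folder)
            plugin_dir.mkdir()
            (plugin_dir / f"{folder}.php").write_text(
                f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n")
        return audit(tmp)

if __name__ == "__main__":
    print(demo())
```

On a real site, call audit() with the path to wp-content/plugins. An empty result only means none of the names above are installed right now, since the post says the backdoor removed its own traces.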