The code repository for the Custom Content Type Manager plugin in the WordPress Plugin Repository was recently compromised by a malicious user. The plugin was modified so that it contained a backdoor that could be used by the attacker to install further malicious code, create admin users, and steal authentication credentials. This attack is a rare example of a plugin in the official repository becoming a security risk.
The Custom Content Type Manager plugin, which is now safe, allows users to create custom post types. The plugin itself is genuinely useful and relatively popular, with over 10,000 installations listed on the repository. Users who installed or updated to the compromised version (0.9.8.8) of this plugin, including via automatic updates, are vulnerable and should immediately update the plugin to the most recent version, which has been patched to remove the malicious code. If you think your site is vulnerable or compromised, you may want to take a look at Sucuri’s excellent guide to finding the malicious files and mitigating the vulnerability.
Usually when we hear about WordPress plugins with vulnerabilities, they are pirate plugins deliberately altered to contain malicious code or plugins from the repository that contain accidental vulnerabilities — run-of-the-mill bugs caused by coding errors. In this case, we have a plugin in the official repository that was compromised because a malicious user was able to have himself added as an official developer in the plugin’s Subversion repository. The attacker — apparently a rogue WordPress freelancer using the handle wooranker — was given permission to make changes to the code of the plugin, and used that opportunity to add a backdoor. The initial backdoor could then be used to add further malicious code to WordPress sites, including code that allowed wooranker to steal authentication data such as passwords and usernames, and to create admin user accounts.
The malicious code has now been removed from the plugin and the WordPress team has deleted the wooranker user.
Should WordPress users be worried about installing plugins from the official repository?
For the most part, no. The vast majority of attempts to get malware onto the repository are caught early. This is a serious lapse, caused in part by the huge volume of plugins on the repository and one malicious user getting lucky. There are millions of lines of code in many thousands of plugins — vetting and verifying all of them is impossible. As Sucuri point out, plugins are as trustworthy as their developers, and for the most part, the contributors to the WordPress Plugin Repository are genuine honest developers. Historically, the plugin repository has proven to be safe. The vulnerability was caught and removed quite quickly, and although it’s regrettable that it was allowed into the repository in the first place, it was dealt with swiftly.